Deployment

VMware

Installation

1. Download the Runecast Analyzer OVA file from your profile on the Runecast portal https://portal.runecast.com/, and deploy from your download location.

2. Select a VM name and folder.

3. Select a Compute resource.

4. Accept the license agreement.

5. Select the deployment configuration size (small, medium or large). Please see the VMware vSphere deployment system requirements for additional information.

6. Select Storage and Network on your environment.

7. In Customize template, configure the Networking properties of the Runecast Analyzer appliance.

8. Review the settings and click Finish.

9. Power on the appliance. After the boot process has finished, you should see the appliance console displaying the URL of the application. When you open the console, you can access Runecast Console Interface, which can be used to change the settings of the appliance, like network configuration, update settings, or rcadmin password. We recommend changing the rcadmin password right after the deployment.

Discover the step-by-step process of installing Runecast on your VMware setup in this comprehensive tutorial: Install Runecast for VMware.

Info

In the deployment wizard, you might see the message:

The OVF package contains advanced configuration options, which might pose a security risk. Review the advanced configuration options below. Click next to accept the advanced configuration options.

We have included the Extra Configuration that makes sure the appliance is deployed with the most strict settings as possible. The warning message is shown whenever any advanced settings are part of an OVA deployment.

Update

The appliance update is part of the application. Please se the Update section of Settings page.

AWS

Installation

1. Navigate to Amazon EC2 Dashboard
2. Click on Launch Instance
3. Search for Runecast Analyzer and select it on AWS Marketplace tab on the left
4. Choose one of instance types: depending on size of your AWS account(s)
   • t3a.medium
   • t3a.large
   • t3a.xlarge
5. Select Network and Subnet, which will let you connect to the instance
6. Default Storage settings should work in most cases
7. Configure Security Group, allowing access using ports:
   • TCP 443 (HTTPS) to open Web interface
   • TCP 22 (SSH) to connect over SSH (not required for normal operation)
   • TCP 8443 (HTTPS) if OS Analysis is used
8. Create new keypair, and launch the instance

9. When the EC2 instance starts, you can connect to its web interface:

   https://<EC2 instance public IPv4 address>/rc2

10. Default credentials for the webinterface:

    • Username: rcuser
    • Password: <EC2 instance Id>

Update

The appliance update is part of the application. Please se the Update section of Settings page.

Azure

Installation

1. Navigate to Microsoft Azure Portal
2. Go to the Virtual machines service page
3. Click on Create then click on Virtual Machine from drop down menu
4. Provide details like Subscription, Resource group, Virtual machine name, Region, Authentication type, etc as per your organization practice
5. Under Image, click on See all images button
6. Search for Runecast Analyzer in Marketplace and select Runecast Analyzer image
7. Choose a VM size appropriate to the scale of your environment. One of the suitable VM sizes:
   • B2ms
   • B4ms
8. On the Next page, provide Disks details
9. On the Networking page, select the existing or create a new Virtual network and Subnet. Based on your environment, you might want to create a Public IP to access the appliance from the internet. The image has a preconfigured NSG rule for port TCP 443. Ensure the port is open if you attach an existing NSG. If OS Analysis is used, additionally open port TCP 8443 for agents communication.
10. Complete the remaining steps as per your organization practice and launch the virtual machine
11. Provide details like your email id and mobile number before clicking Create button

12. Once the virtual machine is in Running state, you can connect to its web interface: https://<VM instance public IPv4 address>/rc2

    If you have not assigned public IP, you can connect to the web interface using private IP 13. Default credentials for the web interface:

    • Username: rcuser
    • Password: Runecast!

Update

The appliance update is part of the application. Please see the Update section of Settings page.

Kubernetes

Installation

Runecast Analyzer can be installed on a K8s cluster via Helm chart available in our Helm charts repository https://helm.runecast.com/.

Note

Helm is a deployment manager that allows you easily install or upgrade Kubernetes applications. To find more information about installing and using Helm, please visit the Helm website on https://helm.sh/.

To install Runecast Analyzer with default settings, follow these steps:

1. Add Runecast Helm repository to Helm repository list:

   helm repo add runecast https://helm.runecast.com/charts
   

2. Install Runecast Analyzer

   helm upgrade --install runecast-analyzer runecast/runecast-analyzer
   

3. To access the UI, please follow the output from the helm command. The instructions depend on the deployment values. If defaults are used, the UI can be accessed on localhost with kubectl port-forwarding:

   kubectl port-forward service/runecast-analyzer-nginx 9080
   

   After issuing the command, access the app on http://localhost:9080

If you would like to modify the deployment parameters such as ingress settings, annotations or tolerations, you can do that by specifying them on command line or in values.yaml file. To see the list of parameters use the following command:

helm show values runecast/runecast-analyzer

The list of values, as well as examples how to use them, can be found on the Helm chart page

Tip

To get more information about customizing the deployment please see the Helm Values Files page.

Update

The update is performed with the helm upgrade command. The same command can be used for installation and upgrade, please see the Installation section above.

OS agents

After Operating Systems (OS) Analysis is enabled in Runecast Analyzer, you need to deploy the OS agents to target operating systems.

While deploying manually to each of the operating systems is possible, it won't be much effective even with a small number of operating systems. Runecast recommends using an automated deployment where possible to establish a smooth path to the agent upgrade when needed in the future and prevent any unnecessary manual work.

In most companies, there will already be a solution in use like Ansible, Chef, Puppet or Microsoft SCCM, that helps to ease the task of deploying software to multiple computers. For those, that don't use such a solution yet, we provide two examples of how to perform automatic deployment on Linux with Ansible and on Windows with Active Directory group policy.

For virtualized deployments, there is also the possibility to include the OS agent installation in the VM template. When preparing the templates, make sure to stop the osquery service and remove the osquery database directory before shutting down the VM. The osquery database directory is located at:

• /var/osquery/osquery.db on Linux
• Program Files\osquery\osquery.db on Windows.

Automated Deployment Examples

Deploying to Linux hosts with Ansible

Ansible uses SSH for target host access. The following example will use SSH keys authentication but it's possible to use password authentication too. Please see the Connection methods and details chapter in the Ansible documentation.

1. Download the Linux package from Settings > Connections > Install OS agents.

2. Place the package to a directory together with the following ansible playbook file:

   runecast-install-osagent.yaml

   # runecast-install-osagent.yaml
   - name: Install Runecast OS agent
     hosts: all
     vars:
       package_name:
         Windows: runecast-osagent-windows-5.8.2.zip
         Linux: runecast-osagent-linux-5.8.2.tar.gz
     gather_facts: true
     tasks:
       - name: Copy and extract installation package (Linux)
         become: true
         when: ansible_system == 'Linux'
         ansible.builtin.unarchive:
           src: "{{ package_name['Linux'] }}"
           dest: /tmp/
           copy: yes
       - name: Create a temporary directory (Windows)
         when: ansible_os_family == 'Windows'    
         ansible.windows.win_tempfile:
           state: directory
         register: win_temp
       - name: Copy installation package (Windows)
         when: ansible_os_family == 'Windows'
         ansible.windows.win_copy:
           src: "{{ package_name['Windows'] }}"
           dest: '{{ win_temp.path }}'
       - name: Extract installation package (Windows)
         when: ansible_os_family == 'Windows'
         community.windows.win_unzip:
           src: '{{ win_temp.path }}\{{ package_name["Windows"] }}'
           dest: '{{ win_temp.path }}'
           delete_archive: yes
       - name: Install and configure OS agent (Linux)
         when: ansible_system == 'Linux'
         become: true
         ansible.builtin.shell:
           cmd: /tmp/{{ package_name['Linux'].split('.tar.gz')[0] }}/install-osagent.sh
       - name: Install and configure OS agent (Windows)
         when: ansible_os_family == 'Windows'
         ansible.windows.win_shell: '{{ win_temp.path }}\{{ package_name["Windows"].split(".zip")[0] }}\install-osagent.ps1'
       - name: Cleanup (Linux)
         when: ansible_system == 'Linux'    
         become: true
         ansible.builtin.file:
           path: /tmp/{{ package_name['Linux'].split('.tar.gz')[0] }}/
           state: absent
       - name: Cleanup (Windows)
         when: ansible_os_family == 'Windows'    
         ansible.windows.win_file:
           path: '{{ win_temp.path }}'
           state: absent
   

   If the downloaded package name differs from the value of package_name variable, please modify the variable accordingly.

3. Run this Ansible command to install the OS agent to the list of Linux computers, you will be asked for the sudo password:

   ansible-playbook --ask-become-pass -i host1,host2,host3 runecast-deploy-osquery-linux.yaml
   

4. When the deployment finished, the computers will register to the OS analysis service and can be found in Runecast Analyzer under Connections > Registered OS agents > Show OS agents.

Deploying to Windows hosts with Active Directory

To deploy OS agents to computers that are members of Active Directory, the following steps need to be performed:

• download the package of Runecast OS agent for Windows
• create a Group Policy that will install the OS agent package on computer start
• link the GPO to Organizational Unit where the target computers reside and reboot the computers

Please see the detailed procedure below:

1. In Runecast Analyzer, download the Runecast OS agent for Windows from Settings > Connections > Install OS agents.

2. On a domain controller, run Group Policy Management console, navigate to Group Policy Objects and create a new GPO. The new Group Policy is named Runecast OS agent deployment in the example.

   

   

3. Edit the newly created GPO, navigate to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) and double-click startup.

   

4. On the PowerShell Scripts tab click Show files. Copy and extract the downloaded OS agent archive and remove the archive file afterward.

   

   Close the opened window.

5. Back in the Startup Properties window, click Add... > Browse..., select the install-osagent.ps1 script, click Open and click OK.

   

   You should now see the script name in the Startup Scripts list:

   

   Close the Startup Properties with the OK button and close the GPO window as well.

6. We have configured the GPO to deploy the OS agent when the computer starts. Now we need to link this GPO to an Organizational Unit where the target computers reside.

   In the Group Policy Management console, find the OU, right-click and select Link an existing GPO.... Choose the GPO we just created (Runecast OS agent deployment in our case).

   

7. After you restart a Windows computer that resides in the OU where we linked the GPO, you can find the agent deployed and the computer registered to the OS analysis service. The computer can be found in Runecast Analyzer under Connections > Registered OS agents > Show OS agents.

Manual Deployment

If you would like to deploy the agents manually, please follow the steps for the desired operating system.

Microsoft Windows

1. Download the Runecast OS agent for Windows from Settings > Connections > Install OS agents.

2. Transfer and unzip the package on the target OS.

3. Start PowerShell with administrative rights and run the installation script with ./install-osagent.psl command.

4. Verify the OS is present in Connections > Registered OS agents > Show OS agents.

Linux

1. Download the Runecast OS agent for Linux from Settings > Connections > Install OS agents.

2. Transfer the file to the target system and extract the archive with tar -zxvf <package name>.

3. From the extracted package directory, run sudo ./install-osagent.sh.

4. Verify the OS is present in Connections > Registered OS agents > Show OS agents.

Removal of agents

The OS agents can be removed from the operating systems similar way as they were deployed. The installation packages, that are downloaded from Runecast Analyzer, contain the uninstall scripts for the respective operating systems type:

• Microsoft Windows: uninstall-osagent.ps1

• Linux: uninstall-osagent.sh

An example playbook to uninstall the agent from multiple computers:

runecast-uninstall-osagent.yaml

# runecast-uninstall-osagent.yaml
- name: Uninstall Runecast OS agent
  hosts: all
  vars:
    package_name:
      Windows: runecast-osagent-windows-5.8.2.zip
      Linux: runecast-osagent-linux-5.8.2.tar.gz
  gather_facts: true
  tasks:
    - name: Copy and extract installation package (Linux)
      become: true
      when: ansible_system == 'Linux'
      ansible.builtin.unarchive:
        src: "{{ package_name['Linux'] }}"
        dest: /tmp/
        copy: yes
    - name: Create a temporary directory (Windows)
      when: ansible_os_family == 'Windows'    
      ansible.windows.win_tempfile:
        state: directory
      register: win_temp
    - name: Copy installation package (Windows)
      when: ansible_os_family == 'Windows'
      ansible.windows.win_copy:
        src: "{{ package_name['Windows'] }}"
        dest: '{{ win_temp.path }}'
    - name: Extract installation package (Windows)
      when: ansible_os_family == 'Windows'
      community.windows.win_unzip:
        src: '{{ win_temp.path }}\{{ package_name["Windows"] }}'
        dest: '{{ win_temp.path }}'
        delete_archive: yes
    - name: Uninstall OS agent (Linux)
      when: ansible_system == 'Linux'
      become: true
      ansible.builtin.shell:
        cmd: /tmp/{{ package_name['Linux'].split('.tar.gz')[0] }}/uninstall-osagent.sh
    - name: Uninstall OS agent (Windows)
      when: ansible_os_family == 'Windows'
      ansible.windows.win_shell: '{{ win_temp.path }}\{{ package_name["Windows"].split(".zip")[0] }}\uninstall-osagent.ps1'
    - name: Cleanup (Linux)
      when: ansible_system == 'Linux'    
      become: true
      ansible.builtin.file:
        path: /tmp/{{ package_name['Linux'].split('.tar.gz')[0] }}/
        state: absent
    - name: Cleanup (Windows)
      when: ansible_os_family == 'Windows'    
      ansible.windows.win_file:
        path: '{{ win_temp.path }}'
        state: absent

After the agents are removed, you can remove the host entries from the OS analysis service in Runecast Analyzer. To remove the hosts, navigate to Settings > Connections > Operating Systems connections settings > Show details.