Deployment

VMware

Installation
  1. Download the Runecast Analyzer OVA file from your profile on the Runecast portal (https://portal.runecast.com/login) and deploy it from your download location.

  2. Accept the license agreement.

  3. Select the VM name and folder, then select the destination host, datastore and network in your environment.

  4. In Customize template, configure the network configuration for the Runecast Analyzer appliance.

  5. Review the settings and click Finish.

  6. Power on the appliance. After the boot process has finished, you should see the appliance console displaying the URL of the application and how to access the Runecast Console Interface, which can be used to change the settings of the appliance, like network configuration or update settings.

Update

The appliance update is part of the application. Please see the Update section of Settings page.

AWS

Installation
  1. Navigate to Amazon EC2 Dashboard
  2. Click on Launch Instance
  3. Search for Runecast Analyzer and select it on AWS Marketplace tab on the left
  4. Choose one of the following instance types, depending on the size of your AWS account(s):
    • t3a.medium
    • t3a.large
    • t3a.xlarge
  5. Select Network and Subnet, which will let you connect to the instance
  6. Default Storage settings should work in most cases
  7. Configure Security Group, allowing access using ports:
    • HTTPS (443) to open Web interface
    • SSH (22) to connect over SSH (not required for normal operation)
  8. Create new keypair, and launch the instance
  9. When the EC2 instance starts, you can connect to its web interface:

    https://<EC2 instance public IPv4 address>/rc2

  10. Default credentials for the web interface:

    • Username: rcuser
    • Password: <EC2 instance Id>
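
A way to check the Security Group from step 7 after launch, as an added example that is not part of the Runecast documentation: it reads the JSON printed by `aws ec2 describe-security-groups` and reports inbound rules outside the two listed ports, and SSH reachable from any address. The group ID, CIDR ranges, severity labels and function name are constructed for illustration.

```python
import json

# Ports named in the installation steps: 443 for the web interface,
# 22 for SSH (not required for normal operation).
EXPECTED_PORTS = {443, 22}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape returned by
# `aws ec2 describe-security-groups --group-ids <id> --output json`.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-EXAMPLE", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
   "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8100,
   "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []}
]}]}
""")


def audit_security_groups(doc):
    """Return (group_id, severity, message) findings for inbound rules."""
    findings = []
    for group in doc.get("SecurityGroups", []):
        gid = group.get("GroupId", "?")
        for rule in group.get("IpPermissions", []):
            proto = rule.get("IpProtocol")
            # IpProtocol "-1" means all protocols and carries no port range.
            if proto == "-1":
                lo, hi = 0, 65535
            else:
                lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            world = sorted(set(cidrs) & WORLD)
            if proto != "tcp" or lo != hi or lo not in EXPECTED_PORTS:
                findings.append((gid, "HIGH" if world else "MEDIUM",
                                 f"{proto} {lo}-{hi} is outside the ports listed for the appliance"))
            elif lo == 22 and world:
                findings.append((gid, "HIGH", f"SSH open to {', '.join(world)}"))
            elif lo == 443 and world:
                findings.append((gid, "INFO", f"HTTPS open to {', '.join(world)}"))
    return findings


if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE):
        print(*finding, sep="  ")
```
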
Update

The appliance update is part of the application. Please see the Update section of Settings page.

Azure

Installation
  1. Navigate to Microsoft Azure Portal
  2. Go to the Virtual machines service page
  3. Click on Create then click on Virtual Machine from drop down menu
  4. Provide details like Subscription, Resource group, Virtual machine name, Region, Authentication type, etc., as per your organization's practice
  5. Under Image, click on See all images button
  6. Search for Runecast Analyzer in Marketplace and select Runecast Analyzer image
  7. Choose one of the following VM sizes, depending on the size of your Azure tenant resources:
    • B2s
    • B2ms
    • B4ms
  8. On the Next page, provide Disks details
  9. On the Networking page, select an existing or create a new Virtual network and Subnet. Based on your environment you might want to create a Public IP to access the appliance from the internet. The image has preconfigured NSG rules for port 443. Ensure port 443 is open if you attach an existing NSG.
  10. Complete the remaining steps as per your organization's practice and launch the virtual machine
  11. Provide details like your email id and mobile number before clicking Create button
  12. Once the virtual machine is in Running state, you can connect to its web interface: https://<VM instance public IPv4 address>/rc2

    If you have not assigned a public IP, you can connect to the web interface using the private IP.

  13. Default credentials for the web interface:

    • Username: rcuser
    • Password: Runecast!
Update

The appliance update is part of the application. Please see the Update section of Settings page.

Kubernetes

Installation

Runecast Analyzer can be installed on a K8s cluster via Helm chart available in our Helm charts repository https://helm.runecast.com/.

Note

Helm is a deployment manager that allows you to easily install or upgrade Kubernetes applications. To find more information about installing and using Helm, please visit the Helm website at https://helm.sh/.

To install Runecast Analyzer with default settings, follow these steps:

  1. Add Runecast Helm repository to Helm repository list:
    helm repo add runecast https://helm.runecast.com/charts
    
  2. Install Runecast Analyzer

    helm upgrade --install runecast-analyzer runecast/runecast-analyzer
    

  3. To access the UI, please follow the output from the helm command. The instructions are dependent on the deployment values. If defaults are used, the UI can be accessed on localhost with kubectl port-forwarding:

    kubectl port-forward service/runecast-analyzer 8080:80
    
    After issuing the command, access the app on http://localhost:8080/rc2

If you would like to modify the deployment parameters such as ingress settings, annotations or tolerations, you can do that by specifying them on the command line or in a values.yaml file. To see the list of parameters, use the following command:

helm show values runecast/runecast-analyzer

The list of values, as well as examples of how to use them, can be found on the Helm chart page.

Tip

To get more information about customizing the deployment please see the Helm Values Files page.

Update

The update is performed with the helm upgrade command. The same command can be used for installation and upgrade; please see the Installation section above.

OS agents

After Operating Systems (OS) Analysis is enabled in Runecast Analyzer, you need to deploy the OS agents to target operating systems.

While deploying manually to each of the operating systems is possible, it won't be very effective even with a small number of operating systems. Runecast recommends using an automated deployment where possible to establish a smooth path to the agent upgrade when needed in the future and prevent any unnecessary manual work.

In most companies, there will already be a solution in use, like Ansible, Chef, Puppet or Microsoft SCCM, that helps to ease the task of deploying software to multiple computers. For those that don't use such a solution yet, we provide two examples of how to perform automatic deployment: on Linux with Ansible and on Windows with Active Directory group policy.

For virtualized deployments, there is also the possibility to include the OS agent installation in the VM template. When preparing the templates, make sure to stop the osquery service and remove the osquery database directory before shutting down the VM. The osquery database directory is located at:

  • /var/osquery/osquery.db on Linux
  • Program Files\osquery\osquery.db on Windows.

Automated Deployment Examples

Deploying to Linux hosts with Ansible

Ansible uses SSH for target host access. The following example uses SSH key authentication, but it's possible to use password authentication too. Please see the Connection methods and details chapter in the Ansible documentation.

  1. Download the RPM and/or DEB package from Settings > Connections > Install OS agents.

  2. Place it in a directory together with the following Ansible playbook file:

    # runecast-deploy-osquery-linux.yaml
    - name: Install Runecast osquery on Linux
      hosts: all
      vars:
        package_name:
          Debian: runecast-deb-osquery_5.0.1-1.linux_amd64.tar.gz
          RedHat: runecast-rpm-osquery-5.0.1-1.linux.x86_64.tar.gz
      gather_facts: true
      become: true
      tasks:
        - name: Copy and extract installation package
          ansible.builtin.unarchive:
            src: '{{ package_name[ansible_os_family] }}'
            dest: /tmp/
            copy: yes
        - name: Install and configure osquery (Debian)
          ansible.builtin.shell:
            cmd: /tmp/{{ package_name[ansible_os_family].split(".tar.gz")[0] }}/install-osquery-deb.sh
          when: ansible_os_family == 'Debian'
        - name: Install and configure osquery (RedHat)
          ansible.builtin.shell:
            cmd: /tmp/{{ package_name[ansible_os_family].split(".tar.gz")[0] }}/install-osquery-rpm.sh
          when: ansible_os_family == 'RedHat'
        - name: Cleanup
          ansible.builtin.file:
            path: /tmp/{{ package_name[ansible_os_family].split(".tar.gz")[0] }}/
            state: absent
    
    If the downloaded package names differ from those in the playbook, please modify the package_name variable accordingly.

  3. Run this Ansible command to install the OS agent to the list of Linux computers. You will be asked for the sudo password:

    ansible-playbook --ask-become-pass -i host1,host2,host3 runecast-deploy-osquery-linux.yaml
    
  4. When the deployment has finished, the computers will register to the OS analysis service and can be found in Runecast Analyzer under Connections > Registered OS agents > Show OS agents.

Deploying to Windows hosts with Active Directory

To deploy OS agents to computers that are members of Active Directory, the following steps need to be performed:

  • download the Windows OS agent package
  • create a Group Policy that will install the OS agent package on computer start
  • link the GPO to Organizational Unit where the target computers reside and reboot the computers

Please see the detailed procedure below:

  1. In Runecast Analyzer, download the Windows OS agent from Settings > Connections > Install OS agents.

  2. On a domain controller, run Group Policy Management console, navigate to Group Policy Objects and create a new GPO. The new Group Policy is named OS agents deployment in the example.

  3. Edit the newly created GPO, navigate to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) and double-click startup.

  4. On the PowerShell Scripts tab click Show files. Copy and extract the downloaded OS agent archive and remove the archive file afterward.

    Close the opened window.

  5. Back in the Startup Properties window, click Add... > Browse..., select the install-osquery.ps1 script, click Open and click OK.

    You should now see the script name in the Startup Scripts list:

    Close the Startup Properties with the OK button and close the GPO window as well.

  6. We have configured the GPO to deploy the OS agent when the computer starts. Now we need to link this GPO to an Organizational Unit where the target computers reside.

    In the Group Policy Management console, find the OU, right-click and select Link an existing GPO.... Choose the GPO we just created (OS agents deployment in our case).

  7. After you restart a Windows computer that resides in the OU where we linked the GPO, you can find the agent deployed and the computer registered to the OS analysis service. The computer can be found in Runecast Analyzer under Connections > Registered OS agents > Show OS agents.

Manual Deployment

If you would like to deploy the agents manually, please follow the steps for the desired operating system.

Microsoft Windows
  1. Download the Windows OS agent from Settings > Connections > Install OS agents.

  2. Transfer and unzip the package on the target OS.

  3. Start PowerShell with administrative rights and run the installation script with the ./install-osquery.ps1 command.

  4. Verify the OS is present in Connections > Registered OS agents > Show OS agents.

Linux (RPM)
  1. Download the RPM OS agent package from Settings > Connections > Install OS agents.

  2. Transfer the file to the target system and extract the archive with tar -zxvf <package name>.

  3. From the extracted package directory, run sudo ./install-osquery-rpm.sh.

  4. Verify the OS is present in Connections > Registered OS agents > Show OS agents.

Linux (DEB)
  1. Download the DEB OS agent package from Settings > Connections > Install OS agents.

  2. Transfer the file to the target system and extract the archive with tar -zxvf <package name>.

  3. From the extracted package directory, run sudo ./install-osquery-deb.sh.

  4. Verify the OS is present in Connections > Registered OS agents > Show OS agents.

Removal of agents

The OS agents can be removed from the operating systems in a similar way to how they were deployed. The installation packages that are downloaded from Runecast Analyzer contain the uninstall scripts for the respective operating system types:

  • Microsoft Windows (MSI): uninstall-osquery.ps1

  • Linux (RPM): uninstall-osquery-rpm.sh

  • Linux (DEB): uninstall-osquery-deb.sh

After the agents are removed, you can remove the host entries from the OS analysis service in Runecast Analyzer. To remove the hosts, navigate to Settings > Connections > Operating Systems connections settings > Show details.