Operating Systems Analysis

Operating Systems (OS) Analysis consists of two components:

  • the OS analysis service running on the Runecast Analyzer appliance,
  • OS agents running on the target operating systems, collecting data and reporting it to the OS analysis service.

We use Fleet as part of the OS analysis service. For image-based deployments, Fleet runs on the appliance and is disabled by default; after you activate the OS connection in Settings > Connections, the service is enabled and started. For K8s deployments, the OS analysis service runs from deployment time when it is enabled through the values passed to the Helm chart.

The OS agent is the well-known and widely used osquery. We take the official packages, add our installation scripts and configuration, and bundle them as a ready-to-deploy installation package that can be downloaded directly from Runecast Analyzer. When osquery is deployed from this package to a target operating system, it connects automatically to our Fleet service. The connection is secured by a TLS certificate that is generated automatically when OS Analysis is enabled and is shipped as part of the installation package.

When Runecast Analyzer starts an analysis, it creates data query requests and sends them to Fleet. The OS agents pick up the queries from Fleet, process them and send back the results. Runecast Analyzer then gathers the data, performs the actual analysis and shows the results.

Host Collection Status

A host can appear in the inventory in one of three states: Fully collected, Collection incomplete, or Host offline.

The Collection incomplete status is displayed for hosts that are online but from which Runecast was not able to collect all the required data. There can be several reasons for this. If you see a host in this state in your inventory, check the following:

  • Verify that the host has enough memory (the osquery agent may need up to 400 MB),
  • If it is a VM, verify the health of the underlying hypervisor and its resources,
  • Verify connectivity between Runecast and the host,
  • Verify antivirus scan results on the host, and
  • Restart the osquery service.

An offline host may only be temporarily unavailable. In this case, analyze the object again later to get valid results. If the host has been decommissioned, navigate to Menu -> System settings -> Connected systems -> Operating systems connection settings. Click the Show details link to display all systems, select the offline hosts, and press Remove selected hosts to remove them from the inventory. If an online host is selected for removal, it reappears in the inventory within a minute.

Collected information

osquery can collect many types of information. Runecast Analyzer collects only the data needed to analyze the target operating system, such as OS information, installed applications, configuration files and selected registry settings. If you would like to see the whole collected dataset, follow these steps:

  1. Navigate to Settings > API Access tokens and click Explore API Documentation.

  2. Click Ecosystems and then /api/v2/rca-instances/{id}/ecosystems. For the parameter id enter 1 and press Try it out!.

  3. In the Response Body field, find the entry named Operating Systems and note its id:

    ...
    {
      "id": 31,
      "viewName": "Operating Systems",
      "ecosystemType": "FLEET",
    ...

  4. Open a new tab in your browser and paste the following URL: https://<your appliance>/rc2/api/v2/ecosystems/<ecosystemId>/config-scans/latest/dataset. Replace <ecosystemId> with the id noted in step 3 and open the URL.

  5. You will download a zipped dataset with all operating system information that is collected from OS agents and used in OS Analysis.
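The same five steps can be scripted for repeatable exports. The following Python script is an added example and is not Runecast's own code. It assumes (these are assumptions, not taken from the page) that the API is served under https://<appliance>/rc2, that the API access token from Settings > API Access tokens is sent as a bearer token in the Authorization header, and that the ecosystems endpoint returns either a JSON list or an object wrapping one. It verifies the appliance's TLS certificate against a CA bundle you supply instead of disabling verification, and it selects the Operating Systems ecosystem by its ecosystemType (FLEET) rather than hard-coding the id 31 shown above, which differs between appliances.

```python
"""Added example: export the OS Analysis dataset through the Runecast API.

Assumed (not from the page): API base path https://<appliance>/rc2,
bearer-token authentication, and the shape of the ecosystems response.
"""
import json
import os
import ssl
import sys
import urllib.request

RCA_INSTANCE_ID = 1            # the page says to enter 1 as the rca-instances id
ECOSYSTEM_TYPE_OS = "FLEET"    # ecosystemType of the Operating Systems ecosystem

# Constructed sample of the ecosystems response (ids and the non-FLEET type are
# made up); the FLEET entry mirrors the fragment shown in step 3.
SAMPLE_ECOSYSTEMS = [
    {"id": 7, "viewName": "Example other ecosystem", "ecosystemType": "EXAMPLE_OTHER"},
    {"id": 31, "viewName": "Operating Systems", "ecosystemType": "FLEET"},
]


def _as_list(payload):
    """Accept a bare list or an object that wraps the list (assumed envelope)."""
    if isinstance(payload, list):
        return payload
    if isinstance(payload, dict):
        for value in payload.values():
            if isinstance(value, list):
                return value
    raise ValueError("unexpected ecosystems response shape")


def find_os_ecosystem_id(payload):
    """Step 3: return the id of the single ecosystem whose type is FLEET.

    Raises LookupError when none exists (OS connection not activated) or when
    the answer is ambiguous, so a wrong ecosystem is never exported silently.
    """
    matches = [e["id"] for e in _as_list(payload) if e.get("ecosystemType") == ECOSYSTEM_TYPE_OS]
    if not matches:
        raise LookupError("no FLEET ecosystem found; is the OS connection activated?")
    if len(matches) > 1:
        raise LookupError(f"expected one FLEET ecosystem, found ids {matches}")
    return matches[0]


def dataset_url(base_url, ecosystem_id):
    """Step 4: build the dataset download URL for the noted ecosystem id."""
    return f"{base_url.rstrip('/')}/api/v2/ecosystems/{ecosystem_id}/config-scans/latest/dataset"


def _get(url, token, ca_file):
    """Open an authenticated HTTPS request with certificate verification enabled."""
    ctx = ssl.create_default_context(cafile=ca_file)   # trust only the supplied CA bundle
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})  # assumed header
    return urllib.request.urlopen(req, context=ctx, timeout=60)


def download_os_dataset(base_url, token, ca_file, out_path="os-dataset.zip"):
    """Steps 2 to 5: look up the OS ecosystem id, then save the zipped dataset."""
    with _get(f"{base_url.rstrip('/')}/api/v2/rca-instances/{RCA_INSTANCE_ID}/ecosystems", token, ca_file) as resp:
        ecosystems = json.load(resp)
    ecosystem_id = find_os_ecosystem_id(ecosystems)
    with _get(dataset_url(base_url, ecosystem_id), token, ca_file) as resp, open(out_path, "wb") as fh:
        fh.write(resp.read())
    return out_path


if __name__ == "__main__":
    # Usage: RC_URL=https://appliance.example/rc2 RC_TOKEN=... RC_CA=appliance-ca.pem python export.py
    try:
        path = download_os_dataset(os.environ["RC_URL"], os.environ["RC_TOKEN"], os.environ["RC_CA"])
    except KeyError as missing:
        sys.exit(f"set environment variable {missing}")
    print(f"dataset written to {path}")
```

The token and CA bundle come from environment variables so they never end up in shell history or the script itself; if the appliance uses a self-signed certificate, export it once and point RC_CA at that file rather than turning verification off.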