
Operating Systems Analysis

Operating Systems (OS) Analysis consists of two components:

  • OS analysis service running on Runecast Analyzer appliance,
  • OS agents running on operating systems, collecting data and reporting to OS Analysis service.

We use Fleet as part of the OS analysis service. In image-based deployments, Fleet runs on the appliance and is disabled by default. After you Activate OS connection in Settings > Connections, the service is enabled and started.

The OS agent is the well-known and widely used osquery. We take the official packages, add our installation scripts and configuration, and bundle them into a ready-to-deploy installation package that can be downloaded directly from Runecast Analyzer. When osquery is deployed from this package to target operating systems, it automatically connects to our Fleet service.

When Runecast Analyzer starts an analysis, it creates data query requests and sends them to Fleet. The OS agents pick up the queries from Fleet, process them and send back the results. Runecast Analyzer then gathers the data and performs the actual analysis, showing the results afterward.

Collected information

osquery can collect various types of information. Runecast Analyzer collects only the data necessary to analyze the target operating system, such as OS information, installed applications, configuration files and some registry settings. If you would like to see the whole collected dataset, follow these steps:

  1. Navigate to Settings > API Access tokens and click Explore API Documentation.

  2. Click on Ecosystems and /api/v2/rca-instances/{id}/ecosystems. For Parameter id enter 1 and press Try it out!.

  3. In the Response Body field, find Operating Systems and note the id.

    ...
    {
      "id": 31,
      "viewName": "Operating Systems",
      "ecosystemType": "FLEET",
    ...

  4. Open a new tab in your browser and paste the following URL: https://<your appliance>/rc2/api/v2/ecosystems/<ecosystemId>/config-scans/latest/dataset. Replace the <ecosystemId> with the ID noted in step 3 and execute it.

  5. You will download a zipped dataset with all operating system information that is collected from OS agents and used in OS Analysis.
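
The steps above can be scripted so that the dataset collected from OS agents is pulled and reviewed on a regular basis. This is an added example, not Runecast's own code: the Authorization header format, the /rc2 prefix on the step 2 endpoint and the JSON wrapper around the excerpt from step 3 are assumptions, and the sample response is constructed.

```python
import json
import urllib.request
import zipfile

# Constructed sample shaped like the excerpt in step 3; the wrapper layout is assumed.
SAMPLE_RESPONSE = {"ecosystems": [
    {"id": 7, "viewName": "Constructed other ecosystem", "ecosystemType": "OTHER"},
    {"id": 31, "viewName": "Operating Systems", "ecosystemType": "FLEET"},
]}

def find_os_ecosystem_ids(body):
    """Return ids of every object whose ecosystemType is FLEET, at any nesting depth."""
    found, stack = [], [body]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            if node.get("ecosystemType") == "FLEET" and "id" in node:
                found.append(node["id"])
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    return sorted(found)

def ecosystems_url(appliance, rca_id=1):
    # Step 2 endpoint; the /rc2 prefix is assumed to match the URL in step 4.
    return f"https://{appliance}/rc2/api/v2/rca-instances/{int(rca_id)}/ecosystems"

def dataset_url(appliance, ecosystem_id):
    # Step 4 URL; int() rejects anything that is not a plain numeric id.
    return f"https://{appliance}/rc2/api/v2/ecosystems/{int(ecosystem_id)}/config-scans/latest/dataset"

def fetch(url, token):
    # Assumption: the API access token is sent as-is in the Authorization header.
    req = urllib.request.Request(url, headers={"Authorization": token})
    with urllib.request.urlopen(req, timeout=60) as resp:  # TLS verification stays on
        return resp.read()

def summarize_dataset(zip_file):
    """List (name, uncompressed size) for each member so the collected data can be reviewed."""
    with zipfile.ZipFile(zip_file) as zf:
        return [(m.filename, m.file_size) for m in zf.infolist()]

def download_os_dataset(appliance, token, out_path="os-dataset.zip"):
    ids = find_os_ecosystem_ids(json.loads(fetch(ecosystems_url(appliance), token)))
    if len(ids) != 1:
        raise RuntimeError(f"expected one FLEET ecosystem, found {ids}")
    with open(out_path, "wb") as fh:
        fh.write(fetch(dataset_url(appliance, ids[0]), token))
    return summarize_dataset(out_path)
```

Call download_os_dataset with the appliance host name and an API access token created under Settings > API Access tokens; it returns the list of files in the downloaded archive.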