Operating Systems Analysis

Operating Systems (OS) Analysis consists of two components:

  • OS analysis service running on Runecast Analyzer appliance,
  • OS agents running on operating systems, collecting data and reporting to OS Analysis service.

We use Fleet as part of the OS analysis service. In image-based deployments, Fleet runs on the appliance and is disabled by default; after you Activate OS connection in Settings > Connections, the service is enabled and started. In K8s deployments, the OS analysis service runs from deployment onward if it was enabled through the values passed to the Helm chart.

The OS agent is the well-known and widely used osquery. We take the official packages, add our installation scripts and configuration bits, and package them as a ready-to-deploy installation package that can be downloaded directly from Runecast Analyzer. When osquery is deployed from this package to a target operating system, it connects to our Fleet service automatically. The connection is secured by a TLS certificate that is generated automatically when OS Analysis is enabled and is shipped as part of the installation package.

When Runecast Analyzer starts an analysis, it creates data query requests and sends them to Fleet. The OS agents pick up the queries there, process them and send back the results. Runecast Analyzer then gathers the data, performs the actual analysis and shows the results.

Host Collection Status

The host can appear in the inventory in one of three states: Fully collected, Collection incomplete, or Host offline.

The Collection incomplete status is displayed for hosts that are online but from which Runecast was unable to collect all the required data. There can be several reasons for this. If you see a host in this state in your inventory, check the following:

  • Verify that the host has enough memory (the osquery agent may need up to 400 MB),
  • If it is a VM, verify the health of the underlying hypervisor and its resources,
  • Verify connectivity between Runecast and the host,
  • Verify the antivirus scan results on the host, and
  • Restart the osquery service.

An offline host may only be temporarily unavailable; in that case, analyze the object again later to get valid results. If the host has been decommissioned, navigate to Menu -> System settings -> Connected systems -> Operating systems connection settings. Click the Show details link to display all systems, select the offline hosts, and press Remove selected hosts to remove them from the inventory. If an online host is selected for removal, it reappears in the inventory within a minute.

Collected information

osquery is able to collect many types of information. Runecast Analyzer collects only the data needed to analyze the target operating system, such as OS information, installed applications, configuration files and some registry settings. If you would like to see the whole collected dataset, follow these steps:

  1. Navigate to Settings > API Access tokens and click Explore API Documentation.

  2. Click on Ecosystems and /api/v2/rca-instances/{id}/ecosystems. For Parameter id enter 1 and press Try it out!.

  3. In the Response Body field, find Operating Systems and note the id.

    ...
    {
      "id": 31,
      "viewName": "Operating Systems",
      "ecosystemType": "FLEET",
    ...


  4. Open a new tab in your browser and paste the following URL: https://<your appliance>/rc2/api/v2/ecosystems/<ecosystemId>/config-scans/latest/dataset. Replace <ecosystemId> with the ID noted in step 3 and open the URL.

  5. You will download a zipped dataset with all operating system information that is collected from OS agents and used in OS Analysis.
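The five steps above can be scripted instead of clicked through. The following is an added example and is not Runecast's own tooling; it assumes (none of this is stated on the page) that the token from Settings > API Access tokens is sent as an "Authorization: Bearer" header, that the ecosystem list is served under the same /rc2 prefix as the dataset URL, and that curl and jq are installed. The sample ecosystem response embedded below is constructed for the demo.

```shell
#!/bin/sh
# Added example (not Runecast tooling): locate the FLEET ecosystem id in the
# ecosystems response and download the latest OS dataset zip.
set -eu

# Constructed sample of an ecosystems response, shaped after the fragment shown
# on the page. The real list/object wrapper is an assumption, which is why
# fleet_ecosystem_id() searches all nested objects rather than a fixed path.
SAMPLE_ECOSYSTEMS='{"items":[
  {"id":30,"viewName":"vSphere","ecosystemType":"VSPHERE"},
  {"id":31,"viewName":"Operating Systems","ecosystemType":"FLEET"}]}'

# Read ecosystems JSON on stdin, print the id of the first FLEET ecosystem
# (nothing is printed when no FLEET ecosystem exists).
fleet_ecosystem_id() {
    jq -r '[.. | objects | select(.ecosystemType? == "FLEET") | .id] | first // empty'
}

# Build the dataset URL from the appliance hostname and the ecosystem id.
dataset_url() {
    printf 'https://%s/rc2/api/v2/ecosystems/%s/config-scans/latest/dataset\n' "$1" "$2"
}

# download_os_dataset <appliance-host> <api-token> [output-file]
# Resolves the FLEET ecosystem id via the API, then fetches the dataset zip.
# The bearer header and the /rc2 prefix on the list endpoint are assumptions.
download_os_dataset() {
    appliance="$1"; token="$2"; out="${3:-os-dataset.zip}"
    id=$(curl -fsS -H "Authorization: Bearer $token" \
            "https://$appliance/rc2/api/v2/rca-instances/1/ecosystems" | fleet_ecosystem_id)
    [ -n "$id" ] || { echo "no FLEET ecosystem found in the response" >&2; return 1; }
    curl -fsS -H "Authorization: Bearer $token" -o "$out" "$(dataset_url "$appliance" "$id")"
    echo "$out"
}

# Offline demo: resolve the id from the constructed sample and print the URL.
# Live usage: download_os_dataset rca.example.internal "$RCA_TOKEN" os-dataset.zip
if [ "${1:-}" = "demo" ]; then
    id=$(printf '%s' "$SAMPLE_ECOSYSTEMS" | fleet_ecosystem_id)
    dataset_url rca.example.internal "$id"
fi
```

The token is passed as an argument only for brevity; in a real job read it from an environment variable or a file with restrictive permissions so that it does not show up in shell history or process listings, and keep curl's default certificate verification on (do not add -k), since the appliance certificate is exactly what the section below tells you to make trustworthy.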

How to replace the Fleet service self-signed SSL certificate

By default, the agent connections to the Runecast Analyzer are secured using a self-signed SSL certificate. We recommend replacing it with a CA-signed certificate.

To generate a new Fleet certificate, perform the following steps:

  1. Generate a key and a CSR for the new certificate. Replace rca-server-name and 10.0.0.10 with the real hostname and IP address of Runecast Analyzer. Both files are written to the current directory; step 3 copies them into place.

    openssl genrsa -out server.key 2048
    openssl req \
        -key server.key \
        -subj '/CN=rca-server-name' \
        -addext 'subjectAltName = DNS:rca-server-name,IP:10.0.0.10,IP:127.0.0.1' \
        -addext 'extendedKeyUsage = serverAuth' \
        -new -sha256 -out server.csr
    

    Warning

    Important! Keep 127.0.0.1 in subjectAltName; otherwise internal communication between components will stop working.

  2. Send the resulting server.csr file to your certificate authority and obtain the certificate. Name the file server.crt.

  3. Place the server.key and the server.crt in the /etc/runecast/fleet/ directory:

    sudo cp /tmp/server.key /etc/runecast/fleet
    sudo cp /tmp/server.crt /etc/runecast/fleet
    sudo chown root:fleet /etc/runecast/fleet/server.key /etc/runecast/fleet/server.crt
    sudo chmod 640 /etc/runecast/fleet/server.key /etc/runecast/fleet/server.crt
    sudo systemctl restart fleet.service
    
  4. Replace osquery-ca.crt on the agents with the certificate chain of the certificate authority that signed the Fleet server certificate. Obtain the installation package from Runecast Analyzer, replace the file inside it, and use the usual automated way to update the agents.
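Two things commonly go wrong in the procedure above: the 127.0.0.1 entry is dropped from the CSR, or the CA issues a certificate that does not match the key or omits the requested SANs. The script below is an added example, not Runecast's own tooling; it wraps step 1 in a function and adds the checks to run before sending the CSR and again before copying server.crt into /etc/runecast/fleet/. It assumes the openssl CLI (1.1.1 or newer, for -addext) and that the CA chain has been saved as ca-chain.pem.

```shell
#!/bin/sh
# Added example (not Runecast tooling): create the Fleet key/CSR with the required
# SANs and verify the CSR and the CA-issued certificate before installing them.
set -eu

# make_fleet_csr <hostname> <ip> [dir]
# Same request as step 1 of the procedure, parameterised; writes server.key and
# server.csr into dir (default: current directory).
make_fleet_csr() {
    host="$1"; ip="$2"; dir="${3:-.}"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -key "$dir/server.key" \
        -subj "/CN=$host" \
        -addext "subjectAltName = DNS:$host,IP:$ip,IP:127.0.0.1" \
        -addext 'extendedKeyUsage = serverAuth' \
        -new -sha256 -out "$dir/server.csr"
}

# check_fleet_sans <req|x509> <file>
# Prints "ok" when the CSR (req) or certificate (x509) still carries
# IP:127.0.0.1 and the serverAuth EKU, otherwise "missing".
check_fleet_sans() {
    txt=$(openssl "$1" -in "$2" -noout -text)
    if printf '%s' "$txt" | grep -q 'IP Address:127\.0\.0\.1' \
       && printf '%s' "$txt" | grep -q 'TLS Web Server Authentication'; then
        echo ok
    else
        echo missing
    fi
}

# check_fleet_cert <server.crt> <server.key> <ca-chain.pem>
# Prints "ok" when the certificate belongs to the key, chains to the CA, and
# kept the SANs from the CSR (some CAs silently drop requested extensions).
check_fleet_cert() {
    crt="$1"; key="$2"; chain="$3"
    pub_from_crt=$(openssl x509 -in "$crt" -noout -pubkey)
    pub_from_key=$(openssl pkey -in "$key" -pubout)
    [ "$pub_from_crt" = "$pub_from_key" ] || { echo "key mismatch"; return 1; }
    openssl verify -CAfile "$chain" "$crt" >/dev/null 2>&1 \
        || { echo "chain verification failed"; return 1; }
    [ "$(check_fleet_sans x509 "$crt")" = ok ] || { echo "SAN or EKU missing"; return 1; }
    echo ok
}

# Usage: sh fleet-cert-check.sh <hostname> <ip> [dir]
# Generates the key and CSR, then reports whether the CSR is ready to send to the CA.
if [ $# -ge 2 ]; then
    make_fleet_csr "$1" "$2" "${3:-.}"
    echo "CSR check: $(check_fleet_sans req "${3:-.}/server.csr")"
fi
```

Run check_fleet_cert on the returned server.crt before step 3; if it reports "SAN or EKU missing", ask the CA to re-issue with the CSR's extensions rather than installing the certificate, because a certificate without the 127.0.0.1 entry triggers exactly the failure the warning in step 1 describes.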