System Requirements

The following sections detail the capacity and configuration requirements for the deployment of Runecast Analyzer. Customers can deploy the application on supported platforms:

• VMware vSphere as a pre-packaged OVA image available on the Runecast Portal or the VMware Marketplace
• Amazon AWS as a pre-built AMI image available on the AWS Marketplace
• Microsoft Azure as a pre-built image available on the Azure Marketplace
• Kubernetes via Helm chart hosted in the Runecast Helm chart repository

To access the Runecast Analyzer Web Interface after deployment, please use one of the supported browsers.

VMware vSphere

• VMware vSphere infrastructure should already be deployed. ESXi hosts must be v6.x and above, and these must be managed by vCenter v6.x or v7.x.

• The Runecast Analyzer appliance is typically deployed into an existing vSphere infrastructure. Appropriate resource allocation for the appliance is selected during the deployment process. The standard sizing options are small/medium/large; with resources allocated as follows:

  Note

  If you plan to use OS analaysis, use Medium or Large sized appliance.

  • Small (use this configuration for small environments: up to 50 Hosts)

    • 2 vCPU
    • 12 GB RAM
    • 120 GB Storage
    • 100 Mbit network (1 Gbit or above recommended)

  • Medium (use this configuration for medium environments: up to 150 Hosts)

    • 4 vCPU
    • 16 GB RAM
    • 120 GB Storage
    • 100 Mbit network (1 Gbit or above recommended)

  • Large (use this configuration for large environments: up to 1200 Hosts)

    • 8 vCPU
    • 32 GB RAM
    • 120 GB Storage
    • 100 Mbit network (1 Gbit or above recommended)

• Internet Connectivity - Runecast Analyzer is packaged as a virtual appliance in OVA format that is deployed into your virtual infrastructure. All data and logic necessary for full operation are contained in the appliance. No data is transmitted from the Runecast Analyzer outside of your datacenter. Optionally, customers can connect the Runecast Analyzer to the Internet to download zero-touch updates for knowledge definitions and application updates. An entirely off-line update mechanism is provided using files (.ISO and .bin) made available from the user portal.

AWS

• An active AWS account is required to deploy Runecast Analyzer.
• Deployment requires the following resources (customers can reuse existing resources):
  • VPC
  • Network subnet with Internet Gateway attached
  • Security Group allowing the following incoming communication:
    • Ports TCP 443 (HTTPS) and TCP 22 (SSH)
    • If OS Analysis is used, port TCP 8443 (HTTPS) for agents communication

Azure

• An active Microsoft Azure cloud account is required to deploy Runecast Analyzer.
• Deployment requires the following resources (customers can reuse existing resources):
  • Azure Active Directory
  • Active subscription
  • Virtual Network
  • Subnet
  • Public IP for accessing over internet
  • Network Security Group with the following incoming communication allowed:
    • TCP 443 (HTTPS) for accessing the web interface and TCP 22 (SSH) for the remote management
    • If OS Analysis is used, port TCP 8443 (HTTPS) for agents communication

Kubernetes

• Any K8s cluster that supports Helm - on-premises upstream open-source Kubernetes version based cluster, or commercial solutions like HPE Ezmeral, Amazon EKS, Microsoft AKS or Google GKE.

• Helm 3 (Helm 2.2.0+ should work but is not validated)

  Tip

  To find out how to install and use Helm, please visit the Helm website on https://helm.sh/.

• By default, the application is deployed with the following settings:

  • Requests
    • 2.5 CPU
    • 6.9 GB RAM
  • Limits
    • 5.5 CPU
    • 12 GB RAM
  • 60 GB persistent storage

Runecast is an HPE Technology Partner, and Runecast Analyzer is validated for deployment on HPE Ezmeral Container Platform. To find more about Runecast Analyzer on HPE Ezmeral please see the HPE Ezmeral Marketplace page https://www.hpe.com/us/en/software/marketplace/runecast.html.

Analyzed System Privileges

VMware vCenter Server

A user with the following privilege at the vCenter level is required to connect to a VMware vCenter Server:

Minimum requirement

• Read Only

Note

The minimum required permission for the Analyzer to perform scanning is Read Only. However, in this case, collection will not be fully comprehensive and it will not be possible to report issues related to some areas of the configuration, such as device-specific info from ESXi hosts (driver, firmware). This is due to the way specific data is exposed through the vSphere permissions model.

To provide a fully comprehensive analysis, the additional privileges provided below will ensure that sufficient information is collected for 100% of the checks performed by Runecast Analyzer.

Recommended

vCenter privilege	Description
Host > CIM > CIM interaction	CIM collection
Global > Settings	vSAN configuration collection
Host > Configuration > Firmware	Host files collection
Host > Configuration > Change settings	Kernel modules collection
Host > Configuration > Advanced settings Host > Configuration > Change settings Host > Configuration > Security profile and firewall	Automatic ESXi Syslog configuration
Virtual Machine > Change Configuration > Advanced Configuration	Automatic VM Syslog configuration
Extension > Register extension Extension > Update extension	Automatic Web Client registration
Host profile > View Host profile > Edit	Automatic Host Profile collection
Host > Configuration > Change settings Global > Settings	HW Compatibility
Agentless Scanning privileges (what is agentless scanning?)
Virtual Machine > Snapshot management > Create snapshot Virtual Machine > Snapshot management > Remove snapshot	On target VMs
Virtual Machine > Change Configuration > Add existing disk Virtual Machine > Change Configuration > Remove disk Virtual Machine > Interaction > Reset	On a scanner VM

Tip

A PowerCLI script to automatically create Runecast Role with the above permissions is available at https://github.com/Runecast/public/blob/master/PowerCLI/createRunecastRole.ps1.

Note

For a complete evaluation of security profiles such as DISA STIG for vSphere 7, vSphere 8, or VMware Security Configuration and Hardening Guide, please ensure that the service account used by Runecast Analyzer to connect to the vCenter Server is a member of the SystemConfiguration.SupportUsers and SystemConfiguration.BashShellAdministrators SSO groups. This will allow a limited log bundle and SSH collection which enables automatic evaluation of additional vCenter Server rules. For user's convenience, if SSH is disabled Runecast will attempt to temporary enable it for the duration of the data collection and then again disable it.

VMware NSX-V

NSX-V is supported by connecting to an NSX-V Manager when paired with a vCenter instance. Runecast Analyzer supports NSX-V Manager v6.2 and above.

For connection to NSX-V, a user with the following privileges in NSX Manager is needed:

Minimum requirement

• Auditor

Recommended

• Security administrator – required to leverage the NSX-V Custom Dashboard Widget for Runecast.

Note

Due to NSX-V Manager’s constraints before v6.3.3, Runecast Analyzer cannot automatically validate that an NSX-V Manager is registered to a specific vCenter. You will be asked to confirm during the connection process.

Authentication source

Domain

Domain users are supported on NSX-V 6.4 and later.

Local

Local CLI user can be created following the below procedure:

1. Open console session to NSX-V Manager and log in with the Administrator account
2. Switch to Privilege mode using the enable command
3. Switch to Configuration mode using the configure terminal command

4. Add a CLI user account using the user <username> password (hash | plaintext) <password> command

   Example: user cliuser password plaintext abcd1234

5. Save the configuration with write memory command

6. Allow the created CLI user to run the REST API calls using the user <username> privilege web-interface command
7. Issue POST request to https://<NSX-IP>/api/2.0/services/usermgmt/role/<username>?isCli=true endpoint with user having administrator privileges to assign a role to the newly created CLI user. Example of the body content assigning auditor privilege:

   <accessControlEntry>
   <role>auditor</role>
   <resource>
   <resourceId>globalroot-0</resourceId>
   </resource>
   </accessControlEntry>    
   

8. Now you'll be able to use the new CLI user for connection to NSX-V Manager

VMware NSX-T

VMware NSX-T Data Center is supported by connecting to an NSX-T Manager, NSX-T Global Manager or its Cluster Virtual IP. Runecast Analyzer supports NSX-T version 2.4 and above.

For connection to NSX-T, a user with the following privileges in NSX-T Manager is needed:

Minimum requirement

• Auditor

VMware Horizon

VMware Horizon is supported by connecting to a Connection Server. For Connection Servers that are part of a single replication group, it is required to establish the connection to only one Connection Server which belongs to the group. Also, if there is a Load Balancer configured with session persistence, it can be used to connect to a Connection Server in a replication group. Runecast Analyzer supports Horizon v6.x and above.

For connection to a Connection Server, a user with the following privileges in Horizon is needed:

Minimum Requirement

• Administrators (Read-only).

VMware Cloud Director

VMware Cloud Director is supported by connecting to the provider portal. Runecast Analyzer supports VMware Cloud Director version 10.0 and above.

For connection to VMware Cloud Director, a user with the following privileges on the vCD provider level is needed:

Minimum Requirement

• A role with View-only permissions.

AWS

Amazon Web Services is supported by connecting to an AWS Account with access key or role-based authentication.

Access key authentication

For connection to an AWS Account using access key, we recommend using an account with Programmatic access only. To limit the operational overhead, we suggest using the AWS managed ReadOnlyAccess policy. This will cover future functionality and analysis capability provided by Analyzer, without the need to adjust the policy very often.

Note

In the Runecast SaaS deployment model it's possible to utilize the access key authentication and perform agentless scanning. To achieve this, additional policy needs to be assigned to the IAM user

Follow the steps below to allow angentless scaninig, using access key authentication:

1. Open AWS console of the desired account and select Identity and Access Management (IAM) service.
2. Under Access Management -> Policies select Create policy and follow the 2 steps:
   1. Switch to JSON in the policy permissions, paste the following policy definition and click Next.

          {
              "Version": "2012-10-17",
              "Statement": [
                  {
                      "Sid": "Statement1",
                      "Effect": "Allow",
                      "Action": [
                          "lambda:InvokeFunction"
                      ],
                      "Resource": [
                          "arn:aws:lambda:*:*:function:RunecastAgentlessInitialLambda-*"
                      ]
                  }
              ]
          }
      

   2. Provide RunecastAgentlessScanPolicy as a name and click on Create policy.
3. Select the newly created policy as additional one for the IAM user which is used for the access key authentication.

Role-based authentication

Info

IAM role-based authentication is supported only using the Runecast SaaS deployment model

It's also possible to use IAM role-based authentication to connect to AWS account. Follow the steps described in the AWS connection dialog to properly configure it.

Microsoft Azure

Azure AD is supported by connecting an Azure Application. To create the Azure Application and assign the required permissions, please follow these steps:

1. Login to the Azure Portal
2. Navigate to Azure Active Directory

3. From the left side menu, click on App registrations then click on New Registration

   

4. Provide a name for the application and select Accounts in this organizational directory only (Demo-directory only - Single tenant). Leave Redirect URI empty

   

5. Once the application is created, make a note of the Application (client) ID and Directory (tenant) ID shown in the application Overview page

6. Click on Certificates & secrets under Manage in the left side menu of the app

7. Under the Client secrets section, click on New client secret

   

8. Provide a suitable description for the client secret and select the expiration as per your organization policy. We recommend 1 year expiry for client secrets

9. Make a note of the newly created client secret value
10. Click on the API permissions under Manage in the left side menu of the App

11. Under Configured permissions section, add application permission for Directory.Read.All from Graph API and click on Grant Admin Consent for Demo-directory

    

    If you do not have admin privileges, please refer to the below link.
    https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?tabs=azure-portal

    With the help of your administrator, you can change User consent settings.

12. Navigate to the Subscriptions page and select the subscription for which you want to scan from Runecast Analyzer

13. From the left side menu of subscription, click on Access control (IAM) and select Role assignments then click on Add and select Add role assignment

14. Select Reader as a role and set Assign access to to option User, group, or service principal. Under Select provide the name of your app created in step 5 and click on Save

    

GCP

Create a GCP Service Account with access assigned on organization level. To limit the operational overhead, we suggest using the predefined GCP roles as seen below.

To configure the Service Account, you will need to be member of the Organization Administrator role.

1. Navigate to IAM & Admin > IAM in the GCP Console.
2. Select the organization from the top bar.
3. Click on Service accounts in the left sidebar.
4. Click the + Create Service Account button:
   • Name the service account
   • Optionally, provide a description
   • Click Create and Continue

5. Assign Roles to the Service Account:

   • Click Select a role
   • Assign the following roles:
     • Viewer Role
     • Folder Viewer
     • Firebase Viewer
     • Organization Role Viewer
   • Click Continue

6. Generate a JSON Keyfile:

   • Click on Service accounts in the left sidebar
   • Find and click on the service account
   • In Service account details, click on Keys > Add Key > Create new key
   • Select JSON and click Create

   Note

   Save the JSON keyfile immediately as it cannot be downloaded again

   Note

   In case you want to omit certain projects / folders from being analyzed you can create a deny policy.

7. In order to create, updated, and delete deny policies you need to have the Deny Admin role.

8. Create a Deny Policy .json File, see example below:
   

   {
       "displayName": "My deny policy.",
       "rules": [
   {
     "denyRule": {
       "deniedPrincipals": [
         "principal://goog/subject/adri1.test@test.com"
       ],
       "deniedPermissions": [
         "cloudresourcemanager.googleapis.com/projects.get"
                   ]
               }
           }
       ]
   }
   

9. Run the following gcloud command to apply the deny policy:
   

   gcloud beta iam policies create <name of your deny policy> \
   --attachment-point=cloudresourcemanager.googleapis.com/projects/<PROJECT ID> \
   --kind=denypolicies \
   --policy-file= <Name of your file that has the deny rules and principals; must be a .json file>
   

   You can configure the policy in JSON format directly in the Google Cloud Deny policy page.

This will cover the analysis capability provided by Runecast Analyzer and also future functionality without the need to adjust the permissions often.

Kubernetes

Kubernetes data is collected:

• By connecting to the API server address using a service account token authentication. The connection to the API can be done via a load balancer address or directly to one of the master nodes.
• From a DaemonSet-deployed Runecast Node Collector. During K8s analysis, Runecast uses the above-mentioned API connection to create a temporary DaemonSet in a user-defined namespace (by default runecast). Once the collection is complete, the pods will send the collected information to a callback address and the DaemonSet is removed. Both the namespace and the callback address can be configured in the connection settings. The pods need root privileges and use the hostPID to gather all the required node configuration information (like kubelet parameters, file permissions, etc.). The container image for the DaemonSet will be fetched from AWS public container registry (public.ecr.aws).

Info

Runecast Analyzer follows an extended version of the Kubernetes lifecycle policy, testing and validating against the current Kubernetes release, as well as the three previous releases. Managed Kubernetes environments, including Amazon EKS, Microsoft AKS, Google GKE, and HPE Ezmeral Container Platform are supported. However, as these services may limit access to the control plane, Runecast Analyzer cannot provide results for the control plane (as such, results in these environments are for the customer deployed clusters or workloads only).

To get the service account token, you need to create a service account first. The service account needs to have appropriate permissions to perform all the collection tasks. We provide you with a script to make the settings easy, please see below.

List of required permissions

API collection requirements

cluster role option	cluster role option values
verbs	get list watch
resources	nodes namespaces pods replicationcontrollers serviceaccounts services daemonsets.apps deployments.apps replicasets.apps statefulsets.apps cronjobs.batch jobs.batch networkpolicies.networking.k8s.io podsecuritypolicies.policy clusterrolebindings.rbac.authorization.k8s.io clusterroles.rbac.authorization.k8s.io rolebindings.rbac.authorization.k8s.io roles.rbac.authorization.k8s.io

Node collection requirements

role option	role option values
verbs	create update patch delete
resources	daemonsets.apps

To obtain the API address, port, and service account token, from the management workstation where K8s command-line access is configured, follow the next steps:

1. Switch to the context of the cluster you are going to connect to in Runecast Analyzer:

   kubectl config use-context <context name>
   

   Tip

   In VMware Tanzu, use kubectl vsphere login --server=<KUBERNETES-CONTROL-PLANE-IP-ADDRESS> --vsphere-username <VCENTER-SSO-USER> to log in to the cluster and then the above-mentioned command to switch to the context of the required workload cluster. To find out more information about connecting to Tanzu Kubernetes Cluster, please see the official documentation.

2. Issue the following commands to find out the API address and port:

   bash

   CURRENT_CONTEXT=$(kubectl config view -o jsonpath="{.current-context}")
   CURRENT_CLUSTER=$(kubectl config view -o jsonpath="{.contexts[?(@.name=='$CURRENT_CONTEXT')].context.cluster}")
   echo $(kubectl config view -o jsonpath="{.clusters[?(@.name=='$CURRENT_CLUSTER')].cluster.server}")
   

   PowerShell

   $CURRENT_CONTEXT=(kubectl config view -o jsonpath="{.current-context}")
   $CURRENT_CLUSTER=(kubectl config view -o jsonpath="{.contexts[?(@.name=='$CURRENT_CONTEXT')].context.cluster}")
   Write-Host (kubectl config view -o jsonpath="{.clusters[?(@.name=='$CURRENT_CLUSTER')].cluster.server}")
   

3. Create a service account with the appropriate permissions and read its token.

   Note

   Please note that since K8s 1.24 the service account token is not created automatically and the steps for K8s 1.24 and above slightly differ.

   You can use the following commands to perform the task:

   K8s below 1.24

   bash

   # set the namespace where the service account will be created
   NAMESPACE='runecast'
   
   # create the namespace and the service account
   kubectl create namespace ${NAMESPACE}
   kubectl create serviceaccount runecast-scan -n ${NAMESPACE}
   
   # create the clusterrole (API collection)
   kubectl create clusterrole runecast-api-collection --verb=get,list,watch --resource=nodes,namespaces,pods,replicationcontrollers,serviceaccounts,services,daemonsets.apps,deployments.apps,replicasets.apps,statefulsets.apps,cronjobs.batch,jobs.batch,networkpolicies.networking.k8s.io,podsecuritypolicies.policy,clusterrolebindings.rbac.authorization.k8s.io,clusterroles.rbac.authorization.k8s.io,rolebindings.rbac.authorization.k8s.io,roles.rbac.authorization.k8s.io
   
   # bind the clusterrole (API collection)
   kubectl create clusterrolebinding runecast-api-collection --clusterrole=runecast-api-collection --serviceaccount=${NAMESPACE}:runecast-scan
   
   # create the role (node collection)
   kubectl create role runecast-node-collection -n ${NAMESPACE} --verb=create,update,patch,delete --resource=daemonsets.apps
   
   # bind the role (node collection)
   kubectl create rolebinding runecast-node-collection -n ${NAMESPACE} --role=runecast-node-collection --serviceaccount=${NAMESPACE}:runecast-scan
   
   # output the service account token
   kubectl get serviceaccounts runecast-scan -n ${NAMESPACE} -o jsonpath='{.secrets[].name}' | xargs kubectl get secret -n ${NAMESPACE} -o jsonpath='{.data.token}' | base64 -d | awk '{print $1}'
   

   PowerShell

   # set the namespace where the service account will be created
   $namespace = 'runecast'
   
   # create the namespace and the service account
   kubectl create namespace $namespace
   kubectl create serviceaccount runecast-scan -n $namespace
   
   # create the clusterrole (API collection)
   kubectl create clusterrole runecast-scan --verb=get,list,watch --resource=nodes,namespaces,pods,replicationcontrollers,serviceaccounts,services,daemonsets.apps,deployments.apps,replicasets.apps,statefulsets.apps,cronjobs.batch,jobs.batch,networkpolicies.networking.k8s.io,podsecuritypolicies.policy,clusterrolebindings.rbac.authorization.k8s.io,clusterroles.rbac.authorization.k8s.io,rolebindings.rbac.authorization.k8s.io,roles.rbac.authorization.k8s.io
   
   # bind the clusterrole (API collection)
   kubectl create clusterrolebinding runecast-scan --clusterrole=runecast-scan --serviceaccount="$($namespace):runecast-scan"
   
   # create the role (node collection)
   kubectl create role runecast-node-collection -n $namespace --verb=create,update,patch,delete --resource=daemonsets.apps
   
   # bind the role (node collection)
   kubectl create rolebinding runecast-node-collection -n $namespace --role=runecast-node-collection --serviceaccount=${NAMESPACE}:runecast-scan
   
   # output the service account token
   $secretname = kubectl get serviceaccounts runecast-scan -n $namespace -o json | ConvertFrom-json | % { $_.secrets.name }
   $token = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($(kubectl get secret $secretname -n $namespace -o json | ConvertFrom-Json | % { $_.data.token})))
   $token | Set-Clipboard
   Write-Host "the service account token was copied to clipboard:`n$($token)`n"
   

   K8s 1.24 and above

   bash

   # set the namespace where the service account will be created and the token validity, 8760h = 1 year
   NAMESPACE='runecast'
   TOKEN_VALIDITY='8760h'
   
   # create the namespace and the service account
   kubectl create namespace ${NAMESPACE}
   kubectl create serviceaccount runecast-scan -n ${NAMESPACE}
   
   # create the clusterrole (API collection)
   kubectl create clusterrole runecast-api-collection --verb=get,list,watch --resource=nodes,namespaces,pods,replicationcontrollers,serviceaccounts,services,daemonsets.apps,deployments.apps,replicasets.apps,statefulsets.apps,cronjobs.batch,jobs.batch,networkpolicies.networking.k8s.io,clusterrolebindings.rbac.authorization.k8s.io,clusterroles.rbac.authorization.k8s.io,rolebindings.rbac.authorization.k8s.io,roles.rbac.authorization.k8s.io
   
   # bind the clusterrole (API collection)
   kubectl create clusterrolebinding runecast-api-collection --clusterrole=runecast-api-collection --serviceaccount=${NAMESPACE}:runecast-scan
   
   # create the role (node collection)
   kubectl create role runecast-node-collection -n ${NAMESPACE} --verb=create,update,patch,delete --resource=daemonsets.apps
   
   # bind the role (node collection)
   kubectl create rolebinding runecast-node-collection -n ${NAMESPACE} --role=runecast-node-collection --serviceaccount=${NAMESPACE}:runecast-scan
   
   # create and output the service account token
   kubectl create token runecast-scan --duration=${TOKEN_VALIDITY} -n ${NAMESPACE}
   

   PowerShell

   # set the namespace where the service account will be created and the token validity, 8760h = 1 year 
   $namespace = 'runecast'
   $token_validity = '8760h'
   
   # create the namespace and the service account
   kubectl create namespace $namespace
   kubectl create serviceaccount runecast-scan -n $namespace
   
   # create the clusterrole (API collection)
   kubectl create clusterrole runecast-scan --verb=get,list,watch --resource=nodes,namespaces,pods,replicationcontrollers,serviceaccounts,services,daemonsets.apps,deployments.apps,replicasets.apps,statefulsets.apps,cronjobs.batch,jobs.batch,networkpolicies.networking.k8s.io,clusterrolebindings.rbac.authorization.k8s.io,clusterroles.rbac.authorization.k8s.io,rolebindings.rbac.authorization.k8s.io,roles.rbac.authorization.k8s.io
   
   # bind the clusterrole (API collection)
   kubectl create clusterrolebinding runecast-scan --clusterrole=runecast-scan --serviceaccount="$($namespace):runecast-scan"
   
   # create the role (node collection)
   kubectl create role runecast-node-collection -n $namespace --verb=create,update,patch,delete --resource=daemonsets.apps
   
   # bind the role (node collection)
   kubectl create rolebinding runecast-node-collection -n $namespace --role=runecast-node-collection --serviceaccount="$($namespace):runecast-scan"
   
   # create and output the service account token
   $token = kubectl create token runecast-scan --duration=$token_validity -n $namespace
   $token | Set-Clipboard
   Write-Host "the service account token was copied to clipboard:`n$($token)`n"
   

Operating Systems

Operating Systems (OS) Analysis consists of two components:

• OS analysis service running on Runecast Analyzer appliance,
• OS agents running on operating systems, collecting data and reporting to OS Analysis service.

Before activating OS Analysis in Runecast Analyzer:

• make sure you are running OVA with the size of medium or large to fulfill the performance needs. Please see the System Requirements chapter for more information.
• prepare a DNS hostname or FQDN record pointing to Runecast Analyzer, that will be used by the OS agents to communicate with the OS analysis service. Alternatively, you can use the Runecast Analyzer IP address.
• install mysql-server package from public Ubuntu repositories, by following steps:
  • Enable SSH, as described in Advanced Configuration
  • Login using SSH to Runecast VM
  • Execute the script: /opt/runecast/scripts/install_mysql.sh

After the OS analysis service is enabled, you will need to download the OS agent installation packages and deploy them to target operating systems. The packages are preconfigured to connect to the OS analysis service and contain a service certificate for trust verification and enrollment secret to allow the agent to register with the service.

To deploy OS agents:

• you will need administrative rights on the target computer to install agents,
• the agent is running under SYSTEM account on Windows, root account on Linux.

Note

Please refer to the OS agents chapter on the Deployment page for more information about OS agent deployment.

When the OS agent is started for the very first time, it tries to connect to the OS analysis service using a user-defined hostname or FQDN (provided when enabling the service), verifies the service certificate is trusted and performs the enrollment. After the OS agent is enrolled, it will periodically send a status message to the OS analysis service and will collect data on-demand.

Network connectivity

Source	Destination	Protocol	Port	Description	Comment
RCA	vCenter	TCP	443	Collection of data using vSphere SDK (vCenter, ESXi, VMs configuration settings)	required for core product functionality
RCA	vCenter	TCP	5480	Collection of data using VCSA REST API	required for extended security rules evaluation (vSphere 7.0 U1 and later)
RCA	vCenter	TCP	22	Collection of data using SSH	required for extended security rules evaluation via SSH
RCA	ESXi	TCP	443	Collection of data from ESXi servers (file-level configuration settings)	required for file-level checks
RCA	ESXi	TCP	5988, 5989	CIM data collection from ESXi servers	required for CIM data
RCA	NSX Manager	TCP	443	Collection of data using NSX-v REST API (NSX configuration settings)	required for core product functionality (in case NSX-v functionality is required)
RCA	NSX-T Manager	TCP	443	Collection of data using NSX-T REST API (NSX-T configuration settings)	required for core product functionality (in case NSX-T functionality is required)
RCA	AWS	TCP	443	Collection of data using AWS REST API (AWS configuration settings)	required for core product functionality (where AWS functionality is required)
RCA	Azure	TCP	443	Collection of data using Azure REST API (Azure configuration settings)	required for core product functionality (where Azure functionality is required)
RCA	GCP	TCP	443	Collection of data using GCP REST API (GCP configuration settings)	required for core product functionality (where GCP functionality is required)
RCA	Horizon	TCP	443	Collection of data using Horizon API (Horizon configuration settings)	required for core product functionality (in case Horizon functionality is required)
RCA	Kubernetes API	TCP	6443	Collection of data using Kubernetes API (Kubernetes configuration settings)	required for core product functionality (in case Kubernetes functionality is required)
RCA	Container image repository (default: hub.docker.com)	TCP	443	Access to container images for scanning	required for core product functionality (in case container image scanning functionality is required)
RCA	Cloud Director	TCP	443	Collection of configuration data using vCD API	required for core product functionality (in case vCD functionality is required)
OS agents	RCA	TCP	8443	Collection of OS agents data	required for Operating Systems data collection
ESXi	RCA	UDP	514	Syslog data collection	required for log analysis
RCA	updates.runecast.com	TCP	443	Application and rules definition updates	required for online updates only
User browser	RCA	TCP	80, 443	RCA web interface	HTTP always redirects to HTTPS
vSphere Web Client	RCA	TCP	443	Web client plugin communication to RCA	required for displaying results in WebClient
REST API client	RCA	TCP	443	Runecast API client’s communication	required for REST API
Enterprise Console (EC)	RCA	TCP	443	Single pane of Glass to RCA communication	required for displaying results from multiple Analyzers
RCA	DC	TCP & UDP	88	RCA communication to DC	required for Kerberos authentication
RCA	LDAP	TCP	389	RCA communication to AD	required for connection to a DC on a regular LDAP port
RCA	LDAP SSL	TCP	636	RCA communication to AD	required for connection to a DC on a protected LDAPS port
RCA	DNS	TCP & UDP	53	RCA communication to DNS	required for core product functionality
RCA	NTP servers (default: ntp.ubuntu.com)	UDP	123	RCA time synchronization	required to keep appliance time in sync