What is an Issue?

In Runecast, an Issue represents a discovered problematic combination of infrastructure values such as configuration settings, log patterns, software and hardware types and versions, etc. The discovered combination of values is considered problematic based on information from various sources, including VMware Knowledge Base articles, the official VMware Security Hardening Guide, and industry Best Practices.

An issue in Runecast has several fields:

  • Severity: This grades the estimated importance of the issue based on its general impact and importance. Depending on the specifics of your environment, it is possible that certain issues may have a different importance than the suggested severity.

  • AppliesTo: The virtual infrastructure layer the issue affects – Compute, Network, Storage, VM, Management.

  • Affects: The infrastructure quality the issue affects – Availability, Manageability, Performance, Recoverability, Security.

  • Products: The products supported by Runecast:

    • VMware - vSphere, NSX-V, NSX-T, vSAN, VMware Cloud Director, Horizon.

    • AWS - EC2, IAM, S3, RDS, Redshift, VPC, CloudFront, Lambda, EFS, AWS Inspector, CloudTrail, EKS, AWS Health, AWS Config, CloudWatch.

    • Kubernetes

  • Objects: The number of objects (e.g. VMs, Hosts, Datastores, Instances, Buckets) affected by this issue.

  • Title: A short description of the issue.

  • Count: This field is applicable only to log-related KBs. The number of problematic log pattern occurrences within the specified period of time.

  • Last seen date: This field is applicable only to log-related KBs. The last date and time when the problematic log pattern was detected.

  • Result: This field is applicable only to the Security Hardening section. It presents the status of the security rule based on the findings: Pass or Fail.

  • Vulnerability id: This field is applicable only to DISA STIG. The identification id set by Information Assurance Support Environment on their rules list.

  • Control id: This field is applicable only to PCI DSS. The identification id set by Payment Card Industry Security Standards Council on their documentation list.

  • Milestone: This field is applicable only to PCI DSS. Milestones are defined in the PCI DSS standard to enable you to use the “Prioritized Approach” to prioritize higher risk issues.

  • Rule ID: This field is applicable only to HIPAA. The identification id set by Health Insurance Portability and Accountability Act on their documentation list.

  • Building Block: This field is applicable only to BSI IT-Grundschutz. The identification id set by Bundesamt für Sicherheit in der Informationstechnik on their IT-Grundschutz documentation list.

  • Recommendation Section: This field is applicable only to CIS. The identification id set by Center for Internet Security on their documentation list.

  • Level: This field is applicable only to CIS. The benchmark defines the identification id of the existing configuration profiles.

  • Scored: This field is applicable only to CIS. A scoring status indicates whether compliance with the given recommendation impacts the assessed target's benchmark score.

  • Priority: This field is applicable only to NIST. The recommended priority codes used for sequencing decisions during security control implementation.

  • Controls: This field is applicable only to NIST. The identification id set by National Institute of Standards and Technology on their documentation list.

  • Category: This field is applicable only to GDPR. The area that customers need to strengthen to keep their private data safe.

  • Technical control theme: This field is applicable only to Cyber Essentials. The area that customers need to strengthen to keep their private data safe.

  • Articles: This field is applicable only to GDPR. The identification id on the GDPR documentation.

  • ISO controls: This field is applicable only to ISO 27001. The identification id set by International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) on their documentation list.

  • Mitigation strategy: This field is applicable only to Essential Eight. The Strategies to Mitigate Cyber Security Incidents is a prioritised list of mitigation strategies to assist organisations in protecting their systems against a range of adversaries. The mitigation strategies can be customised based on each organisation’s risk profile and the adversaries they are most concerned about.

Once you expand an issue in the Runecast interface, you can view additional fields:

  • Issue ID: A unique identifier of each rule.

  • Source: The source describing the issue – Knowledge Base, Security Hardening Guide, Best Practice.

  • Reference: A link to online resources further describing the issue.

  • Date of last update: The date when the issue definition was last updated in the Runecast database.

  • Impact: The relative potential impact of the issue – 1 is low and 3 is high.

  • Importance: The importance of this issue – 1 is low and 3 is high. The issue importance depends on the infrastructure quality it relates to (Availability, Manageability, Performance, Recoverability, Security) and the infrastructure layer it impacts (Compute, Storage, Network, VM, Management). For example, if the issue is Security- or Availability-related and applies to the Compute layer then the Importance will be higher. If the issue impacts Manageability of individual VMs then the Importance will be lower.

  • Risk rating: The sum of Impact and Importance.

  • Findings: This is an important tab that shows the list of affected objects (e.g. VMs, Hosts, Datastores, Instances, Buckets). For each object, the settings that were found to be problematic or the log messages that need to be reviewed are displayed. Click on an object from the affected objects list on the left to see the list of findings listed on the right. The findings list displays the description and current value of each finding that needs to be reviewed. In case of log-related KBs, you can see the exact log messages associated with the described issue.

  • Note: Here you can add a note to any Knowledge Base article, Best Practice or Security Hardening check. Notes are linked to the check itself, not to a detected issue, so even if a Security Hardening check has Pass status, you can still add a note to it.

  • Ignore: Lets you filter out the current KB/SH/BP for the infrastructure objects you select.