As I mentioned in my recent newsletter, I am going to get Runecast working in my lab. I heard from others how cool it is, and while I knew that, I did not put the priority on it. Now I am. So join me while I deploy, and configure Runecast. We will make it work, and make sure it can scan successfully and that will be the end of this article. We will explore things in other articles.
One of the important things that Runecast does, is find where you depart from a variety of security baselines and best practices. But, if that departure makes sense in your environment at least you know about it and can ignore it. But it is very good at finding issues!
Update: this article was created for 1.8.1 but was recently updated to work with 2.6. That means 1.8.1 specific information is not present any longer and some of the screenshots have been updated for specific 2.6 functionality.
Update: this article was updated for 4.3. BTW, in this version I learned of some amazing stuff like Enterprise Console, AWS support, and more security checks.
Update: used this article with v4.7.2 and it worked good.
BIG UPDATE: if you are interested in purchasing RuneCast, reach out to Matthew Grant (firstname.lastname@example.org) and mention my name, and you will get a 5% discount.
Things to have ready
You should have a few things ready:
- Bits – you can download the trial, or the real bits (an OVA file) at this link. Which are the same but the license makes them work different (a little).
- The release notes and docs are available in the same portal as the bits.
- Service account that Runecast can use to talk to vCenter. It can be read only, but if you want more info it should have more rights and they list them in the User Guide – in fact they tell you what else you need and why, which is quite nice. I am going to use a domain user account with admin vCenter rights to make it easy.
- License – you also get this file in the same portal as docs and bits.
- You should have ready the FQDN, and IP info. It is a good habit to have it defined in DNS already.
Only specify one DNS server! In older versions if you did you would not have an IP at boot. But you could fix it through the console. It appears in 2.6 to fix this issue you need to redeploy.
- During the deploy you will get to choose Small, Medium, or Large. Be aware that the resources will be large if you select large.
Be aware that if you are doing a trial that you do not get access to all the info that you would as a licensed user (for example, none of the device specific info from ESXi hosts – like driver and firmware).
While you deploy – it is an OVA file so pretty easy, I notice that they have the wonderful extra config that includes:
keyboard.typematicMinDelay = 2000000
In case you wonder, if you are working at distance, with latency, and you are working in a VM console you can have some issues typing, and that command above fixes it.
You will need the IP and FQDN info as part of deploy.
The deploy process is like all the other OVA deploys you did.
I use the Small choice as I have less than 10 hosts to worry about and want to keep resource utilization low as reasonable.
And once it is deployed, we need to power it up.
Configuration – basic
After the OVA is deployed, and booted you can check the VM Summary screen to make sure you see the right IP and DNS info. Then check the console to see the URL to the app, as well as the admin UI. We need to do a few thing in the admin UI. Prior to 2.0 the admin UI was VAMI based, but as of 2.0 it has become console based. So access the console via the Web Client or VMRC and you will need to hit F1 and authenticate (account rcadmin, password admin). You will see something like below.
I went through it to confirm my network settings and change my password.
We are done now, and can log out, but I had hoped, expected, to be able to define some NTP servers and my timezone. We will see if that works elsewhere.
Configuration – inside the UI
We now want to work inside the app so we access the application UI:
And at 2.6 that did not work for me in Chrome. It timed out. I used Safari and found it was able to connect fine. I restarted Chrome and it still could not connect. I cleared the cache and still could not connect. It also worked in Firefox. So I use Safari. And we see the main login screen. (update: after I updated to 2.6.1 I was able to use Chrome with no issues.)
We can log in using the default credentials of rcuser with password of Runecast! As this is our first time logging in, and we have no vCenter connection we are prompted to make one.
So we connect to vCenter and other stuff if we need to. Then we look at security profiles – and there is quite a few of them to select from.
I will select the VMware Guidelines option but there is many other choices!
Next there is the schedule.
After the schedule option there is an overview and then it does your first analyze.
I like doing daily scans as it helps me be proactive. BTW, did you know that they do approximately 32k worth of checks in a scan? Wow.
Some of you may not want to scan that often, but I want to know of issues sooner, particularly security related issues.
The scan completes fairly quickly and I have a number of issues to deal with. 1 Critical and 7 Major, hopefully is not too bad.
Now lets add our license. You need to reach up to the top right for the gear icon, then use the License tab. You use the Add License button and select the license file.
After you load the license file you will see a screen like below.
You will move your vCenter and hosts to the Licensed hosts box. You may be able to move all or only some depending on your license. You can use the double >> to all of your hosts at once.
Once you select the orange Assign License button you will see something like below – and be licensed!
If you leave settings, you can get back to it by selecting the gear icon in the top right corner.
Now we are going to change the password to the rcuser account. Lets select the User Profile button on the Settings bar.
You can see the gear icon above we will use to edit the password.
Changing the password was a bit harder than I expected. It always said my passwords did not match. Of course, what makes me smile is I copied and pasted the password. Turns out the issue was I had a special character in the password. So use only numbers, letters, upper case letters, and punctuation. This is still correct for 1.8.1 and 2.0.1 but not sure if it is still true in 2.6 as I just used the same password as in older versions.
I like to log out and back in here to confirm my new password works.
Now, I want to add Runecast to my vSphere Web Client. Lets do that before we do an analyze.
So back into Settings if you left, and on the vCenter Connection screen you can see an Edit button. Select it.
Once you select the Install Plugin button you see a different and bigger screen.
We will be using the big orange button. But I do like how they have a PowerCLI script too. A few moments after we hit the Install button we should see success.
We have some extra steps to do now to make it work. Note that we have to do this twice! Once in FLEX and once in HTML5 – if you are working with vSphere 7 like I am you only need do it once (HTML5). Now select API Access tokens in the orange bar.
Now use the orange Generate button. Provide a description.
Once you hit the Generate button you will see a new access token in a green bar, make sure to copy it to Notepad or somewhere safe. We will need to use it. Once you have done that select I understand. After you select it you will see something like below.
Now, log into the vSphere Client. If it is open, log out, and then log back in. Once back in, navigate to Administration > Runecast > Settings. Note: I was not able to do this in the HTML5 client so log into the Flex version! After it is done in FLEX you can do it in HTML5.
Now add your RuneCast FQDN, and paste the API access token. Once filled in you will see a green bar.
Use the Save Settings button, and then use the Go To Main View link.
If you did a scan when you first connected and configured you will not see the above but rather see a bunch of other things – problems most likely!
One more thing to do before our first scan. We need to configure log collection. If we are already forwarding logs to our Log Insight server – like I am, that is no problem as ESXi can handle several log destinations.
Now do this in the HTML5 client.
Back into Settings, then change to the Log Analysis tab.
I like the default config of only saving 30 days of logs. If we had to, we could use the Edit button to tweak the settings. Now expand the vC, seen above as Lefroy.
Note the little wrench seen above and with the red arrows? We use that to enable the log forwarding to Runecast. We are not going to have the VM logs forwarded to Runecast yet as I am not sure if I need that.
Lets hit the wrench for the hosts.
Now we should ignore the hint at the bottom of the screen. It confused me. Checkbox each of the hosts and hit Configure.
After you hit OK, and a few moments later it looks green.
Now, since I am careful, and maybe a tiny little bit paranoid, I will go visit Log Insight and make sure my host are still sending to it. And they do appear to be so that is good.
You may notice I did not enable the capture of VM logs, and not sure why not. I will do that later if / when I find out more about it.
Our First Scan
We do not have to wait for the scheduled scan, but lets do a manual scan to make sure things work! From the Dashboard, and in the top right hit that big blue Analyze now button.
It will take a bit of time. Maybe 2 minutes and you dashboard will update.
So it doesn’t look too good for me. But not too bad – I hope. But things are working. I love the idea of the Issue History.
This is now the end of the this deploy and configure article and I will do one soon looking at what was found.
We did a scan so that is good. But lets be sure that things are good.
- We use the HTML5 client and change to the Monitor view of a VM and see Runecast info.
- We use the FLEX client client and change to Monitor and make sure we see Runecast info.
- We do a scan and make sure we see things we know to be true. Such as old guest hardware on appliances.
So we do have a good install and see lots of useful info. Most excellent!
- 12/6/20 – used with 4.7 and it worked good. Some slight visual differences in the UI but nothing serious or confusing.
- 5/9/20 – this article was used with 4.3 and it did not need much updating either.
- 4/7/19 – finished my review. In the middle of doing plug-ins, there was a 184.108.40.206 update so dealt with that.
- 4/6/19 – doing the 2.6 install, so went through and updated or simplified the article as necessary. I am using vSphere 6.7 U1 with Runecast 2.6.
- 12/16/18 – I wanted to do the 2.5 upgrade – which I was excited for the Horizon support, but when I checked it had already been done! I had only to update the web client plug-in. So consider me impressed.
- 9/23/18 – I used this article with 2.0.1. In fact I had heard that there was no upgrade from 1.8.1 so I deleted it and did this install. I did reach out to people at Runecast and confirmed there is no upgrade path at this time. They made serious improvements in the appliance and it made an upgrade very tricky. Support can help you migrate notes if you have those but I don’t so was easy to delete and re-deploy.
- 8/6/18 – I used this article with 1.8.1. Worked good, but there are some slight changes that I tried to update above. Short on time as I have a dinner to be ready but will update as necessary in the future. Of note, in this version you cannot install the plug-in on 6.7.
=== END ===