Runecast 3.1 with German BSI Grundschutz compliance monitoring

Runecast Analyzer scans VMware infrastructures for known issues against the VMware-KB, checks hardware compatibility against HCL and compares current settings with VMware best-practice-guidelines and security baselines like DISA STIG, PCI DSS or HIPAA. The most recent version 3.1 now contains baselines from German Federal Office for Information Security (BSI). Germany is an important market for Runecast, so including BSI IT-Grundschutz (BSI IT-Baseline) was an important step to win new customers – especially in the public sector. One of the key selling points of Runecast in that market is its ability to work completely offline. No need to send any data into the cloud. You may update the appliance or get new signatures online, but you can also do this offline by mounting an ISO-image. Yes, Germany is special in that respect, but we had some…. issues.

To demonstrate all new features, Runecast will have a webinar on October 23rd 2019 at 10.00 am (CEST). Registration is free but priceless. Stanimir Markov (CEO) and Robert Berger will talk about BSI IT-Grundschutz Automation within Runecast Analyzer 3.1.

Update to latest version

Existing appliances will usually update automatically within a user defined time frame. If you want to push it fast you can do it manually from the console.

This installation would update itself tonight, because I’ve configured automatic updates. But I will show here how to trigger it manually. To do so open the VM web- or remote console interface and login as “rcadmin” (default password is “admin”).

Use arrow keys to navigate to “Updates” and select “Check for update and install”.

The update procedure will take a couple of minutes and requires a reboot to finish.

After reboot you can check the version in the web interface.

BSI IT Grundschutz Compendium

To check your infrastructure against IT Grundschutz compendium, you first have to select it from the available baselines. Settings > Security compliance.

Click “Edit” to add or remove baselines.

You’ll find the new baseline in your dashboard below “Security Hardening”.

If you click on the new baseline you might see an empty list. Most likely there wasn’t any scheduled scan since you’ve activated the new baseline. Runecast usually scans daily but you can also trigger a scan by clicking “Analyze now”. Depending on the size of your infrastructure this might take a couple of minutes.

Like in other modules you’ll see failed issues first, ordered by severity. At the end you’ll see all tests that your infrastructure has passed.

Looking at details you’ll see a short abstract of the issue and a hyperlink to the corresponding section of the BSI IT compendium. In the Findings section you’ll see all VMs or hosts that are affected by the issue.

You don’t have to follow all advises. Our example in the picture above shows a complaint that the OS does not comply with EAL 4 standard. It states that software has to be methodically designed, tested an reviewed. ESXi 6.7 U3 is not on the list. Such certifications are time consuming and expensive. No wonder that VMware’s latest release is not on the list. Looking at the list of certified operating systems made me chuckle. There you’ll find Windows2000, XP, ESX3.5 and ESX4.0. I will not comment on that. 🙂


All findings can be easiliy exported into reports. You can have PDF, CSV or just copy them to the clipboard. Archive these reports for future audits and make the auditor happy.


Leave a Reply

Your email address will not be published. Required fields are marked *