Learn how to install GRR (Google Rapid Response) server and client on Ubuntu to perform instigations.
GRR (Google Rapid Response) is an incident response framework based on Python that can be used for live forensics and investigations. It allows you to examine and attacks and perform analysis remotely.
GRR can be deployed in a server-client architecture. It comes with a web-based user interface that allows you to analyze data collected from the clients. It provides support for Linux, Mac OS X, and Windows OS.
- A server running Ubuntu 18.xx
- A root password is set up on your server
Before starting, you will need to update your system with the latest version. You can do it by running the following command:
apt-get update -y
Once your system is updated, restart the system to apply all the changes.
Install and Configure Database
First, you will need to install the MariaDB database server to your system. You can install it with the following command:
apt-get install mariadb-server -y
Once the installation has been completed, secure the MariaDB installation by running the following command:
Answer all the questions as shown below:
Enter current password for root (enter for none): Set root password? [Y/n]: N Remove anonymous users? [Y/n]: Y Disallow root login remotely? [Y/n]: Y Remove test database and access to it? [Y/n]: Y Reload privilege tables now? [Y/n]: Y
Once the MariaDB is secured, log in to MariaDB shell with the following command:
mysql -u root -p
Enter your root password. Then, create a database and user for GRR with the following command:
MariaDB [(none)]> CREATE DATABASE grr; MariaDB [(none)]> GRANT ALL PRIVILEGES ON grr.* TO 'grr'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;
Next, flush the privileges and exit from the MariaDB shell with the following command:
MariaDB [(none)]> FLUSH PRIVILEGES; MariaDB [(none)]> EXIT;
Next, restart the MariaDB service with the following command:
systemctl restart mariadb
You can check the status of MariaDB service with the following command:
systemctl status mariadb
You should see the following output:
mariadb.service - MariaDB 10.1.38 database server Loaded: loaded (/lib/systemd/system/mariadb.service; enabled; vendor preset: enabled) Active: active (running) since Fri 2019-04-12 15:11:14 UTC; 54min ago Docs: man:mysqld(8) https://mariadb.com/kb/en/library/systemd/ Main PID: 1050 (mysqld) Status: "Taking your SQL requests now..." Tasks: 46 (limit: 1113) CGroup: /system.slice/mariadb.service └─1050 /usr/sbin/mysqld Apr 12 15:10:53 ubuntu1804 systemd: Starting MariaDB 10.1.38 database server... Apr 12 15:11:07 ubuntu1804 mysqld: 2019-04-12 15:11:07 140152311749760 [Note] /usr/sbin/mysqld (mysqld 10.1.38-MariaDB-0ubuntu0.18.04.1) Apr 12 15:11:14 ubuntu1804 systemd: Started MariaDB 10.1.38 database server. Apr 12 15:11:14 ubuntu1804 /etc/mysql/debian-start: Upgrading MySQL tables if necessary. Apr 12 15:11:15 ubuntu1804 /etc/mysql/debian-start: /usr/bin/mysql_upgrade: the '--basedir' option is always ignored Apr 12 15:11:15 ubuntu1804 /etc/mysql/debian-start: Looking for 'mysql' as: /usr/bin/mysql Apr 12 15:11:15 ubuntu1804 /etc/mysql/debian-start: Looking for 'mysqlcheck' as: /usr/bin/mysqlcheck Apr 12 15:11:15 ubuntu1804 /etc/mysql/debian-start: This installation of MySQL is already upgraded to 10.1.38-MariaDB, use --force if you Apr 12 15:11:15 ubuntu1804 /etc/mysql/debian-start: Checking for insecure root accounts. Apr 12 15:11:15 ubuntu1804 /etc/mysql/debian-start: Triggering myisam-recover for all MyISAM tables and aria-recover for all Aria tables lines 1-21/21 (END)
Once you have done, you can proceed to the next step.
Install GRR Server
First, you will need to download a GRR package from their official GitHub repository.
You can download it with the following command to download the GRR 184.108.40.206 version.
Once the download is completed, you can install the downloaded file with the following command:
dpkg -i grr-server_3.2.4-6_amd64.deb
Next, install the required dependencies with the following command:
apt-get install -f
During the installation, you will need to provide some details like, database host, username, password, GRR URLS and Admin password as shown below:
Running grr_config_updater initialize To avoid this prompting, set DEBIAN_FRONTEND=noninteractive ################################################################# Checking write access on config /etc/grr//server.local.yaml Step 0: Importing Configuration from previous installation. No old config file found. Step 1: Setting Basic Configuration Parameters We are now going to configure the server using a bunch of questions.-=GRR Datastore=-For GRR to work each GRR server has to be able to communicate withthe datastore. To do this we need to configure a datastore.GRR will use MySQL as its database backend. Enter connection details:MySQL Host [localhost]:MySQL Port (0 for local socket) :MySQL Database [grr]:MySQL Username [root]: grrPlease enter password for database user grr:Successfully connected to MySQL with the provided details.-=GRR URLs=-For GRR to work each client has to be able to communicate with theserver. To do this we normally need a public dns name or IP addressto communicate with. In the standard configuration this will be usedto host both the client facing server and the admin user interface.Please enter your hostname e.g. grr.example.com [ubuntu1804]: 192.168.0.104-=Server URL=-The Server URL specifies the URL that the clients will connect tocommunicate with the server. For best results this should be publiclyaccessible. By default this will be port 8080 with the URL ending in /control.Frontend URL [http://192.168.0.104:8080/]:-=AdminUI URL=-:The UI URL specifies where the Administrative Web Interface can be found.AdminUI URL [http://192.168.0.104:8000]:-=GRR Emails=-GRR needs to be able to send emails for various logging andalerting functions. The email domain will be appended to GRRusernames when sending emails to users.-=Monitoring/Email Domain=-Emails concerning alerts or updates must be sent to this domain.Email Domain e.g example.com [localhost]:-=Alert Email Address=-Address where monitoring events get sent, e.g. crashed clients,broken server, etc.Alert Email Address [grr-monitoring@localhost]:-=Emergency Email Address=-Address where high priority events such as an emergency ACL bypass are sent.Emergency Access Email Address [grr-emergency@localhost]:Rekall is no longer actively supported. Enable anyway? [yN]: [N]:Step 2: Key GenerationAll keys will have a bit length of 2048.Generating executable signing keyGenerating CA keysGenerating Server keysGenerating secret key for csrf protection.Repacked into /usr/share/grr-server/executables/installers/grr_220.127.116.11_amd64.debGRR Initialization complete! You can edit the new configuration in /etc/grr//server.local.yaml.Please restart the service for the new configuration to take effect.#################################################################Install complete.
Now, restart the GRR service to apply all the changes:
systemctl restart grr-server
You can now check the status of GRR with the following command:
systemctl status grr-server
You should see the following output:
grr-server.service - GRR Service Loaded: loaded (/lib/systemd/system/grr-server.service; enabled; vendor preset: enabled) Active: active (exited) since Fri 2019-04-12 15:57:09 UTC; 6s ago Docs: https://github.com/google/grr Process: 7178 ExecStop=/bin/systemctl --no-block stop grr-server@admin_ui.service email@example.com firstname.lastname@example.org grr-s Process: 7215 ExecStart=/bin/systemctl --no-block start grr-server@admin_ui.service email@example.com firstname.lastname@example.org grr Main PID: 7215 (code=exited, status=0/SUCCESS) Apr 12 15:57:09 ubuntu1804 systemd: Starting GRR Service... Apr 12 15:57:09 ubuntu1804 systemd: Started GRR Service.
Access GRR Web Interface
GRR is now installed and listening on port 8000 (Admin) and 8080 (Frontend).
To access the GRR Admin interface, open your web browser and type the URL http://192.168.0.104:8000.
You will be asked to provide Admin username and password, use admin as the user and the password you set during the installation. Then, click on the OK button. You will be redirected to the following page:
Install GRR Client
First, log in to your GRR server web interface and navigate to Manage Binaries tab on the left pane. You should see the various clients versions like, RHEL, Debian, and BSD in the following page:
Now, Your distro is Ubuntu 18.04. So, click on the grr_18.104.22.168_amd64.deb to download the GRR client for Ubuntu.
Once the download is completed, install the downloaded file with the following command:
dpkg -i grr_22.214.171.124_amd64.deb
The above command will install the GRR client to your system and automatically registers itself to the GRR server.
You can also check the status of GRR with the following command:
systemctl status grr
You should see the following output:
grr.service - grr linux amd64Loaded: loaded (/lib/systemd/system/grr.service; enabled; vendor preset: enabled)Active: active (running) since Fri 2019-04-12 16:24:39 UTC; 16s agoMain PID: 3305 (grrd)Tasks: 6 (limit: 847)CGroup: /system.slice/grr.service├─3305 /usr/sbin/grrd --config=/usr/lib/grr/grr_126.96.36.199_amd64/grrd.yaml└─3306 /usr/sbin/grrd --config=/usr/lib/grr/grr_188.8.131.52_amd64/grrd.yamlApr 12 16:24:39 ubuntu1804 systemd: Started grr linux amd64.
Now, go to the GRR server web interface, click on the Search Box and press Enter. You should see your Client in the following page:
Now, click on your Client to see more details as shown in the following page:
Next, we will list the processes running on the Client.
To do so, click on Start new flows > Processes > ListProcesses, Under Connection State, select Established and click on the Launch to launch the flow. You should see the following page:
Next, click on the Manage launched flows > ListProcesses > Results to see the results of the ListProcesses flow in the following page:
Congratulations! You have successfully installed the GRR server and client. Go ahead and play around with the tool.