Documentation for the GRR Rapid Reponse framework
Home Page: https://grr-doc.readthedocs.io/
License: Apache License 2.0
This repository contains GRR documentation sources. Rendered documentation is hosted on grr-doc.readthedocs.io.
See this document if you're interesting in fixing/contributing to the docs.
When I attempt to follow:
http://grr-response.blogspot.com/2014/10/using-distributed-data-store-in-grr.html
The following test command works fine:
/usr/share/grr-server/bin/python /usr/share/grr-server/lib/python2.7/site-packages/grr/server/data_server/data_server.py --config=/etc/grr/server.local.yaml --master --verbose
Yet when I do a systemctl restart grr-server (samething for stop/start) I dont see the port listening on 7000, but I do see the other ports (8080,8000) listening and I do see the processes running.
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1312/sshd
tcp 0 0 0.0.0.0:44449 0.0.0.0:* LISTEN 14900/python
tcp 0 224 172.31.25.121:22 :64257 ESTABLISHED 1352/sshd: ubuntu [
tcp6 0 0 :::8080 :::* LISTEN 14910/python
tcp6 0 0 :::22 :::* LISTEN 1312/sshd
tcp6 0 0 :::8000 :::* LISTEN 14900/python
root 14891 0.0 0.0 19704 3284 ? Ss Feb18 0:00 /bin/bash /usr/bin/grr_server --component ui --disallow_missing_config_definitions -p StatsStore.process_id=ui_c08493b14788489686337d6813ce5190
root 14892 0.0 0.0 19704 3292 ? Ss Feb18 0:00 /bin/bash /usr/bin/grr_server --component http_server --disallow_missing_config_definitions -p StatsStore.process_id=http_server_c08493b14788489686337d6813ce5190
root 14893 0.0 0.0 19704 3228 ? Ss Feb18 0:00 /bin/bash /usr/bin/grr_server --component worker2 --disallow_missing_config_definitions -p StatsStore.process_id=worker2_c08493b14788489686337d6813ce5190
root 14900 0.1 4.6 730456 187964 ? Sl Feb18 2:18 /usr/share/grr-server/bin/python /usr/share/grr-server//bin/grr_server --context Global Install Context --component ui --disallow_missing_config_definitions -p StatsStore.process_id=ui_c08493b14788489686337d6813ce5190
root 14903 0.0 0.0 19704 3296 ? Ss Feb18 0:00 /bin/bash /usr/bin/grr_server --component worker --disallow_missing_config_definitions -p StatsStore.process_id=worker_c08493b14788489686337d6813ce5190
root 14909 0.4 4.7 802000 193920 ? Sl Feb18 6:07 /usr/share/grr-server/bin/python /usr/share/grr-server//bin/grr_server --context Global Install Context --component worker2 --disallow_missing_config_definitions -p StatsStore.process_id=worker2_c08493b14788489686337d6813ce5190
root 14910 0.2 4.6 726740 189024 ? Sl Feb18 4:02 /usr/share/grr-server/bin/python /usr/share/grr-server//bin/grr_server --context Global Install Context --component http_server --disallow_missing_config_definitions -p StatsStore.process_id=http_server_c08493b14788489686337d6813ce5190
root 14911 0.4 4.8 802256 196456 ? Sl Feb18 6:00 /usr/share/grr-server/bin/python /usr/share/grr-server//bin/grr_server --context Global Install Context --component worker --disallow_missing_config_definitions -p StatsStore.process_id=worker_c08493b14788489686337d6813ce5190
Server.initialized: 'True'
Datastore.implementation: SqliteDataStore
Frontend.bind_port: '8080'
Dataserver.server_list:
Thoughts?
google/grr@204602d removed the option Datastore.security_manager, however the documentation still points to it in the auditing session, as the way to enable full access control: https://github.com/google/grr-doc/blame/master/admin.adoc#L373-L375
AdminUI Context:
Datastore.security_manager: FullAccessControlManager
API.DefaultRouter: ApiCallRouterWithApprovalChecksWithoutRobotAccess
I understand that simply using the last line is enough, but to avoid confusion (and errors when trying to configure the server), removing that line ( Datastore.security_manager: FullAccessControlManager) would be great!
I ran into an error running install_script_ubuntu.sh and I am not sure how to correct it. Can anyone help. Thanks.
System info: VMWare 12.1 Windows 10 host / Ubuntu 14.04 server (VM Guest) 2 GB mem
Received the following error:
Collecting codegen==1.0 (from -r requirements.txt (line 28))
Downloading codegen-1.0.tar.gz
Collecting distorm3==3.3.0 (from -r requirements.txt (line 29))
Could not find a version that satisfies the requirement distorm3==3.3.0 (from -r requirements.txt (line 29)) (from versions: 3.3.1)
No matching distribution found for distorm3==3.3.0 (from -r requirements.txt (line 29))
/usr/local/lib/python2.7/dist-packages/pip/vendor/requests/packages/urllib3/util/ssl.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
FAILURE RUNNING: pip install -r requirements.txt
Hello group,
could someone help me with my grr installation on Ubuntu 16.04 server.
I followed the simple install script on a brand new server installtion and everything passed without an issue. Just when I access the grr-service on port 8000 I get the below error. - Any help would be highly appreciated. :-)
Thanks a lot
Marcus
ValueError at /
need more than 1 value to unpack
Request Method: GET
Request URL: http://192.168.178.51:8000/
Django Version: 1.8.3
Exception Type: ValueError
Exception Value:
need more than 1 value to unpack
Exception Location: /usr/share/grr-server/local/lib/python2.7/site-packages/grr/gui/webauth.py in SecurityCheck, line 64
Python Executable: /usr/share/grr-server/bin/python
Python Version: 2.7.12
Python Path:
['/usr/share/grr-server/bin',
'/usr/share/grr-server/lib/python2.7',
'/usr/share/grr-server/lib/python2.7/plat-x86_64-linux-gnu',
'/usr/share/grr-server/lib/python2.7/lib-tk',
'/usr/share/grr-server/lib/python2.7/lib-old',
'/usr/share/grr-server/lib/python2.7/lib-dynload',
'/usr/lib/python2.7',
'/usr/lib/python2.7/plat-x86_64-linux-gnu',
'/usr/lib/python2.7/lib-tk',
'/usr/share/grr-server/local/lib/python2.7/site-packages',
'/usr/share/grr-server/local/lib/python2.7/site-packages/IPython/extensions']
Server time: Sat, 3 Sep 2016 12:57:05 -0500
Environment:
Request Method: GET
Request URL: http://192.168.178.51:8000/
Django Version: 1.8.3
Python Version: 2.7.12
Installed Applications:
()
Installed Middleware:
('django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware')
Traceback:
File "/usr/share/grr-server/local/lib/python2.7/site-packages/django/core/handlers/base.py" in get_response
response = wrapped_callback(request, _callback_args, *_callback_kwargs)
return WEBAUTH_MANAGER.SecurityCheck(func, request, _args, *_kwargs)
" ").split(" ", 1)
Exception Type: ValueError at /
Exception Value: need more than 1 value to unpack
When running import_nsrl_hashes.py to import the NSRL the following error is received:
Traceback (most recent call last):
File "import_nsrl_hashes.py", line 100, in
flags.StartMain(main)
File "/usr/share/grr-server/local/lib/python2.7/site-packages/grr/lib/flags.py", line 121, in StartMain
main([sys.argv[0]])
File "import_nsrl_hashes.py", line 83, in main
startup.Init()
File "/usr/share/grr-server/local/lib/python2.7/site-packages/grr/lib/startup.py", line 86, in Init
ConfigInit()
File "/usr/share/grr-server/local/lib/python2.7/site-packages/grr/lib/startup.py", line 37, in ConfigInit
config_lib.ParseConfigCommandLine()
File "/usr/share/grr-server/local/lib/python2.7/site-packages/grr/lib/config_lib.py", line 1662, in ParseConfigCommandLine
CONFIG.Initialize(filename=flags.FLAGS.config, must_exist=True)
File "/usr/share/grr-server/local/lib/python2.7/site-packages/grr/lib/config_lib.py", line 1178, in Initialize
raise ConfigFormatError("Unable to parse config file %s" % filename)
grr.lib.config_lib.ConfigFormatError: Unable to parse config file /etc/grr/grr-server.yaml
Running the installation script throws an exception while collecting distorm3=3.3.1 (no matching distribution found for distorm3=3.3.1 from -r requirements.txt file line 29)
Tested in Ubuntu 14.10 LTS as root user.
Are there logs, which show end point connectivity logs & management/console access/user activity logs ? Thanks
Hi,
Is there any guide how to translate this documentation to other languages?
Does it need *.po files to do so?
The program for exporting data from GRR has changed.
I believe grr_file_exporter's functionality is now in grr_exporter. The syntax has changed.
Minor issue, but was wondering if the installation script was supposed to exit if a user chooses not to go ahead with the install (if MySQL is chosen as the DB choice and the DB is not yet ready):
Ex.
Step 2: Setting Basic Configuration Parameters
We are now going to configure the server using a bunch of questions.
-=GRR Datastore=-
For GRR to work each GRR server has to be able to communicate with the
datastore. To do this we need to configure a datastore.
1. SQLite (Default) - This datastore is stored on the local file system. If you
configure GRR to run as non-root be sure to allow that user access to the files.
2. MySQL - This datastore uses MySQL and requires MySQL 5.6 server or later
to be running and a user with the ability to create the GRR database and tables.
The MySQL client binaries are required for use with the MySQLdb python module as
well.
Datastore [1]: 2
***WARNING***
Do not continue until a MySQL server, version 5.6 or greater, is running and a
user with the ability to create the GRR database and tables has been created.
You will need the server, username, password, and database name (if already
created) to continue. If no database has been created this script will attempt
to create the necessary database and tables using the credentials provided.
***WARNING***
Are you ready to continue?[Yn]: n
Are you ready to continue?[Yn]: n
Are you ready to continue?[Yn]: n
Are you ready to continue?[Yn]: n
Are you ready to continue?[Yn]: n
Are you ready to continue?[Yn]: n
Are you ready to continue?[Yn]: n
Are you ready to continue?[Yn]: n
Are you ready to continue?[Yn]: n
Are you ready to continue?[Yn]: n
Are you ready to continue?[Yn]: n
Are you ready to continue?[Yn]: n
Thanks,
Wes
When I execute the GRR agent install file it doesn't completely install on my Windows Clients. I can see the process and service that starts up but few seconds later it will die. Anyone experienced this before?
At some point during installation the machine I was working on got in a bad state where /etc/grr's ymls were not being created by install_script_ubuntu.sh and the rest of the install failed. Running through installfromsource ended up solving my problem but I can't say which step actually did the trick. It would be good for the docs to have a section on removing a grr install and/or restarting from scratch. Or at least a section in the troubleshooting guide to cover such scenarios.
Environment : Ubuntu 15.04 Desktop
Before installation by
wget https://raw.githubusercontent.com/google/grr/master/scripts/install_script_ubuntu.sh
sudo bash install_script_ubuntu.sh
I replaced systemd with upstart, as seen in the error below the sh script requires upstart, ## still this error was emitted
Error Output----------------------------------------------------------------------------------------------------------------
...
...
/usr/share/grr/executables/darwin/templates/grr-client_3.0.0.7_amd64.pkg.xar repacked ok.
Initialization complete, writing configuration.
Please restart the service for it to take effect.
Enable grr services to start automatically on boot
Run . /usr/share/grr/scripts/shell_helpers.sh [Y/n/a]?
Run enable_services grr-http-server [Y/n/a]?
Starting grr-http-server
initctl: Unable to connect to Upstart: Failed to connect to socket /com/ubuntu/upstart: Connection refused
Failed to start grr-http-server.service: Unit grr-http-server.service failed to load: No such file or directory.
FAILURE RUNNING: enable_services grr-http-server
sport@ubuntu:~$
I cant find my clients in the admin UI.
I followed the Troubleshooting guide and no luck. I do see the client installed on multiple systems. Same results. This is a snippet from one. On all systems I am able to download the server.pem
[root@ip-172-31-8-37 ~]# ls /usr/lib64/grr/grr_3.1.0.2_i386/grrd
/usr/lib64/grr/grr_3.1.0.2_i386/grrd
[root@ip-172-31-8-37 ~]# ps -aux | grep grr
root 16886 0.0 0.0 2424 512 pts/0 S 22:08 0:00 /usr/lib64/grr/grr_3.1.0.2_i386/grrd --config=/usr/lib64/grr/grr_3.1.0.2_i386/grrd.yaml
root 16888 0.2 3.0 72888 30612 pts/0 Sl 22:08 0:01 /usr/lib64/grr/grr_3.1.0.2_i386/grrd --config=/usr/lib64/grr/grr_3.1.0.2_i386/grrd.yaml
[root@ip-172-31-8-37 ~]# cat /var/log/grr_installer.txt
Loading configuration from /usr/lib64/grr/grr_3.1.0.2_i386/grrd.yaml
Loading configuration from /usr/lib64/grr/grr_3.1.0.2_i386/build.yaml
Starting installation procedure for GRR client.
Initializing Installer
Redirecting to /bin/systemctl stop grrd.service
[root@ip-172-31-8-37 ~]# /usr/lib64/grr/grr_3.1.0.2_i386/grrd --config /usr/lib64/grr/grr_3.1.0.2_i386/grrd.yaml --verbose
INFO:2016-07-18 22:20:33,670 log:197] Starting GRR Prelogging buffer.
INFO:2016-07-18 22:20:33,746 config_lib:1103] Loading configuration from /usr/lib64/grr/grr_3.1.0.2_i386/grrd.yaml
INFO:2016-07-18 22:20:33,751 config_lib:1103] Loading configuration from /usr/lib64/grr/grr_3.1.0.2_i386/build.yaml
INFO:2016-07-18 22:20:33,756 config_lib:1103] Loading configuration from /etc/grr.local.yaml
INFO:2016-07-18 22:20:33,756 config_lib:809] Configuration writeback is set to /etc/grr.local.yaml
DEBUG:2016-07-18 22:20:33,756 log:155] Initializing Logging subsystem.
DEBUG:2016-07-18 22:20:33,756 log:107] Will use logging engines ['stderr']
DEBUG:2016-07-18 22:20:33,757 registry:166] Initializing CommunicatorInit
DEBUG:2016-07-18 22:20:33,757 registry:166] Initializing CommsInit
DEBUG:2016-07-18 22:20:33,758 registry:166] Initializing VFSInit
DEBUG:2016-07-18 22:20:33,758 registry:166] Initializing InitHook
INFO:2016-07-18 22:20:33,792 comms:1490] Starting client aff4:/C.e0a1962c8bf444ba
DEBUG:2016-07-18 22:20:33,795 admin:314] Sending startup information.
INFO:2016-07-18 22:20:33,801 comms:1174] Server PEM re-keyed.
INFO:2016-07-18 22:20:33,827 comms:1338] aff4:/C.e0a1962c8bf444ba: Sending 2(779), Received 0 messages in 0.00859999656677 sec. Sleeping for 600.0
Saying data_store not defined... ?
NameError Traceback (most recent call last)
/usr/share/grr-server/local/lib/python2.7/site-packages/grr_response_server/bin/console.pyc in ()
----> 1 print data_store.REL_DB.ReadClientSnapshot(u"")
NameError: name 'data_store' is not defined
Hi,
We're getting ready to deploy GRR on a larger scale, but repacking clients as described in the docs is not working because the docs are deprecated:
https://github.com/google/grr-doc/blob/master/admin.adoc#repacking-clients-with-custom-labels-multi-organization-deployments
(many of the CLI options are either renamed or doesn't exists anymore)
I also found this thread that describes the a newer way of doing it which actually is sane to the latest stable GRR release (3.1.0.2)
https://groups.google.com/forum/#!searchin/grr-users/repacking|sort:relevance/grr-users/PUpiGT9zPuw/7G5OM-yLQwAJ
For example:
root@grr:~# grr_client_build buildandrepack --template /usr/share/grr-server/grr-response-templates/templates/
Building installers for: ['AllPlatforms Context']
Repacking AllPlatforms Context as grr with labels: []
Repacking template: /usr/share/grr-server/grr-response-templates/templates/grr_3.1.0.2_amd64.deb.zip
Loading configuration from /tmp/tmp5If28L/grrd.yaml
Configuration writeback is set to /tmp/tmp5If28L/grrd.yaml
Writing back configuration to file /tmp/tmp5If28L/grrd.yaml
Build Config Error: Empty Client.server_urls
Build Config Error: Missing Client.executable_signing_public_key.
Build Config Error: CA certificate missing from config.
Repacking template /usr/share/grr-server/grr-response-templates/templates/grr_3.1.0.2_amd64.deb.zip failed: Bad configuration generated. Terminating.
Failed to repack /usr/share/grr-server/grr-response-templates/templates/grr_3.1.0.2_amd64.deb.zip.
Complete, installers for ['AllPlatforms_Context'] are in /usr/share/grr-server/executables/2017-04-24T20:55:15Z/linux_amd64_deb
I can't find grrd.yaml in the docs nor in the grr installations (done with the provided script)
According to https://mkdocs.readthedocs.io/en/0.9/user-guide/writing-your-docs/ the syntax for linking to sections in internal pages is supposed to be something like:
project license for further details.
However, links like these do not work on readthedocs.io. E.g, on this page
http://grr-doc.readthedocs.io/en/v3.2.2/deploying-grr-clients/overview.html
the html anchor tag 'Linux instructions' has the href attribute
http://grr-doc.readthedocs.io/en/v3.2.2/deploying-grr-clients/on-linux.md#uninstalling-grr
which goes to a page that doesn't exist on the documentation site ("SORRY This page does not exist yet.").
Note that the '.md' in the hyperlink url does not get replaced with '.html'.
Here are all the places where we try to link to sections in internal pages:
$ grep * -R -e 'md#'
deploying-grr-clients/overview.md:A quick manual on how to remove the GRR client completely from a machine is included in the platform-specific docs: [Windows instructions](on-windows.md#uninstalling-grr), [OSX instructions](on-mac-os-x.md#uninstalling-grr), [Linux instructions](on-linux.md#uninstalling-grr)
faq.md:time](admin.md#building-clients-with-custom-labels-multi-organization-deployments),
faq.md:system](user_manual.md#artifacts).
faq.md:AdminUI](admin.md#authentication-to-the-admin-ui)
maintaining-and-tuning/scaling.md:The [GRR server components](implementation.md#grr-component-overview)
release-notes.md:versions](admin.md#client-and-server-version-compatibility-and-numbering).
release-notes.md: [here](faq.md#what-operating-system-versions-does-the-client-support)
release-notes.md:versions](admin.md#client-and-server-version-compatibility-and-numbering).
I'm looking to install Grr server on a CentOS box, I think I've looked through all the documentation and the requisite Google searching, but I'm unable to find a way.
I've tried cutting apart the Dockerfile, the instal_linux.sh Vagrant file, and all the documentation I could find...I even said a Hail Mary and converted the .deb into a .rpm with Alien.
The closest I can find is grr-doc/installfrompip.adoc, but I'm not sure if that's the right way or not. I'd like a cleaner way than using a development workflow if possible.
Any help would be appreciated, thanks in advance.
I cant seem to understand the log files that I got. I tried reinstalling the binaries and checking out the host connections but it lead to a dead end. for some reason it tries to remove grr monitor despite never telling or configuring to do so.
GRR.log
GRR_installer.txt
It would be nice to have a separate LICENSE and/or COPYING file for the documentation in this repo, including the icons and images. That would make it possible to build and distribute the documentation downstream, e.g. as a Debian package.
Are there any plans to incorporate failover/HA features in the future?
Would it be possible to have a full listing of all possible configuration options?
https://github.com/google/grr-doc/blob/master/user_manual.adoc#delete-a-client-and-all-of-its-data
No longer works. There are probably others but I haven't been digging around on the console lately.
Hi there,
#I have installed the GRR server as well as client properly, however, the client does not show up in the Admin UI. I tried the troubleshooting page at https://github.com/google/grr-doc/blob/master/troubleshooting.adoc#i-dont-see-my-clients
and I am currently stuck at the last step where I run the server in verbose mode but did not get the expected output.
below is a screenshot of what I got
The MacOS client installer pkg for 3.4.6.8 on the latest Ventura release 13.4.1 does not work. The installer runs and says successful but does nothing -- these launchd files are not created:
/etc/grr.local.yaml
/Library/LaunchDaemons/com.google.code.grr.plist
Moreover, the alternative installation instructions (using apt-get) have not been relevant for years, leaving RAM on fleets of recent developer Macbooks unmonitored.
Can anyone point me to the GRR scripts used for memory acquisition on Macs? From the docs, I understand that Yara is used for analysis with a presumably modified dependency for acquisition, since Yara itself does not appear to handle acquisition on Macs. This is actually all I want to do -- can anyone point me to a solution?
Use-case: deployment has to be rebuilt from scratch, but existing clients should be able to talk with the rebuilt deployment.
Just run a install on fresh Xenial 16.04, following "installing-grr-server-for-dev-ie-tracking-head", and after running install_script_ubuntu.sh :
it seems that some dependencies as missing in the first apt-get install.
I needed to also install :
libffi-dev protobuf-compiler
protobuf-c-compiler
protobuf-compiler
in order to get this procedure working.
Also note, if running as root, bower will refuse to run, so if you want to disable this protection :
echo '{ "allow_root": true }' > /root/.bowerrc
but this is not an error....
Thanks
https://github.com/google/grr-doc/blob/master/installfrompip.adoc#installing-from-pip
Provide documentation on PKG signing in addition to already-present RPM and EXE.
In particular, I'd like to know how to generate things like install_script_ubuntu.sh. I'd like to tinker with the source code for personal customization.
mysql(the Configuration).txt
after setting up mysql with [mysqld] from directly following the queries
max_allowed_packet=90M from directly following the queries. i still get an error in relation to the limited amount of
the allowed packets.
error.txt
i cant seem to connect to the grr server in response to this issue despite the status saying that it is up
Hello.
I just installed ubuntu 16.04 and ran the quick install script. That generates a working server but the grr_server --config-help throws
grr_server --config_help
Traceback (most recent call last):
File "/home/notroot/Desktop/GRR_ENV/lib/python2.7/site-packages/grr/tools/GRR_ENV/bin/grr_server", line 11, in
sys.exit(GrrServer())
File "/home/notroot/Desktop/GRR_ENV/lib/python2.7/site-packages/grr/tools/GRR_ENV/local/lib/python2.7/site-packages/grr/lib/distro_entry.py", line 82, in GrrServer
flags.StartMain(grr_server.main)
File "/home/notroot/Desktop/GRR_ENV/lib/python2.7/site-packages/grr/tools/GRR_ENV/local/lib/python2.7/site-packages/grr/lib/flags.py", line 121, in StartMain
main([sys.argv[0]])
File "/home/notroot/Desktop/GRR_ENV/lib/python2.7/site-packages/grr/tools/GRR_ENV/local/lib/python2.7/site-packages/grr/tools/grr_server.py", line 31, in main
if flags.FLAGS.component.startswith("worker"):
AttributeError: 'NoneType' object has no attribute 'startswith'
I then followed the PIP install directions with virtualenv (listed in the trace above)
I continue to get issues with
grr_fuse
grr_fuse
/home/notroot/Desktop/GRR_ENV/lib/python2.7/site-packages/grr/tools/GRR_ENV/local/lib/python2.7/site-packages/rdflib/plugins/parsers/structureddata.py:30: UserWarning: html5lib not found! RDFa and Microdata parsers will not be available.
'parsers will not be available.')
/home/notroot/Desktop/GRR_ENV/lib/python2.7/site-packages/grr/tools/GRR_ENV/local/lib/python2.7/site-packages/rdflib/plugins/parsers/hturtle.py:32: UserWarning: html5lib not found! RDFa and Microdata parsers will not be available.
'will not be available.')
CRITICAL:2017-02-02 12:35:42,944 fuse_mount:562] Could not start!
fusepy must be installed to run fuse_mount.py!
Try:
sudo pip install fusepy
But fusepy is already installed. I'm not sure what to do next to get this fully operational.
Hi,
I am testing out grr using Docker "goofy_kare" build and am having issues with my Mac OS el capitan GRR agent talking to the docker image.
Need Clarity around the following:
To get the GRR agent and debug agent to run in El Captian, do i just need to download the agent from the manage binaries tab in the GRR Docker portal and install the .pkg files published here?
Or do i need to do anything with vagrant to get the agent to talk to the server?
Platform:
Mac OS X El capitan using Kitematic and Goofy_Kare GRR build.
Thanks
Chris
The doc page should differentiate between default paths for client and server installations.
Default path for server installations is indicated to be /etc/grr/grr_server.yaml, which is incorrect. It is actually /usr/share/grr-server/install_data/etc/grr-server.yaml.
Client.control_urls is mentioned in the doc page; This config option is deprecated and should be deleted (from the GRR codebase, as well as the documentation).
The Memory Limit section of the admin page states:
"Default soft limit is 500MB, but GRR should only use about 30MB. Some volatility plugins can use a lot of memory so we try to be generous. Hard limit is double the soft limit. This is configurable from the config file."
I ran into an error running install_script_ubuntu.sh and I am not sure how to correct it. Can anyone help? Thanks.
System info: VMWare 12.1 Windows 10 host / Ubuntu 14.04 server (VM Guest) 2 GB mem
Received the following error:
Collecting codegen==1.0 (from -r requirements.txt (line 28))
Downloading codegen-1.0.tar.gz
Collecting distorm3==3.3.0 (from -r requirements.txt (line 29))
Could not find a version that satisfies the requirement distorm3==3.3.0 (from -r requirements.txt (line 29)) (from versions: 3.3.1)
No matching distribution found for distorm3==3.3.0 (from -r requirements.txt (line 29))
/usr/local/lib/python2.7/dist-packages/pip/vendor/requests/packages/urllib3/util/ssl.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
FAILURE RUNNING: pip install -r requirements.txt
I can understand if the GRR project doesn't want to start offering advice on tuning MySQL, but...
We've tried GRR with both SQLite and MySQL. Both work well, however when receiving large files, GRR will stall when using MySQL. This is due to a rather low default (16M) max_allowed_packet setting on Ubuntu. Should correcting this value be mentioned in the documentation?
Hi.
Memory analysis issues. I tried these plugins : arp , pslist, netscan, dns, all without extra arguments. This worked only once, the target was a Win7x64 VM. It has failed everytime since on multiple hosts (physical boxes & VM, Win7x64). So far every non-memory-analysis related features works well.
Here is a debug report from a Win7x64 physical box. Agent installed from GRR_3.1.0.2_amd64.exe
Plugin pslist
Client urn aff4:/C.5a5c4e8d5429643a
[DEBUG (2016-11-03 19:13:33 UTC) rekall.2] Opened local file C:\Windows\System32\GRR\3.1.0.2\rekall_profiles\v1.0\inventory.gz
[DEBUG (2016-11-03 19:13:33 UTC) rekall.2] Logging level set to 10
[DEBUG (2016-11-03 19:13:33 UTC) rekall.2] Unable to open \.\pmem: (2, 'CreateFile', 'The system cannot find the file specified.')
[DEBUG (2016-11-03 19:13:33 UTC) rekall.2] Loading driver from c:\windows\system32\grr\3.1.0.2\components\grr-rekall\0.4\resources\WinPmem\winpmem_x64.sys
[DEBUG (2016-11-03 19:13:33 UTC) rekall.2] Removing service pmem
[DEBUG (2016-11-03 19:13:33 UTC) rekall.2] pmem service does not exist.
[DEBUG (2016-11-03 19:13:33 UTC) rekall.2] Created service pmem
[DEBUG (2016-11-03 19:13:33 UTC) rekall.2] Running plugin (pslist) with args (()) kwargs ({})
Metadata:
session
state
profile
0
1 FileName
ept
0
1 IntParser
filename
0
1 FileName
timezone
0 UTC
1 TimeZone
session_name
0
1 String
pagefile
0
1 FileName
mro GrrRekallSession:Session:object
id 327
session_id 2
cookie 329
tool_name rekall
plugin_name pslist
tool_version 1.5.2.rc1
[DEBUG (2016-11-03 19:13:33 UTC) rekall.2] Will detect profile using these Detectors: linux_index,nt_index,osx,pe,windows_kernel_file,rsds,ntfs,linux
[DEBUG (2016-11-03 19:13:33 UTC) rekall.2] Opened local file C:\Windows\System32\GRR\3.1.0.2\rekall_profiles\v1.0\Linux\index.gz
[INFO (2016-11-03 19:13:33 UTC) rekall.2] Loaded profile Linux/index from Local Cache Directory:C:\Windows\System32\GRR\3.1.0.2\rekall_profiles (in 0.018000125885 sec)
[DEBUG (2016-11-03 19:13:33 UTC) rekall.2] Opened local file C:\Windows\System32\GRR\3.1.0.2\rekall_profiles\v1.0\nt\eprocess_index.gz
[INFO (2016-11-03 19:13:33 UTC) rekall.2] Loaded profile nt/eprocess_index from Local Cache Directory:C:\Windows\System32\GRR\3.1.0.2\rekall_profiles (in 0.0460000038147 sec)
[DEBUG (2016-11-03 19:13:33 UTC) rekall.2] Opened local file C:\Windows\System32\GRR\3.1.0.2\rekall_profiles\v1.0\nt\index.gz
[INFO (2016-11-03 19:13:33 UTC) rekall.2] Loaded profile nt/index from Local Cache Directory:C:\Windows\System32\GRR\3.1.0.2\rekall_profiles (in 0.0520000457764 sec)
[DEBUG (2016-11-03 19:13:33 UTC) rekall.2] Opened local file C:\Windows\System32\GRR\3.1.0.2\rekall_profiles\v1.0\OSX\index.gz
[INFO (2016-11-03 19:13:33 UTC) rekall.2] Loaded profile OSX/index from Local Cache Directory:C:\Windows\System32\GRR\3.1.0.2\rekall_profiles (in 0.000999927520752 sec)
[DEBUG (2016-11-03 19:13:33 UTC) rekall.2] Opened local file C:\Windows\System32\GRR\3.1.0.2\rekall_profiles\v1.0\pe.gz
[INFO (2016-11-03 19:13:33 UTC) rekall.2] Loaded profile pe from Local Cache Directory:C:\Windows\System32\GRR\3.1.0.2\rekall_profiles (in 0.0239999294281 sec)
[DEBUG (2016-11-03 19:13:33 UTC) rekall.2] Trying method pe, offset 0
[DEBUG (2016-11-03 19:13:33 UTC) rekall.2] Trying method windows_kernel_file, offset 0
[INFO (2016-11-03 19:13:33 UTC) rekall.2] Found RSDS in kernel image: 41859C34E0F14EE1B63BDA4607E028162 (ntkrnlmp.pdb)
[DEBUG (2016-11-03 19:13:33 UTC) rekall.2] Skipped profile nt/GUID/41859C34E0F14EE1B63BDA4607E028162 from None (Not in inventory)
[DEBUG (2016-11-03 19:13:33 UTC) rekall.2] Trying method rsds, offset 0
[DEBUG (2016-11-03 19:13:33 UTC) rekall.2] Trying method linux_index, offset 0
[DEBUG (2016-11-03 19:13:33 UTC) rekall.2] LinuxIndexDetector:DetectFromHit(0) = None
[DEBUG (2016-11-03 19:13:33 UTC) rekall.2] Trying method nt_index, offset 0
[DEBUG (2016-11-03 19:13:33 UTC) rekall.2] nt/GUID/A02D90EADA7E4195BD50672CD0A0ABD52 matched offset 0x99b4e+0xfffff80003466000=0xfffff800034ffb4e ('\x90')
[DEBUG (2016-11-03 19:13:33 UTC) rekall.2] nt/GUID/A02D90EADA7E4195BD50672CD0A0ABD52 matches 1/13 comparison points
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/F72F5B948181401796C8747CDBD02A0B2 matched offset 0x48aa3f+0xfffff80003466000=0xfffff800038f0a3f ('\x90')
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/F72F5B948181401796C8747CDBD02A0B2 matches 1/12 comparison points
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/80B56B0EBF4A45F8827658E0826FE4ED2 matched offset 0x47d7af+0xfffff80003466000=0xfffff800038e37af ('\x90')
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/80B56B0EBF4A45F8827658E0826FE4ED2 matches 1/13 comparison points
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/437E0D7F5BAD46D2BEDAABBDFBA554A71 matched offset 0x4160bf+0xfffff80003466000=0xfffff8000387c0bf ('\x90')
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/437E0D7F5BAD46D2BEDAABBDFBA554A71 matches 1/11 comparison points
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/31E8E2145E6F4397B542859183FF79072 matched offset 0x2467c+0xfffff80003466000=0xfffff8000348a67c ('\x90')
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/31E8E2145E6F4397B542859183FF79072 matches 1/12 comparison points
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/706A01493491438C9E1D97ADBB9950C12 matched offset 0x6a43f+0xfffff80003466000=0xfffff800034d043f ('\x90')
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/706A01493491438C9E1D97ADBB9950C12 matches 1/12 comparison points
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/2E3403F0AAF2487FBD3B41763D6DB26F2 matched offset 0x2a6b1c+0xfffff80003466000=0xfffff8000370cb1c ('\x90')
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/2E3403F0AAF2487FBD3B41763D6DB26F2 matches 1/13 comparison points
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/F79084B4F72C4D508F0F4924B2AE188F2 matched offset 0x30fd2f+0xfffff80003466000=0xfffff80003775d2f ('\x90')
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/F79084B4F72C4D508F0F4924B2AE188F2 matches 1/12 comparison points
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/76280CA49D9549AD9030AAB3B2BB97B32 matched offset 0x5503e8+0xfffff80003466000=0xfffff800039b63e8 ('IRP_MN_QUERY_DEVICE_TEXT')
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/76280CA49D9549AD9030AAB3B2BB97B32 matches 1/12 comparison points
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/B883868B88CB415A92EC010CF6A115A52 matched offset 0x110a4d+0xfffff80003466000=0xfffff80003576a4d ('\x90')
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/B883868B88CB415A92EC010CF6A115A52 matches 1/12 comparison points
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/6DFDC02F680D41D38E56E1EF5A71F16B2 matched offset 0x19c62+0xfffff80003466000=0xfffff8000347fc62 ('\x90')
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/6DFDC02F680D41D38E56E1EF5A71F16B2 matches 1/13 comparison points
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/156B9EB6B75E403B901BC4E40653F2D82 matched offset 0x17dd9+0xfffff80003466000=0xfffff8000347ddd9 ('\x90')
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/156B9EB6B75E403B901BC4E40653F2D82 matches 1/13 comparison points
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/9722FFCB56A54FCFA86444471E118CE42 matched offset 0x8f16f+0xfffff80003466000=0xfffff800034f516f ('\x90')
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/9722FFCB56A54FCFA86444471E118CE42 matches 1/12 comparison points
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/10165C7EAE314C94B245DBA6C764BD151 matched offset 0x83668+0xfffff80003466000=0xfffff800034e9668 ('\x90')
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/10165C7EAE314C94B245DBA6C764BD151 matches 1/13 comparison points
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/253DE844208F4973B0890F15157027E11 matched offset 0x2f253f+0xfffff80003466000=0xfffff8000375853f ('\x90')
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/253DE844208F4973B0890F15157027E11 matches 1/11 comparison points
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/100945A3A7F04EDE894A49BD9FEF988B1 matched offset 0x151cef+0xfffff80003466000=0xfffff800035b7cef ('\x90')
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/100945A3A7F04EDE894A49BD9FEF988B1 matches 1/12 comparison points
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/CF6A1D28362E4610946B4EBA29A3CFAE2 matched offset 0x20df+0xfffff80003466000=0xfffff800034680df ('\x90')
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/CF6A1D28362E4610946B4EBA29A3CFAE2 matches 1/13 comparison points
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/37AEA986314C4921ACCFC606BD6FC77C2 matched offset 0x99b4e+0xfffff80003466000=0xfffff800034ffb4e ('\x90')
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/37AEA986314C4921ACCFC606BD6FC77C2 matches 1/13 comparison points
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/8DCA302B311D4D60A7DA738353336B6C1 matched offset 0x648a7+0xfffff80003466000=0xfffff800034ca8a7 ('\x90')
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/8DCA302B311D4D60A7DA738353336B6C1 matches 1/13 comparison points
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] ntdll/GUID/B005A3B66ED64473B02451207DEFC0802 matched offset 0x9d571+0xfffff80003466000=0xfffff80003503571 ('\xcc')
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] ntdll/GUID/B005A3B66ED64473B02451207DEFC0802 matches 1/2 comparison points
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/44C6B918C126440083600BDD67F31BF82 matched offset 0x207e7+0xfffff80003466000=0xfffff800034867e7 ('\x90')
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] nt/GUID/44C6B918C126440083600BDD67F31BF82 matches 1/13 comparison points
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] ntdll/GUID/0CB7245D955042C79948F7F767BBA0041 matched offset 0x6be9f+0xfffff80003466000=0xfffff800034d1e9f ('\xcc')
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] ntdll/GUID/0CB7245D955042C79948F7F767BBA0041 matches 1/1 comparison points
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] Opened local file C:\Windows\System32\GRR\3.1.0.2\rekall_profiles\v1.0\ntdll\GUID\0CB7245D955042C79948F7F767BBA0041.gz
[INFO (2016-11-03 19:13:34 UTC) rekall.2] Loaded profile ntdll/GUID/0CB7245D955042C79948F7F767BBA0041 from Local Cache Directory:C:\Windows\System32\GRR\3.1.0.2\rekall_profiles (in 0.348999977112 sec)
[INFO (2016-11-03 19:13:34 UTC) rekall.2] Detection method nt_index yielded profile <I386 profile ntdll/GUID/0CB7245D955042C79948F7F767BBA0041 (Ntdll)>
Table:
PPID Thds Hnds Sess Wow64 Start Exit
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] Listed 0 processes using PsActiveProcessHead
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] Listed 0 processes using CSRSS
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] Listed 0 processes using PspCidTable
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] Listed 0 processes using Sessions
[DEBUG (2016-11-03 19:13:34 UTC) rekall.2] Listed 0 processes using Handles
EOM
Greetings GRR experts. I posted earlier about having trouble installing GRR - destijl's advice helped me install GRR successfully (thanks!).
Sadly, I've run into another issue: GRR isn't receiving communications from my clients after deploying agents. Here's the pertinent troubleshooting information I've performed so far:
-GRR clients (WIN7, Kali) can successfully communicate with GRR server at
http://GRR:8080/server.pem
-All system firewalls turned off during troubleshooting period (yikes!)
-GRR agents match appropriate architecture and OS
-GRR Monitor and GRR.exe services are running
-I do not see any connections to the GRR server via netstat -ano / netstat -tulpn
-GRR can see agent deployed on local GRR server file system (but again, not the remote clients)
I've soaked many hours over the last few days trying to get this program to work, so I would be extremely grateful for any feedback you can provide. Thanks!
The server from scratch page is woefully out of date:
https://github.com/google/grr-doc/blob/master/serverfromscratch.adoc
These instructions should be replaced mostly with a script that takes advantage of the vagrant client build environment automation.
Would be nice to see it in the list at https://github.com/google
In the paragraph
GRR artifacts are defined in YAML, with a style guide available here. We use a standard set of machine information collected from the host for variable interpolation. This collection of data is called the Knowledge Base (see proto/knowledge_base.proto) and is referenced with a %%variable%% syntax.
The artifact defines where the data lives. Once it is retrieved by GRR a parser can optionally be applied to turn the collected information into a more useful format, such as parsing a browser history file to produce URLs.
The style guide, knowledge base and parser links lead to 404s
Hi
I'm wondering why I get this issue when the different clients, windows and ubuntu 19.04 are able to make the the following request and get a 200 ok response:
request:
http://myserver:8080/api/users/me/notifications/pending/count
response body:
{ " count":0}
But the more important step when setting up the client does not work:
EBUG:2019-12-06 06:55:47,702 connectionpool:437] http://myserver:8080 "GET /server.pem HTTP/1.1" 404 232
Is my server supposed to have a file named "server.pem" somewhere? I searched the whole computer and this file does not exist.
Regards,
T
Hi All,
Trying to do a DB reset after testing before I go into production. Following is an exert from the server...
xxxxxxt@GRR:/usr/share/grr/scripts$ bash database_reset.sh
[sudo] password for xxxxxxxt:
grr-http-server start/running, process 950
Stopping grr-http-server
grr-http-server stop/waiting
Dropping database
database_reset.sh: line 12: mongo: command not found
grr-http-server stop/waiting
Starting grr-http-server
grr-http-server start/running, process 1602
Here's a copy of database_reset.sh
stop_services $GRR_SERVICES
echo "Dropping database"
echo "db.dropDatabase()" | mongo grr
stop_services $GRR_SERVICES
Any ideas?
after making sure that the max allocated packets are 40M the error still asks to update MySQL configuration or grant GRR sufficient privs to override global variables. This is after restarting the services to update as well as doing or fix installation of grr
mysql(the Configuration).txt
error.txt
apt-get install -f ./grr-server_3.4.6-0_amd64.deb
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.