
How to Install GRR Server on Ubuntu 18?

A step-by-step guide to installing Google Rapid Response server on Ubuntu.

Introduction

GRR (Google Rapid Response) is a Python-based incident response framework that can be used for live forensics and investigations. It allows you to examine attacks and perform analysis remotely.

GRR is deployed in a server-client architecture. It comes with a web-based user interface that allows you to analyze the data collected from the clients, and client agents are provided for Linux, Mac OS X, and Windows.

Requirements

  • A server running Ubuntu 18.xx
  • A root password is set up on your server

Getting Started

Before starting, you will need to refresh your system's package index. You can do it by running the following command:

apt-get update -y

Once your system is updated, restart the system to apply all the changes.

Install and Configure Database

First, you will need to install the MariaDB database server on your system. You can install it with the following command:

apt-get install mariadb-server -y

Once the installation has been completed, secure the MariaDB installation by running the following command:

mysql_secure_installation

Answer all the questions as shown below:

Enter current password for root (enter for none):
Set root password? [Y/n]: N
Remove anonymous users? [Y/n]: Y
Disallow root login remotely? [Y/n]: Y
Remove test database and access to it? [Y/n]: Y
Reload privilege tables now? [Y/n]: Y

Once MariaDB is secured, log in to the MariaDB shell with the following command:

mysql -u root -p

Enter your root password. Then, create a database and a user for GRR with the following commands:

MariaDB [(none)]> CREATE DATABASE grr;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON grr.* TO 'grr'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;

Next, flush the privileges and exit from the MariaDB shell with the following commands:

MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> EXIT;

Next, restart the MariaDB service with the following command:

systemctl restart mariadb

You can check the status of MariaDB service with the following command:

systemctl status mariadb

You should see the following output:

● mariadb.service - MariaDB 10.1.38 database server
Loaded: loaded (/lib/systemd/system/mariadb.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2019-04-12 15:11:14 UTC; 54min ago
Docs: man:mysqld(8)
https://mariadb.com/kb/en/library/systemd/
Main PID: 1050 (mysqld)
Status: "Taking your SQL requests now..."
Tasks: 46 (limit: 1113)
CGroup: /system.slice/mariadb.service
└─1050 /usr/sbin/mysqld
Apr 12 15:10:53 ubuntu1804 systemd[1]: Starting MariaDB 10.1.38 database server...
Apr 12 15:11:07 ubuntu1804 mysqld[1050]: 2019-04-12 15:11:07 140152311749760 [Note] /usr/sbin/mysqld (mysqld 10.1.38-MariaDB-0ubuntu0.18.04.1)
Apr 12 15:11:14 ubuntu1804 systemd[1]: Started MariaDB 10.1.38 database server.
Apr 12 15:11:14 ubuntu1804 /etc/mysql/debian-start[1251]: Upgrading MySQL tables if necessary.
Apr 12 15:11:15 ubuntu1804 /etc/mysql/debian-start[1265]: /usr/bin/mysql_upgrade: the '--basedir' option is always ignored
Apr 12 15:11:15 ubuntu1804 /etc/mysql/debian-start[1265]: Looking for 'mysql' as: /usr/bin/mysql
Apr 12 15:11:15 ubuntu1804 /etc/mysql/debian-start[1265]: Looking for 'mysqlcheck' as: /usr/bin/mysqlcheck
Apr 12 15:11:15 ubuntu1804 /etc/mysql/debian-start[1265]: This installation of MySQL is already upgraded to 10.1.38-MariaDB, use --force if you
Apr 12 15:11:15 ubuntu1804 /etc/mysql/debian-start[1306]: Checking for insecure root accounts.
Apr 12 15:11:15 ubuntu1804 /etc/mysql/debian-start[1311]: Triggering myisam-recover for all MyISAM tables and aria-recover for all Aria tables

Once this is done, you can proceed to the next step.

Install GRR

First, you will need to download the GRR server package from the official release location. The following command downloads the GRR 3.2.4.6 release:

wget https://storage.googleapis.com/releases.grr-response.com/grr-server_3.2.4-6_amd64.deb

Once the download is completed, install the downloaded package with the following command:

dpkg -i grr-server_3.2.4-6_amd64.deb

Next, install the missing dependencies that dpkg reports and finish the installation with the following command:

apt-get install -f

During the installation, you will be prompted for details such as the database host, username and password, the GRR URLs and the admin password, as shown below:

Running grr_config_updater initialize
To avoid this prompting, set DEBIAN_FRONTEND=noninteractive
#################################################################
Checking write access on config /etc/grr//server.local.yaml
Step 0: Importing Configuration from previous installation.
No old config file found.
Step 1: Setting Basic Configuration Parameters
We are now going to configure the server using a bunch of questions.

-=GRR Datastore=-
For GRR to work each GRR server has to be able to communicate with
the datastore. To do this we need to configure a datastore.

GRR will use MySQL as its database backend. Enter connection details:

MySQL Host [localhost]:
MySQL Port (0 for local socket) [0]:
MySQL Database [grr]:
MySQL Username [root]: grr
Please enter password for database user grr:

Successfully connected to MySQL with the provided details.

-=GRR URLs=-
For GRR to work each client has to be able to communicate with the
server. To do this we normally need a public dns name or IP address
to communicate with. In the standard configuration this will be used
to host both the client facing server and the admin user interface.

Please enter your hostname e.g. grr.example.com [ubuntu1804]: 192.168.0.104

-=Server URL=-
The Server URL specifies the URL that the clients will connect to
communicate with the server. For best results this should be publicly
accessible. By default this will be port 8080 with the URL ending in /control.

Frontend URL [http://192.168.0.104:8080/]:

-=AdminUI URL=-:
The UI URL specifies where the Administrative Web Interface can be found.

AdminUI URL [http://192.168.0.104:8000]:

-=GRR Emails=-
GRR needs to be able to send emails for various logging and
alerting functions. The email domain will be appended to GRR
usernames when sending emails to users.

-=Monitoring/Email Domain=-
Emails concerning alerts or updates must be sent to this domain.

Email Domain e.g example.com [localhost]:

-=Alert Email Address=-
Address where monitoring events get sent, e.g. crashed clients,
broken server, etc.

Alert Email Address [[email protected]]:

-=Emergency Email Address=-
Address where high priority events such as an emergency ACL bypass are sent.

Emergency Access Email Address [[email protected]]:
Rekall is no longer actively supported. Enable anyway? [yN]: [N]:

Step 2: Key Generation
All keys will have a bit length of 2048.
Generating executable signing key
Generating CA keys
Generating Server keys
Generating secret key for csrf protection.

Repacked into /usr/share/grr-server/executables/installers/grr_3.2.4.6_amd64.deb

GRR Initialization complete! You can edit the new configuration in /etc/grr//server.local.yaml.

Please restart the service for the new configuration to take effect.

#################################################################
Install complete.

Now, restart the GRR service to apply all the changes:

systemctl restart grr-server

You can now check the status of GRR with the following command:

systemctl status grr-server

You should see the following output:

● grr-server.service - GRR Service
Loaded: loaded (/lib/systemd/system/grr-server.service; enabled; vendor preset: enabled)
Active: active (exited) since Fri 2019-04-12 15:57:09 UTC; 6s ago
Docs: https://github.com/google/grr
Process: 7178 ExecStop=/bin/systemctl --no-block stop [email protected]_ui.service [email protected] [email protected] grr-s
Process: 7215 ExecStart=/bin/systemctl --no-block start [email protected]_ui.service [email protected] [email protected] grr
Main PID: 7215 (code=exited, status=0/SUCCESS)
Apr 12 15:57:09 ubuntu1804 systemd[1]: Starting GRR Service...
Apr 12 15:57:09 ubuntu1804 systemd[1]: Started GRR Service.

Access GRR Web Interface

GRR is now installed and listening on port 8000 (Admin UI) and port 8080 (Frontend).

To access the GRR Admin interface, open your web browser and type the URL http://192.168.0.104:8000.
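The status outputs above carry one detail worth checking explicitly: grr-server.service reports "active (exited)" because its ExecStart only starts the grr-server@ instances, so the wrapper unit being active says nothing about whether the frontend and admin UI are actually up. The following post-install check script is an added example, not code from the GRR project or from this article. It parses `systemctl status`, `systemctl list-units` and `ss -ltn` output to confirm that MariaDB is running, that the grr-server@ instances are running, that ports 8000 and 8080 are listening, that MariaDB is bound only locally (the grr user above is 'grr'@'localhost'), and that /etc/grr/server.local.yaml, which holds the MySQL password and the keys generated in Step 2, is not world-readable. The instance names admin_ui, frontend and worker, the expected count of three, and the SAMPLE_* strings are assumptions or constructed data modelled on the output shown above.

```shell
#!/bin/sh
# grr_postinstall_check.sh: added post-install verification for the GRR
# server set-up described in this article (not GRR project code). The
# SAMPLE_* strings are constructed from the article's output so the
# parsing functions can be exercised without a live server.

# Sub-state ("running", "exited", ...) of a unit, taken from `systemctl
# status` text; prints nothing when the unit is not active at all.
unit_substate() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Active: active (\([a-z]*\)).*/\1/p' | head -n 1
}

# grr-server.service is a wrapper whose ExecStart starts the grr-server@<name>
# instances, so "active (exited)" is normal for it. Count the instances that
# are really running, given the output of
# `systemctl list-units --type=service --state=running 'grr-server@*'`.
running_worker_count() {
    printf '%s\n' "$1" |
        grep -c '^[[:space:]]*grr-server@[a-z_]*\.service[[:space:]][[:space:]]*loaded[[:space:]][[:space:]]*active[[:space:]][[:space:]]*running'
}

# True when `ss -ltn` output contains a TCP listener on port $2.
port_listening() {
    printf '%s\n' "$1" | grep -Eq "^LISTEN[[:space:]].*:$2[[:space:]]"
}

# True unless MariaDB (3306) is bound to a wildcard address; the GRR database
# user is 'grr'@'localhost', so nothing needs remote access.
db_bound_locally() {
    ! printf '%s\n' "$1" |
        grep -Eq "^LISTEN[[:space:]].*[[:space:]](0\.0\.0\.0|\*|\[::\]):3306[[:space:]]"
}

# Octal mode from `stat -c %a`; succeed only when "other" has no permissions.
mode_not_world_readable() {
    case "$1" in
        *[0-7]0) return 0 ;;
        *)       return 1 ;;
    esac
}

# Constructed samples, modelled on the systemctl output in the article.
SAMPLE_MARIADB_STATUS='mariadb.service - MariaDB 10.1.38 database server
   Loaded: loaded (/lib/systemd/system/mariadb.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2019-04-12 15:11:14 UTC; 54min ago'

SAMPLE_GRR_WRAPPER_STATUS='grr-server.service - GRR Service
   Loaded: loaded (/lib/systemd/system/grr-server.service; enabled; vendor preset: enabled)
   Active: active (exited) since Fri 2019-04-12 15:57:09 UTC; 6s ago'

SAMPLE_LIST_UNITS='UNIT                        LOAD   ACTIVE SUB     DESCRIPTION
grr-server@admin_ui.service loaded active running GRR admin_ui (assumed name)
grr-server@frontend.service loaded active running GRR frontend (assumed name)
grr-server@worker.service   loaded active running GRR worker (assumed name)

3 loaded units listed.'

SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       80      127.0.0.1:3306      0.0.0.0:*
LISTEN  0       128     0.0.0.0:8000        0.0.0.0:*
LISTEN  0       128     0.0.0.0:8080        0.0.0.0:*'

# Live checks against the local system; returns non-zero on any FAIL.
run_checks() {
    rc=0
    state=$(unit_substate "$(systemctl status mariadb 2>/dev/null)")
    [ "$state" = running ] || { echo "FAIL: mariadb.service is ${state:-not active}"; rc=1; }

    [ -n "$(unit_substate "$(systemctl status grr-server 2>/dev/null)")" ] ||
        { echo "FAIL: grr-server.service is not active"; rc=1; }
    n=$(running_worker_count "$(systemctl list-units --type=service --state=running 'grr-server@*' 2>/dev/null)")
    [ "$n" -ge 3 ] || { echo "FAIL: only $n of the expected 3 grr-server@ instances are running"; rc=1; }

    sockets=$(ss -ltn 2>/dev/null)
    for port in 8000 8080; do
        port_listening "$sockets" "$port" || { echo "FAIL: no TCP listener on port $port"; rc=1; }
    done
    db_bound_locally "$sockets" || echo "WARN: MariaDB is listening on a wildcard address"

    cfg=/etc/grr/server.local.yaml
    if [ -f "$cfg" ]; then
        mode_not_world_readable "$(stat -c %a "$cfg")" ||
            echo "WARN: $cfg is readable by other users (it holds the MySQL password and keys)"
    else
        echo "FAIL: $cfg not found"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: GRR server checks passed"
    return "$rc"
}

# Run the live checks only when asked:  GRR_CHECK_RUN=1 sh grr_postinstall_check.sh
if [ "${GRR_CHECK_RUN:-0}" = 1 ]; then
    run_checks
    exit $?
fi
```

Without GRR_CHECK_RUN the file only defines functions and sample data, so it can be sourced and its parsers exercised on captured output; on the server, `GRR_CHECK_RUN=1 sh grr_postinstall_check.sh` runs the live checks and exits non-zero on any FAIL, which makes it usable from a deployment pipeline or a monitoring job.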

You will be asked to provide the admin username and password: use admin as the username and the password you set during the installation. Then click the OK button. You will be redirected to the following page:

Congratulations! We have successfully installed the GRR server on Ubuntu.