{"id":2144,"date":"2019-02-02T13:41:14","date_gmt":"2019-02-02T10:41:14","guid":{"rendered":"http:\/\/kifarunix.com\/?p=2144"},"modified":"2024-03-11T22:21:27","modified_gmt":"2024-03-11T19:21:27","slug":"install-grr-incident-response-framework-on-ubuntu-18-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-grr-incident-response-framework-on-ubuntu-18-04\/","title":{"rendered":"Install GRR Incident Response Framework on Ubuntu 18.04"},"content":{"rendered":"\n

<p>Hello folks. Today we are going to learn how to install the GRR incident response framework on Ubuntu 18.04. Google Rapid Response (GRR) is a Python-based incident response framework that focuses on live forensics and investigations. It enables security analysts to examine attacks and perform analysis remotely.</p>

<p>GRR is deployed in a server-client architecture. The GRR server provides a web-based user interface that allows analysts to analyze data collected from the clients. The GRR client, on the other side, is deployed on the host to be investigated and polls the GRR server from time to time for actions such as listing a directory or downloading files.</p>

<h2>Installing GRR Incident Response Framework on Ubuntu</h2>

<p>Before you fire up the installation of GRR on Ubuntu 18.04, update and upgrade your system packages.</p>

<pre><code>apt update</code></pre>

<h3>Install MySQL database server</h3>

<p>GRR uses MySQL as the default database backend. Hence you can install MySQL on Ubuntu 18.04 by running the command below;</p>

<pre><code>apt install mysql-server</code></pre>

<p>Next, run the MySQL security script to set the root password, remove anonymous users, etc.</p>

<pre><code>mysql_secure_installation</code></pre>

<p>After that, log in to MySQL as the root user and create the GRR database and user. Creating a dedicated database user is optional since GRR can use the root credentials.</p>

<pre><code>create database grr;
grant all privileges on grr.* to grr@localhost identified by 'password';
flush privileges;</code></pre>

<p>Now, install GRR on Ubuntu 18.04. The recommended way of installing GRR is to use the DEB package. Hence, download the latest server DEB package. You can simply run the command below;</p>

<pre><code>wget https://storage.googleapis.com/releases.grr-response.com/grr-server_3.2.4-6_amd64.deb</code></pre>

<p>Once the download is done, install it using the APT package manager, which will take care of all the dependencies.</p>

<pre><code>sudo apt install ./grr-server_3.2.4-6_amd64.deb</code></pre>

<p>During installation, the installer will prompt you to define a few settings.</p>

<pre><code>Running grr_config_updater initialize
...
-=GRR Datastore=-
For GRR to work each GRR server has to be able to communicate with
the datastore. To do this we need to configure a datastore.

GRR will use MySQL as its database backend. Enter connection details:
MySQL Host [localhost]: Enter
MySQL Port (0 for local socket) [0]:
MySQL Database [grr]: Enter
MySQL Username [root]: grr   << user set above
Please enter password for database user grr: Password for grr db user
Successfully connected to MySQL with the provided details.</code></pre>

<p>Define the GRR server hostname. Note that this hostname should be resolvable by the clients.</p>

<pre><code>-=GRR URLs=-
For GRR to work each client has to be able to communicate with the
server. To do this we normally need a public dns name or IP address
to communicate with. In the standard configuration this will be used
to host both the client facing server and the admin user interface.

Please enter your hostname e.g. grr.example.com [grr.example.com]: Enter</code></pre>

<p>Set the GRR frontend (server) URL as well as the administration UI URL.</p>

<pre><code>-=Server URL=-
The Server URL specifies the URL that the clients will connect to
communicate with the server. For best results this should be publicly
accessible. By default this will be port 8080 with the URL ending in /control.

Frontend URL [http://grr.example.com:8080/]: Enter

-=AdminUI URL=-:
The UI URL specifies where the Administrative Web Interface can be found.

AdminUI URL [http://grr.example.com:8000]: Enter</code></pre>

<p>Next, define the email address for alerting, logging and various updates. The email configuration assumes that you already have an MTA running.</p>

<p>Set the GRR admin user password.</p>

<pre><code>Step 3: Adding GRR Admin User
Please enter password for user 'admin': P@SSWORD</code></pre>

<p>Repackage the client templates with the new configuration.</p>

<pre><code>Step 4: Repackaging clients with new configuration.
Server debs include client templates. Re-download templates? [yN]:  [N]: Enter
Repack client templates? [Yn]:  [Y]: y</code></pre>

<p>The installation will proceed and, if everything goes well, you should see output like the following.</p>

<pre><code>GRR Initialization complete! You can edit the new configuration in /etc/grr//server.local.yaml.

Please restart the service for the new configuration to take effect.

#################################################################
Install complete.
If upgrading, make sure you read the release notes:
https://grr-doc.readthedocs.io/en/latest/release-notes.html
...</code></pre>

<p>Restart the GRR service for the new configuration to take effect.</p>

<pre><code>sudo systemctl restart grr-server</code></pre>

<p>To verify that the service is running, run the command below;</p>

<pre><code>sudo systemctl status grr-server
* grr-server.service - GRR Service
   Loaded: loaded (/lib/systemd/system/grr-server.service; enabled; vendor preset: enabled)
   Active: active (exited) since Sat 2019-02-02 08:11:46 UTC; 39s ago
     Docs: https://github.com/google/grr
  Process: 11968 ExecStop=/bin/systemctl --no-block stop grr-server@admin_ui.service grr-server@frontend.service grr-server@worker.service grr-server@worker2.s
  Process: 11992 ExecStart=/bin/systemctl --no-block start grr-server@admin_ui.service grr-server@frontend.service grr-server@worker.service grr-server@worker2
 Main PID: 11992 (code=exited, status=0/SUCCESS)</code></pre>

<h2>Running GRR UI behind Nginx Proxy with HTTPS</h2>

<p>As a security measure, we are going to configure the GRR admin UI to be served through an Nginx proxy over HTTPS. Also, be sure to limit access to the GRR web UI.</p>

<h3>Install Nginx</h3>

<p>Nginx can be installed from the default Ubuntu repositories as shown below;</p>

<pre><code>apt install nginx</code></pre>

<p>After the installation is done, generate an SSL/TLS certificate. In this guide, we are going to use a self-signed SSL certificate.</p>

<pre><code>sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/grr-server.key -out /etc/nginx/grr-server.crt</code></pre>

<p>Set the permissions for both the SSL certificate and key as follows;</p>

<pre><code>chmod 644 /etc/nginx/grr-server.crt
chmod 400 /etc/nginx/grr-server.key</code></pre>

<p>Configure Nginx to serve HTTPS traffic and proxy the requests to the GRR admin UI over plain HTTP on localhost.</p>

<pre><code>vim /etc/nginx/sites-available/default</code></pre>

<p>Without the comments, the configuration should look like the one below;</p>

<pre><code>server {

    listen 443;
    server_name localhost;

    ssl_certificate           /etc/nginx/grr-server.crt;
    ssl_certificate_key       /etc/nginx/grr-server.key;

    ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log            /var/log/nginx/grr.access.log;

    location / {

        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;

        proxy_pass          http://localhost:8000;
        proxy_read_timeout  180;

        proxy_redirect      http://localhost:8000 https://grr.example.com;
    }
}</code></pre>

<p>The <code>https://grr.example.com</code> in the <code>proxy_redirect</code> directive is the URL you will use to publicly access the GRR Admin UI. Therefore, edit the GRR server configuration file and adjust the value of the <code>AdminUI.url</code> directive to this URL.</p>

<pre><code>vim /etc/grr/server.local.yaml</code></pre>
<pre><code>...
AdminUI.url: https://grr.example.com
...</code></pre>
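<p>As an added example (not from the original post), here is a hardened variant of the server block above: it drops TLS 1.0/1.1 and the deprecated <code>ssl on</code> directive, adds HSTS, redirects plain HTTP to HTTPS, and restricts the proxied admin UI to an analyst network. It assumes nginx on Ubuntu 18.04 built against OpenSSL 1.1.1 (for TLSv1.3), the certificate paths from this guide, and <code>10.0.0.0/8</code> as a placeholder analyst subnet.</p>

```nginx
# Added example, not part of the original post. Hardened variant of the
# server block above. Assumes nginx built against OpenSSL 1.1.1 (TLSv1.3),
# the certificate paths from the guide, and 10.0.0.0/8 as a placeholder
# for the analyst network that is allowed to reach the admin UI.

# Redirect any plain-HTTP request to the HTTPS listener.
server {
    listen 80;
    server_name grr.example.com;
    return 301 https://$host$request_uri;
}

server {
    # 'listen ... ssl' replaces the deprecated 'ssl on;' directive.
    listen 443 ssl;
    server_name grr.example.com;

    ssl_certificate     /etc/nginx/grr-server.crt;
    ssl_certificate_key /etc/nginx/grr-server.key;

    # TLS 1.0/1.1 are deprecated; allow only 1.2 and 1.3 with AEAD suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Tell browsers to use HTTPS for this host for one year.
    add_header Strict-Transport-Security "max-age=31536000" always;

    access_log /var/log/nginx/grr.access.log;

    location / {
        # Limit the admin UI to the analyst network (placeholder range).
        allow 10.0.0.0/8;
        deny  all;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass         http://localhost:8000;
        proxy_read_timeout 180;
        proxy_redirect     http://localhost:8000 https://grr.example.com;
    }
}
```

<p>With the UI reachable only through Nginx, the <code>ufw allow 8000/tcp</code> rule in the firewall step can be left out so that port 8000 stays reachable only from localhost.</p>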

<p>Check the Nginx configuration for errors.</p>

<pre><code>nginx -t</code></pre>
<pre><code>nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful</code></pre>

<p>Allow HTTP and HTTPS traffic as well as the GRR ports on the firewall.</p>

<pre><code>ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 8080/tcp
ufw allow 8000/tcp
ufw reload</code></pre>

<p>Restart Nginx and the GRR server for the changes to take effect.</p>

<pre><code>systemctl restart nginx
systemctl restart grr-server</code></pre>

<p>To access the GRR administration user interface, log in using <code>https://grr.example.com</code> as specified in the configuration above. Ignore the invalid SSL certificate warning. The GRR page is protected by a Basic Auth dialog, so you will be prompted to authenticate before you get to the dashboard. Use <code>admin</code> as the user and the password you set for the admin user during installation.</p>

<p>After successful authentication, you will be taken to the GRR web user interface.</p>

<p>Beautiful. In our next tutorial, you will learn how to deploy GRR clients and start investigations. Enjoy.</p>\n","protected":false},"excerpt":{"rendered":"

Hello folks. Today we are going to learn how to install GRR incident response framework on Ubuntu 18.04. Google Rapid Response (GRR) is a python<\/p>\n","protected":false},"author":1,"featured_media":12806,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,314],"tags":[315,67],"class_list":["post-2144","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-forensics","tag-grr","tag-ubuntu-18-04","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2144"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=2144"}],"version-history":[{"count":9,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2144\/revisions"}],"predecessor-version":[{"id":21113,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2144\/revisions\/21113"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/12806"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=2144"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=2144"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=2144"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}