Welcome to our guide on how to install and setup GRR clients on Ubuntu 18.04/Debian 9 servers. Before you can deploy GRR agents, you need to have a running GRR server. We did a tutorial covering installation of GRR server on Ubuntu 18.04 in our previous guide. Once you have the GRR server ready, proceed as follows;
Install and Setup GRR clients on Ubuntu 18.04/Debian 9
While installing the GRR server, various clients versions, BSD based, Debian based and RHEL based, are repacked, configured and uploaded to the server. Therefore, to install GRR client on Ubuntu 18.4/Debian 9 server, login to the GRR server and navigate to
Manage Binaries tab on the left pane and download the respective GRR client.
If for some reasons the GRR server configurations have been adjusted, you need to repackage the clients. See how to repackage GRR clients here.
Download the GRR client binary installer and copy to the host where installation will happen. However, you can login to the GRR client and download the binary using wget command. Ensure that the GRR server hostname is resolvable. Note that you need to authenticate to the GRR server in order to download the client installer. You may also want to ignore server certificate verification.
wget --user=admin --ask-password --no-check-certificate https://grr.example.com/api/config/binaries-blobs/EXECUTABLE/linux/installers/grr_22.214.171.124_amd64.deb
Once you have the installer, launch the installation by executing the command below;
sudo apt install ./grr_126.96.36.199_amd64.deb
The GRR client is set to run and start on system reboot. You can check the status by running the command.
systemctl status grr ● grr.service - grr linux amd64 Loaded: loaded (/lib/systemd/system/grr.service; enabled; vendor preset: enabled) Active: active (running) since Sat 2019-02-02 07:41:45 EST; 2min 21s ago Main PID: 6489 (grrd) CGroup: /system.slice/grr.service ├─6489 /usr/sbin/grrd --config=/usr/lib/grr/grr_188.8.131.52_amd64/grrd.yaml └─6490 /usr/sbin/grrd --config=/usr/lib/grr/grr_184.108.40.206_amd64/grrd.yaml Feb 02 07:41:45 ldapclient.example.com systemd: Started grr linux amd64.
The client will automatically registers itself to the GRR server. To verify that GRR client has registered to the GRR server, login to the GRR admin UI. Click on the
Search Box and press
Enter. Your clients will appear on the dashboard if they have registered to the GRR server.
To see more client details, click on it. Some of the host information details you can get include OS version, Users, network interfaces and assigned IP addresses…Click on
Full details tab to see extended host information.
Now that your clients are ready, you can go right ahead and set the GRR Flows, Hunt, Alerting etc. As an example, we are going to list the processes running on remote host. Therefore under the
Host Information, click
Start new flows > Processes > ListProcesses. You can optionally define the regex for filter processes, fetch the process binaries. Under Connection State, i have selected
Established and will leave it like that at the very basic. Click Launch to launch the flow. Once the flow run is done, you will see a notification on the notification button next to search box.
Manage launched flows > ListProcesses > Results to check the results of the ListProcesses flow.
You can as well enumare network connections on a client. Navigate to Start new flows > Network > Nestat. Set your Netstat flow options and click Launch.
That is the little we could cover about how to install and setup GRR clients on Ubuntu 18.04/Debian 9 servers. Feel free to explore more about this tool by following the links below;