Install GRR Incident Response Framework on Ubuntu 18.04

|
Last Updated:
|
|

Hello folks. Today we are going to learn how to install GRR incident response framework on Ubuntu 18.04. Google Rapid Response (GRR) is a python based incident response framework that focuses on live forensics and investigations. It enables security analysts to examine and attacks and perform analysis remotely.

GRR is deployed in a server-client architecture. The GRR server provides a web based user interface that allows analysts to analyze data collected from the clients. The GRR client on the other side is deployed on the host to be investigated and it polls the GRR server from time to time for different actions such as listing a directory, downloading files.

Installing GRR Incident Response Framework on Ubuntu

Before you fire up the installation of GRR on Ubuntu 18.04, update and upgrade your system packages.

apt update

Install MySQL database server

GRR uses MySQL as the default database backend. Hence you can install MySQL on Ubuntu 18.04 by running the command below;

apt install mysql-server

Next, run the MySQL security script to set the root password, remove anonymous, etc.

mysql_secure_installation

After that, login to MySQL as root user and create GRR database and user. Creation of database user is optional since GRR can use the root password.

create database grr;
grant all privileges on grr.* to grr@localhost identified by 'password';
flush privileges;

Now, install GRR on Ubuntu 18.04. The recommended way of installing GRR is to use the DEB package. Hence download the latest server DEB from here. You can simply, run the command below;

wget https://storage.googleapis.com/releases.grr-response.com/grr-server_3.2.4-6_amd64.deb

Once the download is done, install using APT package manager which will take care of all the dependencies.

sudo apt install ./grr-server_3.2.4-6_amd64.deb

During installation, the installer will prompt you to define a few settings.


Running grr_config_updater initialize
...
-=GRR Datastore=-
For GRR to work each GRR server has to be able to communicate with
the datastore. To do this we need to configure a datastore.

GRR will use MySQL as its database backend. Enter connection details:
MySQL Host [localhost]: Enter
MySQL Port (0 for local socket) [0]: #####################################.] 
MySQL Database [grr]: Enter
MySQL Username [root]: grr   << user set above
Please enter password for database user grr: Password for grr db user
Successfully connected to MySQL with the provided details.

Define the GRR server hostname server. Note that this hostname should locally resolvable by the clients.


-=GRR URLs=-
For GRR to work each client has to be able to communicate with the
server. To do this we normally need a public dns name or IP address
to communicate with. In the standard configuration this will be used
to host both the client facing server and the admin user interface.

Please enter your hostname e.g. grr.example.com [grr.example.com]: Enter

Set the GRR server as well the administration UI URL


-=Server URL=-
The Server URL specifies the URL that the clients will connect to
communicate with the server. For best results this should be publicly
accessible. By default this will be port 8080 with the URL ending in /control.

Frontend URL [http://grr.example.com:8080/]: Enter

-=AdminUI URL=-:
The UI URL specifies where the Administrative Web Interface can be found.

AdminUI URL [http://grr.example.com:8000]: Enter

Next define the email address for alerting, logging and various updates. Email configuration assumes that you have an MTA already running.

Set the GRR admin user password.

Step 3: Adding GRR Admin User
Please enter password for user 'admin': P@SSWORD

Repackage the client templates with new configurations.

Step 4: Repackaging clients with new configuration.
Server debs include client templates. Re-download templates? [yN]:  [N]: Enter
Repack client templates? [Yn]:  [Y]: y

The installation will proceed and if everything goes well, you should be able to see such an output.


GRR Initialization complete! You can edit the new configuration in /etc/grr//server.local.yaml.

Please restart the service for the new configuration to take effect.

#################################################################
Install complete.
If upgrading, make sure you read the release notes:
https://grr-doc.readthedocs.io/en/latest/release-notes.html
...

Restart the GRR service for the new configuration to take effect.

sudo systemctl restart grr-server

To verify that the service is running, run the command below;


sudo systemctl status grr-server
* grr-server.service - GRR Service
   Loaded: loaded (/lib/systemd/system/grr-server.service; enabled; vendor preset: enabled)
   Active: active (exited) since Sat 2019-02-02 08:11:46 UTC; 39s ago
     Docs: https://github.com/google/grr
  Process: 11968 ExecStop=/bin/systemctl --no-block stop grr-server@admin_ui.service [email protected] [email protected] [email protected]
  Process: 11992 ExecStart=/bin/systemctl --no-block start grr-server@admin_ui.service [email protected] [email protected] grr-server@worker2
 Main PID: 11992 (code=exited, status=0/SUCCESS)

Running GRR UI behind Nginx Proxy with HTTPS

As a security measure, we are going to configure GRR admin UI to be served through Nginx Proxy via HTTPS. Also,be sure to limit access to GRR web UI.

Install Nginx

Nginx can be installed from the default Ubuntu repositories as shown below;

apt install nginx

After the installation is done, generate SSL/TLS certificate. In this guide, we are going to use the self-signed SSL certificates.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/grr-server.key -out /etc/nginx/grr-server.crt

Set the permissions for both the SSL certificate and key as follows;

chmod 644 /etc/nginx/grr-server.crt
chmod 400 /etc/nginx/grr-server.key

Configure Nginx to server HTTPS traffic and proxies the GRR HTTP requests.

vim /etc/nginx/sites-available/default

The configuration should look like below without comments;


server {

    listen 443;
    server_name localhost;

    ssl_certificate           /etc/nginx/grr-server.crt;
    ssl_certificate_key       /etc/nginx/grr-server.key;

    ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log            /var/log/nginx/grr.access.log;

    location / {

    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;

     proxy_pass          http://localhost:8000;
     proxy_read_timeout  180;

     proxy_redirect      http://localhost:8000 https://grr.example.com;
    }
}

The https://grr.example.com on the proxy_redirect directive is the on you will use to publicly access GRR Admin UI. Therefore, edit the GRR server configuration file and adjust the value of AdminUI directive to this URL.

vim /etc/grr/server.local.yaml
...AdminUI.url: https://grr.example.com
...

Check Nginx for errors.

nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Allow HTTP and HTTPS traffic as well as the GRR ports on firewall.

ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 8080/tcp
ufw allow 8000/tcp
ufw reload

Restart Nginx and GRR server to effect the changes.

systemctl restart nginx
systemctl restart grr-server

To access GRR administration user interface, login using the https://grr.example.com as specified in the configurations above. Ignore the invalid SSL certificate warning. GRR’s page protected by a Basic Auth dialog thus you will be prompted to authenticate before you get to the dashboard. Use admin as the user and the password you set for the admin while doing installation.

Install GRR Incident Response Framework on Ubuntu 18.04 After a successful authentication, you will be taken GRR web user interface.

grr UI

Beautiful. In our next tutorial,you will learn how to deploy GRR clients and start investigations. Enjoy.

SUPPORT US VIA A VIRTUAL CUP OF COFFEE

We're passionate about sharing our knowledge and experiences with you through our blog. If you appreciate our efforts, consider buying us a virtual coffee. Your support keeps us motivated and enables us to continually improve, ensuring that we can provide you with the best content possible. Thank you for being a coffee-fueled champion of our work!

Photo of author
koromicha
I am the Co-founder of Kifarunix.com, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".

Leave a Comment