Introduction
GRR (Google Rapid Response) is an incident response framework based on Python that can be used for live forensics and investigations. It allows you to examine and attacks and perform analysis remotely. GRR can be deployed in a server-client architecture. It comes with a web-based user interface that allows you to analyze data collected from the clients. It provides support for Linux, Mac OS X, and Windows OS.
Requirements
A server running Ubuntu 18.xx A root password is set up on your server
Getting Started
Before starting, you will need to update your system with the latest version. You can do it by running the following command: Once your system is updated, restart the system to apply all the changes.
Install and Configure Database
First, you will need to install the MariaDB database server to your system. You can install it with the following command: Once the installation has been completed, secure the MariaDB installation by running the following command: Answer all the questions as shown below: Once the MariaDB is secured, log in to MariaDB shell with the following command: Enter your root password. Then, create a database and user for GRR with the following command: Next, flush the privileges and exit from the MariaDB shell with the following command: Next, restart the MariaDB service with the following command: You can check the status of MariaDB service with the following command: You should see the following output: Once you have done, you can proceed to the next step.
Install GRR Server
First, you will need to download a GRR package from their official GitHub repository. You can download it with the following command to download the GRR 3.2.4.6 version. Once the download is completed, you can install the downloaded file with the following command: Next, install the required dependencies with the following command: During the installation, you will need to provide some details like, database host, username, password, GRR URLS and Admin password as shown below: Now, restart the GRR service to apply all the changes: You can now check the status of GRR with the following command: You should see the following output:
Access GRR Web Interface
GRR is now installed and listening on port 8000 (Admin) and 8080 (Frontend). To access the GRR Admin interface, open your web browser and type the URL http://192.168.0.104:8000. You will be asked to provide Admin username and password, use admin as the user and the password you set during the installation. Then, click on the OK button. You will be redirected to the following page:
Install GRR Client
First, log in to your GRR server web interface and navigate to Manage Binaries tab on the left pane. You should see the various clients versions like, RHEL, Debian, and BSD in the following page:
Now, Your distro is Ubuntu 18.04. So, click on the grr_3.2.4.6_amd64.deb to download the GRR client for Ubuntu. Once the download is completed, install the downloaded file with the following command: The above command will install the GRR client to your system and automatically registers itself to the GRR server. You can also check the status of GRR with the following command: You should see the following output:
Perform Investigation
Now, go to the GRR server web interface, click on the Search Box and press Enter. You should see your Client in the following page:
Now, click on your Client to see more details as shown in the following page:
Next, we will list the processes running on the Client. To do so, click on Start new flows > Processes > ListProcesses, Under Connection State, select Established and click on the Launch to launch the flow. You should see the following page:
Next, click on the Manage launched flows > ListProcesses > Results to see the results of the ListProcesses flow in the following page:
Congratulations! You have successfully installed the GRR server and client. Go ahead and play around with the tool.
