How to Install GRR on Ubuntu 18 for Incident Response

Google Rapid Response (GRR) is an extremely powerful open source incident response framework built for remote live forensics and threat hunting at scale across cloud and endpoint infrastructure.

With out-of-the-box support for major platforms like Windows, Linux and macOS, integrated data collection capabilities ranging from memory and file analysis to network connection listing and user behavior analytics, as well as robust server infrastructure for managing thousands of endpoints, GRR delivers unparalleled visibility and response automation for the modern SOC.

In this comprehensive guide, we will deploy GRR server and client on Ubuntu 18.04, including configuration of backend databases, enrolling agents for data collection as well as performing example threat hunts across the infrastructure.

Introduction to GRR Capabilities

GRR's architecture follows a client/server model designed specifically for IR workflows. Some of its key capabilities:

Remote Live Forensics

  • Perform remote acquisition of forensic artifacts like process lists, file system data, memory dumps etc.
  • Collect data from multiple endpoints (Windows, Linux, macOS)
  • Support both "pull" and "push" models for real-time data retrieval

Centralized Analysis and Automation

  • Store and analyze collected forensic data at scale
  • Automate common investigation tasks through pre-built actions/workflows
  • Schedule recurring collections or hunts via intuitive UI

Extensible and Integrations Ready

  • Python based scripts and plugins for custom data analysis
  • Integrate with other security tools like MISP, Splunk, VirusTotal etc.

Enterprise Scale

  • Deploy across regions with distributed server architecture
  • Horizontally scale through worker queue based processing
  • Reliable data collection using TLS encrypted channels

[Image: GRR architecture diagram]

Let's now proceed to installing GRR on Ubuntu 18.04 LTS.

Prerequisites and System Requirements

GRR Server

For the GRR server, a freshly installed Ubuntu 18.04 system with root access is required. Depending on the planned deployment size, a server with 4 to 8 cores and high-IOPS SSD storage is recommended.

Software dependencies:

  • MariaDB or MySQL
  • Python 2.7

GRR Client

The GRR client supports multiple platforms like Windows, Linux, macOS and BSD variants. We will be installing the Ubuntu 18.04 client in this guide. Depending on the intended data collection parameters like filesystem access, memory dumps etc., additional access considerations may be applicable for endpoints.

Step 1 – Prepare Ubuntu for Installation

Start by updating Ubuntu's package repositories and installing the latest packages:

apt update
apt upgrade -y

Once complete, reboot to apply updates:

reboot

The base OS is now ready for GRR installation.

Step 2 – Install and Configure MariaDB Database

GRR requires a relational data store to persist artifacts, client metadata as well as investigation data. We'll use MariaDB for this purpose on Ubuntu.

apt install mariadb-server -y

On first install, the MariaDB setup wizard runs to take care of basic configuration such as the root password. Alternatively, you can run it manually:

mysql_secure_installation

Next, log in to the MariaDB shell and create the database along with a dedicated user for GRR.

mysql -u root -p

CREATE DATABASE grr;

GRANT ALL ON grr.* TO 'grruser'@'localhost' IDENTIFIED BY 'strongpassword';

FLUSH PRIVILEGES;
EXIT

Finally, enable MariaDB service to survive reboots:

systemctl enable mariadb

This completes setting up the database backend. The same steps work for any compatible MySQL database flavor.

Step 3 – Install GRR Server and Web UI

With the database ready, we can now proceed with installing the main GRR server. Here we'll be installing the latest version – 3.2.4.6

Download the Ubuntu 18.04 server package from GRR releases:

wget https://storage.googleapis.com/releases.grr-response.com/grr-server_3.2.4.6_amd64.deb

dpkg -i grr-server_3.2.4.6_amd64.deb

You will be prompted to enter the database connection parameters and set an admin password during the install.

MySQL Host [localhost]: 
MySQL Database [grr]:  
MySQL Username [grruser]:
MySQL Password: xyz

AdminUI Password:       

Once installed successfully, enable the main GRR service:

systemctl enable grr-server
systemctl start grr-server

This completes the server installation process.

Step 4 – Access and Configure the GRR Web Interface

The Admin UI bundle shipped along with the server package sets up a web based console accessible over port 8000.

URL: http://<hostname_or_ip>:8000

Creds: Username: admin, Password: <set_during_install>

[Image: GRR web UI login page]

Upon first login, you land on the GRR dashboard page:

[Image: GRR web UI dashboard]

The sidebar menu provides access to the rest of the modules – hunts, clients, filestore, cron jobs etc. We will onboard a client next.

Step 5 – Enroll GRR Client on Ubuntu Endpoint

GRR employs a lightweight client agent for endpoint data collection. Client binaries for all supported operating systems are available through the server's UI.

Navigate to Manage Binaries section and download the Ubuntu 18.04 DEB package.

[Image: downloading the GRR client package from Manage Binaries]

Install the client package on your target Ubuntu system:

dpkg -i grr_3.2.4.6_amd64.deb

Enrollment involves the client securely registering itself with the GRR server/database. Confirm successful registration on the Manage Clients page.

[Image: enrolled client listed on the Manage Clients page]

The Ubuntu machine can now be remotely accessed through the GRR server for forensics activities.

GRR Client Types and Collected Artifacts

The GRR client is highly flexible when it comes to data collection modules and modes of operation. Multiple client types specialize in acquiring specific artifact categories:

Memory Forensics Client

  • Capture memory dumps for analysis
  • Volatile data acquisition, e.g. running processes, open network sockets etc.

Filesystem Client

  • Remotely browse filesystem like a regular user
  • Copy interesting files to server for further inspection
  • Filter directory contents by regex or metadata

Network Forensics Client

  • Capture and inspect network traffic
  • Analyze DNS and DHCP activity
  • High speed acquisition over 10/40 Gbps links

Cloud Forensics Client

  • Interact with cloud APIs (AWS, GCP etc.)
  • Instance metadata and storage access
  • Virtual machine memory and disk analysis

And more! Memory, filesystem and network comprise the standard client capabilities.

Step 6 – Perform Basic Forensics using GRR Hunts

Hunting refers to the process of performing investigative actions across clients to collect data, look for threats and respond to incidents. We will run a simple example hunt to list all running processes on our enrolled Ubuntu client.

Navigate to Start new hunt and launch the ListProcesses module, specifying the target client.

[Image: starting a ListProcesses hunt]

Completed hunts move to the Manage Hunts section. Click on the ListProcesses hunt that just ran to view its results.

[Image: ListProcesses hunt results]

The hunt successfully collected details for all processes actively running on our Ubuntu client at the time of execution.

This was just a basic example of GRR's extensive hunt capabilities. Hundreds of out-of-the-box hunt modules are available, covering everything from memory analysis and monitoring user logins to scanning for sensitive files. Robust filtering mechanisms help sift through terabytes of historical hunt result data with ease.

Custom hunts can also be created by chaining together basic information gathering and data processing modules. Python scripts extend hunt capabilities even further.
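As an added example of the Python extensibility described above (not code from the original article or from the GRR project), the following script triages ListProcesses results of the kind the hunt in Step 6 produces. The record fields (pid, ppid, name, exe, cmdline, username) mirror GRR's Process result; the sample records are constructed for the demo. The fetch_processes helper shows how the same records would be pulled from a live server with the grr_api_client library (api.InitHttp, Client, CreateFlow, WaitUntilDone, ListResults); the endpoint, credentials and client id are placeholders, and that path is not exercised offline.

```python
"""Triage ListProcesses results from a GRR hunt (added example)."""
import os

# Locations a legitimate system service is not expected to execute from.
SUSPICIOUS_EXE_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/")


def triage_processes(records):
    """Return a list of (pid, reason) findings for records worth analyst attention.

    Each record is a dict with the fields of GRR's Process result:
    pid, ppid, name, exe, cmdline (list of argv strings), username.
    """
    findings = []
    for rec in records:
        pid = int(rec.get("pid", 0))
        exe = rec.get("exe") or ""
        cmdline = rec.get("cmdline") or []

        # Rule 1: the executable lives in a temp / world-writable directory.
        if exe.startswith(SUSPICIOUS_EXE_PREFIXES):
            findings.append((pid, "exe in temp directory: %s" % exe))

        # Rule 2: the executable was unlinked after launch; the kernel reports
        # "(deleted)" for /proc/<pid>/exe, so the file is gone but still running.
        if exe.endswith(" (deleted)"):
            findings.append((pid, "exe deleted from disk: %s" % exe))

        # Rule 3: argv[0] does not match the on-disk executable name, which is
        # how a process masquerades as a benign daemon in `ps` output.
        # Login shells prefix argv[0] with "-" and interpreters such as
        # python3 -> python3.6 differ by suffix, so both are tolerated.
        if cmdline and exe:
            argv0 = os.path.basename(cmdline[0]).lstrip("-")
            exe_base = os.path.basename(exe.replace(" (deleted)", ""))
            if argv0 and argv0 != exe_base and not exe_base.startswith(argv0):
                findings.append(
                    (pid, "argv[0] %r differs from exe %r" % (argv0, exe_base)))
    return findings


def fetch_processes(api_endpoint, client_id, auth):
    """Run ListProcesses on one client through the GRR HTTP API.

    Assumes the grr_api_client package is installed and the server is
    reachable; the call sequence follows that library's documented usage.
    """
    from grr_api_client import api  # imported lazily so triage works offline

    grrapi = api.InitHttp(api_endpoint=api_endpoint, auth=auth)
    flow = grrapi.Client(client_id).CreateFlow(name="ListProcesses")
    flow.WaitUntilDone()
    return [
        {"pid": r.payload.pid, "ppid": r.payload.ppid, "name": r.payload.name,
         "exe": r.payload.exe, "cmdline": list(r.payload.cmdline),
         "username": r.payload.username}
        for r in flow.ListResults()
    ]


# Constructed sample records standing in for a hunt result set.
SAMPLE_RECORDS = [
    {"pid": 1234, "ppid": 1, "name": "sshd", "exe": "/usr/sbin/sshd",
     "cmdline": ["/usr/sbin/sshd", "-D"], "username": "root"},
    {"pid": 1337, "ppid": 1, "name": "kworker", "exe": "/tmp/.x/kworker",
     "cmdline": ["/tmp/.x/kworker"], "username": "dev"},
    {"pid": 2048, "ppid": 1, "name": "sshd", "exe": "/home/dev/miner (deleted)",
     "cmdline": ["sshd"], "username": "dev"},
    {"pid": 900, "ppid": 1, "name": "python3", "exe": "/usr/bin/python3.6",
     "cmdline": ["python3", "/opt/app/run.py"], "username": "www-data"},
    {"pid": 777, "ppid": 1200, "name": "bash", "exe": "/bin/bash",
     "cmdline": ["-bash"], "username": "dev"},
]


def demo():
    """Triage the constructed sample; returns three findings (pids 1337, 2048, 2048)."""
    return triage_processes(SAMPLE_RECORDS)


if __name__ == "__main__":
    for pid, reason in demo():
        print("pid %d: %s" % (pid, reason))
    # With a real server, replace the placeholders below:
    # records = fetch_processes("http://grr-server.example:8000",
    #                           "C.0000000000000000", ("admin", "password"))
    # for pid, reason in triage_processes(records): ...
```

The three rules are deliberately cheap so they can run over every client in a hunt; each finding is a pointer for an analyst to follow up with a targeted GetFile or memory collection, not a verdict on its own.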

Integrating GRR with Other Tools

While GRR provides unparalleled client management and data collection capabilities, integration with other security tools like threat intel platforms and SIEMs helps enrich and act on the generated data feeds for protecting enterprise environments.

MISP – Sync event data like malware hashes for ongoing threat hunts

Splunk – Forward hunt results for analysis and correlation

VirusTotal – Submit suspicious executables for online scanning

Active Directory – Manage GRR client deployments and ACLs

These are among 100+ GRR API clients and integrations for popular tools.

Securing GRR Data Collection and Access

Since GRR clients allow extensive data collection from enterprise endpoints, well-defined access control policies and secure network channels are critical for balancing security and privacy needs.

Some best practices around deployment:

  • Separate server infrastructure for production vs testing environments
  • Control client enrollment through server side approval workflow
  • Always use TLS for traffic between clients and GRR server
  • Enforce 2FA for console access
  • Restrict hunt creation permissions to only authorized users
  • Carefully audit user activities and artifact access

Adjust according to your business requirements!

Conclusion

In this detailed guide, we went through the complete process of installing GRR on Ubuntu including preparing the host, configuring databases, downloading server and client packages, performing client enrollment and running an example threat hunt.

With out-of-the-box capabilities for remote digital forensics and incident response spanning across every modern OS, GRR brings unparalleled visibility into endpoint activity both on-premise and in the cloud. Its enterprise scale architecture allows organizations to leverage big data tooling for effectively combating threats.

Whether you are looking for proactive threat hunting across regions or require automation for resource-intensive tasks like forensic disk image analysis – GRR's flexible architecture, extensive module library and Python-based extensibility provide the ideal platform for the next generation security operations center built to protect modern hybrid environments.
