Overview
Learn how to install the GRR (Google Rapid Response) server and client on Ubuntu and use them to carry out investigations.
Introduction
GRR (Google Rapid Response) is a Python-based incident response framework for live forensics and investigations. It lets you remotely examine hosts and perform analysis on them.
GRR is deployed in a server-client architecture. It comes with a web-based user interface that lets you analyze the data collected from clients. It supports Linux, Mac OS X and Windows.
Requirements
- A server running Ubuntu 18.xx
- A root password set on your server
Getting Started
Before you begin, update your system to the latest packages. You can do that by running the following command:
apt-get update -y
After the system has been updated, reboot it to apply all changes.
Install and Configure the Database
First, install the MariaDB database server on your system. You can install it with the following command:
apt-get install mariadb-server -y
Once the installation is complete, secure the MariaDB installation by running:
mysql_secure_installation
Answer all the questions as shown below:
Enter current password for root (enter for none):
Set root password? [Y/n]: N
Remove anonymous users? [Y/n]: Y
Disallow root login remotely? [Y/n]: Y
Remove test database and access to it? [Y/n]: Y
Reload privilege tables now? [Y/n]: Y
Once MariaDB is secured, log in to the MariaDB shell with the following command:
mysql -u root -p
Enter your root password. Then create a database and a user for GRR with the following commands:
MariaDB [(none)]> CREATE DATABASE grr;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON grr.* TO 'grr'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;
Next, flush the privileges and exit the MariaDB shell with the following commands:
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> EXIT;
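The grant above hands the application account WITH GRANT OPTION and a placeholder password. The following is an added example, not part of the original tutorial: the same database and user created with least privilege, scoped to the grr schema only, with no ability to re-grant rights, and a password placeholder (REPLACE_WITH_RANDOM_PASSWORD) that you substitute with a generated value.

```sql
-- Weak form used in the tutorial (shown for comparison, do not run):
-- GRANT ALL PRIVILEGES ON grr.* TO 'grr'@'localhost'
--   IDENTIFIED BY 'password' WITH GRANT OPTION;
-- GRANT OPTION lets the application account hand its rights to other
-- accounts, and 'password' is guessable.

-- Hardened form. Replace the placeholder with a long random value,
-- for example the output of: openssl rand -base64 32
CREATE DATABASE IF NOT EXISTS grr;
CREATE USER IF NOT EXISTS 'grr'@'localhost'
  IDENTIFIED BY 'REPLACE_WITH_RANDOM_PASSWORD';

-- GRR creates and alters its own tables, so it needs schema-level
-- privileges, but only on grr.*: nothing on other databases and
-- no GRANT OPTION.
GRANT ALL PRIVILEGES ON grr.* TO 'grr'@'localhost';

-- If the account was already created with the tutorial's statement,
-- this removes the ability to re-grant; it is harmless on a fresh user.
REVOKE GRANT OPTION ON grr.* FROM 'grr'@'localhost';
FLUSH PRIVILEGES;

-- Verify: the output must list only grr.* privileges and
-- must not contain the words GRANT OPTION.
SHOW GRANTS FOR 'grr'@'localhost';
```

Use the same generated password when the GRR installer asks for the database user's password later in this guide.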
Next, restart the MariaDB service with the following command:
systemctl restart mariadb
You can check the status of the MariaDB service with the following command:
systemctl status mariadb
You should see the following output:
mariadb.service - MariaDB 10.1.38 database server
Loaded: loaded (/lib/systemd/system/mariadb.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2019-04-12 15:11:14 UTC; 54min ago
Docs: man:mysqld(8)
https://mariadb.com/kb/en/library/systemd/
Main PID: 1050 (mysqld)
Status: "Taking your SQL requests now..."
Tasks: 46 (limit: 1113)
CGroup: /system.slice/mariadb.service
└─1050 /usr/sbin/mysqld
Apr 12 15:10:53 ubuntu1804 systemd[1]: Starting MariaDB 10.1.38 database server...
Apr 12 15:11:07 ubuntu1804 mysqld[1050]: 2019-04-12 15:11:07 140152311749760 [Note] /usr/sbin/mysqld (mysqld 10.1.38-MariaDB-0ubuntu0.18.04.1)
Apr 12 15:11:14 ubuntu1804 systemd[1]: Started MariaDB 10.1.38 database server.
Apr 12 15:11:14 ubuntu1804 /etc/mysql/debian-start[1251]: Upgrading MySQL tables if necessary.
Apr 12 15:11:15 ubuntu1804 /etc/mysql/debian-start[1265]: /usr/bin/mysql_upgrade: the '--basedir' option is always ignored
Apr 12 15:11:15 ubuntu1804 /etc/mysql/debian-start[1265]: Looking for 'mysql' as: /usr/bin/mysql
Apr 12 15:11:15 ubuntu1804 /etc/mysql/debian-start[1265]: Looking for 'mysqlcheck' as: /usr/bin/mysqlcheck
Apr 12 15:11:15 ubuntu1804 /etc/mysql/debian-start[1265]: This installation of MySQL is already upgraded to 10.1.38-MariaDB, use --force if you
Apr 12 15:11:15 ubuntu1804 /etc/mysql/debian-start[1306]: Checking for insecure root accounts.
Apr 12 15:11:15 ubuntu1804 /etc/mysql/debian-start[1311]: Triggering myisam-recover for all MyISAM tables and aria-recover for all Aria tables
Once done, you can proceed to the next step.
Install GRR Server
First, download the GRR package from its official GitHub repository.
You can download GRR version 3.2.4.6 with the following command:
wget https://storage.googleapis.com/releases.grr-response.com/grr-server_3.2.4-6_amd64.deb
Once the download is complete, install the downloaded file with the following command:
dpkg -i grr-server_3.2.4-6_amd64.deb
Next, install the required dependencies with the following command:
apt-get install -f
During the installation you will be asked for some details, such as the database host, username, password, the GRR URLs and the admin password, as shown below:
Running grr_config_updater initialize
To avoid this prompting, set DEBIAN_FRONTEND=noninteractive
#################################################################
Checking write access on config /etc/grr//server.local.yaml
Step 0: Importing Configuration from previous installation.
No old config file found.
Step 1: Setting Basic Configuration Parameters
We are now going to configure the server using a bunch of questions.

-=GRR Datastore=-
For GRR to work each GRR server has to be able to communicate with
the datastore. To do this we need to configure a datastore.

GRR will use MySQL as its database backend. Enter connection details:
MySQL Host [localhost]:
MySQL Port (0 for local socket) [0]:
MySQL Database [grr]:
MySQL Username [root]: grr
Please enter password for database user grr:
Successfully connected to MySQL with the provided details.

-=GRR URLs=-
For GRR to work each client has to be able to communicate with the
server. To do this we normally need a public dns name or IP address
to communicate with. In the standard configuration this will be used
to host both the client facing server and the admin user interface.

Please enter your hostname e.g. grr.example.com [ubuntu1804]: 192.168.0.104

-=Server URL=-
The Server URL specifies the URL that the clients will connect to
communicate with the server. For best results this should be publicly
accessible. By default this will be port 8080 with the URL ending in /control.

Frontend URL [http://192.168.0.104:8080/]:

-=AdminUI URL=-:
The UI URL specifies where the Administrative Web Interface can be found.

AdminUI URL [http://192.168.0.104:8000]:

-=GRR Emails=-
GRR needs to be able to send emails for various logging and
alerting functions. The email domain will be appended to GRR
usernames when sending emails to users.

-=Monitoring/Email Domain=-
Emails concerning alerts or updates must be sent to this domain.

Email Domain e.g example.com [localhost]:

-=Alert Email Address=-
Address where monitoring events get sent, e.g. crashed clients, broken server, etc.

Alert Email Address [[email protected]]:

-=Emergency Email Address=-
Address where high priority events such as an emergency ACL bypass are sent.

Emergency Access Email Address [[email protected]]:
Rekall is no longer actively supported. Enable anyway? [yN]: [N]:

Step 2: Key Generation
All keys will have a bit length of 2048.
Generating executable signing key
Generating CA keys
Generating Server keys
Generating secret key for csrf protection.
Repacked into /usr/share/grr-server/executables/installers/grr_3.2.4.6_amd64.deb
GRR Initialization complete! You can edit the new configuration in /etc/grr//server.local.yaml.
Please restart the service for the new configuration to take effect.
#################################################################
Install complete.
Now restart the GRR service to apply all changes:
systemctl restart grr-server
You can now check the status of GRR with the following command:
systemctl status grr-server
You should see the following output:
grr-server.service - GRR Service
Loaded: loaded (/lib/systemd/system/grr-server.service; enabled; vendor preset: enabled)
Active: active (exited) since Fri 2019-04-12 15:57:09 UTC; 6s ago
Docs: https://github.com/google/grr
Process: 7178 ExecStop=/bin/systemctl --no-block stop [email protected]_ui.service [email protected] [email protected] grr-s
Process: 7215 ExecStart=/bin/systemctl --no-block start [email protected]_ui.service [email protected] [email protected] grr
Main PID: 7215 (code=exited, status=0/SUCCESS)
Apr 12 15:57:09 ubuntu1804 systemd[1]: Starting GRR Service...
Apr 12 15:57:09 ubuntu1804 systemd[1]: Started GRR Service.
Access the GRR Web Interface
GRR is now installed and listening on ports 8000 (Admin UI) and 8080 (Frontend).
To access the GRR admin interface, open your web browser and enter the URL http://192.168.0.104:8000.
You will be asked for the admin username and password; use admin as the username and the password you set during installation. Then click the OK button. You will be redirected to the following page:
Install GRR Client
First, log in to the GRR server web interface and navigate to the "Manage Binaries" tab in the left pane. You should see the various client builds, such as RHEL, Debian and BSD, on the following page:
Since your distribution is Ubuntu 18.04, click grr_3.2.4.6_amd64.deb to download the GRR client for Ubuntu.
Once the download is complete, install the downloaded file with the following command:
dpkg -i grr_3.2.4.6_amd64.deb
The command above installs the GRR client on your system and automatically enrolls it with the GRR server.
You can also check the status of the GRR client with the following command:
systemctl status grr
You should see the following output:
grr.service - grr linux amd64
Loaded: loaded (/lib/systemd/system/grr.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2019-04-12 16:24:39 UTC; 16s ago
Main PID: 3305 (grrd)
Tasks: 6 (limit: 847)
CGroup: /system.slice/grr.service
├─3305 /usr/sbin/grrd --config=/usr/lib/grr/grr_3.2.4.6_amd64/grrd.yaml
└─3306 /usr/sbin/grrd --config=/usr/lib/grr/grr_3.2.4.6_amd64/grrd.yaml
Apr 12 16:24:39 ubuntu1804 systemd[1]: Started grr linux amd64.
Run an Investigation
Now go to the GRR server web interface, click the search box and press Enter. You should see your client on the following page:
Now click your client to see more details, as shown on the following page:
Next, we will list the processes running on the client.
To do this, click "Start new flows" > "Processes" > "ListProcesses", select "ESTABLISHED" under "Connection states", and click "Launch" to start the flow. You should see the following page:
Next, click Manage launched flows > ListProcesses > Results to view the results of the ListProcesses flow on the following page:
Congratulations! You have successfully installed the GRR server and client. Go ahead and explore the tool.