google / grr
GRR Rapid Response: remote live forensics for incident response

Home Page: https://grr-doc.readthedocs.io/

License: Apache License 2.0

Python 70.44% Shell 0.35% Makefile 0.01% HTML 3.48% JavaScript 0.11% C 0.09% Standard ML 0.07% Roff 0.01% PowerShell 0.01% HCL 0.07% Dockerfile 0.07% Jupyter Notebook 1.62% TypeScript 22.68% SCSS 1.00%

grr's Introduction

GRR Rapid Response is an incident response framework focused on remote live forensics.

Build

GRR consists of a Python client (agent) that is installed on target systems, and Python server infrastructure that can manage and talk to those clients.

Documentation

Please visit our documentation website if you want to know more about GRR.

grr's Issues

Possible Misplaced Config Options

A quick grep shows these may not live where they are supposed to live. I didn't want to move them into a different file in /config/ without having a good idea of if they really belong where they should go.

gui/views.py:config_lib.DEFINE_string("AdminUI.page_title",
gui/views.py:config_lib.DEFINE_string("AdminUI.heading", "",
gui/views.py:config_lib.DEFINE_string("AdminUI.report_url",
gui/views.py:config_lib.DEFINE_string("AdminUI.help_url",
gui/views.py:config_lib.DEFINE_string("AdminUI.github_docs_location",
gui/plugins/new_hunt.py:config_lib.DEFINE_string("AdminUI.new_hunt_wizard.default_output_plugin",
lib/aff4_objects/cronjobs.py:config_lib.DEFINE_list("Cron.enabled_system_jobs", [],
lib/aff4_objects/stats_store.py:config_lib.DEFINE_string("StatsStore.process_id", default="",
lib/aff4_objects/stats_store.py:config_lib.DEFINE_integer("StatsStore.write_interval", default=60,
lib/aff4_objects/stats_store.py:config_lib.DEFINE_integer("StatsStore.ttl", default=60 * 60 * 24 * 7,

Clients using bad URN for hunt scheduling: aff4:/W:Foreman is not a proper flow object

I'm investigating a problem with hunt scheduling. The symptoms are that hunts don't ever get scheduled. This only seems to be a problem with very new clients (3.0.0.3 clients seem to work fine). To tell if you have this problem run your worker with --verbose and you will see:

aff4:/W:Foreman is not a proper flow object

The issue seems to be that client comms uses aff4:/W:Foreman when it should be using aff4:/flows/W:Foreman in a couple of places:
https://github.com/google/grr/blob/master/client/comms.py#L977

But while that's a simple fix, it may not be the root cause, since it has been working for some time.

Server doesn't install under debian stable (wheezy)

Running the open source server installer on the current Debian version doesn't work because of libc6 version incompatibilities. Similar errors exist for the patched versions of sleuthkit and pytsk.

Run sudo dpkg -i ubuntu-12.04-amd64-debs/m2crypto_0.21.1-1_amd64.deb [Y/n/a]? y
#### Running #### sudo dpkg -i ubuntu-12.04-amd64-debs/m2crypto_0.21.1-1_amd64.deb
Selecting previously unselected package m2crypto.
(Reading database ... 62132 files and directories currently installed.)
Unpacking m2crypto (from .../m2crypto_0.21.1-1_amd64.deb) ...
dpkg: dependency problems prevent configuration of m2crypto:
 m2crypto depends on libc6 (>= 2.14); however:
  Version of libc6:amd64 on system is 2.13-38+deb7u6.

dpkg: error processing m2crypto (--install):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 m2crypto

grr_export fails with OSXServiceInformation (ProtoBoolean field)

Hi guys,
I have been struggling to get grr_export to export any collection that contains OSXServiceInformation entries.

The error I get is:

Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/grr-0.3.0_2-py2.7.egg/grr/tools/export_plugins/plugin.py", line 66, in ConvertBatch
    self.output_plugin.ProcessResponses(batch)
  File "/usr/local/lib/python2.7/dist-packages/grr-0.3.0_2-py2.7.egg/grr/lib/hunts/output_plugins.py", line 227, in ProcessResponses
    self.WriteValuesToCSVFile(converted_responses)
  File "/usr/local/lib/python2.7/dist-packages/grr-0.3.0_2-py2.7.egg/grr/lib/utils.py", line 82, in NewFunction
    return f(self, *args, **kw)
  File "/usr/local/lib/python2.7/dist-packages/grr-0.3.0_2-py2.7.egg/grr/lib/hunts/output_plugins.py", line 278, in WriteValuesToCSVFile
    for value in values:
  File "/usr/local/lib/python2.7/dist-packages/grr-0.3.0_2-py2.7.egg/grr/lib/export.py", line 1258, in ConvertValuesWithMetadata
    for result in converter.BatchConvert(metadata_values_group, token=token):
  File "/usr/local/lib/python2.7/dist-packages/grr-0.3.0_2-py2.7.egg/grr/lib/export.py", line 385, in BatchConvert
    for result in self.Convert(metadata, value, token=token):
  File "/usr/local/lib/python2.7/dist-packages/grr-0.3.0_2-py2.7.egg/grr/lib/export.py", line 376, in Convert
    class_obj = self.MakeFlatRDFClass(value)
  File "/usr/local/lib/python2.7/dist-packages/grr-0.3.0_2-py2.7.egg/grr/lib/export.py", line 328, in MakeFlatRDFClass
    desc.enum_name].CopyToProto(enum_type)

The relevant code from grr/lib/export.py:315 is:

      if isinstance(desc, type_info.ProtoEnum):
        logging.info("enum: %s" % desc.enum_name)
        field = message_type.field.add()
        field.type = descriptor_pb2.FieldDescriptorProto.TYPE_ENUM
        field.type_name = desc.enum_name

        enum_type = message_type.enum_type.add()
        if value.protobuf:
          value.protobuf.DESCRIPTOR.enum_types_by_name[
              desc.enum_name].CopyToProto(enum_type)

From what I can tell, field 8 of OSXServiceInformation, ondemand, is a ProtoBoolean, which is a subclass of ProtoEnum. However, unlike a "true" ProtoEnum, ondemand does not come with a corresponding EnumDescriptor, so the lookup for it on line 323 fails.

Without wading too deeply into the protobuf implementation, I noticed that adding a

    and not isinstance(desc, type_info.ProtoBoolean)

to the conditional on line 315 appears to fix the problem. I am unsure of whether or not this is actually the best way to fix the issue; it feels like kind of a hack.

Regardless, as is, exporting OSXServiceInformation entries appears to be broken, and from what I can see, I believe that this might affect exporting other record types that include ProtoBoolean fields as well.
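To make the class-hierarchy point above concrete, here is an added example (not GRR's own code) that models type_info.ProtoEnum/ProtoBoolean and a protobuf descriptor with constructed stand-ins, reproduces the KeyError, and compares the proposed isinstance guard with a registration-based check. The class names, FAKE_ENUM_TYPES_BY_NAME and OSX_SERVICE_FIELDS are assumptions made for the demonstration.

```python
"""Reproduces the ProtoBoolean/ProtoEnum lookup failure and compares two guards.

Added example, not GRR's own code: ProtoEnum, ProtoBoolean, ProtoString and
FAKE_ENUM_TYPES_BY_NAME are constructed stand-ins for grr.lib.type_info and a
protobuf DESCRIPTOR, shaped only to show the bug and the fixes.
"""


class ProtoEnum(object):
    """Stand-in for type_info.ProtoEnum: a field backed by a named enum."""

    def __init__(self, name, enum_name):
        self.name = name
        self.enum_name = enum_name


class ProtoBoolean(ProtoEnum):
    """Stand-in for type_info.ProtoBoolean.

    It subclasses ProtoEnum, so the isinstance() test in export.py matches it,
    but protobuf generates no EnumDescriptor for a bool field, so its enum_name
    is never registered in enum_types_by_name.
    """

    def __init__(self, name):
        ProtoEnum.__init__(self, name, enum_name="Bool")


class ProtoString(object):
    """Stand-in for a non-enum field; it must pass through untouched."""

    def __init__(self, name):
        self.name = name


# Constructed stand-in for value.protobuf.DESCRIPTOR.enum_types_by_name:
# only genuine enums appear here, never the implicit "Bool" of a ProtoBoolean.
FAKE_ENUM_TYPES_BY_NAME = {"SessionType": ["AGENT", "USER", "SYSTEM"]}

# Constructed field list loosely modelled on OSXServiceInformation, where
# field 8 (ondemand) is the ProtoBoolean that trips the export.
OSX_SERVICE_FIELDS = [
    ProtoString("label"),
    ProtoEnum("sessiontype", "SessionType"),
    ProtoBoolean("ondemand"),
]

# Wire-type labels standing in for descriptor_pb2.FieldDescriptorProto.TYPE_*.
TYPE_ENUM = "TYPE_ENUM"
TYPE_BOOL = "TYPE_BOOL"
TYPE_STRING = "TYPE_STRING"


def make_flat_fields(fields, enum_types_by_name, mode):
    """Mimic the enum branch of export.MakeFlatRDFClass for each field.

    mode="original": same logic as the pasted snippet; raises KeyError on the
        ProtoBoolean field because "Bool" is not a registered enum.
    mode="guard": adds the proposed
        'and not isinstance(desc, type_info.ProtoBoolean)' exclusion.
    mode="lookup": decides by whether the enum is actually registered, so any
        future ProtoEnum subclass without a descriptor is handled the same way
        instead of needing its own isinstance guard.
    Returns a list of (field_name, wire_type, enum_values_or_None).
    """
    out = []
    for desc in fields:
        is_enum = isinstance(desc, ProtoEnum)
        if mode == "guard":
            is_enum = is_enum and not isinstance(desc, ProtoBoolean)
        elif mode == "lookup":
            is_enum = is_enum and desc.enum_name in enum_types_by_name
        elif mode != "original":
            raise ValueError("unknown mode %r" % mode)

        if is_enum:
            # This is the lookup that raises KeyError in the original code.
            values = list(enum_types_by_name[desc.enum_name])
            out.append((desc.name, TYPE_ENUM, values))
        elif isinstance(desc, ProtoBoolean):
            out.append((desc.name, TYPE_BOOL, None))
        else:
            out.append((desc.name, TYPE_STRING, None))
    return out


def export_succeeds(fields, enum_types_by_name, mode):
    """True if the flat class can be built without a descriptor lookup failing."""
    try:
        make_flat_fields(fields, enum_types_by_name, mode)
    except KeyError:
        return False
    return True
```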

API Request Timeouts

I was testing with the API and noticed that large enough hunt results seem to cause request timeout responses.

'Commands out of sync' error when specifying multiple workers

From tyler.keith on April 29, 2014 11:40:34

The configuration should be set to the MySQLDataStore in order to reproduce this error.

In grr-server.yaml specify Worker.worker_process_count: 2 then start the worker:
/usr/bin/python /usr/bin/grr_server --start_worker --config=/etc/grr/grr-server.yaml

ERROR:2014-04-29 18:31:45,374 worker:251] Error processing session aff4:/flows/W:Foreman: (2014, "Commands out of sync; you can't run this command now")
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/grr-0.2-py2.7.egg/grr/lib/worker.py", line 239, in _ProcessMessages
time.time() - now)
File "/usr/local/lib/python2.7/dist-packages/grr-0.2-py2.7.egg/grr/lib/aff4.py", line 1603, in __exit__
self.Close()
File "/usr/local/lib/python2.7/dist-packages/grr-0.2-py2.7.egg/grr/lib/aff4.py", line 1269, in Close
self.transaction.Commit()
File "/usr/local/lib/python2.7/dist-packages/grr-0.2-py2.7.egg/grr/lib/data_stores/mysql_data_store.py", line 516, in Commit
self._RemoveLock()
File "/usr/local/lib/python2.7/dist-packages/grr-0.2-py2.7.egg/grr/lib/data_stores/mysql_data_store.py", line 526, in _RemoveLock
(self.expires_lock, self.subject, self.subject))
File "/usr/local/lib/python2.7/dist-packages/grr-0.2-py2.7.egg/grr/lib/data_stores/mysql_data_store.py", line 79, in Execute
self.cursor.execute(*args)
File "/usr/local/lib/python2.7/dist-packages/MySQLdb/cursors.py", line 205, in execute
self.errorhandler(self, exc, value)
File "/usr/local/lib/python2.7/dist-packages/MySQLdb/connections.py", line 36, in defaulterrorhandler
raise errorclass, errorvalue
ProgrammingError: (2014, "Commands out of sync; you can't run this command now")
Exception _mysql_exceptions.ProgrammingError: (2014, "Commands out of sync; you can't run this command now") in <bound method DictCursor.__del__ of <MySQLdb.cursors.DictCursor object at 0x51938d0>> ignored
Process Process-1:
Traceback (most recent call last):
File "/usr/lib/python2.7/multiprocessing/process.py", line 258, in _bootstrap
self.run()
File "/usr/lib/python2.7/multiprocessing/process.py", line 114, in run
self._target(*self._args, **self._kwargs)
File "/usr/local/lib/python2.7/dist-packages/grr-0.2-py2.7.egg/grr/worker/worker.py", line 77, in StartWorker
worker_obj.Run()
File "/usr/local/lib/python2.7/dist-packages/grr-0.2-py2.7.egg/grr/lib/worker.py", line 87, in Run
processed = self.RunOnce()
File "/usr/local/lib/python2.7/dist-packages/grr-0.2-py2.7.egg/grr/lib/worker.py", line 122, in RunOnce
sessions_available = queue_manager.GetSessionsFromQueue(self.queue)
File "/usr/local/lib/python2.7/dist-packages/grr-0.2-py2.7.egg/grr/lib/queue_manager.py", line 455, in GetSessionsFromQueue
token=self.token, limit=10000):
File "/usr/local/lib/python2.7/dist-packages/grr-0.2-py2.7.egg/grr/lib/data_store.py", line 325, in ResolveRegex
limit=limit):
File "/usr/local/lib/python2.7/dist-packages/grr-0.2-py2.7.egg/grr/lib/data_stores/mysql_data_store.py", line 295, in MultiResolveRegex
return result.iteritems()
File "/usr/local/lib/python2.7/dist-packages/grr-0.2-py2.7.egg/grr/lib/data_stores/mysql_data_store.py", line 68, in __exit__
self.Commit()
File "/usr/local/lib/python2.7/dist-packages/grr-0.2-py2.7.egg/grr/lib/data_stores/mysql_data_store.py", line 75, in Commit
self.dbh.commit()
OperationalError: (2013, 'Lost connection to MySQL server during query')
ERROR:2014-04-29 18:31:45,449 flow:995] Error in WellKnownFlow.ProcessMessage: 'NoneType' object is not callable
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/grr-0.2-py2.7.egg/grr/lib/flow.py", line 993, in _SafeProcessMessage
self.ProcessMessage(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/grr-0.2-py2.7.egg/grr/lib/flows/general/administrative.py", line 351, in ProcessMessage
self.foreman_cache.AssignTasksToClient(message.source)
File "/usr/local/lib/python2.7/dist-packages/grr-0.2-py2.7.egg/grr/lib/aff4_objects/aff4_grr.py", line 548, in AssignTasksToClient
client.Set(client.Schema.LAST_FOREMAN_TIME(latest_rule))
TypeError: 'NoneType' object is not callable
Process Process-2:
Traceback (most recent call last):
File "/usr/lib/python2.7/multiprocessing/process.py", line 258, in _bootstrap
self.run()
File "/usr/lib/python2.7/multiprocessing/process.py", line 114, in run
self._target(*self._args, **self._kwargs)
File "/usr/local/lib/python2.7/dist-packages/grr-0.2-py2.7.egg/grr/worker/worker.py", line 77, in StartWorker
worker_obj.Run()
File "/usr/local/lib/python2.7/dist-packages/grr-0.2-py2.7.egg/grr/lib/worker.py", line 87, in Run
processed = self.RunOnce()
File "/usr/local/lib/python2.7/dist-packages/grr-0.2-py2.7.egg/grr/lib/worker.py", line 122, in RunOnce
sessions_available = queue_manager.GetSessionsFromQueue(self.queue)
File "/usr/local/lib/python2.7/dist-packages/grr-0.2-py2.7.egg/grr/lib/queue_manager.py", line 455, in GetSessionsFromQueue
token=self.token, limit=10000):
File "/usr/local/lib/python2.7/dist-packages/grr-0.2-py2.7.egg/grr/lib/data_store.py", line 325, in ResolveRegex
limit=limit):
File "/usr/local/lib/python2.7/dist-packages/grr-0.2-py2.7.egg/grr/lib/data_stores/mysql_data_store.py", line 277, in MultiResolveRegex
for row in cursor.Execute(query, args):
File "/usr/local/lib/python2.7/dist-packages/grr-0.2-py2.7.egg/grr/lib/data_stores/mysql_data_store.py", line 79, in Execute
self.cursor.execute(*args)
File "/usr/local/lib/python2.7/dist-packages/MySQLdb/cursors.py", line 205, in execute
self.errorhandler(self, exc, value)
File "/usr/local/lib/python2.7/dist-packages/MySQLdb/connections.py", line 36, in defaulterrorhandler
raise errorclass, errorvalue
ProgrammingError: (2014, "Commands out of sync; you can't run this command now")
Exception _mysql_exceptions.ProgrammingError: (2014, "Commands out of sync; you can't run this command now") in <bound method DictCursor.__del__ of <MySQLdb.cursors.DictCursor object at 0x5193510>> ignored
ERROR:2014-04-29 18:31:54,216 worker:56] Worker 2780 is dead
ERROR:2014-04-29 18:31:54,216 worker:56] Worker 2784 is dead

Original issue: http://code.google.com/p/grr/issues/detail?id=103

Indicate that approvals have been completed

It would be helpful if the approval UI could change to indicate that approval is no longer needed when someone clicks through to GRR (think the red, yellow, green and gray states based on approval status, etc.).

Ubuntu 12.04 Can't Install From QuickInstall

Using the quick install script and commenting out --pre during the rekall install causes an error on grr deb installation.

ImportError: cannot import name message_factory

Installing protobuf from source or packages allows it to finish, but when you go to the web server I get this message.

"A server error occurred. Please contact the administrator."

Hunt rules broken in wizard

Clicking on the "X" in the hunt rules dialog doesn't remove the rule, it still gets added and can be seen in the overview screen. Deleting the default rule and adding a new rule will result in having both rules applied.

A workaround seems to be to modify the existing rule to match what you want. To run a hunt on mac/win/linux I changed the default windows rule to a regex one that matched .* on the system attribute.

I see these errors in the console when running the new hunt wizard, which are related to the angular changes, but I suspect they are unrelated to this problem:

core.js:17 Uncaught TypeError: Cannot read property 'CollectionTableDirective' of undefined
flow.js:16 Uncaught TypeError: Cannot read property 'FlowLogDirective' of undefined
hunt.js:17 Uncaught TypeError: Cannot read property 'HuntLogDirective' of undefined
semantic.js:19 Uncaught TypeError: Cannot read property 'ClientUrnDirective' of undefined

misha can you take a look?

Client repack failing

I am getting the following error for all templates when trying to initialize/repack clients.

Repacking template failed: Error while retrieving Client.control_urls: Configuration hasn't been initialized yet

Enhanced File Information

From sean.gillespie.32 on October 06, 2014 14:51:35

Can the following features be added to file data?

  1. Support for all 8 timestamps associated with NTFS for Windows hosts since all of the timestamps are used for determining what actions have been taken or if there are any anomalies.
  2. Support for filemagic file identification. This would allow rapid identification of interesting files in listings as well as specific searches such as rar files in system directories.
  3. Support for PEHeader parsing. Imports, Exports, and VersionInfo are extremely useful for detecting malicious files.

These should all be pretty lightweight client actions that would have a lower impact when used than acquiring all of the files before processing them.

Original issue: http://code.google.com/p/grr/issues/detail?id=120

Server Load

I show no data for any selected time window. No exceptions are thrown so it is not clear why there is no data. Will this show worker queue backlog to know if more workers need to be added?

Make client version visible in client search results

This is just a small wish list for tracking, and I think some of these are already coming.

  1. Agent versions displayed and searchable. (3000, 3003, etc)
  2. Sortable columns
  3. Pagination for results over 50
  4. Label removal (Making the label displays in each row clickable for removal might work well)

No logout button

From tory.cullen on November 07, 2013 17:20:59

What steps will reproduce the problem?
  1. Log in to the Admin Console with one user
  2. Want to switch users
  3. Can't log out

What is the expected output? What do you see instead?
I would like to see a logout button in one of the corners of the Admin Console or perhaps have a context menu appear after clicking or hovering over "User: " that allows me to log out so that I can log in as a different user.

What version of the product are you using? On what operating system?
GRR v 0.2-8 in Firefox 25.0 on OS X Mavericks

Please provide any additional information below.
I know this isn't a huge deal, but it would make GRR more user friendly.

Original issue: http://code.google.com/p/grr/issues/detail?id=77

Modified Linux client not working as expected with new functionality

From aditya.kichu on January 08, 2014 08:33:38

What steps will reproduce the problem?
  1. Built the linux client from source
  2. Repacked it on the server and installed on linux client
  3. Flows run on the linux client give runtime errors on new flows, works with existing flows.

What is the expected output? What do you see instead?
I have attached the output of the linux client build for reference. I want to confirm if the new client functionality has been included in the agent that is built. Also, I would like to know whether the agent has been properly built in the first place or not.

When I test the new flows that I created on this linux client, I see that the existing flows like Fingerprint File work properly without any errors, whereas the new flows that I added do not work properly even though they work perfectly in windows.

For example, I updated the Fingerprint files flow with fuzzy hashing, by adding new entries in the Fingerprint Tuple and updating my protobuf. However, when I run this flow it causes a Key error in the client action. Please see the error backtrace below.

Failed Fingerprint: message GrrStatus { backtrace : u'Traceback (most recent call last):\n File "/usr/local/grr_build/build/grr/out00-PYZ.pyz/grr.client.actions", line 127, in Execute\n File "/usr/local/grr_build/build/grr/out00-PYZ.pyz/grr.client.client_actions.file_fingerprint", line 47, in Run\nKeyError: 3\n' cpu_time_used : message CpuSeconds { system_cpu_time : 0.0 user_cpu_time : 0.0 } error_message : u'KeyError(3,): 3' network_bytes_sent : 384 status : GENERIC_ERROR }

The client side code for the Fingerprint File is the same as the original code except that there is one more hasher in the code that I have. This hasher is not recognized and causes the Key Error.

Another new flow that I created also does not run properly. How do I check whether the protobuf used in the client is the latest?

I am using GRR source code version 2.8.1.0 on Ubuntu 12.04 LTS.

It would be great if someone could help me in identifying the problem.

Thanks,

Aditya

Attachment: linux_client_build.txt

Original issue: http://code.google.com/p/grr/issues/detail?id=91

Server Load not Loading

When I try to check server load for windows greater than 1hr the page never seems to finish loading. Watching the slow queries log on our SQL server seems to indicate it gets responses in a similar timeframe to the 1hr window that loads properly so it appears to be part of the processing to make the graphs.

Built python source for Linux doesn't include Ubuntu platform.system handling

From darrenbilby on December 02, 2013 14:52:40

At the moment we rely on platform.linux_distribution for determining versions. On Ubuntu's system Python this returns something sensible, e.g. ('Ubuntu', '12.04', 'precise').
However, this is due to Ubuntu patching http://hg.python.org/cpython/file/4d5c3cb08170/Lib/platform.py#l293. When we build, we build with the raw Python sources, so Ubuntu clients report the wrong thing, e.g. Linux-debian-wheezy/sid.

The best way to fix this is replacing the client side implementation with artifacts, but this will require a bit of work.

Original issue: http://code.google.com/p/grr/issues/detail?id=87
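As an added example (not GRR's code, and not the artifact-based fix the issue proposes), the following parses /etc/os-release, which is maintained by the distribution rather than by patches to CPython, so a client built from raw Python sources gets the same answer as the system interpreter. It returns the same (name, version, codename) shape as platform.linux_distribution; the two sample file contents are constructed.

```python
"""Distro detection from /etc/os-release instead of platform.linux_distribution.

Added example, not GRR's own code. platform.linux_distribution() only knows
about Ubuntu because Ubuntu patches CPython, so a client built from raw Python
sources reports "debian wheezy/sid" (the symptom in the issue above).
/etc/os-release is written by the distribution itself, so parsing it does not
depend on how the interpreter was built. Sample contents are constructed.
"""
import re

# Constructed sample: what /etc/os-release looks like on an Ubuntu 12.04 host.
SAMPLE_UBUNTU_OS_RELEASE = '''NAME="Ubuntu"
VERSION="12.04.5 LTS, Precise Pangolin"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu precise (12.04.5 LTS)"
VERSION_ID="12.04"
HOME_URL="http://www.ubuntu.com/"
'''

# Constructed sample for a Debian 7 host, where ID_LIKE is absent.
SAMPLE_DEBIAN_OS_RELEASE = '''PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
NAME="Debian GNU/Linux"
VERSION_ID="7"
VERSION="7 (wheezy)"
ID=debian
'''

# KEY=VALUE, keys are upper-case identifiers; everything after '=' is the value.
_LINE_RE = re.compile(r'^([A-Z][A-Z0-9_]*)=(.*)$')
# Inside a quoted value a backslash escapes the quote, backslash, $ and backtick.
_UNESCAPE_RE = re.compile(r'\\([\\"\'$`])')


def parse_os_release(text):
    """Parse os-release text into a dict of KEY -> unquoted value.

    Comment lines, blank lines and malformed lines are skipped rather than
    failing the whole parse, since a single odd line should not break
    identification of the host.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        match = _LINE_RE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
            value = _UNESCAPE_RE.sub(r'\1', value[1:-1])
        fields[key] = value
    return fields


def linux_distribution(text):
    """Return (distname, version, codename), the platform.linux_distribution shape.

    distname comes from ID (stable, lower-case) and version from VERSION_ID.
    The codename is the parenthesised part of VERSION when present, e.g.
    "7 (wheezy)" -> "wheezy"; Ubuntu writes it after a comma instead
    ("12.04.5 LTS, Precise Pangolin"), so fall back to the first word there.
    """
    fields = parse_os_release(text)
    name = fields.get('ID', fields.get('NAME', 'unknown').lower())
    version = fields.get('VERSION_ID', '')
    version_str = fields.get('VERSION', '')
    codename = ''
    match = re.search(r'\(([^)]+)\)', version_str)
    if match:
        codename = match.group(1).split()[0].lower()
    elif ',' in version_str:
        codename = version_str.split(',')[-1].split()[0].lower()
    return (name, version, codename)


def distro_family(text):
    """Return [ID] followed by the ID_LIKE chain, e.g. ['ubuntu', 'debian'].

    Useful for artifact selection: a rule written for 'debian' should also fire
    on any distribution that declares itself debian-like.
    """
    fields = parse_os_release(text)
    family = [fields.get('ID', 'unknown')]
    family.extend(fields.get('ID_LIKE', '').split())
    return family
```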

UTC display in UI

Since all of the GRR times are UTC it would be incredibly useful to have a small UTC display near the logged on user at the top for quick time comparisons.

Grr Client and PyInstaller issues

All,
I've gotten a Windows client build environment setup, however even after all build dependencies are satisfied, I'm still seeing an error after PyInstaller is invoked.
Namely :
UnboundLocalError: local variable 'raw_val' referenced before assignment
Traceback (most recent call last):
File ".\grr\client\client_build.py", line 188, in
flags.StartMain(main)
File "C:\Users\Administrator\grr\lib\flags.py", line 107, in StartMain
main([sys.argv[0]])
File ".\grr\client\client_build.py", line 161, in main
builder_obj.MakeExecutableTemplate()
File "C:\Users\Administrator\grr\lib\builders\windows.py", line 114, in MakeExecutableTemplate
self.BuildWithPyInstaller()
File "C:\Users\Administrator\grr\lib\build.py", line 118, in BuildWithPyInstaller
subprocess.check_call(cmd)
File "C:\Python27\lib\subprocess.py", line 540, in check_call
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['C:\Python27\python.exe', u'c:\grr_build\pyinstaller\pyinstaller.py', '--distpath', u'./dist', u'./build\grr.spec']' returned non-zero exit status 1

Digging into the PyInstaller versioninfo.py file, I see it hasn't had a commit against it in quite some time, but there is one comment. Another person encountered a similar error when using PyInstaller and a version file.
So, I had some questions:

  1. Is there a known way to disable adding the version info for the GRR Client?
  2. What version of PyInstaller are others using? Is 2.1 "too new"?
  3. Where is the .spec file? I was assuming I would encounter one at some point, but can't seem to find it. Are we passing anything in here that wouldn't be Unicode?
  4. Is anyone else currently building new GRR (windows) Client Versions on a routine basis?

Appreciate your time on reading

Error deleting a client

Trying to delete a client and all its data from GRR. sync=False is being passed to the DeleteSubject function, but there is no sync argument for that function.
https://github.com/google/grr/blob/master/lib/data_store.py#L159

In [7]: token = access_control.ACLToken(username="Me", reason="Removing test clients")

In [8]: aff4.FACTORY.Delete(rdfvalue.ClientURN("C.ebb1a9185cd7b5e3 "))
INFO:2014-11-04 20:10:46,294 aff4:722] Found 117 objects to remove when removing aff4:/C.ebb1a9185cd7b5e3

DEBUG:2014-11-04 20:10:46,311 aff4:730] Removing aff4:/C.ebb1a9185cd7b5e3

TypeError Traceback (most recent call last)
/usr/lib/python2.7/dist-packages/grr/tools/console.py in ()
----> 1 aff4.FACTORY.Delete(rdfvalue.ClientURN("C.ebb1a9185cd7b5e3 "))

/usr/lib/python2.7/dist-packages/grr/lib/aff4.pyc in Delete(self, urn, token, limit)
734 except KeyError:
735 pass
--> 736 data_store.DB.DeleteSubject(urn_to_delete, token=token, sync=False)
737
738 # Ensure this is removed from the cache as well.

TypeError: DeleteSubject() got an unexpected keyword argument 'sync'

GRR Client Duplicates

It would be nice to have a report for listing any hosts suspected of being duplicates, usually as a result of cloning an already installed agent. A flow that forces a client to reenroll could be useful for resolving any detected problems.

Installer not repacking agents

Getting a lot of errors due to missing files that the installer is trying to find.

Repacking : /usr/share/grr/executables/windows/templates/grr-client_3.0.0.3_amd64.zip (NOT READABLE)
To :        /usr/share/grr/executables/windows/installers/grr_3.0.0.3_amd64.exe

Repacking : /usr/share/grr/executables/windows/templates/grr-client_3.0.0.3_i386.zip (NOT READABLE)
To :        /usr/share/grr/executables/windows/installers/grr_3.0.0.3_i386.exe

Repacking : /usr/share/grr/executables/linux/templates/grr-client_3.0.0.3_amd64.zip (NOT READABLE)
To :        /usr/share/grr/executables/linux/installers/grr_3.0.0.3_amd64.deb

Repacking : /usr/share/grr/executables/linux/templates/grr-client_3.0.0.3_i386.zip (NOT READABLE)
To :        /usr/share/grr/executables/linux/installers/grr_3.0.0.3_i386.deb

Repacking : /usr/share/grr/executables/linux/templates/grr-client_3.0.0.3_amd64.rpm.zip (NOT READABLE)
To :        /usr/share/grr/executables/linux/installers/grr_3.0.0.3_amd64.rpm

Repacking : /usr/share/grr/executables/darwin/templates/grr-client_3.0.0.3_amd64.template (NOT READABLE)
To :        /usr/share/grr/executables/darwin/installers/grr_3.0.0.3_amd64.pkg

Template /usr/share/grr/executables/windows/templates/grr-client_3.0.0.3_amd64.zip missing - will not repack.
Failed to repack /usr/share/grr/executables/windows/templates/grr-client_3.0.0.3_amd64.zip.
Template /usr/share/grr/executables/windows/templates/grr-client_3.0.0.3_i386.zip missing - will not repack.
Failed to repack /usr/share/grr/executables/windows/templates/grr-client_3.0.0.3_i386.zip.
Template /usr/share/grr/executables/linux/templates/grr-client_3.0.0.3_amd64.zip missing - will not repack.
Failed to repack /usr/share/grr/executables/linux/templates/grr-client_3.0.0.3_amd64.zip.
Template /usr/share/grr/executables/linux/templates/grr-client_3.0.0.3_i386.zip missing - will not repack.
Failed to repack /usr/share/grr/executables/linux/templates/grr-client_3.0.0.3_i386.zip.
Template /usr/share/grr/executables/linux/templates/grr-client_3.0.0.3_amd64.rpm.zip missing - will not repack.
Failed to repack /usr/share/grr/executables/linux/templates/grr-client_3.0.0.3_amd64.rpm.zip.
Template /usr/share/grr/executables/darwin/templates/grr-client_3.0.0.3_amd64.template missing - will not repack.
Failed to repack /usr/share/grr/executables/darwin/templates/grr-client_3.0.0.3_amd64.template.

Here's the directory listing:

ls -l /usr/share/grr/executables/linux/templates/
total 94348
-rwxr-xr-x 1 root root 38468543 Aug  2 23:20 grr-client_3.0.0.2_amd64.rpm.zip
-rwxr-xr-x 1 root root 31894380 Aug  2 23:20 grr-client_3.0.0.2_amd64.zip
-rwxr-xr-x 1 root root 26244559 Aug  2 23:20 grr-client_3.0.0.2_i386.zip

OS version is Ubuntu 14.04.1 LTS.

Looks like a problem with the minor version change from 3.0.0.2 to 3.0.0.3?

setup.py and package install put code in different places, gotcha for tracking HEAD

I recently stood up an opensource install running HEAD. The process was:

  • Run the quickstart install script
  • git clone the repo
  • sudo python setup.py install

This works great, but you end up with GRR installed in:

/usr/lib/python2.7/dist-packages/grr/

by the deb, and in here by setup.py:

/usr/local/lib/python2.7/dist-packages/grr-0.3.0_2-py2.7.egg
extracted to: /usr/local/lib/python2.7/dist-packages

So depending on your path search order it's very likely that you will end up running the old code. To get things working I ended up just moving /usr/lib/python2.7/dist-packages/grr/ out of the way, but we should come up with a better solution to make this less of a trap.

Maybe we can just change either the deb or the setup.py so they install to the same place....

Missing HeartBeats

I have been looking into why we had to extend our Worker.flow_lease_time to avoid crashes and it appears that most flows loop through responses creating AFF4 objects without doing a HeartBeat during that process. This causes problems with things like deep file/registry listings where it doesn't loop through all the results fast enough to extend its lease time.

Reducing the maximum size of results might also fix this, but then the client needs to be online and available for a longer period of time to retrieve more result sets.

Does this look correct and what is the best way to approach this?

HTTP Datastore Crash

I set up new dataserver and frontend services using the latest code in git (11/14/14). When existing clients connect, the datastore/worker/enroller/http/ui services crash within a few minutes. The dataserver generates the error below. The file mentioned in the error, /opt/grr/C%2E047d1311ce5a38e5.sqlite, does not exist on disk.

Exception happened during processing of request from ('10.10.10.10', 45285)
Traceback (most recent call last):
  File "/usr/lib/python2.7/SocketServer.py", line 593, in process_request_thread
  File "/usr/lib/python2.7/SocketServer.py", line 334, in finish_request
  File "/usr/lib/python2.7/dist-packages/grr/server/data_server/data_server.py", line 87, in __init__
  File "/usr/lib/python2.7/SocketServer.py", line 649, in __init__
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 342, in handle
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request
  File "/usr/lib/python2.7/dist-packages/grr/server/data_server/data_server.py", line 526, in do_POST
  File "/usr/lib/python2.7/dist-packages/grr/server/data_server/data_server.py", line 258, in HandleDataStoreService
  File "/usr/lib/python2.7/dist-packages/grr/server/data_server/data_server.py", line 151, in HandleClient
  File "/usr/lib/python2.7/dist-packages/grr/server/data_server/store.py", line 50, in Wrapper
  File "/usr/lib/python2.7/dist-packages/grr/server/data_server/store.py", line 161, in MultiResolveRegex
  File "/usr/lib/python2.7/dist-packages/grr/lib/data_stores/sqlite_data_store.py", line 602, in MultiResolveRegex
  File "/usr/lib/python2.7/dist-packages/grr/lib/data_stores/sqlite_data_store.py", line 647, in ResolveRegex
  File "/usr/lib/python2.7/dist-packages/grr/lib/utils.py", line 82, in NewFunction
  File "/usr/lib/python2.7/dist-packages/grr/lib/data_stores/sqlite_data_store.py", line 173, in Get
  File "/usr/lib/python2.7/dist-packages/grr/lib/data_stores/sqlite_data_store.py", line 125, in _EnsureDatabaseExists
  File "/usr/lib/python2.7/dist-packages/grr/lib/data_stores/sqlite_data_store.py", line 104, in _WaitUntilReadable
IOError: database file /opt/grr/C%2E047d1311ce5a38e5.sqlite cannot be read
----------------------------------------
WARNING:2014-11-14 18:44:41,346 data_server:551] Client ('10.10.10.10', 45296) has stopped using the server
----------------------------------------
Exception happened during processing of request from ('10.10.10.10', 45296)
Traceback (most recent call last):
  File "/usr/lib/python2.7/SocketServer.py", line 593, in process_request_thread
    self.finish_request(request, client_address)
  File "/usr/lib/python2.7/SocketServer.py", line 334, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python2.7/dist-packages/grr/server/data_server/data_server.py", line 87, in __init__
    BaseHTTPRequestHandler.__init__(self, request, client_address, server)
  File "/usr/lib/python2.7/SocketServer.py", line 649, in __init__
    self.handle()
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 342, in handle
    self.handle_one_request()
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request
    method()
  File "/usr/lib/python2.7/dist-packages/grr/server/data_server/data_server.py", line 526, in do_POST
    fun(self)
  File "/usr/lib/python2.7/dist-packages/grr/server/data_server/data_server.py", line 258, in HandleDataStoreService
    replybody = self.HandleClient(sock, perms)
  File "/usr/lib/python2.7/dist-packages/grr/server/data_server/data_server.py", line 151, in HandleClient
    response = method(request)
  File "/usr/lib/python2.7/dist-packages/grr/server/data_server/store.py", line 50, in Wrapper
    f(self, request, response)
  File "/usr/lib/python2.7/dist-packages/grr/server/data_server/store.py", line 177, in DeleteAttributes
    token=token, sync=sync)
  File "/usr/lib/python2.7/dist-packages/grr/lib/data_stores/sqlite_data_store.py", line 578, in DeleteAttributes
    end)
  File "/usr/lib/python2.7/dist-packages/grr/lib/data_stores/sqlite_data_store.py", line 408, in __exit__
    self.Flush()
  File "/usr/lib/python2.7/dist-packages/grr/lib/utils.py", line 82, in NewFunction
    return f(self, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/grr/lib/data_stores/sqlite_data_store.py", line 423, in Flush
    self.Vacuum()
  File "/usr/lib/python2.7/dist-packages/grr/lib/data_stores/sqlite_data_store.py", line 463, in Vacuum
    self.cursor.execute("VACUUM")
OperationalError: unable to open database file

and also

WARNING:2014-11-14 20:47:18,624 data_server:551] Client ('10.10.10.10', 36704) has stopped using the server
----------------------------------------
Exception happened during processing of request from ('10.10.10.10', 36704)
Traceback (most recent call last):
  File "/usr/lib/python2.7/SocketServer.py", line 593, in process_request_thread
  File "/usr/lib/python2.7/SocketServer.py", line 334, in finish_request
  File "/usr/lib/python2.7/dist-packages/grr/server/data_server/data_server.py", line 87, in __init__
  File "/usr/lib/python2.7/SocketServer.py", line 649, in __init__
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 342, in handle
  File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request
  File "/usr/lib/python2.7/dist-packages/grr/server/data_server/data_server.py", line 526, in do_POST
  File "/usr/lib/python2.7/dist-packages/grr/server/data_server/data_server.py", line 258, in HandleDataStoreService
  File "/usr/lib/python2.7/dist-packages/grr/server/data_server/data_server.py", line 151, in HandleClient
  File "/usr/lib/python2.7/dist-packages/grr/server/data_server/store.py", line 50, in Wrapper
  File "/usr/lib/python2.7/dist-packages/grr/server/data_server/store.py", line 161, in MultiResolveRegex
  File "/usr/lib/python2.7/dist-packages/grr/lib/data_stores/sqlite_data_store.py", line 602, in MultiResolveRegex
  File "/usr/lib/python2.7/dist-packages/grr/lib/data_stores/sqlite_data_store.py", line 647, in ResolveRegex
  File "/usr/lib/python2.7/dist-packages/grr/lib/utils.py", line 82, in NewFunction
  File "/usr/lib/python2.7/dist-packages/grr/lib/data_stores/sqlite_data_store.py", line 174, in Get
  File "/usr/lib/python2.7/dist-packages/grr/lib/data_stores/sqlite_data_store.py", line 193, in __init__
OperationalError: unable to open database file
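An added diagnostic for the report above (it is not part of the original post and not GRR's own code): the file name in the error is percent-encoded, so /opt/grr/C%2E047d1311ce5a38e5.sqlite is the per-subject SQLite file for client C.047d1311ce5a38e5 that sqlite_data_store tried to open. The script below pulls every "database file ... cannot be read" path out of data server log text, decodes the client id it belongs to, and says whether the path is missing, not a regular file, unreadable for the current user, or fine. The log lines fed to it are constructed from the traceback on this page; run it as the account the data server runs under, since os.access answers for the calling user.

```python
import os
import re
from urllib.parse import unquote

# Matches the message in the traceback: "IOError: database file <path> cannot be read".
_FAILED_DB_RE = re.compile(
    r"(?:IOError|OSError): database file (?P<path>\S+) cannot be read")


def extract_failed_paths(log_text):
    """Return the distinct database paths the data server reported as unreadable, in order."""
    paths = []
    for match in _FAILED_DB_RE.finditer(log_text):
        path = match.group("path")
        if path not in paths:
            paths.append(path)
    return paths


def subject_from_path(path):
    """Recover the AFF4 subject from a per-subject database file name.

    The file name is percent-encoded, which is why 'C.' shows up as 'C%2E';
    decoding it gives the client id the failing request was for.
    """
    name = os.path.basename(path)
    if name.endswith(".sqlite"):
        name = name[: -len(".sqlite")]
    return unquote(name)


def diagnose(path):
    """Classify a path as 'missing', 'not-a-file', 'unreadable' or 'ok' for the current user."""
    if not os.path.exists(path):
        return "missing"
    if not os.path.isfile(path):
        return "not-a-file"
    if not os.access(path, os.R_OK | os.W_OK):
        return "unreadable"
    return "ok"


def diagnose_log(log_text):
    """Map every failed path in the log to (client subject, filesystem status)."""
    return {p: (subject_from_path(p), diagnose(p)) for p in extract_failed_paths(log_text)}


# Constructed sample log: the failure line from the report, repeated the way a
# data server log repeats it for each retried request.
SAMPLE_LOG = """\
IOError: database file /opt/grr/C%2E047d1311ce5a38e5.sqlite cannot be read
----------------------------------------
WARNING:2014-11-14 18:44:41,346 data_server:551] Client ('10.10.10.10', 45296) has stopped using the server
IOError: database file /opt/grr/C%2E047d1311ce5a38e5.sqlite cannot be read
"""

if __name__ == "__main__":
    for path, (subject, status) in diagnose_log(SAMPLE_LOG).items():
        print(f"{status:10s} {subject:22s} {path}")
```

A "missing" result for a client that exists in the UI means the data store root the data server is using is not the one the rest of the services write to (or the file was removed); "unreadable" points at ownership or mode on the file or its directory.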

Linux GRR Client Repackaging Error

I ran these commands to install from source on Ubuntu 12.04.5 x64 Desktop:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install python-setuptools python-dateutil curl ia32-libs libtool autoconf \
ipython apache2-utils zip python-ipaddr python-matplotlib build-essential python-dev git \
mongodb python-pymongo python-pip python-pandas rpm prelink openssh-server
sudo easy_install django
wget https://744592537a0751a28dba27df4a20131058ff8e4d.googledrive.com/host/0B1wsLqFoT7i2N3hveC1lSEpHUnM/Current/Dependencies/ubuntu-12.04-amd64-debs.tar.gz
tar zxfv ubuntu-12.04-amd64-debs.tar.gz
sudo dpkg -i ubuntu-12.04-amd64-debs/m2crypto_0.21.1-1_amd64.deb
git clone https://github.com/google/protobuf.git
cd protobuf
./autogen.sh
./configure
make
sudo make install
cd python
sudo python setup.py build
sudo python setup.py install
sudo ldconfig
cd ../../
sudo dpkg -i ubuntu-12.04-amd64-debs/sleuthkit-lib_3.2.3-1_amd64.deb
sudo dpkg -i ubuntu-12.04-amd64-debs/pytsk3_3.2.3-1_amd64.deb
sudo easy_install -v psutil
git clone https://github.com/google/grr.git
cd grr
sudo python setup.py build
sudo python setup.py install
sudo mkdir /etc/grr/
sudo mkdir /var/log/grr/
sudo cp config/grr-server.yaml /etc/grr/
PACKAGE="/usr/local/lib/python2.7/dist-packages/grr-0.3.0_2-py2.7.egg";
PREFIX="/usr/local";
sudo mkdir -p ${PREFIX}/bin ${PREFIX}/sbin
sudo ln -s ${PACKAGE}/grr/tools/console.py ${PREFIX}/bin/grr_console.py
sudo ln -s ${PACKAGE}/grr/tools/config_updater.py ${PREFIX}/bin/grr_config_updater.py
sudo ln -s ${PACKAGE}/grr/tools/grr_server.py ${PREFIX}/sbin/grr_server.py
sudo cp config/debian/default/grr-* /etc/default/
sudo nano /etc/default/grr-single-server
sudo cp config/debian/initd/grr-* /etc/init.d/
sudo chmod +x /etc/init.d/grr-*
sudo cp config/debian/upstart/grr-* /etc/init/
sudo sed -i 's/START=\"no\"/START=\"yes\"/' /etc/default/grr-single-server
sudo pip install rekall --upgrade
sudo grr_config_updater generate_keys
sudo grr_config_updater add_user admin
sudo nano /etc/grr/server.local.yaml 
#Add the following lines at the end. Change the ip and user to match yours
#ClientBuilder.executables_path: /home/ubuntu/grr/executables
#Monitoring.emergency_access_email: [email protected]
#Monitoring.alert_email: [email protected]
#Logging.domain: 10.0.0.237
#Client.control_urls: http://10.0.0.237:8080/control
#AdminUI.url: http://10.0.0.237:8000
cd executables/windows/templates
wget https://744592537a0751a28dba27df4a20131058ff8e4d.googledrive.com/host/0B1wsLqFoT7i2N3hveC1lSEpHUnM/Current/Client/3.0.0.3/Windows/grr-client_3.0.0.3_i386.zip
wget https://744592537a0751a28dba27df4a20131058ff8e4d.googledrive.com/host/0B1wsLqFoT7i2N3hveC1lSEpHUnM/Current/Client/3.0.0.3/Windows/grr-client_3.0.0.3_amd64.zip
cd ../../linux/templates
wget https://744592537a0751a28dba27df4a20131058ff8e4d.googledrive.com/host/0B1wsLqFoT7i2N3hveC1lSEpHUnM/Current/Client/3.0.0.3/Linux/grr-client_3.0.0.3_amd64.rpm.zip
wget https://744592537a0751a28dba27df4a20131058ff8e4d.googledrive.com/host/0B1wsLqFoT7i2N3hveC1lSEpHUnM/Current/Client/3.0.0.3/Linux/grr-client_3.0.0.3_amd64.zip
wget https://744592537a0751a28dba27df4a20131058ff8e4d.googledrive.com/host/0B1wsLqFoT7i2N3hveC1lSEpHUnM/Current/Client/3.0.0.3/Linux/grr-client_3.0.0.3_i386.zip
cd ../../darwin/templates
wget https://744592537a0751a28dba27df4a20131058ff8e4d.googledrive.com/host/0B1wsLqFoT7i2N3hveC1lSEpHUnM/Current/Client/3.0.0.3/OSX/grr-client_3.0.0.3_amd64.template
cd ../../../
sudo grr_config_updater repack_clients
sudo service grr-single-server start

When this command is run: sudo grr_config_updater repack_clients

It prints to stderr when trying to repackage the Linux binary.

ubuntu@grr-ubuntu:~/grr$ sudo grr_config_updater repack_clients
Using configuration <YamlParser filename="/etc/grr/grr-server.yaml">
Will repack the following clients :

Repacking : /home/ubuntu/grr/executables/windows/templates/grr-client_3.0.0.3_amd64.zip
To :        /home/ubuntu/grr/executables/windows/installers/GRR_3.0.0.3_amd64.exe

Repacking : /home/ubuntu/grr/executables/windows/templates/grr-client_3.0.0.3_i386.zip
To :        /home/ubuntu/grr/executables/windows/installers/GRR_3.0.0.3_i386.exe

Repacking : /home/ubuntu/grr/executables/linux/templates/grr-client_3.0.0.3_amd64.zip
To :        /home/ubuntu/grr/executables/linux/installers/grr_3.0.0.3_amd64.deb

Repacking : /home/ubuntu/grr/executables/linux/templates/grr-client_3.0.0.3_i386.zip
To :        /home/ubuntu/grr/executables/linux/installers/grr_3.0.0.3_i386.deb

Repacking : /home/ubuntu/grr/executables/linux/templates/grr-client_3.0.0.3_amd64.rpm.zip
To :        /home/ubuntu/grr/executables/linux/installers/grr_3.0.0.3_amd64.rpm

Repacking : /home/ubuntu/grr/executables/darwin/templates/grr-client_3.0.0.3_amd64.template
To :        /home/ubuntu/grr/executables/darwin/installers/grr_3.0.0.3_amd64.pkg

/home/ubuntu/grr/executables/windows/templates/grr-client_3.0.0.3_amd64.zip repacked ok.
/home/ubuntu/grr/executables/windows/templates/grr-client_3.0.0.3_i386.zip repacked ok.
/home/ubuntu/grr/executables/linux/templates/grr-client_3.0.0.3_amd64.zip repacked ok.
/home/ubuntu/grr/executables/linux/templates/grr-client_3.0.0.3_i386.zip repacked ok.
sh: 0: getcwd() failed: No such file or directory
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
prelink: cannot open ELF file: I/O error: file too big for memory
prelink: /tmp/tmpQUyxUQ/rpmroot/usr/lib64/GRR/GRR_3.0.0.3_amd64/libdistorm3.so does not have .gnu.prelink_undo section
prelink: /tmp/tmpQUyxUQ/rpmroot/usr/lib64/GRR/GRR_3.0.0.3_amd64/libpython2.7.so.1.0 does not have .gnu.prelink_undo section
prelink: /tmp/tmpQUyxUQ/rpmroot/usr/lib64/GRR/GRR_3.0.0.3_amd64/libtalloc.so.2 does not have .gnu.prelink_undo section
prelink: /tmp/tmpQUyxUQ/rpmroot/usr/lib64/GRR/GRR_3.0.0.3_amd64/libtsk.so.10 does not have .gnu.prelink_undo section
prelink: /tmp/tmpQUyxUQ/rpmroot/usr/lib64/GRR/GRR_3.0.0.3_amd64/libyara.so.2 does not have .gnu.prelink_undo section
/home/ubuntu/grr/executables/linux/templates/grr-client_3.0.0.3_amd64.rpm.zip repacked ok.
/home/ubuntu/grr/executables/darwin/templates/grr-client_3.0.0.3_amd64.template repacked ok.
Will repack the following clients (debug build):

Repacking : /home/ubuntu/grr/executables/windows/templates/grr-client_3.0.0.3_amd64.zip
To :        /home/ubuntu/grr/executables/windows/installers/dbg_GRR_3.0.0.3_amd64.exe

Repacking : /home/ubuntu/grr/executables/windows/templates/grr-client_3.0.0.3_i386.zip
To :        /home/ubuntu/grr/executables/windows/installers/dbg_GRR_3.0.0.3_i386.exe

Repacking : /home/ubuntu/grr/executables/linux/templates/grr-client_3.0.0.3_amd64.zip
To :        /home/ubuntu/grr/executables/linux/installers/dbg_GRR_3.0.0.3_amd64.deb

Repacking : /home/ubuntu/grr/executables/linux/templates/grr-client_3.0.0.3_i386.zip
To :        /home/ubuntu/grr/executables/linux/installers/dbg_GRR_3.0.0.3_i386.deb

Repacking : /home/ubuntu/grr/executables/linux/templates/grr-client_3.0.0.3_amd64.rpm.zip
To :        /home/ubuntu/grr/executables/linux/installers/dbg_GRR_3.0.0.3_amd64.rpm

Repacking : /home/ubuntu/grr/executables/darwin/templates/grr-client_3.0.0.3_amd64.template
To :        /home/ubuntu/grr/executables/darwin/installers/dbg_GRR_3.0.0.3_amd64.pkg

/home/ubuntu/grr/executables/windows/templates/grr-client_3.0.0.3_amd64.zip repacked ok.
/home/ubuntu/grr/executables/windows/templates/grr-client_3.0.0.3_i386.zip repacked ok.
/home/ubuntu/grr/executables/linux/templates/grr-client_3.0.0.3_amd64.zip repacked ok.
/home/ubuntu/grr/executables/linux/templates/grr-client_3.0.0.3_i386.zip repacked ok.
sh: 0: getcwd() failed: No such file or directory
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
prelink: cannot open ELF file: I/O error: file too big for memory
prelink: /tmp/tmpvcR2UT/rpmroot/usr/lib64/GRR/dbg_GRR_3.0.0.3_amd64/libdistorm3.so does not have .gnu.prelink_undo section
prelink: /tmp/tmpvcR2UT/rpmroot/usr/lib64/GRR/dbg_GRR_3.0.0.3_amd64/libpython2.7.so.1.0 does not have .gnu.prelink_undo section
prelink: /tmp/tmpvcR2UT/rpmroot/usr/lib64/GRR/dbg_GRR_3.0.0.3_amd64/libtalloc.so.2 does not have .gnu.prelink_undo section
prelink: /tmp/tmpvcR2UT/rpmroot/usr/lib64/GRR/dbg_GRR_3.0.0.3_amd64/libtsk.so.10 does not have .gnu.prelink_undo section
prelink: /tmp/tmpvcR2UT/rpmroot/usr/lib64/GRR/dbg_GRR_3.0.0.3_amd64/libyara.so.2 does not have .gnu.prelink_undo section
/home/ubuntu/grr/executables/linux/templates/grr-client_3.0.0.3_amd64.rpm.zip repacked ok.
/home/ubuntu/grr/executables/darwin/templates/grr-client_3.0.0.3_amd64.template repacked ok.
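Two things are visible in the stderr above. The getcwd() errors mean the shell that ran prelink was started in a directory that had already been removed (a temporary build directory, judging by the /tmp/tmp... paths); that is an inference from the messages, not something the report states. The "does not have .gnu.prelink_undo section" lines are what prelink prints when asked to undo prelinking on an object that was never prelinked, and the repack still finishes with "repacked ok". To look at the packaged libraries yourself rather than trust the messages, here is an added example, not the reporter's and not GRR's code: a small ELF section-name reader, plus a synthetic ELF64 image built in memory (constructed, not a real GRR library) so the reader can be exercised offline. Point check_file at a real .so under the rpmroot to check a packaged library.

```python
import struct

# ELF header and section header layouts without padding; byte order is prepended at parse time.
_EHDR = {1: "16sHHIIIIIHHHHHH", 2: "16sHHIQQQIHHHHHH"}   # ELFCLASS32, ELFCLASS64
_SHDR = {1: "IIIIIIIIII", 2: "IIQQQQIIQQ"}
_ENDIAN = {1: "<", 2: ">"}                                # ELFDATA2LSB, ELFDATA2MSB
PRELINK_UNDO = ".gnu.prelink_undo"


def elf_section_names(data):
    """Return the section names of an ELF image held in memory, in header order."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in _EHDR or ei_data not in _ENDIAN:
        raise ValueError("unsupported ELF class or byte order")
    order = _ENDIAN[ei_data]
    ehdr = struct.unpack_from(order + _EHDR[ei_class], data, 0)
    # e_shoff, e_shentsize, e_shnum, e_shstrndx
    shoff, shentsize, shnum, shstrndx = ehdr[6], ehdr[11], ehdr[12], ehdr[13]
    if shoff == 0 or shnum == 0:
        return []   # section headers stripped (the e_shnum == 0 large-count encoding is not handled)
    shdrs = [struct.unpack_from(order + _SHDR[ei_class], data, shoff + i * shentsize)
             for i in range(shnum)]
    str_off, str_size = shdrs[shstrndx][4], shdrs[shstrndx][5]   # sh_offset, sh_size of .shstrtab
    table = data[str_off:str_off + str_size]
    names = []
    for sh in shdrs:
        end = table.index(b"\x00", sh[0])                          # sh_name is an offset into the table
        names.append(table[sh[0]:end].decode("ascii", "replace"))
    return names


def has_prelink_undo(data):
    """True when the image carries the section prelink writes when it prelinks a binary."""
    return PRELINK_UNDO in elf_section_names(data)


def check_file(path):
    """Report whether the ELF file at `path` has been prelinked."""
    with open(path, "rb") as f:
        return has_prelink_undo(f.read())


def build_minimal_elf64(section_names):
    """Construct a tiny little-endian ELF64 image with the given section names.

    Test fixture only: sections are empty, there are no program headers and the
    image is not loadable. It exists so the reader can be run without a real .so.
    """
    names = [".shstrtab"] + list(section_names)
    strtab, offsets = b"\x00", {}
    for n in names:
        offsets[n] = len(strtab)
        strtab += n.encode("ascii") + b"\x00"
    ehsize = shentsize = 64
    strtab_off = ehsize
    shoff = (strtab_off + len(strtab) + 7) & ~7            # 8-byte align the header table

    def shdr(name, sh_type, offset, size):
        return struct.pack("<IIQQQQIIQQ", offsets[name], sh_type, 0, 0, offset, size, 0, 0, 1, 0)

    headers = [b"\x00" * shentsize]                                   # index 0: SHT_NULL
    headers.append(shdr(".shstrtab", 3, strtab_off, len(strtab)))     # SHT_STRTAB
    headers += [shdr(n, 1, shoff, 0) for n in section_names]          # SHT_PROGBITS, empty
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8            # 64-bit, LSB, version 1, SysV
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, 0, shoff, 0,
                       ehsize, 0, 0, shentsize, len(headers), 1)       # ET_DYN, EM_X86_64
    image = ehdr + strtab
    image += b"\x00" * (shoff - len(image))
    return image + b"".join(headers)


if __name__ == "__main__":
    for secs in ([".text", ".dynamic"], [".text", PRELINK_UNDO]):
        print(secs, "->", has_prelink_undo(build_minimal_elf64(secs)))
```

For the libraries named above (libdistorm3.so, libpython2.7.so.1.0, libtalloc.so.2, libtsk.so.10, libyara.so.2) check_file returning False is consistent with the prelink output: they were shipped unprelinked, and the undo step had nothing to undo.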

Agent Install .deb errors on Debian 7.4

# dpkg -i grr_3.0.0.2_amd64.deb
(Reading database ... 29507 files and directories currently installed.)
Preparing to replace grr 3002-1 (using grr_3.0.0.2_amd64.deb) ...
invoke-rc.d: unknown initscript, /etc/init.d/grr not found.
dpkg: warning: subprocess old pre-removal script returned error exit status 100
dpkg: trying script from the new package instead ...
invoke-rc.d: unknown initscript, /etc/init.d/grr not found.
dpkg: error processing grr_3.0.0.2_amd64.deb (--install):
subprocess new pre-removal script returned error exit status 100
invoke-rc.d: unknown initscript, /etc/init.d/grr not found.
dpkg: error while cleaning up:
subprocess installed post-installation script returned error exit status 100
Errors were encountered while processing:
grr_3.0.0.2_amd64.deb

# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 7.4 (wheezy)
Release: 7.4
Codename: wheezy

quick install: Rekall install with pip fails on --pre on 12.04?

Seems the pip in Ubuntu 12.04 doesn't have the install --pre option, though others do, such as pip-2.7 on my Mac.

A quick edit to the install script got rekall installed and the quick install moving along. It's line 127 in the install_script_ubuntu.sh I wget'd a couple of hours ago as per the quick install adoc.

header "Installing Rekall"
run_cmd_confirm sudo pip install --upgrade rekall #--pre

If you want a pull req (or patch) for this please tell me where to send it.

Thanks,
adric

Linux deb package fails with dependency issues

This was reported on the code.google.com issue tracker back on Nov 24, 2013. I thought since I am running into this same issue that I would also add it here.

The grr server is running Ubuntu 14.04.1, when trying to install a client on Ubuntu 12.04.5 the following error is encountered.

dpkg -i grr_3.0.0.2_amd64.deb
Selecting previously unselected package grr.
(Reading database ... 116552 files and directories currently installed.)
Unpacking grr (from grr_3.0.0.2_amd64.deb) ...
dpkg: dependency problems prevent configuration of grr:
grr depends on sysv-rc (>= 2.88dsf-24) | file-rc (>= 0.8.16); however:
Version of sysv-rc on system is 2.88dsf-13.10ubuntu11.1.
Package file-rc is not installed.

Vertical split bar doesn't slide

From tory.cullen on November 07, 2013 17:12:46

What steps will reproduce the problem?
1. Log in to Admin Console
2. Click on blue, vertical bar where four dots are located
3. Attempt to drag left or right

What is the expected output? What do you see instead?
I expect to have the bar drag either way and stay where I leave it. Instead, the bar will snap back to its original position.

What version of the product are you using? On what operating system?
GRR v 0.2-8 in Firefox 25.0 on OS X Mavericks

Please provide any additional information below.

Original issue: http://code.google.com/p/grr/issues/detail?id=76

Interrogate: Job Error (StatFile): File not found: message PathSpec AllUsersProfile

From tyler.keith on May 22, 2014 12:31:45

What steps will reproduce the problem?
1. Install latest version of GRR beta
2. Build clients
3. Install on Windows 7 x64, Mac OS 10.9

What is the expected output? What do you see instead?
On all four test machines the Interrogate job would not complete. This should automatically be done once a client connects.

What version of the product are you using? On what operating system?
2.10 Beta
Three Windows 7 x64 clients
One Mac OS 10.9

Please provide any additional information below.

=== Windows 7 x64 Details ===

All Windows clients have the following error:

INFO:2014-05-22 12:53:50,388 logging:1611] Job Error (ActionPlugin): KeyError(u'Action GetConfig not available on this platform.',): u'Action GetConfig not available on this platform.'
DEBUG:2014-05-22 12:53:50,388 logging:1619] Traceback (most recent call last):
  File "C:\grr_build\build\grr\out00-PYZ.pyz\grr.client.actions", line 133, in Execute
  File "C:\grr_build\build\grr\out00-PYZ.pyz\grr.client.actions", line 182, in Run
KeyError: u'Action GetConfig not available on this platform.'

INFO:2014-05-22 12:53:53,539 logging:1611] Job Error (StatFile): File not found: message PathSpec {
path : u'AllUsersProfile'
pathtype : TSK
}

Following Interrogate Flows do not complete, all have the next state as 'StartCollection'
Artifact list AllUsersAppDataEnvironmentVariable
Artifact list CurrentControlSet
Artifact list ProgramFiles
Artifact list ProgramFilesx86
Artifact list WindowsRegistryProfiles

=== Mac Client Details ===
Flow stops at: Interrogate > KnowledgeBaseInitializationFlow > ArtifactCollectorFlow >Artifact list
OSXUsers

Additional details:
backtrace None
client_resources
create_time 2014-05-21 23:13:51
creator GRREnroller
current_state Start
kill_timestamp None
network_bytes_sent 0
next_outbound_id 2
next_processed_request 1
next_states set([])
output None
output_urn None
outstanding_requests 1
remaining_cpu_quota 0
session_id aff4:/C.cf57bdebf47be38f/flows/CA:6F0D3DE5/CA:A7F01C02/CA:6C04AE4
state RUNNING
user GRREnroller
user_notified False
failed_count 0
knowledge_base
Hostname Macintosh.local
Os Darwin
Os major version 10
Os minor version 9
path_type OS

Last Response
flow:request:00000001
Id 1
Next state StartCollection
Client id aff4:/C.cf57bdebf47be38f
Client aff4:/C.cf57bdebf47be38f

Session id aff4:/C.cf57bdebf47be38f/flows/CA:6F0D3DE5/CA:A7F01C02/CA:6C04AE4
Request id 1
Response id 1
Auth state AUTHENTICATED
Type STATUS
Task id 13911605062698200808

Original issue: http://code.google.com/p/grr/issues/detail?id=108

wmi_parser errors

We get a lot of errors associated with the wmi_parser. The clients are all 3.0.0.3 and the server is pretty recent.

ERROR:2015-01-02 00:56:59,498 flow_runner:873] Error in flow aff4:/hunts/W:F5AF45EF/C.0e550087c9a8a545/W:42170A93/W:635150B6 (aff4:/C.0e550087c9a8a545). Trace: Traceback (most recent call last):
  File "/opt/grr/lib64/python2.7/site-packages/grr-0.3.0_2-py2.7.egg/grr/lib/flow_runner.py", line 528, in RunStateMethod
    responses=responses)
  File "/opt/grr/lib64/python2.7/site-packages/grr-0.3.0_2-py2.7.egg/grr/lib/flow.py", line 310, in Decorated
    res = f(*args[:f.func_code.co_argcount])
  File "/opt/grr/lib64/python2.7/site-packages/grr-0.3.0_2-py2.7.egg/grr/lib/flows/general/collectors.py", line 479, in ProcessCollected
    artifact_name, collector)
  File "/opt/grr/lib64/python2.7/site-packages/grr-0.3.0_2-py2.7.egg/grr/lib/flows/general/collectors.py", line 650, in _ParseResponses
    for result in result_iterator:
  File "/opt/grr/lib64/python2.7/site-packages/grr-0.3.0_2-py2.7.egg/grr/parsers/wmi_parser.py", line 103, in Parse
    size = int(result.get("Size"))
TypeError: int() argument must be a string or a number, not 'NoneType'
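The failing line, int(result.get("Size")), assumes every WMI row carries a numeric Size; a row where the property is null or absent hands None to int(), and because the parser runs inside the flow, that one row fails the whole hunt for that client. As an added example (not the project's parser and not part of the report): a row parser that treats a missing or non-numeric size as unknown rather than fatal, logs and skips rows it cannot identify, and keeps the rest. The rows it runs on are constructed and shaped like Win32_LogicalDisk output; that the failing parser was reading logical-disk rows, and the field names used here, are assumptions.

```python
import logging
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("wmi_parser_example")


@dataclass
class Volume:
    device: str
    size: Optional[int]          # None means unknown, never a parse failure
    free: Optional[int]
    drive_type: Optional[int]


def _to_int(value):
    """Coerce a WMI property to int; None for null, blank or non-numeric values.

    WMI uint64 properties arrive as strings, or as None when the property is null
    (an empty removable drive, for instance, reports no Size).
    """
    if value is None:
        return None
    text = str(value).strip()
    if not text:
        return None
    try:
        return int(text)
    except ValueError:
        return None


def parse_logical_disks_original(rows):
    """Behaviour of the failing line: int(None) raises TypeError and aborts everything."""
    return [Volume(r["DeviceID"], int(r.get("Size")), int(r.get("FreeSpace")),
                   int(r.get("DriveType"))) for r in rows]


def parse_logical_disks(rows):
    """Hardened variant: returns (volumes, skipped_rows); one bad row never loses the rest."""
    volumes, skipped = [], []
    for row in rows:
        device = row.get("DeviceID")
        if not device:
            skipped.append(row)
            log.warning("WMI row without DeviceID skipped: %r", row)
            continue
        size = _to_int(row.get("Size"))
        if size is None:
            log.info("%s: Size absent or non-numeric, recorded as unknown", device)
        volumes.append(Volume(device, size, _to_int(row.get("FreeSpace")),
                              _to_int(row.get("DriveType"))))
    return volumes, skipped


# Constructed rows: a fixed disk, an empty removable drive with a null Size,
# a row with a malformed Size, and a row with no DeviceID at all.
SAMPLE_ROWS = [
    {"DeviceID": "C:", "Size": "255442288640", "FreeSpace": "101123456000", "DriveType": "3"},
    {"DeviceID": "D:", "Size": None, "FreeSpace": None, "DriveType": "5"},
    {"DeviceID": "E:", "Size": "n/a", "FreeSpace": "", "DriveType": "2"},
    {"Size": "1024", "FreeSpace": "512", "DriveType": "3"},
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    volumes, skipped = parse_logical_disks(SAMPLE_ROWS)
    for v in volumes:
        print(v)
    print("skipped rows:", len(skipped))
```

The design choice worth keeping whatever the real schema is: a parser that runs on data collected from a possibly compromised host should never let one malformed record decide whether the flow completes; it records the gap and moves on.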

Deleting Artifacts

When attempting to delete artifacts via the UI I get the following error.

Error: Traceback (most recent call last):
  File "/opt/grr/lib64/python2.7/site-packages/grr-0.3.0_2-py2.7.egg/grr/gui/renderers.py", line 318, in Decorated
    return func(*args, **kwargs)
  File "/opt/grr/lib64/python2.7/site-packages/grr-0.3.0_2-py2.7.egg/grr/gui/views.py", line 159, in RenderGenericRenderer
    result = method(request, result) or result
  File "/opt/grr/lib64/python2.7/site-packages/grr-0.3.0_2-py2.7.egg/grr/gui/plugins/acl_manager.py", line 452, in Layout
    (namespace, self.subject))
RuntimeError: Unexpected namespace for access check: artifact_store (subject=aff4:/artifact_store).

Cron Hunts don't run in HEAD

Process I just went through:

  • running with Mongo and updating to current HEAD
  • switching to multiple components using initctl_switch.sh
  • enabling Logging.verbose: True in /etc/grr/server.local.yaml and doing a grr_restart_all
  • creating a cronned hunt to ListProcesses in the UI via Cron Job Viewer
  • forcing it to run with the Force Run Cron Job button

It doesn't create a Hunt but does give me weirdness in the UI as per screenshot. In log /var/log/grr/grr-worker.log I see:

DEBUG:2014-11-03 22:30:40,876 flow_runner:513] aff4:/flows/W:7E9D9F83 Running Start with 1 responses from None
DEBUG:2014-11-03 22:30:40,878 flow_runner:516] aff4:/hunts/W:61D101F0 Running state method Start
WARNING:2014-11-03 22:30:40,878 flow:535] aff4:/hunts/W:61D101F0 is heartbeating while not being locked.
INFO:2014-11-03 22:30:40,913 flow_runner:1018] aff4:/flows/W:7E9D9F83: User GRRWorker created a new ListProcesses hunt
DEBUG:2014-11-03 22:30:40,930 flow_runner:516] aff4:/flows/W:7E9D9F83 Running state method End
DEBUG:2014-11-03 22:30:40,932 aff4:1291] Attribute aff4:labels_list not defined, skipping.
INFO:2014-11-03 22:30:40,939 flow_runner:459] Destroying session aff4:/flows/W:7E9D9F83(CreateGenericHuntFlow) for client None
DEBUG:2014-11-03 22:30:40,945 worker:321] Done processing aff4:/flows/W:7E9D9F83: 0.0735599994659 sec
DEBUG:2014-11-03 22:30:41,170 worker:239] Got lock on aff4:/audit/W:listener
DEBUG:2014-11-03 22:30:41,174 worker:321] Done processing aff4:/audit/W:listener: 0.00429201126099 sec

So something odd is definitely going on. Will file an issue for someone who knows this code better to follow up on.

Cron'd hunts get hidden in the UI if there are > 50 active hunts

To make the hunt UI usable we sort the children of aff4:/hunts/ by age (i.e. last activity), take the most recent 50, then open them all and present them in the UI.

Since default lifetime is 1 month, starting a few hunts each week can easily tip you over 50 active hunts. I couldn't find the end to end test cron hunt in the list, which was weird since it was created just a few hours ago. But since it has a short lifetime there were > 50 active hunts with the default lifetime that had been updated more recently. So I had to scroll down, wait, then click the robot, then search in the list. Not exactly obvious.

Ideas:

  1. take a bigger slice == slower load time
  2. make default hunt lifetime shorter. this is probably ok, the benefit between 2 weeks and one month is marginal
  3. take an age range slice of 2 days rather than an arbitrary fixed number of hunts

3 seems best to me, open to better ideas.
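To make the trade-off concrete, an added example that is not GRR's hunt viewer code: the two listing strategies, "most recent 50 by last activity" (the current behaviour) and "everything with activity in the last two days" (idea 3), run over constructed hunt records. The fixture reproduces the situation described: one short-lived cron hunt created this morning, sixty month-long hunts that have all had client activity more recently, and one stale hunt untouched for ten days. The hunt ids, timings and counts are invented for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Hunt:
    urn: str
    created: datetime
    last_activity: datetime      # the "age" the viewer sorts on
    lifetime: timedelta


def most_recent_n(hunts, n):
    """Current behaviour: newest n by last activity; everything else is hidden."""
    return sorted(hunts, key=lambda h: h.last_activity, reverse=True)[:n]


def active_within(hunts, window, now):
    """Proposed behaviour: every hunt with activity inside the window, newest first."""
    cutoff = now - window
    return sorted((h for h in hunts if h.last_activity >= cutoff),
                  key=lambda h: h.last_activity, reverse=True)


SAMPLE_NOW = datetime(2014, 11, 10, 12, 0, 0)
CRON_HUNT = "aff4:/hunts/H:E2ECRON1"     # invented id for the end-to-end test cron hunt
STALE_HUNT = "aff4:/hunts/H:OLDSTALE"    # invented id for a hunt nobody has looked at in days


def build_sample(now):
    """Constructed fixture: 60 busy month-long hunts, one short cron hunt, one stale hunt."""
    month, hour = timedelta(days=30), timedelta(hours=1)
    hunts = [Hunt(f"aff4:/hunts/H:{i:08X}", now - timedelta(days=i % 20 + 1),
                  now - hour * (i % 5) - timedelta(minutes=i), month)   # all touched within ~5 h
             for i in range(60)]
    # Cron hunt: created six hours ago with a 12 h lifetime; its last activity is
    # older than every one of the 60 busy hunts above, so a fixed top-50 drops it.
    hunts.append(Hunt(CRON_HUNT, now - 6 * hour, now - 6 * hour, timedelta(hours=12)))
    hunts.append(Hunt(STALE_HUNT, now - timedelta(days=25), now - timedelta(days=10), month))
    return hunts


def compare(now=SAMPLE_NOW, n=50, window=timedelta(days=2)):
    """Run both strategies over the fixture and report what each one shows."""
    hunts = build_sample(now)
    top = {h.urn for h in most_recent_n(hunts, n)}
    recent = {h.urn for h in active_within(hunts, window, now)}
    return {
        "cron_in_top_n": CRON_HUNT in top,
        "cron_in_window": CRON_HUNT in recent,
        "stale_in_window": STALE_HUNT in recent,
        "top_n_rows": len(top),
        "window_rows": len(recent),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:16s} {value}")
```

The age-window view is also the one whose cost scales with activity rather than with a constant: on a quiet server it opens fewer hunts than the fixed slice, on a busy one it opens more, which is the "slower load time" cost of idea 1 showing up only when there is actually something to show.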

(Additional data available) doesn't expand

(Additional data available) in the GUI isn't expanding. I saw it in the flow information tab for a filefinder with lots of paths, but it's probably not working everywhere.

Upgrade Path

Hello,

What is the upgrade path for the new versions of the GRR server that are released? Do I just run the new install script for the new version and re-pack the clients? Or do I need to do a clean install for each new version? Thank You

-Tom

thrdscan: TypeError: 'tuple' object does not support item assignment

When you run 'thrdscan' from the web ui the client returns:

Enumerating VADs in %s (%s)",["OUTLOOK.EXE",2408],{}],["p","Merging export table: %s",["??0OdfStgParams@@QAE@XZ"],{}],["e","
Traceback (most recent call last):
  File "c:\grr_build\autobuild\20140911_1115_qq0s9d\build\grr\out00-PYZ.pyz\rekall.session", line 448, in _RunPlugin
  File "c:\grr_build\autobuild\20140911_1115_qq0s9d\build\grr\out00-PYZ.pyz\rekall.plugins.windows.modscan", line 179, in render
  File "c:\grr_build\autobuild\20140911_1115_qq0s9d\build\grr\out00-PYZ.pyz\rekall.kb", line 481, in format_address
  File "c:\grr_build\autobuild\20140911_1115_qq0s9d\build\grr\out00-PYZ.pyz\rekall.kb", line 562, in get_nearest_constant_by_address
  File "c:\grr_build\autobuild\20140911_1115_qq0s9d\build\grr\out00-PYZ.pyz\rekall.kb", line 333, in LoadProfileForDll
  File "c:\grr_build\autobuild\20140911_1115_qq0s9d\build\grr\out00-PYZ.pyz\rekall.session", line 590, in report_progress
  File "c:\grr_build\autobuild\20140911_1115_qq0s9d\build\grr\out00-PYZ.pyz\rekall.session", line 229, in Broadcast
  File "c:\grr_build\autobuild\20140911_1115_qq0s9d\build\grr\out00-PYZ.pyz\rekall.ui.json_renderer", line 590, in RenderProgress
TypeError: 'tuple' object does not support item assignment

So far I have tested this on two Windows 7 x64 machines.

vadinfo: Unknown format code 'x' for object of type 'str'

When running vadinfo in the web gui, it always returns:

Error: Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/grr-0.3.0_2-py2.7.egg/grr/gui/renderers.py", line 318, in Decorated
    return func(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/grr-0.3.0_2-py2.7.egg/grr/gui/views.py", line 159, in RenderGenericRenderer
    result = method(request, result) or result
  File "/usr/local/lib/python2.7/dist-packages/grr-0.3.0_2-py2.7.egg/grr/gui/plugins/rekall_viewer.py", line 240, in Layout
    self.free_text.append(format_string.format(*args))
ValueError: Unknown format code 'x' for object of type 'str'

The results are there and can be viewed with rekall. Let me know if any more info is needed.

Check requirements on install

From darrenbilby on October 28, 2013 17:34:51

We have a couple of requirements that people often screw up when installing GRR, e.g. a decent amount of disk space for Mongo where Mongo's database is stored, and a decent amount of memory (1.5G+).

Would be nice to add some checks somewhere to warn users, or bail if these requirements aren't met, as I've seen a number of people waste time with these.

The mongo disk space thing is particularly annoying, as it's hard to recover from once it thinks it has an overly full disk.

Original issue: http://code.google.com/p/grr/issues/detail?id=72
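One shape such a check could take, as an added example rather than anything GRR ships: a preflight that measures physical memory and the free space on the filesystem holding Mongo's data directory, compares them against minimums, and either warns or bails. The 1.5G memory figure is the one from the issue; the 20 GiB disk minimum and the /var/lib/mongodb default data directory are assumptions. The comparison is kept in a pure function so it can be exercised with injected numbers.

```python
import os
import shutil

MIN_MEMORY_BYTES = int(1.5 * 1024 ** 3)   # "1.5G+" from the issue
MIN_DISK_BYTES = 20 * 1024 ** 3           # ASSUMPTION: 20 GiB free for Mongo's dbpath
DEFAULT_DATA_DIR = "/var/lib/mongodb"     # ASSUMPTION: Debian/Ubuntu mongodb default dbpath


def physical_memory_bytes():
    """Total RAM via sysconf (Linux, macOS); None where that is unavailable."""
    try:
        return os.sysconf("SC_PHYS_PAGES") * os.sysconf("SC_PAGE_SIZE")
    except (ValueError, OSError, AttributeError):
        return None


def free_disk_bytes(path):
    """Free space on the filesystem that will hold `path`.

    The data directory may not exist yet at install time, so walk up to the
    nearest existing parent and measure that.
    """
    while not os.path.exists(path):
        parent = os.path.dirname(path)
        if parent == path:
            return None
        path = parent
    return shutil.disk_usage(path).free


def evaluate(mem_bytes, disk_bytes, min_mem=MIN_MEMORY_BYTES, min_disk=MIN_DISK_BYTES):
    """Pure check: a list of human-readable problems, empty when everything passes."""
    gib = 1024 ** 3
    problems = []
    if mem_bytes is None:
        problems.append("could not determine physical memory")
    elif mem_bytes < min_mem:
        problems.append(f"memory {mem_bytes / gib:.1f} GiB is below the required {min_mem / gib:.1f} GiB")
    if disk_bytes is None:
        problems.append("could not determine free disk space for the data directory")
    elif disk_bytes < min_disk:
        problems.append(f"free disk {disk_bytes / gib:.1f} GiB is below the required {min_disk / gib:.1f} GiB")
    return problems


def preflight(data_dir=DEFAULT_DATA_DIR, strict=True):
    """Measure the real machine; print problems and, when strict, exit non-zero."""
    problems = evaluate(physical_memory_bytes(), free_disk_bytes(data_dir))
    for p in problems:
        print(("ERROR: " if strict else "WARNING: ") + p)
    if problems and strict:
        raise SystemExit(1)
    return problems


if __name__ == "__main__":
    preflight(strict=False)
```

Run it before the database is initialised; the point of the issue is that once Mongo has decided the disk is full, finding out is far more expensive than a check at install time.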

Can we check for Deleted Files?

From rohanmuley89 on January 30, 2014 09:05:04

Hello,

I recently started using GRR. I have two queries to ask.

1] Is there any way that we can view recently deleted files from the Client's System?

2] If, for example, I want to search all PDF (.pdf) files from the Client's Machine, is there any way we can search and get the complete list of the same extension files?

Please give the solution, if any.

Thank You.

Original issue: http://code.google.com/p/grr/issues/detail?id=93

Documentation for Exporting Data needs updating

It appears the functionality of grr_file_exporter got rolled into grr/tools/export.py

db@grrhost: ~$ grr_file_exporter --collection=aff4:/hunts/W:123456/Results --output=/tmp

^^ That was the previous command, but grr_file_exporter doesn't exist anymore.

Excuse my lack of knowledge in this area. But why doesn't something like this work?

sudo python export.py collection --path aff4:/hunts/W:FB094358/Results csv

Also I was reading things about there being an export button in the gui. I dug for a while and couldn't find it, where the heck is that at? I'm running a build from latest source.

Feature Request: Use of SMTP Credentials

From [email protected] on September 08, 2014 12:26:28

What steps will reproduce the problem?
1. N/A

What is the expected output? What do you see instead?
N/A

What version of the product are you using? On what operating system?
Ubuntu 14.04 & GRR 3.0.0.2

Please provide any additional information below.
Feature Request: Add the functionality to use credentials for code interacting with SMTP server (sending email alerts).

Original issue: http://code.google.com/p/grr/issues/detail?id=119
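What such support looks like when done carefully, as an added example that is neither GRR's mailer nor part of the request: build the alert with the standard library, open the connection, upgrade it with STARTTLS against a context that verifies the server certificate, and only then present the username and password, so the credentials never cross the wire in clear. The smtp_factory parameter is an assumption added here so the sequence can be checked offline with a recording stand-in; in production it is left at smtplib.SMTP. Host names and addresses are placeholders.

```python
import smtplib
import ssl
from email.message import EmailMessage


def build_alert(sender, recipients, subject, body):
    """Assemble the alert as an EmailMessage (headers are set explicitly, body is plain text)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_alert(msg, host, port, username=None, password=None,
               smtp_factory=smtplib.SMTP, timeout=30):
    """Deliver `msg` over STARTTLS, logging in only after the channel is encrypted.

    `smtp_factory` exists so a test can substitute a recording stand-in for
    smtplib.SMTP; leave it at the default in real use.
    """
    context = ssl.create_default_context()      # verifies the server certificate and host name
    with smtp_factory(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=context)
        smtp.ehlo()                               # capabilities can change after TLS
        if username:
            if password is None:
                raise ValueError("SMTP username set but no password provided")
            smtp.login(username, password)        # credentials travel inside TLS only
        return smtp.send_message(msg)


class RecordingSMTP:
    """Constructed stand-in for smtplib.SMTP that records the order of calls."""
    calls = []

    def __init__(self, host, port, timeout=None):
        type(self).calls = []

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.calls.append("quit")

    def ehlo(self):
        self.calls.append("ehlo")

    def starttls(self, context=None):
        self.calls.append("starttls")

    def login(self, user, password):
        self.calls.append(f"login:{user}")

    def send_message(self, msg):
        self.calls.append("send")
        return {}


if __name__ == "__main__":
    alert = build_alert("grr@example.com", ["soc@example.com"], "GRR alert", "hunt finished")
    send_alert(alert, "smtp.example.com", 587, "grr", "secret", smtp_factory=RecordingSMTP)
    print(RecordingSMTP.calls)
```

The recorded order (ehlo, starttls, ehlo, login, send, quit) is the property to keep: a configuration that allows login before starttls, or that disables certificate verification to make a misconfigured relay work, turns the alerting credentials into something anyone on the path can read.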
