google / grr

GRR Rapid Response: remote live forensics for incident response
https://grr-doc.readthedocs.io/
Apache License 2.0

Manage Binaries Enhancements #34

Open destijl opened 10 years ago

destijl commented 10 years ago

From sean.gillespie.32 on October 06, 2014 15:02:35

Can the following enhancements be made to Manage Binaries?

  1. The ability to remove old/unnecessary binaries
  2. Display the necessary information for use with the Upgrade Client flows.

Original issue: http://code.google.com/p/grr/issues/detail?id=121

pidydx commented 9 years ago

Should this get closed and tracked under the datastore management issue? Ultimately the datastore management piece is about being able to delete old stuff whether it is old drivers, installers, hunts, flows, clients, client data, blobs, etc.

grrrrrrrrr commented 7 years ago

Manage Binaries is all new. Fixed.

b2az commented 6 years ago

Have I missed something?

The ability to remove old/unnecessary binaries

Where/how can I remove binaries which are listed in "Manage Binaries"?

I repacked the client with another 'Client.name' for obfuscation, as described here: https://github.com/google/grr-doc/blob/master/deploying-grr-clients/protection.md

After testing, I deleted the new files from /usr/share/grr-server/executables/installers/, but they're still listed in the WebUI.

Any help would be appreciated. Thanks in advance.

mbushkov commented 6 years ago

I think this issue was closed too early. "Manage Binaries" was indeed redesigned, but we didn't add an API or a grr_config_updater command to delete old binaries. Reopening this issue.

mbushkov commented 6 years ago

@b2az, answering your questions. After being repacked, your clients got written to the GRR datastore. So effectively, even if you delete the files from /usr/share/grr-server/executables/installers/, they will continue to be visible in the UI, since the UI gets them from the datastore. Unfortunately, at the moment, as I mentioned in my previous comment, there's no easy (and documented) way to delete binaries from the datastore. We'll fix that.

b2az commented 6 years ago

@mbushkov, thanks for your fast reply. I found out yesterday, after I grepped the sqlite files for the process name string, that the binary is saved there and it has nothing to do with the files in the installers folder.

This feature is, at least from my point of view, pretty important, because I want to deploy dozens of differently obfuscated GRR clients in my environment and don't want to bloat up the SQL databases with binaries.

I will look at the process behind the removal of a client as described in: https://github.com/google/grr-doc/blob/master/maintaining-and-tuning/low-level-maintenance-with-console.md

Thanks for reopening the issue. 👍