google / grr

GRR Rapid Response: remote live forensics for incident response
https://grr-doc.readthedocs.io/
Apache License 2.0

Client: ValueError: FLEETSPEAK_COMMS_CHANNEL_INFD is not set #983

Open bprykhodchenko opened 2 years ago

bprykhodchenko commented 2 years ago

Environment

The GRR is installed on a VM running on ESXi on-prem. The VM runs Ubuntu 18.04 and GRR was installed from DEB (using the official documentation).
GRR Version is 3.4.6.0
Ubuntu 18.04
OpenSuse Leap 15

Describe the issue

We are currently testing GRR and tried to run the rpm package on Linux OpenSuse (Leap 15). The package does not run automatically. So when I tried to run it manually using the command:

e09d8dd5bdf4:/usr/lib64/grr/grr_3.4.6.0_amd64 # grrd --config=grrd.yaml --verbose

It has thrown me this error:

e09d8dd5bdf4:/usr/lib64/grr/grr_3.4.6.0_amd64 # grrd --config=grrd.yaml --verbose
I0608 08:06:36.050097 139777080503168 client_logging.py:113] Writing log file to /var/log/GRRlog.txt
INFO:2022-06-08 08:06:36,050 client_logging:113] Writing log file to /var/log/GRRlog.txt
Traceback (most recent call last):
  File "grr_response_client/client.py", line 36, in <module>
  File "absl/app.py", line 299, in run
  File "absl/app.py", line 250, in _run_main
  File "grr_response_client/client_main.py", line 89, in main
  File "grr_response_client/fleetspeak_client.py", line 66, in __init__
  File "fleetspeak/client_connector/connector.py", line 108, in __init__
  File "fleetspeak/client_connector/connector.py", line 63, in _EnvOpen
ValueError: FLEETSPEAK_COMMS_CHANNEL_INFD is not set
[678] Failed to execute script client

FLEETSPEAK_COMMS_CHANNEL_INFD is not set - what does this error mean? I have seen people on GitHub writing that changing the MySQL max size limit to 50 and then back to 40 fixes this issue. But first of all, to me this does not sound like a logical idea, but I have tested it and, as expected, it didn't resolve the issue...

mbushkov commented 2 years ago

Hey, thanks for the report! It seems that you've installed a Fleetspeak-enabled version of GRR. In such a setup the GRR daemon (grrd) is started by the Fleetspeak daemon (fleetspeak-client). fleetspeak-client sets the FLEETSPEAK_COMMS_CHANNEL_INFD environment variable (and some others) so that it can communicate with grrd.

What happens if you start the fleetspeak-client (which should start grrd as a subprocess and set the right env variables)?

/usr/bin/fleetspeak-client --config /etc/fleetspeak-client/client.config
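
The handoff described in the comment above, as an added example that is not part of the original thread and is not GRR or Fleetspeak code: a parent creates two pipes and publishes their descriptor numbers in the environment, and the child fails with the same message when started without them. Assumptions: `FLEETSPEAK_COMMS_CHANNEL_OUTFD` is taken to be one of the "others", the child script is a hypothetical stand-in for grrd, the one-line echo is not the Fleetspeak wire protocol, and `pass_fds` makes this POSIX-only.

```python
import os
import subprocess
import sys

IN_VAR = "FLEETSPEAK_COMMS_CHANNEL_INFD"    # name from the error in this issue
OUT_VAR = "FLEETSPEAK_COMMS_CHANNEL_OUTFD"  # assumed to be one of the "others"

# Hypothetical stand-in for the service (grrd): it can find its channel only
# through file descriptor numbers published in its environment.
CHILD = r'''
import os, sys
def env_open(var, mode):
    value = os.environ.get(var)
    if value is None:
        raise ValueError("%s is not set" % var)
    return os.fdopen(int(value), mode)
try:
    rx, tx = env_open(sys.argv[1], "rb"), env_open(sys.argv[2], "wb")
except ValueError as e:
    sys.exit(str(e))
tx.write(b"echo:" + rx.readline())
tx.flush()
'''

def run_service(supervised):
    """Start the child with (supervised) or without the inherited channel."""
    env = {k: v for k, v in os.environ.items() if k not in (IN_VAR, OUT_VAR)}
    cmd = [sys.executable, "-c", CHILD, IN_VAR, OUT_VAR]
    if not supervised:
        # Running the service by hand: no parent process, so no variables.
        p = subprocess.run(cmd, env=env, capture_output=True, text=True)
        return p.returncode, p.stderr.strip()
    to_child_r, to_child_w = os.pipe()      # parent -> child
    from_child_r, from_child_w = os.pipe()  # child -> parent
    env[IN_VAR], env[OUT_VAR] = str(to_child_r), str(from_child_w)
    proc = subprocess.Popen(cmd, env=env, pass_fds=(to_child_r, from_child_w))
    os.close(to_child_r)    # the parent keeps only its own pipe ends
    os.close(from_child_w)
    with os.fdopen(to_child_w, "wb") as tx, os.fdopen(from_child_r, "rb") as rx:
        tx.write(b"ping\n")
        tx.flush()
        reply = rx.readline().strip().decode()
    return proc.wait(), reply

if __name__ == "__main__":
    print(run_service(supervised=True))
    print(run_service(supervised=False))
```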

bprykhodchenko commented 2 years ago

Hello! Sorry for replying a bit late. I've got married :)

Anyway, a good point made by you. When I restart the fleetspeak client, I get the following error:

C:\Windows\System32\GRR\3.4.6.0>fleetspeak-client.exe --config fleetspeak-client.config
E0630 15:36:38.337722 3820 system_service.go:250] Unable to get revoked certificate list: unable to retrieve file, last attempt failed with: Get "https://172.16.31.5:10000/files/system/RevokedCertificates": x509: cannot validate certificate for 172.16.31.5 because it doesn't contain any IP SANs

This is a Windows log, as I now have the same issue with my Windows agents. So the issue with OpenSuse Leap 15 is the same as with Windows. I confirm that I have tried to reinstall the GRR server on my Ubuntu server, and during one of the reinstallations I changed the keys, but not the cert. The only cert I have attached is the one for HTTPS access to the Admin UI as per GRR's manual.