diff --git a/installing-and-running-grr/advanced-usecases/sandbox.md b/installing-and-running-grr/advanced-usecases/sandbox.md index 365366a..6bdc9a4 100644 --- a/installing-and-running-grr/advanced-usecases/sandbox.md +++ b/installing-and-running-grr/advanced-usecases/sandbox.md @@ -46,7 +46,7 @@ You will have to create a ```demo``` user first. The script will ask you for a p You can create the ```demo``` user by executing the command listed in the box below. ``` -docker exec -it sandbox-grr-admin-1 /grr/venv/bin/grr_config_updater add_user demo +docker exec -it sandbox-grr-admin-1 grr_config_updater add_user demo --secondary_configs /config/grr-server/server.local.yaml ``` With the ```demo``` user in place you can now point your browser to the GRR UI: [http://localhost:8000](http://localhost:8000) diff --git a/installing-and-running-grr/advanced-usecases/sandbox/config/fleetspeak-frontend/components.textproto b/installing-and-running-grr/advanced-usecases/sandbox/config/fleetspeak-frontend/components.textproto index 4dc8f52..0a71d06 100644 --- a/installing-and-running-grr/advanced-usecases/sandbox/config/fleetspeak-frontend/components.textproto +++ b/installing-and-running-grr/advanced-usecases/sandbox/config/fleetspeak-frontend/components.textproto @@ -1,8 +1,8 @@ mysql_data_source_name: "fleetspeak-user:fleetspeak-password@tcp(mysql-fleetspeak:3306)/fleetspeak" https_config: < listen_address: "0.0.0.0:9090" - certificates: "FRONTEND_CERTIFICATE" - key: "FRONTEND_KEY" + certificates: "FLEETSPEAK_CERT" + key: "FLEETSPEAK_KEY" frontend_config: < https_header_checksum_config: < client_certificate_header: "x-client-certificate" diff --git a/installing-and-running-grr/advanced-usecases/sandbox/config/grr-client/client.yaml b/installing-and-running-grr/advanced-usecases/sandbox/config/grr-client/client.yaml index 2592224..a34e44e 100644 --- a/installing-and-running-grr/advanced-usecases/sandbox/config/grr-client/client.yaml 
+++ b/installing-and-running-grr/advanced-usecases/sandbox/config/grr-client/client.yaml @@ -1,6 +1,16 @@ Client.fleetspeak_enabled: true +ClientBuilder.fleetspeak_bundled: true Client.foreman_check_frequency: 30 + Logging.verbose: true Logging.engines: file,stderr Logging.path: / Logging.filename: /grr-client.log + +Client.executable_signing_public_key: "%(/config/public-key.pem|file)" +Target:Linux: + ClientBuilder.fleetspeak_client_config: /config/grr-client/config.textproto +Target:Windows: + ClientBuilder.fleetspeak_client_config: /config/grr-client/config.textproto +Target:Darwin: + ClientBuilder.fleetspeak_client_config: /config/grr-client/config.textproto diff --git a/installing-and-running-grr/advanced-usecases/sandbox/config/grr-client/config.textproto b/installing-and-running-grr/advanced-usecases/sandbox/config/grr-client/config.textproto index f575bde..c8acbad 100644 --- a/installing-and-running-grr/advanced-usecases/sandbox/config/grr-client/config.textproto +++ b/installing-and-running-grr/advanced-usecases/sandbox/config/grr-client/config.textproto @@ -1,9 +1,9 @@ client_certificate_header: "x-client-certificate" -trusted_certs: "FRONTEND_CERTIFICATE" +trusted_certs: "TRUSTED_FLEETSPEAK_CERT" server: "fleetspeak-server:10000" client_label: "" filesystem_handler: < - configuration_directory: "/config/" + configuration_directory: "/config/grr-client/" state_file: "/fleetspeak.state" > streaming: true diff --git a/installing-and-running-grr/advanced-usecases/sandbox/config/grr-client/textservices/grr.service b/installing-and-running-grr/advanced-usecases/sandbox/config/grr-client/textservices/grr.service index a63867f..9b2678a 100644 --- a/installing-and-running-grr/advanced-usecases/sandbox/config/grr-client/textservices/grr.service +++ b/installing-and-running-grr/advanced-usecases/sandbox/config/grr-client/textservices/grr.service 
@@ -2,10 +2,10 @@ name: "GRR" factory: "Daemon" config: { [type.googleapis.com/fleetspeak.daemonservice.Config]: { - argv: "/grr/venv/bin/python" + argv: "python" argv: "-m" - argv: "grr_response_client.grr_fs_client" - argv: "--config" - argv: "/grr/venv/install_data/etc/client.yaml" + argv: "grr_response_client.client" + argv: "--secondary_configs" + argv: "/config/grr-client/client.yaml" } } diff --git a/installing-and-running-grr/advanced-usecases/sandbox/config/grr-server/server.local.yaml b/installing-and-running-grr/advanced-usecases/sandbox/config/grr-server/server.local.yaml index cad931d..3e1e3ee 100644 --- a/installing-and-running-grr/advanced-usecases/sandbox/config/grr-server/server.local.yaml +++ b/installing-and-running-grr/advanced-usecases/sandbox/config/grr-server/server.local.yaml @@ -1,16 +1,30 @@ Database.implementation: MysqlDB Blobstore.implementation: DbBlobStore + + API.DefaultRouter: ApiCallRouterWithoutChecks + + Server.initialized: true + Server.fleetspeak_enabled: true + Server.fleetspeak_server: fleetspeak-admin:9091 + FleetspeakFrontend Context: + Server.fleetspeak_message_listen_address: 0.0.0.0:11111 + Mysql.host: mysql-grr Mysql.port: 3306 - Mysql.database_name: grr Mysql.database: grr - Mysql.database_username: grr-user Mysql.username: grr-user - Client.server_urls: - - http://localhost:8080/ + Mysql.password: grr-password + Mysql.database_name: grr + Mysql.database_username: grr-user + Mysql.database_password: grr-password + Mysql.flow_processing_threads_max: 20 + AdminUI.url: http://localhost:8000 AdminUI.bind: 0.0.0.0 AdminUI.headless: true + AdminUI.use_precompiled_js: true + AdminUI.csrf_secret_key: random_passphrase_123____PLEASE_REPLACE___ + Logging.domain: localhost Logging.verbose: true Logging.engines: file,stderr 
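Review bot: `argv: "python"` replaces the absolute interpreter path with a bare name, so the daemon that Fleetspeak spawns is whatever `python` resolves to on the PATH of the fleetspeak-client process. For a service that runs with the agent's privileges, the definition should name the interpreter explicitly, e.g. `argv: "<absolute path to python in the image>"` (placeholder; the layout of the new image is not visible in this diff). A short comment above the `argv` list saying which image the path belongs to would keep the two from drifting apart.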
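Review bot: `API.DefaultRouter: ApiCallRouterWithoutChecks` turns off API access checks for every Admin UI user, and the same hunk sets `AdminUI.csrf_secret_key` to the fixed, committed string `random_passphrase_123____PLEASE_REPLACE___` while the UI binds to `0.0.0.0`. Nothing in the createConfig.sh changes in this diff substitutes that key, so every sandbox started from this repo shares it. Put a comment at the top of the file, `# SANDBOX ONLY: no API access checks, demo DB password and CSRF key; do not reuse outside the demo`, and have createConfig.sh fill the key from something like `openssl rand -hex 32`, the way it already fills the certificate placeholders.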
@@ -18,25 +32,12 @@ Logging.filename: /grr/grr-server.log Monitoring.alert_email: grr-monitoring@localhost Monitoring.emergency_access_email: grr-emergency@localhost - Mysql.database_password: grr-password - Mysql.password: grr-password - Mysql.flow_processing_threads_max: 20 - Frontend.certificate: | -FRONTEND_CERTIFICATE + Client.executable_signing_public_key: | + %(/config/public-key.pem|file) + + PrivateKeys.executable_signing_private_key: | + %(/config/private-key.pem|file) + + - AdminUI.csrf_secret_key: O$YTx01F2BuxgT4DoVSI hJVuhWOxyuuxJhg#lg96ARF_fWLabzN5kjAy0UBcI9GDrUPo1v - b7PyF3vj4pqRrc8oegeJ8XgIyI5X - Server.fleetspeak_enabled: true - Client.fleetspeak_enabled: true - ClientBuilder.fleetspeak_bundled: true - Target:Linux: - ClientBuilder.fleetspeak_client_config: /grr/venv/fleetspeak-server-bin/etc/fleetspeak-server/linux_client.config - Target:Windows: - ClientBuilder.fleetspeak_client_config: /grr/venv/fleetspeak-server-bin/etc/fleetspeak-server/windows_client.config - Target:Darwin: - ClientBuilder.fleetspeak_client_config: /grr/venv/fleetspeak-server-bin/etc/fleetspeak-server/darwin_client.config - Server.fleetspeak_server: fleetspeak-admin:9091 - FleetspeakFrontend Context: - Server.fleetspeak_message_listen_address: 0.0.0.0:11111 - Server.initialized: true diff --git a/installing-and-running-grr/advanced-usecases/sandbox/containers/envoy/Dockerfile b/installing-and-running-grr/advanced-usecases/sandbox/containers/envoy/Dockerfile index 07508f2..e61b39c 100644 --- a/installing-and-running-grr/advanced-usecases/sandbox/containers/envoy/Dockerfile +++ b/installing-and-running-grr/advanced-usecases/sandbox/containers/envoy/Dockerfile 
@@ -13,8 +13,8 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \ && apt-get -qq update -y \ && apt-get -qq install --no-install-recommends -y curl COPY --chmod=777 "$ENVOY_CONFIG" /etc/envoy.yaml -COPY --chmod=644 cert.pem /etc/cert.pem -COPY --chmod=644 key.pem /etc/key.pem +COPY --chmod=644 fleetspeak-cert.pem /etc/cert.pem +COPY --chmod=644 fleetspeak-key.pem /etc/key.pem CMD ["/usr/local/bin/envoy", "-c", "/etc/envoy.yaml"] FROM envoy-base as envoy-admin diff --git a/installing-and-running-grr/advanced-usecases/sandbox/containers/fleetspeak/Dockerfile b/installing-and-running-grr/advanced-usecases/sandbox/containers/fleetspeak/Dockerfile deleted file mode 100644 index 4fdc1fa..0000000 --- a/installing-and-running-grr/advanced-usecases/sandbox/containers/fleetspeak/Dockerfile +++ /dev/null 
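Review bot: `COPY --chmod=644 fleetspeak-key.pem /etc/key.pem` bakes the Fleetspeak TLS private key into an image layer and leaves it world-readable, so anyone who can pull or export the image obtains the key. Supplying the key at run time (a compose volume or secret) keeps it out of the image; if it must be copied, `--chmod=600` plus ownership for the user Envoy runs as is the tighter setting (which user that is cannot be seen from this hunk). The `--chmod=777` on `/etc/envoy.yaml` in the context line above is also wider than a read-only config file needs; `--chmod=644` would do. The build stage these lines belong to starts outside the hunk.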
@@ -1,46 +0,0 @@
-# Copyright 2023 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-FROM golang:1.21 as builder
-
-RUN apt update && \
- apt install -y python3-venv && \
- apt install -y pip && \
- apt install -y git
-
-WORKDIR /
-
-SHELL ["/bin/bash", "-c"]
-
-RUN git clone https://github.com/google/fleetspeak.git && \
- cd fleetspeak && \
- go get -u golang.org/x/lint/golint && \
- go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.28.0 && \
- go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.2
-
-RUN cd /fleetspeak && \
- python3 -m venv $HOME/.venv/FSENV && \
- source $HOME/.venv/FSENV/bin/activate && \
- pip install wheel pytest && \
- pip install -e ./fleetspeak_python[test] && \
- pip install -e ./frr_python && \
- ./fleetspeak/generate_go_py_protos.sh && \
- ./fleetspeak/build.sh
-
-FROM golang:1.21
-
-RUN mkdir -p /app/bin
-
-COPY --from=builder /fleetspeak/fleetspeak/src/server/server/server /app/bin/
-COPY --from=builder /fleetspeak/fleetspeak/src/client/client/client /app/bin/
-COPY --from=builder /fleetspeak/fleetspeak/src/config/fleetspeak_config /app/bin/
diff --git a/installing-and-running-grr/advanced-usecases/sandbox/containers/grr/client/Dockerfile b/installing-and-running-grr/advanced-usecases/sandbox/containers/grr/client/Dockerfile
deleted file mode 100644
index d31a756..0000000
--- a/installing-and-running-grr/advanced-usecases/sandbox/containers/grr/client/Dockerfile
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright 2023 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-FROM fleetspeak AS fleetspeak
-
-FROM grr
-COPY --from=fleetspeak /app/bin/client /usr/local/bin/fleetspeak-client
-COPY config/grr-client/client.yaml /grr/venv/install_data/etc/client.yaml
-WORKDIR /
diff --git a/installing-and-running-grr/advanced-usecases/sandbox/containers/grr/server/Dockerfile b/installing-and-running-grr/advanced-usecases/sandbox/containers/grr/server/Dockerfile
deleted file mode 100644
index 0056f38..0000000
--- a/installing-and-running-grr/advanced-usecases/sandbox/containers/grr/server/Dockerfile
+++ /dev/null
@@ -1,43 +0,0 @@
-# Copyright 2023 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-FROM ubuntu:22.04
-
-RUN apt-get update && apt-get install -y \
- git \
- python3-pip \
- python-is-python3 \
- python3.10-venv \
- python3-yaml \
- pkg-config \
- libmysqlclient-dev \
- openjdk-19-jre
-
-WORKDIR /
-
-RUN cd / && git clone https://github.com/google/grr
-
-RUN cd /grr/ \
- && python -m venv --system-site-packages venv \
- && . venv/bin/activate \
- && pip install mysqlclient nodeenv wheel \
- && nodeenv -p --prebuilt --node=16.13.0
-
-RUN cd /grr \
- && . /grr/venv/bin/activate \
- && pip install -e grr/proto \
- && pip install -e grr/core \
- && pip install -e grr/client \
- && pip install -e grr/client_builder \
- && pip install -e api_client/python \
- && pip install -e grr/server
diff --git a/installing-and-running-grr/advanced-usecases/sandbox/createConfig.sh b/installing-and-running-grr/advanced-usecases/sandbox/createConfig.sh
index 2a83aa7..b55d516 100755
--- a/installing-and-running-grr/advanced-usecases/sandbox/createConfig.sh
+++ b/installing-and-running-grr/advanced-usecases/sandbox/createConfig.sh
@@ -1,26 +1,36 @@ #!/bin/bash -openssl ecparam -list_curves - -# generate a private key for a curve -openssl ecparam -name prime256v1 -genkey -noout -out key.pem - -# optional: generate corresponding public key -#openssl ec -in key.pem -pubout -out public-key.pem - -# create a self-signed certificate -openssl req -new -x509 -key key.pem -out cert.pem -days 365 -subj "/C=AU/CN=fleetspeak-server" -addext "subjectAltName = DNS:fleetspeak-server" -export FRONTEND_PEM="$(cat cert.pem | sed 's/^/ /g' | sed ':a;N;$!ba;s/\n/\\n/g' | sed 's/\$/\\$/g')" -export FRONTEND_CERT=$(sed ':a;N;$!ba;s/\n/\\\\n/g' cert.pem) -export FRONTEND_KEY=$(sed ':a;N;$!ba;s/\n/\\\\n/g' key.pem) +set -ex -echo $FRONTEND_PEM -echo $FRONTEND_CERT -echo $FRONTEND_KEY - -sed -i "s@FRONTEND_CERTIFICATE@${FRONTEND_PEM}@" ./config/grr-server/server.local.yaml - -sed -i 's@FRONTEND_CERTIFICATE@'"$FRONTEND_CERT"'@' ./config/fleetspeak-frontend/components.textproto -sed -i 's@FRONTEND_CERTIFICATE@'"$FRONTEND_CERT"'@' ./config/grr-client/config.textproto +openssl ecparam -list_curves -sed -i 's@FRONTEND_KEY@'"$FRONTEND_KEY"'@' ./config/fleetspeak-frontend/components.textproto +# Generate key pair .pem files, which is linked in the GRR client and +# server configs (client.yaml, server.local.yaml). +openssl genrsa -out config/private-key.pem +openssl rsa -in config/private-key.pem -pubout -out config/public-key.pem + +# Create a CA/trusted private key and cert for Fleetspeak. +openssl ecparam -name prime256v1 -genkey -noout \ + -out fleetspeak-ca-key.pem +openssl req -new -x509 -days 365 -subj "/CN=Fleetspeak CA"\ + -key fleetspeak-ca-key.pem \ + -out fleetspeak-ca-cert.pem \ + +# Create keys for CA signed key and cert for fleetspeak. Resulting files are also +# copied in the envoy container, see containers/envoy/Dockerfile). 
+openssl ecparam -name prime256v1 -genkey -noout \ + -out fleetspeak-key.pem +openssl req -new -x509 -days 365 -subj "/CN=Fleetspeak CA" -addext "subjectAltName = DNS:fleetspeak-server" \ + -key fleetspeak-key.pem \ + -out fleetspeak-cert.pem \ + -CA fleetspeak-ca-cert.pem \ + -CAkey fleetspeak-ca-key.pem + +# Replace placeholders in fleetspeak and grr-client textproto files. +TRUSTED_FLEETSPEAK_CERT=$(sed ':a;N;$!ba;s/\n/\\\\n/g' fleetspeak-ca-cert.pem) +FLEETSPEAK_KEY=$(sed ':a;N;$!ba;s/\n/\\\\n/g' fleetspeak-key.pem) +FLEETSPEAK_CERT=$(sed ':a;N;$!ba;s/\n/\\\\n/g' fleetspeak-cert.pem) + +sed -i 's@FLEETSPEAK_CERT@'"$FLEETSPEAK_CERT"'@' ./config/fleetspeak-frontend/components.textproto +sed -i 's@FLEETSPEAK_KEY@'"$FLEETSPEAK_KEY"'@' ./config/fleetspeak-frontend/components.textproto +sed -i 's@TRUSTED_FLEETSPEAK_CERT@'"$TRUSTED_FLEETSPEAK_CERT"'@' ./config/grr-client/config.textproto diff --git a/installing-and-running-grr/advanced-usecases/sandbox/docker-compose.yaml b/installing-and-running-grr/advanced-usecases/sandbox/docker-compose.yaml index d9dbed1..cdb8de3 100644 --- a/installing-and-running-grr/advanced-usecases/sandbox/docker-compose.yaml +++ b/installing-and-running-grr/advanced-usecases/sandbox/docker-compose.yaml @@ -1,17 +1,5 @@ services: - fleetspeak: - image: fleetspeak - build: - context: . - dockerfile: ./containers/fleetspeak/Dockerfile - - grr: - image: grr - build: - context: . - dockerfile: ./containers/grr/server/Dockerfile - mysql-fleetspeak: image: mysql:8.2 restart: always 
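Review bot: `set -ex` enables xtrace for the whole script, so the `FLEETSPEAK_KEY=$(sed … fleetspeak-key.pem)` assignment and the `sed -i 's@FLEETSPEAK_KEY@'…` call that follows are echoed to stderr with the private key expanded, which leaves the key in terminal scrollback and in any captured log. Use `set -e` on its own, or bracket the placeholder-substitution block with `set +x` and `set -x`. Separately, the server certificate is issued with `-subj "/CN=Fleetspeak CA"`, the same name as the CA that signs it, so the leaf appears self-issued to chain builders; `-subj "/CN=fleetspeak-server"` would match its SAN. The `-out fleetspeak-ca-cert.pem \` line also ends in a stray continuation backslash before a blank line, which should be dropped.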
@@ -60,14 +48,19 @@ services: - "10000:10000" fleetspeak-admin: - build: - context: . - dockerfile: ./containers/fleetspeak/Dockerfile + image: ghcr.io/google/fleetspeak:latest hostname: fleetspeak-admin depends_on: mysql-fleetspeak: condition: service_healthy - entrypoint: ["/app/bin/server", "-components_config", "/config/fleetspeak-admin/components.textproto", "-services_config", "/config/fleetspeak-admin/services.textproto", "-alsologtostderr"] + entrypoint: [ + "server", + "-components_config", + "/config/fleetspeak-admin/components.textproto", + "-services_config", + "/config/fleetspeak-admin/services.textproto", + "-alsologtostderr" + ] volumes: - "./config:/config" ports: @@ -76,14 +69,19 @@ services: - '9091' fleetspeak-frontend: - build: - context: . - dockerfile: ./containers/fleetspeak/Dockerfile + image: ghcr.io/google/fleetspeak:latest hostname: fleetspeak-frontend depends_on: mysql-fleetspeak: condition: service_healthy - entrypoint: ["/app/bin/server", "-components_config", "/config/fleetspeak-frontend/components.textproto", "-services_config", "/config/fleetspeak-frontend/services.textproto", "-alsologtostderr"] + entrypoint: [ + "server", + "-components_config", + "/config/fleetspeak-frontend/components.textproto", + "-services_config", + "/config/fleetspeak-frontend/services.textproto", + "-alsologtostderr" + ] volumes: - "./config:/config" ports: 
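Review bot: `image: ghcr.io/google/fleetspeak:latest` replaces a local build with a mutable tag, so the binary that runs changes whenever the registry tag moves and a given sandbox run can be neither reproduced nor audited. Pin the image to a release tag or, better, a digest, e.g. `image: ghcr.io/google/fleetspeak@sha256:<digest>` (placeholder). The same applies to the `fleetspeak-frontend` service in the next hunk and to the four `ghcr.io/google/grr:latest` services (grr-client, grr-admin, grr-frontend, grr-worker) in the hunk after it. The service definitions continue outside these hunks.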
@@ -100,64 +98,72 @@ services: retries: 10 grr-client: - build: - context: . - dockerfile: ./containers/grr/client/Dockerfile + image: ghcr.io/google/grr:latest hostname: grr-client depends_on: - fleetspeak-frontend: - condition: - service_healthy - fleetspeak: + front-envoy: condition: service_started - grr: + fleetspeak-frontend: condition: - service_started - entrypoint: ["fleetspeak-client", "-config" , "/config/config.textproto", "-alsologtostderr"] + service_healthy + entrypoint: [ + "/bin/bash", + "-c", + "grr_client_build repack_multiple --templates /client_templates/*/*.zip --repack_configs /config/grr-client/client.yaml --output_dir /installers && dpkg -i /installers/client/*.deb && fleetspeak-client -config /config/grr-client/config.textproto" + ] volumes: - - "./config/grr-client:/config" - + - "./config/:/config/" + grr-admin: - build: - context: . - dockerfile: ./containers/grr/server/Dockerfile + image: ghcr.io/google/grr:latest hostname: grr-admin depends_on: mysql-grr: condition: service_healthy - entrypoint: ["/grr/venv/bin/python", "-m", "grr_response_server.gui.admin_ui", "--logtostderr"] + command: + - -component + - admin_ui + - -config + - /config/grr-server/server.local.yaml + - --verbose volumes: - - "${PWD}/config/grr-server/server.local.yaml:/grr/grr/core/install_data/etc/server.local.yaml" + - "${PWD}/config/:/config/" ports: - '8000:8000' expose: - '8000' grr-frontend: - build: - context: . 
- dockerfile: ./containers/grr/server/Dockerfile + image: ghcr.io/google/grr:latest hostname: grr-frontend depends_on: mysql-grr: condition: service_healthy - entrypoint: ["/grr/venv/bin/python", "-m", "grr_response_server.bin.fleetspeak_frontend", "--logtostderr"] + command: + - -component + - frontend + - -config + - /configs/server.local.yaml + - --verbose volumes: - - "${PWD}/config/grr-server/server.local.yaml:/grr/grr/core/install_data/etc/server.local.yaml" + - "${PWD}/config/grr-server/:/configs/" ports: - '11111:11111' expose: - '11111' grr-worker: - build: - context: . - dockerfile: ./containers/grr/server/Dockerfile + image: ghcr.io/google/grr:latest hostname: grr-worker depends_on: mysql-grr: condition: service_healthy - entrypoint: ["/grr/venv/bin/python", "-m", "grr_response_server.bin.worker", "--logtostderr"] + command: + - -component + - worker + - -config + - /configs/server.local.yaml + - --verbose volumes: - - "${PWD}/config/grr-server/server.local.yaml:/grr/grr/core/install_data/etc/server.local.yaml" + - "${PWD}/config/grr-server/:/configs/"
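Review bot: The grr-client volume changes from `./config/grr-client:/config` to `./config/:/config/`, which mounts the whole config tree into the simulated endpoint, including `config/private-key.pem` (the executable-signing key written by createConfig.sh) and `grr-server/server.local.yaml` with the MySQL credentials. Per client.yaml the client only reads `/config/grr-client/…` and `/config/public-key.pem`, so mount just those: `- "./config/grr-client:/config/grr-client"` and `- "./config/public-key.pem:/config/public-key.pem:ro"`. Also, grr-frontend and grr-worker mount only `config/grr-server/` at `/configs/`, while server.local.yaml interpolates `%(/config/public-key.pem|file)` and `%(/config/private-key.pem|file)`; those paths do not exist in these two containers, so the key lookups will presumably fail or come back empty there, unlike in grr-admin, which mounts `/config/`.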