6 months have gone by since I first experienced Google Rapid Response (GRR), and GRR is still a pretty amazing concept and tool. The platform support and powerful open source nature makes it an ideal tool for organizations looking for something that covers the reality, not just a narrow, illusive, and ideal enterprise environment.
You may also like my Remote forensics is the new black article, covering the basics of remote forensics and GRR.
Now it seems that Google is preparing a 126.96.36.199 release, deemed from the prebuild client templates. And that said, the development team isn't especially great at conveying such messages to the masses. The 188.8.131.52 client template also fixes problems for instance for the Linux client, which previously wouldn't install (with 184.108.40.206) on the current Debian Wheezy release. By the way, if you have a go at it - you may have to clean out
/etc/init/grr.conf and do a second install.
Other than that the server seems to be quite stable on Debian "Jessie" 8.0.
Issues with locale
Google GRR have always had problems when locales is not set on the server. It also obviously have issues when it's not set to english flavours. When flows didn't start when assigned to a client, starting the worker manually showed it complaining on the locale (which was set to
nb_NO.UTF-8). Changing it back seems to have done the trick:
export LANGUAGE=en_US.UTF-8. Also adding it to
/etc/environment will help you out when it comes to persistence:
As you'll notice when you start assigning flows for the clients, the locale problem goes for the clients as well. So configure it right from the start.
And that's how it goes, GRR is still a little green but it's getting there.
Edit FEB 10th 2015: I see that Google's been pushing version 0.3.0.5 which seems to resolve a lot of issues.
Conclusion: This is going to be even greater than great!