Cleaning Up The Google Rapid Response Inventory

This post is inspired by Google Rapid Response (GRR) issue #49, and is relevant if you test against a GRR server instance and need to clean up historical debug clients in the inventory. If a client is offline, it will stay there, and yes, it's quite annoying.

This recipe requires the IPython console, which can be started on the server by running grr_console. There is a neat feature for searching the inventory, so say the client name is HOSTNAME - you may then run the following to get a listing of matching clients:

for client in SearchClients('host:HOSTNAME'):
  print(client)

This shows two matches. In this case one is live, and the other one, C.12c35ccfe21a0312, should be scheduled for deletion:

(<VFSGRRClient@XXXXXXXXXXX = aff4:/C.1dc35fcfe41bb3cf>, 'HOSTNAME_X', '6.4', '2015-02-08 14:10:36')
(<VFSGRRClient@YYYYYYYYYYY = aff4:/C.12c35ccfe21a0312>, 'HOTNAME_Y', '6.7', '2015-02-08 10:56:15')

Quite straightforward, the client is removed by the following:

# Token recording who performs the deletion and why
token = access_control.ACLToken(username="someone", reason="Why")
# Pass the token so the deletion is attributed to it
aff4.FACTORY.Delete(rdfvalue.ClientURN("C.12c35ccfe21a0312"), token=token)

The deletion will immediately be noticeable in the web GUI as well.
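
When there are more than a couple of debug clients, it helps to shortlist deletion candidates before calling Delete. The following is an added example, not part of the original recipe or of GRR itself: it assumes rows in the tuple shape printed by the search loop above, runs on constructed sample rows, and uses a hypothetical helper name (stale_client_ids). It only returns client IDs that are well-formed and have not been seen within a chosen age, so a malformed or empty URN is never handed to the delete call.

```python
import re
from datetime import datetime, timedelta

# GRR client IDs look like "C." followed by 16 hex digits (as in the listing above).
CLIENT_ID_RE = re.compile(r"aff4:/(C\.[0-9a-f]{16})>")

# Constructed sample rows in the shape printed by the search loop:
# (object repr, hostname, OS version, last-seen time).
SAMPLE_ROWS = [
    ("<VFSGRRClient@XXXXXXXXXXX = aff4:/C.1dc35fcfe41bb3cf>",
     "HOSTNAME_X", "6.4", "2015-02-08 14:10:36"),
    ("<VFSGRRClient@YYYYYYYYYYY = aff4:/C.12c35ccfe21a0312>",
     "HOSTNAME_Y", "6.7", "2015-02-08 10:56:15"),
    # Malformed row: no client ID after the aff4:/ prefix.
    ("<VFSGRRClient@ZZZZZZZZZZZ = aff4:/>",
     "BROKEN", "6.7", "2015-01-01 00:00:00"),
]


def stale_client_ids(rows, now, max_age):
    """Return well-formed client IDs whose last-seen time is older than max_age."""
    stale = []
    for obj_repr, _host, _version, last_seen in rows:
        match = CLIENT_ID_RE.search(str(obj_repr))
        if match is None:
            # Skip anything that is not exactly a client URN; it needs a manual look.
            continue
        seen = datetime.strptime(last_seen, "%Y-%m-%d %H:%M:%S")
        if now - seen > max_age:
            stale.append(match.group(1))
    return stale


if __name__ == "__main__":
    now = datetime(2015, 2, 8, 14, 15, 0)  # constructed "current" time
    for client_id in stale_client_ids(SAMPLE_ROWS, now, timedelta(hours=1)):
        # Dry run: review this list before deleting anything.
        print("candidate for deletion:", client_id)
```

Review the printed candidates by hand, then delete each one with the call shown earlier.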

Tommy

Tommy is an analyst and incident handler with more than seven years of experience from the government and private industry. He holds an M.Sc. in Digital Forensics and a B.Tech. in information security.