Thoughts, stories and ideas on cyber security

Cleaning Up The Google Rapid Response Inventory

This post is inspired by Google Rapid Response (GRR) issue #49, and is relevant if you run tests against a GRR server instance and need to clean historical debug clients out of the inventory. An offline client stays listed indefinitely, and yes, it's quite annoying.

This recipe requires the IPython console, which can be started on the server by running grr_console. The console has a neat feature for searching the inventory, so if the client name is HOSTNAME you can run the following to get a listing of matching clients:

# SearchClients is available directly in the grr_console namespace
for client in SearchClients('host:HOSTNAME'):
  print(client)

This shows two matches; in this case one is live, and the other one, C.12c35ccfe21a0312, should be scheduled for deletion:

(<VFSGRRClient@XXXXXXXXXXX = aff4:/C.1dc35fcfe41bb3cf>, 'HOSTNAME_X', '6.4', '2015-02-08 14:10:36')
(<VFSGRRClient@YYYYYYYYYYY = aff4:/C.12c35ccfe21a0312>, 'HOTNAME_Y', '6.7', '2015-02-08 10:56:15')

Quite straightforward: the client is removed by the following:

# access_control, aff4 and rdfvalue are already imported in the grr_console namespace
token = access_control.ACLToken(username="someone", reason="Why")
# Pass the token so the deletion is performed under that user and reason
aff4.FACTORY.Delete(rdfvalue.ClientURN("C.12c35ccfe21a0312"), token=token)

The removal is immediately noticeable in the web GUI as well.
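Picking the stale client out of the search listing by eye is fine for two matches, but a test server that has been reinstalled many times will have far more. The following is an added example, not code from the post or from the GRR project: it parses the printed SearchClients() tuples shown above, keeps the most recently seen client per hostname, flags the older duplicates that have not checked in within a threshold, and runs the deletion through a dry-run gate. The sample listing is constructed (the two URNs are the ones from the post; the third record and all timestamps beyond those are made up), and the delete callback is injected so the logic can be exercised outside grr_console.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the tuple format SearchClients() prints in grr_console.
# The two HOSTNAME_X URNs are taken from the post; OTHERHOST is made up.
SAMPLE_OUTPUT = """\
(<VFSGRRClient@XXXXXXXXXXX = aff4:/C.1dc35fcfe41bb3cf>, 'HOSTNAME_X', '6.4', '2015-02-08 14:10:36')
(<VFSGRRClient@YYYYYYYYYYY = aff4:/C.12c35ccfe21a0312>, 'HOSTNAME_X', '6.7', '2015-02-08 10:56:15')
(<VFSGRRClient@ZZZZZZZZZZZ = aff4:/C.0000000000000001>, 'OTHERHOST', '6.7', '2015-01-01 09:00:00')
"""

# Constructed "current time" for the sample, a few minutes after the live check-in
SAMPLE_NOW = datetime(2015, 2, 8, 14, 15, 0)

# Matches the URN, hostname, version and last-seen fields of one printed tuple
LINE_RE = re.compile(
    r"aff4:/(C\.[0-9a-f]{16})>, '([^']*)', '([^']*)', '([^']*)'\)"
)


def parse_search_output(text):
    """Turn printed SearchClients() tuples into (urn, hostname, version, last_seen)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip anything that is not a client tuple
        urn, host, version, seen = m.groups()
        records.append((urn, host, version,
                        datetime.strptime(seen, "%Y-%m-%d %H:%M:%S")))
    return records


def stale_duplicates(records, now, max_age_seconds=3600):
    """Return URNs that are safe to delete.

    For each hostname the most recently seen client is always kept; the remaining
    clients for that hostname are flagged only if their last check-in is older
    than max_age_seconds. A hostname with a single client is never flagged.
    """
    by_host = defaultdict(list)
    for rec in records:
        by_host[rec[1]].append(rec)

    stale = []
    for recs in by_host.values():
        recs.sort(key=lambda r: r[3], reverse=True)  # newest check-in first
        for urn, _host, _version, seen in recs[1:]:
            if (now - seen).total_seconds() > max_age_seconds:
                stale.append(urn)
    return stale


def delete_clients(urns, delete_fn, dry_run=True):
    """Call delete_fn(urn) for each URN unless dry_run; return the URNs deleted."""
    deleted = []
    for urn in urns:
        if dry_run:
            print("would delete", urn)
        else:
            delete_fn(urn)
            deleted.append(urn)
    return deleted


if __name__ == "__main__":
    records = parse_search_output(SAMPLE_OUTPUT)
    candidates = stale_duplicates(records, SAMPLE_NOW)
    # Dry run first; in grr_console the real callback would be
    #   lambda urn: aff4.FACTORY.Delete(rdfvalue.ClientURN(urn), token=token)
    delete_clients(candidates, delete_fn=lambda urn: None, dry_run=True)
```

Run it once with dry_run=True and read the "would delete" lines before switching to the real callback; the only URN flagged for the sample is C.12c35ccfe21a0312, because HOSTNAME_X has a newer client and the stale one has not checked in for over three hours, while OTHERHOST is left alone as its only client.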


Tommy

Tommy (B.Tech., M.Sc.) is a seasoned cyber security analyst with experience from both the government and private industry. He works daily with data- and intelligence-driven cyber security operations.