Home / v3.4.7.4-release
Name Modified Size
GRR release 3.4.7.4 source code.tar.gz 2024-05-28 6.2 MB
GRR release 3.4.7.4 source code.zip 2024-05-28 7.7 MB
README.md 2024-05-28 3.8 kB

Regular release.

Removed

  • GRR server Debian package. We stopped providing the GRR server Debian package as the main way of distributing GRR server and client binaries. Instead, the GRR Docker image is now the preferred way of running GRR in a demo or production environment. See the documentation here.
  • Removed support for Chipsec based flows.
  • Removed ClientArtifactCollector flow and related client actions.
  • Removed indexing of endpoints on snapshot uname (searching is still possible by system name, release and version, individually or in combination).
  • Removed support for foreman rules using uname of an endpoint (this can be simulated by using 3 rules for system name, release and version).
  • Removed the provides field from the Artifact message. This change has been done in anticipation of the removal of the same field from the official GitHub repository (ForensicArtifacts/artifacts#275).
  • Artifact parsers. The ArtifactCollector flow supported parsing collected files and the output of executed commands. Its parsers were not properly maintained and were often outdated and fragile. We've converted selected parsers into standalone flows (CollectDistroInfo, CollectInstalledSoftware, CollectHardwareInfo) and removed the artifact parsing subsystem. The ArtifactCollector now works as if the "apply_parsers" arguments attribute is set to False. At some point the "apply_parsers" attribute will be deprecated completely.

Added

  • GRR Docker image, which contains all GRR server components and client templates. It is available for download for every new GRR version at https://github.com/google/grr/pkgs/container/grr
  • Docker Compose configuration file to run all GRR/Fleetspeak components in separate Docker containers.
  • The Python API was extended with a function (DecodeCrowdStrikeQuarantineEncoding) to decode a CrowdStrike quarantine encoded file, given as a BinaryChunkIterator.

Fixed

  • YARA memory scanning improvements (matching context options, consuming less bandwidth).

API removed

  • GetClientLoadStats API method (/api/clients/<client_id>/load-stats/<metric>). Client load stats collection functionality was removed from GRR, as it was rarely used and Fleetspeak already collects basic client stats anyway. Instead of fixing and maintaining the GRR client load stats logic, we would rather invest in Fleetspeak's client load stats enhancements.
  • ApiReportData definition (used by GetReport, /api/stats/reports/<name>) changed: support for stack, line and pie charts removed. All stack/line/pie chart report plugins removed (namely: GRRVersion1ReportPlugin, GRRVersion7ReportPlugin, GRRVersion30ReportPlugin, LastActiveReportPlugin, OSBreakdown1ReportPlugin, OSBreakdown7ReportPlugin, OSBreakdown14ReportPlugin, OSBreakdown30ReportPlugin, OSReleaseBreakdown1ReportPlugin, OSReleaseBreakdown7ReportPlugin, OSReleaseBreakdown14ReportPlugin, OSReleaseBreakdown30ReportPlugin, SystemFlowsReportPlugin, UserFlowsReportPlugin, MostActiveUsersReportPlugin, UserActivityReportPlugin).
  • GetFileDecoders API method (/api/clients/<client_id>/vfs-decoders/<path:file_path>). Getting file decoders functionality was removed as it was not used before.
  • GetDecodedFileBlob API method (/api/clients/<client_id>/vfs-decoded-blob/). Get decoded file blob functionality was removed as it was unused before. Only one decoder, for decoding CrowdStrike quarantine encoded files, was implemented; this functionality is now exposed via the Python API.
Source: README.md, updated 2024-05-28