Releases: google/grr
GRR release 3.4.9.0
This is a regular GRR release.
IMPORTANT: It's the last release containing the legacy UI and the legacy API support (UIv1 and APIv1). In the next release:
- The APIv1 will be removed. If you use the GRR API Python client library, you shouldn't notice anything. If you use direct HTTP JSON requests to talk to GRR AdminUI, you need to ensure that you're using APIv2 (contains `/v2/` in the URLs).
- The UIv1 (legacy AngularJS-based UI) will be removed and the much improved version of the Angular-based UIv2 will become the only UI available. Between the current and the next release UIv2 will get additional debugging capabilities, a denser UI layout, the implementation of missing flows, performance improvements, etc.
Changelog for the current release:
Added
- Added support for listing `%SystemDrive%\Users` as a supplementary mechanism for collecting user profiles on Windows (in addition to using data from the registry).
Removed
- Removed the `ListFlowApplicableParsers` API method.
- Removed the `ListParsedFlowResults` API method.
- Removed support for the `GREP` artifact source (these were internal to GRR and not part of the official specification).
- Removed the `ApiClient.users` field, which contained duplicate information present in the `ApiClient.knowledge_base.users` field.
- Removed no longer used or relevant configuration options:
  - `Server.fleetspeak_enabled`
  - `Client.fleetspeak_enabled`
  - `Client.server_urls`
  - `Client.control_urls`
  - `Client.server_serial_number`
  - `Client.poll_min`
  - `Client.poll_max`
  - `Client.error_poll_min`
  - `Client.labels`
  - `Client.rss_max`
  - `Client.rss_max_hard`
  - `Frontend.bind_port`
  - `Frontend.port_max`
  - `Nanny.child_binary`
  - `Nanny.child_command_line`
  - `Nanny.service_name`
  - `Nanny.service_description`
  - `Nanny.statusfile`
  - `Nanny.binary`
  - `Nanny.service_binary_name`
Changed
- Renamed `restricted_flow_users` and `restricted_flow_groups` to `admin_users` and `admin_groups`. The new entries can be used to grant access for Client/Hunt/CronJob approvals as well as restricted flows.
GRR release 3.4.7.5
This is a bugfix release:
- `grr-api-client` package issue is fixed (no implicit dependency on grr-response-core).
- Added support for listing `%SystemDrive%\Users` as a supplementary mechanism for collecting user profiles on Windows (in addition to using data from the registry).
GRR release 3.4.7.4
Regular release.
Removed
- GRR server Debian package. We stopped providing the GRR server Debian package as the main way of distributing GRR server and client binaries. Instead we make the GRR Docker image the preferred way for running GRR in a demo or production environment. See the documentation here.
- Removed support for Chipsec based flows.
- Removed ClientArtifactCollector flow and related client actions.
- Removed indexing endpoints on snapshot `uname` (searching is still possible by individual and combination of system name, release and version).
- Removed support for foreman rules using `uname` of an endpoint (this can be simulated by using 3 rules for system name, release and version).
- Removed the `provides` field from the `Artifact` message. This change has been done in anticipation of the removal of the same field from the official GitHub repository (ForensicArtifacts/artifacts#275).
- Artifact parsers. ArtifactCollector flow supported parsing collected files and output of executed commands. Its parsers were not properly maintained, were often outdated and fragile. We converted selected parsers into standalone flows (`CollectDistroInfo`, `CollectInstalledSoftware`, `CollectHardwareInfo`) and removed the artifact parsing subsystem. The ArtifactCollector now works as if the "apply_parsers" argument attribute is set to False. At some point the "apply_parsers" attribute will be deprecated completely.
Added
- GRR docker image which contains all grr server components and client templates. It is available for every new GRR version for download at https://github.com/google/grr/pkgs/container/grr
- Docker compose configuration file to run all GRR/Fleetspeak components in separate Docker containers.
- Python API was extended by a function (`DecodeCrowdStrikeQuarantineEncoding`) to decode a CrowdStrike quarantine encoded file, given as a `BinaryChunkIterator`.
Fixed
- YARA memory scanning improvements (matching context options, consuming less bandwidth).
API removed
- GetClientLoadStats API method (`/api/clients/<client_id>/load-stats/<metric>`). Client load stats collection functionality was removed from GRR, as it was rarely used and Fleetspeak already collects basic client stats anyway. Instead of fixing/maintaining the GRR client load stats logic, we would rather invest in Fleetspeak's client load stats enhancements.
- ApiReportData definition (used by GetReport, `/api/stats/reports/<name>`) changed: support for stack, line and pie charts removed. All stack/line/pie chart report plugins removed (namely: GRRVersion1ReportPlugin, GRRVersion7ReportPlugin, GRRVersion30ReportPlugin, LastActiveReportPlugin, OSBreakdown1ReportPlugin, OSBreakdown7ReportPlugin, OSBreakdown14ReportPlugin, OSBreakdown30ReportPlugin, OSReleaseBreakdown1ReportPlugin, OSReleaseBreakdown7ReportPlugin, OSReleaseBreakdown14ReportPlugin, OSReleaseBreakdown30ReportPlugin, SystemFlowsReportPlugin, UserFlowsReportPlugin, MostActiveUsersReportPlugin, UserActivityReportPlugin).
- GetFileDecoders API method (`/api/clients/<client_id>/vfs-decoders/<path:file_path>`). Getting file decoders functionality was removed as it was not used before.
- GetDecodedFileBlob API method (`/api/clients/<client_id>/vfs-decoded-blob/`). Get decoded file blob functionality was removed as it was unused before. Only one decoder, for decoding CrowdStrike quarantine encoded files, was implemented; this functionality is now exposed via the Python API.
GRR release 3.4.7.1
Note: this is the last release containing the following features:
- Artifact parsers. ArtifactCollector flow supports parsing collected files and output of executed commands. Its parsers are not properly maintained, are often outdated and fragile. We're going to convert selected parsers into standalone flows and remove the artifact parsing subsystem: the ArtifactCollector will always work as if the "apply_parsers" argument attribute is set to False. Afterwards the "apply_parsers" attribute will be deprecated completely. We will provide documentation on integrating GRR and ArtifactCollector with well-maintained parsing frameworks like Plaso.
- Built-in cron jobs. Built-in cron jobs are primarily used for periodic hunts. We will provide documentation on how to easily replicate the current functionality using external scheduling systems (like Linux cron, for example). If your workflow depends on GRR built-in cron jobs and you anticipate problems when migrating it to external schedulers, please reach out to us via email or GitHub.
- GRR server Debian package. We will stop providing the GRR server Debian package as the main way of distributing GRR server and client binaries. Instead we will make the GRR Docker image the preferred way for running GRR in a demo or production environment.
If your workflow depends on any of the above, please feel free to reach out to us via the grr-users Google Group or GitHub.
Added
- Created a flow for collecting an identifier of the CrowdStrike agent.
- Podman-based zero-setup development environment.
- Added StatMultipleFiles and HashMultipleFiles flows to be used in UIv2.
Changed
- Renamed AdminUI.new_hunt_wizard.default_output_plugin to AdminUI.new_hunt_wizard.default_output_plugins (note the "s" in the end). The new option accepts a comma-separated list of names.
- Newly interrogated clients now pick up active hunts automatically.
- Hunts workflow is now available in the new UI: creating hunts from a flow, duplicating existing hunts, monitoring hunt progress and inspecting results.
Removed
- Fully removed deprecated use_tsk flag.
- Removed deprecated plugin_args field from OutputPluginDescriptor.
- Removed deprecated flows: FingerprintFile, KeepAlive, FingerprintFile, FindFiles, SendFile, Uninstall, UpdateClient, CollectEfiHashes, DumpEfiImage.
- Deprecated GetFile flow in favor of MultiGetFile.
- Made FileFinder an alias to ClientFileFinder, using ClientFileFinder by default everywhere. Legacy FileFinder is still available as LegacyFileFinder. Fixed several inconsistencies in ClientFileFinder client action. Same for RegistryFinder.
- Removed deprecated client actions: EficheckCollectHashes, EficheckDumpImage, Uninstall, SendFile.
- Removed "Checks" functionality.
API removed
- Deprecated no-op "keep_client_alive" attribute in ApiCreateClientApprovalArgs.
- Deprecated ListClientActionRequests API call (was no-op after Fleetspeak migration).
GRR release 3.4.6.7
Updates:
- Server DEB package now targets Ubuntu 22.04 LTS.
- Agents are now Python 3.9-based (server deb package is Python 3.10-based).
- MySQL-based datastore performance considerably improved.
- UIv2 supports majority of flows and hunts.
- Third-party dependencies updated.
- A lot of minor bugfixes and improvements.
GRR release 3.4.6.0
Regular release for Q2 2022.
Download the server deb for Ubuntu 18.04 from here.
Please see the release notes.
GRR release 3.4.5.1
Mid-quarter release for Q3 2021.
Download the server deb for Ubuntu 18.04 from here.
Please see the release notes.
GRR release 3.4.3.1
Regular release for Q2 2021.
Download the server deb for Ubuntu 18.04 from here.
Please see the release notes.
GRR release 3.4.2.4
Minor bug-fix release on top of v3.4.2.3.
Download the server deb for Ubuntu 18.04 from here.
Please see the release notes.
GRR release 3.4.2.3
Quarterly release for Q3 2020.
Download the server deb for Ubuntu 18.04 from here.
Please see the release notes.