Splunk® Phantom (Legacy)

Install and Upgrade Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Convert a privileged deployment to an unprivileged deployment

During the upgrade of Splunk Phantom 4.10.7 to Splunk SOAR (On-premises) 5.0.1, it is possible to convert a privileged deployment to an unprivileged deployment.

Converting a privileged deployment to an unprivileged deployment can be done when moving from Splunk Phantom 4.10.7 to Splunk SOAR (On-premises) 5.0.1, and requires the assistance of Splunk Support.

Converting a privileged Splunk Phantom instance to an unprivileged instance cannot be undone. Make sure you wish to convert before running the upgrade.

In most cases, converting a privileged installation to an unprivileged one happens during an upgrade. See Upgrade a single unprivileged Splunk Phantom instance or Upgrade an unprivileged Splunk Phantom Cluster.

Changes to a privileged deployment when converting to an unprivileged deployment

Unprivileged instances of Splunk Phantom run as a user other than the root user.

  • New Splunk Phantom 4.10 OVA or AMI deployments run under the user account phantom.
  • Privileged deployments converted during upgrade run under the user account phantom.
  • Manually installed unprivileged deployments run under the user account specified during installation.

These changes are made to a deployment that is converted from privileged to unprivileged during an upgrade:

  • RPM dependencies that are replaced with unprivileged versions are uninstalled:
    • pgbouncer
    • nginx
    • postgresql
    • git
  • Splunk Phantom RPM files are removed from the RPM database. Existing files are not removed, only the RPM database entries.
  • The owner of everything under <PHANTOM_HOME> is changed to phantom:phantom.
  • SELinux is disabled.
  • The unprivileged versions of the dependencies are installed:
    • pgbouncer
    • nginx
    • postgresql
    • git
  • Auto-boot is reconfigured.
  • The logging configuration setting for all Splunk Phantom daemons is modified in the phantom database.
  • The rsyslog configuration is removed.
  • The necessary configuration files are updated, mostly to update logging paths.
  • Phantom logs are moved from /var/log/phantom to <PHANTOM_HOME>/var/log/phantom.
  • The root shell is replaced with bash. Privileged installs normally use a setup shell provided by Splunk Phantom.
  • The phantom user is given a gecos/full name attribute if one is not already set.
  • A firewall port forward is configured from the custom unprivileged HTTPS port to 443 (requires firewalld).

Manually converting a privileged deployment to an unprivileged deployment

Normally, a conversion from a privileged deployment to an unprivileged one is done during an upgrade. If you need to convert your deployment before upgrading, you can use this process, in conjunction with Splunk Phantom's support team, to manually convert your deployment.

Converting a privileged Splunk Phantom instance to an unprivileged instance cannot be undone. Make sure you wish to convert before running the upgrade.

If you want to manually convert a privileged deployment of Splunk Phantom 4.10.7 to an unprivileged Splunk SOAR (On-premises) 5.0.1 deployment, do the following:

  1. Contact Splunk Phantom Support to get access to the necessary installer tar file, and additional script files. Once access has been granted, you can download the file from the Splunk Phantom community website.
    The files you need are:
    • Official Unprivileged Tarball file
    • migrate_priv_to_nri.pyc
    • phantom_tar_install.sh
  2. Download the Official Unprivileged Tarball file for your operating system from the Splunk Phantom community website Product Downloads page.
  3. Make sure that firewalld is active and running. To configure the migration script, firewalld must be active.
    1. Check the status of firewalld.
      sudo systemctl status firewalld
      Example output from an active firewalld:
      ● firewalld.service - firewalld - dynamic firewall daemon
         Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
         Active: active (running) since Tue 2021-03-02 00:37:43 GMT; 2 months 3 days ago
    2. (Conditional) If firewalld is not active, enable it, then start it.
      sudo systemctl enable firewalld
      sudo systemctl start firewalld
  4. Copy the installation tar file to the directory where Splunk Phantom is installed. This is the PHANTOM_HOME directory. For a privileged deployment, this should be /opt/phantom/.
  5. Extract the installation tar file.
    tar -xvzf phantom-<version>.tgz
  6. Copy migrate_priv_to_nri.pyc into the PHANTOM_HOME/bin directory, then copy phantom_tar_install.sh into the PHANTOM_HOME directory, overwriting existing files.
  7. As the root user, run the migration script.
    phenv python migrate_priv_to_nri.pyc

If the script fails to complete the migration, an error message on stdout states the error encountered and the log file to consult for further troubleshooting.
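After the migration script finishes, an administrator will want to confirm that the changes listed above (ownership of PHANTOM_HOME, SELinux, the firewalld port forward, the phantom user's gecos field, relocated logs) actually took effect. The following verification script is an added example, not Splunk's own tooling; it assumes PHANTOM_HOME is /opt/phantom, that the forward is 443/tcp to a custom port (8443 is a constructed placeholder), and the GNU `firewall-cmd --list-forward-ports` line format `port=443:proto=tcp:toport=8443:toaddr=`. Each check reads its input as an argument or on stdin so it can be exercised on captured output.

```shell
#!/usr/bin/env bash
# Post-conversion verification for a privileged -> unprivileged Splunk Phantom
# migration. Added example, not Splunk's own tooling. PHANTOM_HOME and the
# custom unprivileged HTTPS port (8443 is a constructed placeholder) are passed in.

# Count paths under $1 whose owner is not user $2 and group $3 (expect 0).
count_wrong_owner() {
    find "$1" -exec stat -c '%U:%G' {} + 2>/dev/null | grep -vc "^$2:$3\$"
}

# Read `firewall-cmd --list-forward-ports` output on stdin; succeed if a
# 443/tcp forward to port $1 is present.
has_forward_to_port() {
    grep -q "^port=443:proto=tcp:toport=$1:"
}

# Read one passwd(5) line on stdin; succeed if the gecos (5th) field is set.
has_gecos() {
    [ -n "$(cut -d: -f5)" ]
}

# $1 is `getenforce` output; succeed unless SELinux is still Enforcing.
selinux_disabled() {
    [ "$1" != "Enforcing" ]
}

# Succeed if logs live under PHANTOM_HOME ($1) and nothing remains in /var/log/phantom.
logs_relocated() {
    [ -d "$1/var/log/phantom" ] && [ ! -d /var/log/phantom ]
}

# Run every check against the live system; print one FAIL line per problem.
verify_conversion() {
    home="${1:?PHANTOM_HOME}" port="${2:?unprivileged https port}" rc=0
    n=$(count_wrong_owner "$home" phantom phantom)
    [ "$n" = 0 ] || { echo "FAIL: $n paths under $home not owned by phantom:phantom"; rc=1; }
    firewall-cmd --list-forward-ports 2>/dev/null | has_forward_to_port "$port" \
        || { echo "FAIL: no firewalld forward 443/tcp -> $port"; rc=1; }
    getent passwd phantom | has_gecos || { echo "FAIL: phantom user has no gecos/full name"; rc=1; }
    selinux_disabled "$(getenforce 2>/dev/null || echo Disabled)" \
        || { echo "FAIL: SELinux is still enforcing"; rc=1; }
    logs_relocated "$home" || { echo "FAIL: logs not relocated to $home/var/log/phantom"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: all post-conversion checks passed"
    return "$rc"
}

# Usage: ./verify_conversion.sh /opt/phantom 8443
if [ "$#" -ge 2 ]; then verify_conversion "$1" "$2"; fi
```

Run it as root on the converted host; a non-zero exit code with FAIL lines points at the change that did not apply, which is the first thing Splunk Support will ask about.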

Last modified on 25 January, 2023

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.10.7