Install Splunk Phantom as an unprivileged user
Tar file distributions of Splunk Phantom are available for installations where Splunk Phantom will run as an unprivileged user.
If you install a stand-alone Splunk Phantom instance as an unprivileged user, underlying services such as the PostgreSQL database are installed in the user space for that user.
Prerequisites
Contact Phantom support to get this installation file.
Supported Operating Systems for this method:
- Red Hat Enterprise Linux 7.6 through 7.9
- CentOS 7.6 through 7.9
Prepare the system
Before you install Splunk Phantom as an unprivileged user, the root user or a user with sudo access must prepare the system.
Do all these tasks with root permissions, either by logging in as root or as a user with sudo permission.
Install the operating system dependencies
- Edit
/etc/selinux/config
to disable SELinux. Change theSELINUX=
entry to:SELINUX=disabled
- Clear yum caches.
yum clean all
- Update installed packages.
yum update
- Restart the operating system.
shutdown -r now
- Install dependencies.
yum install -y libevent libicu c-ares bind-utils java-1.8.0-openjdk-headless mailcap fontconfig ntpdate perl rsync xmlsec1 xmlsec1-openssl libxslt ntp zip net-tools policycoreutils-python libxml2 libcurl gnutls
- If you are using an external file share using GlusterFS, download the GlusterFS packages.
mkdir gfinstall cd gfsinstall curl -O https://repo.phantom.us/phantom/4.10/base/7/x86_64/glusterfs-7.5-1.el7.x86_64.rpm curl -O https://repo.phantom.us/phantom/4.10/base/7/x86_64/glusterfs-api-7.5-1.el7.x86_64.rpm curl -O https://repo.phantom.us/phantom/4.10/base/7/x86_64/glusterfs-cli-7.5-1.el7.x86_64.rpm curl -O https://repo.phantom.us/phantom/4.10/base/7/x86_64/glusterfs-client-xlators-7.5-1.el7.x86_64.rpm curl -O https://repo.phantom.us/phantom/4.10/base/7/x86_64/glusterfs-coreutils-0.2.0-1.el7.x86_64.rpm curl -O https://repo.phantom.us/phantom/4.10/base/7/x86_64/glusterfs-devel-7.5-1.el7.x86_64.rpm curl -O https://repo.phantom.us/phantom/4.10/base/7/x86_64/glusterfs-events-7.5-1.el7.x86_64.rpm curl -O https://repo.phantom.us/phantom/4.10/base/7/x86_64/glusterfs-fuse-7.5-1.el7.x86_64.rpm curl -O https://repo.phantom.us/phantom/4.10/base/7/x86_64/glusterfs-libs-7.5-1.el7.x86_64.rpm curl -O https://repo.phantom.us/phantom/4.10/base/7/x86_64/glusterfs-server-7.5-1.el7.x86_64.rpm
- If you are using an external file share using GlusterFS, install the GlusterFS packages.
yum install *.rpm
- Set firewall rules to allow the required ports listed in Splunk Phantom required ports.
- Synchronize the system clock.
ntpdate -v -u 0.centos.pool.ntp.org systemctl enable ntpd
- Create a file called
/etc/sysctl.d/50-phantom.conf
. Use this file to supply kernel settings required by Splunk Phantom.touch /etc/sysctl.d/50-phantom.conf - Edit the file /etc/sysctl.d/50-phantom.conf to add these settings.
# Turn off IP packet forwarding net.ipv4.ip_forward = 0 # Turn on source route verification net.ipv4.conf.default.rp_filter = 1 # Do not accept source routing net.ipv4.conf.default.accept_source_route = 0 # Controls the System Request debugging functionality # of the kernel kernel.sysrq = 0 # Do not send redirects (This system is not a router.) net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 # Do not accept IP source routing net.ipv4.conf.all.accept_source_route=0 # Do not accept redirects, secure or not net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0 # Log any unexpected packets net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1 # Filter ICMP broadcast or bogus ones net.ipv4.icmp_echo_ignore_broadcasts=1 net.ipv4.icmp_ignore_bogus_error_responses=1 # Enable reverse path checking net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1 net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0 net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0 net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 # Controls whether core dumps will append the # PID to the core filename. # Useful for debugging multi-threaded applications. ### If directed by Splunk Phantom Support, uncomment these lines, ### replace <username> with the user name that runs Splunk ### Phantom, then run "sysctl -p" to enable core files. # kernel.core_uses_pid = 1 # kernel.core_pattern = /home/<username>/phantom/.cores/core-%e-%s-%u-%g-%p-%t # fs.suid_dumpable = 2 # Controls the use of TCP SYN cookies net.ipv4.tcp_syncookies = 1 # Controls the default maximum size of a message queue kernel.msgmnb = 65536 # Controls the maximum size of a message, in bytes kernel.msgmax = 65536 # Controls the maximum shared segment size, in bytes kernel.shmmax = 68719476736 # Controls the maximum number of shared memory segments, in pages kernel.shmall = 4294967296
- Save the file.
- Apply the new kernel settings.
sysctl --system
Create the user account that will run Splunk Phantom
An unprivileged install of Splunk Phantom will run in the user space of a specific user.
When you create the user account that will run Splunk Phantom, do not use special characters other than a hyphen or underscore. A hyphen or underscore must not be the first character in the username. Other special characters are not supported.
- Create the user account that will be used to run Splunk Phantom.
adduser -c "Phantom User" <username> passwd <username>
- Create a directory for Splunk Phantom.
su - <username> -c "mkdir /home/<username>/<directory_name>"
- Create a file called
/etc/security/limits.d/25-phantom-limits.conf
. This file sets resource limits for the user that will run Splunk Phantom.touch /etc/security/limits.d/25-phantom-limits.conf - Edit the file /etc/security/limits.d/25-phantom-limits.conf to add these settings:
<username> hard nofile 64000 <username> soft nofile 64000 <username> hard nproc 64000 <username> soft nproc 64000
- Save the file.
- Apply the new security settings.
sysctl --system
Install Splunk Phantom from the tar file
- Log in as the user that will run Splunk Phantom. Do not perform these steps as the root user.
- Copy the installation tar file to the directory /home/<username>/<directory_name> created earlier.
- Verify your downloaded file's SHA256 hash against the SHA256 hash displayed on the Splunk Phantom Community site.
sha256sum phantom-<version>.tgz
- Extract the Splunk Phantom tar file. tar -xvzf phantom-<version>.tgz
- Run the installation script. Make sure to specify the ports for Splunk Phantom to use for HTTPS traffic. The HTTPS port cannot be a port which is already in use. This port must be a port greater than 1023. ./phantom_tar_install.sh install --https-port=<port>
For more installation command line options, see phantom_tar_install.sh options.
Next step: log in to verify the installation
You can log in to the Splunk Phantom web interface after the setup script completes to configure user accounts and additional settings. See Log in to the Splunk Phantom web interface.
Install Splunk Phantom on a system with limited internet access | Log in to the Splunk Phantom web interface |
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.10
Feedback submitted, thanks!