Convert a privileged deployment to an unprivileged deployment
As of Splunk Phantom 4.10.0, it is possible to convert a privileged deployment of Splunk Phantom to an unprivileged deployment. The conversion tool only works when converting the Splunk Phantom 4.9.39220 release to the Splunk Phantom 4.9.39220 or 4.10.0 release.
Converting a privileged Splunk Phantom instance to an unprivileged instance cannot be undone. Make sure you wish to convert before running the upgrade.
If you have already upgraded a privileged Splunk Phantom deployment to 4.10.0 or 4.10.1 or later, and wish to convert to an unprivileged deployment:
- Revert to Splunk Phantom version 4.9.39220.
- Convert to an unprivileged deployment as part of an upgrade to Splunk Phantom 4.10.0.
In most cases, converting a privileged installation to an unprivileged one happens during an upgrade. See Upgrade a single unprivileged Splunk Phantom instance or Upgrade an unprivileged Splunk Phantom Cluster.
Changes to a privileged deployment when converting to an unprivileged deployment
Unprivileged instances of Splunk Phantom run as a user other than the root user.
- New Splunk Phantom 4.10 OVA or AMI deployments run under the user account phantom.
- Privileged deployments converted during upgrade run under the user account phantom.
- Manually installed unprivileged deployments run under the user account specified during installation.
The conversion makes these changes to a deployment that is converted from privileged to unprivileged during an upgrade:
- Uninstalls the RPM dependencies that are replaced with unprivileged versions:
  - pgbouncer
  - nginx
  - postgresql
  - git
- Removes the Splunk Phantom RPM files from the RPM database. Existing files are not removed, only the RPM database entries.
- Changes the owner of everything under <PHANTOM_HOME> to phantom:phantom.
- Disables SELinux.
- Installs the unprivileged versions of the dependencies:
  - pgbouncer
  - nginx
  - postgresql
  - git
- Reconfigures auto-boot.
- Modifies the logging configuration setting for all the Splunk Phantom daemons in the phantom database.
- Removes the rsyslog configuration.
- Updates the necessary configuration files, mostly to update logging paths.
- Moves the phantom logs from /var/log/phantom to <PHANTOM_HOME>/var/log/phantom.
- Replaces the root shell with bash. Privileged installs normally use a setup shell provided by Splunk Phantom.
- Ensures that the phantom user has a gecos/full name attribute set.
- Configures a firewall port forward from the custom unprivileged HTTPS port to 443 (requires firewalld).
Manually converting a privileged deployment to an unprivileged deployment
Normally a conversion from a privileged deployment to an unprivileged one is done during an upgrade. If you need to convert your deployment prior to upgrading, you can use this process, in conjunction with Splunk Phantom's support team, to manually convert your deployment.
Converting a privileged Splunk Phantom instance to an unprivileged instance cannot be undone. Make sure you wish to convert before running the upgrade.
If you want to manually convert a privileged deployment of Splunk Phantom 4.9.39220 to an unprivileged Splunk Phantom 4.9.39220 deployment, do the following:
- Contact Splunk Phantom Support to get access to the correct installer tar file. Once access has been granted, you can download the file from the Splunk Phantom community website.
- Download the Official Unprivileged Tarball file for your operating system from the Splunk Phantom community website Product Downloads page.
- Make sure that firewalld is active and running. The migration script requires firewalld to be active so it can be configured.
- Check the status of firewalld. Example output from an active firewalld:
  sudo systemctl status firewalld
  ● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2021-03-02 00:37:43 GMT; 2 months 3 days ago
- (Conditional) If firewalld is not active, enable it, then activate it.
  sudo systemctl enable firewalld
  sudo systemctl start firewalld
- Check the status of firewalld again to confirm it is active.
- Copy the installation tar file to the directory where Splunk Phantom is installed. This is the PHANTOM_HOME directory. For a privileged deployment, this should be /opt/phantom/.
- Extract the installation tar file.
tar -xvzf phantom-<version>.tgz
- As the root user, run the migration script.
phenv python migrate_priv_to_nri.pyc
If the script fails to complete the migration, an error message is displayed on stdout that contains the error encountered and the log file to consult for further troubleshooting.
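Once the migration script (or the conversion performed during an upgrade) has finished, the checklist below turns the changes listed under "Changes to a privileged deployment when converting to an unprivileged deployment" into checks an operator can run. It is an added example, not a Splunk Phantom tool, and assumes PHANTOM_HOME is /opt/phantom unless overridden, that the service account is phantom, that the custom unprivileged HTTPS port is passed as the first argument, and that firewall-cmd lists forwards in its usual "port=<p>:proto=tcp:toport=<p>:toaddr=" form.

```shell
#!/bin/sh
# Post-conversion checklist (added example; not Splunk Phantom tooling).
# Assumptions: PHANTOM_HOME defaults to /opt/phantom, the service account is
# "phantom", and the custom unprivileged HTTPS port is passed as $1.

PHANTOM_HOME="${PHANTOM_HOME:-/opt/phantom}"
PHANTOM_USER="${PHANTOM_USER:-phantom}"

# Print how many entries under directory $1 are not owned by uid $2.
# The conversion chowns all of PHANTOM_HOME to phantom:phantom, so anything
# still owned by root indicates an incomplete conversion.
count_foreign_owned() {
    find "$1" ! -uid "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Succeed when the log tree now lives at $1/var/log/phantom.
logs_relocated() {
    [ -d "$1/var/log/phantom" ]
}

# Succeed when SELinux reports Disabled, or the host has no SELinux tooling.
selinux_disabled() {
    command -v getenforce >/dev/null 2>&1 || return 0
    [ "$(getenforce)" = "Disabled" ]
}

# Succeed when firewalld forwards TCP port $1 to 443 in the default zone.
# Assumed listing format: "port=<p>:proto=tcp:toport=443:toaddr=".
port_forward_present() {
    firewall-cmd --list-forward-ports 2>/dev/null | grep -q "^port=$1:proto=tcp:toport=443"
}

# Run every check, print one line per failure, return the failure count.
run_checks() {
    port="$1"; failures=0
    uid="$(id -u "$PHANTOM_USER")" || { echo "FAIL: user $PHANTOM_USER missing"; return 1; }
    foreign="$(count_foreign_owned "$PHANTOM_HOME" "$uid")"
    [ "$foreign" = "0" ] || { echo "FAIL: $foreign entries not owned by $PHANTOM_USER"; failures=$((failures+1)); }
    logs_relocated "$PHANTOM_HOME" || { echo "FAIL: $PHANTOM_HOME/var/log/phantom missing"; failures=$((failures+1)); }
    selinux_disabled || { echo "FAIL: SELinux is not disabled"; failures=$((failures+1)); }
    port_forward_present "$port" || { echo "FAIL: no forward from $port to 443"; failures=$((failures+1)); }
    [ "$failures" -eq 0 ] && echo "OK: all conversion checks passed"
    return "$failures"
}

# Usage: sh verify_nri.sh <unprivileged_https_port>
if [ -n "$1" ]; then run_checks "$1"; fi
```

Run it as root on the converted host; a non-zero exit code equals the number of checks that failed, and each failure line names the change from the list above that did not take effect.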
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.10