Splunk® Phantom (Legacy)

Install and Upgrade Splunk Phantom

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® Phantom (Legacy). For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Convert a privileged deployment to an unprivileged deployment

As of Splunk Phantom 4.10.0, it is possible to convert an privileged deployment of Splunk Phantom to an unprivileged deployment. The tool to do the conversion only works for converting the Splunk Phantom 4.9.39220 release to the Splunk Phantom 4.9.39220 or 4.10.0 release.

Converting a privileged Splunk Phantom instance to an unprivileged instance cannot be undone. Make sure you wish to convert before running the upgrade.

If you have already upgraded a privileged Splunk Phantom deployment to 4.10.0 or 4.10.1 or later, and wish to convert to an unprivileged deployment:

  1. Revert to Splunk Phantom version 4.9.39220.
  2. Convert to an unprivileged deployment as part of an upgrade to Splunk Phantom 4.10.0.

In most cases, converting a privileged installation to an unprivileged happens during an upgrade, see Upgrade a single unprivileged Splunk Phantom instance or Upgrade an unprivileged Splunk Phantom Cluster.

Changes to a privileged deployment when converting to an unprivileged deployment

Unprivileged instances of Splunk Phantom run as a user other than the root user.

  • New Splunk Phantom 4.10 OVA or AMI deployments run under the user account phantom.
  • Privileged deployments converted during upgrade run under the user account phantom.
  • Manually installed unprivileged deployments run under the user account specified during installation.

These changes are made to a deployment which is converted from privileged to unprivileged during an upgrade.

  • RPM dependencies that are replaced with unprivileged versions are uninstalled.
    • pgbouncer
    • nginx
    • postgresql
    • git
  • Splunk Phantom RPM files are removed from the RPM database. Existing files are not removed, only the RPM database entries.
  • Change the owner of everything under <PHANTOM_HOME> to the owner phantom:phantom.
  • Disable SElinux
  • Install the unprivileged versions of dependency items.
    • pgbouncer
    • nginx
    • postgresql
    • git
  • Reconfigures auto-boot.
  • Modifies logging config setting for all the Splunk Phantom daemons in the phantom database.
  • Remove rsyslog configuration.
  • Updates the necessary configuration files, mostly for updating logging paths.
  • Moves phantom logs from /var/log/phantom to <PHANTOM_HOME>/var/log/phantom
  • Replaces the root shell with bash. Privileged installs normally use a setup shell provided by Splunk Phantom.
  • Ensures that the phantom user has a gecos/full name attribute set.
  • Configure a firewall port forward from the custom unprivileged HTTPS port to 443 (requires firewalld).

Manually converting a privileged deployment to an unprivileged deployment

Normally a conversion from a privileged deployment to an unprivileged one is done during an upgrade. If you need to convert your deployment prior to upgrading, you can use this process, in conjunction with Splunk Phantom's support team to manually convert your deployment.

Converting a privileged Splunk Phantom instance to an unprivileged instance cannot be undone. Make sure you wish to convert before running the upgrade.

If you want to manually convert a privileged deployment of Splunk Phantom 4.9.39220 to an unprivileged Splunk Phantom 4.9.39220 deployment do the following:

  1. Contact Splunk Phantom Support to get access to the correct installer tar file. Once access has been granted, you can download the file from the Splunk Phantom community website.
  2. Download the Official Unprivileged Tarball file for your operating system from the Splunk Phantom community website Product Downloads page.
  3. Make sure that firewalld is active and running. The migration script requires firewalld to be active so it can be configured.
    1. Check the status of firewalld. 
      sudo systemctl status firewalld
      Example output from an active firewalld:
      ● firewalld.service - firewalld - dynamic firewall daemon

      Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)

      
Active: active (running) since Tue 2021-03-02 00:37:43 GMT; 2 months 3 days ago
    2. (Conditional) If firewalld is not active, enable it, then activate it. 
      sudo systemctl enable firewalld
      sudo systemctl start firewalld
  4. Copy the installation tar file to the directory where Splunk Phantom is installed. This is the PHANTOM_HOME​ directory. For a privileged deployment, this should be /opt/phantom/.
  5. Extract the installation tar file. 
    tar -xvzf phantom-<version>.tgz
  6. As the root user, run the migration script. 
    phenv python migrate_priv_to_nri.pyc

If the script fails to complete the migration, an error message is displayed on stdout that will contain a the error encountered and the log file to consult for further troubleshooting.

Last modified on 04 May, 2021
PREVIOUS
Splunk Phantom repositories and signing keys packages 		  NEXT
Upgrade a single Splunk Phantom instance

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.10

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters