Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)

This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Convert a privileged deployment to an unprivileged deployment

During the upgrade of Splunk Phantom 4.10.7 to Splunk SOAR (On-premises) 5.0.1, it is possible to convert a privileged deployment to an unprivileged deployment.

Converting a privileged deployment to an unprivileged deployment can be done when moving from Splunk Phantom 4.10.7 to Splunk SOAR (On-premises) 5.0.1, and requires the assistance of Splunk Support.

Converting a privileged Splunk Phantom instance to an unprivileged instance cannot be undone. Make sure you wish to convert before running the upgrade.

In most cases, converting a privileged installation to an unprivileged one happens during an upgrade. See Upgrade a single unprivileged instance or Upgrade an unprivileged Cluster.

Changes to a privileged deployment when converting to an unprivileged deployment

Unprivileged instances of Splunk Phantom run as a user other than the root user.

  • New Splunk Phantom 4.10.7 OVA or AMI deployments run under the user account phantom.
  • Privileged deployments converted during upgrade run under the user account phantom.
  • Manually installed unprivileged deployments run under the user account specified during installation.

These changes are made to a deployment that is converted from privileged to unprivileged during an upgrade:

  • Uninstalls the RPM dependencies that are replaced with unprivileged versions:
    • pgbouncer
    • nginx
    • postgresql
    • git
  • Removes the Splunk Phantom RPM files from the RPM database. Existing files are not removed, only the RPM database entries.
  • Changes the owner of everything under <PHANTOM_HOME> to phantom:phantom.
  • Disables SELinux.
  • Installs the unprivileged versions of the dependencies:
    • pgbouncer
    • nginx
    • postgresql
    • git
  • Reconfigures auto-boot.
  • Modifies the logging configuration setting for all the Splunk Phantom daemons in the phantom database.
  • Removes the rsyslog configuration.
  • Updates the necessary configuration files, mostly to update logging paths.
  • Moves phantom logs from /var/log/phantom to <PHANTOM_HOME>/var/log/phantom.
  • Replaces the root shell with bash. Privileged installs normally use a setup shell provided by Splunk Phantom.
  • Ensures that the phantom user has a gecos/full name attribute set.
  • Configures a firewall port forward from the custom unprivileged HTTPS port to 443 (requires firewalld).

Manually converting a privileged deployment to an unprivileged deployment

Normally, a conversion from a privileged deployment to an unprivileged one is done during an upgrade. If you need to convert your deployment before upgrading, use this process together with Splunk SOAR's support team to convert your deployment manually.

Converting a privileged Splunk Phantom instance to an unprivileged Splunk SOAR instance cannot be undone. Make sure you wish to convert before running the upgrade.

If you want to manually convert a privileged deployment of Splunk Phantom 4.10.7 to an unprivileged Splunk SOAR (On-premises) 5.0.1 deployment, do the following:

  1. Contact Splunk Phantom Support to get access to the necessary installer tar file, and additional script files. Once access has been granted, you can download the file from the Splunk Phantom community website.
    The files you need are:
    • Official Unprivileged Tarball file
    • migrate_priv_to_nri.pyc
    • phantom_tar_install.sh
  2. Download the Official Unprivileged Tarball file for your operating system from the Splunk SOAR site.
  3. Make sure that firewalld is active and running. The migration script requires firewalld to be active so it can be configured.
    1. Check the status of firewalld.
      sudo systemctl status firewalld
      Example output from an active firewalld:
      ● firewalld.service - firewalld - dynamic firewall daemon
         Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
         Active: active (running) since Tue 2021-03-02 00:37:43 GMT; 2 months 3 days ago
    2. (Conditional) If firewalld is not active, enable it, then start it.
      sudo systemctl enable firewalld
      sudo systemctl start firewalld
  4. Copy the installation tar file to the directory where Splunk SOAR is installed. This is the PHANTOM_HOME directory. For a privileged deployment, this should be /opt/phantom/.
  5. Extract the installation tar file.
    tar -xvzf phantom-<version>.tgz
  6. Copy migrate_priv_to_nri.pyc into the <$PHANTOM_HOME>/bin directory, then copy phantom_tar_install.sh into the <$PHANTOM_HOME> directory, overwriting existing files.
  7. As the root user, run the migration script.
    phenv python migrate_priv_to_nri.pyc

If the script fails to complete the migration, an error message is displayed on stdout that contains the error encountered and the log file to consult for further troubleshooting.
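The following shell helpers are an added example, not code from the Splunk documentation or the migration script. They check the prerequisites of the manual procedure above (firewalld active, support-supplied files in place) and verify two of the results listed under "Changes to a privileged deployment" (ownership under PHANTOM_HOME, log location, firewalld forward from 443). PHANTOM_HOME defaulting to /opt/phantom and the phantom account come from the page; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Splunk documentation: checks around the manual
# privileged-to-unprivileged conversion. Paths, file names and the "phantom"
# account come from the procedure; PHANTOM_HOME defaults to /opt/phantom.

# Step 3: the migration script needs firewalld active. Pass the text of
# `systemctl status firewalld`; exit status is 0 when the unit is running.
firewalld_active() {
    printf '%s\n' "$1" | grep -q 'Active: active (running)'
}

# Step 6: confirm the support-supplied files are where the script expects them.
# Prints every missing path and returns 1 if any are absent.
preflight_files() {
    home=${1:-/opt/phantom}
    missing=0
    for f in "$home/bin/migrate_priv_to_nri.pyc" "$home/phantom_tar_install.sh"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f"
            missing=1
        fi
    done
    return $missing
}

# After conversion, everything under PHANTOM_HOME should be owned by
# phantom:phantom. Prints the number of paths that are not (0 is the goal).
count_wrong_owner() {
    home=${1:-/opt/phantom}; user=${2:-phantom}; group=${3:-phantom}
    find "$home" \( ! -user "$user" -o ! -group "$group" \) -print | wc -l | tr -d ' '
}

# After conversion, logs live under PHANTOM_HOME rather than /var/log, and the
# custom HTTPS port is reached through a firewalld forward from 443.
# Reports both; the firewall check runs only where firewall-cmd exists.
postcheck() {
    home=${1:-/opt/phantom}
    [ -d "$home/var/log/phantom" ] && echo "ok: logs under $home/var/log/phantom" \
        || echo "warn: $home/var/log/phantom not found"
    if command -v firewall-cmd >/dev/null 2>&1; then
        if firewall-cmd --list-forward-ports 2>/dev/null | grep -q '^port=443:proto=tcp:toport='; then
            echo "ok: firewalld forwards 443 to the unprivileged HTTPS port"
        else
            echo "warn: no firewalld forward from port 443 found"
        fi
    fi
}
```

On the host, run `firewalld_active "$(systemctl status firewalld)" && preflight_files` as root before step 7, and `count_wrong_owner` and `postcheck` once the script reports success.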

Last modified on 14 September, 2023

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.0.1

