After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Install as an unprivileged user
TAR file distributions of are available for installations where runs as an unprivileged user.
As of version 5.3.0, RPM files are no longer available for Splunk SOAR (On-premises) installations. Follow the updated instructions for privileged and unprivileged installations. Unique tarballs are available for privileged and unprivileged installations.
If you install a stand-alone instance as an unprivileged user, underlying services such as the PostgreSQL database are installed in the user space for that user.
Prerequisites
The following operating systems are supported.
- Red Hat Enterprise Linux 7.6 through 7.9.
- CentOS 7.6 through 7.9.
Federal Information Processing Standard (FIPS) support
can be deployed in a FIPS compliant mode, if the operating system kernel is in FIPS mode.
- Your operating system, either RHEL or CentOS must be in FIPS mode.
- You must create a new, unprivileged deployment of , either as a single instance or as a cluster.
To determine whether your operating system kernel is in FIPS mode, run the following command.
If that command returns a 1, the kernel is in FIPS mode. If that command returns a 0, the kernel is not in FIPS mode.
Information about setting up RHEL 7.x or CentOS 7.x in Federal Information Processing Standard (FIPS) mode can be found in the Red Hat Security Guide in Chapter 9.
Install from the TAR file
- On the machine where you want to install Splunk SOAR (On-premises), make sure the operating system is updated.sudo yum clean allsudo yum update
- If the machine where you want to install Splunk SOAR (On-premises) required kernel updates, reboot the system before continuing with the installation.
- Download the unprivileged installer from the web site.
- If you downloaded the installer onto a local machine and need to copy it to the machine where you want to install Splunk SOAR (On-premises), you can use the following command. scp -r ./splunk_soar-unpriv-<version>.tgz <user>@<installation_address>
- Log in as a user with root privileges to the machine where you want to install Splunk SOAR (On-premises).
- Extract the TAR file. tar -xzvf ./splunk_soar-unpriv-<version>.tgz
- To prepare the system for the unprivileged installation, run a pre-install script using the following command:
./soar-prepare-system --splunk-soar-home <home_directory> --https-port <port_number>
. The arguments for the command are optional. If left undefined, the --splunk-soar-home argument defaults to the directory that contains the installation script and specifies the home directory for . That directory must exist and the user meant to run the installation must own that directory. The --https-port argument defaults to port 8443. When you run the pre-install script, it prompts you to configure the system.If a configuration requirements is already satisfied in your system, that prompt might not appear.
Install pre-requisite RPM packages required by Splunk SOAR (Y/n):
If prompted, you must answer Y to proceed.GlusterFS is only needed if you are using an external file share. This is common if you're constructing a Splunk SOAR cluster. Do you want to run this step? (Y/n):
You only need to answer Y if you are setting up certain cluster configurations of Splunk SOAR (On-premises), but you can answer Y even on individual instances.Enable the chronyd service to guarantee clock synchronization. Do you want to run this step? (Y/n):
Answer Y.Create a non-privileged user for running Splunk SOAR (On-premises). (Y/n):
If prompted, you must answer Y to proceed.Do you want to set a password for <non-privileged_user> now? (Y/n):
Answer Y if you created a non-privileged user for running Splunk SOAR (On-premises) in the previous step.Set system resource limits for Splunk SOAR user, particularly file descriptor limits, which are low by default. (Y/n):
Answer Y.- If the --splunk-soar-home location differs from the location where you extracted the TAR file, follow these steps to move it to the --splunk-soar-home location and then extract it there:
- Copy the TAR file to the --splunk-soar-home location. sudo cp ./splunk_soar-unpriv-<version>.tgz <home_directory>
- Go to the --splunk-soar-home location. cd <home_directory>
- Log in as the user meant to own the installation.
- Extract the TAR file. tar -xzvf ./splunk_soar-unpriv-<version>.tgz
- Ensure you are logged in as the user meant to own the installation. Do not perform the installation command as the root user.
- Run the soar-install installation script with the same arguments you included in the soar-prepare-system script.
Use the--splunk-soar-home
argument to specify the directory where will be installed. That directory must exist and must be owned by the user account that will run .
As an example,--splunk-soar-home /opt/soar
installs to the directory /opt/soar../soar-install --splunk-soar-home <home_directory> --https-port <port_number> - The soar-install installation script displays the installation and path and HTTPS port number, then asks
Do you want to proceed? (y/N)
. If the path and port are correct, answer y. - The soar-install installation script displays the installation and path and HTTPS port number, then asks
Do you want to proceed? (y/N)
. If the path and port are correct, answer y.
- The --https-port argument specifies what port webserver uses to expose the web user interface. If you ran the soar-prepare-system script to forward inbound traffic to port 443, the user interface is visible there, too.
Run the sudo ./soar-prepare-system --help
and sudo ./soar-install --help
commands to see what optional arguments are available.
Install as a privileged user | Log in to the web interface |
This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.5
Feedback submitted, thanks!