Convert a privileged deployment to an unprivileged deployment

From release 5.3.3 and higher of , you can convert an privileged deployment of Splunk SOAR (On-premises) to an unprivileged deployment.

Converting a privileged Splunk SOAR (On-premises) deployment to an unprivileged deployment cannot be undone. Make sure you are ready to convert before running the running the conversion tool.

Before you begin

There are a few steps to perform before you begin the conversion.

1. Make a full backup of your Splunk SOAR (On-premises) deployment. See Splunk SOAR (On-premises) backup and restore overview in Administer Splunk SOAR (On-premises.
2. Disable any warm standby. See Disable warm standby for Splunk SOAR (On-premises) in Administer Splunk SOAR (On-premises).
3. Disable any cron jobs or other automated processes that might try to make changes to your Splunk SOAR (On-premises) deployment during the conversion process.

Changes to a privileged deployment when converting to an unprivileged deployment

Unprivileged instances of run as a user other than the root user.

• New OVA or AMI deployments run under the user account phantom.
• Privileged deployments converted to unprivileged deployments run under the user account phantom.
• Manually installed unprivileged deployments run under the user account specified during installation.

These changes are made to a deployment which is converted from privileged to unprivileged.

• RPM dependencies that are replaced with unprivileged versions are uninstalled.
  • pgbouncer
  • nginx
  • postgresql
  • git
• Splunk SOAR (On-premises) RPM files are removed from the RPM database. Existing files are not removed, only the RPM database entries. This largely impacts deployments which were upgraded from Splunk Phantom.
• Change the owner of everything in the <PHANTOM_HOME> directory to the owner phantom:phantom.
• Disable SElinux
• Install the unprivileged versions of dependency items.
  • pgbouncer
  • nginx
  • postgresql
  • git
• Reconfigures auto-boot.
• Modifies logging config setting for all the Splunk SOAR daemons in the phantom database.
• Remove rsyslog configuration.
• Updates the necessary configuration files, mostly for updating logging paths.
• Moves Splunk SOAR (On-premises) logs from /var/log/phantom to <PHANTOM_HOME>/var/log/phantom.
• Ensures that the phantom user has a gecos/full name attribute set.
• Configure a firewall port forward from the custom unprivileged HTTPS port (default is 9999) to HTTPS port 443. This item requires firewalld to be running.

Manually converting a privileged deployment to an unprivileged deployment

After you have upgraded to the 5.3.3 or higher release of Splunk SOAR (On-premises), you can convert your privileged deployment to unprivileged one at any time. The tool works for single instances or clusters.

Converting a privileged Splunk SOAR (On-premises) deployment to an unprivileged deployment cannot be undone. Make sure you are ready to convert before running the running the conversion tool.

If you want to manually convert a privileged deployment of Splunk SOAR (On-premises) to an unprivileged one, do the following:

1. Make sure that firewalld is active and running. The migration script requires firewalld to be active so it can be configured.

   If firewalld is not running, the migration script can fail, and leave your deployment in an unusable state.

   If your deployment cannot use firewalld, see If you cannot use firewalld in your deployment.
   1. Check the status of firewalld.

      sudo systemctl status firewalld

      Example output from an active firewalld:

      ● firewalld.service - firewalld - dynamic firewall daemon
      Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
      
      Active: active (running) since Wed 2022-07-13 19:00:17 GMT; 1 weeks 1 days ago

   2. (Conditional) If firewalld is not active, enable it, then activate it.

      sudo systemctl enable firewalld

      sudo systemctl start firewalld

2. Change directory to /opt/phantom.

   cd /opt/phantom

3. Run the migration tool, and follow the prompts.

   phenv python migration/migrate.py

   The migrate.py tool supports two arguments:

   • Use --no-prompt or -y to run the tool without prompting the user for input.
   • Use --https-port or -p to specify your custom HTTPS port. If you do not specify port, 9999 is used.
4. (Optional) If you are converting a privileged Splunk SOAR (On-premises) cluster, stop Splunk SOAR on all nodes, then repeat the preceding steps for each cluster node.

   If you are converting a privileged cluster to an unprivileged one, you will need to configure your load balancer to listen for your custom HTTPS port. If you did not specify a port during the migration, the port 9999 is set for you.

If the script fails to complete the migration, an error message is displayed on stdout that will contain the error encountered and the log file to consult for further troubleshooting.

If you cannot use firewalld in your deployment

Some deployments cannot use firewalld. If this is the case for your organization, do these additional tasks to make Splunk SOAR (On-premises) available on port 8443:

1. Download an alternate version of the migrate.py script. File: alternate_5.3.5_migrate_py.zip
2. Extract the file, replacing the original migrate.py in /opt/phantom/migration/
3. Manually convert your Splunk SOAR (On-premises) release 5.3.5 deployment from privileged to unprivileged. As the root user:

   cd /opt/phantom
   /opt/phantom/bin/phenv python3 migration/migrate.py --no-prompt --https-port 8443

When you migrate this way, you must manually update all assets configured to use port 443 to use port 8443.