Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Convert a privileged deployment to an unprivileged deployment

From release 5.3.3 and higher of , you can convert an privileged deployment of Splunk SOAR (On-premises) to an unprivileged deployment.

When you upgrade to release 5.4.0 of the installer automatically converts any privileged deployment of Splunk SOAR (On-premises) to an unprivileged deployment.

Converting a privileged Splunk SOAR (On-premises) deployment to an unprivileged deployment cannot be undone. Make sure you are ready to convert before running the running the conversion tool or upgrading to release 5.4.0.

Before you begin

There are a few steps to perform before you begin the conversion.

  1. Make a full backup of your Splunk SOAR (On-premises) deployment. See Splunk SOAR (On-premises) backup and restore overview in Administer Splunk SOAR (On-premises.
  2. Disable any warm standby. See Disable warm standby for Splunk SOAR (On-premises) in Administer Splunk SOAR (On-premises.
  3. Disable any cron jobs or other automated processes that might try to make changes to your Splunk SOAR (On-premises) deployment during the conversion process.

Changes to a privileged deployment when converting to an unprivileged deployment

Unprivileged instances of run as a user other than the root user.

  • New OVA or AMI deployments run under the user account phantom.
  • Privileged deployments converted to unprivileged deployments run under the user account phantom.
  • Manually installed unprivileged deployments run under the user account specified during installation.

These changes are made to a deployment which is converted from privileged to unprivileged.

  • RPM dependencies that are replaced with unprivileged versions are uninstalled.
    • pgbouncer
    • nginx
    • postgresql
    • git
  • Splunk SOAR (On-premises) RPM files are removed from the RPM database. Existing files are not removed, only the RPM database entries. This largely impacts deployments which were upgraded from Splunk Phantom.
  • Change the owner of everything in the <PHANTOM_HOME> directory to the owner phantom:phantom.
  • Disable SElinux
  • Install the unprivileged versions of dependency items.
    • pgbouncer
    • nginx
    • postgresql
    • git
  • Reconfigures auto-boot.
  • Modifies logging config setting for all the Splunk SOAR daemons in the phantom database.
  • Remove rsyslog configuration.
  • Updates the necessary configuration files, mostly for updating logging paths.
  • Moves Splunk SOAR (On-premises) logs from /var/log/phantom to <PHANTOM_HOME>/var/log/phantom.
  • Ensures that the phantom user has a gecos/full name attribute set.
  • Configure a firewall port forward from the custom unprivileged HTTPS port (default is 8443) to HTTPS port 443. This item requires firewalld to be running.

Manually converting a privileged deployment to an unprivileged deployment

Once you have upgraded to the 5.3.3 release of Splunk SOAR (On-premises), you can convert your privileged deployment to unprivileged one at any time. The tool works for single instances or clusters.

Converting a privileged Splunk SOAR (On-premises) deployment to an unprivileged deployment cannot be undone. Make sure you are ready to convert before running the running the conversion tool.

If you want to manually convert a privileged deployment of Splunk SOAR (On-premises) to an unprivileged one, do the following:

  1. Make sure that firewalld is active and running. The migration script requires firewalld to be active so it can be configured.
    1. Check the status of firewalld.
      sudo systemctl status firewalld
      Example output from an active firewalld:
      ● firewalld.service - firewalld - dynamic firewall daemon
      

      Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)

      Active: active (running) since Wed 2022-07-13 19:00:17 GMT; 1 weeks 1 days ago
    2. (Conditional) If firewalld is not active, enable it, then activate it.
      sudo systemctl enable firewalld
      sudo systemctl start firewalld
  2. Change directory to /opt/phantom.
    cd /opt/phantom
  3. Run the migration tool, and follow the prompts.
    phenv python migration/migrate.py

    The migrate.py tool supports two arguments:

    • Use --no-prompt or -y to run the tool without prompting the user for input.
    • Use --https-port or -p to specify your custom HTTPS port. If you do not specify port, 8443 is used.
  4. (Optional) If you are converting a privileged Splunk SOAR (On-premises) cluster, stop Splunk SOAR on all nodes, then repeat the preceeding steps for each cluster node.

    If you are converting a privileged cluster to an unprivileged one, you will need to configure your load balancer to listen for your custom HTTPS port. If you did not specify a port during the migration, the port 8443 is set for you.

If the script fails to complete the migration, an error message is displayed on stdout that will contain the error encountered and the log file to consult for further troubleshooting.

Last modified on 02 October, 2023
Prepare your Splunk SOAR (On-premises) deployment for upgrade   Upgrade a Splunk SOAR (On-premises) instance

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.5.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters