After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Install as an unprivileged user
TAR file distributions of Splunk SOAR (On-premises) are available for installing as an unprivileged user.
All services such as the PostgreSQL database are installed in the user space for the user account that runs Splunk SOAR (On-premises).
Prerequisites
Make sure that your system is running one of the supported operating systems.
- Red Hat Enterprise Linux 7.6 through 7.9
- Red Hat Enterprise Linux 8.0 and any of the minor versions of 8
- CentOS 7.6 through 7.9
- Amazon Linux 2
- Amazon Linux 2 users should use the Splunk SOAR On-premises Unprivileged CentOS/RHEL 7 installer package. See Get Splunk SOAR (On-premises).
Check and set each of these items before installing:
- The mirror for GlusterFS packages has moved, changing the URL Splunk SOAR (On-premises) uses to download those packages. You will need to update the file install_common.py before you can build or upgrade a clustered deployment, or use a GlusterFS external fileshare.
  - With a text editor, open install_common.py. On or around line 208, modify the GLUSTER_RPM_SOURCE_BASE_URL_EL8 declaration: change the word "mirror" in the URL to the word "vault."
    GLUSTER_RPM_SOURCE_BASE_URL_EL8 = ("https://vault.centos.org/centos/8-stream/storage/x86_64/gluster-9/Packages/")
- Make sure the firewalld daemon is running. Additionally, review required ports and endpoints. See Splunk SOAR (On-premises) ports and endpoints.
    sudo systemctl status firewalld
  Output from a running daemon looks like this:
    ● firewalld.service - firewalld - dynamic firewall daemon
       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
       Active: active (running) since Tue 2023-01-10 19:06:30 GMT; 1 months 0 days ago
         Docs: man:firewalld(1)
     Main PID: 967 (firewalld)
       CGroup: /system.slice/firewalld.service
               └─967 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
- If the firewalld daemon is not running, or not installed, install firewalld and start it.
  - Install firewalld:
    sudo yum install firewalld
  - Start firewalld:
    sudo systemctl start firewalld
  - Set firewalld to run whenever the system starts:
    sudo systemctl enable firewalld
- (Conditional) Set some basic firewall rules so that you can access the system during the install and for maintenance. You may need to implement other rules to comply with your organization's security policies.
    sudo firewall-cmd --permanent --zone public --add-port 22/tcp
    sudo firewall-cmd --permanent --zone public --add-port 2222/tcp
    sudo firewall-cmd --reload
- If you are installing on Amazon Linux 2, install libxcrypt-compat.
Federal Information Processing Standard (FIPS) support
Splunk SOAR (On-premises) can be deployed in a FIPS compliant mode if the operating system kernel is in FIPS mode.
- Your operating system, either RHEL or CentOS, must be in FIPS mode.
- You must create a new, unprivileged deployment of Splunk SOAR (On-premises), either as a single instance or as a cluster.
To determine whether your operating system kernel is in FIPS mode, run the following command.
If that command returns a 1, the kernel is in FIPS mode. If that command returns a 0, the kernel is not in FIPS mode.
You can learn more about setting your operating system to use FIPS mode from the operating system vendor's websites:
- RHEL 7.x or CentOS 7.x in the Red Hat Security Guide in Chapter 9.
- RHEL 8.x in the Red Hat Security Guide in Chapter 3.
- Amazon Linux 2 in the AWS Public Sector blog post Enabling FIPS mode in Amazon Linux 2.
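As an added example (not part of the Splunk documentation or the installer package), the following POSIX shell script checks the prerequisites above on the host before you run the installer: that /etc/system-release names one of the supported operating systems, whether the kernel FIPS flag in /proc/sys/crypto/fips_enabled is set, that firewalld is active, and that the ports you intend to use are open in the public zone. The function names, the use of /etc/system-release rather than /etc/os-release (CentOS 7's os-release carries no minor version), and the release strings in the comments are my assumptions; the pure checks take their input as arguments so they can be exercised against constructed values.

```shell
#!/bin/sh
# Added example, not part of the Splunk SOAR (On-premises) installer.
# Pre-install checks for the prerequisites on this page. Inputs are passed as
# arguments so the pure checks can be exercised against constructed values.

# os_supported RELEASE: 0 if RELEASE (the text of /etc/system-release) names
# RHEL 7.6-7.9, any RHEL 8 minor, CentOS 7.6-7.9, or Amazon Linux 2.
# Assumed formats: "Red Hat Enterprise Linux Server release 7.9 (Maipo)",
# "CentOS Linux release 7.9.2009 (Core)", "Amazon Linux release 2 (Karoo)".
os_supported() {
    case "$1" in
        "Red Hat Enterprise Linux"*" release 7."[6-9]*) return 0 ;;
        "Red Hat Enterprise Linux"*" release 8"*)       return 0 ;;
        "CentOS Linux release 7."[6-9]*)                return 0 ;;
        "Amazon Linux release 2 "*)                     return 0 ;;
    esac
    return 1
}

# fips_mode FILE: 0 if the kernel FIPS flag (normally /proc/sys/crypto/fips_enabled) reads 1
fips_mode() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# port_listed "PORTS" PORT/PROTO: 0 if PORT/PROTO appears in the space-separated
# output of 'firewall-cmd --zone public --list-ports'
port_listed() {
    for p in $1; do
        [ "$p" = "$2" ] && return 0
    done
    return 1
}

# firewalld_active: 0 if the daemon is running (live system only)
firewalld_active() {
    systemctl is-active --quiet firewalld
}

# preflight [HTTPS_PORT]: run all checks on the current host; return 1 on a hard failure.
preflight() {
    https_port="${1:-8443}"
    rel=$(cat /etc/system-release 2>/dev/null || true)
    os_supported "$rel" || { echo "unsupported OS: '$rel'" >&2; return 1; }
    if fips_mode /proc/sys/crypto/fips_enabled; then
        echo "kernel FIPS mode: on"
    else
        echo "kernel FIPS mode: off (only required for a FIPS deployment)"
    fi
    firewalld_active || { echo "firewalld is not running" >&2; return 1; }
    ports=$(sudo firewall-cmd --zone public --list-ports)
    # 22 and 2222 are the ports this page opens; the HTTPS port is the one you will pass to the installer
    for need in 22/tcp 2222/tcp "$https_port/tcp"; do
        port_listed "$ports" "$need" || echo "warning: $need is not open in zone public" >&2
    done
    echo "preflight OK for --https-port $https_port"
}

# Run the live checks only when invoked with --run; sourcing the file just defines the functions.
case "${1:-}" in
    --run) preflight "${2:-}" ;;
esac
```

Run it as `sh preflight.sh --run 8443` on the target host before soar-prepare-system. A missing port only warns, because the web port can be opened later; an unsupported OS or a stopped firewalld is a hard failure since the unprivileged installer's --port-forward option depends on firewalld.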
Install from the TAR file
Install in a two stage process: prepare the system for installation, then install Splunk SOAR (On-premises).
Prepare the system for installation
- On the machine where you want to install Splunk SOAR (On-premises), make sure the operating system is updated.
    sudo yum clean all
    sudo yum update
- If the machine where you want to install Splunk SOAR (On-premises) required kernel updates, reboot the system before continuing with the installation.
- Download the unprivileged installer from the Splunk SOAR Free Trial page.
- If you downloaded the installer onto a local machine and need to copy it to the machine where you want to install Splunk SOAR (On-premises), you can use the following command. The trailing colon is required; without it, scp writes a local file named <user>@<installation_address> instead of copying to the remote host.
    scp -r ./splunk_soar-unpriv-<version>.tgz <user>@<installation_address>:
- Log in as a user with root privileges to the machine where you want to install Splunk SOAR (On-premises).
- Extract the TAR file.
    tar -xzvf ./splunk_soar-unpriv-<version>.tgz
- Use the following command to prepare the system for the unprivileged installation:
    ./soar-prepare-system --splunk-soar-home <home_directory> --https-port <port_number>
  When you run the pre-install script, it prompts you to configure the system. All arguments for the script are optional. Run ./soar-prepare-system --help to see all the available arguments.
  - The --splunk-soar-home argument specifies the home directory for Splunk SOAR (On-premises). That directory must exist and the user meant to run the installation must own that directory. If the --splunk-soar-home argument is not specified, the installation defaults to the directory where the installation package was extracted.
  - The --https-port argument exposes the web interface on the specified port, which must be a port between 1024 and 65535. It defaults to port 8443. The firewalld daemon must be running.
  - The --port-forward argument exposes the Splunk SOAR (On-premises) web interface on port 443 in addition to the port specified with --https-port. Do not use the --port-forward argument if you are not using firewalld or if you are building a Splunk SOAR (On-premises) cluster.
- Answer each of the presented prompts. If a configuration requirement is already satisfied on your system, the prompt for that requirement might not appear.
    Install pre-requisite RPM packages required by Splunk SOAR (Y/n):
  If prompted, you must answer Y to proceed.
    GlusterFS is only needed if you are using an external file share. This is common if you're constructing a Splunk SOAR cluster. Do you want to run this step? (Y/n):
  You only need to answer Y if you are setting up certain cluster configurations of Splunk SOAR (On-premises), but you can answer Y even on individual instances.
    Enable the chronyd service to guarantee clock synchronization. Do you want to run this step? (Y/n):
  Answer Y.
    Create a non-privileged user for running Splunk SOAR (On-premises). (Y/n):
  If prompted, you must answer Y to proceed.
    Do you want to set a password for <non-privileged_user> now? (Y/n):
  Answer Y if you created a non-privileged user for running Splunk SOAR (On-premises) in the previous step.
    Set system resource limits for Splunk SOAR user, particularly file descriptor limits, which are low by default. (Y/n):
  Answer Y.
Install
Make sure you are logged in as the user meant to own the installation. Do not perform the installation command as the root user.
- Run the soar-install installation script with the same arguments you included in the soar-prepare-system script.
    ./soar-install --splunk-soar-home <home_directory> --https-port <port_number>
  - The --splunk-soar-home argument specifies the directory where Splunk SOAR (On-premises) will be installed. That directory must exist and must be owned by the user account that will run Splunk SOAR (On-premises). As an example, --splunk-soar-home /opt/soar installs to the directory /opt/soar.
  - The --https-port argument specifies what port the Splunk SOAR (On-premises) web server uses to expose the web user interface.
- The soar-install installation script displays the installation path and HTTPS port number, then asks Do you want to proceed? (y/N). If the path and port are correct, answer y.
Run the sudo ./soar-prepare-system --help and sudo ./soar-install --help commands to see what optional arguments are available.
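For the install stage, here is an added wrapper (my code, not Splunk's) around ./soar-install that enforces the conditions this page states before calling it: the caller is not root, the --splunk-soar-home directory exists and is owned by the calling user, and --https-port is an integer in 1024-65535. It also carries the install_common.py edit from the prerequisites as a sed rewrite of the GLUSTER_RPM_SOURCE_BASE_URL_EL8 line, so you can apply it to an extracted package before running soar-prepare-system. The function names, the .bak backup naming, the script name in the usage comment, and the assumption that the original URL host is mirror.centos.org are mine.

```shell
#!/bin/sh
# Added example, not part of the Splunk SOAR (On-premises) installer: guard
# ./soar-install with the checks this page states, plus the GlusterFS mirror
# edit to install_common.py. Function names and messages are assumptions.

# patch_gluster_url FILE: on the GLUSTER_RPM_SOURCE_BASE_URL_EL8 line only, replace
# the host mirror.centos.org with vault.centos.org. Keeps FILE.bak as the original.
patch_gluster_url() {
    cp "$1" "$1.bak" || return 1
    sed '/GLUSTER_RPM_SOURCE_BASE_URL_EL8/ s#//mirror\.centos\.org/#//vault.centos.org/#' "$1.bak" > "$1"
}

# valid_port N: 0 if N is an integer in the range the installer accepts (1024-65535)
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# owned_by_me DIR: 0 if DIR exists and is owned by the effective user
# (the page requires the install directory to be owned by the user who runs the install)
owned_by_me() {
    [ -d "$1" ] && [ -O "$1" ]
}

# run_install HOME [PORT]: refuse root, validate arguments, then call ./soar-install
run_install() {
    home="$1"; port="${2:-8443}"
    if [ "$(id -u)" -eq 0 ]; then
        echo "run soar-install as the unprivileged SOAR user, not as root" >&2
        return 1
    fi
    owned_by_me "$home" || { echo "$home must exist and be owned by uid $(id -u)" >&2; return 1; }
    valid_port "$port" || { echo "--https-port must be 1024-65535, got '$port'" >&2; return 1; }
    ./soar-install --splunk-soar-home "$home" --https-port "$port"
}

# Usage (script name assumed):
#   ./soar-guard.sh --patch [install_common.py]          # as root, before soar-prepare-system
#   ./soar-guard.sh --install <home_directory> [<port>]  # as the SOAR user
case "${1:-}" in
    --patch)   patch_gluster_url "${2:-install_common.py}" ;;
    --install) run_install "${2:-}" "${3:-}" ;;
esac
```

The ownership check uses the shell's -O test against the effective uid rather than comparing user names, so it still works on hosts where the SOAR user has no passwd entry yet at the time you run it. The sed address restricts the rewrite to the GLUSTER_RPM_SOURCE_BASE_URL_EL8 line, so any other mirror.centos.org reference in install_common.py is left alone.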
See Splunk SOAR (On-premises) default credentials, script options, and sample configuration files.
This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.1.1