General system requirements
Splunk SOAR (On-premises) requires certain minimum system requirements. Your environment must meet or exceed these requirements. This section details operating systems, web browsers, system storage, Linux file systems, and other requirements for operating Splunk SOAR (On-premises).
Supported operating systems
Splunk SOAR (On-premises) supports these operating systems and versions:
- Red Hat Enterprise Linux 8.0
- Red Hat Enterprise Linux 9.0
- Amazon Linux 2023
- Oracle Linux 8
- Oracle Linux 9
- Amazon Linux 2 (support for this operating system is deprecated)
You can use any minor release of a supported operating system. For example, you can use Red Hat Enterprise Linux 8.0 through 8.10.
Splunk SOAR (On-premises) cannot be installed inside of a Docker or Podman container.
Federal Information Processing Standard (FIPS) support
Splunk SOAR (On-premises) can be deployed in a FIPS compliant mode, if the operating system kernel is in FIPS mode.
- Your operating system, either RHEL or CentOS, must be in FIPS mode.
- You must create a new, unprivileged deployment of Splunk SOAR (On-premises), either as a single instance or as a cluster.
You can learn more about setting your operating system to use FIPS mode from the operating system vendor's websites:
- RHEL 8.x in the Red Hat Security Guide in Chapter 3.
- RHEL 9.x in the Red Hat Enterprise Linux 9 documentation, Chapter 2. Switching RHEL to FIPS mode.
- Amazon Linux 2 in the AWS Public Sector blog post Enabling FIPS mode in Amazon Linux 2.
- Amazon Linux 2023 in the Amazon Linux 2023 User Guide, in the topic Enable FIPS Mode on AL2023.
- Oracle Linux 8 FIPS 140-2 Compliance in Oracle Linux 8
- Oracle Linux 9 Installing and Configuring FIPS Mode
Supported browsers
Splunk SOAR (On-premises) requires a web browser that supports HTML 5, SVG graphics, and TLS.
Use the latest, fully patched version of one of the following browsers:
- Google Chrome
- Mozilla Firefox
- Microsoft Edge
- Apple Safari
Operating system accounts
On unprivileged deployments, only a single operating system user account, phantom, is created and used.
Supported file systems and required directories
Splunk SOAR (On-premises) supports any file system where the user account running the application can be given write permissions.
In a clustered environment, Splunk SOAR (On-premises) implements GlusterFS for its file shares. If your organization requires a different file system for your Splunk SOAR (On-premises) cluster, make sure that the user account running Splunk SOAR (On-premises) has write permissions to the required directories.
Required directories for an installation as an unprivileged user:
- <phantom_install_dir>/apps
- <phantom_install_dir>/local_data/app_states
- <phantom_install_dir>/scm
- <phantom_install_dir>/vault
- <phantom_install_dir>/tmp/shared
File permissions
Splunk SOAR (On-premises) is installed:
- On an unprivileged deployment, in the home directory of the user account that will run Splunk SOAR (On-premises), also called <$PHANTOM_HOME>.
The installer expects a umask of 0022 during installation. Applying a different umask may lead to unexpected behavior.
In general, you should not modify file permissions for Splunk SOAR (On-premises). Changing the file permissions can cause errors, or prevent Splunk SOAR (On-premises) from working.
You can check whether an access control list has been applied using the Linux getfacl command, clear any access control list that is incorrectly being applied using the setfacl -b command, or apply correct permissions to a file with the chmod command. If you have changed file permissions, you will need to restart Splunk SOAR (On-premises).
Directory | Permissions (symbolic) | Permissions (numeric) | Owner | Group | Notes |
---|---|---|---|---|---|
/opt/phantom | drwxr-xr-x | 755 | phantom | phantom | This is the default Splunk SOAR (On-premises) 'root' directory. On an unprivileged deployment, this is instead the home directory of the user account that runs Splunk SOAR (On-premises). Referred to as <$PHANTOM_HOME> in the documentation. |
/opt/phantom/apps | drwxrwxr-x | 775 | phantom | phantom | Required to allow the web-based UI to install apps. Apps installed by the web-based UI will be owned by nginx in the phantom group. |
/opt/phantom/local_data | drwxrwxr-x | 775 | phantom | phantom | |
/opt/phantom/local_data/app_states | drwxrwxr-x | 775 | phantom | phantom | |
/opt/phantom/scm | drwxrwx--- | 770 | phantom | phantom | Allows non-nginx users to have write access to playbooks. |
/opt/phantom/spool | drwxrwxr-x | 775 | phantom | phantom | Allows the nginx user of the phantom group to have access to create items, such as the uwsgi sub-directory. |
/opt/phantom/tmp | drwxrwx--- | 770 | phantom | phantom | Allows non-root users of the phantom group to have write access. |
/opt/phantom/vault | drwxrwxr-x | 775 | phantom | phantom | Allows non-phantom users of the phantom group, such as the nginx user, to have write access to add files to the vault, create reports, and so on. |
/opt/phantom/var/log | drwxr-xr-x | 755 | phantom | phantom | Allows the web-based UI and other tools to create and write log files for Splunk SOAR (On-premises) actions. You should not modify the permissions for this directory. If logs cannot be written, app installation or other actions may fail. |
/opt/phantom/var/log/phantom/app_install.log | -rw-rw-r-- | 664 | phantom | phantom | Allows the web-based UI to write to the app_install.log and other tools to read it. You should not modify the permissions for this file. If this log cannot be written to, the Splunk SOAR (On-premises) web-based UI displays the error message "internal server error." |
/opt/phantom/var/log/phantom/app_interface.log | -rw-rw---- | 660 | phantom | phantom | Contains logs from the app-interface module, REST handlers, and apps that provide custom views. |
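The following audit script is an added example, not Splunk's own tooling: it compares the numeric modes in the table above with what is on disk, flags the stray ACL case the text says to clear with setfacl -b, and checks the umask the installer expects. It assumes GNU stat and ls (Linux) and uses an assumed PHANTOM_HOME variable standing in for <$PHANTOM_HOME>, defaulting to /opt/phantom.

```shell
#!/bin/sh
# Added audit script (not part of Splunk SOAR). Assumes GNU stat/ls on Linux.
# PHANTOM_HOME is an assumed variable standing in for <$PHANTOM_HOME>.
PHANTOM_HOME="${PHANTOM_HOME:-/opt/phantom}"
# Documented numeric mode for a path relative to PHANTOM_HOME ("" if undocumented).
expected_mode() {
    case "$1" in
        .|var/log) echo 755 ;;
        apps|local_data|local_data/app_states|spool|vault) echo 775 ;;
        scm|tmp) echo 770 ;;
        var/log/phantom/app_install.log) echo 664 ;;
        var/log/phantom/app_interface.log) echo 660 ;;
        *) echo "" ;;
    esac
}
# The installer expects umask 0022; succeed only when the current umask matches.
check_umask() {
    case "$(umask)" in 022|0022) return 0 ;; *) return 1 ;; esac
}
# Prints one status line per path; returns 0 only when the mode matches the table
# and no ACL is attached ('+' in the 11th column of 'ls -ld' means an ACL is set).
check_mode() {
    path="$1"; want="$2"
    [ -e "$path" ] || { echo "MISSING  $path"; return 1; }
    have=$(stat -c '%a' "$path")
    if [ "$have" != "$want" ]; then
        echo "MISMATCH $path have=$have want=$want (fix: chmod $want '$path')"; return 1
    fi
    if [ "$(ls -ld "$path" | cut -c11)" = "+" ]; then
        echo "ACL      $path (inspect: getfacl '$path'; clear: setfacl -b '$path')"; return 1
    fi
    echo "OK       $path $have"
}
# Walks every documented path under a base directory; returns the number of problems.
audit_tree() {
    base="$1"; problems=0
    for rel in . apps local_data local_data/app_states scm spool tmp vault var/log \
               var/log/phantom/app_install.log var/log/phantom/app_interface.log; do
        check_mode "$base/$rel" "$(expected_mode "$rel")" || problems=$((problems + 1))
    done
    return "$problems"
}
if [ -d "$PHANTOM_HOME" ]; then
    check_umask || echo "WARNING: umask is $(umask); the installer expects 0022"
    audit_tree "$PHANTOM_HOME" || echo "Problems found; restart Splunk SOAR after fixing them."
fi
```

A non-zero exit from audit_tree is the number of paths that need attention, so the script can also gate a configuration-management run.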
This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.4.0