Convert a privileged Splunk SOAR (On-premises) deployment to an unprivileged deployment

From release 5.3.5 of , you can convert a privileged deployment of Splunk SOAR (On-premises) to an unprivileged deployment.

Converting a privileged Splunk SOAR (On-premises) deployment to an unprivileged deployment cannot be undone. Make sure you are ready to convert before running the running the conversion tool.

Before you begin

There are a few steps to perform before you begin the conversion.

1. Make a full backup of your Splunk SOAR (On-premises) deployment. See Splunk SOAR (On-premises) backup and restore overview in Administer Splunk SOAR (On-premises.
2. Disable any warm standby. See Disable warm standby for Splunk SOAR (On-premises) in Administer Splunk SOAR (On-premises).
3. Disable any cron jobs or other automated processes that might try to make changes to your Splunk SOAR (On-premises) deployment during the conversion process.

Changes to a privileged deployment when converting to an unprivileged deployment

Unprivileged instances of run as a user other than the root user.

• New unprivileged deployments run under the user account phantom, or under the user account specified during installation.
• Privileged deployments converted to unprivileged deployments run under the user account phantom.

These changes are made to a deployment which is converted from privileged to unprivileged.

• RPM dependencies that are replaced with unprivileged versions are uninstalled.
  • pgbouncer
  • nginx
  • postgresql
  • git
• Splunk SOAR (On-premises) RPM files are removed from the RPM database. Existing files are not removed, only the RPM database entries. This largely impacts deployments which were upgraded from Splunk Phantom.
• Change the owner of everything in the <PHANTOM_HOME> directory to the owner phantom:phantom.
• Disable SElinux
• Install the unprivileged versions of dependency items.
  • pgbouncer
  • nginx
  • postgresql
  • git
• Reconfigures auto-boot.
• Modifies logging config setting for all the Splunk SOAR daemons in the phantom database.
• Remove rsyslog configuration.
• Updates the necessary configuration files, mostly for updating logging paths.
• Ensures that the phantom user has a gecos/full name attribute set.
• Configure a firewall port forward from the custom unprivileged HTTPS port (default is 8443) to HTTPS port 443. This item requires firewalld to be running.

Manually converting a privileged deployment to an unprivileged deployment

After you have upgraded to the 5.3.5 release of Splunk SOAR (On-premises), you can convert your privileged deployment to unprivileged one at any time. The tool works for single instances or clusters.

Converting a privileged Splunk SOAR (On-premises) deployment to an unprivileged deployment cannot be undone. Make sure you are ready to convert before running the running the conversion tool.

If you want to manually convert a privileged deployment of Splunk SOAR (On-premises) to an unprivileged one, do the following:

1. Make sure that firewalld is active and running. The migration script requires firewalld to be active so it can be configured.

   If firewalld is not running, the migration script cannot make Splunk SOAR (On-premises) available on the default HTTPS port (443); Splunk SOAR (On-premises) will only be accessible through port 8443.

   1. Check the status of firewalld.

      sudo systemctl status firewalld

      Example output from an active firewalld:

      ● firewalld.service - firewalld - dynamic firewall daemon
      Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
      
      Active: active (running) since Wed 2022-07-13 19:00:17 GMT; 1 weeks 1 days ago

   2. (Conditional) If firewalld is not active, enable it, then activate it.

      sudo systemctl enable firewalld

      sudo systemctl start firewalld

2. Download the unprivileged installer from the Splunk SOAR site. The unprivileged installer prepackages its dependencies and can be installed on systems that cannot reach out to the internet.
   The unprivileged installer is named in the format splunk_soar-unpriv-<major>.<minor>.<patch>.<build>-<commit_short_sha>-<os>-x86_64.tgz.
3. Conditional: If you have previously upgraded this instance of Splunk SOAR (On-premises), you may still have a directory at <$PHANTOM_HOME>/splunk-soar. If that is true, remove that directory.

   rm -rf <$PHANTOM_HOME>/splunk-soar

4. Extract the TAR file you downloaded into the Splunk SOAR (On-premises) installation directory.

   tar -xvf <installer>.tgz -C <$PHANTOM_HOME>

   This creates a new directory in the Splunk SOAR (On-premises) home directory, <$PHANTOM_HOME>/splunk-soar.
5. Make sure that that your current installation of is running.

   <$PHANTOM_HOME>/bin/start_phantom.sh

6. Change directory to the <$PHANTOM_HOME>/splunk-soar directory.

   cd <$PHANTOM_HOME>/splunk-soar

7. Run the migration tool as the root user.

   ./soar-prepare-system --migrate-priv-to-unpriv --no-prompt --splunk-soar-home /opt/phantom

Use --https-port to specify your custom HTTPS port. If you do not specify port, 8443 is used.

8. (Optional) If you are converting a privileged Splunk SOAR (On-premises) cluster, stop Splunk SOAR on all nodes, then repeat the preceding steps for each cluster node.

   If you are converting a privileged cluster to an unprivileged one, you will need to configure your load balancer to listen for your custom HTTPS port. If you did not specify a port during the migration, the port 8443 is set for you.

If the script fails to complete the migration, an error message is displayed on stdout that will contain the error encountered and the log file to consult for further troubleshooting.