topic Re: Splunk Phantom Underprivileged Installation in Splunk SOAR

Splunk Phantom Underprivileged Installation

zubairaizatron — Wed, 19 Jan 2022 15:18:34 GMT

Hi guys

I tried installing Splunk Phantom as an underprivileged user as per the documentation:

https://docs.splunk.com/Documentation/SOARonprem/5.0.1/Install/InstallUnprivileged

Although I pretty much get through the process without problems, when I get to the last step i get warnings about storage

The installation does continue and then completes (i think)

I then navigate to the ./bin directory and run the ./start_phantom.sh script but it gives me a connection to postgres error

Postgres is installed so i dont know what the issue could be. Note this is a standalone instance of phantom

Has anyone experienced something similar?

Also I cannot access the frontend but I assume this is because phantom is not running

Re: Splunk Phantom Underprivileged Installation

phanTom — Wed, 19 Jan 2022 15:27:59 GMT

@zubairaizatron

I am not sure what is going on with your install without checking some of the logs around the postgres startup.

However, the instructions you are following are if you want to use any other account than the default. 5.x is unprivileged by default and now runs under the phantom user rather than the root user as it did previously.

I suspect you will have more luck simply installing the latest version on SOAR either via OVA or RPM.

As per the 1st paragraph on the OVA install: https://docs.splunk.com/Documentation/SOARonprem/5.0.1/Install/InstallOVA

"The virtual machine image of Splunk SOAR (On-premises) is for an unprivileged installation, meaning the the application runs under the phantom user account, not as the root user."

If this is just for personal use then I would just go with the above. If it's for professional/licensed use then I would raise a support case under your customer entitlement.

Re: Splunk Phantom Underprivileged Installation

zubairaizatron — Wed, 19 Jan 2022 22:03:59 GMT

Thank you very much for your reply. This is for professional use however is is not an actual deployment, more of a poc and requires this kind of installation according to the needs of the customer.

That being said it seems the problem was the lack of a postgres "phantom" database.

I then created on and that got rid of that error. however now I am still getting the error for a supervisord.

This is the start of the installation but then it gives this error

on the installation logs i found the following errors

This one i assume i fixed by creating the phantom database in postgres

Any suggestions?

Re: Splunk Phantom Underprivileged Installation

phanTom — Thu, 20 Jan 2022 09:02:18 GMT

@zubairaizatron I have not had to install the unpriv install in this way before so I am afraid I am not sure what else I can offer.

All of the requirements should have been installed and no additional configuration, outside of the installation instructions, should need to be performed to get the system up and running.

I think you need to start again and be sure you didn't miss or misunderstand a step.

Re: Splunk Phantom Underprivileged Installation

zubairaizatron — Sun, 23 Jan 2022 20:22:08 GMT

Hey @phanTom

Thanks a lot man

I tried a earlier install of phantom and it worked.