Splunk SOAR (f.k.a. Phantom)

How can I encrypt the keystore partition of my Splunk Phantom deployment?

mconverse_splun
Splunk Employee
Splunk Employee

Introduction 

Splunk Phantom ingests objects from connected assets, such as your firewall, services like VirusTotal, MaxMind, and more. Many of these assets require that Splunk Phantom provide credentials, such as a username and password or an authentication token to connect. Splunk Phantom stores these credentials in an encrypted form in its database, but in order to use these credentials,  they must be decrypted first. The decryption keys are stored in Splunk Phantom's keystore partition. 

Cautions 

  • If you encrypt the keystore partition, an administrator with the decryption password must provide the password each time Splunk Phantom is booted or rebooted. 
  • Encrypting the keystore partition only protects the keystore partition when Splunk Phantom is shut down. If an attacker gains access to the operating system or the hypervisor while Splunk Phantom is running, that attacker can access the decrypted keystore.
  • Make a full backup of your Splunk Phantom deployment. See Splunk Phantom backup and restore overview 

Prerequisites 

  • SSH access to the operating system of your Splunk Phantom deployment on a user account with either root or sudo permissions.

Procedure

This procedure is for Splunk Phantom 4.x releases. Do this procedure during a maintenance window or other scheduled downtime.  

If you are encrypting the keystore partition in a clustered Splunk Phantom deployment, you must do this procedure on each Splunk Phantom node.  

WARNING: If you lose or forget the encryption passphrase, you cannot mount the Splunk Phantom keystore partition. 

  1.  SSH to your Splunk Phantom deployment. 

  2.  As root, or a user with sudo permissions, install the disk encryption package and any dependencies.
    # yum install cryptsetup-luks

  3.  Make a backup of the keystore partition.
    # mkdir /root/keystore# cp -p --preserve=context /opt/phantom/keystore/* /root/keystore

  4.  Unmount the keystore partition.
    # umount /opt/phantom/keystore

  5.  Format the keystore partition as an encrypted volume.
    # cryptsetup luksFormat /dev/mapper/centos-opt_phantom_keystore

  6.  Unlock the encrypted volume.
    # cryptsetup luksOpen /dev/mapper/centos-opt_phantom_keystore keystore

  7.  Create the filesystem on the encrypted volume.
    # mkfs.ext4 /dev/mapper/keystore

  8.  Edit /etc/crypttab to add this line:
    keystore /dev/mapper/centos-opt_phantom_keystore none luks

  9.  Edit /etc/fstab. Modify the keystore line from:
    /dev/mapper/centos-opt_phantom_keystore

    to this:
    /dev/mapper/keystore /opt/phantom/keystore   ext4    defaults,noexec,nosuid,nodev        1 2

  10. Mount the encrypted volume.
    # mount /opt/phantom/keystore

  11. Move the backup of the keystore to the encrypted volume. 
    # mv /root/keystore/* /opt/phantom/keystore 

  12. Disable the Splunk Phantom boot splash screen. Edit /etc/default/grub and remove the 'rhgb' parameter from this line:
    GRUB_CMDLINE_LINUX="rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet splash vga=791" 

  13. Reboot your Splunk Phantom instance.

Testing

Check to make sure Splunk Phantom is decrypting credentials. 

  1. Log in to the Splunk Phantom web ui. 
  2. From the Main Menu select Apps.
  3. Choose an app that requires credentials such as a username and password or authentication token. 
  4. Select a configured asset. 
  5. From the apps’ Asset Settings tab, click Test Connectivity.

Troubleshooting 

If Splunk Phantom does not mount the keystore partition: 

  1. SSH into your Splunk Phantom instance as root or a user with sudo permissions.

  2. Run this command:
    # mount / -o remount

If there are errors in either /etc/crypttab or /etc/fstab, correct them, then reboot Splunk Phantom. 

Labels (4)
0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!