Home Explore Help
Register Sign In
AFS
/
infrastructure-notes
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

phantom, phantom upgrade

Brad Poulton 2 years ago
parent
1fefdc7f3d
commit
3a518c0ed9
2 changed files with 31 additions and 10 deletions
Split View Show Diff Stats
  1. 25 6
      Phantom Notes.md
  2. 6 4
      Phantom Upgrade Notes.md

+ 25 - 6
Phantom Notes.md
View File 

@@ -38,24 +38,43 @@ Ensure FIPS is enable
 
 
 `cat /proc/sys/crypto/fips_enabled`
 
 
-set home directory to /opt/splunksoar
 
-set port to 8443
 
+Why use /opt/phantom? So i don't have to change the notes and i am afraid of hidden errors where splunk team forgot to change the code and it still has a static folder reference to /opt/phantom. 
 
-Download the .tar.gz file to your home dir
 
+`cd /opt`
 
+Download the .tar.gz file to /opt/ (it has enough room for the large size)
 
 Extract .tar
 
 
-as your XDR user run `sudo splunk-soar/soar-prepare-system --no-spinners --splunk-soar-home /opt/splunksoar --https-port 8443`
 
+as your XDR user run `sudo ./splunk-soar/soar-prepare-system --no-spinners --splunk-soar-home /opt/phantom --https-port 8443`
 
 
+Yes download packages in the the default repos
 
 No GlusterFS we are not using external file share
 
 No ntpd ( we are using chronyd )
 
 Yes to basic firewall
 
 No to https redirect ( let the LB do that)
 
-Yes to create phantom user
 
+Yes to create non-priviledged user
 
+Yes to create password for phantom user
 
+Yes to adjust file descriptor limits (/etc/security/limits.d/25-phantom-limits.conf)
 
 
-`splunk-soar/soar-install --splunk-soar-home /opt/splunksoar --https-port 8443 --ignore-warnings`
 
+copy the .tar, change it's owner to phantom and extract it again in /opt/phantom as hte phantom user. 
+
 
+Give phantom cron permissions
 
+```
 
+chmod +w /etc/cron.allow
 
+vim /etc/cron.allow
 
+chmod -w /etc/cron.allow
 
+
 
+tmux
 
+splunk-soar/soar-install --splunk-soar-home /opt/phantom --https-port 8443 --ignore-warnings
 
+```
 
 
 ignore warnings about space issues if in TEST. 
 
+### External DB setup
 
+
 
+Follow docs associated with AWS RDS 
+
 
+psql --host splunk-soar.c5cmrfedysrr.us-gov-east-1.rds.amazonaws.com --port 5432 --username postgres --echo-all --dbname phantom --command "CREATE ROLE pgbouncer WITH PASSWORD '[input-password-here]' login;"
 
+
 
 ## Phantom pgbouncer Issue (legacy)
 
 
 ```

+ 6 - 4
Phantom Upgrade Notes.md
View File 

@@ -111,15 +111,16 @@ https://my.phantom.us/login/?next=/downloads/
 
 - Copy the URL and use wget to download the file. 
 ```
 
 cd /opt/phantom
 
-wget -O splunk_soar-priv-5.3.3.92213-ebef80f6-el7-x86_64.tgz "https://s3.amazonaws.com/phantom-downloads/5.3.3.92213/splunk_soar-priv-5.3.3.92213-ebef80f6-el7-x86_64.tgz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=1800&X-Amz-Credential=AKIAJQB2QCTG3EQYKMQQ%2F20220902%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Date=20220902T160123Z&X-Amz-Signature=e3b9d9565e2a07fead71f6e2e98309f20b00bb312fc68394636fa9d3afb5e242"
 
+wget -O splunk_soar-priv-5.3.3.92213-ebef80f6-el7-x86_64.tgz "https://s3.amazonaws.com/phantom-downloads/5.3.3.92213/splunk_soar-priv-5.3.3.92213-ebef80f6-el7-x86_64.tgz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=1800&X-Amz-Credential=AKIAJQB2QCTG3EQYKMQQ%2F20220908%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Date=20220908T192344Z&X-Amz-Signature=005f79ac9aab5166496797bd1ae06ef715a52359c8e2330d2edb614e875fac01"
 
 
-wget -O splunk_soar-unpriv-5.3.3.92213-ebef80f6-el7-x86_64.tgz "https://s3.amazonaws.com/phantom-downloads/5.3.3.92213/splunk_soar-unpriv-5.3.3.92213-ebef80f6-el7-x86_64.tgz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=1800&X-Amz-Credential=AKIAJQB2QCTG3EQYKMQQ%2F20220829%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Date=20220829T211748Z&X-Amz-Signature=e61ed4cba3f5a768018a3748bc2ce61af0dedcdf9e8c9cc2e805296647d1205e"
 
+wget -O splunk_soar-unpriv-5.3.3.92213-ebef80f6-el7-x86_64.tgz "https://s3.amazonaws.com/phantom-downloads/5.3.3.92213/splunk_soar-unpriv-5.3.3.92213-ebef80f6-el7-x86_64.tgz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=1800&X-Amz-Credential=AKIAJQB2QCTG3EQYKMQQ%2F20220907%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Date=20220907T230817Z&X-Amz-Signature=5a9ad90d41f4f1195b0d05c77ac1e7509d5543207d600aa4abe82e3e92adeafa"
 
 
 ```
 
 
 - Check the sha256 with `sha256sum <installer>.tgz` and verify with the download webpage. 
 - Extract the installer `tar -xf <installer>.tgz`
 
-- WARNING: Do not extract in the /root folder. This may fill up the drive! Move the .tgz to /opt/phantom then extract it.
 
+- WARNING: Do not extract in the /root folder. This may fill up the drive! Move the .tgz to /opt/phantom then extract it. 
+- EXTRACT it as the phantom user
 
 
 ```
 
 mv splunk_soar-priv-5.3.3.92213-ebef80f6-el7-x86_64.tgz /opt/phantom
 
@@ -128,9 +129,10 @@ tar -xf /opt/phantom/splunk_soar-priv-5.3.3.92213-ebef80f6-el7-x86_64.tgz
 
 ```
 
 
 ## 3 Upgrade
 
-This takes a LONG time! Use TMUX to keep session alive! No need to upgrade apps at the same time as upgrading soar! Apps can be upgraded after soar is upgraded! 
+This takes a LONG time! Use TMUX to keep session alive! No need to upgrade apps at the same time as upgrading soar! Apps can be upgraded after soar is upgraded! For unprivleged installation, run as the phantom user. 
 
 ```
 
+su phantom
 
 tmux 
 cd splunk-soar
 
 ./soar-install --upgrade