• You must install Splunk UBA on a server that is running a supported operating system. See, Operating system requirements.
• Make sure your Red Hat Enterprise Linux license includes the proper subscription names. See, Additional RHEL requirements.
• Determine the interface of your system network configuration, for example eth0 , en0, etc. You will need this information later in the installation process.

Enable sudo permissions for the caspida user.

1. Use the visudo command to edit the /etc/sudoers file.
2. If the following line exists, comment the line Defaults requiretty.
3. Add the following lines at the end of the /etc/sudoers file.

   caspida ALL=(ALL) NOPASSWD:ALL
   Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
   

   /etc/sudoers file is read sequentially, so placing these lines at the end ensures that there is no impact to the caspida user from any existing accounts or group permissions.
4. Add the caspida user to the system. For example, assuming UID and GID 2018 is available:

   groupadd --gid 2018 caspida
   useradd --uid 2018 --gid 2018 -m -d /home/caspida -c "Caspida User" -s /bin/bash caspida
   

5. Set the password for caspida user:

   passwd caspida
   

6. Verify the caspida user permissions for newly created files and directories. See Validate the UMASK value.

Download the following Splunk UBA software and RHEL packages:

1. Obtain the Splunk UBA 5.4.2 software:
   1. Go to the Splunk UBA Software Installation Package page on Splunkbase.
   2. Download the file to the /home/caspida directory. The name of the package is splunk-uba-software-installation-package_542.tgz.

1. From the command line, log in to the server as the root user, or log in as a different user then use su or sudo to gain root user privileges.
2. Find the 1TB disks using the fdisk command:

   fdisk -l

   /dev/sdb and /dev/sdc.
3. Partition and format the partition on each disk found in step 2.
   1. Partition and format the partition on the /dev/sdb disk using the following series of commands. Verify that the align-check opt 1 command returns 1 aligned.

      parted -a optimal /dev/sdb
        mklabel gpt
        mkpart primary ext4 2048s 100%
        align-check opt 1
        quit
      

   2. Format the partition using the mkfs command.

      mkfs -t ext4 /dev/sdb1

   3. Repeat the commands to partition and format the partition on /dev/sdc:

      parted -a optimal /dev/sdc
        mklabel gpt
        mkpart primary ext4 2048s 100%
        align-check opt 1
        quit
      

   4. Format the partition using the mkfs command. When prompted, confirm that you want to continue.

      mkfs -t ext4 /dev/sdc1

4. Get the block ID for each disk using the blkid command. For example, to get the block IDs for /dev/sdb1 and /dev/sdc1 in our example:

   blkid -o value -s UUID /dev/sdb1
   blkid -o value -s UUID /dev/sdc1
   

   5c00b211-e751-4661-91c4-60d9f9315857.
5. Create new /var/vcap and /var/vcap2 directories.

   mkdir -p /var/vcap /var/vcap2

6. Add the block IDs for the /var/vcap and /var/vcap2 partitions to the /etc/fstab directory. For example:

   UUID=5c00b211-e751-4661-91c4-60d9f9315857 /var/vcap ext4 defaults 0 0
   UUID=e10ab5c0-c27a-4617-8945-daab6d597731 /var/vcap2 ext4 defaults 0 0
   

7. Mount the file systems.

   mount -a

8. Verify that the 1TB disks are mounted correctly using the df -h command. For example:

   root# df -h
   Filesystem      Size  Used Avail Use% Mounted on
   ...
   /dev/sdc1       493G   77M  467G   1% /var/vcap2
   /dev/sdb1       985G   43G  892G   5% /var/vcap
   ...
   

9. Inherit the permissions for the root user.

   chmod 755 /var/vcap /var/vcap2
   chown root:root /var/vcap /var/vcap2
   

10. Make a directory for caspida software packages.
    Note: This should be different from caspida home directory (/home/caspida).

    mkdir /opt/caspida
    chown caspida:caspida /opt/caspida
    chmod 755 /opt/caspida

11. Set the following environment variables for PostgreSQL in the /etc/locale.conf file:

    LANG="en_US.UTF-8"
    LC_CTYPE="en_US.UTF-8"
    

12. Run the following command to source the /etc/locale.conf file:

    source /etc/locale.conf

13. Verify that the host name resolves using the host <host name> command. If it does not, verify your host name lookup and DNS settings. See, Configure host name lookups and DNS.
14. Modify /etc/sysconfig/selinux set SELINUX=permissive.
    With SELINUX set to enforced, certain actions during installation and upgrade (for example, access to particular files) can be blocked. Set SELINUX to permissive to allow Splunk UBA the necessary access so that actions are not blocked, but instead logged in the audit logs.
15. Verify that the system date, time and time zone are correct using the timedatectl command, as shown below. The time zone in Splunk UBA should match the time zone configured in Splunk Enterprise.

    root# timedatectl status
          Local time: Mon 2019-04-08 14:30:02 UTC
      Universal time: Mon 2019-04-08 14:30:02 UTC
            RTC time: Mon 2019-04-08 14:30:01
           Time zone: UTC (UTC, +0000)
         NTP enabled: yes
    NTP synchronized: yes
     RTC in local TZ: no
          DST active: n/a
    

    Use the timedatectl command to change the time zone. For example, to change the time zone to UTC:

    timedatectl set-timezone UTC

    ntpq -p command to verify that NTP is pointing to the desired server.
16. Verify that /proc/sys/net/bridge/bridge-nf-call-iptables exists on your system and the content of bridge-nf-call-iptables is 1. Run the following command to verify:

    cat /proc/sys/net/bridge/bridge-nf-call-iptables

    Your situation	Take this action
    /proc/sys/net/bridge/bridge-nf-call-iptables exists on your system and the content is 1.	A. Run the following command to make sure this setting is preserved through any reboot operations: echo net.bridge.bridge-nf-call-iptables=1 > /etc/sysctl.d/splunkuba-bridge.conf B. Go to Step 18.
    /proc/sys/net/bridge/bridge-nf-call-iptables exists on your system but the content is not 1.	A. Run the following commands to set the content of the bridge-nf-call-iptables: sysctl -w net.bridge.bridge-nf-call-iptables=1 B. Run the following command to ensure that the settings persist through any reboot operations: echo net.bridge.bridge-nf-call-iptables=1 > /etc/sysctl.d/splunkuba-bridge.conf C. Go to Step 18.
    /proc/sys/net/bridge/bridge-nf-call-iptables does not exist on your system.	A. Run the following commands to create the file and ensure that it is loaded on reboot: modprobe br_netfilter echo br_netfilter > /etc/modules-load.d/br_netfilter.conf B. Run the following commands to create and set the content of the bridge-nf-call-iptables: sysctl -w net.bridge.bridge-nf-call-iptables=1 C. Run the following command to ensure that the settings persist through any reboot operations: echo net.bridge.bridge-nf-call-iptables=1 > /etc/sysctl.d/splunkuba-bridge.conf D. Go to Step 17.

17. Run the following command to ensure that /etc/sysctl.d/splunkuba-bridge.conf is readable by the caspida user:

    chmod o+r /etc/sysctl.d/splunkuba-bridge.conf 

    If that command returns without error, proceed to the next step.

18. Verify that IPv6 drivers are available. To do this, check that /proc/sys/net/ipv6/ exists. For example:

    root# ls -l /proc/sys/net/ipv6/
    total 0
    -rw-r--r-- 1 root root 0 Mar 12 16:52 anycast_src_echo_reply
    -rw-r--r-- 1 root root 0 Mar 12 16:52 auto_flowlabels
    -rw-r--r-- 1 root root 0 Mar 12 16:52 bindv6only
    dr-xr-xr-x 1 root root 0 Mar 12 16:52 conf
    -rw-r--r-- 1 root root 0 Mar 12 16:52 flowlabel_consistency
    -rw-r--r-- 1 root root 0 Mar 12 16:52 flowlabel_state_ranges
    -rw-r--r-- 1 root root 0 Mar 12 16:52 fwmark_reflect
    dr-xr-xr-x 1 root root 0 Mar 12 16:52 icmp
    -rw-r--r-- 1 root root 0 Mar 12 16:52 idgen_delay
    -rw-r--r-- 1 root root 0 Mar 12 16:52 idgen_retries
    -rw-r--r-- 1 root root 0 Mar 12 16:52 ip6frag_high_thresh
    -rw-r--r-- 1 root root 0 Mar 12 16:52 ip6frag_low_thresh
    -rw-r--r-- 1 root root 0 Mar 12 16:52 ip6frag_secret_interval
    -rw-r--r-- 1 root root 0 Mar 12 16:52 ip6frag_time
    -rw-r--r-- 1 root root 0 Mar 12 16:52 ip_nonlocal_bind
    -rw-r--r-- 1 root root 0 Mar 12 16:52 mld_max_msf
    -rw-r--r-- 1 root root 0 Mar 12 16:52 mld_qrv
    dr-xr-xr-x 1 root root 0 Mar 12 16:52 neigh
    dr-xr-xr-x 1 root root 0 Mar 12 16:52 route
    -rw-r--r-- 1 root root 0 Mar 12 16:52 xfrm6_gc_thresh
    

    If the IPv6 drivers exist, skip to the next step.

    If IPv6 drivers do not exist on your system, check if /etc/default/grub contains ipv6.disable=1. IPv6 drivers will not be available on a system if ipv6.disable=1 exists in /etc/default/grub. If ipv6.disable=1 is not present in /etc/default/grub and IPv6 drivers do not exist, consult with your system or network administrators. You will not be able to continue with the installation.
    If /etc/default/grub contains ipv6.disable=1, perform the following tasks as root:
    1. Remove ipv6.disable=1 from /etc/default/grub.
    2. Recreate the grub config:

       grub2-mkconfig -o /boot/grub2/grub.cfg

    3. Reboot the machines. After the system comes up, make sure /proc/sys/net/ipv6 exists.

    To disable IPv6 functionality for security, networking or performance reasons, create the /etc/sysctl.d/splunkuba-ipv6.conf file as root. This file should contain the following content:

    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
    net.ipv6.conf.lo.disable_ipv6 = 1
    

    This procedure keeps the IPv6 drivers but turns off IPv6 addressing.
19. Create the /etc/security/limits.d/caspida.conf file and add the following security limits for the caspida user to this file:

    caspida soft nproc unlimited
    caspida soft nofile 32768
    caspida hard nofile 32768
    caspida soft core unlimited
    caspida soft stack unlimited
    caspida soft memlock unlimited
    caspida hard memlock unlimited
    

    Note: Make sure the root account does not have any security limits.
20. If you are not using IPv6 on your network, edit the /etc/yum.conf file and add the following entry so that only IPv4 addresses are used by yum/rpm:

    ip_resolve=4

21. If you have any firewall configuration enabled, such as firewalld, disable the configuration during installation. Run the following command:

    systemctl disable firewalld

22. Restart the system.

    init 6

23. After the system restarts, use the following command to verify that the host name matches your host name lookup and DNS settings. See Configure host name lookups and DNS.

    hostname --fqdn

Federal Information Processing Standard (FIPS) compliance is available with Splunk UBA version 5.4.0 and higher. Complete the following steps to turn on FIPS on each Splunk UBA node before running the install.sh script in the Install Splunk UBA section.

1. Run the following command to check the current status of FIPS:

   sudo fips-mode-setup --check

2. On each node, run the following command to turn on FIPS:

   sudo fips-mode-setup --enable

3. After successfully turning on FIPS, reboot the system:

   sudo reboot

4. Confirm FIPS is turned on:

   sudo fips-mode-setup --check

5. You can also verify the status using the following command.
   Note: You see a 1 if FIPS is turned on, otherwise 0.

   cat /proc/sys/crypto/fips_enabled

Perform the following steps to install Splunk UBA.

1. Log in to the command line as the caspida user using SSH.
2. Verify that the caspida user has umask permissions set to 0022 or 0002.

   umask

   If the returned values are not supported, edit the ~/.bash_profile and the ~/.bashrc files and append:

   umask 0022

3. Copy the file for Splunk UBA Software Installation from Splunkbase to the /home/caspida directory.
4. Untar the file for Splunk UBA Software Installation in /home/caspida directory.

   tar xvzf /home/caspida/splunk-uba-software-installation-package_542.tgz

5. Untar the Splunk UBA platform software to the /opt/caspida directory.

   tar xvzf /home/caspida/Splunk-UBA-Platform-5.4.2-20250304-24168929.tgz -C /opt/caspida/

6. Untar the Splunk UBA Packages for RHEL to the /home/caspida directory.

   tar xvzf /home/caspida/Splunk-UBA-5.4.2-Packages-RHEL-8.tgz -C /home/caspida

7. Run the installation script.

   /opt/caspida/bin/installer/redhat/INSTALL.sh /home/caspida/Splunk-UBA-5.4.2-Packages-RHEL-8
   

   /var/log/caspida/install.log.
   1. If you do not use One-Time-Password (OTP) or Multi-Factor Authentication (MFA) methods, and you see the following error, run the command sudo yum remove krb5-workstation. If you do use OTP or MFA skip to sub-step b.

      error: Failed dependencies:
      krb5-libs(x86-64) = 1.18.2-22.el8_7 is needed by (installed) krb5-workstation-1.18.2-22.el8_7.x86_64
      libkadm5(x86-64) = 1.18.2-22.el8_7 is needed by (installed) krb5-workstation-1.18.2-22.el8_7.x86_64

   2. If you use One-Time-Password (OTP) or Multi-Factor Authentication (MFA) methods, and you see the following error, run the command sudo yum downgrade krb5-workstation.

      error: Failed dependencies:
      krb5-libs(x86-64) = 1.18.2-22.el8_7 is needed by (installed) krb5-workstation-1.18.2-22.el8_7.x86_64
      libkadm5(x86-64) = 1.18.2-22.el8_7 is needed by (installed) krb5-workstation-1.18.2-22.el8_7.x86_64

   3. Then rerun the installation script.

8. Generate SSH keys using the ssh-keygen -t rsa command. Press enter for all the prompts and accept all default values. For example:

   [caspida@ubahost-001]$ ssh-keygen -t rsa
   Generating public/private rsa key pair.
   Enter file in which to save the key (/home/caspida/.ssh/id_rsa):
   Created directory '/home/caspida/.ssh'.
   Enter passphrase (empty for no passphrase):
   Enter same passphrase again:
   Your identification has been saved in /home/caspida/.ssh/id_rsa.
   Your public key has been saved in /home/caspida/.ssh/id_rsa.pub.
   The key fingerprint is:
   SHA256:Ohe1oSpUtNT8siJzvn2lFLrHmVH7JGKke+c/5NRFb/g caspida@ubahost-001
   

9. Add the SSH keys to the server and adjust the permissions to allow the server to access them.

   cat /home/caspida/.ssh/id_rsa.pub >> /home/caspida/.ssh/authorized_keys
   chmod 600 /home/caspida/.ssh/authorized_keys

10. SSH to the server without a password using the host name or internal IP.

    ssh <uba host name>; exit

11. Check the system status with the uba_pre_check.sh shell script. Run the following command on a single-node deployment and be sure to replace <node1> with the actual host name of your system.

    /opt/caspida/bin/utils/uba_pre_check.sh <node1>

    Check system status before and after installation for more information about the script.
12. Run the setup script.

    /opt/caspida/bin/Caspida setup

    1. When prompted, accept the license agreement and confirm removal of existing metadata.
    2. When prompted, type the host name of the Splunk UBA server installation. For example, type uba01-prod if uba01-prod is the host name of your Splunk UBA server.
    3. When prompted, confirm that you want to continue setting up Splunk UBA.
    4. The log file is /var/log/caspida/caspida.out.
13. Verify the host name of all the nodes using the following command:

    hostname

14. Make sure all the nodes have a consistent setup. If using fully qualified domain names (FQDN) then all nodes should output FQDN in the host name command. If the short name is used, then all nodes should output the short name in the host name command.
    1. If FQDN is used then in the pre_check script provide the FQDN of all the nodes, for example:

       /opt/caspida/bin/utils/uba_pre_check.sh <NODE1_FQDN> <NODE2_FQDN> <NODE3_FQDN>

    2. When prompted for a list of host names in the setup script, if the output of the host name command is FQDN, then provide a CSV list of FQDN host names, for example:

       <NODE1_FQDN>,<NODE2_FQDN>,<NODE3_FQDN>

       Note: If you plan on connecting to Splunk Cloud Platform to run queries for datasources, use fully qualified domain names (FQDN), not short names, for your Splunk UBA hostnames.
15. After setup completes:
    1. Open a web browser and log in to the Splunk UBA server with the default admin credentials to confirm a successful installation. The default username is admin and password is changeme. See Secure the default account after installing Splunk UBA for information about the default accounts provided with Splunk UBA and how to secure them.
    2. See Verify successful installation for more information about verifying a successful installation.