#!/bin/bash

# Copyright 2014-2023 Security Onion Solutions, LLC

#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation, either version 3 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program.  If not, see <http://www.gnu.org/licenses/>.

# Make sure you are root before doing anything
uid="$(id -u)"
if [ "$uid" -ne 0 ]; then
	echo "This script must be run using sudo!"
	exit 1
fi

# Save the original argument array since we modify it
original_args=("$@")

cd "$(dirname "$0")" || exit 255

echo "Getting started..."

# Source the generic function libraries that are also used by the product after
# setup. These functions are intended to be reusable outside of the setup process.
source ../salt/common/tools/sbin/so-common
source ../salt/common/tools/sbin/so-image-common

# Setup bash functionality is divided into functions and user-facing prompts. 
# Do not attempt to re-use any of this functionality outside of setup. Instead, 
# if needed, migrated generic functions into so-common.
source ./so-functions
source ./so-whiptail

# Finally, source the default variable definitions, which require availability of
# functions sourced above.
source ./so-variables

# Parse command line arguments
setup_type=$1
automation=$2
WHATWOULDYOUSAYYAHDOHERE=setup

while [[ $# -gt 0 ]]; do
	arg="$1"
	shift
	case "$arg" in
		"--turbo="* ) 
			export TURBO="http://${arg#*=}";;
		"--proxy="* ) 
			export {http,https,ftp,rsync,all}_proxy="${arg#*=}";;
		"--allow-role="* )
			export ALLOW_ROLE="${arg#*=}";;
		"--allow-cidr="* )
			export ALLOW_CIDR="${arg#*=}";;
		"--skip-reboot" )
			export SKIP_REBOOT=1;;
		* )
			if [[ "$arg" == "--"* ]]; then
				echo "Invalid option"
			fi
	esac
done

detect_os
is_analyst=
if [ "$setup_type" = 'analyst' ]; then
    is_analyst=true
    # Check to see if this is an ISO
    if [ -d /root/SecurityOnion ]; then
        is_analyst_iso=true
    fi
fi

if [[ "$setup_type" == 'iso' ]]; then
	if [[ $is_centos ]]; then
		is_iso=true
	else
		echo "Only use 'so-setup iso' for an ISO install on CentOS. Please run 'so-setup network' instead."
		exit 1
	fi
fi

# Check to see if this is an analyst install. If it is let's run things differently

if [[ $is_analyst ]]; then

	# Make sure it's CentOS
	if [[ ! $is_centos ]]; then
		echo "Analyst Workstation is only supported on CentOS 7"
		exit 1
	fi

	if ! whiptail_analyst_install; then
		if [[ $is_analyst_iso ]]; then
			if whiptail_analyst_nongrid_iso; then
				# Remove setup from auto launching
				parse_install_username
				sed -i '$ d' /home/$INSTALLUSERNAME/.bash_profile >> "$setup_log" 2>&1
				echo "Enabling graphical interface and setting it to load at boot"
				systemctl set-default graphical.target
				startx
				exit 0
			else
				# Abort!
				exit 0
			fi
		else
			if whiptail_analyst_nongrid_network; then
				echo ""
				echo ""
				echo "Kicking off the automated setup of the analyst workstation. This can take a while depending on your network connection."
				echo ""
				echo ""
				analyst_salt_local
			else
				# Abort!
				exit 0
			fi
		fi
	fi

	# If you got this far then you want to join the grid
	is_minion=true

fi
    


if ! [ -f $install_opt_file ] && [ -d /root/manager_setup/securityonion ] && [[ $(pwd) != /root/manager_setup/securityonion/setup ]]; then
	exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}"
fi

if [[ -f /root/accept_changes ]]; then
	is_reinstall=true

	# Move last setup log to backup
	mv "$setup_log" "$setup_log.bak"
	[ -f "$error_log" ] && mv "$error_log" "$error_log.bak"
fi

parse_install_username

if ! [ -f $install_opt_file ]; then
	# Begin Installation pre-processing
	title "Initializing Setup"
	info "Installing as the $INSTALLUSERNAME user"

	analyze_system
fi

# Set up handler for setup to exit early (use `kill -SIGUSR1 "$setup_proc"; exit 1` in child scripts)
trap 'catch $LINENO' SIGUSR1
setup_proc="$$"
catch() {
	info "Fatal error occurred at $1 in so-setup, failing setup."
	grep --color=never "ERROR" "$setup_log" > "$error_log"
	whiptail_setup_failed
	exit 1
}
automated=no
progress() {
	local msg=${1:-'Please wait while installing...'}

	if [ $automated == no ]; then
		whiptail --title "$whiptail_title" --gauge "$msg" 6 70 0 # append to text
	else
		cat >> $setup_log 2>&1
	fi		
}

if [[ -f automation/$automation && $(basename $automation) == $automation ]]; then
	echo "Preselecting variable values based on automated setup: $automation" >> $setup_log 2>&1
	source automation/$automation
	automated=yes

	attempt=1
	attempts=60
	ip a | grep "$MNIC:" | grep "state UP" >> $setup_log 2>&1
	while [ $? -ne 0 ]; do
		ip a >> $setup_log 2>&1
		if [ $attempt -gt $attempts ]; then
			echo "Network unavailable - setup cannot continue" >> $setup_log 2>&1
			exit 1
		fi
		echo "Waiting for network to come up (attempt $attempt of $attempts)" >> $setup_log 2>&1
		attempt=$((attempt + 1))
		sleep 10;
		ip a | grep "$MNIC:" | grep "state UP" >> $setup_log 2>&1
	done
	echo "Network is up on $MNIC" >> $setup_log 2>&1

	if [[ ! $is_iso ]]; then
		echo "Installing sshpass for automated testing." >> $setup_log 2>&1
		if [ "$OS" == ubuntu ]; then
			retry 50 10 "apt-get -y install sshpass" >> $setup_log 2>&1 || exit 1
		else
			yum -y install sshpass >> $setup_log 2>&1
		fi
	fi
fi

case "$setup_type" in
	iso | network | analyst) # Accepted values
		echo "Beginning Security Onion $setup_type install" >> $setup_log 2>&1
		;;
	*)
		echo "Invalid install type, must be 'iso', 'network' or 'analyst'." | tee -a $setup_log
		exit 1
		;;
esac

#set ssh commands that will be used based on if this is an automated test install or not
set_ssh_cmds $automated

# Allow execution of SO tools during setup
local_sbin="$(pwd)/../salt/common/tools/sbin"
export PATH=$PATH:$local_sbin

set_palette >> $setup_log 2>&1

# Kernel messages can overwrite whiptail screen #812
# https://github.com/Security-Onion-Solutions/securityonion/issues/812
dmesg -D

# Kernel consoleblank is causing whiptail progress screen to appear to hang #1084
# https://github.com/Security-Onion-Solutions/securityonion/issues/1084
if [ "$automated" == no ]; then
	TTY=$(tty)
	echo "Setup is running on TTY $TTY" >> $setup_log 2>&1
	if echo $TTY | grep -q "/dev/tty"; then 
		CONSOLEBLANK=$(cat /sys/module/kernel/parameters/consoleblank)
		echo "Kernel consoleblank value before: $CONSOLEBLANK" >> $setup_log 2>&1
		if [ $CONSOLEBLANK -gt 0 ]; then 
			echo "Running 'setterm -blank 0' for TTY $TTY" >> $setup_log 2>&1
			TERM=linux setterm -blank 0 >$TTY <$TTY
			CONSOLEBLANK=$(cat /sys/module/kernel/parameters/consoleblank)
			echo "Kernel consoleblank value after: $CONSOLEBLANK" >> $setup_log 2>&1
		fi
	fi
fi

if ! [[ -f $install_opt_file ]]; then
	if (whiptail_you_sure); then
		true
	else
		echo "User cancelled setup." | tee -a "$setup_log"
		whiptail_cancel
	fi
	if [[ $is_analyst ]]; then
		collect_hostname
		if [[ $is_analyst_iso ]]; then
			# Prompt Network Setup
			whiptail_management_nic
			whiptail_dhcp_or_static
			
			if [ "$address_type" != 'DHCP' ]; then
				collect_int_ip_mask
				collect_gateway
				collect_dns
				collect_dns_domain
			fi
		
		fi
		if [[ ! $is_analyst_iso ]]; then
			# This should be a network install
			whiptail_network_notice
			whiptail_dhcp_warn
			whiptail_management_nic
		fi
		whiptail_network_init_notice
		network_init
		printf '%s\n' \
			"MNIC=$MNIC" \
			"HOSTNAME=$HOSTNAME" > "$net_init_file"
		set_main_ip
		compare_main_nic_ip

	fi

	if [[ $setup_type == 'iso' ]] && [ "$automated" == no ]; then
		whiptail_first_menu_iso
		if [[ $option == "CONFIGURENETWORK" ]]; then
			collect_hostname
			network_init_whiptail
			whiptail_network_init_notice
			network_init
			printf '%s\n' \
				"MNIC=$MNIC" \
				"HOSTNAME=$HOSTNAME" > "$net_init_file"
			set_main_ip
			compare_main_nic_ip
			whiptail_net_setup_complete
		else
			true
		fi
	fi
	if [[ ! $is_analyst ]]; then
		whiptail_install_type
	fi
else
	source $install_opt_file
fi

if [ "$install_type" = 'EVAL' ]; then
	is_node=true
	is_manager=true
	is_sensor=true
	is_eval=true
	STRELKARULES=1
elif [ "$install_type" = 'STANDALONE' ]; then
	is_manager=true
	is_distmanager=true
	is_node=true
	is_sensor=true
elif [ "$install_type" = 'MANAGERSEARCH' ]; then
	is_manager=true
	is_distmanager=true
	is_node=true
elif [ "$install_type" = 'MANAGER' ]; then
	is_manager=true
	is_distmanager=true
elif [ "$install_type" = 'SENSOR' ]; then
	is_sensor=true
	is_minion=true
elif [[ "$install_type" =~ ^('SEARCHNODE'|'HOTNODE'|'WARMNODE')$ ]]; then
	is_node=true
	is_minion=true
elif [ "$install_type" = 'HEAVYNODE' ]; then
	is_node=true
	is_minion=true
	is_sensor=true
elif [ "$install_type" = 'FLEET' ]; then
	is_minion=true
	is_fleet_standalone=true
	OSQUERY=1
elif [ "$install_type" = 'IDH' ]; then
	is_minion=true
	is_idh=true
	IDH=1
elif [ "$install_type" = 'HELIXSENSOR' ]; then
	is_helix=true
elif [ "$install_type" = 'IMPORT' ]; then
	is_import=true
elif [ "$install_type" = 'RECEIVER' ]; then
	is_minion=true
	is_receiver=true
elif [ "$install_type" = 'ANALYST' ]; then
	if [ "$setup_type" != 'analyst' ]; then
		exec bash so-setup analyst
	fi
fi

if [[ $is_manager || $is_import ]]; then
	check_elastic_license
fi

if ! [[ -f $install_opt_file ]]; then
	if [[ $is_manager && $is_sensor ]]; then
		check_requirements "standalone"
	elif [[ $is_fleet_standalone ]]; then
		check_requirements "dist" "fleet"
	elif [[ $is_idh ]]; then
		check_requirements "dist" "idh"
	elif [[ $is_sensor && ! $is_eval ]]; then
		check_requirements "dist" "sensor"
	elif [[ $is_distmanager || $is_minion ]] && [[ ! ( $is_import || $is_analyst ) ]]; then
		check_requirements "dist"
	elif [[ $is_import ]]; then
		check_requirements "import"
	fi

	[[ -f $net_init_file ]] && whiptail_net_reinit && reinit_networking=true

	if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then
		collect_hostname
	fi

	[[ ! ( $is_eval || $is_import ) ]] && whiptail_node_description

	if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then
		network_init_whiptail
	else
		source "$net_init_file"
	fi

	if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then
		whiptail_network_init_notice
		network_init
	fi

	set_main_ip
	compare_main_nic_ip

	if [[ $is_minion ]]; then
		collect_mngr_hostname
		add_mngr_ip_to_hosts
		whiptail_ssh_key_copy_notice
		copy_ssh_key >> $setup_log 2>&1
	fi

	if [[ $is_idh ]]; then
	  collect_idh_services
	  collect_idh_preferences
    fi

	# Check if this is an airgap install
	if [[ ( $is_manager || $is_import) && $is_iso ]]; then
		whiptail_airgap
		if [[ "$INTERWEBS" == 'AIRGAP' ]]; then
			is_airgap=true
		fi
	elif [[ $is_minion && ( $is_iso || $is_analyst ) ]]; then
		$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" [[ -f /etc/yum.repos.d/airgap_repo.repo ]] >> $setup_log 2>&1
		airgap_check=$?
		[[ $airgap_check == 0 ]] && is_airgap=true >> $setup_log 2>&1
	fi

	reset_proxy
	if [[ -z $is_airgap ]]; then
		collect_net_method
		[[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1
	fi

	if [[ $is_minion ]] && ! (compare_versions); then
		info "Installer version mismatch, downloading correct version from manager"
		printf '%s\n' \
			"install_type=$install_type" \
			"MNIC=$MNIC" \
			"HOSTNAME=$HOSTNAME" \
			"MSRV=$MSRV" \
			"MSRVIP=$MSRVIP" \
			"is_airgap=$is_airgap" \
			"NODE_DESCRIPTION=\"$NODE_DESCRIPTION\"" > "$install_opt_file"
		[[ -n $so_proxy ]] && echo "so_proxy=$so_proxy" >> "$install_opt_file"
		download_repo_tarball
		exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}"
	fi
else
	rm -rf $install_opt_file >> "$setup_log" 2>&1
fi

if [[ -z $is_airgap ]]; then
	percentage=0
	{
		installer_progress_loop 'Running preflight checks...' &
		progress_bg_proc=$!
		./so-preflight true "$setup_log" >> $setup_log 2>&1
		preflight_ret=$?
		echo "$preflight_ret" > /tmp/preflight_ret
		kill -9 "$progress_bg_proc"
		wait "$progress_bg_proc" &> /dev/null
	} | progress '...'
	[[ -f /tmp/preflight_ret ]] && preflight_ret=$(cat /tmp/preflight_ret)
	rm /tmp/preflight_ret
	if [[ -n $preflight_ret && $preflight_ret -gt 0 ]] && ! ( whiptail_preflight_err ); then
		whiptail_cancel
	fi
fi

percentage=0
{
	installer_progress_loop 'Checking that all required packages are installed and enabled...' & # Run progress bar to 98 in ~8 minutes while waiting for package installs
	progress_bg_proc=$!
	installer_prereq_packages
	install_success=$?
	kill -9 "$progress_bg_proc"
	wait "$progress_bg_proc" &> /dev/null # Kill just sends signal, redirect output of wait to catch stdout
	if [[ $install_success -gt 0 ]]; then
		echo "Could not install packages required for setup, exiting now." >> "$setup_log" 2>&1
		kill -SIGUSR1 "$setup_proc"; exit 1
	fi
} | progress '...'

detect_cloud

short_name=$(echo "$HOSTNAME" | awk -F. '{print $1}')

if [[ $is_analyst ]]; then
	MINION_ID=$(echo "${short_name}_workstation" | tr '[:upper:]' '[:lower:]')
fi
if [[ ! $is_analyst ]]; then
	MINION_ID=$(echo "${short_name}_${install_type}" | tr '[:upper:]' '[:lower:]')
fi
export MINION_ID

echo "MINION_ID = $MINION_ID" >> $setup_log 2>&1

minion_type=$(get_minion_type)

# Set any variables needed
set_default_log_size >> $setup_log 2>&1

if [[ $is_helix ]]; then
	RULESETUP=${RULESETUP:-ETOPEN}
	NSMSETUP=${NSMSETUP:-BASIC}
	HNSENSOR=${HNSENSOR:-inherit}
	MANAGERUPDATES=${MANAGERUPDATES:-0}
fi

if [[ $is_helix || ( $is_manager && $is_node ) ]]; then
	RULESETUP=${RULESETUP:-ETOPEN}
	NSMSETUP=${NSMSETUP:-BASIC}
fi

if [[ $is_manager && $is_node ]]; then
	LSPIPELINEWORKERS=${LSPIPELINEWORKERS:-1}
	LSPIPELINEBATCH=${LSPIPELINEBATCH:-125}
	LSINPUTTHREADS=${LSINPUTTHREADS:-1}
	LSPIPELINEWORKERS=${LSPIPELINEBATCH:-125}
	NIDS=${NIDS:-Suricata}
	ZEEKVERSION=${ZEEKVERSION:-ZEEK}
fi

if [[ $is_import ]]; then
	PATCHSCHEDULENAME=${PATCHSCHEDULENAME:-auto}
	MTU=${MTU:-1500}
	RULESETUP=${RULESETUP:-ETOPEN}
	NSMSETUP=${NSMSETUP:-BASIC}
	HNSENSOR=${HNSENSOR:-inherit}
	MANAGERUPDATES=${MANAGERUPDATES:-0}
	MANAGERADV=${MANAGERADV:-BASIC}
	INTERFACE=${INTERFACE:-bond0}
	ZEEKVERSION=${ZEEKVERSION:-ZEEK}
	NIDS=${NIDS:-Suricata}
	RULESETUP=${RULESETUP:-ETOPEN}
	GRAFANA=${GRAFANA:-0}
	OSQUERY=${OSQUERY:-0}
	WAZUH=${WAZUH:-0}
	PLAYBOOK=${PLAYBOOK:-0}
fi

if [[ $is_airgap ]]; then
	PATCHSCHEDULENAME=${PATCHSCHEDULENAME:-manual}
	[[ ! $is_minion ]] && MANAGERUPDATES=${MANAGERUPDATES:-0} || MANAGERUPDATES=${MANAGERUPDATES:-1}
fi

# Start user prompts

if [[ $is_helix ]]; then
	collect_helix_key
fi

if [[ $is_helix || $is_sensor ]]; then
	echo "Verifying all network devices are managed by Network Manager that should be" >> "$setup_log" 2>&1
	check_network_manager_conf
	set_network_dev_status_list
	whiptail_sensor_nics
fi

if [[ $is_helix || $is_sensor || $is_import ]]; then
	calculate_useable_cores
fi

if [[ ! $is_airgap && ! $is_import ]]; then
	collect_patch_schedule
fi

if [[ $is_helix ||  $is_manager || $is_import ]]; then
	collect_homenet_mngr
fi

#set base elasticsearch heap size
if [[ $is_helix || $is_manager || $is_node || $is_import ]]; then
	es_heapsize
fi

#set base logstash heap size
if [[ $is_helix || $is_manager || $is_node || $is_import || $is_receiver ]]; then
	ls_heapsize
fi

if [[ $is_manager && ! $is_eval ]]; then
	whiptail_manager_adv
	if [ "$MANAGERADV" = 'ADVANCED' ]; then
	  if [ "$install_type" = 'MANAGER' ] || [ "$install_type" = 'MANAGERSEARCH' ]; then
	  	collect_es_cluster_name
	  fi
	fi

	whiptail_metadata_tool
	
	[[ $MANAGERADV == "ADVANCED" ]] && [[ $ZEEKVERSION == "ZEEK" ]] && whiptail_manager_adv_service_zeeklogs

	# Don't run this function for now since Snort is not yet supported
	# whiptail_nids
	NIDS=Suricata
	whiptail_rule_setup

	if [ "$RULESETUP" != 'ETOPEN' ]; then
		collect_oinkcode
	fi
fi

if [[ $is_manager ]]; then
	whiptail_enable_components

	if [[ "$STRELKA" = 1 ]]; then
		info "Enabling Strelka rules"
		STRELKARULES=1
	else
		info "Disabling Strelka rules: STRELKA='$STRELKA'"
	fi

	collect_dockernet
fi

if [[ $is_manager || $is_import ]]; then
	collect_webuser_inputs
	get_redirect
fi

if [[ $is_distmanager ]]; then
	collect_soremote_inputs
fi

if [[ $is_sensor && ! $is_eval ]]; then
	[[ $is_manager ]] || collect_homenet_snsr
	whiptail_sensor_config
	if [ $NSMSETUP == 'ADVANCED' ]; then
		if [[ $is_manager ]]; then
			[[ $ZEEKVERSION == "ZEEK" ]] && whiptail_zeek_pins
		else
			whiptail_zeek_pins
		fi
		
		whiptail_suricata_pins
		collect_mtu
	else
		if [[ $is_node && $is_sensor && ! $is_eval ]]; then
			PROCS=$(( lb_procs / 2 ))
			if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi
		else
			PROCS=$lb_procs
		fi

		if [[ $is_manager ]]; then
			[[ $ZEEKVERSION == "ZEEK" ]] && collect_zeek
		else
			collect_zeek
		fi

		collect_suri
	fi
fi

[[ ( $is_iso || $is_analyst ) ]] && collect_ntp_servers

if [[ ($is_node || $is_receiver) && ! $is_eval ]]; then
	whiptail_node_advanced
	if [ "$NODESETUP" == 'NODEADVANCED' ]; then
		if [[ ! $is_receiver ]]; then 
			collect_node_es_heap
			collect_es_space_limit
		fi
		collect_node_ls_heap
		collect_node_ls_pipeline_worker_count
		collect_node_ls_pipeline_batch_size
		collect_node_ls_input
	else
		if [[ ! $is_receiver ]]; then
			NODE_ES_HEAP_SIZE=$ES_HEAP_SIZE
		fi
		NODE_LS_HEAP_SIZE=$LS_HEAP_SIZE
		LSPIPELINEWORKERS=$num_cpu_cores
		LSPIPELINEBATCH=125
		LSINPUTTHREADS=1
	fi
fi

if [ "$install_type" == 'FLEET' ]; then
	collect_fleetuser_inputs
	collect_fleet_custom_hostname_inputs
else
	FLEETNODEUSER=$WEBUSER
	FLEETNODEPASSWD1=$WEBPASSWD1
fi

if [[ $is_manager || $is_import ]]; then collect_so_allow; fi

# This block sets REDIRECTIT which is used by a function outside the below subshell
set_redirect >> $setup_log 2>&1

if [[ $is_minion ]] && ! check_manager_state; then
	echo "Manager was not in a good state" >> "$setup_log" 2>&1
	whiptail_manager_error
fi

whiptail_end_settings

# From here on changes will be made.
echo "1" > /root/accept_changes


# Begin install
{
	# Set initial percentage to 0
	export percentage=0

	# Show initial progress message
	set_progress_str 0 'Running initial configuration steps'

	[[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1

	if [[ ! $is_analyst ]]; then
	    reserve_ports
	fi
	
	set_path

	if [[ $is_reinstall ]]; then
		reinstall_init
	fi

	disable_auto_start

	{
		mark_version;
		clear_manager;
	} >> $setup_log 2>&1


	if [[ $is_manager || $is_import ]]; then
		{
			generate_passwords;
			secrets_pillar;
		} >> $setup_log 2>&1	
	fi

	if [[ $is_manager || $is_import || $is_helix ]]; then
		add_socore_user_manager >> $setup_log 2>&1
	fi

	if [[ $is_manager && ! $is_eval ]]; then
		add_soremote_user_manager >> $setup_log 2>&1
	fi
    if [[ ! $is_analyst ]]; then
        host_pillar >> $setup_log 2>&1
    fi
    if [[ $is_analyst ]]; then
        analyst_workstation_pillar
    fi
	ntp_pillar >> $setup_log 2>&1


	if [[ $is_minion || $is_import ]]; then
		set_updates >> $setup_log 2>&1
	fi

	if [[ ( $is_manager || $is_import ) && $is_airgap ]]; then
		info "Creating airgap repo"
		create_repo >> $setup_log 2>&1
		airgap_rules >> $setup_log 2>&1
	fi

	if [[ $is_minion ]]; then
		set_progress_str 1 'Configuring firewall'
		set_initial_firewall_policy >> $setup_log 2>&1
	fi

	set_progress_str 2 'Updating packages'
	# Import the gpg keys
	gpg_rpm_import >> $setup_log 2>&1
	info "Disabling fastestmirror"
	[[ $is_centos ]] && disable_fastestmirror
	if [[ ! $is_airgap ]]; then
		securityonion_repo >> $setup_log 2>&1
		update_packages >> $setup_log 2>&1
	else
		airgap_repo >> $setup_log 2>&1
	fi

	if [[ $is_sensor || $is_helix || $is_import ]]; then
		set_progress_str 3 'Generating sensor pillar'
		generate_sensor_vars
		sensor_pillar >> $setup_log 2>&1
		if [[ $is_sensor || $is_helix ]]; then
			steno_pillar >> $setup_log
		fi
	fi

	if [[ $is_sensor || $is_helix ]]; then
		set_progress_str 4 'Configuring sensor interface'
		configure_network_sensor >> $setup_log 2>&1
	fi

	set_progress_str 5 'Installing Salt and dependencies'
	saltify 2>> $setup_log
    
	if [[ ! $is_analyst ]]; then
		set_progress_str 6 'Installing Docker and dependencies'
		docker_install >> $setup_log 2>&1
	fi

	set_progress_str 7 'Generating patch pillar'
	patch_pillar >> $setup_log 2>&1

	set_progress_str 8 'Initializing Salt minion'
	configure_minion "$minion_type" >> $setup_log 2>&1

	if [[ ! $is_analyst ]]; then
		check_sos_appliance >> $setup_log 2>&1
	fi
	
	update_sudoers_for_testing >> $setup_log 2>&1

	if [[ $is_manager || $is_helix || $is_import ]]; then
		set_progress_str 9 'Configuring Salt master'
		{
			create_local_directories;
			addtotab_generate_templates;
			copy_salt_master_config;
			setup_salt_master_dirs;
			firewall_generate_templates;
		} >> $setup_log 2>&1
		
		set_progress_str 10 'Updating sudoers file for soremote user'
		update_sudoers >> $setup_log 2>&1
		
		set_progress_str 11 'Generating manager global pillar'
		#minio_generate_keys
		manager_global >> $setup_log 2>&1
		
		set_progress_str 12 'Generating manager pillar'
		manager_pillar >> $setup_log 2>&1
		zeek_logs_enabled >> $setup_log 2>&1
	fi
	
	set_progress_str 16 'Running first Salt checkin'
	salt_firstcheckin >> $setup_log 2>&1

	if [[ $is_helix ]]; then
		set_progress_str 17 'Generating the FireEye pillar'
		fireeye_pillar >> $setup_log 2>&1
	fi
	
	if [[ $is_node ]]; then
		set_progress_str 18 'Setting node type'
		set_node_type >> $setup_log 2>&1

		if ! [[ $is_manager || $is_helix ]]; then
			set_progress_str 19 'Generating search node pillar'
			elasticsearch_pillar >> $setup_log 2>&1
		fi
	fi

	if [[ ($is_node || $is_receiver) && !($is_manager || $is_helix) ]]; then
		set_progress_str 19 'Generating logstash pillar'
		logstash_pillar >> $setup_log 2>&1
	fi

	if [[ $is_idh ]]; then
		# Write out services to minion pillar file
		set_progress_str 19 'Generating IDH services pillar'
		write_out_idh_services
	fi


	if [[ $is_minion ]]; then
		set_progress_str 20 'Accepting Salt key on manager'
		retry 20 10	accept_salt_key_remote "going to be accepted" >> $setup_log 2>&1
	fi

	if [[ $is_manager || $is_import || $is_helix ]]; then
		set_progress_str 20 'Accepting Salt key'
		retry 20 10 "salt-key -ya $MINION_ID" "going to be accepted" >> $setup_log 2>&1
	fi

	set_progress_str 21 'Copying minion pillars to manager'
	copy_minion_tmp_files >> $setup_log 2>&1

	if [[ $is_minion ]]; then
		set_progress_str 22 'Checking if the Salt Minion needs to be updated'
		salt-call state.apply -l info salt.minion >> $setup_log 2>&1
	fi

	if [[ $is_manager || $is_helix || $is_import ]]; then
		set_progress_str 23 'Generating CA'
		generate_ca >> $setup_log 2>&1
	fi

	if [[ ! $is_analyst ]]; then
		set_progress_str 24 'Generating SSL'
		generate_ssl >> $setup_log 2>&1
	fi

	if [[ $is_manager || $is_helix || $is_import ]]; then
		set_progress_str 25 'Configuring firewall'
		set_initial_firewall_policy >> $setup_log 2>&1
		
		# create these so the registry state can add so-registry to /opt/so/conf/so-status/so-status.conf
		mkdir -p /opt/so/conf/so-status/ >> $setup_log 2>&1
		touch /opt/so/conf/so-status/so-status.conf >> $setup_log 2>&1

		if [[ "$setup_type" == 'iso' ]]; then
			set_progress_str 26 'Copying containers from iso'
		else
			set_progress_str 26 'Downloading containers from the internet'
		fi
		import_registry_docker >> $setup_log 2>&1
		salt-call state.apply -l info registry >> $setup_log 2>&1
		docker_seed_registry # ~ 60% when finished
		
		set_progress_str 60 "$(print_salt_state_apply 'manager')"
		salt-call state.apply -l info manager >> $setup_log 2>&1

		echo "Executing so-elastic-auth..." >> $setup_log 2>&1
		ELASTIC_AUTH_SKIP_HIGHSTATE=true bash /opt/so/saltstack/default/salt/common/tools/sbin/so-elastic-auth true >> $setup_log 2>&1
		echo "Finished so-elastic-auth..." >> $setup_log 2>&1
	fi

	if [[ ! $is_analyst ]]; then
		set_progress_str 61 "$(print_salt_state_apply 'firewall')"
		salt-call state.apply -l info firewall >> $setup_log 2>&1
	fi

	if [[ $is_centos ]]; then
		set_progress_str 61 'Installing Yum utilities'
		salt-call state.apply -l info yum.packages >> $setup_log 2>&1
	fi

	if [[ ! $is_analyst ]]; then
		set_progress_str 62 "$(print_salt_state_apply 'common')"
		salt-call state.apply -l info common >> $setup_log 2>&1
	fi

	if [[ ! $is_helix && ! $is_receiver && ! $is_idh && ! $is_analyst ]]; then
		set_progress_str 62 "$(print_salt_state_apply 'nginx')"
		salt-call state.apply -l info nginx >> $setup_log 2>&1
	fi

	if [[ $is_manager || $is_helix || $is_import ]]; then
		set_progress_str 63 "$(print_salt_state_apply 'idstools')"
		create_local_nids_rules >> $setup_log 2>&1
		salt-call state.apply -l info idstools >> $setup_log 2>&1

		set_progress_str 63 "$(print_salt_state_apply 'suricata.manager')"
		salt-call state.apply -l info suricata.manager >> $setup_log 2>&1
	fi

	if [[ $is_manager || $is_node || $is_import || $is_helix ]]; then
		set_progress_str 64 "$(print_salt_state_apply 'elasticsearch')"
		salt-call state.apply -l info elasticsearch >> $setup_log 2>&1
	fi

	if [[ $is_sensor || $is_import ]]; then
		set_progress_str 65 "$(print_salt_state_apply 'pcap')"
		salt-call state.apply -l info pcap >> $setup_log 2>&1
	fi

	if [[ $is_sensor || $is_import || $is_helix ]]; then
		set_progress_str 66 "$(print_salt_state_apply 'suricata')"
		salt-call state.apply -l info suricata >> $setup_log 2>&1

		if [[ $(lookup_pillar "mdengine") == 'ZEEK' ]]; then
			set_progress_str 67 "$(print_salt_state_apply 'zeek')"
			salt-call state.apply -l info zeek >> $setup_log 2>&1
		fi
	fi

	if [[ $is_node ]]; then
		set_progress_str 68 "$(print_salt_state_apply 'curator')"
		salt-call state.apply -l info curator >> $setup_log 2>&1
	fi

	if [[ $is_manager || $is_import ]]; then
		set_progress_str 69 "$(print_salt_state_apply 'soc')"
		salt-call state.apply -l info soc >> $setup_log 2>&1

		set_progress_str 70 "$(print_salt_state_apply 'kibana')"
		salt-call state.apply -l info kibana.so_config_load >> $setup_log 2>&1
		salt-call state.apply -l info kibana.so_securitySolution_load >> $setup_log 2>&1
		salt-call state.apply -l info kibana.so_dashboard_load >> $setup_log 2>&1

		set_progress_str 70 "Setting up default Space in Kibana"
		so-kibana-space-defaults >> $setup_log 2>&1
	fi

	if [[ "$PLAYBOOK" = 1 ]]; then
		set_progress_str 71 "$(print_salt_state_apply 'playbook.db_init')"
		salt-call state.apply -l info playbook.db_init >> $setup_log 2>&1

		set_progress_str 71 "$(print_salt_state_apply 'playbook')"
		salt-call state.apply -l info playbook >> $setup_log 2>&1

		set_progress_str 71 "$(print_salt_state_apply 'playbook.automation_user_create')"
		salt-call state.apply -l info playbook.automation_user_create >> $setup_log 2>&1
	fi

	if [[ $is_manager ]]; then
		set_progress_str 72 "$(print_salt_state_apply 'elastalert')"
		salt-call state.apply -l info elastalert >> $setup_log 2>&1

		set_progress_str 73 "$(print_salt_state_apply 'soctopus')"
		salt-call state.apply -l info soctopus >> $setup_log 2>&1

		if [[ "$PLAYBOOK" = 1 ]]; then
			set_progress_str 73 "Update playbook rules"
			so-playbook-ruleupdate >> /root/setup_playbook_rule_update.log 2>&1 &
		fi

		if [[ "$GRAFANA" = 1 ]]; then
			set_progress_str 74 "Installing InfluxDB and Grafana"
			salt-call state.apply -l info influxdb >> $setup_log 2>&1
			salt-call state.apply -l info grafana >> $setup_log 2>&1
		fi

	fi
	
	if [[ "$OSQUERY" = 1 ]]; then

		set_progress_str 75 "$(print_salt_state_apply 'fleet.event_enable-fleet')"
		salt-call state.apply -l info fleet.event_enable-fleet >> $setup_log 2>&1

		set_progress_str 75 "$(print_salt_state_apply 'fleet')"
		salt-call state.apply -l info fleet >> $setup_log 2>&1

		set_progress_str 76 "$(print_salt_state_apply 'redis')"
		salt-call state.apply -l info redis >> $setup_log 2>&1

		if [[ $is_fleet_standalone && $FLEETCUSTOMHOSTNAME != '' ]]; then
			set_progress_str 77 "$(print_salt_state_apply 'fleet.event_update-custom-hostname')"
			pillar_override="{\"global\":{\"fleet_custom_hostname\": \"$FLEETCUSTOMHOSTNAME\"}}"
			salt-call state.apply -l info fleet.event_update-custom-hostname pillar="$pillar_override" >> $setup_log 2>&1
			rm -f /etc/pki/managerssl.crt
			salt-call state.apply -l info ssl >> $setup_log 2>&1
		fi
	
		set_progress_str 78 "$(print_salt_state_apply 'so-fleet-setup')"	
		so-fleet-setup "$FLEETNODEUSER" "$FLEETNODEPASSWD1" >> $setup_log 2>&1

	fi

	if [[ $is_idh ]]; then
		set_progress_str 79 "$(print_salt_state_apply 'idh')"
		salt-call state.apply -l info idh >> $setup_log 2>&1

	fi

	if [[ "$WAZUH" = 1 ]]; then
		set_progress_str 79 "$(print_salt_state_apply 'wazuh')"
		salt-call state.apply -l info wazuh >> $setup_log 2>&1
	fi

	if [[ "$STRELKA" = 1 ]]; then
		if [[ $is_sensor ]]; then
			set_progress_str 81 "$(print_salt_state_apply 'strelka')"
			salt-call state.apply -l info strelka >> $setup_log 2>&1
		fi
		if [[ "$STRELKARULES" = 1 ]]; then
			logCmd /usr/sbin/so-yara-update
		else
			info "Skipping running yara update: STRELKARULES='$STRELKARULES'"
		fi
	fi

	if [[ $is_manager || $is_import ]]; then		
		set_progress_str 82 "$(print_salt_state_apply 'utility')"
		salt-call state.apply -l info utility >> $setup_log 2>&1
	fi

	if [[ ( $is_helix || $is_manager || $is_node ) && ! $is_eval ]]; then
		set_progress_str 83 "$(print_salt_state_apply 'logstash')"
		salt-call state.apply -l info logstash >> $setup_log 2>&1

		set_progress_str 84 "$(print_salt_state_apply 'filebeat')"
		salt-call state.apply -l info filebeat >> $setup_log 2>&1
	fi

	if [[ ! $is_analyst ]]; then
		set_progress_str 85 'Applying finishing touches'
		filter_unused_nics >> $setup_log 2>&1
		network_setup >> $setup_log 2>&1
		so-ssh-harden >> $setup_log 2>&1
	fi
	
	if [[ $is_manager || $is_import ]]; then
		set_progress_str 87 'Adding user to SOC'
		add_web_user >> $setup_log 2>&1
	fi
	
	if [[ $is_analyst ]]; then
		# Remove access to the manager from the analyst workstation
		rm -rf /root/.ssh/so.key*
	fi

	set_progress_str 90 'Enabling checkin at boot'
	checkin_at_boot >> $setup_log 2>&1

	set_progress_str 95 'Verifying setup'
	salt-call -l info state.highstate queue=True >> $setup_log 2>&1

} | progress

success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}')
if [[ $success != 0 ]]; then SO_ERROR=1; fi

# Check entire setup log for errors or unexpected salt states and ensure cron jobs are not reporting errors to root's mailbox
# Ignore "Status .* was not found" due to output from salt http.query or http.wait_for_successful_query states used with retry
# Uncaught exception, closing connection|Exception in callback None - this is seen during influxdb / http.wait_for_successful_query state for ubuntu reinstall
if grep -E "ERROR|Result: False" $setup_log | grep -qvE "Status .* was not found|An exception occurred in this state|Uncaught exception, closing connection|Exception in callback None|deprecation: ERROR|code: 100|Running scope as unit" || [[ -s /var/spool/mail/root && "$setup_type" == "iso" ]]; then
	SO_ERROR=1
	grep --color=never "ERROR" "$setup_log" | grep -qvE "Status .* was not found|An exception occurred in this state|Uncaught exception, closing connection|Exception in callback None|deprecation: ERROR|code: 100|Running scope as unit" > "$error_log"
fi

if [[ -n $SO_ERROR ]]; then 
	echo "Errors detected during setup; skipping post-setup steps to allow for analysis of failures." >> $setup_log 2>&1

	SKIP_REBOOT=1
	whiptail_setup_failed
else 
	echo "Successfully completed setup! Continuing with post-installation steps" >> $setup_log 2>&1
	{
		export percentage=95 # set to last percentage used in previous subshell
		if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then 
			set_progress_str 96 "Stopping SOC prior to adjusting firewall rules"
			so-soc-stop # Stop SOC so it doesn't accept external requests prior to the reboot
			
			set_progress_str 97 "Running so-allow -${ALLOW_ROLE} for ${ALLOW_CIDR}"
			IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1
		fi

		if [[ $is_manager ]]; then
			set_progress_str 98 "Generating archive for setup directory"
			generate_repo_tarball >> "$setup_log" 2>&1
		fi

		if [[ -n $LEARN_LOGSCAN_ENABLE ]]; then
			set_progress_str 99 'Enabling logscan'
			so-learn enable logscan --apply >> $setup_log 2>&1
		fi

		if [[ -n $ENDGAMEHOST ]]; then
			set_progress_str 99 'Configuring firewall for Endgame SMP'
			so-firewall --apply includehost endgame $ENDGAMEHOST   >> $setup_log 2>&1
		fi

	} | whiptail_gauge_post_setup "Running post-installation steps..."

	echo "Post-installation steps have completed. Awaiting user input to clean up installer." >> $setup_log 2>&1
	whiptail_setup_complete
	[[ $setup_type != 'iso' && ! $is_idh ]] && whiptail_ssh_warning
fi

install_cleanup >> "$setup_log" 2>&1

if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; else exit; fi
