Merge remote-tracking branch 'origin/2.4/dev' into reyesj2/kafka

Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>

setup/so-functions

@@ -762,21 +762,6 @@ copy_salt_master_config() {
 	logCmd "systemctl restart salt-master"
 }
 
-create_local_directories() {
-	info "Creating local pillar and salt directories"
-	PILLARSALTDIR=${SCRIPTDIR::-5}
-	for i in "pillar" "salt"; do
-		for d in $(find $PILLARSALTDIR/$i -type d); do
-			suffixdir=${d//$PILLARSALTDIR/}
-			if [ ! -d "$local_salt_dir/$suffixdir" ]; then
-				logCmd "mkdir -pv $local_salt_dir$suffixdir"
-			fi
-		done
-		logCmd "chown -R socore:socore $local_salt_dir/$i"
-	done
-
-}
-
 create_local_nids_rules() {
 	title "Create a local.rules file so it doesn't get removed on updates"
 	logCmd "mkdir -p /opt/so/saltstack/local/salt/idstools"
@@ -1272,12 +1257,27 @@ soc_pillar() {
 		"      srvKey: '$SOCSRVKEY'"\
 		"      modules:"\
 		"        elastalertengine:"\
-		"          allowRegex: '$ELASTALERT_ALLOW_REGEX'"\
+		"          allowRegex: '$ELASTALERT_ALLOW_REGEX'" > "$soc_pillar_file"
+	if [[ -n "$ELASTALERT_FAIL_ERROR_COUNT" ]]; then
+		printf '%s\n'\
+	    "          failAfterConsecutiveErrorCount: $ELASTALERT_FAIL_ERROR_COUNT" >> "$soc_pillar_file"
+	fi
+	
+	printf '%s\n'\
 		"        strelkaengine:"\
-		"          allowRegex: '$STRELKA_ALLOW_REGEX'"\
+		"          allowRegex: '$STRELKA_ALLOW_REGEX'" >> "$soc_pillar_file"
+	if [[ -n "$STRELKA_FAIL_ERROR_COUNT" ]]; then
+	 	printf '%s\n'\
+		"          failAfterConsecutiveErrorCount: $STRELKA_FAIL_ERROR_COUNT" >> "$soc_pillar_file"
+	fi
+	
+	printf '%s\n'\
 		"        suricataengine:"\
-		"          allowRegex: '$SURICATA_ALLOW_REGEX'"\
-		"" > "$soc_pillar_file"
+		"          allowRegex: '$SURICATA_ALLOW_REGEX'" >> "$soc_pillar_file"
+	if [[ -n "$SURICATA_FAIL_ERROR_COUNT" ]]; then
+		printf '%s\n'\
+		"          failAfterConsecutiveErrorCount: $SURICATA_FAIL_ERROR_COUNT" >> "$soc_pillar_file"
+	fi
 
 	if [[ $telemetry -ne 0 ]]; then
 		echo "  telemetryEnabled: false" >> $soc_pillar_file

setup/so-setup

@@ -246,8 +246,11 @@ if [ -n "$test_profile" ]; then
 	WEBPASSWD1=0n10nus3r
 	WEBPASSWD2=0n10nus3r
 	STRELKA_ALLOW_REGEX="EquationGroup_Toolset_Apr17__ELV_.*"
+	STRELKA_FAIL_ERROR_COUNT=1
 	ELASTALERT_ALLOW_REGEX="Security Onion"
+	ELASTALERT_FAIL_ERROR_COUNT=1
 	SURICATA_ALLOW_REGEX="(200033\\d|2100538|2102466)"
+	SURICATA_FAIL_ERROR_COUNT=1
 
 	update_sudoers_for_testing
 fi
@@ -679,7 +682,7 @@ if ! [[ -f $install_opt_file ]]; then
 		# Add the socore user
 		add_socore_user_manager
 		
-		create_local_directories
+		create_local_directories ${SCRIPTDIR::-5}
 		setup_salt_master_dirs
 		create_manager_pillars
 
@@ -771,16 +774,10 @@ if ! [[ -f $install_opt_file ]]; then
 		if [[ ! $is_airgap ]]; then
 			title "Downloading IDS Rules"
 			logCmd "so-rule-update"
-			title "Downloading YARA rules"
-			logCmd "su socore -c '/usr/sbin/so-yara-download'"
 			if [[ $monints || $is_import ]]; then
 				title "Restarting Suricata to pick up the new rules"
 				logCmd "so-suricata-restart"
 			fi
-			if [[ $monints ]]; then
-				title "Restarting Strelka to use new rules"
-				logCmd "so-strelka-restart"
-			fi
 		fi
 		title "Setting up Kibana Default Space"
 		logCmd "so-kibana-space-defaults"

setup/so-whiptail

@@ -451,7 +451,7 @@ whiptail_end_settings() {
 		done
 	fi
 
-	if [[ ! $is_airgap ]]; then
+	if [[ ! $is_airgap ]] && [[ $waitforstate ]]; then
 		if [[ $telemetry -eq 0 ]]; then
 			__append_end_msg "SOC Telemetry: enabled"
 		else
@@ -475,7 +475,7 @@ whiptail_end_settings() {
 	read -r -d '' msg <<-EOM
 	$end_msg
 
-	Press the Tab key to select yes or no.
+	Press the TAB key to select yes or no.
 	EOM
 
 	whiptail --title "The following options have been set, would you like to proceed?" --yesno "$msg" 24 75 --scrolltext