From 4672b0c15c1d077c7cb85eef6b47db525489e03c Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 23 Nov 2021 10:06:14 -0500 Subject: [PATCH 1/4] Fix #6317 - Do not attempt to whitelist when wazuh isn't enabled --- salt/common/tools/sbin/so-allow | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow index 769dcc1e9..6a66876e7 100755 --- a/salt/common/tools/sbin/so-allow +++ b/salt/common/tools/sbin/so-allow @@ -79,10 +79,10 @@ def ip_prompt() -> str: def wazuh_enabled() -> bool: - for file in os.listdir(f'{LOCAL_SALT_DIR}/pillar'): - with open(file, 'r') as pillar: - if 'wazuh: 1' in pillar.read(): - return True + file = f'{LOCAL_SALT_DIR}/pillar/global.sls' + with open(file, 'r') as pillar: + if 'wazuh: 1' in pillar.read(): + return True return False @@ -124,7 +124,7 @@ def apply(role: str, ip: str) -> int: else: return cmd.returncode if cmd.returncode == 0: - if wazuh_enabled and role=='analyst': + if wazuh_enabled() and role=='analyst': try: add_wl(ip) print(f'Added whitelist entry for {ip} from {WAZUH_CONF}', file=sys.stderr) From af4c04be5970388da7bdf272e728f5d7306cfef6 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 23 Nov 2021 10:57:21 -0500 Subject: [PATCH 2/4] Fix #6325 - Prevent XML header from outputting to ossec.conf --- salt/common/tools/sbin/so-allow | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow index 6a66876e7..6aa20df1e 100755 --- a/salt/common/tools/sbin/so-allow +++ b/salt/common/tools/sbin/so-allow @@ -23,7 +23,6 @@ import sys import argparse import re from lxml import etree as ET -from xml.dom import minidom from datetime import datetime as dt from datetime import timezone as tz 
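Review bot: The test `'wazuh: 1' in pillar.read()` in wazuh_enabled() is a raw substring match, so a commented-out `# wazuh: 1`, a value such as `wazuh: 10`, or any longer key that ends in `wazuh` also returns True. That result decides whether an IP is written to the Wazuh whitelist, so it is worth anchoring the match to a whole line: `if re.search(r'^\s*wazuh:\s*1\s*$', pillar.read(), re.MULTILINE):` (`re` is already imported in this file). If the pillar can carry trailing comments on that line, the pattern needs to allow for them. A one-line docstring naming global.sls as the single source of the setting would also help the next reader.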
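Review bot: Now that `wazuh_enabled()` is actually called, it runs in the `if` condition before the `try:` that wraps `add_wl(ip)`, so an exception from it (for example open() failing on a missing or unreadable global.sls) escapes apply() after the firewall command has already returned 0. The host is then left with the firewall change applied, no whitelist entry and a traceback instead of a return code. Either move the check inside the `try:` or have wazuh_enabled() return False on `OSError`. Writing the condition as `if role == 'analyst' and wazuh_enabled():` additionally avoids reading the pillar for other roles. The except clause and the rest of apply() are outside the hunk, so what is caught there is not visible.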
@@ -87,12 +86,7 @@ def wazuh_enabled() -> bool: def root_to_str(root: ET.ElementTree) -> str: - xml_str = ET.tostring(root, encoding='unicode', method='xml').replace('\n', '') - xml_str = re.sub(r'(?:(?<=>) *)', '', xml_str) - xml_str = re.sub(r' -', '', xml_str) - xml_str = re.sub(r' -->', ' -->', xml_str) - dom = minidom.parseString(xml_str) - return dom.toprettyxml(indent=" ") + return ET.tostring(root, encoding='unicode', method='xml', xml_declaration=False, pretty_print=True) def add_wl(ip): From c67b2b693650e6a35c6146c9dae8f6aaf22c91d7 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Tue, 23 Nov 2021 11:14:10 -0500 Subject: [PATCH 3/4] Update soup only check if salt was upgraded if upgrade_salt function was called --- salt/common/tools/sbin/soup | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 55efde5a9..b497d9c24 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
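Review bot: root_to_str() has no docstring recording why the declaration is suppressed. Something like `"""Serialise the tree for ossec.conf without an XML declaration (see #6325)."""` would keep a later edit from reintroducing the header. The layout of the output now depends on code the hunk does not show: lxml's `pretty_print=True` leaves existing whitespace text nodes alone, so unless the file is parsed with `remove_blank_text=True`, newly appended whitelist elements may come out unindented beside the already formatted ones. If the removed `re.sub` calls were the only users of `re`, the `import re` kept by the import hunk is now unused; that cannot be confirmed from this page.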
@@ -933,21 +933,21 @@ main() { echo "Upgrading Salt" # Update the repo files so it can actually upgrade upgrade_salt - fi - - echo "Checking if Salt was upgraded." - echo "" - # Check that Salt was upgraded - SALTVERSIONPOSTUPGRADE=$(salt --versions-report | grep Salt: | awk '{print $2}') - if [[ "$SALTVERSIONPOSTUPGRADE" != "$NEWSALTVERSION" ]]; then - echo "Salt upgrade failed. Check of indicators of failure in $SOUP_LOG." - echo "Once the issue is resolved, run soup again." - echo "Exiting." - echo "" - exit 0 - else - echo "Salt upgrade success." + + echo "Checking if Salt was upgraded." echo "" + # Check that Salt was upgraded + SALTVERSIONPOSTUPGRADE=$(salt --versions-report | grep Salt: | awk '{print $2}') + if [[ "$SALTVERSIONPOSTUPGRADE" != "$NEWSALTVERSION" ]]; then + echo "Salt upgrade failed. Check of indicators of failure in $SOUP_LOG." + echo "Once the issue is resolved, run soup again." + echo "Exiting." + echo "" + exit 0 + else + echo "Salt upgrade success." + echo "" + fi fi preupgrade_changes From 0dd251e2a9c24efbaefd5bf7837614aed3190d83 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 23 Nov 2021 11:19:53 -0500 Subject: [PATCH 4/4] Fix typo in whiptail prompt --- setup/so-whiptail | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 5a0b7a819..c49e7396a 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -753,7 +753,7 @@ whiptail_install_type_dist() { dist_option=$(whiptail --title "$whiptail_title" --menu "Do you want to start a new deployment or join this box to \nan existing deployment?" 11 75 2 \ "New Deployment " "Create a new Security Onion deployment" \ - "Existing Deployment " "Join to an exisiting Security Onion deployment " \ + "Existing Deployment " "Join to an existing Security Onion deployment " \ 3>&1 1>&2 2>&3 ) local exitstatus=$?
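Review bot: The failure branch that this hunk re-indents still ends in `exit 0`, so a failed Salt upgrade is reported as success to whatever invoked soup, and wrappers or automation cannot tell that the box was left on the old Salt version. Unless the zero status is deliberate, `exit 1` there would make the failure detectable. The message on the same branch reads "Check of indicators of failure" and probably should be `echo "Salt upgrade failed. Check for indicators of failure in $SOUP_LOG."`. main() begins and continues outside the hunk.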