Merge branch 'dev' of https://github.com/Security-Onion-Solutions/securityonion into dev

2025-12-07 09:42:46 +01:00 · 2021-01-19 11:28:27 -05:00
parent 76c7c46887 d91913e58e
commit 3ef8106d8d
12 changed files with 202 additions and 164 deletions
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -48,7 +48,7 @@ add_interface_bond0() {
 	esac
 	for i in rx tx sg tso ufo gso gro lro; do
-		if [[ $verbose != true ]]; then
+		if [[ $verbose == true ]]; then
 			ethtool -K "$BNIC" $i off
 		else
 			ethtool -K "$BNIC" $i off &>/dev/null
@@ -75,7 +75,7 @@ add_interface_bond0() {
 	ip link set dev "$BNIC" arp off multicast off allmulticast off promisc on
 	# Bring the slave interface up
-	if [[ $verbose != true ]]; then
+	if [[ $verbose == true ]]; then
 		nmcli con up "bond0-slave-$BNIC"
 	else
 		nmcli con up "bond0-slave-$BNIC" &>/dev/null
--- a/salt/common/tools/sbin/so-monitor-add
+++ b/salt/common/tools/sbin/so-monitor-add
@@ -2,6 +2,4 @@
 . /usr/sbin/so-common
 set -e
 add_interface_bond0 "$1"
--- a/salt/common/tools/sbin/so-test
+++ b/salt/common/tools/sbin/so-test
@@ -15,4 +15,4 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-so-tcpreplay /opt/samples/*
+so-tcpreplay /opt/samples/* 2> /dev/null
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -103,7 +103,7 @@ update_registry() {
 check_airgap() {
  # See if this is an airgap install
-  AIRGAP=$(cat /opt/so/saltstack/local/pillar/global.sls | grep airgap | awk '{print $2}')
+  AIRGAP=$(cat /opt/so/saltstack/local/pillar/global.sls | grep airgap: | awk '{print $2}')
  if [[ "$AIRGAP" == "True" ]]; then
      is_airgap=0
      UPDATE_DIR=/tmp/soagupdate/SecurityOnion
--- a/salt/influxdb/etc/influxdb.conf
+++ b/salt/influxdb/etc/influxdb.conf
@@ -550,6 +550,25 @@
  #   "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
  #   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  # ]
  ciphers = [
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
      "TLS_RSA_WITH_AES_128_CBC_SHA",
      "TLS_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_RSA_WITH_AES_256_CBC_SHA",
      "TLS_RSA_WITH_AES_256_GCM_SHA384",
  ]
  # Minimum version of the tls protocol that will be negotiated. If not specified, uses the
  # default settings from Go's crypto/tls package.
--- a/salt/soc/files/soc/custom.js
+++ b/salt/soc/files/soc/custom.js
@@ -0,0 +1,24 @@
 // Copyright 2019 Jason Ertel (jertel). All rights reserved.
 // Copyright 2021 Security Onion Solutions, LLC. All rights reserved.
 //
 // This program is distributed under the terms of version 2 of the
 // GNU General Public License.  See LICENSE for further details.
 //
 // This program is distributed in the hope that it will be useful,
 // but WITHOUT ANY WARRANTY; without even the implied warranty of
 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 /* 
   *** WARNING *** WARNING *** WARNING ***
   Future upgrades of Security Onion are NOT guaranteed to work
   with any content added to this file. Knowing this, it is strongly
   suggested to avoid and/or minimize the extent of any
   content placed here so that upgrading to newer version of 
   Security Onion do not become a burden.
 	 Example:
 	   i18n.translations["en-US"].loginHeader = "Unauthorized use of this computer system is prohibited...";
 */
--- a/salt/soc/init.sls
+++ b/salt/soc/init.sls
@@ -46,6 +46,15 @@ socchanges:
    - mode: 600
    - template: jinja
 soccustom:
  file.managed:
    - name: /opt/so/conf/soc/custom.js
    - source: salt://soc/files/soc/custom.js
    - user: 939
    - group: 939
    - mode: 600
    - template: jinja
 so-soc:
  docker_container.running:
    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-soc:{{ VERSION }}
@@ -55,6 +64,7 @@ so-soc:
      - /nsm/soc/jobs:/opt/sensoroni/jobs:rw
      - /opt/so/conf/soc/soc.json:/opt/sensoroni/sensoroni.json:ro
      - /opt/so/conf/soc/changes.json:/opt/sensoroni/html/changes.json:ro
      - /opt/so/conf/soc/custom.js:/opt/sensoroni/html/js/custom.js:ro
      - /opt/so/log/soc/:/opt/sensoroni/logs/:rw
    {%- if salt['pillar.get']('nodestab', {}) %}
    - extra_hosts:
--- a/setup/automation/distributed-airgap-search
+++ b/setup/automation/distributed-airgap-search
@@ -49,7 +49,7 @@ MANAGERUPDATES=1
 MNIC=eth0
 # MSEARCH=
 MSRV=distributed-manager
-MSRVIP=10.66.166.42
+MSRVIP=10.66.166.52
 # MTU=
 # NIDS=Suricata
 # NODE_ES_HEAP_SIZE=
--- a/setup/automation/distributed-airgap-sensor
+++ b/setup/automation/distributed-airgap-sensor
@@ -49,7 +49,7 @@ MANAGERUPDATES=1
 MNIC=eth0
 # MSEARCH=
 MSRV=distributed-manager
-MSRVIP=10.66.166.42
+MSRVIP=10.66.166.52
 # MTU=
 # NIDS=Suricata
 # NODE_ES_HEAP_SIZE=
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -129,19 +129,6 @@ add_admin_user() {
 }
 add_manager_hostfile() {
 	[ -n "$TESTING" ] && return
 	echo "Checking if I can resolve manager. If not add to hosts file" >> "$setup_log" 2>&1
 	# Pop up an input to get the IP address
 	MSRVIP=$(whiptail --title "Security Onion Setup" --inputbox \
 	"Enter your Manager Server IP Address:" 10 60 X.X.X.X 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
 }
 add_mngr_ip_to_hosts() {
 	echo "$MSRVIP   $MSRV" >> /etc/hosts
 }
@@ -361,7 +348,7 @@ collect_adminuser_inputs() {
 	while ! valid_username "$ADMINUSER"; do
 		whiptail_invalid_input
-		whiptail_create_admin_user
+		whiptail_create_admin_user "$ADMINUSER"
 	done
 	APMATCH=no
@@ -373,62 +360,62 @@ collect_adminuser_inputs() {
 }
 collect_cur_close_days() {
-	whiptail_cur_close_days
+	whiptail_cur_close_days "$CURCLOSEDAYS"
 	while ! valid_int "$CURCLOSEDAYS" "1"; do
 		whiptail_invalid_input
-		whiptail_cur_close_days
+		whiptail_cur_close_days "$CURCLOSEDAYS"
 	done
 }
 collect_dns() {
-	whiptail_management_interface_dns
+	whiptail_management_interface_dns "8.8.8.8,8.8.4.4"
 	while ! valid_dns_list "$MDNS"; do
 		whiptail_invalid_input
-		whiptail_management_interface_dns
+		whiptail_management_interface_dns "$MDNS"
 	done
 	MDNS=$(echo "$MDNS" | tr -s "," " ") # MDNS needs to be space separated, we prompt for comma separated for consistency
 }
 collect_dns_domain() {
-	whiptail_management_interface_dns_search
+	whiptail_management_interface_dns_search "searchdomain.local"
 	while ! valid_fqdn "$MSEARCH"; do
 		whiptail_invalid_input
-		whiptail_management_interface_dns_search
+		whiptail_management_interface_dns_search "$MSEARCH"
 	done
 }
 collect_dockernet() {
 	if ! whiptail_dockernet_check; then
-		whiptail_dockernet_net
+		whiptail_dockernet_net "172.17.0.0"
 		while ! valid_ip4 "$DOCKERNET"; do
 			whiptail_invalid_input
-			whiptail_dockernet_net
+			whiptail_dockernet_net "$DOCKERNET"
 		done
 	fi
 }
 collect_es_cluster_name() {
 	if whiptail_manager_adv_escluster; then
-		whiptail_manager_adv_escluster_name
+		whiptail_manager_adv_escluster_name "securityonion"
 		while ! valid_string "$ESCLUSTERNAME"; do
 			whiptail_invalid_string "ES cluster name"
-			whiptail_manager_adv_escluster_name
+			whiptail_manager_adv_escluster_name "$ESCLUSTERNAME"
 		done
 	fi
 }
 collect_es_space_limit() {
-	whiptail_log_size_limit
+	whiptail_log_size_limit "$log_size_limit"
 	while ! valid_int "$log_size_limit" "1"; do # Upper/lower bounds?
 		whiptail_invalid_input
-		whiptail_log_size_limit
+		whiptail_log_size_limit "$log_size_limit"
 	done
 }
@@ -437,20 +424,17 @@ collect_fleet_custom_hostname_inputs() {
 	while ! valid_fqdn "$FLEETCUSTOMHOSTNAME" || [[ $FLEETCUSTOMHOSTNAME != "" ]]; do
 		whiptail_invalid_input
-		whiptail_fleet_custom_hostname
+		whiptail_fleet_custom_hostname "$FLEETCUSTOMHOSTNAME"
 	done
 }
 # Get a username & password for the Fleet admin user
 collect_fleetuser_inputs() {
 	# Get a username & password for the Fleet admin user
 	local valid_user=no
 	while [[ $valid_user != yes ]]; do
 	whiptail_create_fleet_node_user
-		if so-user valemail "$FLEETNODEUSER" >> "$setup_log" 2>&1; then
+	
-			valid_user=yes
+	while ! so-user valemail "$FLEETNODEUSER" >> "$setup_log" 2>&1; do
 		else
 		whiptail_invalid_user_warning
-		fi
+		whiptail_create_fleet_node_user "$FLEETNODEUSER"
 	done
 	FPMATCH=no
@@ -470,7 +454,7 @@ collect_gateway() {
 	while ! valid_ip4 "$MGATEWAY"; do
 		whiptail_invalid_input
-		whiptail_management_interface_gateway
+		whiptail_management_interface_gateway "$MGATEWAY"
 	done
 }
@@ -479,11 +463,11 @@ collect_helix_key() {
 }
 collect_homenet_mngr() {
-	whiptail_homenet_manager
+	whiptail_homenet_manager "10.0.0.0/8,192.168.0.0/16,172.16.0.0/12"
 	while ! valid_cidr_list "$HNMANAGER"; do
 		whiptail_invalid_input
-		whiptail_homenet_manager
+		whiptail_homenet_manager "$HNMANAGER"
 	done
 }
@@ -491,24 +475,23 @@ collect_homenet_snsr() {
 	if whiptail_homenet_sensor_inherit; then
 		export HNSENSOR=inherit
 	else
-		whiptail_homenet_sensor
+		whiptail_homenet_sensor "10.0.0.0/8,192.168.0.0/16,172.16.0.0/12"
 		while ! valid_cidr_list "$HNSENSOR"; do
 			whiptail_invalid_input
-			whiptail_homenet_sensor
+			whiptail_homenet_sensor "$HNSENSOR"
 		done
 	fi
 }
 collect_hostname() {
-	HOSTNAME=$(cat /etc/hostname)
+	if [[ $automated == no ]] && [[ "$HOSTNAME" == *'localhost'* ]]; then HOSTNAME=securityonion; fi
 	if [[ "$HOSTNAME" == *'localhost'* ]]; then HOSTNAME=securityonion; fi
-	whiptail_set_hostname
+	whiptail_set_hostname "$HOSTNAME"
 	while ! valid_hostname "$HOSTNAME"; do
 		whiptail_invalid_hostname
-		whiptail_set_hostname
+		whiptail_set_hostname "$HOSTNAME"
 	done
 }
@@ -517,7 +500,7 @@ collect_int_ip_mask() {
 	while ! valid_cidr "$manager_ip_mask"; do
 		whiptail_invalid_input
-		whiptail_management_interface_ip_mask
+		whiptail_management_interface_ip_mask "$manager_ip_mask"
 	done
 	MIP=$(echo "$manager_ip_mask" | sed 's/\/.*//' )
@@ -529,74 +512,81 @@ collect_mngr_hostname() {
 	while ! valid_hostname "$MSRV"; do
 		whiptail_invalid_hostname
-		whiptail_management_server
+		whiptail_management_server "$MSRV"
 	done
 	if ! getent hosts "$MSRV"; then
-		add_manager_hostfile
+		whiptail_manager_ip
 		while ! valid_ip4 "$MSRVIP"; do
 			whiptail_invalid_input
 			whiptail_manager_ip "$MSRVIP"
 		done
 	else
 		MSRVIP=$(getent hosts "$MSRV" | awk 'NR==1{print $1}')
 	fi
 }
 collect_mtu() {
-	whiptail_bond_nics_mtu
+	whiptail_bond_nics_mtu "1500"
 	while ! valid_int "$MTU" "68"; do
 		whiptail_invalid_input
-		whiptail_bond_nics_mtu
+		whiptail_bond_nics_mtu "$MTU"
 	done
 }
 collect_node_es_heap() {
-	whiptail_node_es_heap
+	whiptail_node_es_heap "$ES_HEAP_SIZE"
 	while ! valid_int "$NODE_ES_HEAP_SIZE"; do
 		whiptail_invalid_input
-		whiptail_node_es_heap
+		whiptail_node_es_heap "$NODE_ES_HEAP_SIZE"
 	done
 }
 collect_node_ls_heap() {
-	whiptail_node_ls_heap
+	whiptail_node_ls_heap "$LS_HEAP_SIZE"
 	while ! valid_int "$NODE_LS_HEAP_SIZE"; do
 		whiptail_invalid_input
-		whiptail_node_ls_heap
+		whiptail_node_ls_heap "$NODE_LS_HEAP_SIZE"
 	done
 }
 collect_node_ls_input() {
-	whiptail_node_ls_input_threads
+	whiptail_node_ls_input_threads "1"
 	while ! valid_int "$LSINPUTTHREADS"; do
 		whiptail_invalid_input
-		whiptail_node_ls_input_threads
+		whiptail_node_ls_input_threads "$LSINPUTTHREADS"
 	done
 }
 collect_node_ls_pipeline_batch_size() {
-	whiptail_node_ls_pipline_batchsize
+	whiptail_node_ls_pipline_batchsize "125"
 	while ! valid_int "$LSPIPELINEBATCH"; do
 		whiptail_invalid_input
-		whiptail_node_ls_pipline_batchsize
+		whiptail_node_ls_pipline_batchsize "$LSPIPELINEBATCH"
 	done
 }
 collect_node_ls_pipeline_worker_count() {
-	whiptail_node_ls_pipeline_worker
+	whiptail_node_ls_pipeline_worker "$num_cpu_cores"
 	while ! valid_int "$LSPIPELINEWORKERS"; do
 		whiptail_invalid_input
-		whiptail_node_ls_pipeline_worker
+		whiptail_node_ls_pipeline_worker "$LSPIPELINEWORKERS"
 	done
 }
 collect_oinkcode() {
 	whiptail_oinkcode
 	while ! valid_string "$OINKCODE" "" "128"; do #TODO: verify max length here
 		whiptail_invalid_input
-		whiptail_oinkcode
+		whiptail_oinkcode "$OINKCODE"
 	done
 }
@@ -627,7 +617,7 @@ collect_patch_schedule_name_new() {
 	while ! valid_string "$PATCHSCHEDULENAME"; do
 		whiptail_invalid_string "schedule name"
-		whiptail_patch_name_new_schedule
+		whiptail_patch_name_new_schedule "$PATCHSCHEDULENAME"
 	done
 }
@@ -636,25 +626,26 @@ collect_patch_schedule_name_import() {
 	while ! valid_string "$PATCHSCHEDULENAME"; do
 		whiptail_invalid_string "schedule name"
-		whiptail_patch_schedule_import
+		whiptail_patch_schedule_import "$PATCHSCHEDULENAME"
 	done
 }
 collect_redirect_host() {
-	whiptail_set_redirect_host
+	whiptail_set_redirect_host "$HOSTNAME"
 	while ! valid_ip4 "$REDIRECTHOST" && ! valid_hostname "$REDIRECTHOST" && ! valid_fqdn "$REDIRECTHOST"; do
 		whiptail_invalid_input
-		whiptail_set_redirect_host
+		whiptail_set_redirect_host "$REDIRECTHOST"
 	done
 }
 collect_so_allow() {
 	if whiptail_so_allow_yesno; then
 		whiptail_so_allow
 		while ! valid_cidr "$ALLOW_CIDR" && ! valid_ip4 "$ALLOW_CIDR"; do
 			whiptail_invalid_input
-			whiptail_so_allow
+			whiptail_so_allow "$ALLOW_CIDR"
 		done
 	fi
 }
@@ -670,24 +661,21 @@ collect_soremote_inputs() {
 }
 collect_suri() {
-	whiptail_basic_suri
+	whiptail_basic_suri "$PROCS"
 	while ! valid_int "$BASICSURI"; do
 		whiptail_invalid_input
-		whiptail_basic_suri
+		whiptail_basic_suri "$BASICSURI"
 	done
 }
 # Get an email & password for the web admin user
 collect_webuser_inputs() {
 	# Get a password for the web admin user
 	local valid_user=no
 	while [[ $valid_user != yes ]]; do
 	whiptail_create_web_user
-		if so-user valemail "$WEBUSER" >> "$setup_log" 2>&1; then
+
-			valid_user=yes
+	while ! so-user valemail "$WEBUSER" >> "$setup_log" 2>&1; do
 		else
 		whiptail_invalid_user_warning
-		fi
+		whiptail_create_web_user "$WEBUSER"
 	done
 	WPMATCH=no
@@ -707,11 +695,11 @@ collect_webuser_inputs() {
 }
 collect_zeek() {
-	whiptail_basic_zeek
+	whiptail_basic_zeek "$PROCS"
 	while ! valid_int "$BASICZEEK"; do
 		whiptail_invalid_input
-		whiptail_basic_zeek
+		whiptail_basic_zeek "$BASICZEEK"
 	done
 }
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -461,6 +461,12 @@ if [[ $is_sensor && ! $is_eval ]]; then
 		whiptail_suricata_pins
 		collect_mtu
 	else
 		if [[ $is_node && $is_sensor && ! $is_eval ]]; then
 			PROCS=$(( lb_procs / 2 ))
 			if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi
 		else
 			PROCS=$lb_procs
 		fi
 		[[ $ZEEKVERSION == "ZEEK" ]] && collect_zeek
 		collect_suri
 	fi
@@ -857,8 +863,6 @@ if [[ -n $SO_ERROR ]]; then
 else 
 	echo "Successfully completed setup! Continuing with post-installation steps" >> $setup_log 2>&1
 	{
 		[[ -n "$TESTING" ]] && logCmd so-test
 		export percentage=95 # set to last percentage used in previous subshell
 		if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then 
 			set_progress_str 96 "Stopping SOC prior to adjusting firewall rules"
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -32,15 +32,8 @@ whiptail_basic_suri() {
 	[ -n "$TESTING" ] && return
 	if [[ $is_node && $is_sensor && ! $is_eval ]]; then
 	  local PROCS=$(expr $lb_procs / 2)
      if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi
 	else
 	  local PROCS=$lb_procs
 	fi
 	BASICSURI=$(whiptail --title "Security Onion Setup" --inputbox \
-	"Enter the number of Suricata processes:" 10 75 "$PROCS" 3>&1 1>&2 2>&3)
+	"Enter the number of Suricata processes:" 10 75 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -51,15 +44,8 @@ whiptail_basic_zeek() {
 	[ -n "$TESTING" ] && return
 	if [[ $is_node && $is_sensor && ! $is_eval ]]; then
 	  local PROCS=$(expr $lb_procs / 2)
      if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi
 	else
 	  local PROCS=$lb_procs
 	fi
 	BASICZEEK=$(whiptail --title "Security Onion Setup" --inputbox \
-	"Enter the number of zeek processes:" 10 75 "$PROCS" 3>&1 1>&2 2>&3)
+	"Enter the number of zeek processes:" 10 75 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -71,7 +57,7 @@ whiptail_bond_nics_mtu() {
 	# Set the MTU on the monitor interface
 	MTU=$(whiptail --title "Security Onion Setup" --inputbox \
-	"Enter the MTU for the monitor NICs:" 10 75 1500 3>&1 1>&2 2>&3)
+	"Enter the MTU for the monitor NICs:" 10 75 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -117,7 +103,7 @@ whiptail_create_admin_user() {
 	[ -n "$TESTING" ] && return
 	ADMINUSER=$(whiptail --title "Security Onion Install" --inputbox \
-	"Please enter a username for a new system admin user: \nThe local onion account will be disabled during this install" 10 60 3>&1 1>&2 2>&3)
+	"Please enter a username for a new system admin user: \nThe local onion account will be disabled during this install" 10 60 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -151,7 +137,7 @@ whiptail_create_fleet_node_user() {
 	[ -n "$TESTING" ] && return
 	FLEETNODEUSER=$(whiptail --title "Security Onion Install" --inputbox \
-	"Please enter an email for use as the username for the Fleet admin user:" 10 60 3>&1 1>&2 2>&3)
+	"Please enter an email for use as the username for the Fleet admin user:" 10 60 "$1" 3>&1 1>&2 2>&3)
 }
@@ -215,7 +201,7 @@ whiptail_create_web_user() {
 	[ -n "$TESTING" ] && return
 	WEBUSER=$(whiptail --title "Security Onion Install" --inputbox \
-	"Please enter an email address to create an administrator account for the web interface: \nThis will also be used for TheHive, Cortex, and Fleet." 10 60 3>&1 1>&2 2>&3)
+	"Please enter an email address to create an administrator account for the web interface: \nThis will also be used for TheHive, Cortex, and Fleet." 10 60 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -306,7 +292,7 @@ whiptail_cur_close_days() {
 	[ -n "$TESTING" ] && return
 	CURCLOSEDAYS=$(whiptail --title "Security Onion Setup" --inputbox \
-	"Please specify the threshold (in days) at which Elasticsearch indices will be closed:" 10 75 $CURCLOSEDAYS 3>&1 1>&2 2>&3)
+	"Please specify the threshold (in days) at which Elasticsearch indices will be closed:" 10 75 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -385,7 +371,7 @@ whiptail_dockernet_net() {
 	[ -n "$TESTING" ] && return
 	DOCKERNET=$(whiptail --title "Security Onion Setup" --inputbox \
-	"\nEnter a /24 size network range for docker to use WITHOUT the /24 notation: \nThis range will be used on ALL nodes \n(Default value is pre-populated.)" 10 75 172.17.0.0 3>&1 1>&2 2>&3)
+	"\nEnter a /24 size network range for docker to use WITHOUT the /24 suffix. This range will be used on ALL nodes." 11 65 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -441,7 +427,7 @@ whiptail_fleet_custom_hostname() {
 	[ -n "$TESTING" ] && return
 	FLEETCUSTOMHOSTNAME=$(whiptail --title "Security Onion Install" --inputbox \
-	"What FQDN should osquery clients use for connections to this Fleet node? Leave blank if the local system hostname will be used." 10 60 3>&1 1>&2 2>&3)
+	"What FQDN should osquery clients use for connections to this Fleet node? Leave blank if the local system hostname will be used." 10 60 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -477,7 +463,7 @@ whiptail_homenet_manager() {
 	[ -n "$TESTING" ] && return
 	HNMANAGER=$(whiptail --title "Security Onion Setup" --inputbox \
-		"Enter your home network(s), separating CIDR blocks with a comma (,):" 10 75 "10.0.0.0/8,192.168.0.0/16,172.16.0.0/12" 3>&1 1>&2 2>&3)
+		"Enter your home network(s), separating CIDR blocks with a comma (,):" 10 75 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -495,7 +481,7 @@ whiptail_homenet_sensor() {
 	[ -n "$TESTING" ] && return
 	HNSENSOR=$(whiptail --title "Security Onion Setup" --inputbox \
-		"Enter your home network(s), separating CIDR blocks with a comma (,):" 10 75 "10.0.0.0/8,192.168.0.0/16,172.16.0.0/12" 3>&1 1>&2 2>&3)
+		"Enter your home network(s), separating CIDR blocks with a comma (,):" 10 75 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -635,7 +621,7 @@ whiptail_log_size_limit() {
 	log_size_limit=$(whiptail --title "Security Onion Setup" --inputbox \
 	"Please specify the amount of disk space (in GB) you would like to allocate for Elasticsearch data storage: \n\
-	By default, this is set to 80% of the disk space allotted for /nsm." 10 75 "$log_size_limit" 3>&1 1>&2 2>&3)
+	By default, this is set to 80% of the disk space allotted for /nsm." 10 75 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -669,7 +655,7 @@ whiptail_management_interface_dns() {
 	[ -n "$TESTING" ] && return
 	MDNS=$(whiptail --title "Security Onion Setup" --inputbox \
-	"Enter your DNS servers separated by commas:" 10 60 "8.8.8.8,8.8.4.4" 3>&1 1>&2 2>&3)
+	"Enter your DNS servers separated by commas:" 10 60 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -681,7 +667,7 @@ whiptail_management_interface_dns_search() {
 	[ -n "$TESTING" ] && return
 	MSEARCH=$(whiptail --title "Security Onion Setup" --inputbox \
-	"Enter your DNS search domain:" 10 60 searchdomain.local 3>&1 1>&2 2>&3)
+	"Enter your DNS search domain:" 10 60 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -692,7 +678,7 @@ whiptail_management_interface_gateway() {
 	[ -n "$TESTING" ] && return
 	MGATEWAY=$(whiptail --title "Security Onion Setup" --inputbox \
-	"Enter your gateway's IPv4 address:" 10 60 3>&1 1>&2 2>&3)
+	"Enter your gateway's IPv4 address:" 10 60 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -702,7 +688,7 @@ whiptail_management_interface_ip_mask() {
 	[ -n "$TESTING" ] && return
 	manager_ip_mask=$(whiptail --title "Security Onion Setup" --inputbox \
-		"Enter your IPv4 address with CIDR mask (e.g. 192.168.1.2/24):" 10 60 3>&1 1>&2 2>&3)
+		"Enter your IPv4 address with CIDR mask (e.g. 192.168.1.2/24):" 10 60 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -802,13 +788,23 @@ whiptail_management_server() {
 	[ -n "$TESTING" ] && return
 	MSRV=$(whiptail --title "Security Onion Setup" --inputbox \
-	"Enter your Manager Server hostname: \nIt is CASE SENSITIVE!" 10 75 XXXX 3>&1 1>&2 2>&3)
+	"Enter your Manager Server hostname: \nIt is CASE SENSITIVE!" 10 75 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
 }
 whiptail_manager_ip() {
 	[ -n "$TESTING" ] && return
 	MSRVIP=$(whiptail --title "Security Onion Setup" --inputbox \
 		"Enter your Manager Server IP Address:" 10 60 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
 }
 # Ask if you want to do advanced setup of the Manager
 whiptail_manager_adv() {
@@ -840,7 +836,7 @@ whiptail_manager_adv_escluster_name(){
 	[ -n "$TESTING" ] && return
 	ESCLUSTERNAME=$(whiptail --title "Security Onion Setup" --inputbox \
-		"Enter a name for your ES cluster!" 10 75 securityonion 3>&1 1>&2 2>&3)
+		"Enter a name for your ES cluster!" 10 75 "$1" 3>&1 1>&2 2>&3)
 }
 # Ask which additional components to install
@@ -931,6 +927,12 @@ whiptail_manager_updates_warning() {
 	whiptail_check_exitstatus $exitstatus
 }
 whiptail_manager_unreachable() {
 	[ -n "$TESTING" ] && return
 	whiptail --title "Security Onion Setup" --msgbox "Setup cannot determine if $1 is listening on port 22. Please check the address entered and try again." 7 75
 }
 whiptail_metadata_tool() {
 	[ -n "$TESTING" ] && return
@@ -994,7 +996,7 @@ whiptail_node_es_heap() {
 	[ -n "$TESTING" ] && return
 	NODE_ES_HEAP_SIZE=$(whiptail --title "Security Onion Setup" --inputbox \
-	"\nEnter ES heap size: \n \n(Recommended value is pre-populated)" 10 75 $ES_HEAP_SIZE 3>&1 1>&2 2>&3)
+	"Enter ES heap size:" 10 75 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -1006,31 +1008,7 @@ whiptail_node_ls_heap() {
 	[ -n "$TESTING" ] && return
 	NODE_LS_HEAP_SIZE=$(whiptail --title "Security Onion Setup" --inputbox \
-	"\nEnter Logstash heap size: \n \n(Recommended value is pre-populated)" 10 75 $LS_HEAP_SIZE 3>&1 1>&2 2>&3)
+	"Enter Logstash heap size:" 10 75 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
 }
 whiptail_node_ls_pipline_batchsize() {
 	[ -n "$TESTING" ] && return
 	LSPIPELINEBATCH=$(whiptail --title "Security Onion Setup" --inputbox \
 	"\nEnter Logstash pipeline batch size: \n \n(Default value is pre-populated)" 10 75 125 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
 }
 whiptail_node_ls_pipeline_worker() {
 	[ -n "$TESTING" ] && return
 	LSPIPELINEWORKERS=$(whiptail --title "Security Onion Setup" --inputbox \
 	"\nEnter number of Logstash pipeline workers: \n \n(Recommended value is pre-populated)" 10 75 "$num_cpu_cores" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -1042,7 +1020,32 @@ whiptail_node_ls_input_threads() {
 	[ -n "$TESTING" ] && return
 	LSINPUTTHREADS=$(whiptail --title "Security Onion Setup" --inputbox \
-		"\nEnter number of Logstash input threads: \n \n(Default value is pre-populated)" 10 75 1 3>&1 1>&2 2>&3)
+		"Enter number of Logstash input threads:" 10 75 "$1" 3>&1 1>&2 2>&3)
 		local exitstatus=$?
 		whiptail_check_exitstatus $exitstatus
 }
 whiptail_node_ls_pipline_batchsize() {
 	[ -n "$TESTING" ] && return
 	LSPIPELINEBATCH=$(whiptail --title "Security Onion Setup" --inputbox \
 	"Enter Logstash pipeline batch size:" 10 75 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
 }
 whiptail_node_ls_pipeline_worker() {
 	[ -n "$TESTING" ] && return
 	LSPIPELINEWORKERS=$(whiptail --title "Security Onion Setup" --inputbox \
 	"Enter number of Logstash pipeline workers:" 10 75 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -1054,7 +1057,7 @@ whiptail_oinkcode() {
 	[ -n "$TESTING" ] && return
 	OINKCODE=$(whiptail --title "Security Onion Setup" --inputbox \
-	"Enter your ET Pro or oinkcode:" 10 75 XXXXXXX 3>&1 1>&2 2>&3)
+	"Enter your ET Pro or oinkcode:" 10 75 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -1075,7 +1078,7 @@ whiptail_patch_name_new_schedule() {
 	[ -n "$TESTING" ] && return
 	PATCHSCHEDULENAME=$(whiptail --title "Security Onion Setup" --inputbox \
-	"What name do you want to give this OS patch schedule? This schedule needs to be named uniquely. Available schedules can be found on the manager under /opt/so/salt/patch/os/schedules/<schedulename>.yml" 10 75 3>&1 1>&2 2>&3)
+	"What name do you want to give this OS patch schedule? This schedule needs to be named uniquely. Available schedules can be found on the manager under /opt/so/salt/patch/os/schedules/<schedulename>.yml" 10 75 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -1102,20 +1105,10 @@ whiptail_patch_schedule_import() {
 	unset PATCHSCHEDULENAME
 	PATCHSCHEDULENAME=$(whiptail --title "Security Onion Setup" --inputbox \
-	"Enter the name of the OS patch schedule you want to inherit: \nAvailable schedules can be found on the manager under /opt/so/salt/patch/os/schedules/<schedulename>.yml" 10 75 3>&1 1>&2 2>&3)
+	"Enter the name of the OS patch schedule you want to inherit. \nAvailable schedules can be found on the manager under /opt/so/salt/patch/os/schedules/<schedulename>.yml" 10 75 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
 	while [[ -z "$PATCHSCHEDULENAME"  ]]; do
 		whiptail --title "Security Onion Setup" --msgbox "Please enter a name for the OS patch schedule you want to inherit." 8 75
 		PATCHSCHEDULENAME=$(whiptail --title "Security Onion Setup" --inputbox \
 		"Enter the name of the OS patch schedule you want to inherit: \nAvailable schedules can be found on the manager under /opt/so/salt/patch/os/schedules/<schedulename>.yml" 10 75 3>&1 1>&2 2>&3)
 		local exitstatus=$?
 		whiptail_check_exitstatus $exitstatus
 	done
 }
 whiptail_patch_schedule_select_days() {
@@ -1274,7 +1267,7 @@ whiptail_set_hostname() {
 	[ -n "$TESTING" ] && return
 	HOSTNAME=$(whiptail --title "Security Onion Setup" --inputbox \
-		"Enter the hostname (not FQDN) you would like to set:" 10 75 "$HOSTNAME" 3>&1 1>&2 2>&3)
+		"Enter the hostname (not FQDN) you would like to set:" 10 75 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -1298,7 +1291,7 @@ whiptail_set_redirect_host() {
 	[ -n "$TESTING" ] && return
 	REDIRECTHOST=$(whiptail --title "Security Onion Setup" --inputbox \
-	"Enter the Hostname, IP, or FQDN you would like to use for the web interface:" 10 75 "$HOSTNAME" 3>&1 1>&2 2>&3)
+	"Enter the Hostname, IP, or FQDN you would like to use for the web interface:" 10 75 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
 }
@@ -1362,11 +1355,13 @@ whiptail_so_allow() {
 	ALLOW_CIDR=$(whiptail --title "Security Onion Setup" \
 		--inputbox "Enter a single IP address or an IP range, in CIDR notation, to allow:" \
-		10 75 3>&1 1>&2 2>&3)
+		10 75 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	export ALLOW_ROLE='a'
 	export ALLOW_CIDR
 	whiptail_check_exitstatus $exitstatus
 }
 whiptail_storage_requirements() {