merge 2.4/dev

Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>

setup/so-functions

@@ -531,7 +531,8 @@ configure_minion() {
 		"  x509_v2: true"\
 		"log_level: info"\
 		"log_level_logfile: info"\
-		"log_file: /opt/so/log/salt/minion" >> "$minion_config"
+		"log_file: /opt/so/log/salt/minion"\
+		"#startup_states: highstate" >> "$minion_config"
 
 	info "Running: salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar='{"host": {"mainint": "$MNIC"}}'"
 	salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar="{'host': {'mainint': $MNIC}}"
@@ -545,8 +546,8 @@ configure_minion() {
 checkin_at_boot() {
 	local minion_config=/etc/salt/minion
 
-	info "Enabling checkin at boot" 
-	echo "startup_states: highstate" >> "$minion_config"
+	info "Enabling checkin at boot"
+	sed -i 's/#startup_states: highstate/startup_states: highstate/' "$minion_config"
 }
 
 check_requirements() {
@@ -1413,7 +1414,7 @@ make_some_dirs() {
 	mkdir -p $local_salt_dir/salt/firewall/portgroups
 	mkdir -p $local_salt_dir/salt/firewall/ports
 
-	for THEDIR in bpf pcap elasticsearch ntp firewall redis backup influxdb strelka sensoroni curator soc soctopus docker zeek suricata nginx telegraf logstash soc manager kratos idstools idh elastalert global;do
+	for THEDIR in bpf pcap elasticsearch ntp firewall redis backup influxdb strelka sensoroni soc soctopus docker zeek suricata nginx telegraf logstash soc manager kratos idstools idh elastalert stig global;do
 	mkdir -p $local_salt_dir/pillar/$THEDIR
 	touch $local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls
 	touch $local_salt_dir/pillar/$THEDIR/soc_$THEDIR.sls
@@ -1558,7 +1559,6 @@ reserve_group_ids() {
 	logCmd "groupadd -g 931 logstash"
 	logCmd "groupadd -g 932 kibana"
 	logCmd "groupadd -g 933 elastalert"
-	logCmd "groupadd -g 934 curator"
 	logCmd "groupadd -g 937 zeek"
 	logCmd "groupadd -g 940 suricata"
 	logCmd "groupadd -g 941 stenographer"
@@ -1603,6 +1603,9 @@ reinstall_init() {
 			salt-call -l info saltutil.kill_all_jobs --local
 		fi
 
+		logCmd "salt-call state.apply ca.remove -linfo --local --file-root=../salt"
+		logCmd "salt-call state.apply ssl.remove -linfo --local --file-root=../salt"
+
 		# Kill any salt processes (safely)
 		for service in "${salt_services[@]}"; do
 			# Stop the service in the background so we can exit after a certain amount of time
@@ -1624,9 +1627,6 @@ reinstall_init() {
 			done
 		done
 
-		logCmd "salt-call state.apply ca.remove -linfo --local --file-root=../salt"
-		logCmd "salt-call state.apply ssl.remove -linfo --local --file-root=../salt"
-
 		# Remove all salt configs
 		rm -rf /etc/salt/engines/* /etc/salt/grains /etc/salt/master /etc/salt/master.d/* /etc/salt/minion /etc/salt/minion.d/* /etc/salt/pki/* /etc/salt/proxy /etc/salt/proxy.d/* /var/cache/salt/
 
@@ -1651,8 +1651,8 @@ reinstall_init() {
 		backup_dir /nsm/kratos "$date_string"
 		backup_dir /nsm/influxdb "$date_string"
 
-		# Remove the old launcher package in case the config changes
-		remove_package launcher-final
+		# Uninstall local Elastic Agent, if installed
+		logCmd "elastic-agent uninstall -f"
 
 		if [[ $is_deb ]]; then
 			info "Unholding previously held packages."
@@ -1815,7 +1815,7 @@ repo_sync_local() {
 		mkdir -p /nsm/repo
 		mkdir -p /opt/so/conf/reposync/cache
 		echo "https://repo.securityonion.net/file/so-repo/prod/2.4/oracle/9" > /opt/so/conf/reposync/mirror.txt
-		echo "https://so-repo-east.s3.us-east-005.backblazeb2.com/prod/2.4/oracle/9" >> /opt/so/conf/reposync/mirror.txt
+		echo "https://repo-alt.securityonion.net/prod/2.4/oracle/9" >> /opt/so/conf/reposync/mirror.txt
 		echo "[main]" > /opt/so/conf/reposync/repodownload.conf
 		echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
 		echo "installonly_limit=3" >> /opt/so/conf/reposync/repodownload.conf
@@ -1936,7 +1936,11 @@ saltify() {
 			logCmd "dnf -y install salt-$SALTVERSION salt-master-$SALTVERSION salt-minion-$SALTVERSION"
 		else
 			# We just need the minion
-			logCmd "dnf -y install salt-$SALTVERSION salt-minion-$SALTVERSION"
+			if [[ $is_airgap ]]; then
+			    logCmd "dnf -y install salt salt-minion"
+			else
+			    logCmd "dnf -y install salt-$SALTVERSION salt-minion-$SALTVERSION"
+			fi
 		fi
 	fi
 
@@ -2152,11 +2156,12 @@ set_default_log_size() {
 	esac
 
 	local disk_dir="/"
-	if [ -d /nsm ]; then
+	if mountpoint -q /nsm; then
 		disk_dir="/nsm"
 	fi
-	if [ -d /nsm/elasticsearch ]; then
+	if mountpoint -q /nsm/elasticsearch; then
 		disk_dir="/nsm/elasticsearch"
+		percentage=80
 	fi
 	
 	local disk_size_1k
@@ -2336,6 +2341,8 @@ verify_setup() {
 	result=$?
 	set +o pipefail
 	if [[ $result -eq 0 ]]; then
+		# Remove ISO sudoers entry if present
+                sed -i '/so-setup/d' /etc/sudoers
 		whiptail_setup_complete
 	else
 		whiptail_setup_failed

setup/so-setup

@@ -706,10 +706,8 @@ if ! [[ -f $install_opt_file ]]; then
 		logCmd "so-minion -o=setup" 
 		title "Creating Global SLS"
 
-		if [[ $is_airgap ]]; then
-			# Airgap Rules
-			airgap_rules
-		fi
+		# Airgap Rules
+		airgap_rules
 
 		manager_pillar
 
@@ -828,7 +826,6 @@ if ! [[ -f $install_opt_file ]]; then
 		configure_minion "$minion_type"
 		check_sos_appliance
 		drop_install_options
-		checkin_at_boot
 		logCmd "salt-call state.apply setup.highstate_cron --local --file-root=../salt/"
 		verify_setup
 	fi

setup/so-variables

@@ -112,12 +112,6 @@ export sensoroni_pillar_file
 adv_sensoroni_pillar_file="$local_salt_dir/pillar/sensoroni/adv_sensoroni.sls"
 export adv_sensoroni_pillar_file
 
-curator_pillar_file="$local_salt_dir/pillar/curator/soc_curator.sls"
-export curator_pillar_file
-
-adv_curator_pillar_file="$local_salt_dir/pillar/curator/adv_curator.sls"
-export adv_curator_pillar_file
-
 soctopus_pillar_file="$local_salt_dir/pillar/soctopus/soc_soctopus.sls"
 export soctopus_pillar_file
 

setup/so-verify

@@ -33,13 +33,17 @@ log_has_errors() {
     # Ignore Failed: 0 since that is the salt state output, and we detect state failures
     # via Result: False already.
 
-    # This is ignored for Ubuntu
+    # This is ignored for Ubuntu:
     # Failed to restart snapd.mounts-pre.target: Operation refused, unit snapd.mounts-pre.target
     # may be requested by dependency only (it is configured to refuse manual start/stop).
 
     # Command failed with exit code is output during retry loops.
 
     # "remove failed" is caused by a warning generated by upgrade of libwbclient
+
+    # Exit code 100 failure is likely apt-get running in the background, we wait for it to unlock.
+
+    # Failed to deduce dest mapping appears to occur when a shard isn't yet ready. Temporary.
     
     grep -E "FAILED|Failed|failed|ERROR|Result: False|Error is not recoverable" "$setup_log" | \
         grep -vE "The Salt Master has cached the public key for this node" | \
@@ -58,10 +62,12 @@ log_has_errors() {
         grep -vE "remove failed" | \
         grep -vE "Failed to restart snapd" | \
         grep -vE "Login Failed Details" | \
+        grep -vE "Failed to deduce dest mappings" | \
         grep -vE "response from daemon: unauthorized" | \
         grep -vE "Reading first line of patchfile" | \
         grep -vE "Command failed with exit code" | \
-        grep -vE "Running scope as unit" &> "$error_log"
+        grep -vE "Running scope as unit" | \
+        grep -vE "log-.*-pipeline_failed_attempts" &> "$error_log"
     
     if [[ $? -eq 0 ]]; then
         # This function succeeds (returns 0) if errors are detected

setup/so-whiptail

@@ -195,10 +195,12 @@ whiptail_create_web_user() {
 	[ -n "$TESTING" ] && return
 
 	WEBUSER=$(whiptail --title "$whiptail_title" --inputbox \
-	"Please enter an email address to create an administrator account for the Security Onion Console (SOC) web interface.\n\nThis will also be used for Elasticsearch and Kibana." 12 60 "$1" 3>&1 1>&2 2>&3)
+	"Please enter an email address to create an administrator account for the Security Onion Console (SOC) web interface.\n\nThis will also be used for Elasticsearch and Kibana.\n\nMust only include letters, numbers, or + - _ % . @ characters. All capitalized letters will be converted to lowercase." 15 60 "$1" 3>&1 1>&2 2>&3)
 
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
+
+	WEBUSER=${WEBUSER,,}
 }
 
 whiptail_create_web_user_password1() {
@@ -286,9 +288,9 @@ whiptail_dhcp_or_static() {
 	[ -n "$TESTING" ] && return
 
 	address_type=$(whiptail --title "$whiptail_title" --menu \
-	"Choose how to set up your management interface:" 20 78 4 \
-	"STATIC" "Set a static IPv4 address" \
-	"DHCP" "Use DHCP to configure the Management Interface" 3>&1 1>&2 2>&3 )
+	"Choose how to set up your management interface. We recommend using a static IP address." 20 78 4 \
+	"STATIC" "Set a static IPv4 address (recommended)" \
+	"DHCP" "Use DHCP to configure the management interface" 3>&1 1>&2 2>&3 )
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus