Merge pull request #3940 from Security-Onion-Solutions/foxtrot

Foxtrot
2025-12-06 17:22:49 +01:00 · 2021-04-21 18:44:37 -04:00
parent 0a2d44131b c297031f6b
commit 81581711da
32 changed files with 157 additions and 128 deletions
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -122,6 +122,10 @@ check_elastic_license() {
 	fi  
 }
 disable_fastestmirror() {
 	sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf
 }
 elastic_license() {
 read -r -d '' message <<- EOM
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -453,8 +453,9 @@ up_2.3.3X_to_2.3.50_repo() {
  if [[ "$OS" == "centos" ]]; then
    # Import GPG Keys
    gpg_rpm_import
    if [ $is_airgap -eq 1 ]; then
      echo "Disabling fastestmirror."
      disable_fastestmirror
      echo "Deleting unneeded repo files."
      DELREPOS=('CentOS-Base' 'CentOS-CR' 'CentOS-Debuginfo' 'docker-ce' 'CentOS-fasttrack' 'CentOS-Media' 'CentOS-Sources' 'CentOS-Vault' 'CentOS-x86_64-kernel' 'epel' 'epel-testing' 'saltstack' 'wazuh')
--- a/salt/manager/files/acng/acng.conf
+++ b/salt/manager/files/acng/acng.conf
@@ -90,3 +90,7 @@ PassThroughPattern: (repo\.securityonion\.net:443|download\.docker\.com:443|mirr
 # MaxDlSpeed: 500
 # MaxInresponsiveDlSize: 64000
 # BadRedirDetectMime: text/html
 {% set proxy = salt['pillar.get']('manager:proxy') -%}
 {% if proxy -%}
 Proxy: {{ proxy }}
 {% endif -%}
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -18,7 +18,6 @@
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
 {% set managerproxy = salt['pillar.get']('global:managerupdate', '0') %}
 {% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %}
 socore_own_saltstack:
@@ -35,8 +34,6 @@ socore_own_saltstack:
    - mode: 750
    - replace: False
 {% if managerproxy == 1 %}
 # Create the directories for apt-cacher-ng
 aptcacherconfdir:
  file.directory:
@@ -60,11 +57,12 @@ aptcacherlogdir:
    - makedirs: true
 # Copy the config
 acngcopyconf:
  file.managed:
    - name: /opt/so/conf/aptcacher-ng/etc/acng.conf
    - source: salt://manager/files/acng/acng.conf
    - template: jinja
    - show_changes: False
 # Install the apt-cacher-ng container
 so-aptcacherng:
@@ -84,8 +82,6 @@ append_so-aptcacherng_so-status.conf:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-aptcacherng
 {% endif %}
 strelka_yara_update_old_1:
  cron.absent:
    - user: root
--- a/salt/repo/client/files/centos/yum.conf.jinja
+++ b/salt/repo/client/files/centos/yum.conf.jinja
@@ -12,7 +12,7 @@ installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }}
 bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
 distroverpkg=centos-release
 clean_requirements_on_remove=1
-{% if (grains['role'] not in ['so-eval','so-managersearch', 'so-manager', 'so-standalone']) and salt['pillar.get']('global:managerupdate', '0') -%}
+{% if (grains['role'] not in ['so-eval','so-managersearch', 'so-manager', 'so-standalone']) and salt['pillar.get']('global:managerupdate', 'direct') == 'manager' -%}
 proxy=http://{{ salt['pillar.get']('yum:config:proxy', salt['config.get']('master')) }}:3142
 {% elif proxy -%}
 proxy={{ proxy }}
--- a/salt/repo/client/init.sls
+++ b/salt/repo/client/init.sls
@@ -63,6 +63,7 @@ yumconf:
    - source: salt://repo/client/files/centos/yum.conf.jinja
    - mode: 644
    - template: jinja
    - show_changes: False
 {% endif %}
 cleanyum:
--- a/setup/automation/distributed-airgap-manager
+++ b/setup/automation/distributed-airgap-manager
@@ -42,7 +42,6 @@ INTERWEBS=AIRGAP
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
 MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
--- a/setup/automation/distributed-ami-manager
+++ b/setup/automation/distributed-ami-manager
@@ -41,7 +41,6 @@ install_type=MANAGER
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
 MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
--- a/setup/automation/distributed-iso-manager
+++ b/setup/automation/distributed-iso-manager
@@ -41,7 +41,6 @@ install_type=MANAGER
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
 MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
--- a/setup/automation/distributed-net-centos-manager
+++ b/setup/automation/distributed-net-centos-manager
@@ -41,7 +41,6 @@ install_type=MANAGER
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
 MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
--- a/setup/automation/distributed-net-ubuntu-manager
+++ b/setup/automation/distributed-net-ubuntu-manager
@@ -41,7 +41,6 @@ install_type=MANAGER
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
 MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
--- a/setup/automation/distributed-net-ubuntu-suricata-manager
+++ b/setup/automation/distributed-net-ubuntu-suricata-manager
@@ -41,7 +41,6 @@ install_type=MANAGER
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
 MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
--- a/setup/automation/eval-airgap
+++ b/setup/automation/eval-airgap
@@ -42,7 +42,6 @@ INTERWEBS=AIRGAP
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
 MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
--- a/setup/automation/eval-ami
+++ b/setup/automation/eval-ami
@@ -41,7 +41,6 @@ install_type=EVAL
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
 MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
--- a/setup/automation/eval-iso
+++ b/setup/automation/eval-iso
@@ -41,7 +41,6 @@ install_type=EVAL
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
 MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
--- a/setup/automation/eval-net-centos
+++ b/setup/automation/eval-net-centos
@@ -41,7 +41,6 @@ install_type=EVAL
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
 MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=
--- a/setup/automation/eval-net-ubuntu
+++ b/setup/automation/eval-net-ubuntu
@@ -41,7 +41,6 @@ install_type=EVAL
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
 MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
--- a/setup/automation/import-airgap
+++ b/setup/automation/import-airgap
@@ -42,7 +42,6 @@ INTERWEBS=AIRGAP
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
 MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=
--- a/setup/automation/import-ami
+++ b/setup/automation/import-ami
@@ -41,7 +41,6 @@ install_type=IMPORT
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
 MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=
--- a/setup/automation/import-iso
+++ b/setup/automation/import-iso
@@ -41,7 +41,6 @@ install_type=IMPORT
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
 MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=
--- a/setup/automation/import-net-centos
+++ b/setup/automation/import-net-centos
@@ -41,7 +41,6 @@ install_type=IMPORT
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
 MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=
--- a/setup/automation/import-net-ubuntu
+++ b/setup/automation/import-net-ubuntu
@@ -41,7 +41,6 @@ install_type=IMPORT
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
 MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
--- a/setup/automation/standalone-airgap
+++ b/setup/automation/standalone-airgap
@@ -42,7 +42,6 @@ INTERWEBS=AIRGAP
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
 MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
--- a/setup/automation/standalone-ami
+++ b/setup/automation/standalone-ami
@@ -41,7 +41,6 @@ install_type=STANDALONE
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
 MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
--- a/setup/automation/standalone-iso
+++ b/setup/automation/standalone-iso
@@ -41,7 +41,6 @@ install_type=STANDALONE
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
 MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
--- a/setup/automation/standalone-iso-suricata
+++ b/setup/automation/standalone-iso-suricata
@@ -41,7 +41,6 @@ install_type=STANDALONE
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
 MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
--- a/setup/automation/standalone-net-centos
+++ b/setup/automation/standalone-net-centos
@@ -41,7 +41,6 @@ install_type=STANDALONE
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
 MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
--- a/setup/automation/standalone-net-centos-proxy
+++ b/setup/automation/standalone-net-centos-proxy
@@ -41,7 +41,6 @@ install_type=STANDALONE
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
 MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
--- a/setup/automation/standalone-net-ubuntu
+++ b/setup/automation/standalone-net-ubuntu
@@ -41,7 +41,6 @@ install_type=STANDALONE
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
 MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -478,6 +478,19 @@ collect_mtu() {
 	done
 }
 collect_net_method() {
 	whiptail_net_method
 	if [[ "$network_traffic" == *"_MANAGER" ]]; then
 		whiptail_manager_updates_warning
 		MANAGERUPDATES=1
 	fi
 	if [[ "$network_traffic" == "PROXY"* ]]; then
 		collect_proxy no_ask
 	fi
 }
 collect_node_es_heap() {
 	whiptail_node_es_heap "$ES_HEAP_SIZE"
 }
@@ -580,7 +593,9 @@ collect_patch_schedule_name_import() {
 collect_proxy() {
 	[[ -n $TESTING ]] && return
-	collect_proxy_details || return
+	local ask=${1:-true}
 	collect_proxy_details "$ask" || return
 	while ! proxy_validate; do
 		if whiptail_invalid_proxy; then
 			collect_proxy_details no_ask
@@ -1654,7 +1669,6 @@ manager_global() {
 		"  fleet_ip: 'N/A'"\
 		"  sensoronikey: '$SENSORONIKEY'"\
 		"  wazuh: $WAZUH"\
 		"  managerupdate: $MANAGERUPDATES"\
 		"  imagerepo: '$IMAGEREPO'"\
 		"  pipeline: 'redis'"\
 		"sensoroni:"\
@@ -1850,9 +1864,16 @@ patch_pillar() {
 	local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls
 	if [[ $MANAGERUPDATES == 1 ]]; then
 		local source="manager"
 	else
 		local source="direct"
 	fi
 	printf '%s\n'\
 		"patch:"\
 		"  os:"\
 		"    source: '$source'"\
 		"    schedule_name: '$PATCHSCHEDULENAME'"\
 		"    enabled: True"\
 		"    splay: 300"\
@@ -2306,24 +2327,24 @@ secrets_pillar(){
 securityonion_repo() {
 	# Remove all the current repos
 	if [[ "$OS" == "centos" ]]; then
-	    if [[ "$INTERWEBS" == "AIRGAP" ]]; then
+		if [[ "$INTERWEBS" == "AIRGAP" ]]; then
-		    echo "This is airgap I don't need to add this repo"
+			echo "This is airgap I don't need to add this repo"
 		else
-	        mkdir -p /root/oldrepos
+			mkdir -p /root/oldrepos
-	        mv -v /etc/yum.repos.d/* /root/oldrepos/
+			mv -v /etc/yum.repos.d/* /root/oldrepos/
 			ls -la /etc/yum.repos.d/
-		    rm -rf /etc/yum.repos.d
+			rm -rf /etc/yum.repos.d
 			yum clean all
 			yum repolist all
 			mkdir -p /etc/yum.repos.d
-		    if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then
+			if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then
-		        cp -f ../salt/repo/client/files/centos/securityonioncache.repo /etc/yum.repos.d/
+				cp -f ../salt/repo/client/files/centos/securityonioncache.repo /etc/yum.repos.d/
-		    else
+			else
-		        cp -f ../salt/repo/client/files/centos/securityonion.repo /etc/yum.repos.d/
+				cp -f ../salt/repo/client/files/centos/securityonion.repo /etc/yum.repos.d/
-		    fi
+			fi
 		fi
 	else
-        echo "This is Ubuntu"
+		echo "This is Ubuntu"
 	fi
 }
@@ -2669,10 +2690,12 @@ set_redirect() {
 set_updates() {
 	if [ "$MANAGERUPDATES" = '1' ]; then
 		if [ "$OS" = 'centos' ]; then
-		    if [[ ! $is_airgap ]]; then
+			if [[ ! $is_airgap ]] && ! ( grep -q "$MSRV" /etc/yum.conf); then
-			    if ! grep -q "$MSRV" /etc/yum.conf; then
+				if grep -q "proxy=" /etc/yum.conf; then
-				    echo "proxy=http://$MSRV:3142" >> /etc/yum.conf
+					sed -i "s/proxy=.*/proxy=http:\/\/$MSRV:3142/" /etc/yum.conf
-			    fi
+				else
 					echo "proxy=http://$MSRV:3142" >> /etc/yum.conf
 				fi
 			fi
 		else
 			# Set it up so the updates roll through the manager
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -203,16 +203,13 @@ if ! [[ -f $install_opt_file ]]; then
 		if [[ $option == "CONFIGURENETWORK" ]]; then
 			collect_hostname
 			network_init_whiptail
-			whiptail_management_interface_setup
+			whiptail_network_init_notice
 			network_init
 			printf '%s\n' \
 				"MNIC=$MNIC" \
 				"HOSTNAME=$HOSTNAME" > "$net_init_file"
 			set_main_ip >> $setup_log 2>&1
 			compare_main_nic_ip
 			reset_proxy
 			collect_proxy
 			[[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1
 			whiptail_net_setup_complete
 		else
 			true
@@ -263,19 +260,19 @@ elif [ "$install_type" = 'ANALYST' ]; then
 	is_analyst=true
 fi
 # Check if this is an airgap install
 if [[ $is_iso || $is_minion ]]; then
 	whiptail_airgap
 	if [[ "$INTERWEBS" == 'AIRGAP' ]]; then
 		is_airgap=true
 	fi
 fi
 if [[ $is_manager || $is_import ]]; then
 	check_elastic_license
 fi
 if ! [[ -f $install_opt_file ]]; then
 	# Check if this is an airgap install
 	if [[ ( $is_manager || $is_import || $is_minion ) && $is_iso ]]; then
 		whiptail_airgap
 		if [[ "$INTERWEBS" == 'AIRGAP' ]]; then
 			is_airgap=true
 		fi
 	fi
 	if [[ $is_manager && $is_sensor ]]; then
 		check_requirements "standalone"
 	elif [[ $is_fleet_standalone ]]; then
@@ -302,11 +299,8 @@ if ! [[ -f $install_opt_file ]]; then
 		source "$net_init_file"
 	fi
 	if [[ $is_minion ]] || [[ $reinit_networking ]] || [[ $is_iso ]] && ! [[ -f $net_init_file ]]; then
 		whiptail_management_interface_setup
 	fi
 	if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then
 		whiptail_network_init_notice
 		network_init
 	fi
@@ -315,19 +309,17 @@ if ! [[ -f $install_opt_file ]]; then
 	if [[ $is_minion ]]; then
 		collect_mngr_hostname
 		add_mngr_ip_to_hosts
 	fi
 	reset_proxy
 	if [[ -z $is_airgap ]]; then
-		collect_proxy
+		collect_net_method
 		[[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1
 	fi
 	if [[ $is_minion ]]; then
-		add_mngr_ip_to_hosts
+		whiptail_ssh_key_copy_notice
 	fi
 	if [[ $is_minion ]]; then
 		copy_ssh_key >> $setup_log 2>&1
 	fi
@@ -339,6 +331,7 @@ if ! [[ -f $install_opt_file ]]; then
 			"HOSTNAME=$HOSTNAME" \
 			"MSRV=$MSRV" \
 			"MSRVIP=$MSRVIP" \
 			"is_airgap=$is_airgap" \
 			"NODE_DESCRIPTION=\"$NODE_DESCRIPTION\"" > "$install_opt_file"
 		[[ -n $so_proxy ]] && echo "so_proxy=$so_proxy" >> "$install_opt_file"
 		download_repo_tarball
@@ -428,7 +421,7 @@ fi
 if [[ $is_airgap ]]; then
 	PATCHSCHEDULENAME=${PATCHSCHEDULENAME:-manual}
-	MANAGERUPDATES=${MANAGERUPDATES:-0} 
+	[[ ! $is_minion ]] && MANAGERUPDATES=${MANAGERUPDATES:-0} || MANAGERUPDATES=${MANAGERUPDATES:-1}
 fi
 # Start user prompts
@@ -499,13 +492,6 @@ if [[ $is_manager || $is_import ]]; then
 	get_redirect
 fi
 if [[ ! $is_airgap && ( $is_distmanager || ( $is_sensor || $is_node || $is_fleet_standalone ) && ! $is_eval ) ]]; then
 	whiptail_manager_updates
 	if [[ $setup_type == 'network' && $MANAGERUPDATES == 1 ]]; then
 		whiptail_manager_updates_warning
 	fi
 fi
 if [[ $is_distmanager ]]; then
 	collect_soremote_inputs
 fi
@@ -648,6 +634,8 @@ echo "1" > /root/accept_changes
 	set_progress_str 2 'Updating packages'
 	# Import the gpg keys
 	gpg_rpm_import >> $setup_log 2>&1
 	info "Disabling fastestmirror"
 	[[ $OS == 'centos' ]] && disable_fastestmirror
 	if [[ ! $is_airgap ]]; then
 	    securityonion_repo >> $setup_log 2>&1
 	    update_packages >> $setup_log 2>&1
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -616,7 +616,14 @@ whiptail_end_settings() {
 		fi
 	fi
-	whiptail --title "The following options have been set, would you like to proceed?" --yesno "$end_msg" 24 75 --scrolltext
+	local msg
 	read -r -d '' msg <<-EOM
 	$end_msg
 	Press TAB to select yes or no.
 	EOM
 	whiptail --title "The following options have been set, would you like to proceed?" --yesno "$msg" 24 75 --scrolltext
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -987,44 +994,65 @@ whiptail_management_nic() {
 }
-whiptail_management_interface_setup() {
+whiptail_net_method() {
 	[ -n "$TESTING" ] && return
-	local minion_msg
+	local pkg_mngr
-	local msg
+	if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi
-	local line_count
+
 	read -r -d '' options_msg <<- EOM
 	"Direct" - Internet requests connect directly to the Internet.
 	EOM
 	local options=(
 		" Direct " ""
 	)
 	local proxy_desc="proxy the traffic for git, docker client, wget, curl, ${pkg_mngr}, and various other SO components through a separate server in your environment."
 	if [[ $is_minion ]]; then
-		line_count=11
+		read -r -d '' options_msg <<- EOM
-		minion_msg="copy the ssh key for soremote to the manager. This will bring you to the command line temporarily to accept the manager's ECDSA certificate and enter the password for soremote"
+		${options_msg}
 		"Direct + Manager" - all traffic passes to the Internet normally, but ${pkg_mngr} updates will instead be pulled from ${mngr_article} manager. 
 		"Proxy" - ${proxy_desc}
 		"Proxy + Manager" - proxy all traffic from the "Proxy" option except ${pkg_mngr} updates, which will instead pull from the manager.
 		EOM
 		options+=(
 			" Direct + Manager " ""
 			" Proxy " ""
 			" Proxy + Manager " ""
 		)
 		local height=25
 	else
-		line_count=9
+		read -r -d '' options_msg <<- EOM
-		minion_msg=""
+			${options_msg}
 			"Proxy" - ${proxy_desc}
 		EOM
 		options+=(
 			" Proxy " ""
 		)
 		local height=17
 	fi
-	if [[ $is_iso ]]; then
+	local msg
-		if [[ $minion_msg != "" ]]; then
+	read -r -d '' msg <<- EOM
-			if [[ -f $net_init_file ]]; then
+	How would you like to connect to the Internet? 
 				msg=$minion_msg
 			else
 				msg="initialize networking and $minion_msg"
 			fi
 		else
 			msg="initialize networking"
 		fi
 	else
 		msg=$minion_msg
 	fi
-	read -r -d '' message <<- EOM
+	$options_msg
 		Setup will now $msg.
 		Select OK to continue.
 	EOM
-	whiptail --title "Security Onion Setup" --msgbox "$message" $line_count 75
+	local option_count=$(( ${#options[@]} / 2 ))
 	network_traffic=$(whiptail --title "Security Onion Setup" --menu "$msg" $height 75 $option_count "${options[@]}" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
 	network_traffic=$(echo "${network_traffic^^}" | tr -d ' ' | tr '+' '_')
 }
 whiptail_net_setup_complete() {
@@ -1035,6 +1063,20 @@ whiptail_net_setup_complete() {
 	exit 0
 }
 whiptail_network_init_notice() {
 	[ -n "$TESTING" ] && return
 	read -r -d '' message <<- EOM
 		Setup will now initialize networking.
 		Select OK to continue.
 	EOM
 	whiptail --title "Security Onion Setup" --msgbox "$message" 9 75
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
 }
 whiptail_management_server() {
 	[ -n "$TESTING" ] && return
@@ -1161,29 +1203,6 @@ whiptail_manager_error() {
 	whiptail --title "Security Onion Setup" --yesno "$msg" 13 75 || whiptail_check_exitstatus 1
 }
 whiptail_manager_updates() {
 	[ -n "$TESTING" ] && return
 	local update_string
 	update_string=$(whiptail --title "Security Onion Setup" --radiolist \
 	"How would you like to download OS package updates for your grid?" 20 75 4 \
 	"MANAGER" "Manager node is proxy for updates" ON \
 	"OPEN" "Each node connects to the Internet for updates" OFF 3>&1 1>&2 2>&3 )
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
 	case "$update_string" in
 		'MANAGER')
 			export MANAGERUPDATES='1'
 			;;
 		*)
 			export MANAGERUPDATES='0'
 			;;
 	esac
 }
 whiptail_manager_updates_warning() {
 	[ -n "$TESTING" ] && return
@@ -1485,7 +1504,9 @@ whiptail_patch_schedule_select_hours() {
 whiptail_proxy_ask() {
 	[ -n "$TESTING" ] && return
-	whiptail --title "Security Onion Setup" --yesno "Do you want to set a proxy server for this installation?" 7 60 --defaultno
+	local pkg_mngr
 	if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi
 	whiptail --title "Security Onion Setup" --yesno "Do you want to proxy the traffic for git, docker client, wget, curl, ${pkg_mngr}, and various other SO components through a separate server in your environment?" 9 65 --defaultno
 }
 whiptail_proxy_addr() {
@@ -1718,6 +1739,20 @@ whiptail_so_allow() {
 	whiptail_check_exitstatus $exitstatus
 }
 whiptail_ssh_key_copy_notice() {
 	[ -n "$TESTING" ] && return
 	read -r -d '' message <<- EOM
 		Setup will now copy the ssh key for soremote to the manager. This will bring you to the command line temporarily to accept the manager's ED25519 certificate and enter the password for soremote.
 		Select OK to continue.
 	EOM
 	whiptail --title "Security Onion Setup" --msgbox "$message" 11 75
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
 }
 whitpail_ssh_warning() {
 	[ -n "$TESTING" ] && return