Merge pull request #3940 from Security-Onion-Solutions/foxtrot

Foxtrot

salt/common/tools/sbin/so-common

@@ -122,6 +122,10 @@ check_elastic_license() {
 	fi  
 }
 
+disable_fastestmirror() {
+	sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf
+}
+
 elastic_license() {
 
 read -r -d '' message <<- EOM

salt/common/tools/sbin/soup

@@ -453,8 +453,9 @@ up_2.3.3X_to_2.3.50_repo() {
   if [[ "$OS" == "centos" ]]; then
     # Import GPG Keys
     gpg_rpm_import
-
     if [ $is_airgap -eq 1 ]; then
+      echo "Disabling fastestmirror."
+      disable_fastestmirror
       echo "Deleting unneeded repo files."
       DELREPOS=('CentOS-Base' 'CentOS-CR' 'CentOS-Debuginfo' 'docker-ce' 'CentOS-fasttrack' 'CentOS-Media' 'CentOS-Sources' 'CentOS-Vault' 'CentOS-x86_64-kernel' 'epel' 'epel-testing' 'saltstack' 'wazuh')
 

salt/manager/files/acng/acng.conf

@@ -90,3 +90,7 @@ PassThroughPattern: (repo\.securityonion\.net:443|download\.docker\.com:443|mirr
 # MaxDlSpeed: 500
 # MaxInresponsiveDlSize: 64000
 # BadRedirDetectMime: text/html
+{% set proxy = salt['pillar.get']('manager:proxy') -%}
+{% if proxy -%}
+Proxy: {{ proxy }}
+{% endif -%}

salt/manager/init.sls

@@ -18,7 +18,6 @@
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
-{% set managerproxy = salt['pillar.get']('global:managerupdate', '0') %}
 {% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %}
 
 socore_own_saltstack:
@@ -35,8 +34,6 @@ socore_own_saltstack:
     - mode: 750
     - replace: False
 
-{% if managerproxy == 1 %}
-
 # Create the directories for apt-cacher-ng
 aptcacherconfdir:
   file.directory:
@@ -60,11 +57,12 @@ aptcacherlogdir:
     - makedirs: true
 
 # Copy the config
-
 acngcopyconf:
   file.managed:
     - name: /opt/so/conf/aptcacher-ng/etc/acng.conf
     - source: salt://manager/files/acng/acng.conf
+    - template: jinja
+    - show_changes: False
 
 # Install the apt-cacher-ng container
 so-aptcacherng:
@@ -84,8 +82,6 @@ append_so-aptcacherng_so-status.conf:
     - name: /opt/so/conf/so-status/so-status.conf
     - text: so-aptcacherng
 
-{% endif %}
-
 strelka_yara_update_old_1:
   cron.absent:
     - user: root

salt/repo/client/files/centos/yum.conf.jinja

@@ -12,7 +12,7 @@ installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }}
 bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
 distroverpkg=centos-release
 clean_requirements_on_remove=1
-{% if (grains['role'] not in ['so-eval','so-managersearch', 'so-manager', 'so-standalone']) and salt['pillar.get']('global:managerupdate', '0') -%}
+{% if (grains['role'] not in ['so-eval','so-managersearch', 'so-manager', 'so-standalone']) and salt['pillar.get']('global:managerupdate', 'direct') == 'manager' -%}
 proxy=http://{{ salt['pillar.get']('yum:config:proxy', salt['config.get']('master')) }}:3142
 {% elif proxy -%}
 proxy={{ proxy }}

salt/repo/client/init.sls

@@ -63,6 +63,7 @@ yumconf:
     - source: salt://repo/client/files/centos/yum.conf.jinja
     - mode: 644
     - template: jinja
+    - show_changes: False
 {% endif %}
 
 cleanyum:

setup/automation/distributed-airgap-manager

@@ -42,7 +42,6 @@ INTERWEBS=AIRGAP
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/automation/distributed-ami-manager

@@ -41,7 +41,6 @@ install_type=MANAGER
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/automation/distributed-iso-manager

@@ -41,7 +41,6 @@ install_type=MANAGER
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/automation/distributed-net-centos-manager

@@ -41,7 +41,6 @@ install_type=MANAGER
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/automation/distributed-net-ubuntu-manager

@@ -41,7 +41,6 @@ install_type=MANAGER
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/automation/distributed-net-ubuntu-suricata-manager

@@ -41,7 +41,6 @@ install_type=MANAGER
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/automation/eval-airgap

@@ -42,7 +42,6 @@ INTERWEBS=AIRGAP
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/automation/eval-ami

@@ -41,7 +41,6 @@ install_type=EVAL
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/automation/eval-iso

@@ -41,7 +41,6 @@ install_type=EVAL
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/automation/eval-net-centos

@@ -41,7 +41,6 @@ install_type=EVAL
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/automation/eval-net-ubuntu

@@ -41,7 +41,6 @@ install_type=EVAL
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/automation/import-airgap

@@ -42,7 +42,6 @@ INTERWEBS=AIRGAP
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/automation/import-ami

@@ -41,7 +41,6 @@ install_type=IMPORT
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/automation/import-iso

@@ -41,7 +41,6 @@ install_type=IMPORT
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/automation/import-net-centos

@@ -41,7 +41,6 @@ install_type=IMPORT
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/automation/import-net-ubuntu

@@ -41,7 +41,6 @@ install_type=IMPORT
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/automation/standalone-airgap

@@ -42,7 +42,6 @@ INTERWEBS=AIRGAP
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/automation/standalone-ami

@@ -41,7 +41,6 @@ install_type=STANDALONE
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/automation/standalone-iso

@@ -41,7 +41,6 @@ install_type=STANDALONE
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/automation/standalone-iso-suricata

@@ -41,7 +41,6 @@ install_type=STANDALONE
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/automation/standalone-net-centos

@@ -41,7 +41,6 @@ install_type=STANDALONE
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/automation/standalone-net-centos-proxy

@@ -41,7 +41,6 @@ install_type=STANDALONE
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/automation/standalone-net-ubuntu

@@ -41,7 +41,6 @@ install_type=STANDALONE
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=

setup/so-functions

@@ -478,6 +478,19 @@ collect_mtu() {
 	done
 }
 
+collect_net_method() {
+	whiptail_net_method
+
+	if [[ "$network_traffic" == *"_MANAGER" ]]; then
+		whiptail_manager_updates_warning
+		MANAGERUPDATES=1
+	fi
+
+	if [[ "$network_traffic" == "PROXY"* ]]; then
+		collect_proxy no_ask
+	fi
+}
+
 collect_node_es_heap() {
 	whiptail_node_es_heap "$ES_HEAP_SIZE"
 }
@@ -580,7 +593,9 @@ collect_patch_schedule_name_import() {
 
 collect_proxy() {
 	[[ -n $TESTING ]] && return
-	collect_proxy_details || return
+	local ask=${1:-true}
+
+	collect_proxy_details "$ask" || return
 	while ! proxy_validate; do
 		if whiptail_invalid_proxy; then
 			collect_proxy_details no_ask
@@ -1654,7 +1669,6 @@ manager_global() {
 		"  fleet_ip: 'N/A'"\
 		"  sensoronikey: '$SENSORONIKEY'"\
 		"  wazuh: $WAZUH"\
-		"  managerupdate: $MANAGERUPDATES"\
 		"  imagerepo: '$IMAGEREPO'"\
 		"  pipeline: 'redis'"\
 		"sensoroni:"\
@@ -1850,9 +1864,16 @@ patch_pillar() {
 
 	local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls
 
+	if [[ $MANAGERUPDATES == 1 ]]; then
+		local source="manager"
+	else
+		local source="direct"
+	fi
+
 	printf '%s\n'\
 		"patch:"\
 		"  os:"\
+		"    source: '$source'"\
 		"    schedule_name: '$PATCHSCHEDULENAME'"\
 		"    enabled: True"\
 		"    splay: 300"\
@@ -2669,8 +2690,10 @@ set_redirect() {
 set_updates() {
 	if [ "$MANAGERUPDATES" = '1' ]; then
 		if [ "$OS" = 'centos' ]; then
-		    if [[ ! $is_airgap ]]; then
-			    if ! grep -q "$MSRV" /etc/yum.conf; then
+			if [[ ! $is_airgap ]] && ! ( grep -q "$MSRV" /etc/yum.conf); then
+				if grep -q "proxy=" /etc/yum.conf; then
+					sed -i "s/proxy=.*/proxy=http:\/\/$MSRV:3142/" /etc/yum.conf
+				else
 					echo "proxy=http://$MSRV:3142" >> /etc/yum.conf
 				fi
 			fi

setup/so-setup

@@ -203,16 +203,13 @@ if ! [[ -f $install_opt_file ]]; then
 		if [[ $option == "CONFIGURENETWORK" ]]; then
 			collect_hostname
 			network_init_whiptail
-			whiptail_management_interface_setup
+			whiptail_network_init_notice
 			network_init
 			printf '%s\n' \
 				"MNIC=$MNIC" \
 				"HOSTNAME=$HOSTNAME" > "$net_init_file"
 			set_main_ip >> $setup_log 2>&1
 			compare_main_nic_ip
-			reset_proxy
-			collect_proxy
-			[[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1
 			whiptail_net_setup_complete
 		else
 			true
@@ -263,19 +260,19 @@ elif [ "$install_type" = 'ANALYST' ]; then
 	is_analyst=true
 fi
 
+if [[ $is_manager || $is_import ]]; then
+	check_elastic_license
+fi
+
+if ! [[ -f $install_opt_file ]]; then
 	# Check if this is an airgap install
-if [[ $is_iso || $is_minion ]]; then
+	if [[ ( $is_manager || $is_import || $is_minion ) && $is_iso ]]; then
 		whiptail_airgap
 		if [[ "$INTERWEBS" == 'AIRGAP' ]]; then
 			is_airgap=true
 		fi
 	fi
 
-if [[ $is_manager || $is_import ]]; then
-	check_elastic_license
-fi
-
-if ! [[ -f $install_opt_file ]]; then
 	if [[ $is_manager && $is_sensor ]]; then
 		check_requirements "standalone"
 	elif [[ $is_fleet_standalone ]]; then
@@ -302,11 +299,8 @@ if ! [[ -f $install_opt_file ]]; then
 		source "$net_init_file"
 	fi
 
-	if [[ $is_minion ]] || [[ $reinit_networking ]] || [[ $is_iso ]] && ! [[ -f $net_init_file ]]; then
-		whiptail_management_interface_setup
-	fi
-
 	if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then
+		whiptail_network_init_notice
 		network_init
 	fi
 
@@ -315,19 +309,17 @@ if ! [[ -f $install_opt_file ]]; then
 
 	if [[ $is_minion ]]; then
 		collect_mngr_hostname
+		add_mngr_ip_to_hosts
 	fi
 
 	reset_proxy
 	if [[ -z $is_airgap ]]; then
-		collect_proxy
+		collect_net_method
 		[[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1
 	fi
 
 	if [[ $is_minion ]]; then
-		add_mngr_ip_to_hosts
-	fi
-
-	if [[ $is_minion ]]; then
+		whiptail_ssh_key_copy_notice
 		copy_ssh_key >> $setup_log 2>&1
 	fi
 
@@ -339,6 +331,7 @@ if ! [[ -f $install_opt_file ]]; then
 			"HOSTNAME=$HOSTNAME" \
 			"MSRV=$MSRV" \
 			"MSRVIP=$MSRVIP" \
+			"is_airgap=$is_airgap" \
 			"NODE_DESCRIPTION=\"$NODE_DESCRIPTION\"" > "$install_opt_file"
 		[[ -n $so_proxy ]] && echo "so_proxy=$so_proxy" >> "$install_opt_file"
 		download_repo_tarball
@@ -428,7 +421,7 @@ fi
 
 if [[ $is_airgap ]]; then
 	PATCHSCHEDULENAME=${PATCHSCHEDULENAME:-manual}
-	MANAGERUPDATES=${MANAGERUPDATES:-0} 
+	[[ ! $is_minion ]] && MANAGERUPDATES=${MANAGERUPDATES:-0} || MANAGERUPDATES=${MANAGERUPDATES:-1}
 fi
 
 # Start user prompts
@@ -499,13 +492,6 @@ if [[ $is_manager || $is_import ]]; then
 	get_redirect
 fi
 
-if [[ ! $is_airgap && ( $is_distmanager || ( $is_sensor || $is_node || $is_fleet_standalone ) && ! $is_eval ) ]]; then
-	whiptail_manager_updates
-	if [[ $setup_type == 'network' && $MANAGERUPDATES == 1 ]]; then
-		whiptail_manager_updates_warning
-	fi
-fi
-
 if [[ $is_distmanager ]]; then
 	collect_soremote_inputs
 fi
@@ -648,6 +634,8 @@ echo "1" > /root/accept_changes
 	set_progress_str 2 'Updating packages'
 	# Import the gpg keys
 	gpg_rpm_import >> $setup_log 2>&1
+	info "Disabling fastestmirror"
+	[[ $OS == 'centos' ]] && disable_fastestmirror
 	if [[ ! $is_airgap ]]; then
 	    securityonion_repo >> $setup_log 2>&1
 	    update_packages >> $setup_log 2>&1

setup/so-whiptail

@@ -616,7 +616,14 @@ whiptail_end_settings() {
 		fi
 	fi
 
-	whiptail --title "The following options have been set, would you like to proceed?" --yesno "$end_msg" 24 75 --scrolltext
+	local msg
+	read -r -d '' msg <<-EOM
+	$end_msg
+
+	Press TAB to select yes or no.
+	EOM
+
+	whiptail --title "The following options have been set, would you like to proceed?" --yesno "$msg" 24 75 --scrolltext
 
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -987,44 +994,65 @@ whiptail_management_nic() {
 
 }
 
-whiptail_management_interface_setup() {
+whiptail_net_method() {
 	[ -n "$TESTING" ] && return
 
-	local minion_msg
-	local msg
-	local line_count
+	local pkg_mngr
+	if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi
+
+	read -r -d '' options_msg <<- EOM
+	"Direct" - Internet requests connect directly to the Internet.
+
+	EOM
+	local options=(
+		" Direct " ""
+	)
+	local proxy_desc="proxy the traffic for git, docker client, wget, curl, ${pkg_mngr}, and various other SO components through a separate server in your environment."
 
 	if [[ $is_minion ]]; then
-		line_count=11
-		minion_msg="copy the ssh key for soremote to the manager. This will bring you to the command line temporarily to accept the manager's ECDSA certificate and enter the password for soremote"
-	else
-		line_count=9
-		minion_msg=""
-	fi
+		read -r -d '' options_msg <<- EOM
+		${options_msg}
 
-	if [[ $is_iso ]]; then
-		if [[ $minion_msg != "" ]]; then
-			if [[ -f $net_init_file ]]; then
-				msg=$minion_msg
-			else
-				msg="initialize networking and $minion_msg"
-			fi
-		else
-			msg="initialize networking"
-		fi
-	else
-		msg=$minion_msg
-	fi
+		"Direct + Manager" - all traffic passes to the Internet normally, but ${pkg_mngr} updates will instead be pulled from ${mngr_article} manager. 
 
-	read -r -d '' message <<- EOM
-		Setup will now $msg.
+		"Proxy" - ${proxy_desc}
 
-		Select OK to continue.
+		"Proxy + Manager" - proxy all traffic from the "Proxy" option except ${pkg_mngr} updates, which will instead pull from the manager.
 		EOM
 		
-	whiptail --title "Security Onion Setup" --msgbox "$message" $line_count 75
+		options+=(
+			" Direct + Manager " ""
+			" Proxy " ""
+			" Proxy + Manager " ""
+		)
+		local height=25
+	else
+		read -r -d '' options_msg <<- EOM
+			${options_msg}
+
+			"Proxy" - ${proxy_desc}
+		EOM
+		options+=(
+			" Proxy " ""
+		)
+		local height=17
+	fi
+
+	local msg
+	read -r -d '' msg <<- EOM
+	How would you like to connect to the Internet? 
+
+	$options_msg
+	EOM
+
+	local option_count=$(( ${#options[@]} / 2 ))
+
+	network_traffic=$(whiptail --title "Security Onion Setup" --menu "$msg" $height 75 $option_count "${options[@]}" 3>&1 1>&2 2>&3)
+
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
+	
+	network_traffic=$(echo "${network_traffic^^}" | tr -d ' ' | tr '+' '_')
 }
 
 whiptail_net_setup_complete() {
@@ -1035,6 +1063,20 @@ whiptail_net_setup_complete() {
 	exit 0
 }
 
+whiptail_network_init_notice() {
+	[ -n "$TESTING" ] && return
+
+	read -r -d '' message <<- EOM
+		Setup will now initialize networking.
+
+		Select OK to continue.
+	EOM
+
+	whiptail --title "Security Onion Setup" --msgbox "$message" 9 75
+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
+}
+
 whiptail_management_server() {
 
 	[ -n "$TESTING" ] && return
@@ -1161,29 +1203,6 @@ whiptail_manager_error() {
 	whiptail --title "Security Onion Setup" --yesno "$msg" 13 75 || whiptail_check_exitstatus 1
 }
 
-whiptail_manager_updates() {
-
-	[ -n "$TESTING" ] && return
-
-	local update_string
-	update_string=$(whiptail --title "Security Onion Setup" --radiolist \
-	"How would you like to download OS package updates for your grid?" 20 75 4 \
-	"MANAGER" "Manager node is proxy for updates" ON \
-	"OPEN" "Each node connects to the Internet for updates" OFF 3>&1 1>&2 2>&3 )
-	local exitstatus=$?
-	whiptail_check_exitstatus $exitstatus
-
-	case "$update_string" in
-		'MANAGER')
-			export MANAGERUPDATES='1'
-			;;
-		*)
-			export MANAGERUPDATES='0'
-			;;
-	esac
-
-}
-
 whiptail_manager_updates_warning() {
 	[ -n "$TESTING" ] && return
 
@@ -1485,7 +1504,9 @@ whiptail_patch_schedule_select_hours() {
 whiptail_proxy_ask() {
 	[ -n "$TESTING" ] && return
 
-	whiptail --title "Security Onion Setup" --yesno "Do you want to set a proxy server for this installation?" 7 60 --defaultno
+	local pkg_mngr
+	if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi
+	whiptail --title "Security Onion Setup" --yesno "Do you want to proxy the traffic for git, docker client, wget, curl, ${pkg_mngr}, and various other SO components through a separate server in your environment?" 9 65 --defaultno
 }
 
 whiptail_proxy_addr() {
@@ -1718,6 +1739,20 @@ whiptail_so_allow() {
 	whiptail_check_exitstatus $exitstatus
 }
 
+whiptail_ssh_key_copy_notice() {
+	[ -n "$TESTING" ] && return
+
+	read -r -d '' message <<- EOM
+		Setup will now copy the ssh key for soremote to the manager. This will bring you to the command line temporarily to accept the manager's ED25519 certificate and enter the password for soremote.
+
+		Select OK to continue.
+	EOM
+
+	whiptail --title "Security Onion Setup" --msgbox "$message" 11 75
+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
+}
+
 whitpail_ssh_warning() {
 	[ -n "$TESTING" ] && return