Merge pull request #2979 from Security-Onion-Solutions/foxtrot

Setup fixes/improvements

setup/automation/eval-net-centos

@@ -34,7 +34,7 @@ GRAFANA=1
 # HELIXAPIKEY=
 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
 HNSENSOR=inherit
-HOSTNAME=standalone
+HOSTNAME=eval
 install_type=EVAL
 # LSINPUTBATCHCOUNT=
 # LSINPUTTHREADS=

setup/automation/eval-net-ubuntu

@@ -34,8 +34,8 @@ GRAFANA=1
 # HELIXAPIKEY=
 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
 HNSENSOR=inherit
-HOSTNAME=standalone
+HOSTNAME=eval
-install_type=STANDALONE
+install_type=EVAL
 # LSINPUTBATCHCOUNT=
 # LSINPUTTHREADS=
 # LSPIPELINEBATCH=

setup/so-functions

@@ -398,6 +398,13 @@ collect_hostname() {
 
 	whiptail_set_hostname "$HOSTNAME"
 
+
+	if [[ $HOSTNAME == 'securityonion' ]]; then # Will only check HOSTNAME=securityonion once
+		if ! (whiptail_avoid_default_hostname); then
+			whiptail_set_hostname
+		fi
+	fi
+
 	while ! valid_hostname "$HOSTNAME"; do
 		whiptail_invalid_hostname
 		whiptail_set_hostname "$HOSTNAME"
@@ -963,15 +970,16 @@ installer_prereq_packages() {
 	elif [ "$OS" == ubuntu ]; then
 		# Print message to stdout so the user knows setup is doing something
 		echo "Installing required packages to run installer..."
+		retry 50 10 "apt-get update" >> "$setup_log" 2>&1 || exit 1
 		# Install network manager so we can do interface stuff
 		if ! command -v nmcli > /dev/null 2>&1; then
-			retry 50 10 "apt-get install -y network-manager" >> "$setup_log" 2>&1 || exit 1
+			retry 50 10 "apt-get -y install network-manager" >> "$setup_log" 2>&1 || exit 1
 			{
 				systemctl enable NetworkManager
 				systemctl start NetworkManager
 			} >> "$setup_log" 2<&1
 		fi
-		retry 50 10 "apt-get install -y bc curl"  >> "$setup_log" 2>&1 || exit 1
+		retry 50 10 "apt-get -y install bc curl"  >> "$setup_log" 2>&1 || exit 1
 	fi
 }
 
@@ -1790,7 +1798,7 @@ reinstall_init() {
 	local service_retry_count=20
 
 	{
-		if command -v salt-call &> /dev/null; then
+		if command -v salt-call &> /dev/null && grep -q "master:" /etc/salt/minion 2> /dev/null; then
 			# Disable schedule so highstate doesn't start running during the install
 			salt-call -l info schedule.disable
 
@@ -1950,9 +1958,7 @@ saltify() {
 		} >> "$setup_log" 2>&1
 		yum versionlock salt*
 	else
-		if ! (DEBIAN_FRONTEND=noninteractive retry 50 10 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1); then
+		DEBIAN_FRONTEND=noninteractive retry 50 10 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1 || exit 1
-			exit 1
-		fi
 
 		if [ $OSVER != "xenial" ]; then
 			# Switch to Python 3 as default if this is not xenial

setup/so-setup

@@ -379,6 +379,11 @@ if [[ $is_import ]]; then
 	PLAYBOOK=0
 fi
 
+if [[ $is_airgap ]]; then
+	PATCHSCHEDULENAME=manual
+	MANAGERUPDATES=0 
+fi
+
 # Start user prompts
 
 if [[ $is_helix ]]; then
@@ -393,7 +398,7 @@ if [[ $is_helix || $is_sensor || $is_import ]]; then
 	calculate_useable_cores
 fi
 
-if [[ ! $is_import ]]; then
+if [[ ! $is_airgap && ! $is_import ]]; then
 	collect_patch_schedule
 fi
 
@@ -446,7 +451,7 @@ if [[ $is_manager || $is_import ]]; then
 	get_redirect
 fi
 
-if [[ $is_distmanager || ( $is_sensor || $is_node || $is_fleet_standalone ) && ! $is_eval ]]; then
+if [[ ! $is_airgap && ( $is_distmanager || ( $is_sensor || $is_node || $is_fleet_standalone ) && ! $is_eval ) ]]; then
 	whiptail_manager_updates
 	if [[ $setup_type == 'network' && $MANAGERUPDATES == 1 ]]; then
 		whiptail_manager_updates_warning

setup/so-whiptail

@@ -28,6 +28,20 @@ whiptail_airgap() {
 	whiptail_check_exitstatus $exitstatus
 }
 
+whiptail_avoid_default_hostname() {
+	[ -n "$TESTING" ] && return
+
+	read -r -d '' message <<- EOM
+	To prevent hostname conflicts, avoid using the default 'securityonion' hostname in a distributed environment.
+
+	You can choose to use this default hostname anyway, or change it to a new hostname.
+	EOM
+
+	whiptail --title "Security Onion Setup" \
+		--yesno "$message" 11 75 \
+		--yes-button "Use Anyway" --no-button "Change" --defaultno
+}
+
 whiptail_basic_suri() {
 
 	[ -n "$TESTING" ] && return
@@ -937,13 +951,25 @@ whiptail_metadata_tool() {
 
 	[ -n "$TESTING" ] && return
 
+	read -r -d '' message <<- EOM
+		What tool would you like to use to generate metadata?
+		
+		This question is asking specifically about metadata, which would be things like the connection log, DNS log, HTTP log, etc. This does not include NIDS alerts.
+		
+		If you choose Zeek for metadata, Suricata will still run to generate NIDS alerts.
+
+		If you choose Suricata for metadata, it will generate NIDS alerts and metadata, and Zeek will not run at all.
+	EOM
+
 	# Legacy variable naming
-	ZEEKVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate metadata?" 20 75 4 \
+	ZEEKVERSION=$(whiptail --title "Security Onion Setup" --menu "$message" 20 75 2 \
-	"ZEEK" "Zeek (formerly known as Bro)"  ON \
+	"Zeek      " "Use Zeek (Bro) for metadata and Suricata for NIDS alerts" \
-	"SURICATA" "Suricata" OFF 3>&1 1>&2 2>&3)
+	"Suricata  " "Use Suricata for both metadata and NIDS alerts" 3>&1 1>&2 2>&3)
 
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
+
+	ZEEKVERSION=$(echo "${ZEEKVERSION^^}" | tr -d ' ')
 }
 
 whiptail_nids() {