merge with dev, resolve conflicts

m0duspwnens
2021-04-28 10:19:01 -04:00
49 changed files with 280 additions and 330 deletions
+2 -2
@@ -1,6 +1,6 @@
## Security Onion 2.3.40 ## Security Onion 2.3.50
Security Onion 2.3.40 is here! Security Onion 2.3.50 is here!
## Screenshots ## Screenshots
+12 -11
@@ -1,16 +1,17 @@
### 2.3.40 ISO image built on 2021/03/22 ### 2.3.50 ISO image built on 2021/04/27
### Download and Verify ### Download and Verify
2.3.40 ISO image: 2.3.50 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.3.40.iso https://download.securityonion.net/file/securityonion/securityonion-2.3.50.iso
MD5: FB72C0675F262A714B287BB33CE82504 MD5: C39CEA68B5A8AFC5CFFB2481797C0374
SHA1: E8F5A9AA23990DF794611F9A178D88414F5DA81C SHA1: 00AD9F29ABE3AB495136989E62EBB8FA00DA82C6
SHA256: DB125D6E770F75C3FD35ABE3F8A8B21454B7A7618C2B446D11B6AC8574601070 SHA256: D77AE370D7863837A989F6735413D1DD46B866D8D135A4C363B0633E3990387E
Signature for ISO image: Signature for ISO image:
https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.40.iso.sig https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.50.iso.sig
Signing key: Signing key:
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS
@@ -24,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
Download the signature file for the ISO: Download the signature file for the ISO:
``` ```
wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.40.iso.sig wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.50.iso.sig
``` ```
Download the ISO image: Download the ISO image:
``` ```
wget https://download.securityonion.net/file/securityonion/securityonion-2.3.40.iso wget https://download.securityonion.net/file/securityonion/securityonion-2.3.50.iso
``` ```
Verify the downloaded ISO image using the signature file: Verify the downloaded ISO image using the signature file:
``` ```
gpg --verify securityonion-2.3.40.iso.sig securityonion-2.3.40.iso gpg --verify securityonion-2.3.50.iso.sig securityonion-2.3.50.iso
``` ```
The output should show "Good signature" and the Primary key fingerprint should match what's shown below: The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
``` ```
gpg: Signature made Mon 22 Mar 2021 09:35:50 AM EDT using RSA key ID FE507013 gpg: Signature made Tue 27 Apr 2021 02:17:25 PM EDT using RSA key ID FE507013
gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>" gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
gpg: WARNING: This key is not certified with a trusted signature! gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner. gpg: There is no indication that the signature belongs to the owner.
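--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,2 @@
+{%- set VERSION = salt['pillar.get']('global:soversion') -%}
+{{ VERSION }}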
+6
@@ -0,0 +1,6 @@
" Activates filetype detection
filetype plugin indent on
" Sets .sls files to use YAML syntax highlighting
autocmd BufNewFile,BufRead *.sls set syntax=yaml
set number
+17
@@ -69,6 +69,13 @@ salttmp:
- group: 939 - group: 939
- makedirs: True - makedirs: True
# VIM config
vimconfig:
file.managed:
- name: /root/.vimrc
- source: salt://common/files/vimrc
- replace: False
# Install common packages # Install common packages
{% if grains['os'] != 'CentOS' %} {% if grains['os'] != 'CentOS' %}
commonpkgs: commonpkgs:
@@ -95,6 +102,7 @@ commonpkgs:
- python3-mysqldb - python3-mysqldb
- python3-packaging - python3-packaging
- git - git
- vim
heldpackages: heldpackages:
pkg.installed: pkg.installed:
@@ -134,6 +142,7 @@ commonpkgs:
- lvm2 - lvm2
- openssl - openssl
- git - git
- vim-enhanced
heldpackages: heldpackages:
pkg.installed: pkg.installed:
@@ -269,6 +278,14 @@ backupdir:
- daymonth: '*' - daymonth: '*'
- month: '*' - month: '*'
- dayweek: '*' - dayweek: '*'
{% else %}
soversionfile:
file.managed:
- name: /etc/soversion
- source: salt://common/files/soversion
- mode: 644
- template: jinja
{% endif %} {% endif %}
# Manager daemon.json # Manager daemon.json
+4
@@ -122,6 +122,10 @@ check_elastic_license() {
fi fi
} }
disable_fastestmirror() {
sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf
}
elastic_license() { elastic_license() {
read -r -d '' message <<- EOM read -r -d '' message <<- EOM
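--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -19,6 +19,6 @@
 # Check to see if we are already running
 IS_RUNNING=$(ps aux | pgrep -f "so-playbook-sync" | wc -l)
-[ "$IS_RUNNING" -gt 2 ] && echo "$(date) - Multiple Playbook Sync processes already running...exiting." && exit 0
+[ "$IS_RUNNING" -gt 3 ] && echo "$(date) - Multiple Playbook Sync processes already running...exiting." && exit 0
 docker exec so-soctopus python3 playbook_play-sync.py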
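Review bot: Raising the threshold on the `[ "$IS_RUNNING" -gt 3 ]` line tunes around a count that is not well-defined rather than fixing the guard: `pgrep` never reads stdin, so the `ps aux |` stage is dead, and `pgrep -f "so-playbook-sync"` matches every command line containing that string, including the `$(...)` subshell doing the counting, an editor opened on the script, or a `grep` for it, so the number depends on how the script is invoked. The same pattern is in the so-sensor-clean hunk below (`[ "$IS_RUNNING" -gt 3 ]`). A lock file gives a race-free single-instance guard in two lines, e.g. `exec 9>/var/lock/so-playbook-sync.lock` followed by `flock -n 9 || { echo "$(date) - Multiple Playbook Sync processes already running...exiting."; exit 0; }`, with the lock path placed wherever the script keeps its state. If the process count must stay, `IS_RUNNING=$(pgrep -fc "so-playbook-sync")` replaces the pipeline, and the threshold deserves a comment listing the instances it accounts for.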
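--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -116,7 +116,7 @@ clean() {
 # Check to see if we are already running
 IS_RUNNING=$(ps aux | pgrep -f "so-sensor-clean" | wc -l)
-[ "$IS_RUNNING" -gt 2 ] && echo "$(date) - $IS_RUNNING sensor clean script processes running...exiting." >>$LOG && exit 0
+[ "$IS_RUNNING" -gt 3 ] && echo "$(date) - $IS_RUNNING sensor clean script processes running...exiting." >>$LOG && exit 0
 if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then
 while [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; do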
+45 -19
@@ -453,18 +453,18 @@ up_2.3.3X_to_2.3.50_repo() {
if [[ "$OS" == "centos" ]]; then if [[ "$OS" == "centos" ]]; then
# Import GPG Keys # Import GPG Keys
gpg_rpm_import gpg_rpm_import
echo "Disabling fastestmirror."
disable_fastestmirror
echo "Deleting unneeded repo files."
DELREPOS=('CentOS-Base' 'CentOS-CR' 'CentOS-Debuginfo' 'docker-ce' 'CentOS-fasttrack' 'CentOS-Media' 'CentOS-Sources' 'CentOS-Vault' 'CentOS-x86_64-kernel' 'epel' 'epel-testing' 'saltstack' 'wazuh')
for DELREPO in "${DELREPOS[@]}"; do
if [[ -f "/etc/yum.repos.d/$DELREPO.repo" ]]; then
echo "Deleting $DELREPO.repo"
rm -f "/etc/yum.repos.d/$DELREPO.repo"
fi
done
if [ $is_airgap -eq 1 ]; then if [ $is_airgap -eq 1 ]; then
echo "Deleting unneeded repo files."
DELREPOS=('CentOS-Base' 'CentOS-CR' 'CentOS-Debuginfo' 'docker-ce' 'CentOS-fasttrack' 'CentOS-Media' 'CentOS-Sources' 'CentOS-Vault' 'CentOS-x86_64-kernel' 'epel' 'epel-testing' 'saltstack' 'wazuh')
for DELREPO in "${DELREPOS[@]}"; do
if [[ -f "/etc/yum.repos.d/$DELREPO.repo" ]]; then
echo "Deleting $DELREPO.repo"
rm -f "/etc/yum.repos.d/$DELREPO.repo"
fi
done
# Copy the new repo file if not airgap # Copy the new repo file if not airgap
cp $UPDATE_DIR/salt/repo/client/files/centos/securityonion.repo /etc/yum.repos.d/ cp $UPDATE_DIR/salt/repo/client/files/centos/securityonion.repo /etc/yum.repos.d/
yum clean all yum clean all
@@ -474,6 +474,34 @@ up_2.3.3X_to_2.3.50_repo() {
} }
up_2.3.3X_to_2.3.50() { up_2.3.3X_to_2.3.50() {
cat <<EOF > /tmp/supersed.txt
/so-zeek:/ {
p;
n;
/shards:/ {
p;
n;
/warm:/ {
p;
n;
/close:/ {
s/close: 365/close: 45/;
p;
n;
/delete:/ {
s/delete: 45/delete: 365/;
p;
d;
}
}
}
}
}
p;
EOF
sed -n -i -f /tmp/supersed.txt /opt/so/saltstack/local/pillar/global.sls
rm /tmp/supersed.txt
INSTALLEDVERSION=2.3.50 INSTALLEDVERSION=2.3.50
} }
@@ -687,6 +715,9 @@ echo ""
echo "Updating dockers to $NEWVERSION." echo "Updating dockers to $NEWVERSION."
if [ $is_airgap -eq 0 ]; then if [ $is_airgap -eq 0 ]; then
airgap_update_dockers airgap_update_dockers
update_centos_repo
yum clean all
check_os_updates
else else
update_registry update_registry
update_docker_containers "soup" update_docker_containers "soup"
@@ -708,10 +739,6 @@ preupgrade_changes_2.3.50_repo
if [ "$UPGRADESALT" == "1" ]; then if [ "$UPGRADESALT" == "1" ]; then
echo "Upgrading Salt" echo "Upgrading Salt"
# Update the repo files so it can actually upgrade # Update the repo files so it can actually upgrade
if [ $is_airgap -eq 0 ]; then
update_centos_repo
yum clean all
fi
upgrade_salt upgrade_salt
fi fi
@@ -796,13 +823,12 @@ unmount_update
thehive_maint thehive_maint
if [ "$UPGRADESALT" == "1" ]; then if [ "$UPGRADESALT" == "1" ]; then
echo ""
echo "Upgrading Salt on the remaining Security Onion nodes from $INSTALLEDSALTVERSION to $NEWSALTVERSION."
if [ $is_airgap -eq 0 ]; then if [ $is_airgap -eq 0 ]; then
salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone' cmd.run "yum clean all" echo ""
echo "Cleaning repos on remote Security Onion nodes."
salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone and G@os:CentOS' cmd.run "yum clean all"
echo ""
fi fi
salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone' -b $BATCHSIZE state.apply salt.minion queue=True
echo ""
fi fi
check_sudoers check_sudoers
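Review bot: `cat <<EOF > /tmp/supersed.txt` in up_2.3.3X_to_2.3.50 writes a sed program to a fixed, predictable name in /tmp as root and then runs it with `sed -n -i -f` against /opt/so/saltstack/local/pillar/global.sls; a pre-existing file or symlink at that path is followed by the redirection, and the program sed executes is whatever sits at that path when it is read, so the edit of the global pillar should not depend on a world-writable directory. Three lines fix it: `supersed=$(mktemp) || return 1`, `cat <<EOF > "$supersed"`, and `sed -n -i -f "$supersed" /opt/so/saltstack/local/pillar/global.sls; rm -f -- "$supersed"` (or feed the script through process substitution and skip the file entirely). Separately, because `-n` disables auto-print, any line that does not reach a `p` is silently dropped when the file is rewritten in place, so taking a `cp -p` backup first and checking sed's exit status before setting INSTALLEDVERSION would make a partial rewrite visible. up_2.3.3X_to_2.3.50 is fully inside the hunk, but up_2.3.3X_to_2.3.50_repo and the script's main body begin outside it.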
@@ -4322,139 +4322,6 @@
"align": false, "align": false,
"alignLevel": null "alignLevel": null
} }
},
{
"aliasColors": {},
"bars": false,
"dashLength": 10,
"dashes": false,
"datasource": "InfluxDB",
"fieldConfig": {
"defaults": {
"custom": {}
},
"overrides": []
},
"fill": 1,
"fillGradient": 0,
"gridPos": {
"h": 6,
"w": 8,
"x": 16,
"y": 31
},
"hiddenSeries": false,
"id": 76,
"legend": {
"avg": false,
"current": false,
"max": false,
"min": false,
"show": false,
"total": false,
"values": false
},
"lines": true,
"linewidth": 1,
"nullPointMode": "connected",
"options": {
"alertThreshold": true
},
"percentage": false,
"pluginVersion": "7.3.4",
"pointradius": 2,
"points": false,
"renderer": "flot",
"seriesOverrides": [],
"spaceLength": 10,
"stack": false,
"steppedLine": false,
"targets": [
{
"alias": "EPS",
"groupBy": [
{
"params": [
"$__interval"
],
"type": "time"
},
{
"params": [
"null"
],
"type": "fill"
}
],
"measurement": "esteps",
"orderByTime": "ASC",
"policy": "default",
"queryType": "randomWalk",
"refId": "A",
"resultFormat": "time_series",
"select": [
[
{
"params": [
"eps"
],
"type": "field"
},
{
"params": [],
"type": "mean"
}
]
],
"tags": [
{
"key": "host",
"operator": "=",
"value": "{{ SERVERNAME }}"
}
]
}
],
"thresholds": [],
"timeFrom": null,
"timeRegions": [],
"timeShift": null,
"title": "{{ SERVERNAME }} - Estimated EPS",
"tooltip": {
"shared": true,
"sort": 0,
"value_type": "individual"
},
"type": "graph",
"xaxis": {
"buckets": null,
"mode": "time",
"name": null,
"show": true,
"values": []
},
"yaxes": [
{
"format": "short",
"label": "EPS",
"logBase": 1,
"max": null,
"min": null,
"show": true
},
{
"format": "short",
"label": null,
"logBase": 1,
"max": null,
"min": null,
"show": false
}
],
"yaxis": {
"align": false,
"alignLevel": null
}
} }
], ],
"refresh": false, "refresh": false,
@@ -5157,7 +5157,7 @@
"type": "fill" "type": "fill"
} }
], ],
"measurement": "esteps", "measurement": "consumptioneps",
"orderByTime": "ASC", "orderByTime": "ASC",
"policy": "default", "policy": "default",
"queryType": "randomWalk", "queryType": "randomWalk",
@@ -5562,7 +5562,7 @@
"type": "fill" "type": "fill"
} }
], ],
"measurement": "esteps", "measurement": "consumptioneps",
"orderByTime": "ASC", "orderByTime": "ASC",
"policy": "default", "policy": "default",
"queryType": "randomWalk", "queryType": "randomWalk",
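--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -90,3 +90,7 @@ PassThroughPattern: (repo\.securityonion\.net:443|download\.docker\.com:443|mirr
 # MaxDlSpeed: 500
 # MaxInresponsiveDlSize: 64000
 # BadRedirDetectMime: text/html
+{% set proxy = salt['pillar.get']('manager:proxy') -%}
+{% if proxy -%}
+Proxy: {{ proxy }}
+{% endif -%}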
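Review bot: `Proxy: {{ proxy }}` interpolates the `manager:proxy` pillar value unescaped, and an apt-cacher-ng upstream proxy is commonly given as a URL that may embed credentials, so whatever the pillar holds now lands verbatim in the rendered config on disk. The state that installs this file (in another section of this commit) sets `show_changes: False`, which keeps the value out of state output, but nothing in this hunk constrains the file's mode or the shape of the value; a guard such as `{% if proxy is string and proxy|trim -%}` plus a comment that the value must be a single `http://[user:pass@]host:port` token would document the contract. I cannot see the pillar schema, so whether credentials ever appear there is an assumption to confirm.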
+2 -6
@@ -18,7 +18,6 @@
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %} {% set MANAGER = salt['grains.get']('master') %}
{% set managerproxy = salt['pillar.get']('global:managerupdate', '0') %}
{% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %} {% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %}
socore_own_saltstack: socore_own_saltstack:
@@ -35,8 +34,6 @@ socore_own_saltstack:
- mode: 750 - mode: 750
- replace: False - replace: False
{% if managerproxy == 1 %}
# Create the directories for apt-cacher-ng # Create the directories for apt-cacher-ng
aptcacherconfdir: aptcacherconfdir:
file.directory: file.directory:
@@ -60,11 +57,12 @@ aptcacherlogdir:
- makedirs: true - makedirs: true
# Copy the config # Copy the config
acngcopyconf: acngcopyconf:
file.managed: file.managed:
- name: /opt/so/conf/aptcacher-ng/etc/acng.conf - name: /opt/so/conf/aptcacher-ng/etc/acng.conf
- source: salt://manager/files/acng/acng.conf - source: salt://manager/files/acng/acng.conf
- template: jinja
- show_changes: False
# Install the apt-cacher-ng container # Install the apt-cacher-ng container
so-aptcacherng: so-aptcacherng:
@@ -84,8 +82,6 @@ append_so-aptcacherng_so-status.conf:
- name: /opt/so/conf/so-status/so-status.conf - name: /opt/so/conf/so-status/so-status.conf
- text: so-aptcacherng - text: so-aptcacherng
{% endif %}
strelka_yara_update_old_1: strelka_yara_update_old_1:
cron.absent: cron.absent:
- user: root - user: root
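--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -12,7 +12,7 @@ installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }}
 bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
 distroverpkg=centos-release
 clean_requirements_on_remove=1
-{% if (grains['role'] not in ['so-eval','so-managersearch', 'so-manager', 'so-standalone']) and salt['pillar.get']('global:managerupdate', '0') -%}
+{% if (grains['role'] not in ['so-eval','so-managersearch', 'so-manager', 'so-standalone', 'so-import']) and ( salt['pillar.get']('global:managerupdate', '0') or salt['pillar.get']('patch:os:source', 'direct') == 'manager' ) -%}
 proxy=http://{{ salt['pillar.get']('yum:config:proxy', salt['config.get']('master')) }}:3142
 {% elif proxy -%}
 proxy={{ proxy }}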
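Review bot: In the new condition, `salt['pillar.get']('global:managerupdate', '0')` is truthy whenever the key is absent, because the default `'0'` is a non-empty string and Jinja does not coerce it; since this same commit stops writing `managerupdate:` into the global pillar (the manager_global hunk in so-functions), the `or` clause is never consulted and every role outside the excluded list gets `proxy=http://...:3142` regardless of `patch:os:source`. Compare the value explicitly, e.g. `( salt['pillar.get']('global:managerupdate', '0')|int == 1 or salt['pillar.get']('patch:os:source', 'direct') == 'manager' )`, or drop the legacy key now that `patch:os:source` carries the decision. On upgraded systems whose pillar still has an integer 0 the bug is masked, which is why it is easy to miss in testing.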
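--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -16,8 +16,9 @@ airgap_repo:
 pkgrepo.managed:
 - humanname: Airgap Repo
 - baseurl: https://{{ MANAGER }}/repo
-- gpgcheck: 1
+- gpgcheck: 0
 - sslverify: 0
 {% endif %}
 # from airgap and common
@@ -63,6 +64,7 @@ yumconf:
 - source: salt://repo/client/files/centos/yum.conf.jinja
 - mode: 644
 - template: jinja
+- show_changes: False
 {% endif %}
 cleanyum: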
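Review bot: Flipping the airgap repo to `gpgcheck: 0` while it already carries `sslverify: 0` leaves nothing that authenticates packages pulled from `https://{{ MANAGER }}/repo`: the TLS endpoint is not verified and RPM signatures are no longer checked, so any host that can answer for the manager's address can feed packages to every airgap node. If the change works around the signing key not being present on fresh airgap installs, keep `gpgcheck: 1` and supply the key through `pkgrepo.managed`'s `gpgkey:` argument (or import it in a preceding state); if the repo genuinely contains unsigned packages, a comment saying so here would stop the downgrade from being read as accidental. The `- show_changes: False` added to yumconf in the second hunk is reasonable given the proxy line that file can now carry.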
+6 -4
@@ -3,13 +3,15 @@
{% if grains.os == 'Ubuntu' %} {% if grains.os == 'Ubuntu' %}
{% set SPLITCHAR = '+' %} {% set SPLITCHAR = '+' %}
{% set SALTNOTHELD = salt['cmd.run']('apt-mark showhold | grep salt-* ; echo $?', python_shell=True) %} {% set SALTNOTHELD = salt['cmd.run']('apt-mark showhold | grep -q salt ; echo $?', python_shell=True) %}
{% set SALTPACKAGES = ['salt-common', 'salt-master', 'salt-minion'] %}
{% set SALT_STATE_CODE_PATH = '/usr/lib/python3/dist-packages/salt/states' %} {% set SALT_STATE_CODE_PATH = '/usr/lib/python3/dist-packages/salt/states' %}
{% set SALT_MODULE_CODE_PATH = '/usr/lib/python3/dist-packages/salt/modules' %} {% set SALT_MODULE_CODE_PATH = '/usr/lib/python3/dist-packages/salt/modules' %}
{% set PYTHON3INFLUX= 'python3-influxdb' %} {% set PYTHON3INFLUX= 'python3-influxdb' %}
{% else %} {% else %}
{% set SPLITCHAR = '-' %} {% set SPLITCHAR = '-' %}
{% set SALTNOTHELD = salt['cmd.run']('yum versionlock list | grep salt-* ; echo $?', python_shell=True) %} {% set SALTNOTHELD = salt['cmd.run']('yum versionlock list | grep -q salt ; echo $?', python_shell=True) %}
{% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion'] %}
{% set SALT_STATE_CODE_PATH = '/usr/lib/python3.6/site-packages/salt/states' %} {% set SALT_STATE_CODE_PATH = '/usr/lib/python3.6/site-packages/salt/states' %}
{% set SALT_MODULE_CODE_PATH = '/usr/lib/python3.6/site-packages/salt/modules' %} {% set SALT_MODULE_CODE_PATH = '/usr/lib/python3.6/site-packages/salt/modules' %}
{% set PYTHON3INFLUX= 'securityonion-python3-influxdb' %} {% set PYTHON3INFLUX= 'securityonion-python3-influxdb' %}
@@ -19,9 +21,9 @@
{% if grains.saltversion|string != SALTVERSION|string %} {% if grains.saltversion|string != SALTVERSION|string %}
{% if grains.os|lower in ['centos', 'redhat'] %} {% if grains.os|lower in ['centos', 'redhat'] %}
{% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -s 120 -r -F -x python3 stable ' ~ SALTVERSION ~ ' && yum versionlock add "salt-*"' %} {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -s 120 -r -F -x python3 stable ' ~ SALTVERSION %}
{% elif grains.os|lower == 'ubuntu' %} {% elif grains.os|lower == 'ubuntu' %}
{% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION ~ ' && apt-mark hold salt-common && apt-mark hold salt-minion' %} {% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION %}
{% endif %} {% endif %}
{% else %} {% else %}
{% set UPGRADECOMMAND = 'echo Already running Salt Minion version ' ~ SALTVERSION %} {% set UPGRADECOMMAND = 'echo Already running Salt Minion version ' ~ SALTVERSION %}
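Review bot: Removing `&& yum versionlock add "salt-*"` and `&& apt-mark hold ...` from the two UPGRADECOMMAND lines moves the re-pin to `hold_salt_packages` in minion.sls, which only renders once `INSTALLEDSALTVERSION == SALTVERSION`, i.e. on a later state run; between the bootstrap upgrade and that run the salt packages are unheld, and with OS patch schedules enabled an update landing in that window can move salt off the pinned version. If that window is accepted, a comment on these lines stating that the hold is re-applied by the salt.minion state on the next run would record the decision for whoever debugs a stray salt upgrade. Whether the upgrade and the follow-up highstate are always back-to-back is not something this hunk shows.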
+11 -4
@@ -2,6 +2,7 @@
{% from 'salt/map.jinja' import SALTVERSION %} {% from 'salt/map.jinja' import SALTVERSION %}
{% from 'salt/map.jinja' import INSTALLEDSALTVERSION %} {% from 'salt/map.jinja' import INSTALLEDSALTVERSION %}
{% from 'salt/map.jinja' import SALTNOTHELD %} {% from 'salt/map.jinja' import SALTNOTHELD %}
{% from 'salt/map.jinja' import SALTPACKAGES %}
{% import_yaml 'salt/minion.defaults.yaml' as SALTMINION %} {% import_yaml 'salt/minion.defaults.yaml' as SALTMINION %}
{% set service_start_delay = SALTMINION.salt.minion.service_start_delay %} {% set service_start_delay = SALTMINION.salt.minion.service_start_delay %}
@@ -12,11 +13,14 @@ include:
{% if INSTALLEDSALTVERSION|string != SALTVERSION|string %} {% if INSTALLEDSALTVERSION|string != SALTVERSION|string %}
{% if SALTNOTHELD == 0 %} {% if SALTNOTHELD | int == 0 %}
unhold_salt_packages: unhold_salt_packages:
module.run: module.run:
- pkg.unhold: - pkg.unhold:
- name: 'salt-*' - pkgs:
{% for package in SALTPACKAGES %}
- {{ package }}
{% endfor %}
{% endif %} {% endif %}
install_salt_minion: install_salt_minion:
@@ -30,11 +34,14 @@ install_salt_minion:
{% if INSTALLEDSALTVERSION|string == SALTVERSION|string %} {% if INSTALLEDSALTVERSION|string == SALTVERSION|string %}
{% if SALTNOTHELD == 1 %} {% if SALTNOTHELD | int == 1 %}
hold_salt_packages: hold_salt_packages:
module.run: module.run:
- pkg.hold: - pkg.hold:
- name: 'salt-*' - pkgs:
{% for package in SALTPACKAGES %}
- {{ package }}
{% endfor %}
{% endif %} {% endif %}
set_log_levels: set_log_levels:
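Review bot: `{% if SALTNOTHELD | int == 0 %}` and `{% if SALTNOTHELD | int == 1 %}` rely on Jinja's `int` filter, which yields 0 for any input that is not a clean integer, so if the hold-check command captured in map.jinja returns anything besides the bare exit status (an error line mixed into the output, for instance) both checks see 0: the unhold block renders on the upgrade run and the hold block never renders on the follow-up run, leaving the salt packages unpinned without any reported failure. Comparing the trimmed string, `{% if SALTNOTHELD|string|trim == '0' %}` and `== '1'`, makes a malformed value match neither branch instead of defaulting to "held", and a one-line comment above the first check noting that SALTNOTHELD is the grep exit status (0 means the packages are held) would help, since the name reads like a boolean with the opposite sense. Whether cmd.run merges stderr into that captured string is something I cannot confirm from this hunk.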
+7 -5
@@ -1,6 +1,6 @@
## Getting Started ## Getting Started
New to Security Onion 2? Check out the [Online Help](/docs/) and [Cheatsheet](/docs/cheatsheet.pdf) to learn how to best utilize Security Onion to hunt for evil! Find them in the upper-right menu. New to Security Onion 2? Check out the [Online Help](/docs/) and [Cheatsheet](/docs/cheatsheet.pdf) to learn how to best utilize Security Onion to hunt for evil! Find them in the upper-right menu. Also, watch our free Security Onion 2 Essentials online course, available on our [Training](https://securityonionsolutions.com/training) website.
If you're ready to dive-in, take a look at the [Alerts](/#/alerts) interface to see what Security Onion has detected so far. Or navigate to the [Hunt](/#/hunt) interface to hunt for evil that the alerts might have missed! If you're ready to dive-in, take a look at the [Alerts](/#/alerts) interface to see what Security Onion has detected so far. Or navigate to the [Hunt](/#/hunt) interface to hunt for evil that the alerts might have missed!
@@ -10,16 +10,18 @@ The release notes have moved to the upper-right menu. Click on the [What's New](
## Customize This Space ## Customize This Space
Make this area your own by customizing the content. The content is stored in the `motd.md` file, which uses the common Markdown (.md) format. Visit [mardownguide.org](https://www.markdownguide.org/) to learn more about the simple Markdown format. Make this area your own by customizing the content. The content is stored in the `motd.md` file, which uses the common Markdown (.md) format. Visit [markdownguide.org](https://www.markdownguide.org/) to learn more about the simple Markdown format.
To customize this content, login to the manager via SSH and execute the following command: To customize this content, login to the manager via SSH and execute the following command:
```bash ```bash
cp -f /opt/so/saltstack/default/salt/soc/files/soc/motd.md /opt/so/saltstack/local/salt/soc/files/soc/motd.md sudo cp /opt/so/saltstack/default/salt/soc/files/soc/motd.md /opt/so/saltstack/local/salt/soc/files/soc/
``` ```
Now, edit the new file as desired. Finally, run this command: and edit the new file as desired.
Finally, run this command:
```bash ```bash
salt-call state.apply soc queue=True sudo so-soc-restart
``` ```
+6 -4
@@ -132,8 +132,9 @@ influxkeyperms:
# Will trigger 5 days (432000 sec) from cert expiration # Will trigger 5 days (432000 sec) from cert expiration
- 'enddate=$(date -d "$(openssl x509 -in /etc/pki/redis.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/redis.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
- timeout: 30 - timeout: 30
- retry: 5 - retry:
- interval: 30 attempts: 5
interval: 30
rediskeyperms: rediskeyperms:
file.managed: file.managed:
@@ -325,8 +326,9 @@ miniokeyperms:
- x509: /etc/pki/elasticsearch.crt - x509: /etc/pki/elasticsearch.crt
{%- endif %} {%- endif %}
- timeout: 30 - timeout: 30
- retry: 5 - retry:
- interval: 30 attempts: 5
interval: 30
/etc/pki/elasticsearch.crt: /etc/pki/elasticsearch.crt:
x509.certificate_managed: x509.certificate_managed:
+3 -14
@@ -615,29 +615,18 @@
# ## Use TLS but skip chain & host verification # ## Use TLS but skip chain & host verification
# # insecure_skip_verify = false # # insecure_skip_verify = false
{% if TRUE_CLUSTER %}
{% if grains.role == 'so-manager' %}
[[inputs.elasticsearch]]
servers = ["https://{{ MANAGER }}:9200"]
insecure_skip_verify = true
local = false
cluster_health = true
cluster_stats = true
{% endif %}
{% else %}
# # Read stats from one or more Elasticsearch servers or clusters # # Read stats from one or more Elasticsearch servers or clusters
{% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %} {% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %}
[[inputs.elasticsearch]] [[inputs.elasticsearch]]
servers = ["https://{{ MANAGER }}:9200"] servers = ["https://{{ MANAGER }}:9200"]
insecure_skip_verify = true insecure_skip_verify = true
{% elif grains['role'] in ['so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %} {% elif grains['role'] in ['so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %}
[[inputs.elasticsearch]] [[inputs.elasticsearch]]
servers = ["https://{{ NODEIP }}:9200"] servers = ["https://{{ NODEIP }}:9200"]
insecure_skip_verify = true insecure_skip_verify = true
{% endif %}
{% endif %} {% endif %}
# #
# ## Timeout for HTTP requests to the elastic search server(s) # ## Timeout for HTTP requests to the elastic search server(s)
# http_timeout = "5s" # http_timeout = "5s"
@@ -42,7 +42,6 @@ INTERWEBS=AIRGAP
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=
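--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -41,7 +41,6 @@ install_type=MANAGER
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=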
-1
@@ -41,7 +41,6 @@ install_type=MANAGER
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=
@@ -41,7 +41,6 @@ install_type=MANAGER
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=
@@ -41,7 +41,6 @@ install_type=MANAGER
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=
@@ -41,7 +41,6 @@ install_type=MANAGER
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=
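--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -42,7 +42,6 @@ INTERWEBS=AIRGAP
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=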
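--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -41,7 +41,6 @@ install_type=EVAL
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=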
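--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -41,7 +41,6 @@ install_type=EVAL
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=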
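--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -41,7 +41,6 @@ install_type=EVAL
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=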
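--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -41,7 +41,6 @@ install_type=EVAL
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=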
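--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -42,7 +42,6 @@ INTERWEBS=AIRGAP
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=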
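--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -41,7 +41,6 @@ install_type=IMPORT
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=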
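--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -41,7 +41,6 @@ install_type=IMPORT
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=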
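--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -41,7 +41,6 @@ install_type=IMPORT
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=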
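--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -41,7 +41,6 @@ install_type=IMPORT
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=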
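--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -42,7 +42,6 @@ INTERWEBS=AIRGAP
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=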
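--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -41,7 +41,6 @@ install_type=STANDALONE
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=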
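--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -41,7 +41,6 @@ install_type=STANDALONE
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=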
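--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -41,7 +41,6 @@ install_type=STANDALONE
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=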
-1
@@ -41,7 +41,6 @@ install_type=STANDALONE
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=
@@ -41,7 +41,6 @@ install_type=STANDALONE
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=
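--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -41,7 +41,6 @@ install_type=STANDALONE
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=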
+41 -17
@@ -478,6 +478,19 @@ collect_mtu() {
done done
} }
collect_net_method() {
whiptail_net_method
if [[ "$network_traffic" == *"_MANAGER" ]]; then
whiptail_manager_updates_warning
MANAGERUPDATES=1
fi
if [[ "$network_traffic" == "PROXY"* ]]; then
collect_proxy no_ask
fi
}
collect_node_es_heap() { collect_node_es_heap() {
whiptail_node_es_heap "$ES_HEAP_SIZE" whiptail_node_es_heap "$ES_HEAP_SIZE"
} }
@@ -580,7 +593,9 @@ collect_patch_schedule_name_import() {
collect_proxy() { collect_proxy() {
[[ -n $TESTING ]] && return [[ -n $TESTING ]] && return
collect_proxy_details || return local ask=${1:-true}
collect_proxy_details "$ask" || return
while ! proxy_validate; do while ! proxy_validate; do
if whiptail_invalid_proxy; then if whiptail_invalid_proxy; then
collect_proxy_details no_ask collect_proxy_details no_ask
@@ -1654,7 +1669,6 @@ manager_global() {
" fleet_ip: 'N/A'"\ " fleet_ip: 'N/A'"\
" sensoronikey: '$SENSORONIKEY'"\ " sensoronikey: '$SENSORONIKEY'"\
" wazuh: $WAZUH"\ " wazuh: $WAZUH"\
" managerupdate: $MANAGERUPDATES"\
" imagerepo: '$IMAGEREPO'"\ " imagerepo: '$IMAGEREPO'"\
" pipeline: 'redis'"\ " pipeline: 'redis'"\
"sensoroni:"\ "sensoroni:"\
@@ -1850,9 +1864,16 @@ patch_pillar() {
local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls
if [[ $MANAGERUPDATES == 1 ]]; then
local source="manager"
else
local source="direct"
fi
printf '%s\n'\ printf '%s\n'\
"patch:"\ "patch:"\
" os:"\ " os:"\
" source: '$source'"\
" schedule_name: '$PATCHSCHEDULENAME'"\ " schedule_name: '$PATCHSCHEDULENAME'"\
" enabled: True"\ " enabled: True"\
" splay: 300"\ " splay: 300"\
@@ -2306,24 +2327,25 @@ secrets_pillar(){
securityonion_repo() { securityonion_repo() {
# Remove all the current repos # Remove all the current repos
if [[ "$OS" == "centos" ]]; then if [[ "$OS" == "centos" ]]; then
if [[ "$INTERWEBS" == "AIRGAP" ]]; then if [[ "$INTERWEBS" == "AIRGAP" ]]; then
echo "This is airgap I don't need to add this repo" echo "This is airgap I don't need to add this repo"
else else
mkdir -p /root/oldrepos mkdir -p /root/oldrepos
mv -v /etc/yum.repos.d/* /root/oldrepos/ mv -v /etc/yum.repos.d/* /root/oldrepos/
ls -la /etc/yum.repos.d/ ls -la /etc/yum.repos.d/
rm -rf /etc/yum.repos.d rm -rf /etc/yum.repos.d
yum clean all yum clean all
yum repolist all yum repolist all
mkdir -p /etc/yum.repos.d mkdir -p /etc/yum.repos.d
if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then
cp -f ../salt/repo/client/files/centos/securityonioncache.repo /etc/yum.repos.d/ cp -f ../salt/repo/client/files/centos/securityonioncache.repo /etc/yum.repos.d/
else else
cp -f ../salt/repo/client/files/centos/securityonion.repo /etc/yum.repos.d/ cp -f ../salt/repo/client/files/centos/securityonion.repo /etc/yum.repos.d/
fi fi
yum repolist all
fi fi
else else
echo "This is Ubuntu" echo "This is Ubuntu"
fi fi
} }
@@ -2669,10 +2691,12 @@ set_redirect() {
set_updates() { set_updates() {
if [ "$MANAGERUPDATES" = '1' ]; then if [ "$MANAGERUPDATES" = '1' ]; then
if [ "$OS" = 'centos' ]; then if [ "$OS" = 'centos' ]; then
if [[ ! $is_airgap ]]; then if [[ ! $is_airgap ]] && ! ( grep -q "$MSRV" /etc/yum.conf); then
if ! grep -q "$MSRV" /etc/yum.conf; then if grep -q "proxy=" /etc/yum.conf; then
echo "proxy=http://$MSRV:3142" >> /etc/yum.conf sed -i "s/proxy=.*/proxy=http:\/\/$MSRV:3142/" /etc/yum.conf
fi else
echo "proxy=http://$MSRV:3142" >> /etc/yum.conf
fi
fi fi
else else
# Set it up so the updates roll through the manager # Set it up so the updates roll through the manager
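Review bot: In set_updates, `$MSRV` is used unescaped both as a grep regex and inside the sed replacement, so a manager hostname containing regex or sed metacharacters (`.` already matches any character, `&` would be re-expanded by sed) gives a wrong match or a mangled `proxy=` line. Use a fixed-string match and a delimiter that cannot appear in a hostname: `if [[ ! $is_airgap ]] && ! grep -qF -- "$MSRV" /etc/yum.conf; then` and `sed -i "s|^proxy=.*|proxy=http://$MSRV:3142|" /etc/yum.conf`. Anchoring the pattern with `^` also avoids rewriting a commented-out `#proxy=` line. The body of set_updates continues past the end of the hunk, as does collect_net_method's caller context; note that collect_net_method only ever sets MANAGERUPDATES=1 and relies on the variable staying unset for the non-manager choices, which the `== 1` checks elsewhere in this file tolerate but a `# MANAGERUPDATES stays unset (treated as 0) unless a "+ Manager" method is chosen` comment would make explicit.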
+1 -2
@@ -46,8 +46,7 @@ check_new_repos() {
if [[ $OS == 'centos' ]]; then if [[ $OS == 'centos' ]]; then
local repo_arr=( local repo_arr=(
"https://download.docker.com/linux/centos/docker-ce.repo" "https://download.docker.com/linux/centos/docker-ce.repo"
"https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3003/SALTSTACK-GPG-KEY.pub" "https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub"
"https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3003/SALTSTACK-GPG-KEY.pub"
"https://download.docker.com/linux/ubuntu/gpg" "https://download.docker.com/linux/ubuntu/gpg"
"https://packages.wazuh.com/key/GPG-KEY-WAZUH" "https://packages.wazuh.com/key/GPG-KEY-WAZUH"
"https://packages.wazuh.com/3.x/yum/" "https://packages.wazuh.com/3.x/yum/"
+17 -29
@@ -203,16 +203,13 @@ if ! [[ -f $install_opt_file ]]; then
if [[ $option == "CONFIGURENETWORK" ]]; then if [[ $option == "CONFIGURENETWORK" ]]; then
collect_hostname collect_hostname
network_init_whiptail network_init_whiptail
whiptail_management_interface_setup whiptail_network_init_notice
network_init network_init
printf '%s\n' \ printf '%s\n' \
"MNIC=$MNIC" \ "MNIC=$MNIC" \
"HOSTNAME=$HOSTNAME" > "$net_init_file" "HOSTNAME=$HOSTNAME" > "$net_init_file"
set_main_ip >> $setup_log 2>&1 set_main_ip >> $setup_log 2>&1
compare_main_nic_ip compare_main_nic_ip
reset_proxy
collect_proxy
[[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1
whiptail_net_setup_complete whiptail_net_setup_complete
else else
true true
@@ -263,19 +260,19 @@ elif [ "$install_type" = 'ANALYST' ]; then
is_analyst=true is_analyst=true
fi fi
# Check if this is an airgap install
if [[ $is_iso || $is_minion ]]; then
whiptail_airgap
if [[ "$INTERWEBS" == 'AIRGAP' ]]; then
is_airgap=true
fi
fi
if [[ $is_manager || $is_import ]]; then if [[ $is_manager || $is_import ]]; then
check_elastic_license check_elastic_license
fi fi
if ! [[ -f $install_opt_file ]]; then if ! [[ -f $install_opt_file ]]; then
# Check if this is an airgap install
if [[ ( $is_manager || $is_import || $is_minion ) && $is_iso ]]; then
whiptail_airgap
if [[ "$INTERWEBS" == 'AIRGAP' ]]; then
is_airgap=true
fi
fi
if [[ $is_manager && $is_sensor ]]; then if [[ $is_manager && $is_sensor ]]; then
check_requirements "standalone" check_requirements "standalone"
elif [[ $is_fleet_standalone ]]; then elif [[ $is_fleet_standalone ]]; then
@@ -302,11 +299,8 @@ if ! [[ -f $install_opt_file ]]; then
source "$net_init_file" source "$net_init_file"
fi fi
if [[ $is_minion ]] || [[ $reinit_networking ]] || [[ $is_iso ]] && ! [[ -f $net_init_file ]]; then
whiptail_management_interface_setup
fi
if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then
whiptail_network_init_notice
network_init network_init
fi fi
@@ -315,19 +309,17 @@ if ! [[ -f $install_opt_file ]]; then
if [[ $is_minion ]]; then if [[ $is_minion ]]; then
collect_mngr_hostname collect_mngr_hostname
add_mngr_ip_to_hosts
fi fi
reset_proxy reset_proxy
if [[ -z $is_airgap ]]; then if [[ -z $is_airgap ]]; then
collect_proxy collect_net_method
[[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1 [[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1
fi fi
if [[ $is_minion ]]; then if [[ $is_minion ]]; then
add_mngr_ip_to_hosts whiptail_ssh_key_copy_notice
fi
if [[ $is_minion ]]; then
copy_ssh_key >> $setup_log 2>&1 copy_ssh_key >> $setup_log 2>&1
fi fi
@@ -339,6 +331,7 @@ if ! [[ -f $install_opt_file ]]; then
"HOSTNAME=$HOSTNAME" \ "HOSTNAME=$HOSTNAME" \
"MSRV=$MSRV" \ "MSRV=$MSRV" \
"MSRVIP=$MSRVIP" \ "MSRVIP=$MSRVIP" \
"is_airgap=$is_airgap" \
"NODE_DESCRIPTION=\"$NODE_DESCRIPTION\"" > "$install_opt_file" "NODE_DESCRIPTION=\"$NODE_DESCRIPTION\"" > "$install_opt_file"
[[ -n $so_proxy ]] && echo "so_proxy=$so_proxy" >> "$install_opt_file" [[ -n $so_proxy ]] && echo "so_proxy=$so_proxy" >> "$install_opt_file"
download_repo_tarball download_repo_tarball
@@ -428,7 +421,7 @@ fi
if [[ $is_airgap ]]; then if [[ $is_airgap ]]; then
PATCHSCHEDULENAME=${PATCHSCHEDULENAME:-manual} PATCHSCHEDULENAME=${PATCHSCHEDULENAME:-manual}
MANAGERUPDATES=${MANAGERUPDATES:-0} [[ ! $is_minion ]] && MANAGERUPDATES=${MANAGERUPDATES:-0} || MANAGERUPDATES=${MANAGERUPDATES:-1}
fi fi
# Start user prompts # Start user prompts
@@ -499,13 +492,6 @@ if [[ $is_manager || $is_import ]]; then
get_redirect get_redirect
fi fi
if [[ ! $is_airgap && ( $is_distmanager || ( $is_sensor || $is_node || $is_fleet_standalone ) && ! $is_eval ) ]]; then
whiptail_manager_updates
if [[ $setup_type == 'network' && $MANAGERUPDATES == 1 ]]; then
whiptail_manager_updates_warning
fi
fi
if [[ $is_distmanager ]]; then if [[ $is_distmanager ]]; then
collect_soremote_inputs collect_soremote_inputs
fi fi
@@ -648,6 +634,8 @@ echo "1" > /root/accept_changes
set_progress_str 2 'Updating packages' set_progress_str 2 'Updating packages'
# Import the gpg keys # Import the gpg keys
gpg_rpm_import >> $setup_log 2>&1 gpg_rpm_import >> $setup_log 2>&1
info "Disabling fastestmirror"
[[ $OS == 'centos' ]] && disable_fastestmirror
if [[ ! $is_airgap ]]; then if [[ ! $is_airgap ]]; then
securityonion_repo >> $setup_log 2>&1 securityonion_repo >> $setup_log 2>&1
update_packages >> $setup_log 2>&1 update_packages >> $setup_log 2>&1
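Review bot: The airgap default for MANAGERUPDATES is written as `[[ ! $is_minion ]] && MANAGERUPDATES=${MANAGERUPDATES:-0} || MANAGERUPDATES=${MANAGERUPDATES:-1}`, the `a && b || c` form that reads as if/else but only works here because a plain assignment cannot fail; an `if [[ $is_minion ]]; then MANAGERUPDATES=${MANAGERUPDATES:-1}; else MANAGERUPDATES=${MANAGERUPDATES:-0}; fi` states the intent directly and survives a future change to the assignment. A one-line comment such as `# airgap minions pull packages through the manager; airgap managers have no upstream` would also record why the two defaults differ, since whiptail_manager_updates no longer asks. The new `info "Disabling fastestmirror"` line is printed on every OS while `disable_fastestmirror` itself only runs on CentOS; moving the message inside the same guard keeps the log truthful. This is top-level script code, so the surrounding control flow is outside the hunks.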
+86 -51
@@ -616,7 +616,14 @@ whiptail_end_settings() {
fi fi
fi fi
whiptail --title "The following options have been set, would you like to proceed?" --yesno "$end_msg" 24 75 --scrolltext local msg
read -r -d '' msg <<-EOM
$end_msg
Press TAB to select yes or no.
EOM
whiptail --title "The following options have been set, would you like to proceed?" --yesno "$msg" 24 75 --scrolltext
local exitstatus=$? local exitstatus=$?
whiptail_check_exitstatus $exitstatus whiptail_check_exitstatus $exitstatus
@@ -987,44 +994,65 @@ whiptail_management_nic() {
} }
whiptail_management_interface_setup() { whiptail_net_method() {
[ -n "$TESTING" ] && return [ -n "$TESTING" ] && return
local minion_msg local pkg_mngr
local msg if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi
local line_count
read -r -d '' options_msg <<- EOM
"Direct" - Internet requests connect directly to the Internet.
EOM
local options=(
" Direct " ""
)
local proxy_desc="proxy the traffic for git, docker client, wget, curl, ${pkg_mngr}, and various other SO components through a separate server in your environment."
if [[ $is_minion ]]; then if [[ $is_minion ]]; then
line_count=11 read -r -d '' options_msg <<- EOM
minion_msg="copy the ssh key for soremote to the manager. This will bring you to the command line temporarily to accept the manager's ECDSA certificate and enter the password for soremote" ${options_msg}
"Direct + Manager" - all traffic passes to the Internet normally, but ${pkg_mngr} updates will instead be pulled from ${mngr_article} manager.
"Proxy" - ${proxy_desc}
"Proxy + Manager" - proxy all traffic from the "Proxy" option except ${pkg_mngr} updates, which will instead pull from the manager.
EOM
options+=(
" Direct + Manager " ""
" Proxy " ""
" Proxy + Manager " ""
)
local height=25
else else
line_count=9 read -r -d '' options_msg <<- EOM
minion_msg="" ${options_msg}
"Proxy" - ${proxy_desc}
EOM
options+=(
" Proxy " ""
)
local height=17
fi fi
if [[ $is_iso ]]; then local msg
if [[ $minion_msg != "" ]]; then read -r -d '' msg <<- EOM
if [[ -f $net_init_file ]]; then How would you like to connect to the Internet?
msg=$minion_msg
else
msg="initialize networking and $minion_msg"
fi
else
msg="initialize networking"
fi
else
msg=$minion_msg
fi
read -r -d '' message <<- EOM $options_msg
Setup will now $msg.
Select OK to continue.
EOM EOM
whiptail --title "Security Onion Setup" --msgbox "$message" $line_count 75 local option_count=$(( ${#options[@]} / 2 ))
network_traffic=$(whiptail --title "Security Onion Setup" --menu "$msg" $height 75 $option_count "${options[@]}" 3>&1 1>&2 2>&3)
local exitstatus=$? local exitstatus=$?
whiptail_check_exitstatus $exitstatus whiptail_check_exitstatus $exitstatus
network_traffic=$(echo "${network_traffic^^}" | tr -d ' ' | tr '+' '_')
} }
whiptail_net_setup_complete() { whiptail_net_setup_complete() {
@@ -1035,6 +1063,20 @@ whiptail_net_setup_complete() {
exit 0 exit 0
} }
whiptail_network_init_notice() {
[ -n "$TESTING" ] && return
read -r -d '' message <<- EOM
Setup will now initialize networking.
Select OK to continue.
EOM
whiptail --title "Security Onion Setup" --msgbox "$message" 9 75
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whiptail_management_server() { whiptail_management_server() {
[ -n "$TESTING" ] && return [ -n "$TESTING" ] && return
@@ -1161,29 +1203,6 @@ whiptail_manager_error() {
whiptail --title "Security Onion Setup" --yesno "$msg" 13 75 || whiptail_check_exitstatus 1 whiptail --title "Security Onion Setup" --yesno "$msg" 13 75 || whiptail_check_exitstatus 1
} }
whiptail_manager_updates() {
[ -n "$TESTING" ] && return
local update_string
update_string=$(whiptail --title "Security Onion Setup" --radiolist \
"How would you like to download OS package updates for your grid?" 20 75 4 \
"MANAGER" "Manager node is proxy for updates" ON \
"OPEN" "Each node connects to the Internet for updates" OFF 3>&1 1>&2 2>&3 )
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
case "$update_string" in
'MANAGER')
export MANAGERUPDATES='1'
;;
*)
export MANAGERUPDATES='0'
;;
esac
}
whiptail_manager_updates_warning() { whiptail_manager_updates_warning() {
[ -n "$TESTING" ] && return [ -n "$TESTING" ] && return
@@ -1485,7 +1504,9 @@ whiptail_patch_schedule_select_hours() {
whiptail_proxy_ask() { whiptail_proxy_ask() {
[ -n "$TESTING" ] && return [ -n "$TESTING" ] && return
whiptail --title "Security Onion Setup" --yesno "Do you want to set a proxy server for this installation?" 7 60 --defaultno local pkg_mngr
if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi
whiptail --title "Security Onion Setup" --yesno "Do you want to proxy the traffic for git, docker client, wget, curl, ${pkg_mngr}, and various other SO components through a separate server in your environment?" 9 65 --defaultno
} }
whiptail_proxy_addr() { whiptail_proxy_addr() {
@@ -1718,6 +1739,20 @@ whiptail_so_allow() {
whiptail_check_exitstatus $exitstatus whiptail_check_exitstatus $exitstatus
} }
whiptail_ssh_key_copy_notice() {
[ -n "$TESTING" ] && return
read -r -d '' message <<- EOM
Setup will now copy the ssh key for soremote to the manager. This will bring you to the command line temporarily to accept the manager's ED25519 certificate and enter the password for soremote.
Select OK to continue.
EOM
whiptail --title "Security Onion Setup" --msgbox "$message" 11 75
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whitpail_ssh_warning() { whitpail_ssh_warning() {
[ -n "$TESTING" ] && return [ -n "$TESTING" ] && return
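Review bot: whiptail_net_method declares `pkg_mngr`, `options`, `msg` and `option_count` as `local` but `options_msg` (first assigned by `read -r -d '' options_msg <<- EOM`) is not, so it leaks into the caller's scope and will silently carry over between calls; add `local options_msg` alongside the other declarations, and likewise `local message` in the new whiptail_network_init_notice and whiptail_ssh_key_copy_notice. The post-processing `network_traffic=$(echo "${network_traffic^^}" | tr -d ' ' | tr '+' '_')` forks three processes for what parameter expansion does in place: `network_traffic=${network_traffic^^}; network_traffic=${network_traffic// /}; network_traffic=${network_traffic//+/_}`. `${mngr_article}` in the minion options text is not set anywhere in this hunk; if it is defined elsewhere a short comment naming where would help, otherwise the prompt will read "from  manager". In the ssh-key notice, what the user accepts on first connection is the manager's ED25519 host key, not a certificate, so "ED25519 host key" would be the accurate wording.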
Binary file not shown.