Merge branch 'dev' of https://github.com/Security-Onion-Solutions/securityonion-saltstack into dev

2025-12-06 17:22:49 +01:00 · 2020-04-06 13:41:18 -04:00
parent 304e43e2ae 0048ffde70
commit ed392ac4c2
25 changed files with 847 additions and 685 deletions
--- a/pillar/firewall/fleet_nodes.sls
+++ b/pillar/firewall/fleet_nodes.sls
@@ -1,3 +0,0 @@
 fleet_nodes:
  - 127.0.0.1
--- a/salt/common/tools/sbin/so-status
+++ b/salt/common/tools/sbin/so-status
@@ -107,7 +107,7 @@ populate_container_lists() {
    systemctl is-active --quiet docker
    if [[ $? = 0 ]]; then
-        mapfile -t docker_raw_list < <(curl -s --unix-socket /var/run/docker.sock http:/v2/containers/json?all=1 \
+        mapfile -t docker_raw_list < <(curl -s --unix-socket /var/run/docker.sock http:/v1.40/containers/json?all=1 \
            | jq -c '.[] | { Name: .Names[0], State: .State }' \
            | tr -d '/{"}')
    else
--- a/salt/elasticsearch/files/ingest/ossec.alert
+++ b/salt/elasticsearch/files/ingest/ossec.alert
@@ -33,6 +33,7 @@
    { "rename":         { "field": "data.win.eventdata.user",                   "target_field": "user.name",            "ignore_missing": true  } },
    { "rename":         { "field": "data.win.system.eventID",                   "target_field": "event.code",           "ignore_missing": true  } },
    { "rename":         { "field": "predecoder.program_name",                   "target_field": "process.name",         "ignore_missing": true  } },
    { "rename":         { "field": "rule.description",                   "target_field": "rule.name",         "ignore_missing": true  } },
    { "set":            { "if": "ctx.rule.level == 1",          "field": "rule.category", "value": "None"                               } },
    { "set":            { "if": "ctx.rule.level == 2",          "field": "rule.category", "value": "System low priority notification"   } },
    { "set":            { "if": "ctx.rule.level == 3",          "field": "rule.category", "value": "Successful/authorized event"        } },
--- a/salt/elasticsearch/files/ingest/strelka.file
+++ b/salt/elasticsearch/files/ingest/strelka.file
@@ -5,7 +5,7 @@
    { "rename":         { "field": "message2.file",        "target_field": "file",          "ignore_missing": true  } },
    { "rename":         { "field": "message2.scan",        "target_field": "scan",          "ignore_missing": true  } },
    { "rename":         { "field": "message2.request",        "target_field": "request",          "ignore_missing": true  } },
-    { "rename":         { "field": "scan.hash",        "target_field": "file.hash",          "ignore_missing": true  } },
+    { "rename":         { "field": "scan.hash",        "target_field": "hash",          "ignore_missing": true  } },
    { "remove":         { "field": ["host", "path"],                                         "ignore_missing": true  } },
    { "pipeline":       { "name": "common"                                                                                   } }
  ]
--- a/salt/elasticsearch/files/ingest/zeek.dnp3
+++ b/salt/elasticsearch/files/ingest/zeek.dnp3
@@ -3,9 +3,9 @@
  "processors" : [
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.fc_request",	"target_field": "fc_request",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.fc_request",	"target_field": "dnp3.fc_request",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.fc_reply", 	"target_field": "fc_reply",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.fc_reply", 	"target_field": "dnp3.fc_reply",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.iin", 		"target_field": "iin",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.iin", 		"target_field": "dnp3.iin",			"ignore_missing": true 	} },
    { "pipeline":       { "name": "zeek.common"                                                                                   } }
  ]
 }
--- a/salt/elasticsearch/files/ingest/zeek.files
+++ b/salt/elasticsearch/files/ingest/zeek.files
@@ -4,8 +4,8 @@
    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
    { "rename": 	{ "field": "message2.fuid", 	 	"target_field": "log.id.fuid",			"ignore_missing": true 	} },
-    { "rename":         { "field": "message2.rx_hosts",         "target_field": "file.receive_ip",            "ignore_missing": true  } },
+    { "rename":         { "field": "message2.rx_hosts",         "target_field": "destination.ip",            "ignore_missing": true  } },
-    { "rename": 	{ "field": "message2.tx_hosts", 	"target_field": "file.transmit_ip",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.tx_hosts", 	"target_field": "source.ip",		"ignore_missing": true 	} },
    { "set":         { "field": "server.ip",         "value": "{{source.ip}}",            "ignore_failure": true  } },
    { "set":         { "field": "client.ip",         "value": "{{destination.ip}}",            "ignore_failure": true  } },
    { "rename": 	{ "field": "message2.conn_uids", 	"target_field": "log.id.uids",			"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/zeek.notice
+++ b/salt/elasticsearch/files/ingest/zeek.notice
@@ -7,20 +7,20 @@
    { "rename": 	{ "field": "message2.mime", 		"target_field": "file.mimetype",	"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.desc", 		"target_field": "file.description",	"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.note", 		"target_field": "note",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.note", 		"target_field": "notice.note",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.msg", 		"target_field": "msg",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.msg", 		"target_field": "notice.message",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.sub", 		"target_field": "sub_msg",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.sub", 		"target_field": "notice.sub_message",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.p", 		"target_field": "p",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.p", 		"target_field": "notice.p",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.n", 		"target_field": "n",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.n", 		"target_field": "notice.n",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.peer_descr",	"target_field": "peer_description",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.peer_descr",	"target_field": "notice.peer_description",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.actions", 		"target_field": "action",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.actions", 		"target_field": "notice.action",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.suppress_for", 	"target_field": "suppress_for",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.suppress_for", 	"target_field": "notice.suppress_for",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dropped", 		"target_field": "dropped",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dropped", 		"target_field": "notice.dropped",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.destination_country_code",	"target_field": "destination_country_code",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.destination_country_code",	"target_field": "geo.destination_country_code",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.destination_region", 	"target_field": "destination_region",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.destination_region", 	"target_field": "geo.destination_region",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.destination_city", 	"target_field": "destination_city",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.destination_city", 	"target_field": "geo.destination_city",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.destination_latitude", 	"target_field": "destination_latitude",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.destination_latitude", 	"target_field": "geo.destination_latitude",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.destination_longitude", 	"target_field": "destination_longitude",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.destination_longitude", 	"target_field": "geo.destination_longitude",	"ignore_missing": true 	} },
    { "pipeline":       { "name": "zeek.common"                                                                                   } }
  ]
 }
--- a/salt/elasticsearch/files/ingest/zeek.rfb
+++ b/salt/elasticsearch/files/ingest/zeek.rfb
@@ -8,7 +8,7 @@
    { "rename": 	{ "field": "message2.server_major_version",	"target_field": "rfb.server_major_version",	"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.server_minor_version",	"target_field": "rfb.server_minor_version",	"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.authentication_method",	"target_field": "rfb.authentication.method","ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.auth", 			"target_field": "rfb.authenticaiton.success",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.auth", 			"target_field": "rfb.authentication.success",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.share_flag", 	"target_field": "rfb.share_flag",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.desktop_name", 	"target_field": "rfb.desktop.name",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.width", 		"target_field": "rfb.desktop.width",		"ignore_missing": true 	} },
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -7,8 +7,8 @@
 {%- set HOSTNAME = salt['grains.get']('host', '') %}
 {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %}
-{%- set WAZUHENABLED = salt['pillar.get']('static:wazuh_enabled', '1') %}
+{%- set WAZUHENABLED = salt['pillar.get']('master:wazuh_enabled', '0') %}
-{%- set STRELKAENABLED = salt['pillar.get']('static:strelka_enabled', '1') %}
+{%- set STRELKAENABLED = salt['pillar.get']('master:strelka_enabled', '0') %}
 {%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%}
 {%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%}
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -8,6 +8,8 @@
 {%- elif grains['role'] == 'so-fleet' %}
 {%- set ip = salt['pillar.get']('node:mainip', '') %}
 {%- endif %}
 {%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %}
 {%- set FLEET_NODE_IP = salt['pillar.get']('static:fleet_ip') %}
 # Quick Fix for Docker being difficult
 iptables_fix_docker:
@@ -424,6 +426,22 @@ enable_forwardnode_sensoroni_9822_{{ip}}:
 {% endfor %}
 # Allow Fleet Node to send its beats traffic
 {% if FLEET_NODE %}
 enable_fleetnode_beats_5644_{{FLEET_NODE_IP}}:
  iptables.insert:
    - table: filter
    - chain: DOCKER-USER
    - jump: ACCEPT
    - proto: tcp
    - source: {{ FLEET_NODE_IP }}
    - dport: 5644
    - position: 1
    - save: True
 {% endif %}
 {% for ip in pillar.get('search_nodes')  %}
 enable_searchnode_redis_6379_{{ip}}:
--- a/salt/fleet/event_gen-packages.sls
+++ b/salt/fleet/event_gen-packages.sls
@@ -1,4 +1,4 @@
-{% set ENROLLSECRET = salt['pillar.get']('auth:fleet_enroll-secret') %}
+{% set ENROLLSECRET = salt['pillar.get']('secrets:fleet_enroll-secret') %}
 so/fleet:
  event.send:
--- a/salt/fleet/files/dedicated-index.html
+++ b/salt/fleet/files/dedicated-index.html
@@ -86,40 +86,9 @@ a {
 			<p>
                <div style="text-align: center;">
                    <h1>Security Onion - Dedicated Fleet Node</h1>
 					<h2>Osquery Packages</h2>
 				</div>
 				<br/>
 				<h2>Notes</h2>
 				<ul>
 					<li>These packages are customized for this specific Fleet install and will only be generated after the Fleet setup script has been run. If you want vanilla osquery packages, you can get them directly from <a href="https://osquery.io/downloads">osquery.io</a></li>
 					<li>Packages are not signed.</li>
 				</ul>
 				<br/>
 				<h2>Downloads</h2>
 				<div>
 					Generated: {{ PACKAGESTS }}
 					<br/>
 					<br/>
 					Packages:
 					<ul>
 						<li><a href="/launcher.msi" download="msi-launcher.msi">MSI (Windows)</a></li>
 						<li><a href="/launcher.deb" download="deb-launcher.deb">DEB (Debian)</a></li>
                        <li><a href="/launcher.rpm" download="rpm-launcher.rpm">RPM (RPM)</a></li>
                        <li><a href="/launcher.pkg" download="pkg-launcher.pkg">PKG (MacOS)</a></li>
 					</ul>
 					<br/>
 					<br/>
 					Config Files:
 					<ul>
 						<li><a href="/launcher.flags" download="launcher.flags.txt">RPM & DEB Flag File</a></li>
 						<li><a href="/launcher-msi.flags" download="launcher-msi.flags.txt">MSI Flag File</a></li>
 					</ul>
 				</div>
 				<br/>
 				<h2>Known Issues</h2>
 				<ul>
 					<li>None</li>
 				</ul>
 			  </p>
 		  </div>
 	</div>
--- a/salt/kibana/bin/so-kibana-config-load
+++ b/salt/kibana/bin/so-kibana-config-load
@@ -1,18 +1,18 @@
 {%- set MASTER = salt['pillar.get']('static:masterip', '') %}
 #!/bin/bash
 KIBANA_VERSION="7.6.1"
 MAX_WAIT=60
 # Check to see if Kibana is available
-wait_step=0
+until curl "{{ MASTER }}:5601/nonexistenturl" 2>&1 |grep -q "Not Found" ; do
-  until curl -s -XGET http://localhost:5601 > /dev/null ; do
+        wait_step=$(( ${wait_step} + 1 ))
-  wait_step=$(( ${wait_step} + 1 ))
+        echo "Waiting on Kibana ({{ MASTER }}:5601)...Attempt #$wait_step"
  echo "Waiting on Kibana...Attempt #$wait_step"
        if [ ${wait_step} -gt ${MAX_WAIT} ]; then
                echo "ERROR: Kibana not available for more than ${MAX_WAIT} seconds."
                exit 5
        fi
-                  sleep 1s;
+        sleep 1s;
-  done
+done
 # Sleep additional JIC server is not ready
 sleep 30s
@@ -30,5 +30,10 @@ curl -X PUT "localhost:5601/api/saved_objects/config/$KIBANA_VERSION" -H 'kbn-xs
        }
 }'
 # Sub our IP for placholders
 for i in PLACEHOLDER FLEETPLACEHOLDER PCAPPLACEHOLDER SOCTOPUSPLACEHOLDER; do
        sed -i "s/$i/{{ MASTER }}/g" /opt/so/saltstack/salt/kibana/saved_objects.ndjson
 done
 # Load saved objects
 curl -X POST "localhost:5601/api/saved_objects/_import" -H "kbn-xsrf: true" --form file=@/opt/so/saltstack/salt/kibana/saved_objects.ndjson
--- a/salt/kibana/init.sls
+++ b/salt/kibana/init.sls
@@ -84,6 +84,7 @@ so-kibana-config-load:
    - shell: /bin/bash
    - runas: socore
    - source: salt://kibana/bin/so-kibana-config-load
    - template: jinja
 # Keep the setting correct
 #KibanaHappy:
--- a/salt/kibana/saved_objects.ndjson
+++ b/salt/kibana/saved_objects.ndjson
--- a/salt/logstash/pipelines/templates/so/so-common-template.json
+++ b/salt/logstash/pipelines/templates/so/so-common-template.json
@@ -184,6 +184,10 @@
          "type":"object",
          "dynamic": true
        },
 	"irc":{
          "type":"object",
          "dynamic": true
        },
        "kerberos":{
          "type":"object",
          "dynamic": true
@@ -208,10 +212,18 @@
          "type":"object",
          "dynamic": true
        },
 	"mysql":{
          "type":"object",
          "dynamic": true
        },
        "network":{
          "type":"object",
          "dynamic": true
        },
 	"notice":{
          "type":"object",
          "dynamic": true
        },
        "ntlm":{
          "type":"object",
          "dynamic": true
@@ -316,6 +328,10 @@
          "type":"object",
          "dynamic": true
        },
 	"syslog":{
          "type":"object",
          "dynamic": true
        },
        "tags":{
          "type":"text",
          "fields":{
--- a/salt/reactor/fleet.sls
+++ b/salt/reactor/fleet.sls
@@ -15,9 +15,9 @@ def run():
  MAINIP = data['data']['mainip']
  STATICFILE = '/opt/so/saltstack/pillar/static.sls'
-  AUTHFILE = '/opt/so/saltstack/pillar/auth.sls'
+  SECRETSFILE = '/opt/so/saltstack/pillar/secrets.sls'
-  if MINIONID.split('_')[-1] in ['master','eval','fleet']:
+  if MINIONID.split('_')[-1] in ['master','eval','fleet','mastersearch']:
    if ACTION == 'enablefleet':
      logging.info('so/fleet enablefleet reactor')
@@ -29,8 +29,8 @@ def run():
          line = re.sub(r'fleet_master: \S*', f"fleet_master: True", line.rstrip())
        print(line) 
-      # Update the enroll secret in the auth pillar
+      # Update the enroll secret in the secrets pillar
-      for line in fileinput.input(AUTHFILE, inplace=True):
+      for line in fileinput.input(SECRETSFILE, inplace=True):
        line = re.sub(r'fleet_enroll-secret: \S*', f"fleet_enroll-secret: {ESECRET}", line.rstrip())
        print(line)      
--- a/salt/soctopus/files/SOCtopus.conf
+++ b/salt/soctopus/files/SOCtopus.conf
@@ -4,6 +4,10 @@
 [es]
 es_url = http://{{ip}}:9200
 es_user = YOURESUSER
 es_pass = YOURESPASS
 es_index_pattern = so-*
 es_verifycert = no
 [cortex]
 auto_analyze_alerts = no
@@ -20,6 +24,7 @@ fir_confidentiality = 1
 fir_detection = 2
 fir_plan = 8
 fir_severity = 4
 fir_verifycert = no
 [grr]
 grr_url = YOURGRRURL
@@ -30,12 +35,12 @@ grr_pass = YOURGRRPASS
 hive_url = https://{{ip}}/thehive/
 hive_key = {{ HIVEKEY }}
 hive_tlp = 3
-hive_verifycert = False
+hive_verifycert = no
 [misp]
 misp_url = YOURMISPURL
 misp_key = YOURMISPKEY
-misp_verifycert = False
+misp_verifycert = no
 distrib = 0
 threat = 4
 analysis = 0
@@ -47,6 +52,7 @@ rtir_user = YOURRTIRUSER
 rtir_pass = YOURRTIRPASS
 rtir_queue = Incidents
 rtir_creator = root
 rtir_verifycert = no
 [slack]
 slack_url = YOURSLACKWORKSPACE
@@ -55,6 +61,7 @@ slack_webhook = YOURSLACKWEBHOOK
 [playbook]
 playbook_url = https://{{ip}}/playbook
 playbook_key = a4a34538782804adfcb8dfae96262514ad70c37c
 playbook_verifycert = no
 [log]
 logfile = /var/log/SOCtopus/soctopus.log
--- a/salt/soctopus/init.sls
+++ b/salt/soctopus/init.sls
@@ -10,12 +10,22 @@ soctopusdir:
 soctopussync:
  file.recurse:
-    - name: /opt/so/conf/soctopus
+    - name: /opt/so/conf/soctopus/templates
-    - source: salt://soctopus/files
+    - source: salt://soctopus/files/templates
    - user: 939
    - group: 939
    - template: jinja
 soctopusconf:
  file.managed:
    - name: /opt/so/conf/soctopus/SOCtopus.conf
    - source: salt://soctopus/files/SOCtopus.conf
    - user: 939
    - group: 939
    - replace: False
    - mode: 600
    - template: jinja
 soctopuslogdir:
  file.directory:
    - name: /opt/so/log/soctopus
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -142,7 +142,7 @@ fbcrtlink:
        backup: True
 {% endif %}
-{% if grains['role'] == 'so-sensor' or grains['role'] == 'so-master' or grains['role'] == 'so-node' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch' or grains['role'] == 'so-heavynode' %}
+{% if grains['role'] == 'so-sensor' or grains['role'] == 'so-master' or grains['role'] == 'so-node' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch' or grains['role'] == 'so-heavynode' or grains['role'] == 'so-fleet' %}
 fbcertdir:
  file.directory:
--- a/salt/strelka/init.sls
+++ b/salt/strelka/init.sls
@@ -89,6 +89,7 @@ strelka_backend:
      - /opt/so/conf/strelka/backend/yara:/etc/yara/:ro
    - name: so-strelka-backend
    - command: strelka-backend
    - restart_policy: on-failure
 strelka_manager:
  docker_container.running:
@@ -109,6 +110,6 @@ strelka_filestream:
 strelka_zeek_extracted_sync:
  cron.present:
-    - user: socore
+    - user: root
    - name: mv /nsm/zeek/extracted/complete/* /nsm/strelka
    - minute: '*'
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -6,7 +6,7 @@
 {%- set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') -%}
 {%- set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) -%}
 {%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%}
-{%- set STRELKA = salt['pillar.get']('master:strelka', '1') -%}
+{%- set STRELKA = salt['pillar.get']('master:strelka', '0') -%}
 base:
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -234,7 +234,7 @@ check_network_manager_conf() {
 		{
 			mv "$gmdconf" "${gmdconf}.bak"
 			touch "$gmdconf"
-			systemctl restart network-manager
+			systemctl restart NetworkManager
 		} >> $SETUPLOG 2>&1
 	fi
@@ -395,7 +395,7 @@ create_sensor_bond() {
 		ethernet.mtu $MTU \
 		connection.autoconnect "yes" >> $SETUPLOG 2>&1
-	for BNIC in "${BNICS[@]}"; do
+	for BNIC in ${BNICS[@]}; do
 		BONDNIC="$(echo -e "${BNIC}" | tr -d '"')" # Strip the quotes from the NIC names
 		# Check if specific offload features are able to be disabled
@@ -458,8 +458,8 @@ detect_os() {
 		fi
 		# Install network manager so we can do interface stuff
 		apt-get install -y network-manager
-		/bin/systemctl enable network-manager
+		/bin/systemctl enable NetworkManager
-		/bin/systemctl start network-manager
+		/bin/systemctl start NetworkManager
 	else
 		echo "We were unable to determine if you are using a supported OS." >> $SETUPLOG 2>&1
 		exit
@@ -486,7 +486,7 @@ disable_onion_user() {
 }
 disable_misc_network_features() {
-	for UNUSED_NIC in "${FNICS[@]}"; do
+	for UNUSED_NIC in ${FNICS[@]}; do
 		# Disable DHCPv4/v6 and autoconnect
 		nmcli con mod "$UNUSED_NIC" \
 			ipv4.method disabled \
@@ -745,7 +745,7 @@ get_main_ip() {
 get_redirect() {
  whiptail_set_redirect_info
  whiptail_set_redirect
-  if [ $REDIRECTINFO == 'OTHER' ]; then
+  if [ "$REDIRECTINFO" == "OTHER" ]; then
    whiptail_set_redirect_host
  fi
 }
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -29,6 +29,9 @@ else
  INSTALLMETHOD="network"
 fi
 # Allow execution of SO tools during setup
 export PATH=$PATH:../salt/common/tools/sbin
 # Global Variables
 HOSTNAME=$(cat /etc/hostname)
 TOTAL_MEM=`grep MemTotal /proc/meminfo | awk '{print $2}' | sed -r 's/.{3}$//'`
@@ -141,7 +144,7 @@ if (whiptail_you_sure) ; then
  if [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
    MASTERUPDATES=OPEN
    filter_unused_nics
-    whiptail_bond_nics
+    [[ $SKIP_BOND != 'yes' ]] && whiptail_bond_nics
    whiptail_helix_apikey
    whiptail_homenet_master
    RULESETUP=ETOPEN
@@ -244,6 +247,32 @@ if (whiptail_you_sure) ; then
  fi
  function collect_webuser_inputs() {
    # Get a password for the web admin user
    VALIDUSER=no
    while [ $VALIDUSER != yes ]; do
      whiptail_create_web_user
      so-user valemail "$WEBUSER"
      if [ $? == 0 ]; then
        VALIDUSER=yes
      else
        whiptail_invalid_user_warning
      fi
    done
    WPMATCH=no
    while [ $WPMATCH != yes ]; do
      whiptail_create_web_user_password1
      echo "$WEBPASSWD1" | so-user valpass
      if [ $? == 0 ]; then
        whiptail_create_web_user_password2
        check_web_pass
      else
        whiptail_invalid_pass_warning
      fi
    done
  }
  ####################
  ##     Master     ##
  ####################
@@ -292,14 +321,7 @@ if (whiptail_you_sure) ; then
      check_soremote_pass
    done
-    # Get a password for the web admin user
+    collect_webuser_inputs
    whiptail_create_web_user
    WPMATCH=no
    while [ $WPMATCH != yes ]; do
      whiptail_create_web_user_password1
      whiptail_create_web_user_password2
      check_web_pass
    done
    get_redirect
    # Last Chance to back out
    whiptail_make_changes
@@ -446,7 +468,7 @@ if (whiptail_you_sure) ; then
  if [ $INSTALLTYPE == 'SENSOR' ]; then
    filter_unused_nics
-    whiptail_bond_nics
+    [[ $SKIP_BOND != 'yes' ]] && whiptail_bond_nics
    whiptail_management_server
    whiptail_master_updates
    set_updates
@@ -506,6 +528,8 @@ if (whiptail_you_sure) ; then
      salt-call state.apply pcap >> $SETUPLOG 2>&1
      echo -e "XXX\n60\nInstalling IDS components... \nXXX"
      salt-call state.apply suricata >> $SETUPLOG 2>&1
      echo -e "XXX\n70\nInstalling Strelka... \nXXX"
      salt-call state.apply strelka >> $SETUPLOG 2>&1
      checkin_at_boot >> $SETUPLOG 2>&1
      echo -e "XX\n97\nFinishing touches... \nXXX"
      filter_unused_nics >> $SETUPLOG 2>&1
@@ -535,7 +559,7 @@ if (whiptail_you_sure) ; then
    if [ $INSTALLTYPE == 'EVAL' ]; then
      TYPE='eval'
      # Select which NICs are in the bond
-      whiptail_bond_nics
+      [[ $SKIP_BOND != 'yes' ]] && whiptail_bond_nics
    elif [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
      TYPE='mastersearch'
    fi
@@ -573,14 +597,7 @@ if (whiptail_you_sure) ; then
        check_soremote_pass
      done
    fi
-    # Get a password for the web admin user
+    collect_webuser_inputs
    whiptail_create_web_user
    WPMATCH=no
    while [ $WPMATCH != yes ]; do
      whiptail_create_web_user_password1
      whiptail_create_web_user_password2
      check_web_pass
    done
    get_redirect
    whiptail_make_changes
    set_hostname
@@ -832,7 +849,7 @@ if (whiptail_you_sure) ; then
  if [ $INSTALLTYPE == 'HEAVYNODE' ]; then
    filter_unused_nics
-    whiptail_bond_nics
+    [[ $SKIP_BOND != 'yes' ]] && whiptail_bond_nics
    whiptail_management_server
    whiptail_master_updates
    set_updates
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -163,8 +163,13 @@ whiptail_create_web_user() {
  WEBUSER=$(whiptail --title "Security Onion Install" --inputbox \
  "Please enter an email address to create an administrator account for the web interface." 10 60 3>&1 1>&2 2>&3)
  local exitstatus=$?
  whiptail_check_exitstatus $exitstatus
 }
 whiptail_invalid_user_warning() {
  whiptail --title "Security Onion Setup" --msgbox "Please enter a valid email address." 8 75
 }
 whiptail_create_web_user_password1() {
@@ -185,6 +190,9 @@ whiptail_create_web_user_password2() {
 }
 whiptail_invalid_pass_warning() {
  whiptail --title "Security Onion Setup" --msgbox "Please choose a more secure password." 8 75
 }
 whiptail_cur_close_days() {