Update Validation

.github/DISCUSSION_TEMPLATE/2-4.yml

@@ -33,7 +33,6 @@ body:
         - 2.4.180
         - 2.4.190
         - 2.4.200
-        - 2.4.210
         - Other (please provide detail below)
     validations:
       required: true

DOWNLOAD_AND_VERIFY_ISO.md

@@ -1,17 +1,17 @@
-### 2.4.200-20251216 ISO image released on 2025/12/16
+### 2.4.190-20251024 ISO image released on 2025/10/24
 
 
 ### Download and Verify
 
-2.4.200-20251216 ISO image:  
+2.4.190-20251024 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.200-20251216.iso
+https://download.securityonion.net/file/securityonion/securityonion-2.4.190-20251024.iso
  
-MD5: 07B38499952D1F2FD7B5AF10096D0043  
+MD5: 25358481FB876226499C011FC0710358  
-SHA1: 7F3A26839CA3CAEC2D90BB73D229D55E04C7D370  
+SHA1: 0B26173C0CE136F2CA40A15046D1DFB78BCA1165  
-SHA256: 8D3AC735873A2EA8527E16A6A08C34BD5018CBC0925AC4096E15A0C99F591D5F  
+SHA256: 4FD9F62EDA672408828B3C0C446FE5EA9FF3C4EE8488A7AB1101544A3C487872  
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.200-20251216.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.190-20251024.iso.sig
 
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.200-20251216.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.190-20251024.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.200-20251216.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.190-20251024.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.200-20251216.iso.sig securityonion-2.4.200-20251216.iso
+gpg --verify securityonion-2.4.190-20251024.iso.sig securityonion-2.4.190-20251024.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Mon 15 Dec 2025 05:24:11 PM EST using RSA key ID FE507013
+gpg: Signature made Thu 23 Oct 2025 07:21:46 AM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

VERSION

@@ -1 +1 @@
-2.4.210
+2.4.200

salt/manager/tools/sbin/so-minion

@@ -126,16 +126,130 @@ ADVPILLARFILE=/opt/so/saltstack/local/pillar/minions/adv_$MINION_ID.sls
 
 function getinstallinfo() {
 	log "INFO" "Getting install info for minion $MINION_ID"
-	# Pull from file
+
-	INSTALLVARS=$(sudo salt "$MINION_ID" cp.get_file_str /opt/so/install.txt --out=newline_values_only)
+	local install_json
-	if [ $? -ne 0 ]; then
+	local install_text
+
+	# Reset any prior values so we fail closed if the file is missing keys
+	MAINIP=""
+	MNIC=""
+	NODE_DESCRIPTION=""
+	ES_HEAP_SIZE=""
+	PATCHSCHEDULENAME=""
+	INTERFACE=""
+	NODETYPE=""
+	CORECOUNT=""
+	LSHOSTNAME=""
+	LSHEAP=""
+	CPUCORES=""
+	IDH_MGTRESTRICT=""
+	IDH_SERVICES=""
+
+	# Pull from file (treat it as data, not code)
+	install_json=$(sudo salt "$MINION_ID" cp.get_file_str /opt/so/install.txt --out=json 2>/dev/null)
+	if [ $? -ne 0 ] || [ -z "$install_json" ]; then
 		log "ERROR" "Failed to get install info from $MINION_ID"
 		return 1
 	fi
-	
+
-	export $(echo "$INSTALLVARS" | xargs)
+	install_text=$(jq -r --arg id "$MINION_ID" '.[$id] // empty' <<<"$install_json" 2>/dev/null)
-	if [ $? -ne 0 ]; then
+	if [ $? -ne 0 ] || [ -z "$install_text" ] || [ "$install_text" == "null" ]; then
-		log "ERROR" "Failed to source install variables"
+		log "ERROR" "Failed to parse install info response for $MINION_ID"
+		return 1
+	fi
+
+	while IFS= read -r line; do
+		# Trim trailing CR (in case of CRLF files)
+		line=${line%$'\r'}
+
+		# Skip empty/comment lines
+		[[ -z "$line" || "$line" =~ ^[[:space:]]*# ]] && continue
+
+		if [[ "$line" =~ ^[[:space:]]*([A-Z0-9_]+)[[:space:]]*=(.*)$ ]]; then
+			local key="${BASH_REMATCH[1]}"
+			local value="${BASH_REMATCH[2]}"
+
+			# Trim leading whitespace from value (writers shouldn't include it, but tolerate it)
+			value="${value#"${value%%[![:space:]]*}"}"
+
+			# Strip a single layer of surrounding quotes
+			if [[ "$value" =~ ^\".*\"$ ]]; then
+				value="${value:1:${#value}-2}"
+			elif [[ "$value" =~ ^\'.*\'$ ]]; then
+				value="${value:1:${#value}-2}"
+			fi
+
+			case "$key" in
+				MAINIP)
+					[[ "$value" =~ ^[A-Za-z0-9.:-]+$ ]] || { log "ERROR" "Invalid MAINIP in install info"; return 1; }
+					MAINIP="$value"
+					;;
+				MNIC)
+					[[ "$value" =~ ^[A-Za-z0-9_.:-]+$ ]] || { log "ERROR" "Invalid MNIC in install info"; return 1; }
+					MNIC="$value"
+					;;
+				NODE_DESCRIPTION)
+					# Allow spaces and common punctuation, but reject control chars
+					[[ "$value" =~ ^[[:print:]]{0,256}$ ]] || { log "ERROR" "Invalid NODE_DESCRIPTION in install info"; return 1; }
+					NODE_DESCRIPTION="$value"
+					;;
+				ES_HEAP_SIZE)
+					[[ "$value" =~ ^[0-9]+[kKmMgGtTpPeE]?$ ]] || { log "ERROR" "Invalid ES_HEAP_SIZE in install info"; return 1; }
+					ES_HEAP_SIZE="$value"
+					;;
+				PATCHSCHEDULENAME)
+					[[ "$value" =~ ^[A-Za-z0-9._-]*$ ]] || { log "ERROR" "Invalid PATCHSCHEDULENAME in install info"; return 1; }
+					PATCHSCHEDULENAME="$value"
+					;;
+				INTERFACE)
+					[[ "$value" =~ ^[A-Za-z0-9._:,-]+$ ]] || { log "ERROR" "Invalid INTERFACE in install info"; return 1; }
+					INTERFACE="$value"
+					;;
+				NODETYPE)
+					[[ "$value" =~ ^[A-Z0-9_]+$ ]] || { log "ERROR" "Invalid NODETYPE in install info"; return 1; }
+					if ! declare -F "create${value}" >/dev/null; then
+						log "ERROR" "Unknown NODETYPE '$value' in install info"
+						return 1
+					fi
+					NODETYPE="$value"
+					;;
+				CORECOUNT)
+					[[ "$value" =~ ^[0-9]+$ ]] || { log "ERROR" "Invalid CORECOUNT in install info"; return 1; }
+					CORECOUNT="$value"
+					;;
+				LSHOSTNAME)
+					[[ "$value" =~ ^[A-Za-z0-9.-]+$ ]] || { log "ERROR" "Invalid LSHOSTNAME in install info"; return 1; }
+					LSHOSTNAME="$value"
+					;;
+				LSHEAP)
+					[[ "$value" =~ ^[0-9]+[kKmMgGtTpPeE]?$ ]] || { log "ERROR" "Invalid LSHEAP in install info"; return 1; }
+					LSHEAP="$value"
+					;;
+				CPUCORES)
+					[[ "$value" =~ ^[0-9]+$ ]] || { log "ERROR" "Invalid CPUCORES in install info"; return 1; }
+					CPUCORES="$value"
+					;;
+				IDH_MGTRESTRICT)
+					[[ "$value" == "True" || "$value" == "False" ]] || { log "ERROR" "Invalid IDH_MGTRESTRICT in install info"; return 1; }
+					IDH_MGTRESTRICT="$value"
+					;;
+				IDH_SERVICES)
+					[[ "$value" =~ ^[[:print:]]{0,512}$ ]] || { log "ERROR" "Invalid IDH_SERVICES in install info"; return 1; }
+					IDH_SERVICES="$value"
+					;;
+				*)
+					# Ignore unknown keys for forward compatibility
+					:
+					;;
+			esac
+		else
+			log "ERROR" "Invalid install info line from $MINION_ID"
+			return 1
+		fi
+	done <<<"$install_text"
+
+	if [[ -z "$NODETYPE" || -z "$MAINIP" || -z "$MNIC" ]]; then
+		log "ERROR" "Missing required install variables from $MINION_ID"
 		return 1
 	fi
 }
@@ -996,7 +1110,7 @@ function setupMinionFiles() {
 	log "INFO" "Setting up minion files for $MINION_ID"
 	
 	# Check to see if nodetype is set
-	if [ -z $NODETYPE ]; then
+	if [ -z "$NODETYPE" ]; then
 		error_msg="No node type specified"
 		log "ERROR" "$error_msg"
 		echo "$error_msg"
@@ -1018,7 +1132,12 @@ function setupMinionFiles() {
 	fi
 
 	# Create node-specific configuration
-	create$NODETYPE || return 1
+	local create_func="create${NODETYPE}"
+	if ! declare -F "$create_func" >/dev/null; then
+		log "ERROR" "Unknown node type '$NODETYPE'"
+		return 1
+	fi
+	"$create_func" || return 1
 	
 	# Ensure proper ownership after all content is written
 	ensure_socore_ownership || return 1

setup/so-functions

@@ -1504,7 +1504,13 @@ networking_needful() {
 	if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then
 		collect_hostname
 	fi
-	[[ ! ( $is_eval || $is_import ) ]] && whiptail_node_description
+	if [[ ! ( $is_eval || $is_import ) ]]; then
+		whiptail_node_description
+		while [[ "$NODE_DESCRIPTION" =~ [[:cntrl:]] ]]; do
+			whiptail_error_message "Node description cannot contain control characters. Please enter a new description."
+			whiptail_node_description
+		done
+	fi
 	if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then
 		network_init_whiptail
 	else
@@ -1756,6 +1762,50 @@ backup_dir() {
 }
 
 drop_install_options() {
+	# Ensure values written to install.txt won't later fail manager-side parsing in so-minion
+	strip_control_chars() {
+		# bash: remove ASCII control characters (incl. newlines/tabs/ESC)
+		printf '%s' "$1" | tr -d '[:cntrl:]'
+	}
+
+	validate_install_txt_vars() {
+		# Sanitize first (fail closed if still invalid)
+		MAINIP="$(strip_control_chars "$MAINIP")"
+		MNIC="$(strip_control_chars "$MNIC")"
+		NODE_DESCRIPTION="$(strip_control_chars "$NODE_DESCRIPTION")"
+		ES_HEAP_SIZE="$(strip_control_chars "$ES_HEAP_SIZE")"
+		PATCHSCHEDULENAME="$(strip_control_chars "$PATCHSCHEDULENAME")"
+		INTERFACE="$(strip_control_chars "$INTERFACE")"
+		HOSTNAME="$(strip_control_chars "$HOSTNAME")"
+		LS_HEAP_SIZE="$(strip_control_chars "$LS_HEAP_SIZE")"
+		IDH_MGTRESTRICT="$(strip_control_chars "$IDH_MGTRESTRICT")"
+		IDH_SERVICES="$(strip_control_chars "$IDH_SERVICES")"
+
+		valid_ip4 "$MAINIP" || return 1
+		[[ "$MNIC" =~ ^[A-Za-z0-9_.:-]+$ ]] || return 1
+		[[ "$NODE_DESCRIPTION" =~ ^[[:print:]]{0,256}$ ]] || return 1
+		[[ "$ES_HEAP_SIZE" =~ ^[0-9]+[kKmMgGtTpPeE]?$ ]] || return 1
+		[[ "$PATCHSCHEDULENAME" =~ ^[A-Za-z0-9._-]*$ ]] || return 1
+		[[ "$INTERFACE" =~ ^[A-Za-z0-9._:,-]+$ ]] || return 1
+		valid_hostname "$HOSTNAME" || return 1
+		[[ "$LS_HEAP_SIZE" =~ ^[0-9]+[kKmMgGtTpPeE]?$ ]] || return 1
+		[[ "$lb_procs" =~ ^[0-9]+$ ]] || return 1
+		[[ "$num_cpu_cores" =~ ^[0-9]+$ ]] || return 1
+		[[ -z "$IDH_MGTRESTRICT" || "$IDH_MGTRESTRICT" == "True" || "$IDH_MGTRESTRICT" == "False" ]] || return 1
+		[[ -z "$IDH_SERVICES" || "$IDH_SERVICES" =~ ^[[:print:]]{0,512}$ ]] || return 1
+
+		return 0
+	}
+
+	if ! validate_install_txt_vars; then
+		if declare -F whiptail_error_message >/dev/null; then
+			whiptail_error_message "One or more setup values were invalid and would cause the manager to reject this node when adding it. Please re-run setup and verify hostname, management IP/interface, and node description."
+		else
+			echo "Error: invalid setup values detected; refusing to write /opt/so/install.txt"
+		fi
+		return 1
+	fi
+
 	# Drop the install Variable
 	echo "MAINIP=$MAINIP" > /opt/so/install.txt
 	echo "MNIC=$MNIC" >> /opt/so/install.txt

setup/so-whiptail

@@ -903,8 +903,9 @@ whiptail_management_nic() {
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
 
-	while [ -z "$MNIC" ]
+	while [ -z "$MNIC" ] || [[ "$MNIC" =~ [[:cntrl:]] ]] || [[ ! "$MNIC" =~ ^[A-Za-z0-9_.:-]+$ ]]
 	do
+		whiptail_invalid_input
 		MNIC=$(whiptail --title "$whiptail_title" --menu "Please select the NIC you would like to use for management.\n\nUse the arrow keys to move around and the Enter key to select." 22 75 12 "${nic_list_management[@]}" 3>&1 1>&2 2>&3 )	
 		local exitstatus=$?
 		whiptail_check_exitstatus $exitstatus
@@ -1098,6 +1099,14 @@ whiptail_node_description() {
 
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
+
+	while [[ "$NODE_DESCRIPTION" =~ [[:cntrl:]] ]]; do
+		whiptail_error_message "Node description cannot contain control characters. Please enter a new description."
+		NODE_DESCRIPTION=$(whiptail --title "$whiptail_title" \
+			--inputbox "Enter a short description for the node or press ENTER to leave blank:" 10 75 3>&1 1>&2 2>&3)
+		local exitstatus=$?
+		whiptail_check_exitstatus $exitstatus
+	done
 }
 
 whiptail_ntp_ask() {