Remove support for non-Oracle Linux 9 operating systems

Security Onion now exclusively supports Oracle Linux 9. This removes
detection, setup, and update logic for Ubuntu, Debian, CentOS, Rocky,
AlmaLinux, and RHEL.

.github/DISCUSSION_TEMPLATE/2-4.yml

@@ -33,7 +33,7 @@ body:
         - 2.4.200
         - 2.4.201
         - 2.4.210
-        - 3.0.0
+        - 2.4.211
         - Other (please provide detail below)
     validations:
       required: true

.github/DISCUSSION_TEMPLATE/3-0.yml

@@ -0,0 +1,177 @@
+body:
+  - type: markdown
+    attributes:
+      value: |
+        If your organization needs more immediate, enterprise grade professional support, with one-on-one virtual meetings and screensharing, contact us via our website: https://securityonion.com/support
+  - type: dropdown
+    attributes:
+      label: Version
+      description: Which version of Security Onion are you asking about?
+      options:
+        -
+        - 3.0.0
+        - Other (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Installation Method
+      description: How did you install Security Onion?
+      options:
+        -
+        - Security Onion ISO image
+        - Cloud image (Amazon, Azure, Google)
+        - Network installation on Oracle 9 (unsupported)
+        - Other (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Description
+      description: >
+        Is this discussion about installation, configuration, upgrading, or other?
+      options:
+        -
+        - installation
+        - configuration
+        - upgrading
+        - other (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Installation Type
+      description: >
+        When you installed, did you choose Import, Eval, Standalone, Distributed, or something else?
+      options:
+        -
+        - Import
+        - Eval
+        - Standalone
+        - Distributed
+        - other (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Location
+      description: >
+        Is this deployment in the cloud, on-prem with Internet access, or airgap?
+      options:
+        -
+        - cloud
+        - on-prem with Internet access
+        - airgap
+        - other (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Hardware Specs
+      description: >
+        Does your hardware meet or exceed the minimum requirements for your installation type as shown at https://securityonion.net/docs/hardware?
+      options:
+        -
+        - Meets minimum requirements
+        - Exceeds minimum requirements
+        - Does not meet minimum requirements
+        - other (please provide detail below)
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: CPU
+      description: How many CPU cores do you have?
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: RAM
+      description: How much RAM do you have?
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Storage for /
+      description: How much storage do you have for the / partition?
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Storage for /nsm
+      description: How much storage do you have for the /nsm partition?
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Network Traffic Collection
+      description: >
+        Are you collecting network traffic from a tap or span port?
+      options:
+        -
+        - tap
+        - span port
+        - other (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Network Traffic Speeds
+      description: >
+        How much network traffic are you monitoring?
+      options:
+        -
+        - Less than 1Gbps
+        - 1Gbps to 10Gbps
+        - more than 10Gbps
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Status
+      description: >
+        Does SOC Grid show all services on all nodes as running OK?
+      options:
+        -
+        - Yes, all services on all nodes are running OK
+        - No, one or more services are failed (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Salt Status
+      description: >
+        Do you get any failures when you run "sudo salt-call state.highstate"?
+      options:
+        -
+        - Yes, there are salt failures (please provide detail below)
+        - No, there are no failures
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Logs
+      description: >
+        Are there any additional clues in /opt/so/log/?
+      options:
+        -
+        - Yes, there are additional clues in /opt/so/log/ (please provide detail below)
+        - No, there are no additional clues
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Detail
+      description: Please read our discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 and then provide detailed information to help us help you.
+      placeholder: |-
+        STOP! Before typing, please read our discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 in their entirety!
+
+        If your organization needs more immediate, enterprise grade professional support, with one-on-one virtual meetings and screensharing, contact us via our website: https://securityonion.com/support
+    validations:
+      required: true
+  - type: checkboxes
+    attributes:
+      label: Guidelines
+      options:
+        - label: I have read the discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 and assert that I have followed the guidelines.
+          required: true

pillar/top.sls

@@ -87,8 +87,6 @@ base:
     - zeek.adv_zeek
     - bpf.soc_bpf
     - bpf.adv_bpf
-    - pcap.soc_pcap
-    - pcap.adv_pcap
     - suricata.soc_suricata
     - suricata.adv_suricata
     - minions.{{ grains.id }}
@@ -134,8 +132,6 @@ base:
     - zeek.adv_zeek
     - bpf.soc_bpf
     - bpf.adv_bpf
-    - pcap.soc_pcap
-    - pcap.adv_pcap
     - suricata.soc_suricata
     - suricata.adv_suricata
     - minions.{{ grains.id }}
@@ -185,8 +181,6 @@ base:
     - zeek.adv_zeek
     - bpf.soc_bpf
     - bpf.adv_bpf
-    - pcap.soc_pcap
-    - pcap.adv_pcap
     - suricata.soc_suricata
     - suricata.adv_suricata
     - minions.{{ grains.id }}
@@ -209,8 +203,6 @@ base:
     - zeek.adv_zeek
     - bpf.soc_bpf
     - bpf.adv_bpf
-    - pcap.soc_pcap
-    - pcap.adv_pcap
     - suricata.soc_suricata
     - suricata.adv_suricata
     - strelka.soc_strelka
@@ -297,8 +289,6 @@ base:
     - zeek.adv_zeek
     - bpf.soc_bpf
     - bpf.adv_bpf
-    - pcap.soc_pcap
-    - pcap.adv_pcap
     - suricata.soc_suricata
     - suricata.adv_suricata
     - strelka.soc_strelka

salt/allowed_states.map.jinja

@@ -38,7 +38,6 @@
 ] %}
 
 {% set sensor_states = [
-    'pcap',
     'suricata',
     'healthcheck',
     'tcpreplay',

salt/bpf/pcap.map.jinja

@@ -1,21 +1,15 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% set PCAP_BPF_STATUS = 0  %}
-{% set STENO_BPF_COMPILED = "" %}
 
-{% if GLOBALS.pcap_engine == "TRANSITION" %}
-{%   set PCAPBPF = ["ip and host 255.255.255.1 and port 1"] %}
-{% else %}
 {%   import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
 {%   set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
 {%   import 'bpf/macros.jinja' as MACROS %}
 {{   MACROS.remove_comments(BPFMERGED, 'pcap') }}
 {%   set PCAPBPF = BPFMERGED.pcap %}
-{% endif %}
 
 {% if PCAPBPF %}
    {% set PCAP_BPF_CALC = salt['cmd.script']('salt://common/tools/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + PCAPBPF|join(" "),cwd='/root') %}
    {% if PCAP_BPF_CALC['retcode'] == 0 %}
       {% set PCAP_BPF_STATUS = 1 %}
-      {% set STENO_BPF_COMPILED =  ",\\\"--filter=" + PCAP_BPF_CALC['stdout'] + "\\\""  %}
    {% endif %}
 {% endif %}

salt/common/files/daemon.json

@@ -8,5 +8,12 @@
       "base": "172.17.0.0/24",
       "size": 24
     }
-  ]
+  ],
+  "default-ulimits": {
+      "nofile": {
+        "Name": "nofile",
+        "Soft": 1048576,
+        "Hard": 1048576
+      }
+  }
 }

salt/common/tools/sbin/so-bpf-compile

@@ -16,7 +16,7 @@
 
 if [ "$#" -lt 2 ]; then
   cat 1>&2 <<EOF
-$0 compiles a BPF expression to be passed to stenotype to apply a socket filter.
+$0 compiles a BPF expression to be passed to PCAP to apply a socket filter.
 Its first argument is the interface (link type is required) and all other arguments
 are passed to TCPDump.
 

salt/common/tools/sbin/so-common

@@ -349,21 +349,16 @@ get_random_value() {
 }
 
 gpg_rpm_import() {
-	if [[ $is_oracle ]]; then
-	    if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
-	        local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
-	    else
-	        local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
-	    fi
-		RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
-		for RPMKEY in "${RPMKEYS[@]}"; do
-    	        rpm --import $RPMKEYSLOC/$RPMKEY
-	        echo "Imported $RPMKEY"
-	    done
-	elif [[ $is_rpm ]]; then
-		echo "Importing the security onion GPG key"
-		rpm --import ../salt/repo/client/files/oracle/keys/securityonion.pub
+	if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
+		local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
+	else
+		local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
 	fi
+	RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
+	for RPMKEY in "${RPMKEYS[@]}"; do
+		rpm --import $RPMKEYSLOC/$RPMKEY
+		echo "Imported $RPMKEY"
+	done
 }
 
 header() {
@@ -615,69 +610,19 @@ salt_minion_count() {
 }
 
 set_os() {
-	if [ -f /etc/redhat-release ]; then
-		if grep -q "Rocky Linux release 9" /etc/redhat-release; then
-			OS=rocky
-			OSVER=9
-			is_rocky=true
-			is_rpm=true
-		elif grep -q "CentOS Stream release 9" /etc/redhat-release; then
-			OS=centos
-			OSVER=9
-			is_centos=true
-			is_rpm=true
-		elif grep -q "AlmaLinux release 9" /etc/redhat-release; then
-			OS=alma
-			OSVER=9
-			is_alma=true
-			is_rpm=true
-		elif grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release; then
-			if [ -f /etc/oracle-release ]; then
-				OS=oracle
-				OSVER=9
-				is_oracle=true
-				is_rpm=true
-			else
-				OS=rhel
-				OSVER=9
-				is_rhel=true
-				is_rpm=true
-			fi
-		fi
-		cron_service_name="crond"
-	elif [ -f /etc/os-release ]; then
-		if grep -q "UBUNTU_CODENAME=focal" /etc/os-release; then
-			OSVER=focal
-			UBVER=20.04
-			OS=ubuntu
-			is_ubuntu=true
-			is_deb=true
-		elif grep -q "UBUNTU_CODENAME=jammy" /etc/os-release; then
-			OSVER=jammy
-			UBVER=22.04
-			OS=ubuntu
-			is_ubuntu=true
-			is_deb=true
-		elif grep -q "VERSION_CODENAME=bookworm" /etc/os-release; then
-			OSVER=bookworm
-			DEBVER=12
-			is_debian=true
-			OS=debian
-			is_deb=true
-		fi
-		cron_service_name="cron"
+	if [ -f /etc/redhat-release ] && grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release && [ -f /etc/oracle-release ]; then
+		OS=oracle
+		OSVER=9
+		is_oracle=true
+		is_rpm=true
 	fi
+	cron_service_name="crond"
 }
 
 set_minionid() {
 	MINIONID=$(lookup_grain id)
 }
 
-set_palette() {
-	if [[ $is_deb ]]; then
-	    update-alternatives --set newt-palette /etc/newt/palette.original
-    fi
-}
 
 set_version() {
 	CURRENTVERSION=0.0.0

salt/common/tools/sbin/so-image-common

@@ -32,7 +32,6 @@ container_list() {
       "so-nginx"
       "so-pcaptools"
       "so-soc"
-      "so-steno"
       "so-suricata"
       "so-telegraf"
       "so-zeek"
@@ -58,7 +57,6 @@ container_list() {
       "so-pcaptools"
       "so-redis"
       "so-soc"
-      "so-steno"
       "so-strelka-backend"
       "so-strelka-manager"
       "so-suricata"
@@ -71,7 +69,6 @@ container_list() {
       "so-logstash"
       "so-nginx"
       "so-redis"
-      "so-steno"
       "so-suricata"
       "so-soc"
       "so-telegraf"

salt/common/tools/sbin/so-log-check

@@ -179,7 +179,6 @@ if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|salt-minion-check"            # bug in early 2.4 place Jinja script in non-jinja salt dir causing cron output errors
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|monitoring.metrics"           # known issue with elastic agent casting the field incorrectly if an integer value shows up before a float
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|repodownload.conf"            # known issue with reposync on pre-2.4.20 
-    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|missing versions record"      # stenographer corrupt index
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|soc.field."                   # known ingest type collisions issue with earlier versions of SO
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error parsing signature"      # Malformed Suricata rule, from upstream provider
     EXCLUDED_ERRORS="$EXCLUDED_ERRORS|sticky buffer has no matches" # Non-critical Suricata error

salt/common/tools/sbin/so-nsm-clear

@@ -55,19 +55,22 @@ if [ $SKIP -ne 1 ]; then
 fi
 
 delete_pcap() {
-  PCAP_DATA="/nsm/pcap/"
-  [ -d $PCAP_DATA ] && so-pcap-stop && rm -rf $PCAP_DATA/* && so-pcap-start
+  PCAP_DATA="/nsm/suripcap/"
+  [ -d $PCAP_DATA ] && rm -rf $PCAP_DATA/*
 }
 delete_suricata() {
   SURI_LOG="/nsm/suricata/"
-  [ -d $SURI_LOG ] && so-suricata-stop && rm -rf $SURI_LOG/* && so-suricata-start
+  [ -d $SURI_LOG ] && rm -rf $SURI_LOG/*
 }
 delete_zeek() {
   ZEEK_LOG="/nsm/zeek/logs/"
   [ -d $ZEEK_LOG ] && so-zeek-stop && rm -rf $ZEEK_LOG/* && so-zeek-start
 }
 
+so-suricata-stop
 delete_pcap
 delete_suricata
 delete_zeek
+so-suricata-start
+
 

salt/common/tools/sbin/so-restart

@@ -23,7 +23,6 @@ if [ $# -ge 1 ]; then
         fi
 
         case $1 in
-                "steno") docker stop so-steno && docker rm so-steno && salt-call state.apply pcap queue=True;;
                 "elastic-fleet") docker stop so-elastic-fleet && docker rm so-elastic-fleet && salt-call state.apply elasticfleet queue=True;;
                 *)  docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;;
         esac

salt/common/tools/sbin/so-sensor-clean

@@ -72,7 +72,7 @@ clean() {
 		done
 	fi
 
-	## Clean up extracted pcaps from Steno
+	## Clean up extracted pcaps
 	PCAPS='/nsm/pcapout'
 	OLDEST_PCAP=$(find $PCAPS -type f -printf '%T+ %p\n' | sort -n | head -n 1)
 	if [ -z "$OLDEST_PCAP" -o "$OLDEST_PCAP" == ".." -o "$OLDEST_PCAP" == "." ]; then

salt/common/tools/sbin/so-start

@@ -23,7 +23,6 @@ if [ $# -ge 1 ]; then
 
 	case $1 in
    		"all") salt-call state.highstate queue=True;;
-   		"steno") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply pcap queue=True; fi ;; 
    		"elastic-fleet") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply elasticfleet queue=True; fi ;; 
    		*) if docker ps | grep -E -q '^so-$1$'; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;; 
 	esac

salt/docker/defaults.yaml

@@ -174,11 +174,6 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-    'so-steno':
-      final_octet: 99
-      custom_bind_mounts: []
-      extra_hosts: []
-      extra_env: []
     'so-suricata':
       final_octet: 99
       custom_bind_mounts: []

salt/docker/soc_docker.yaml

@@ -62,7 +62,6 @@ docker:
     so-idh: *dockerOptions
     so-elastic-agent: *dockerOptions
     so-telegraf: *dockerOptions
-    so-steno: *dockerOptions
     so-suricata:
       final_octet:
         description: Last octet of the container IP address.

salt/global/defaults.yaml

@@ -1,3 +1,3 @@
 global:
-  pcapengine: STENO
+  pcapengine: SURICATA
   pipeline: REDIS

salt/global/soc_global.yaml

@@ -18,13 +18,11 @@ global:
     regexFailureMessage: You must enter either ZEEK or SURICATA.
     global: True
   pcapengine:
-    description: Which engine to use for generating pcap. Options are STENO, SURICATA or TRANSITION.
-    regex: ^(STENO|SURICATA|TRANSITION)$
+    description: Which engine to use for generating pcap. Currently only SURICATA is supported.
+    regex: ^(SURICATA)$
     options:
-      - STENO
       - SURICATA
-      - TRANSITION
-    regexFailureMessage: You must enter either STENO, SURICATA or TRANSITION.
+    regexFailureMessage: You must enter either SURICATA.
     global: True
   ids:
     description: Which IDS engine to use. Currently only Suricata is supported.

salt/influxdb/templates/alarm_steno_packet_loss.json

@@ -1,27 +0,0 @@
-[{
-	"apiVersion": "influxdata.com/v2alpha1",
-	"kind": "CheckThreshold",
-	"metadata": {
-		"name": "steno-packet-loss"
-	},
-	"spec": {
-		"description": "Triggers when the average percent of packet loss is above the defined threshold. To tune this alert, modify the value for the appropriate alert level.",
-		"every": "1m",
-		"name": "Stenographer Packet Loss",
-		"query": "from(bucket: \"telegraf/so_short_term\")\n  |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"stenodrop\")\n  |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"drop\")\n  |\u003e aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n  |\u003e yield(name: \"mean\")",
-		"status": "active",
-		"statusMessageTemplate": "Stenographer Packet Loss on node ${r.host} has reached the ${ r._level } threshold. The current packet loss is ${ r.drop }%.",
-		"thresholds": [
-			{
-				"level": "CRIT",
-				"type": "greater", 
-				"value": 5
-			},
-			{
-				"level": "WARN",
-				"type": "greater",
-				"value": 3
-			}
-		]
-	}
-}]

salt/logrotate/defaults.yaml

@@ -180,16 +180,6 @@ logrotate:
       - extension .log
       - dateext
       - dateyesterday
-    /opt/so/log/stenographer/*_x_log:
-      - daily
-      - rotate 14
-      - missingok
-      - copytruncate
-      - compress
-      - create
-      - extension .log
-      - dateext
-      - dateyesterday
     /opt/so/log/salt/so-salt-minion-check:
       - daily
       - rotate 14

salt/logrotate/soc_logrotate.yaml

@@ -112,13 +112,6 @@ logrotate:
       multiline: True
       global: True
       forcedType: "[]string"
-    "/opt/so/log/stenographer/*_x_log":
-      description: List of logrotate options for this file.
-      title: /opt/so/log/stenographer/*.log
-      advanced: True
-      multiline: True
-      global: True
-      forcedType: "[]string"
     "/opt/so/log/salt/so-salt-minion-check":
       description: List of logrotate options for this file.
       title: /opt/so/log/salt/so-salt-minion-check

salt/manager/tools/sbin/so-minion

@@ -462,19 +462,14 @@ function add_sensor_to_minion() {
         echo "      lb_procs: '$CORECOUNT'"
         echo "suricata:"
         echo "  enabled: True "
+        echo "  pcap:"
+        echo "    enabled: True"
         if [[ $is_pcaplimit ]]; then
-            echo "  pcap:"
             echo "    maxsize: $MAX_PCAP_SPACE"
         fi
         echo "  config:"
         echo "    af-packet:"
         echo "      threads: '$CORECOUNT'"
-        echo "pcap:"
-        echo "  enabled: True"
-        if [[ $is_pcaplimit ]]; then
-            echo "  config:"
-            echo "    diskfreepercentage: $DFREEPERCENT"
-        fi
         echo "  "
     } >> $PILLARFILE
     if [ $? -ne 0 ]; then

salt/manager/tools/sbin/so-yaml.py

@@ -256,7 +256,7 @@ def replacelistobject(args):
 def addKey(content, key, value):
     pieces = key.split(".", 1)
     if len(pieces) > 1:
-        if not pieces[0] in content:
+        if pieces[0] not in content or content[pieces[0]] is None:
             content[pieces[0]] = {}
         addKey(content[pieces[0]], pieces[1], value)
     elif key in content:
@@ -346,7 +346,12 @@ def get(args):
         print(f"Key '{key}' not found by so-yaml.py", file=sys.stderr)
         return 2
 
-    print(yaml.safe_dump(output))
+    if isinstance(output, bool):
+        print(str(output).lower())
+    elif isinstance(output, (dict, list)):
+        print(yaml.safe_dump(output).strip())
+    else:
+        print(output)
     return 0
 
 

salt/manager/tools/sbin/so-yaml_test.py

@@ -393,7 +393,7 @@ class TestRemove(unittest.TestCase):
 
             result = soyaml.get([filename, "key1.child2.deep1"])
             self.assertEqual(result, 0)
-            self.assertIn("45\n...", mock_stdout.getvalue())
+            self.assertEqual("45\n", mock_stdout.getvalue())
 
     def test_get_str(self):
         with patch('sys.stdout', new=StringIO()) as mock_stdout:
@@ -404,7 +404,18 @@ class TestRemove(unittest.TestCase):
 
             result = soyaml.get([filename, "key1.child2.deep1"])
             self.assertEqual(result, 0)
-            self.assertIn("hello\n...", mock_stdout.getvalue())
+            self.assertEqual("hello\n", mock_stdout.getvalue())
+
+    def test_get_bool(self):
+        with patch('sys.stdout', new=StringIO()) as mock_stdout:
+            filename = "/tmp/so-yaml_test-get.yaml"
+            file = open(filename, "w")
+            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
+            file.close()
+
+            result = soyaml.get([filename, "key2"])
+            self.assertEqual(result, 0)
+            self.assertEqual("false\n", mock_stdout.getvalue())
 
     def test_get_list(self):
         with patch('sys.stdout', new=StringIO()) as mock_stdout:

salt/nginx/etc/nginx.conf

@@ -387,15 +387,13 @@ http {
 		error_page 429 = @error429;
 
 		location @error401 {
-			if ($request_uri ~* (^/connect/.*|^/oauth2/.*)) {
+			if ($request_uri ~* (^/api/.*|^/connect/.*|^/oauth2/.*)) {
 				return    401;
 			}
 
-			if ($request_uri ~* ^/(?!(^/api/.*))) {
-				add_header    Strict-Transport-Security   "max-age=31536000; includeSubDomains";
-			}
+			add_header    Strict-Transport-Security   "max-age=31536000; includeSubDomains";
 
-			if ($request_uri ~* ^/(?!(api/|login|auth|oauth2|$))) {
+			if ($request_uri ~* ^/(?!(login|auth|oauth2|$))) {
 				add_header    Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
 			}
 			return        302 /auth/self-service/login/browser;

salt/pcap/ca.sls

@@ -1,22 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states or sls in allowed_states%}
-
-stenoca:
-  file.directory:
-    - name: /opt/so/conf/steno/certs
-    - user: 941
-    - group: 939
-    - makedirs: True
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}

salt/pcap/cleanup.sls

@@ -0,0 +1,59 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+{% if GLOBALS.is_sensor %}
+
+delete_so-steno_so-status.conf:
+  file.line:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - mode: delete
+    - match: so-steno
+
+remove_stenographer_user:
+  user.absent:
+    - name: stenographer
+    - force: True
+
+remove_stenographer_log_dir:
+  file.absent:
+    - name: /opt/so/log/stenographer
+
+remove_stenoloss_script:
+  file.absent:
+    - name: /opt/so/conf/telegraf/scripts/stenoloss.sh
+
+remove_steno_conf_dir:
+  file.absent:
+    - name: /opt/so/conf/steno
+
+remove_so_pcap_export:
+  file.absent:
+    - name: /usr/sbin/so-pcap-export
+
+remove_so_pcap_restart:
+  file.absent:
+    - name: /usr/sbin/so-pcap-restart
+
+remove_so_pcap_start:
+  file.absent:
+    - name: /usr/sbin/so-pcap-start
+
+remove_so_pcap_stop:
+  file.absent:
+    - name: /usr/sbin/so-pcap-stop
+
+so-steno:
+  docker_container.absent:
+    - force: True
+
+{% else %}
+
+{{sls}}.non_sensor_node:
+  test.show_notification:
+    - text: "Stenographer cleanup not applicable on non-sensor nodes."
+
+{% endif %}

salt/pcap/config.map.jinja

@@ -1,13 +0,0 @@
-{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-   https://securityonion.net/license; you may not use this file except in compliance with the
-   Elastic License 2.0. #}
-
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-{% import_yaml 'pcap/defaults.yaml' as PCAPDEFAULTS %}
-{% set PCAPMERGED = salt['pillar.get']('pcap', PCAPDEFAULTS.pcap, merge=True) %}
-
-{# disable stenographer if the pcap engine is set to SURICATA #}
-{% if GLOBALS.pcap_engine == "SURICATA" %}
-{%   do PCAPMERGED.update({'enabled': False}) %}
-{% endif %}

salt/pcap/config.sls

@@ -1,87 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from "pcap/config.map.jinja" import PCAPMERGED %}
-{% from 'bpf/pcap.map.jinja' import PCAPBPF, PCAP_BPF_STATUS, PCAP_BPF_CALC, STENO_BPF_COMPILED %}
-
-# PCAP Section
-stenographergroup:
-  group.present:
-    - name: stenographer
-    - gid: 941
-
-stenographer:
-  user.present:
-    - uid: 941
-    - gid: 941
-    - home: /opt/so/conf/steno
-
-stenoconfdir:
-  file.directory:
-    - name: /opt/so/conf/steno
-    - user: 941
-    - group: 939
-    - makedirs: True
-
-pcap_sbin:
-  file.recurse:
-    - name: /usr/sbin
-    - source: salt://pcap/tools/sbin
-    - user: 939
-    - group: 939
-    - file_mode: 755
-
-{% if PCAPBPF and not PCAP_BPF_STATUS %}
-stenoPCAPbpfcompilationfailure:
-  test.configurable_test_state:
-   - changes: False
-   - result: False
-  - comment: "BPF Syntax Error - Discarding Specified BPF. Error: {{ PCAP_BPF_CALC['stderr'] }}"
-{% endif %}
-
-stenoconf:
-  file.managed:
-    - name: /opt/so/conf/steno/config
-    - source: salt://pcap/files/config.jinja
-    - user: stenographer
-    - group: stenographer
-    - mode: 644
-    - template: jinja
-    - defaults:
-        PCAPMERGED: {{ PCAPMERGED }}
-        STENO_BPF_COMPILED: "{{ STENO_BPF_COMPILED }}"
-
-pcaptmpdir:
-  file.directory:
-    - name: /nsm/pcaptmp
-    - user: 941
-    - group: 941
-    - makedirs: True
-
-pcapindexdir:
-  file.directory:
-    - name: /nsm/pcapindex
-    - user: 941
-    - group: 941
-    - makedirs: True
-
-stenolog:
-  file.directory:
-    - name: /opt/so/log/stenographer
-    - user: 941
-    - group: 941
-    - makedirs: True
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}

salt/pcap/defaults.yaml

@@ -1,11 +0,0 @@
-pcap:
-  enabled: False
-  config:
-    maxdirectoryfiles: 30000
-    diskfreepercentage: 10
-    blocks: 2048
-    preallocate_file_mb: 4096
-    aiops: 128
-    pin_to_cpu: False
-    cpus_to_pin_to: []
-    disks: []

salt/pcap/disabled.sls

@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-
-include:
-  - pcap.sostatus
-  
-so-steno:
-  docker_container.absent:
-    - force: True
-
-so-steno_so-status.disabled:
-  file.comment:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - regex: ^so-steno$
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}

salt/pcap/enabled.sls

@@ -1,63 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-{%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
-
-
-include:
-  - pcap.ca
-  - pcap.config
-  - pcap.sostatus
-
-so-steno:
-  docker_container.running:
-    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-steno:{{ GLOBALS.so_version }}
-    - start: True
-    - network_mode: host
-    - privileged: True
-    - binds:
-      - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
-      - /opt/so/conf/steno/config:/etc/stenographer/config:rw
-      - /nsm/pcap:/nsm/pcap:rw
-      - /nsm/pcapindex:/nsm/pcapindex:rw
-      - /nsm/pcaptmp:/tmp:rw
-      - /opt/so/log/stenographer:/var/log/stenographer:rw
-    {% if DOCKER.containers['so-steno'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-steno'].custom_bind_mounts %}
-      - {{ BIND }}
-        {% endfor %}
-      {% endif %}
-    {% if DOCKER.containers['so-steno'].extra_hosts %}
-    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-steno'].extra_hosts %}
-      - {{ XTRAHOST }}
-      {% endfor %}
-    {% endif %}
-    {% if DOCKER.containers['so-steno'].extra_env %}
-    - environment:
-      {% for XTRAENV in DOCKER.containers['so-steno'].extra_env %}
-      - {{ XTRAENV }}
-      {% endfor %}
-    {% endif %}
-    - watch:
-      - file: stenoconf
-    - require:
-      - file: stenoconf
-
-delete_so-steno_so-status.disabled:
-  file.uncomment:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - regex: ^so-steno$
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}

salt/pcap/files/config.jinja

@@ -1,11 +0,0 @@
-{
-  "Threads": [
-    { "PacketsDirectory": "/nsm/pcap", "IndexDirectory": "/nsm/pcapindex", "MaxDirectoryFiles": {{ PCAPMERGED.config.maxdirectoryfiles }}, "DiskFreePercentage": {{ PCAPMERGED.config.diskfreepercentage }} }
-  ]
-  , "StenotypePath": "/usr/bin/stenotype"
-  , "Interface": "{{ pillar.sensor.interface }}"
-  , "Port": 1234
-  , "Host": "127.0.0.1"
-  , "Flags": ["-v", "--blocks={{ PCAPMERGED.config.blocks }}", "--preallocate_file_mb={{ PCAPMERGED.config.preallocate_file_mb }}", "--aiops={{ PCAPMERGED.config.aiops }}", "--uid=stenographer", "--gid=stenographer"{{ STENO_BPF_COMPILED }}]
-  , "CertPath": "/etc/stenographer/certs"
-}

salt/pcap/init.sls

@@ -1,41 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'pcap/config.map.jinja' import PCAPMERGED %}
-
-include:
-{% if PCAPMERGED.enabled and GLOBALS.role != 'so-import'%}
-  - pcap.enabled
-{% elif GLOBALS.role == 'so-import' %}
-  - pcap.config
-  - pcap.disabled
-{% else %}
-  - pcap.disabled
-{% endif %}
-
-# This directory needs to exist regardless of whether STENO is enabled or not, in order for
-# Sensoroni to be able to look at old steno PCAP data
-
-# if stenographer has never run as the pcap engine no 941 user is created, so we use socore as a placeholder.
-# /nsm/pcap is empty until stenographer is used as pcap engine
-{% set pcap_id = 941 %}
-{% set user_list = salt['user.list_users']() %}
-{% if GLOBALS.pcap_engine == "SURICATA" and 'stenographer' not in user_list %}
-{%   set pcap_id = 939 %}
-{% endif %}
-pcapdir:
-  file.directory:
-    - name: /nsm/pcap
-    - user: {{ pcap_id }}
-    - group: {{ pcap_id }}
-    - makedirs: True
-
-pcapoutdir:
-  file.directory:
-    - name: /nsm/pcapout
-    - user: 939
-    - group: 939
-    - makedirs: True

salt/pcap/soc_pcap.yaml

@@ -1,35 +0,0 @@
-pcap:
-  enabled: 
-    description: Enables or disables the Stenographer packet recording process. This process may already be disabled if Suricata is being used as the packet capture process.
-    helpLink: stenographer.html
-  config:
-    maxdirectoryfiles:
-      description: By default, Stenographer limits the number of files in the pcap directory to 30000 to avoid limitations with the ext3 filesystem. However, if you're using the ext4 or xfs filesystems, then it is safe to increase this value. So if you have a large amount of storage and find that you only have 3 weeks worth of PCAP on disk while still having plenty of free space, then you may want to increase this default setting.
-      helpLink: stenographer.html
-    diskfreepercentage:
-      description: Stenographer will purge old PCAP on a regular basis to keep the disk free percentage at this level. If you have a distributed deployment with dedicated Sensor nodes, then the default value of 10 should be reasonable since Stenographer should be the main consumer of disk space in the /nsm partition. However, if you have systems that run both Stenographer and Elasticsearch at the same time (like eval and standalone installations), then you’ll want to make sure that this value is no lower than 21 so that you avoid Elasticsearch hitting its watermark setting at 80% disk usage. If you have an older standalone installation, then you may need to manually change this value to 21.
-      helpLink: stenographer.html
-    blocks:
-      description: The number of 1MB packet blocks used by Stenographer and AF_PACKET to store packets in memory, per thread. You shouldn't need to change this. 
-      advanced: True
-      helpLink: stenographer.html
-    preallocate_file_mb:
-      description: File size to pre-allocate for individual Stenographer PCAP files. You shouldn't need to change this. 
-      advanced: True
-      helpLink: stenographer.html
-    aiops:
-      description: The max number of async writes to allow for Stenographer at once.
-      advanced: True
-      helpLink: stenographer.html
-    pin_to_cpu:
-      description: Enable CPU pinning for Stenographer PCAP.
-      advanced: True
-      helpLink: stenographer.html
-    cpus_to_pin_to:
-      description: CPU to pin Stenographer PCAP to. Currently only a single CPU is supported.
-      advanced: True
-      helpLink: stenographer.html
-    disks:
-      description: List of disks to use for Stenographer PCAP. This is currently not used.
-      advanced: True
-      helpLink: stenographer.html

salt/pcap/sostatus.sls

@@ -1,21 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-
-append_so-steno_so-status.conf:
-  file.append:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - text: so-steno
-    - unless: grep -q so-steno /opt/so/conf/so-status/so-status.conf
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}

salt/pcap/tools/sbin/so-pcap-export

@@ -1,18 +0,0 @@
-#!/bin/bash
-#
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-if [ $# -lt 2 ]; then
-  echo "Usage: $0 <steno-query> Output-Filename"
-  exit 1
-fi
-
-docker exec -t so-sensoroni scripts/stenoquery.sh "$1" -w /nsm/pcapout/$2.pcap
-
-echo ""
-echo "If successful, the output was written to: /nsm/pcapout/$2.pcap"

salt/pcap/tools/sbin/so-pcap-restart

@@ -1,12 +0,0 @@
-#!/bin/bash
-#
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-. /usr/sbin/so-common
-
-/usr/sbin/so-restart steno $1

salt/pcap/tools/sbin/so-pcap-start

@@ -1,12 +0,0 @@
-#!/bin/bash
-#
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-. /usr/sbin/so-common
-
-/usr/sbin/so-start steno $1

salt/pcap/tools/sbin/so-pcap-stop

@@ -1,12 +0,0 @@
-#!/bin/bash
-#
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-. /usr/sbin/so-common
-
-/usr/sbin/so-stop steno $1

salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja

@@ -29,7 +29,11 @@ sool9_{{host}}:
     hypervisor_host: {{host ~ "_" ~ role}}
   preflight_cmds:
     - |
-      tee -a /etc/hosts <<< "{{ MANAGERIP }}    {{ MANAGERHOSTNAME }}"
+      {%- set hostnames = [MANAGERHOSTNAME] %}
+      {%- if not (URL_BASE | ipaddr) and URL_BASE != MANAGERHOSTNAME %}
+      {%-   do hostnames.append(URL_BASE) %}
+      {%- endif %}
+      tee -a /etc/hosts <<< "{{ MANAGERIP }}    {{ hostnames | join('  ') }}"
     - |
       timeout 600 bash -c 'trap "echo \"Preflight Check: Failed to establish repo connectivity\"; exit 1" TERM; \
         while ! dnf makecache --repoid=securityonion >/dev/null 2>&1; do echo "Preflight Check: Waiting for repo connectivity..."; \

salt/salt/cloud/config.sls

@@ -14,6 +14,7 @@
 {%   if 'vrt' in salt['pillar.get']('features', []) %}
 {%     set HYPERVISORS = salt['pillar.get']('hypervisor:nodes', {} ) %}
 {%     from 'salt/map.jinja' import SALTVERSION %}
+{%     from 'vars/globals.map.jinja' import GLOBALS %}
 
 {%     if HYPERVISORS %}
 cloud_providers:
@@ -34,6 +35,7 @@ cloud_profiles:
         MANAGERHOSTNAME: {{ grains.host }}
         MANAGERIP: {{ pillar.host.mainip }}
         SALTVERSION: {{ SALTVERSION }}
+        URL_BASE: {{ GLOBALS.url_base }}
     - template: jinja
     - makedirs: True
 {%     else %}

salt/salt/engines/master/virtual_node_manager.py

@@ -805,11 +805,6 @@ def process_vm_creation(hypervisor_path: str, vm_config: dict) -> None:
                     mark_invalid_hardware(hypervisor_path, vm_name, vm_config,
                                         {'nsm_size': 'Invalid nsm_size: must be positive integer'})
                     return
-                if size > 10000:  # 10TB reasonable maximum
-                    log.error("VM: %s - nsm_size %dGB exceeds reasonable maximum (10000GB)", vm_name, size)
-                    mark_invalid_hardware(hypervisor_path, vm_name, vm_config,
-                                        {'nsm_size': f'Invalid nsm_size: {size}GB exceeds maximum (10000GB)'})
-                    return
                 log.debug("VM: %s - nsm_size validated: %dGB", vm_name, size)
             except (ValueError, TypeError) as e:
                 log.error("VM: %s - nsm_size must be a valid integer, got: %s", vm_name, vm_config.get('nsm_size'))

salt/sensoroni/enabled.sls

@@ -8,9 +8,6 @@
 
 
 include:
-{% if GLOBALS.is_sensor or GLOBALS.role == 'so-import' %}
-  - pcap.ca
-{% endif %}
   - sensoroni.config
   - sensoroni.sostatus
 
@@ -19,10 +16,6 @@ so-sensoroni:
     - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-soc:{{ GLOBALS.so_version }}
     - network_mode: host
     - binds:
-      {% if GLOBALS.is_sensor or GLOBALS.role == 'so-import' %}
-      - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
-      {% endif %}
-      - /nsm/pcap:/nsm/pcap:rw
       - /nsm/import:/nsm/import:rw
       - /nsm/pcapout:/nsm/pcapout:rw
       - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro

salt/sensoroni/files/sensoroni.json

@@ -32,11 +32,6 @@
         "apiKey": "{{ GLOBALS.sensoroni_key }}"
 {%  if GLOBALS.is_sensor %}
       },     
-      "stenoquery": {
-        "executablePath": "/opt/sensoroni/scripts/stenoquery.sh",
-        "pcapInputPath": "/nsm/pcap",
-        "pcapOutputPath": "/nsm/pcapout"
-      },     
       "suriquery": {
         "pcapInputPath": "/nsm/suripcap",
         "pcapOutputPath": "/nsm/pcapout",

salt/suricata/config.sls

@@ -10,7 +10,7 @@
 {%   from 'suricata/map.jinja' import SURICATAMERGED %}
 {%   from 'bpf/suricata.map.jinja' import SURICATABPF, SURICATA_BPF_STATUS, SURICATA_BPF_CALC %}
 
-{%   if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
+{%   if GLOBALS.pcap_engine in ["SURICATA"] %}
 {%     from 'bpf/pcap.map.jinja' import PCAPBPF, PCAP_BPF_STATUS, PCAP_BPF_CALC %}
 # BPF compilation and configuration
 {%     if PCAPBPF and not PCAP_BPF_STATUS %}

salt/suricata/defaults.yaml

@@ -1,6 +1,7 @@
 suricata:
   enabled: False
   pcap:
+    enabled: "no"
     filesize: 1000mb
     maxsize: 25
     compression: "none"
@@ -141,8 +142,6 @@ suricata:
         enabled: "no"
       tls-store:
         enabled: "no"
-      pcap-log:
-        enabled: "no"
       alert-debug:
         enabled: "no"
       alert-prelude:

salt/suricata/map.jinja

@@ -9,15 +9,20 @@
 {% set surimeta_filestore_index = [] %}
 
 {# before we change outputs back to list, enable pcap-log if suricata is the pcapengine #}
-{% if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
+{% if GLOBALS.pcap_engine in ["SURICATA"] %}
+
+{# initialize pcap-log in config.outputs since we dont put it in defaults #}
+{%   if 'pcap-log' not in SURICATAMERGED.config.outputs %}
+{%     do SURICATAMERGED.config.outputs.update({'pcap-log': {}}) %}
+{%   endif %}
 
 {%   from 'bpf/pcap.map.jinja' import PCAPBPF, PCAP_BPF_STATUS %}
 {%   if PCAPBPF and PCAP_BPF_STATUS %}
 {%     do SURICATAMERGED.config.outputs['pcap-log'].update({'bpf-filter': PCAPBPF|join(" ")}) %}
 {%   endif %}
 
-{%   do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
 {#   move the items in suricata.pcap into suricata.config.outputs.pcap-log. these items were placed under suricata.config for ease of access in SOC #}
+{%   do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': SURICATAMERGED.pcap.enabled}) %}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'compression': SURICATAMERGED.pcap.compression}) %}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-checksum': SURICATAMERGED.pcap['lz4-checksum']}) %}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-level': SURICATAMERGED.pcap['lz4-level']}) %}

salt/suricata/pcap.sls

@@ -2,7 +2,7 @@
 {% from 'suricata/map.jinja' import SURICATAMERGED %}
 
 # This directory needs to exist regardless of whether SURIPCAP is enabled or not, in order for
-# Sensoroni to be able to look at old Suricata PCAP data
+# Sensoroni to mount it
 suripcapdir:
   file.directory:
     - name: /nsm/suripcap
@@ -11,7 +11,14 @@ suripcapdir:
     - mode: 775
     - makedirs: True
 
-{%   if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
+pcapoutdir:
+  file.directory:
+    - name: /nsm/pcapout
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+{%   if GLOBALS.pcap_engine in ["SURICATA"] %}
 
 {# there should only be 1 interface in af-packet so we can just reference the first list item #}
 {% for i in range(1, SURICATAMERGED.config['af-packet'][0].threads + 1) %}

salt/suricata/soc_suricata.yaml

@@ -22,6 +22,10 @@ suricata:
       title: Classifications
       helpLink: suricata.html
   pcap:
+    enabled:
+      description: Enables or disables the Suricata packet recording process.
+      forcedType: bool
+      helpLink: suricata.html
     filesize: 
       description: Maximum file size for individual PCAP files written by Suricata. Increasing this number could improve write performance at the expense of pcap retrieval time.
       advanced: True
@@ -209,12 +213,6 @@ suricata:
               header:
                 description: Header name where the actual IP address will be reported.
                 helpLink: suricata.html
-      pcap-log:
-        enabled:
-          description: This value is ignored by SO. pcapengine in globals takes precedence.
-          readonly: True
-          helpLink: suricata.html
-          advanced: True        
     asn1-max-frames:
       description: Maximum nuber of asn1 frames to decode.
       helpLink: suricata.html

salt/suricata/tools/sbin_jinja/so-suricata-testrule

@@ -31,8 +31,9 @@ mkdir -p /tmp/nids-testing/output
 chown suricata:socore /tmp/nids-testing/output
 mkdir -p /tmp/nids-testing/rules
 
-cp /opt/so/conf/suricata/rules/all.rules /tmp/nids-testing/rules/all.rules
-cat $TESTRULE >> /tmp/nids-testing/rules/all.rules
+cp /opt/so/rules/suricata/all-rulesets.rules /tmp/nids-testing/rules/all-rulesets.rules
+cat $TESTRULE >> /tmp/nids-testing/rules/all-rulesets.rules
+
 
 echo "==== Begin Suricata Output ==="
 

salt/telegraf/defaults.yaml

@@ -19,7 +19,6 @@ telegraf:
       - os.sh
       - raid.sh
       - sostatus.sh
-      - stenoloss.sh
       - suriloss.sh
       - surirules.sh
       - zeekcaptureloss.sh
@@ -35,7 +34,6 @@ telegraf:
       - raid.sh
       - redis.sh
       - sostatus.sh
-      - stenoloss.sh
       - suriloss.sh
       - surirules.sh
       - zeekcaptureloss.sh
@@ -81,7 +79,6 @@ telegraf:
       - os.sh
       - raid.sh
       - sostatus.sh
-      - stenoloss.sh
       - suriloss.sh
       - surirules.sh
       - zeekcaptureloss.sh
@@ -96,7 +93,6 @@ telegraf:
       - raid.sh
       - redis.sh
       - sostatus.sh
-      - stenoloss.sh
       - suriloss.sh
       - surirules.sh
       - zeekcaptureloss.sh

salt/telegraf/enabled.sls

@@ -47,7 +47,6 @@ so-telegraf:
       - /etc/pki/telegraf.crt:/etc/telegraf/telegraf.crt:ro
       - /etc/pki/telegraf.key:/etc/telegraf/telegraf.key:ro
       - /opt/so/conf/telegraf/scripts:/scripts:ro
-      - /opt/so/log/stenographer:/var/log/stenographer:ro
       - /opt/so/log/suricata:/var/log/suricata:ro
       - /opt/so/log/raid:/var/log/raid:ro
       - /opt/so/log/sostatus:/var/log/sostatus:ro

salt/telegraf/map.jinja

@@ -14,13 +14,6 @@
 {%     do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('zeekloss.sh') %}
 {%     do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('zeekcaptureloss.sh') %}
 {%   endif %}
-
-{%   from 'pcap/config.map.jinja' import PCAPMERGED %}
-{#   PCAPMERGED.enabled is set false in soc ui or if suricata is the pcap engine #}
-{%   if not PCAPMERGED.enabled %}
-{%     do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('stenoloss.sh') %}
-{%   endif %}
-
 {% endif %}
 
 {% if GLOBALS.pipeline != 'REDIS' %}

salt/telegraf/scripts/oldpcap.sh

@@ -5,11 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{%- if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
 PCAPLOC=/host/nsm/suripcap
-{%- else %}
-PCAPLOC=/host/nsm/pcap
-{%- endif %}
 
 # if this script isn't already running
 if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then

salt/telegraf/scripts/stenoloss.sh

@@ -1,39 +0,0 @@
-#!/bin/bash
-#
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-# if this script isn't already running
-if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
-
-    CHECKIT=$(grep "Thread 0 stats" /var/log/stenographer/stenographer.log |tac |head -2|wc -l)
-    STENOGREP=$(grep "Thread 0 stats" /var/log/stenographer/stenographer.log |tac |head -2)
-
-    declare RESULT=($STENOGREP)
-
-    CURRENT_PACKETS=$(echo ${RESULT[9]} | awk -F'=' '{print $2 }')
-    CURRENT_DROPS=$(echo ${RESULT[12]} | awk -F'=' '{print $2 }')
-    PREVIOUS_PACKETS=$(echo ${RESULT[23]} | awk -F'=' '{print $2 }')
-    PREVIOUS_DROPS=$(echo ${RESULT[26]} | awk -F'=' '{print $2 }')
-
-    DROPPED=$((CURRENT_DROPS - PREVIOUS_DROPS))
-    TOTAL_CURRENT=$((CURRENT_PACKETS + CURRENT_DROPS))
-    TOTAL_PAST=$((PREVIOUS_PACKETS + PREVIOUS_DROPS))
-    TOTAL=$((TOTAL_CURRENT - TOTAL_PAST))
-
-    if [ $CHECKIT == 2 ]; then
-      if [ $DROPPED == 0 ]; then
-        echo "stenodrop drop=$DROPPED"
-      else
-        LOSS=$(echo "4 k $DROPPED $TOTAL / 100 * p" | dc)
-        echo "stenodrop drop=$LOSS"
-      fi
-    fi
-
-fi
-
-exit 0

salt/top.sls

@@ -78,7 +78,6 @@ base:
     - elasticsearch
     - elastic-fleet-package-registry
     - kibana
-    - pcap
     - suricata
     - zeek
     - strelka
@@ -86,6 +85,7 @@ base:
     - elastalert
     - utility
     - elasticfleet
+    - pcap.cleanup
 
   '*_standalone and G@saltversion:{{saltversion}} and not I@node_data:False':
     - match: compound
@@ -108,7 +108,6 @@ base:
     - redis
     - elastic-fleet-package-registry
     - kibana
-    - pcap
     - suricata
     - zeek
     - strelka
@@ -118,6 +117,7 @@ base:
     - elasticfleet
     - stig
     - kafka
+    - pcap.cleanup
 
   '*_manager or *_managerhype and G@saltversion:{{saltversion}} and not I@node_data:False':
     - match: compound
@@ -192,7 +192,6 @@ base:
     - sensoroni
     - telegraf
     - firewall
-    - pcap
     - elasticsearch
     - elastic-fleet-package-registry
     - kibana
@@ -200,6 +199,7 @@ base:
     - suricata
     - zeek
     - elasticfleet
+    - pcap.cleanup
 
   '*_searchnode and G@saltversion:{{saltversion}}':
     - match: compound
@@ -220,13 +220,13 @@ base:
     - telegraf
     - firewall
     - nginx
-    - pcap
     - suricata
     - healthcheck
     - zeek
     - strelka
     - elasticfleet.install_agent_grid
     - stig
+    - pcap.cleanup
 
   '*_heavynode and G@saltversion:{{saltversion}}':
     - match: compound
@@ -240,11 +240,11 @@ base:
     - redis
     - curator.disabled
     - strelka
-    - pcap
     - suricata
     - zeek
     - elasticfleet.install_agent_grid
     - elasticagent
+    - pcap.cleanup
 
   '*_receiver and G@saltversion:{{saltversion}}':
     - match: compound

setup/so-functions

@@ -852,74 +852,14 @@ detect_cloud() {
 
 detect_os() {
 	title "Detecting Base OS"
-	if [ -f /etc/redhat-release ]; then
-		if grep -q "Rocky Linux release 9" /etc/redhat-release; then
-			OS=rocky
-			OSVER=9
-			is_rocky=true
-			is_rpm=true
-			not_supported=true
-			unset is_supported
-		elif grep -q "CentOS Stream release 9" /etc/redhat-release; then
-			OS=centos
-			OSVER=9
-			is_centos=true
-			is_rpm=true
-			not_supported=true
-			unset is_supported
-		elif grep -q "AlmaLinux release 9" /etc/redhat-release; then
-			OS=alma
-			OSVER=9
-			is_alma=true
-			is_rpm=true
-			not_supported=true
-			unset is_supported
-		elif grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release; then
-			if [ -f /etc/oracle-release ]; then
-				OS=oracle
-				OSVER=9
-				is_oracle=true
-				is_rpm=true
-				is_supported=true
-			else
-				OS=rhel
-				OSVER=9
-				is_rhel=true
-				is_rpm=true
-				not_supported=true
-				unset is_supported
-			fi
-		fi
-	elif [ -f /etc/os-release ]; then
-		if grep -q "UBUNTU_CODENAME=focal" /etc/os-release; then
-			OSVER=focal
-			UBVER=20.04
-			OS=ubuntu
-			is_ubuntu=true
-			is_deb=true
-			not_supported=true
-			unset is_supported
-		elif grep -q "UBUNTU_CODENAME=jammy" /etc/os-release; then
-			OSVER=jammy
-			UBVER=22.04
-			OS=ubuntu
-			is_ubuntu=true
-			is_deb=true
-			not_supported=true
-			unset is_supported
-		elif grep -q "VERSION_CODENAME=bookworm" /etc/os-release; then
-			OSVER=bookworm
-			DEBVER=12
-			is_debian=true
-			OS=debian
-			is_deb=true
-			not_supported=true
-			unset is_supported
-		fi
-		installer_prereq_packages
-
+	if [ -f /etc/redhat-release ] && grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release && [ -f /etc/oracle-release ]; then
+		OS=oracle
+		OSVER=9
+		is_oracle=true
+		is_rpm=true
+		is_supported=true
 	else
-		info "We were unable to determine if you are using a supported OS."
+		info "This OS is not supported. Security Onion requires Oracle Linux 9."
 		fail_setup
 	fi
 
@@ -932,23 +872,6 @@ download_elastic_agent_artifacts() {
 	fi
 }
 
-installer_prereq_packages() {	
-	if [[ $is_deb ]]; then
-		# Print message to stdout so the user knows setup is doing something
-		info "Running apt-get update"
-		retry 150 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || fail_setup
-		# Install network manager so we can do interface stuff
-		if ! command -v nmcli > /dev/null 2>&1; then
-			info "Installing network-manager"
-			retry 150 10 "apt-get -y install network-manager ethtool" >> "$setup_log" 2>&1 || fail_setup
-			logCmd "systemctl enable NetworkManager"
-			logCmd "systemctl start NetworkManager"
-		fi
-		if ! command -v curl > /dev/null 2>&1; then
-			retry 150 10 "apt-get -y install curl"  >> "$setup_log" 2>&1 || fail_setup
-		fi
-	fi
-}
 
 disable_auto_start() {
 	
@@ -1382,9 +1305,7 @@ create_global() {
 	echo "  registry_host: '$HOSTNAME'" >> $global_pillar_file
 	echo "  endgamehost: '$ENDGAMEHOST'" >> $global_pillar_file
 
-	if [[ $is_standalone || $is_eval ]]; then
-        	echo "  pcapengine: SURICATA" >> $global_pillar_file
-	fi
+   	echo "  pcapengine: SURICATA" >> $global_pillar_file
 }
 
 create_sensoroni_pillar() {
@@ -1446,7 +1367,7 @@ make_some_dirs() {
 	mkdir -p $local_salt_dir/salt/firewall/portgroups
 	mkdir -p $local_salt_dir/salt/firewall/ports
 
-	for THEDIR in bpf pcap elasticsearch ntp firewall redis backup influxdb strelka sensoroni soc docker zeek suricata nginx telegraf logstash soc manager kratos hydra idh elastalert stig global kafka versionlock hypervisor vm; do
+	for THEDIR in bpf elasticsearch ntp firewall redis backup influxdb strelka sensoroni soc docker zeek suricata nginx telegraf logstash soc manager kratos hydra idh elastalert stig global kafka versionlock hypervisor vm; do
 	mkdir -p $local_salt_dir/pillar/$THEDIR
 	touch $local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls
 	touch $local_salt_dir/pillar/$THEDIR/soc_$THEDIR.sls
@@ -1462,7 +1383,7 @@ network_init() {
 	title "Initializing Network"
 	disable_ipv6
 	set_hostname
-	if [[ ( $is_iso || $is_desktop_iso || $is_debian ) ]]; then
+	if [[ ( $is_iso || $is_desktop_iso ) ]]; then
 		set_management_interface
 	fi
 }
@@ -1600,7 +1521,6 @@ reserve_group_ids() {
 	logCmd "groupadd -g 940 suricata"
 	logCmd "groupadd -g 948 elastic-agent-pr"
 	logCmd "groupadd -g 949 elastic-agent"
-	logCmd "groupadd -g 941 stenographer"
 	logCmd "groupadd -g 947 elastic-fleet"
 	logCmd "groupadd -g 960 kafka"
 }
@@ -1697,11 +1617,6 @@ reinstall_init() {
 		# Uninstall local Elastic Agent, if installed
 		elastic-agent uninstall -f
 
-		if [[ $is_deb ]]; then
-			echo "Unholding previously held packages."
-			apt-mark unhold $(apt-mark showhold)
-		fi
-
 	} >> "$setup_log" 2>&1
 
 	info "System reinstall init has been completed."
@@ -1718,11 +1633,7 @@ reset_proxy() {
 
 	[[ -f /etc/gitconfig ]] && rm -f /etc/gitconfig
 	
-	if [[ $is_rpm ]]; then
-		sed -i "/proxy=/d" /etc/dnf/dnf.conf
-	else
-		[[ -f /etc/apt/apt.conf.d/00-proxy.conf ]] && rm -f /etc/apt/apt.conf.d/00-proxy.conf
-	fi
+	sed -i "/proxy=/d" /etc/dnf/dnf.conf
 }
 
 restore_file() {
@@ -1768,14 +1679,8 @@ drop_install_options() {
 
 remove_package() {
 	local package_name=$1
-	if [[ $is_rpm ]]; then
-		if rpm -qa | grep -q "$package_name"; then
-			logCmd "dnf remove -y $package_name"
-		fi
-	else
-		if dpkg -l | grep -q "$package_name"; then
-			retry 150 10 "apt purge -y \"$package_name\""
-		fi
+	if rpm -qa | grep -q "$package_name"; then
+		logCmd "dnf remove -y $package_name"
 	fi
 }
 
@@ -1789,122 +1694,91 @@ remove_package() {
 
 securityonion_repo() {
 	# Remove all the current repos
-	if [[ $is_oracle ]]; then
-		logCmd "dnf -v clean all"
-		logCmd "mkdir -vp /root/oldrepos"
-		if [ -n "$(ls -A /etc/yum.repos.d/ 2>/dev/null)" ]; then
-			logCmd "mv -v /etc/yum.repos.d/* /root/oldrepos/"
-		fi
-		if ! $is_desktop_grid; then
-			gpg_rpm_import
-			if [[ ! $is_airgap ]]; then
-				echo "https://repo.securityonion.net/file/so-repo/prod/3/oracle/9" > /etc/yum/mirror.txt
-				echo "https://so-repo-east.s3.us-east-005.backblazeb2.com/prod/3/oracle/9" >> /etc/yum/mirror.txt
-				echo "[main]" > /etc/yum.repos.d/securityonion.repo
-				echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
-				echo "installonly_limit=3" >> /etc/yum.repos.d/securityonion.repo
-				echo "clean_requirements_on_remove=True" >> /etc/yum.repos.d/securityonion.repo
-				echo "best=True" >> /etc/yum.repos.d/securityonion.repo
-				echo "skip_if_unavailable=False" >> /etc/yum.repos.d/securityonion.repo
-				echo "cachedir=/opt/so/conf/reposync/cache" >> /etc/yum.repos.d/securityonion.repo
-				echo "keepcache=0" >> /etc/yum.repos.d/securityonion.repo
-				echo "[securityonionsync]" >> /etc/yum.repos.d/securityonion.repo
-				echo "name=Security Onion Repo repo" >> /etc/yum.repos.d/securityonion.repo
-				echo "mirrorlist=file:///etc/yum/mirror.txt" >> /etc/yum.repos.d/securityonion.repo
-				echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
-				echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
-				logCmd "dnf repolist"
-			else
-				echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo
-				echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo
-				echo "baseurl=https://$MSRV/repo" >> /etc/yum.repos.d/securityonion.repo
-				echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
-				echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
-				echo "sslverify=0" >> /etc/yum.repos.d/securityonion.repo
-				logCmd "dnf repolist"
-			fi
-		elif [[ ! $waitforstate ]]; then
+	logCmd "dnf -v clean all"
+	logCmd "mkdir -vp /root/oldrepos"
+	if [ -n "$(ls -A /etc/yum.repos.d/ 2>/dev/null)" ]; then
+		logCmd "mv -v /etc/yum.repos.d/* /root/oldrepos/"
+	fi
+	if ! $is_desktop_grid; then
+		gpg_rpm_import
+		if [[ ! $is_airgap ]]; then
+			echo "https://repo.securityonion.net/file/so-repo/prod/3/oracle/9" > /etc/yum/mirror.txt
+			echo "https://so-repo-east.s3.us-east-005.backblazeb2.com/prod/3/oracle/9" >> /etc/yum/mirror.txt
+			echo "[main]" > /etc/yum.repos.d/securityonion.repo
+			echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
+			echo "installonly_limit=3" >> /etc/yum.repos.d/securityonion.repo
+			echo "clean_requirements_on_remove=True" >> /etc/yum.repos.d/securityonion.repo
+			echo "best=True" >> /etc/yum.repos.d/securityonion.repo
+			echo "skip_if_unavailable=False" >> /etc/yum.repos.d/securityonion.repo
+			echo "cachedir=/opt/so/conf/reposync/cache" >> /etc/yum.repos.d/securityonion.repo
+			echo "keepcache=0" >> /etc/yum.repos.d/securityonion.repo
+			echo "[securityonionsync]" >> /etc/yum.repos.d/securityonion.repo
+			echo "name=Security Onion Repo repo" >> /etc/yum.repos.d/securityonion.repo
+			echo "mirrorlist=file:///etc/yum/mirror.txt" >> /etc/yum.repos.d/securityonion.repo
+			echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
+			echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
+			logCmd "dnf repolist"
+		else
 			echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo
 			echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo
 			echo "baseurl=https://$MSRV/repo" >> /etc/yum.repos.d/securityonion.repo
 			echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
 			echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
-			echo "sslverify=0" >> /etc/yum.repos.d/securityonion.repo		
-		elif [[ $waitforstate ]]; then
-			echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo
-			echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo
-			echo "baseurl=file:///nsm/repo/" >> /etc/yum.repos.d/securityonion.repo
-			echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
-			echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
+			echo "sslverify=0" >> /etc/yum.repos.d/securityonion.repo
+			logCmd "dnf repolist"
 		fi
+	elif [[ ! $waitforstate ]]; then
+		echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo
+		echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo
+		echo "baseurl=https://$MSRV/repo" >> /etc/yum.repos.d/securityonion.repo
+		echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
+		echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
+		echo "sslverify=0" >> /etc/yum.repos.d/securityonion.repo
+	elif [[ $waitforstate ]]; then
+		echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo
+		echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo
+		echo "baseurl=file:///nsm/repo/" >> /etc/yum.repos.d/securityonion.repo
+		echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
+		echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
 	fi
-	if [[ $is_rpm ]]; then logCmd "dnf repolist all"; fi
+	logCmd "dnf repolist all"
 	if [[ $waitforstate ]]; then
-		if [[ $is_rpm ]]; then
-				# Build the repo locally so we can use it
-				echo "Syncing Repos"
-				repo_sync_local
-		fi
+		# Build the repo locally so we can use it
+		echo "Syncing Repos"
+		repo_sync_local
 	fi
 }
 
 repo_sync_local() {
 	SALTVERSION=$(grep "version:" ../salt/salt/master.defaults.yaml | grep -o "[0-9]\+\.[0-9]\+")
 	info "Repo Sync"
-	if [[ $is_supported ]]; then
-		# Sync the repo from the the SO repo locally.
-		# Check for reposync
-		info "Adding Repo Download Configuration"
-		mkdir -p /nsm/repo
-		mkdir -p /opt/so/conf/reposync/cache
-		echo "https://repo.securityonion.net/file/so-repo/prod/3/oracle/9" > /opt/so/conf/reposync/mirror.txt
-		echo "https://repo-alt.securityonion.net/prod/3/oracle/9" >> /opt/so/conf/reposync/mirror.txt
-		echo "[main]" > /opt/so/conf/reposync/repodownload.conf
-		echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
-		echo "installonly_limit=3" >> /opt/so/conf/reposync/repodownload.conf
-		echo "clean_requirements_on_remove=True" >> /opt/so/conf/reposync/repodownload.conf
-		echo "best=True" >> /opt/so/conf/reposync/repodownload.conf
-		echo "skip_if_unavailable=False" >> /opt/so/conf/reposync/repodownload.conf
-		echo "cachedir=/opt/so/conf/reposync/cache" >> /opt/so/conf/reposync/repodownload.conf
-		echo "keepcache=0" >> /opt/so/conf/reposync/repodownload.conf
-		echo "[securityonionsync]" >> /opt/so/conf/reposync/repodownload.conf
-		echo "name=Security Onion Repo repo" >> /opt/so/conf/reposync/repodownload.conf
-		echo "mirrorlist=file:///opt/so/conf/reposync/mirror.txt" >> /opt/so/conf/reposync/repodownload.conf
-		echo "enabled=1" >> /opt/so/conf/reposync/repodownload.conf
-		echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
-	
-		logCmd "dnf repolist"
-		
-		if [[ ! $is_airgap ]]; then
-        	curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install
-			retry 5 60 "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" >> "$setup_log" 2>&1 || fail_setup
-			# After the download is complete run createrepo
-			create_repo
-		fi
-	else
-		# Add the proper repos for unsupported stuff
-		echo "Adding Repos"
-		if [[ $is_rpm ]]; then
-			if [[ $is_rhel ]]; then
-				logCmd "subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms"
-				info "Install epel for rhel" 
-				logCmd "dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm"
-				logCmd "dnf -y install https://dl.fedoraproject.org/pub/epel/epel-next-release-latest-9.noarch.rpm"
-			else  
-				logCmd "dnf config-manager --set-enabled crb"
-				logCmd "dnf -y install epel-release"
-			fi
-			dnf install -y yum-utils device-mapper-persistent-data lvm2
-			curl -fsSL https://repo.securityonion.net/file/so-repo/prod/3/so/so.repo | tee /etc/yum.repos.d/so.repo
-			rpm --import https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public
-			dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
-			curl -fsSL "https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.repo" | tee /etc/yum.repos.d/salt.repo
-			dnf repolist
-			curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install
-		else
-			echo "Not sure how you got here."
-			exit 1
-		fi
+	# Sync the repo from the SO repo locally.
+	info "Adding Repo Download Configuration"
+	mkdir -p /nsm/repo
+	mkdir -p /opt/so/conf/reposync/cache
+	echo "https://repo.securityonion.net/file/so-repo/prod/3/oracle/9" > /opt/so/conf/reposync/mirror.txt
+	echo "https://repo-alt.securityonion.net/prod/3/oracle/9" >> /opt/so/conf/reposync/mirror.txt
+	echo "[main]" > /opt/so/conf/reposync/repodownload.conf
+	echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
+	echo "installonly_limit=3" >> /opt/so/conf/reposync/repodownload.conf
+	echo "clean_requirements_on_remove=True" >> /opt/so/conf/reposync/repodownload.conf
+	echo "best=True" >> /opt/so/conf/reposync/repodownload.conf
+	echo "skip_if_unavailable=False" >> /opt/so/conf/reposync/repodownload.conf
+	echo "cachedir=/opt/so/conf/reposync/cache" >> /opt/so/conf/reposync/repodownload.conf
+	echo "keepcache=0" >> /opt/so/conf/reposync/repodownload.conf
+	echo "[securityonionsync]" >> /opt/so/conf/reposync/repodownload.conf
+	echo "name=Security Onion Repo repo" >> /opt/so/conf/reposync/repodownload.conf
+	echo "mirrorlist=file:///opt/so/conf/reposync/mirror.txt" >> /opt/so/conf/reposync/repodownload.conf
+	echo "enabled=1" >> /opt/so/conf/reposync/repodownload.conf
+	echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
+
+	logCmd "dnf repolist"
+
+	if [[ ! $is_airgap ]]; then
+		curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install
+		retry 5 60 "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" >> "$setup_log" 2>&1 || fail_setup
+		# After the download is complete run createrepo
+		create_repo
 	fi
 }
 
@@ -1912,57 +1786,13 @@ saltify() {
 	SALTVERSION=$(grep "version:" ../salt/salt/master.defaults.yaml | grep -o "[0-9]\+\.[0-9]\+")
 	info "Installing Salt $SALTVERSION"
 	chmod u+x ../salt/salt/scripts/bootstrap-salt.sh
-	if [[ $is_deb ]]; then
 
-		DEBIAN_FRONTEND=noninteractive retry 30 10 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1 || fail_setup
-		if [ $OSVER == "focal" ]; then update-alternatives --install /usr/bin/python python /usr/bin/python3.10 10; fi
-		local pkg_arr=(
-			'apache2-utils'
-			'ca-certificates'
-			'curl'
-			'software-properties-common'
-			'apt-transport-https'
-			'openssl'
-			'netcat-openbsd'
-			'jq'
-			'gnupg'
-		)
-		retry 30 10 "apt-get -y install ${pkg_arr[*]}" || fail_setup
-
-		logCmd "mkdir -vp /etc/apt/keyrings"
-		logCmd "wget -q --inet4-only -O /etc/apt/keyrings/docker.pub https://download.docker.com/linux/ubuntu/gpg"
-
-		if [[ $is_ubuntu ]]; then
-			# Add Docker Repo
-			add-apt-repository -y "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" 
-		
-		else
-			# Add Docker Repo
-			curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
-			echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $OSVER stable" > /etc/apt/sources.list.d/docker.list 
-		fi
-
-		logCmd "apt-key add /etc/apt/keyrings/docker.pub"
-
-		retry 30 10 "apt-get update" "" "Err:" || fail_setup
-		if [[ $waitforstate ]]; then
-			retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -M -X stable $SALTVERSION" || fail_setup
-			retry 30 10 "apt-mark hold salt-minion salt-common salt-master" || fail_setup
-			retry 30 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-packaging python3-influxdb python3-lxml" || exit 1
-		else
-			retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -X stable $SALTVERSION" || fail_setup
-			retry 30 10 "apt-mark hold salt-minion salt-common" || fail_setup
-		fi
-	fi
-		
-	if [[ $is_rpm ]]; then
-		if [[ $waitforstate ]]; then 
-			# install all for a manager
-			retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -M -X stable $SALTVERSION" || fail_setup
-		else
-			# just a minion
-			retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -X stable $SALTVERSION" || fail_setup
-		fi
+	if [[ $waitforstate ]]; then
+		# install all for a manager
+		retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -M -X stable $SALTVERSION" || fail_setup
+	else
+		# just a minion
+		retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -X stable $SALTVERSION" || fail_setup
 	fi
 
 	salt_install_module_deps
@@ -2108,14 +1938,7 @@ set_proxy() {
 		"}" > /root/.docker/config.json
 
 	# Set proxy for package manager
-	if [[ $is_rpm ]]; then
-		echo "proxy=$so_proxy" >> /etc/yum.conf
-	else
-		# Set it up so the updates roll through the manager
-		printf '%s\n'\
-			"Acquire::http::Proxy \"$so_proxy\";"\
-			"Acquire::https::Proxy \"$so_proxy\";" > /etc/apt/apt.conf.d/00-proxy.conf
-	fi
+	echo "proxy=$so_proxy" >> /etc/yum.conf
 
 	# Set global git proxy
 	printf '%s\n'\
@@ -2305,23 +2128,13 @@ update_sudoers_for_testing() {
 }
 
 update_packages() {
-	if [[ $is_oracle ]]; then
-		logCmd "dnf repolist"
-		logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*"
-		RMREPOFILES=("oracle-linux-ol9.repo" "uek-ol9.repo" "virt-ol9.repo")
-		info "Removing repo files added by oracle-repos package update"
-		for FILE in ${RMREPOFILES[@]}; do
-			logCmd "rm -f /etc/yum.repos.d/$FILE"
-		done
-	elif [[ $is_deb ]]; then
-		info "Running apt-get update"
-		retry 150 10 "apt-get -y update" "" "Err:" >> "$setup_log" 2>&1 || fail_setup
-		info "Running apt-get upgrade"
-		retry 150 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || fail_setup
-	else
-		info "Updating packages"
-		logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*"
-	fi
+	logCmd "dnf repolist"
+	logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*"
+	RMREPOFILES=("oracle-linux-ol9.repo" "uek-ol9.repo" "virt-ol9.repo")
+	info "Removing repo files added by oracle-repos package update"
+	for FILE in ${RMREPOFILES[@]}; do
+		logCmd "rm -f /etc/yum.repos.d/$FILE"
+	done
 }
 
 # This is used for development to speed up network install tests.
@@ -2331,15 +2144,7 @@ use_turbo_proxy() {
 		return
 	fi
 
-	if [[ $OS == 'centos' ]]; then
-		printf '%s\n' "proxy=${TURBO}:3142" >> /etc/yum.conf
-	else
-		printf '%s\n'\
-			"Acquire {"\
-			"  HTTP::proxy \"${TURBO}:3142\";"\
-			"  HTTPS::proxy \"${TURBO}:3142\";"\
-			"}" > /etc/apt/apt.conf.d/proxy.conf
-	fi
+	printf '%s\n' "proxy=${TURBO}:3142" >> /etc/yum.conf
 }
 
 wait_for_file() {

setup/so-preflight

@@ -34,32 +34,19 @@ check_default_repos() {
 		printf '%s' "$repo_str" | tee -a "$preflight_log"
 	fi
 
-	if [[ $OS == 'centos' ]]; then
-		if [[ $script_run == true ]]; then
-			printf '%s' 'yum update.'
-		else
-			printf '%s' 'yum update.' | tee -a "$preflight_log"
-		fi
-		echo "" >> "$preflight_log"
-		yum -y check-update >> $preflight_log 2>&1
-		ret_code=$?
-		if [[ $ret_code == 0 || $ret_code == 100 ]]; then
-			printf '%s\n' '  SUCCESS'
-			ret_code=0
-		else
-			printf '%s\n' '  FAILURE'
-		fi
+	if [[ $script_run == true ]]; then
+		printf '%s' 'yum update.'
 	else
-		if [[ $script_run == true ]]; then
-			printf '%s' 'apt update.'
-		else
-			printf '%s' 'apt update.' | tee -a "$preflight_log"
-		fi
-		echo "" >> "$preflight_log"
-		retry 150 10 "apt-get -y update" >> $preflight_log 2>&1
-		ret_code=$?
-		[[ $ret_code == 0 ]] && printf '%s\n' '  SUCCESS' || printf '%s\n' '  FAILURE'
-
+		printf '%s' 'yum update.' | tee -a "$preflight_log"
+	fi
+	echo "" >> "$preflight_log"
+	yum -y check-update >> $preflight_log 2>&1
+	ret_code=$?
+	if [[ $ret_code == 0 || $ret_code == 100 ]]; then
+		printf '%s\n' '  SUCCESS'
+		ret_code=0
+	else
+		printf '%s\n' '  FAILURE'
 	fi
 
 	return $ret_code
@@ -73,21 +60,11 @@ check_new_repos() {
 		printf '%s' "$repo_url_str" | tee -a "$preflight_log"
 	fi
 
-	if [[ $OS == 'centos' ]]; then
-		local repo_arr=( 
-			"https://download.docker.com/linux/centos/docker-ce.repo"
-			"https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub"
-			"https://download.docker.com/linux/ubuntu/gpg"
-			)
-	else
-		local ubuntu_version
-		ubuntu_version=$(grep VERSION_ID /etc/os-release 2> /dev/null | awk -F '[ "]' '{print $2}')
-		local repo_arr=(
-			"https://download.docker.com/linux/ubuntu/gpg"
-			"https://download.docker.com/linux/ubuntu"
-			"https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt/SALTSTACK-GPG-KEY.pub"
+	local repo_arr=(
+		"https://download.docker.com/linux/centos/docker-ce.repo"
+		"https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub"
+		"https://download.docker.com/linux/ubuntu/gpg"
 		)
-	fi
 
 	__check_url_arr "${repo_arr[@]}"
 	local ret_code=$?
@@ -155,17 +132,6 @@ __check_url_arr() {
 	return $ret_code
 }
 
-preflight_prereqs() {
-	local ret_code=0
-	
-	if [[ $OS == 'centos' ]]; then
-		: # no-op to match structure of other checks for $OS var
-	else
-		retry 150 10 "apt-get -y install curl" >> "$preflight_log" 2>&1 || ret_code=1
-	fi
-
-	return $ret_code
-}
 
 main() {
 	local intro_str="Beginning pre-flight checks."
@@ -183,7 +149,6 @@ main() {
 	fi
 
 	check_default_repos &&\
-	preflight_prereqs &&\
 	check_new_repos &&\
 	check_misc_urls
 

setup/so-setup

@@ -66,36 +66,6 @@ set_timezone
 # Let's see what OS we are dealing with here
 detect_os
 
-# Ubuntu/Debian whiptail pallete to make it look the same as CentOS and Rocky.
-set_palette >> $setup_log 2>&1
-
-if [[ $not_supported ]] && [ -z "$test_profile" ]; then
-	if [[ "$OSVER" == "focal" ]]; then
-		if (whiptail_focal_warning); then
-			true
-		else
-			info "User cancelled setup."
-			whiptail_cancel
-		fi
-	else
-		if (whiptail_unsupported_os_warning); then
-			true
-		else
-			info "User cancelled setup."
-			whiptail_cancel
-		fi
-	fi
-fi
-
-# we need to upgrade packages on debian prior to install and reboot if there are due to iptables-restore not running properly
-# if packages are updated and the box isn't rebooted
-if [[ $is_debian ]]; then
-	update_packages
-	if [[ -f "/var/run/reboot-required" ]] && [ -z "$test_profile" ]; then
-		whiptail_debian_reboot_required
-		reboot
-	fi
-fi
 
 # Check to see if this is the setup type of "desktop".
 is_desktop=
@@ -108,7 +78,7 @@ if [ "$setup_type" = 'desktop' ]; then
 	fi
 fi
 
-# Make sure if ISO is specified that we are dealing with CentOS or Rocky
+# Make sure if ISO is specified that we are dealing with an RPM-based install
 title "Detecting if this is an ISO install"
 if [[ "$setup_type" == 'iso' ]]; then
 	if [[ $is_rpm ]]; then

setup/so-whiptail

@@ -27,23 +27,6 @@ whiptail_airgap() {
 	fi
 }
 
-whiptail_debian_reboot_required() {
-
-	[ -n "$TESTING" ] && return
-
-	read -r -d '' message <<- EOM
-
-	Packages were upgraded and a reboot is required prior to Security Onion installation.
-
-	Once the reboot has completed, rerun Security Onion setup.
-
-	Press TAB and then the ENTER key to reboot the system.
-
-	EOM
-
-	whiptail --title "$whiptail_title" --msgbox "$message" 24 75 --scrolltext
-}
-
 whiptail_desktop_install() {
 
 	[ -n "$TESTING" ] && return
@@ -496,27 +479,6 @@ __append_end_msg() {
 	EOM
 }
 
-whiptail_focal_warning() {
-
-	[ -n "$TESTING" ] && return
-
-	read -r -d '' focal_warning_continue <<- EOM
-
-	WARNING: Ubuntu 20.04 is only supported as a minion role.
-
-	This node may not install or operate as expected if installed
-	as a manager, managersearch, standalone, eval, or import.
-
-	Would you like to continue the install?
-
-	EOM
-	whiptail --title "$whiptail_title" \
-		--yesno "$focal_warning_continue" 14 75 --defaultno
-
-	local exitstatus=$?
-	return $exitstatus
-
-}
 
 whiptail_gauge_post_setup() {
 
@@ -586,23 +548,15 @@ whiptail_install_type() {
 	[ -n "$TESTING" ] && return
 
 	# What kind of install are we doing?
-	if [[ "$OSVER" != "focal" ]]; then
-		install_type=$(whiptail --title "$whiptail_title" --menu \
-		"What kind of installation would you like to do?\n\nFor more information, please see:\n$DOC_BASE_URL/architecture" 18 65 5 \
-			"IMPORT" "Import PCAP or log files " \
-			"EVAL" "Evaluation mode (not for production) " \
-			"STANDALONE" "Standalone production install " \
-			"DISTRIBUTED" "Distributed deployment " \
-			"DESKTOP" "Security Onion Desktop" \
-			3>&1 1>&2 2>&3
-		)
-	elif [[ "$OSVER" == "focal" ]]; then
-		install_type=$(whiptail --title "$whiptail_title" --menu \
-		"What kind of installation would you like to do?\n\nFor more information, please see:\n$DOC_BASE_URL/architecture" 18 65 5 \
-			"DISTRIBUTED" "Distributed install submenu " \
-			3>&1 1>&2 2>&3
-		)
-	fi
+	install_type=$(whiptail --title "$whiptail_title" --menu \
+	"What kind of installation would you like to do?\n\nFor more information, please see:\n$DOC_BASE_URL/architecture" 18 65 5 \
+		"IMPORT" "Import PCAP or log files " \
+		"EVAL" "Evaluation mode (not for production) " \
+		"STANDALONE" "Standalone production install " \
+		"DISTRIBUTED" "Distributed deployment " \
+		"DESKTOP" "Security Onion Desktop" \
+		3>&1 1>&2 2>&3
+	)
 
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -623,18 +577,11 @@ whiptail_install_type_dist() {
 
 	[ -n "$TESTING" ] && return
 
-	if [[ "$OSVER" != "focal" ]]; then
 	dist_option=$(whiptail --title "$whiptail_title" --menu "Do you want to start a new deployment or join this box to \nan existing deployment?" 11 75 2 \
 		"New Deployment         " "Create a new Security Onion deployment" \
 		"Existing Deployment    " "Join to an existing Security Onion deployment " \
 		 3>&1 1>&2 2>&3
 	)
-	elif [[ "$OSVER" == "focal" ]]; then
-	dist_option=$(whiptail --title "$whiptail_title" --menu "Since this is Ubuntu, this box can only be connected to \nan existing deployment." 11 75 2 \
-		"Existing Deployment    " "Join to an existing Security Onion deployment " \
-		 3>&1 1>&2 2>&3
-	)
-	fi
 
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -916,7 +863,7 @@ whiptail_net_method() {
 	[ -n "$TESTING" ] && return
 
 	local pkg_mngr
-	if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi
+	pkg_mngr="yum"
 
 	read -r -d '' options_msg <<- EOM
 	"Direct" - Internet requests connect directly to the Internet.
@@ -1151,7 +1098,7 @@ whiptail_proxy_ask() {
 	[ -n "$TESTING" ] && return
 
 	local pkg_mngr
-	if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi
+	pkg_mngr="yum"
 	whiptail --title "$whiptail_title" --yesno "Do you want to proxy the traffic for git, docker client, wget, curl, ${pkg_mngr}, and various other SO components through a separate server in your environment?" 9 65 --defaultno
 }
 
@@ -1434,48 +1381,6 @@ whiptail_storage_requirements() {
 	whiptail_check_exitstatus $exitstatus
 }
 
-whiptail_ubuntu_notsupported() {
-	[ -n "$TESTING" ] && return
-	
-	read -r -d '' message <<- EOM
-		Ubuntu is not supported for this node type.
-
-		Please use a supported OS or install via ISO.
-	EOM
-	whiptail --title "$whiptail_title"  --msgbox "$message" 14 75
-}
-
-whiptail_ubuntu_warning() {
-	[ -n "$TESTING" ] && return
-	
-	read -r -d '' message <<- EOM
-		Ubuntu support for this node type is limited.
-
-		Please consider using a fully supported OS or install via ISO.
-	EOM
-	whiptail --title "$whiptail_title"  --msgbox "$message" 14 75
-
-}
-
-whiptail_unsupported_os_warning() {
-
-	[ -n "$TESTING" ] && return
-
-	read -r -d '' unsupported_os_continue <<- EOM
-	
-	WARNING: An unsupported operating system has been detected. 
-	Security Onion may not install or operate as expected. 
-
-	Would you like to continue the install?
-
-	EOM
-	whiptail --title "$whiptail_title" \
-		--yesno "$unsupported_os_continue" 14 75 --defaultno
-
-	local exitstatus=$?
-	return $exitstatus
-
-}
 
 whiptail_uppercase_warning() {