Keep JA4S_raw and JA4H_raw hardcoded to disabled

JA4 (BSD licensed) remains always enabled, but JA4+ variants (JA4S,
JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X) require a FoxIO license
and are now toggleable via the SOC UI. The toggle includes a license
agreement warning and defaults to disabled.

.github/workflows/pythontest.yml

@@ -13,7 +13,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.13"]
+        python-version: ["3.14"]
         python-code-path: ["salt/sensoroni/files/analyzers", "salt/manager/tools/sbin"]
 
     steps:

salt/common/tools/sbin/so-common

@@ -349,16 +349,21 @@ get_random_value() {
 }
 
 gpg_rpm_import() {
-	if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
-		local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
-	else
-		local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
+	if [[ $is_oracle ]]; then
+	    if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
+	        local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
+	    else
+	        local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
+	    fi
+		RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
+		for RPMKEY in "${RPMKEYS[@]}"; do
+    	        rpm --import $RPMKEYSLOC/$RPMKEY
+	        echo "Imported $RPMKEY"
+	    done
+	elif [[ $is_rpm ]]; then
+		echo "Importing the security onion GPG key"
+		rpm --import ../salt/repo/client/files/oracle/keys/securityonion.pub
 	fi
-	RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
-	for RPMKEY in "${RPMKEYS[@]}"; do
-		rpm --import $RPMKEYSLOC/$RPMKEY
-		echo "Imported $RPMKEY"
-	done
 }
 
 header() {
@@ -610,19 +615,69 @@ salt_minion_count() {
 }
 
 set_os() {
-	if [ -f /etc/redhat-release ] && grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release && [ -f /etc/oracle-release ]; then
-		OS=oracle
-		OSVER=9
-		is_oracle=true
-		is_rpm=true
+	if [ -f /etc/redhat-release ]; then
+		if grep -q "Rocky Linux release 9" /etc/redhat-release; then
+			OS=rocky
+			OSVER=9
+			is_rocky=true
+			is_rpm=true
+		elif grep -q "CentOS Stream release 9" /etc/redhat-release; then
+			OS=centos
+			OSVER=9
+			is_centos=true
+			is_rpm=true
+		elif grep -q "AlmaLinux release 9" /etc/redhat-release; then
+			OS=alma
+			OSVER=9
+			is_alma=true
+			is_rpm=true
+		elif grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release; then
+			if [ -f /etc/oracle-release ]; then
+				OS=oracle
+				OSVER=9
+				is_oracle=true
+				is_rpm=true
+			else
+				OS=rhel
+				OSVER=9
+				is_rhel=true
+				is_rpm=true
+			fi
+		fi
+		cron_service_name="crond"
+	elif [ -f /etc/os-release ]; then
+		if grep -q "UBUNTU_CODENAME=focal" /etc/os-release; then
+			OSVER=focal
+			UBVER=20.04
+			OS=ubuntu
+			is_ubuntu=true
+			is_deb=true
+		elif grep -q "UBUNTU_CODENAME=jammy" /etc/os-release; then
+			OSVER=jammy
+			UBVER=22.04
+			OS=ubuntu
+			is_ubuntu=true
+			is_deb=true
+		elif grep -q "VERSION_CODENAME=bookworm" /etc/os-release; then
+			OSVER=bookworm
+			DEBVER=12
+			is_debian=true
+			OS=debian
+			is_deb=true
+		fi
+		cron_service_name="cron"
 	fi
-	cron_service_name="crond"
 }
 
 set_minionid() {
 	MINIONID=$(lookup_grain id)
 }
 
+set_palette() {
+	if [[ $is_deb ]]; then
+	    update-alternatives --set newt-palette /etc/newt/palette.original
+    fi
+}
 
 set_version() {
 	CURRENTVERSION=0.0.0

salt/hydra/enabled.sls

@@ -67,7 +67,7 @@ delete_so-hydra_so-status.disabled:
 
 wait_for_hydra:
   http.wait_for_successful_query:
-    - name: 'http://{{ GLOBALS.manager }}:4444/'
+    - name: 'http://{{ GLOBALS.manager }}:4444/health/alive'
     - ssl: True
     - verify_ssl: False
     - status:

salt/manager/tools/sbin/so-client

@@ -134,8 +134,8 @@ function require() {
 function verifyEnvironment() {
   require "jq"
   require "curl"
-  response=$(curl -Ss -L ${hydraUrl}/)
-  [[ "$response" != *"Error 404"* ]] && fail "Unable to communicate with Hydra; specify URL via HYDRA_URL environment variable"
+  response=$(curl -Ss -L ${hydraUrl}/health/alive)
+  [[ "$response" != '{"status":"ok"}' ]] && fail "Unable to communicate with Hydra; specify URL via HYDRA_URL environment variable"
 }
 
 function createFile() {

salt/manager/tools/sbin/so-yaml.py

@@ -22,7 +22,7 @@ def showUsage(args):
     print('    removelistitem   - Remove a list item from a yaml key, if it exists and is a list. Requires KEY and LISTITEM args.', file=sys.stderr)
     print('    replacelistobject  - Replace a list object based on a condition. Requires KEY, CONDITION_FIELD, CONDITION_VALUE, and JSON_OBJECT args.', file=sys.stderr)
     print('    add              - Add a new key and set its value. Fails if key already exists. Requires KEY and VALUE args.', file=sys.stderr)
-    print('    get              - Displays (to stdout) the value stored in the given key. Requires KEY arg.', file=sys.stderr)
+    print('    get [-r]         - Displays (to stdout) the value stored in the given key. Requires KEY arg. Use -r for raw output without YAML formatting.', file=sys.stderr)
     print('    remove           - Removes a yaml key, if it exists. Requires KEY arg.', file=sys.stderr)
     print('    replace          - Replaces (or adds) a new key and set its value. Requires KEY and VALUE args.', file=sys.stderr)
     print('    help             - Prints this usage information.', file=sys.stderr)
@@ -332,6 +332,11 @@ def getKeyValue(content, key):
 
 
 def get(args):
+    raw = False
+    if len(args) > 0 and args[0] == '-r':
+        raw = True
+        args = args[1:]
+
     if len(args) != 2:
         print('Missing filename or key arg', file=sys.stderr)
         showUsage(None)
@@ -346,12 +351,15 @@ def get(args):
         print(f"Key '{key}' not found by so-yaml.py", file=sys.stderr)
         return 2
 
-    if isinstance(output, bool):
-        print(str(output).lower())
-    elif isinstance(output, (dict, list)):
-        print(yaml.safe_dump(output).strip())
+    if raw:
+        if isinstance(output, bool):
+            print(str(output).lower())
+        elif isinstance(output, (dict, list)):
+            print(yaml.safe_dump(output).strip())
+        else:
+            print(output)
     else:
-        print(output)
+        print(yaml.safe_dump(output))
     return 0
 
 

salt/manager/tools/sbin/so-yaml_test.py

@@ -393,6 +393,17 @@ class TestRemove(unittest.TestCase):
 
             result = soyaml.get([filename, "key1.child2.deep1"])
             self.assertEqual(result, 0)
+            self.assertIn("45\n...", mock_stdout.getvalue())
+
+    def test_get_int_raw(self):
+        with patch('sys.stdout', new=StringIO()) as mock_stdout:
+            filename = "/tmp/so-yaml_test-get.yaml"
+            file = open(filename, "w")
+            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
+            file.close()
+
+            result = soyaml.get(["-r", filename, "key1.child2.deep1"])
+            self.assertEqual(result, 0)
             self.assertEqual("45\n", mock_stdout.getvalue())
 
     def test_get_str(self):
@@ -404,6 +415,17 @@ class TestRemove(unittest.TestCase):
 
             result = soyaml.get([filename, "key1.child2.deep1"])
             self.assertEqual(result, 0)
+            self.assertIn("hello\n...", mock_stdout.getvalue())
+
+    def test_get_str_raw(self):
+        with patch('sys.stdout', new=StringIO()) as mock_stdout:
+            filename = "/tmp/so-yaml_test-get.yaml"
+            file = open(filename, "w")
+            file.write("{key1: { child1: 123, child2: { deep1: \"hello\" } }, key2: false, key3: [e,f,g]}")
+            file.close()
+
+            result = soyaml.get(["-r", filename, "key1.child2.deep1"])
+            self.assertEqual(result, 0)
             self.assertEqual("hello\n", mock_stdout.getvalue())
 
     def test_get_bool(self):
@@ -415,8 +437,31 @@ class TestRemove(unittest.TestCase):
 
             result = soyaml.get([filename, "key2"])
             self.assertEqual(result, 0)
+            self.assertIn("false\n...", mock_stdout.getvalue())
+
+    def test_get_bool_raw(self):
+        with patch('sys.stdout', new=StringIO()) as mock_stdout:
+            filename = "/tmp/so-yaml_test-get.yaml"
+            file = open(filename, "w")
+            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
+            file.close()
+
+            result = soyaml.get(["-r", filename, "key2"])
+            self.assertEqual(result, 0)
             self.assertEqual("false\n", mock_stdout.getvalue())
 
+    def test_get_dict_raw(self):
+        with patch('sys.stdout', new=StringIO()) as mock_stdout:
+            filename = "/tmp/so-yaml_test-get.yaml"
+            file = open(filename, "w")
+            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
+            file.close()
+
+            result = soyaml.get(["-r", filename, "key1"])
+            self.assertEqual(result, 0)
+            self.assertIn("child1: 123", mock_stdout.getvalue())
+            self.assertNotIn("...", mock_stdout.getvalue())
+
     def test_get_list(self):
         with patch('sys.stdout', new=StringIO()) as mock_stdout:
             filename = "/tmp/so-yaml_test-get.yaml"

salt/manager/tools/sbin/soup

@@ -396,7 +396,7 @@ migrate_pcap_to_suricata() {
 
   for pillar_file in "$PCAPFILE" "$MINIONDIR"/*.sls; do
     [[ -f "$pillar_file" ]] || continue
-    pcap_enabled=$(so-yaml.py get "$pillar_file" pcap.enabled 2>/dev/null) || continue
+    pcap_enabled=$(so-yaml.py get -r "$pillar_file" pcap.enabled 2>/dev/null) || continue
     so-yaml.py add "$pillar_file" suricata.pcap.enabled "$pcap_enabled"
     so-yaml.py remove "$pillar_file" pcap
   done
@@ -576,46 +576,78 @@ upgrade_check_salt() {
 upgrade_salt() {
   echo "Performing upgrade of Salt from $INSTALLEDSALTVERSION to $NEWSALTVERSION."
   echo ""
-  # Check if salt-cloud is installed
-  if rpm -q salt-cloud &>/dev/null; then
-    SALT_CLOUD_INSTALLED=true
-  fi
-  # Check if salt-cloud is configured
-  if [[ -f /etc/salt/cloud.profiles.d/socloud.conf ]]; then
-    SALT_CLOUD_CONFIGURED=true
-  fi
-
-  echo "Removing yum versionlock for Salt."
-  echo ""
-  yum versionlock delete "salt"
-  yum versionlock delete "salt-minion"
-  yum versionlock delete "salt-master"
-  # Remove salt-cloud versionlock if installed
-  if [[ $SALT_CLOUD_INSTALLED == true ]]; then
-    yum versionlock delete "salt-cloud"
-  fi
-  echo "Updating Salt packages."
-  echo ""
-  set +e
-  # Run with -r to ignore repos set by bootstrap
-  if [[ $SALT_CLOUD_INSTALLED == true ]]; then
+  # If rhel family
+  if [[ $is_rpm ]]; then
+    # Check if salt-cloud is installed
+    if rpm -q salt-cloud &>/dev/null; then
+      SALT_CLOUD_INSTALLED=true
+    fi
+    # Check if salt-cloud is configured
+    if [[ -f /etc/salt/cloud.profiles.d/socloud.conf ]]; then
+      SALT_CLOUD_CONFIGURED=true
+    fi
+    
+    echo "Removing yum versionlock for Salt."
+    echo ""
+    yum versionlock delete "salt"
+    yum versionlock delete "salt-minion"
+    yum versionlock delete "salt-master"
+    # Remove salt-cloud versionlock if installed
+    if [[ $SALT_CLOUD_INSTALLED == true ]]; then
+      yum versionlock delete "salt-cloud"
+    fi
+    echo "Updating Salt packages."
+    echo ""
+    set +e
+    # if oracle run with -r to ignore repos set by bootstrap
+    if [[ $OS == 'oracle' ]]; then
+      # Add -L flag only if salt-cloud is already installed
+      if [[ $SALT_CLOUD_INSTALLED == true ]]; then
+        run_check_net_err \
+        "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -L -F -M stable \"$NEWSALTVERSION\"" \
+        "Could not update salt, please check $SOUP_LOG for details."
+      else
+        run_check_net_err \
+        "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -F -M stable \"$NEWSALTVERSION\"" \
+        "Could not update salt, please check $SOUP_LOG for details."
+      fi
+    # if another rhel family variant we want to run without -r to allow the bootstrap script to manage repos
+    else
+      run_check_net_err \
+      "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -F -M stable \"$NEWSALTVERSION\"" \
+      "Could not update salt, please check $SOUP_LOG for details."
+    fi
+    set -e
+    echo "Applying yum versionlock for Salt."
+    echo ""
+    yum versionlock add "salt-0:$NEWSALTVERSION-0.*"
+    yum versionlock add "salt-minion-0:$NEWSALTVERSION-0.*"
+    yum versionlock add "salt-master-0:$NEWSALTVERSION-0.*"
+    # Add salt-cloud versionlock if installed
+    if [[ $SALT_CLOUD_INSTALLED == true ]]; then
+      yum versionlock add "salt-cloud-0:$NEWSALTVERSION-0.*"
+    fi
+  # Else do Ubuntu things
+  elif [[ $is_deb ]]; then
+    # ensure these files don't exist when upgrading from 3006.9 to 3006.16
+    rm -f /etc/apt/keyrings/salt-archive-keyring-2023.pgp /etc/apt/sources.list.d/salt.list
+    echo "Removing apt hold for Salt."
+    echo ""
+    apt-mark unhold "salt-common"
+    apt-mark unhold "salt-master"
+    apt-mark unhold "salt-minion"
+    echo "Updating Salt packages."
+    echo ""
+    set +e
     run_check_net_err \
-    "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -L -F -M stable \"$NEWSALTVERSION\"" \
+    "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -F -M stable \"$NEWSALTVERSION\"" \
     "Could not update salt, please check $SOUP_LOG for details."
-  else
-    run_check_net_err \
-    "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -F -M stable \"$NEWSALTVERSION\"" \
-    "Could not update salt, please check $SOUP_LOG for details."
-  fi
-  set -e
-  echo "Applying yum versionlock for Salt."
-  echo ""
-  yum versionlock add "salt-0:$NEWSALTVERSION-0.*"
-  yum versionlock add "salt-minion-0:$NEWSALTVERSION-0.*"
-  yum versionlock add "salt-master-0:$NEWSALTVERSION-0.*"
-  # Add salt-cloud versionlock if installed
-  if [[ $SALT_CLOUD_INSTALLED == true ]]; then
-    yum versionlock add "salt-cloud-0:$NEWSALTVERSION-0.*"
+    set -e
+    echo "Applying apt hold for Salt."
+    echo ""
+    apt-mark hold "salt-common"
+    apt-mark hold "salt-master"
+    apt-mark hold "salt-minion"
   fi
 
   echo "Checking if Salt was upgraded."
@@ -1052,10 +1084,6 @@ main() {
   echo ""
   set_os
 
-  if [[ ! $is_oracle ]]; then
-    fail "This OS is not supported. Security Onion requires Oracle Linux 9."
-  fi
-
   check_salt_master_status 1 || fail  "Could not talk to salt master: Please run 'systemctl status salt-master' to ensure the salt-master service is running and check the log at /opt/so/log/salt/master."
 
   echo "Checking to see if this is a manager."
@@ -1165,6 +1193,14 @@ main() {
       echo "Upgrading Salt"
       # Update the repo files so it can actually upgrade
       upgrade_salt
+
+      # for Debian based distro, we need to stop salt again after upgrade output below is from bootstrap-salt
+      # *  WARN: Not starting daemons on Debian based distributions
+      #    is not working mostly because starting them is the default behaviour.
+      if [[ $is_deb ]]; then
+        stop_salt_minion
+        stop_salt_master
+      fi
     fi
 
     preupgrade_changes

salt/zeek/config.sls

@@ -156,6 +156,9 @@ zeekja4cfg:
     - source: salt://zeek/files/config.zeek.ja4
     - user: 937
     - group: 939
+    - template: jinja
+    - defaults:
+        JA4PLUS_ENABLED: {{ ZEEKMERGED.ja4plus_enabled }}
 
 # BPF compilation failed
 {% if ZEEKBPF and not ZEEK_BPF_STATUS %}

salt/zeek/defaults.yaml

@@ -1,5 +1,6 @@
 zeek:
   enabled: False
+  ja4plus_enabled: False
   config:
     node:
       lb_procs: 0

salt/zeek/files/config.zeek.ja4

@@ -8,20 +8,20 @@ export {
   option JA4_raw:        bool = F;
 
   # FoxIO license required for JA4+
-  option JA4S_enabled:   bool = F;
+  option JA4S_enabled:   bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
   option JA4S_raw:   bool = F;
 
-  option JA4D_enabled:  bool = F;
+  option JA4D_enabled:  bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
 
-  option JA4H_enabled:   bool = F;
+  option JA4H_enabled:   bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
   option JA4H_raw:   bool = F;
 
-  option JA4L_enabled:   bool = F;
-  
-  option JA4SSH_enabled: bool = F;
+  option JA4L_enabled:   bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
 
-  option JA4T_enabled: bool = F;
-  option JA4TS_enabled: bool = F;
+  option JA4SSH_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
 
-  option JA4X_enabled:   bool = F;
+  option JA4T_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
+  option JA4TS_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
+
+  option JA4X_enabled:   bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
 }

salt/zeek/soc_zeek.yaml

@@ -2,6 +2,10 @@ zeek:
   enabled:
     description: Controls whether the Zeek (network packet inspection) process runs. Disabling this process could result in loss of network protocol metadata. If Suricata was selected as the protocol metadata engine during setup then this will already be disabled.
     helpLink: zeek.html
+  ja4plus_enabled:
+    description: "Enables JA4+ fingerprinting (JA4S, JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X). By enabling this, you agree to the terms of the JA4+ license (https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4)."
+    forcedType: bool
+    helpLink: zeek.html
   config:
     local:
       load:

setup/so-functions

@@ -852,14 +852,74 @@ detect_cloud() {
 
 detect_os() {
 	title "Detecting Base OS"
-	if [ -f /etc/redhat-release ] && grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release && [ -f /etc/oracle-release ]; then
-		OS=oracle
-		OSVER=9
-		is_oracle=true
-		is_rpm=true
-		is_supported=true
+	if [ -f /etc/redhat-release ]; then
+		if grep -q "Rocky Linux release 9" /etc/redhat-release; then
+			OS=rocky
+			OSVER=9
+			is_rocky=true
+			is_rpm=true
+			not_supported=true
+			unset is_supported
+		elif grep -q "CentOS Stream release 9" /etc/redhat-release; then
+			OS=centos
+			OSVER=9
+			is_centos=true
+			is_rpm=true
+			not_supported=true
+			unset is_supported
+		elif grep -q "AlmaLinux release 9" /etc/redhat-release; then
+			OS=alma
+			OSVER=9
+			is_alma=true
+			is_rpm=true
+			not_supported=true
+			unset is_supported
+		elif grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release; then
+			if [ -f /etc/oracle-release ]; then
+				OS=oracle
+				OSVER=9
+				is_oracle=true
+				is_rpm=true
+				is_supported=true
+			else
+				OS=rhel
+				OSVER=9
+				is_rhel=true
+				is_rpm=true
+				not_supported=true
+				unset is_supported
+			fi
+		fi
+	elif [ -f /etc/os-release ]; then
+		if grep -q "UBUNTU_CODENAME=focal" /etc/os-release; then
+			OSVER=focal
+			UBVER=20.04
+			OS=ubuntu
+			is_ubuntu=true
+			is_deb=true
+			not_supported=true
+			unset is_supported
+		elif grep -q "UBUNTU_CODENAME=jammy" /etc/os-release; then
+			OSVER=jammy
+			UBVER=22.04
+			OS=ubuntu
+			is_ubuntu=true
+			is_deb=true
+			not_supported=true
+			unset is_supported
+		elif grep -q "VERSION_CODENAME=bookworm" /etc/os-release; then
+			OSVER=bookworm
+			DEBVER=12
+			is_debian=true
+			OS=debian
+			is_deb=true
+			not_supported=true
+			unset is_supported
+		fi
+		installer_prereq_packages
+
 	else
-		info "This OS is not supported. Security Onion requires Oracle Linux 9."
+		info "We were unable to determine if you are using a supported OS."
 		fail_setup
 	fi
 
@@ -872,6 +932,23 @@ download_elastic_agent_artifacts() {
 	fi
 }
 
+installer_prereq_packages() {	
+	if [[ $is_deb ]]; then
+		# Print message to stdout so the user knows setup is doing something
+		info "Running apt-get update"
+		retry 150 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || fail_setup
+		# Install network manager so we can do interface stuff
+		if ! command -v nmcli > /dev/null 2>&1; then
+			info "Installing network-manager"
+			retry 150 10 "apt-get -y install network-manager ethtool" >> "$setup_log" 2>&1 || fail_setup
+			logCmd "systemctl enable NetworkManager"
+			logCmd "systemctl start NetworkManager"
+		fi
+		if ! command -v curl > /dev/null 2>&1; then
+			retry 150 10 "apt-get -y install curl"  >> "$setup_log" 2>&1 || fail_setup
+		fi
+	fi
+}
 
 disable_auto_start() {
 	
@@ -1383,7 +1460,7 @@ network_init() {
 	title "Initializing Network"
 	disable_ipv6
 	set_hostname
-	if [[ ( $is_iso || $is_desktop_iso ) ]]; then
+	if [[ ( $is_iso || $is_desktop_iso || $is_debian ) ]]; then
 		set_management_interface
 	fi
 }
@@ -1617,6 +1694,11 @@ reinstall_init() {
 		# Uninstall local Elastic Agent, if installed
 		elastic-agent uninstall -f
 
+		if [[ $is_deb ]]; then
+			echo "Unholding previously held packages."
+			apt-mark unhold $(apt-mark showhold)
+		fi
+
 	} >> "$setup_log" 2>&1
 
 	info "System reinstall init has been completed."
@@ -1633,7 +1715,11 @@ reset_proxy() {
 
 	[[ -f /etc/gitconfig ]] && rm -f /etc/gitconfig
 	
-	sed -i "/proxy=/d" /etc/dnf/dnf.conf
+	if [[ $is_rpm ]]; then
+		sed -i "/proxy=/d" /etc/dnf/dnf.conf
+	else
+		[[ -f /etc/apt/apt.conf.d/00-proxy.conf ]] && rm -f /etc/apt/apt.conf.d/00-proxy.conf
+	fi
 }
 
 restore_file() {
@@ -1679,8 +1765,14 @@ drop_install_options() {
 
 remove_package() {
 	local package_name=$1
-	if rpm -qa | grep -q "$package_name"; then
-		logCmd "dnf remove -y $package_name"
+	if [[ $is_rpm ]]; then
+		if rpm -qa | grep -q "$package_name"; then
+			logCmd "dnf remove -y $package_name"
+		fi
+	else
+		if dpkg -l | grep -q "$package_name"; then
+			retry 150 10 "apt purge -y \"$package_name\""
+		fi
 	fi
 }
 
@@ -1694,91 +1786,122 @@ remove_package() {
 
 securityonion_repo() {
 	# Remove all the current repos
-	logCmd "dnf -v clean all"
-	logCmd "mkdir -vp /root/oldrepos"
-	if [ -n "$(ls -A /etc/yum.repos.d/ 2>/dev/null)" ]; then
-		logCmd "mv -v /etc/yum.repos.d/* /root/oldrepos/"
-	fi
-	if ! $is_desktop_grid; then
-		gpg_rpm_import
-		if [[ ! $is_airgap ]]; then
-			echo "https://repo.securityonion.net/file/so-repo/prod/3/oracle/9" > /etc/yum/mirror.txt
-			echo "https://so-repo-east.s3.us-east-005.backblazeb2.com/prod/3/oracle/9" >> /etc/yum/mirror.txt
-			echo "[main]" > /etc/yum.repos.d/securityonion.repo
-			echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
-			echo "installonly_limit=3" >> /etc/yum.repos.d/securityonion.repo
-			echo "clean_requirements_on_remove=True" >> /etc/yum.repos.d/securityonion.repo
-			echo "best=True" >> /etc/yum.repos.d/securityonion.repo
-			echo "skip_if_unavailable=False" >> /etc/yum.repos.d/securityonion.repo
-			echo "cachedir=/opt/so/conf/reposync/cache" >> /etc/yum.repos.d/securityonion.repo
-			echo "keepcache=0" >> /etc/yum.repos.d/securityonion.repo
-			echo "[securityonionsync]" >> /etc/yum.repos.d/securityonion.repo
-			echo "name=Security Onion Repo repo" >> /etc/yum.repos.d/securityonion.repo
-			echo "mirrorlist=file:///etc/yum/mirror.txt" >> /etc/yum.repos.d/securityonion.repo
-			echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
-			echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
-			logCmd "dnf repolist"
-		else
+	if [[ $is_oracle ]]; then
+		logCmd "dnf -v clean all"
+		logCmd "mkdir -vp /root/oldrepos"
+		if [ -n "$(ls -A /etc/yum.repos.d/ 2>/dev/null)" ]; then
+			logCmd "mv -v /etc/yum.repos.d/* /root/oldrepos/"
+		fi
+		if ! $is_desktop_grid; then
+			gpg_rpm_import
+			if [[ ! $is_airgap ]]; then
+				echo "https://repo.securityonion.net/file/so-repo/prod/3/oracle/9" > /etc/yum/mirror.txt
+				echo "https://so-repo-east.s3.us-east-005.backblazeb2.com/prod/3/oracle/9" >> /etc/yum/mirror.txt
+				echo "[main]" > /etc/yum.repos.d/securityonion.repo
+				echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
+				echo "installonly_limit=3" >> /etc/yum.repos.d/securityonion.repo
+				echo "clean_requirements_on_remove=True" >> /etc/yum.repos.d/securityonion.repo
+				echo "best=True" >> /etc/yum.repos.d/securityonion.repo
+				echo "skip_if_unavailable=False" >> /etc/yum.repos.d/securityonion.repo
+				echo "cachedir=/opt/so/conf/reposync/cache" >> /etc/yum.repos.d/securityonion.repo
+				echo "keepcache=0" >> /etc/yum.repos.d/securityonion.repo
+				echo "[securityonionsync]" >> /etc/yum.repos.d/securityonion.repo
+				echo "name=Security Onion Repo repo" >> /etc/yum.repos.d/securityonion.repo
+				echo "mirrorlist=file:///etc/yum/mirror.txt" >> /etc/yum.repos.d/securityonion.repo
+				echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
+				echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
+				logCmd "dnf repolist"
+			else
+				echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo
+				echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo
+				echo "baseurl=https://$MSRV/repo" >> /etc/yum.repos.d/securityonion.repo
+				echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
+				echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
+				echo "sslverify=0" >> /etc/yum.repos.d/securityonion.repo
+				logCmd "dnf repolist"
+			fi
+		elif [[ ! $waitforstate ]]; then
 			echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo
 			echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo
 			echo "baseurl=https://$MSRV/repo" >> /etc/yum.repos.d/securityonion.repo
 			echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
 			echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
-			echo "sslverify=0" >> /etc/yum.repos.d/securityonion.repo
-			logCmd "dnf repolist"
+			echo "sslverify=0" >> /etc/yum.repos.d/securityonion.repo		
+		elif [[ $waitforstate ]]; then
+			echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo
+			echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo
+			echo "baseurl=file:///nsm/repo/" >> /etc/yum.repos.d/securityonion.repo
+			echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
+			echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
 		fi
-	elif [[ ! $waitforstate ]]; then
-		echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo
-		echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo
-		echo "baseurl=https://$MSRV/repo" >> /etc/yum.repos.d/securityonion.repo
-		echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
-		echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
-		echo "sslverify=0" >> /etc/yum.repos.d/securityonion.repo
-	elif [[ $waitforstate ]]; then
-		echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo
-		echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo
-		echo "baseurl=file:///nsm/repo/" >> /etc/yum.repos.d/securityonion.repo
-		echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
-		echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
 	fi
-	logCmd "dnf repolist all"
+	if [[ $is_rpm ]]; then logCmd "dnf repolist all"; fi
 	if [[ $waitforstate ]]; then
-		# Build the repo locally so we can use it
-		echo "Syncing Repos"
-		repo_sync_local
+		if [[ $is_rpm ]]; then
+				# Build the repo locally so we can use it
+				echo "Syncing Repos"
+				repo_sync_local
+		fi
 	fi
 }
 
 repo_sync_local() {
 	SALTVERSION=$(grep "version:" ../salt/salt/master.defaults.yaml | grep -o "[0-9]\+\.[0-9]\+")
 	info "Repo Sync"
-	# Sync the repo from the SO repo locally.
-	info "Adding Repo Download Configuration"
-	mkdir -p /nsm/repo
-	mkdir -p /opt/so/conf/reposync/cache
-	echo "https://repo.securityonion.net/file/so-repo/prod/3/oracle/9" > /opt/so/conf/reposync/mirror.txt
-	echo "https://repo-alt.securityonion.net/prod/3/oracle/9" >> /opt/so/conf/reposync/mirror.txt
-	echo "[main]" > /opt/so/conf/reposync/repodownload.conf
-	echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
-	echo "installonly_limit=3" >> /opt/so/conf/reposync/repodownload.conf
-	echo "clean_requirements_on_remove=True" >> /opt/so/conf/reposync/repodownload.conf
-	echo "best=True" >> /opt/so/conf/reposync/repodownload.conf
-	echo "skip_if_unavailable=False" >> /opt/so/conf/reposync/repodownload.conf
-	echo "cachedir=/opt/so/conf/reposync/cache" >> /opt/so/conf/reposync/repodownload.conf
-	echo "keepcache=0" >> /opt/so/conf/reposync/repodownload.conf
-	echo "[securityonionsync]" >> /opt/so/conf/reposync/repodownload.conf
-	echo "name=Security Onion Repo repo" >> /opt/so/conf/reposync/repodownload.conf
-	echo "mirrorlist=file:///opt/so/conf/reposync/mirror.txt" >> /opt/so/conf/reposync/repodownload.conf
-	echo "enabled=1" >> /opt/so/conf/reposync/repodownload.conf
-	echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
-
-	logCmd "dnf repolist"
-
-	if [[ ! $is_airgap ]]; then
-		curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install
-		retry 5 60 "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" >> "$setup_log" 2>&1 || fail_setup
-		# After the download is complete run createrepo
-		create_repo
+	if [[ $is_supported ]]; then
+		# Sync the repo from the the SO repo locally.
+		# Check for reposync
+		info "Adding Repo Download Configuration"
+		mkdir -p /nsm/repo
+		mkdir -p /opt/so/conf/reposync/cache
+		echo "https://repo.securityonion.net/file/so-repo/prod/3/oracle/9" > /opt/so/conf/reposync/mirror.txt
+		echo "https://repo-alt.securityonion.net/prod/3/oracle/9" >> /opt/so/conf/reposync/mirror.txt
+		echo "[main]" > /opt/so/conf/reposync/repodownload.conf
+		echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
+		echo "installonly_limit=3" >> /opt/so/conf/reposync/repodownload.conf
+		echo "clean_requirements_on_remove=True" >> /opt/so/conf/reposync/repodownload.conf
+		echo "best=True" >> /opt/so/conf/reposync/repodownload.conf
+		echo "skip_if_unavailable=False" >> /opt/so/conf/reposync/repodownload.conf
+		echo "cachedir=/opt/so/conf/reposync/cache" >> /opt/so/conf/reposync/repodownload.conf
+		echo "keepcache=0" >> /opt/so/conf/reposync/repodownload.conf
+		echo "[securityonionsync]" >> /opt/so/conf/reposync/repodownload.conf
+		echo "name=Security Onion Repo repo" >> /opt/so/conf/reposync/repodownload.conf
+		echo "mirrorlist=file:///opt/so/conf/reposync/mirror.txt" >> /opt/so/conf/reposync/repodownload.conf
+		echo "enabled=1" >> /opt/so/conf/reposync/repodownload.conf
+		echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
+	
+		logCmd "dnf repolist"
+		
+		if [[ ! $is_airgap ]]; then
+        	curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install
+			retry 5 60 "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" >> "$setup_log" 2>&1 || fail_setup
+			# After the download is complete run createrepo
+			create_repo
+		fi
+	else
+		# Add the proper repos for unsupported stuff
+		echo "Adding Repos"
+		if [[ $is_rpm ]]; then
+			if [[ $is_rhel ]]; then
+				logCmd "subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms"
+				info "Install epel for rhel" 
+				logCmd "dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm"
+				logCmd "dnf -y install https://dl.fedoraproject.org/pub/epel/epel-next-release-latest-9.noarch.rpm"
+			else  
+				logCmd "dnf config-manager --set-enabled crb"
+				logCmd "dnf -y install epel-release"
+			fi
+			dnf install -y yum-utils device-mapper-persistent-data lvm2
+			curl -fsSL https://repo.securityonion.net/file/so-repo/prod/3/so/so.repo | tee /etc/yum.repos.d/so.repo
+			rpm --import https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public
+			dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
+			curl -fsSL "https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.repo" | tee /etc/yum.repos.d/salt.repo
+			dnf repolist
+			curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install
+		else
+			echo "Not sure how you got here."
+			exit 1
+		fi
 	fi
 }
 
@@ -1786,13 +1909,57 @@ saltify() {
 	SALTVERSION=$(grep "version:" ../salt/salt/master.defaults.yaml | grep -o "[0-9]\+\.[0-9]\+")
 	info "Installing Salt $SALTVERSION"
 	chmod u+x ../salt/salt/scripts/bootstrap-salt.sh
+	if [[ $is_deb ]]; then
 
-	if [[ $waitforstate ]]; then
-		# install all for a manager
-		retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -M -X stable $SALTVERSION" || fail_setup
-	else
-		# just a minion
-		retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -X stable $SALTVERSION" || fail_setup
+		DEBIAN_FRONTEND=noninteractive retry 30 10 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1 || fail_setup
+		if [ $OSVER == "focal" ]; then update-alternatives --install /usr/bin/python python /usr/bin/python3.10 10; fi
+		local pkg_arr=(
+			'apache2-utils'
+			'ca-certificates'
+			'curl'
+			'software-properties-common'
+			'apt-transport-https'
+			'openssl'
+			'netcat-openbsd'
+			'jq'
+			'gnupg'
+		)
+		retry 30 10 "apt-get -y install ${pkg_arr[*]}" || fail_setup
+
+		logCmd "mkdir -vp /etc/apt/keyrings"
+		logCmd "wget -q --inet4-only -O /etc/apt/keyrings/docker.pub https://download.docker.com/linux/ubuntu/gpg"
+
+		if [[ $is_ubuntu ]]; then
+			# Add Docker Repo
+			add-apt-repository -y "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" 
+		
+		else
+			# Add Docker Repo
+			curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+			echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $OSVER stable" > /etc/apt/sources.list.d/docker.list 
+		fi
+
+		logCmd "apt-key add /etc/apt/keyrings/docker.pub"
+
+		retry 30 10 "apt-get update" "" "Err:" || fail_setup
+		if [[ $waitforstate ]]; then
+			retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -M -X stable $SALTVERSION" || fail_setup
+			retry 30 10 "apt-mark hold salt-minion salt-common salt-master" || fail_setup
+			retry 30 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-packaging python3-influxdb python3-lxml" || exit 1
+		else
+			retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -X stable $SALTVERSION" || fail_setup
+			retry 30 10 "apt-mark hold salt-minion salt-common" || fail_setup
+		fi
+	fi
+		
+	if [[ $is_rpm ]]; then
+		if [[ $waitforstate ]]; then 
+			# install all for a manager
+			retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -M -X stable $SALTVERSION" || fail_setup
+		else
+			# just a minion
+			retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -X stable $SALTVERSION" || fail_setup
+		fi
 	fi
 
 	salt_install_module_deps
@@ -1938,7 +2105,14 @@ set_proxy() {
 		"}" > /root/.docker/config.json
 
 	# Set proxy for package manager
-	echo "proxy=$so_proxy" >> /etc/yum.conf
+	if [[ $is_rpm ]]; then
+		echo "proxy=$so_proxy" >> /etc/yum.conf
+	else
+		# Set it up so the updates roll through the manager
+		printf '%s\n'\
+			"Acquire::http::Proxy \"$so_proxy\";"\
+			"Acquire::https::Proxy \"$so_proxy\";" > /etc/apt/apt.conf.d/00-proxy.conf
+	fi
 
 	# Set global git proxy
 	printf '%s\n'\
@@ -2128,13 +2302,23 @@ update_sudoers_for_testing() {
 }
 
 update_packages() {
-	logCmd "dnf repolist"
-	logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*"
-	RMREPOFILES=("oracle-linux-ol9.repo" "uek-ol9.repo" "virt-ol9.repo")
-	info "Removing repo files added by oracle-repos package update"
-	for FILE in ${RMREPOFILES[@]}; do
-		logCmd "rm -f /etc/yum.repos.d/$FILE"
-	done
+	if [[ $is_oracle ]]; then
+		logCmd "dnf repolist"
+		logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*"
+		RMREPOFILES=("oracle-linux-ol9.repo" "uek-ol9.repo" "virt-ol9.repo")
+		info "Removing repo files added by oracle-repos package update"
+		for FILE in ${RMREPOFILES[@]}; do
+			logCmd "rm -f /etc/yum.repos.d/$FILE"
+		done
+	elif [[ $is_deb ]]; then
+		info "Running apt-get update"
+		retry 150 10 "apt-get -y update" "" "Err:" >> "$setup_log" 2>&1 || fail_setup
+		info "Running apt-get upgrade"
+		retry 150 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || fail_setup
+	else
+		info "Updating packages"
+		logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*"
+	fi
 }
 
 # This is used for development to speed up network install tests.
@@ -2144,7 +2328,15 @@ use_turbo_proxy() {
 		return
 	fi
 
-	printf '%s\n' "proxy=${TURBO}:3142" >> /etc/yum.conf
+	if [[ $OS == 'centos' ]]; then
+		printf '%s\n' "proxy=${TURBO}:3142" >> /etc/yum.conf
+	else
+		printf '%s\n'\
+			"Acquire {"\
+			"  HTTP::proxy \"${TURBO}:3142\";"\
+			"  HTTPS::proxy \"${TURBO}:3142\";"\
+			"}" > /etc/apt/apt.conf.d/proxy.conf
+	fi
 }
 
 wait_for_file() {

setup/so-preflight

@@ -34,19 +34,32 @@ check_default_repos() {
 		printf '%s' "$repo_str" | tee -a "$preflight_log"
 	fi
 
-	if [[ $script_run == true ]]; then
-		printf '%s' 'yum update.'
+	if [[ $OS == 'centos' ]]; then
+		if [[ $script_run == true ]]; then
+			printf '%s' 'yum update.'
+		else
+			printf '%s' 'yum update.' | tee -a "$preflight_log"
+		fi
+		echo "" >> "$preflight_log"
+		yum -y check-update >> $preflight_log 2>&1
+		ret_code=$?
+		if [[ $ret_code == 0 || $ret_code == 100 ]]; then
+			printf '%s\n' '  SUCCESS'
+			ret_code=0
+		else
+			printf '%s\n' '  FAILURE'
+		fi
 	else
-		printf '%s' 'yum update.' | tee -a "$preflight_log"
-	fi
-	echo "" >> "$preflight_log"
-	yum -y check-update >> $preflight_log 2>&1
-	ret_code=$?
-	if [[ $ret_code == 0 || $ret_code == 100 ]]; then
-		printf '%s\n' '  SUCCESS'
-		ret_code=0
-	else
-		printf '%s\n' '  FAILURE'
+		if [[ $script_run == true ]]; then
+			printf '%s' 'apt update.'
+		else
+			printf '%s' 'apt update.' | tee -a "$preflight_log"
+		fi
+		echo "" >> "$preflight_log"
+		retry 150 10 "apt-get -y update" >> $preflight_log 2>&1
+		ret_code=$?
+		[[ $ret_code == 0 ]] && printf '%s\n' '  SUCCESS' || printf '%s\n' '  FAILURE'
+
 	fi
 
 	return $ret_code
@@ -60,11 +73,21 @@ check_new_repos() {
 		printf '%s' "$repo_url_str" | tee -a "$preflight_log"
 	fi
 
-	local repo_arr=(
-		"https://download.docker.com/linux/centos/docker-ce.repo"
-		"https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub"
-		"https://download.docker.com/linux/ubuntu/gpg"
+	if [[ $OS == 'centos' ]]; then
+		local repo_arr=( 
+			"https://download.docker.com/linux/centos/docker-ce.repo"
+			"https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub"
+			"https://download.docker.com/linux/ubuntu/gpg"
+			)
+	else
+		local ubuntu_version
+		ubuntu_version=$(grep VERSION_ID /etc/os-release 2> /dev/null | awk -F '[ "]' '{print $2}')
+		local repo_arr=(
+			"https://download.docker.com/linux/ubuntu/gpg"
+			"https://download.docker.com/linux/ubuntu"
+			"https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt/SALTSTACK-GPG-KEY.pub"
 		)
+	fi
 
 	__check_url_arr "${repo_arr[@]}"
 	local ret_code=$?
@@ -132,6 +155,17 @@ __check_url_arr() {
 	return $ret_code
 }
 
+preflight_prereqs() {
+	local ret_code=0
+	
+	if [[ $OS == 'centos' ]]; then
+		: # no-op to match structure of other checks for $OS var
+	else
+		retry 150 10 "apt-get -y install curl" >> "$preflight_log" 2>&1 || ret_code=1
+	fi
+
+	return $ret_code
+}
 
 main() {
 	local intro_str="Beginning pre-flight checks."
@@ -149,6 +183,7 @@ main() {
 	fi
 
 	check_default_repos &&\
+	preflight_prereqs &&\
 	check_new_repos &&\
 	check_misc_urls
 

setup/so-setup

@@ -66,6 +66,36 @@ set_timezone
 # Let's see what OS we are dealing with here
 detect_os
 
+# Ubuntu/Debian whiptail pallete to make it look the same as CentOS and Rocky.
+set_palette >> $setup_log 2>&1
+
+if [[ $not_supported ]] && [ -z "$test_profile" ]; then
+	if [[ "$OSVER" == "focal" ]]; then
+		if (whiptail_focal_warning); then
+			true
+		else
+			info "User cancelled setup."
+			whiptail_cancel
+		fi
+	else
+		if (whiptail_unsupported_os_warning); then
+			true
+		else
+			info "User cancelled setup."
+			whiptail_cancel
+		fi
+	fi
+fi
+
+# we need to upgrade packages on debian prior to install and reboot if there are due to iptables-restore not running properly
+# if packages are updated and the box isn't rebooted
+if [[ $is_debian ]]; then
+	update_packages
+	if [[ -f "/var/run/reboot-required" ]] && [ -z "$test_profile" ]; then
+		whiptail_debian_reboot_required
+		reboot
+	fi
+fi
 
 # Check to see if this is the setup type of "desktop".
 is_desktop=
@@ -78,7 +108,7 @@ if [ "$setup_type" = 'desktop' ]; then
 	fi
 fi
 
-# Make sure if ISO is specified that we are dealing with an RPM-based install
+# Make sure if ISO is specified that we are dealing with CentOS or Rocky
 title "Detecting if this is an ISO install"
 if [[ "$setup_type" == 'iso' ]]; then
 	if [[ $is_rpm ]]; then

setup/so-whiptail

@@ -27,6 +27,23 @@ whiptail_airgap() {
 	fi
 }
 
+whiptail_debian_reboot_required() {
+
+	[ -n "$TESTING" ] && return
+
+	read -r -d '' message <<- EOM
+
+	Packages were upgraded and a reboot is required prior to Security Onion installation.
+
+	Once the reboot has completed, rerun Security Onion setup.
+
+	Press TAB and then the ENTER key to reboot the system.
+
+	EOM
+
+	whiptail --title "$whiptail_title" --msgbox "$message" 24 75 --scrolltext
+}
+
 whiptail_desktop_install() {
 
 	[ -n "$TESTING" ] && return
@@ -479,6 +496,27 @@ __append_end_msg() {
 	EOM
 }
 
+whiptail_focal_warning() {
+
+	[ -n "$TESTING" ] && return
+
+	read -r -d '' focal_warning_continue <<- EOM
+
+	WARNING: Ubuntu 20.04 is only supported as a minion role.
+
+	This node may not install or operate as expected if installed
+	as a manager, managersearch, standalone, eval, or import.
+
+	Would you like to continue the install?
+
+	EOM
+	whiptail --title "$whiptail_title" \
+		--yesno "$focal_warning_continue" 14 75 --defaultno
+
+	local exitstatus=$?
+	return $exitstatus
+
+}
 
 whiptail_gauge_post_setup() {
 
@@ -548,15 +586,23 @@ whiptail_install_type() {
 	[ -n "$TESTING" ] && return
 
 	# What kind of install are we doing?
-	install_type=$(whiptail --title "$whiptail_title" --menu \
-	"What kind of installation would you like to do?\n\nFor more information, please see:\n$DOC_BASE_URL/architecture" 18 65 5 \
-		"IMPORT" "Import PCAP or log files " \
-		"EVAL" "Evaluation mode (not for production) " \
-		"STANDALONE" "Standalone production install " \
-		"DISTRIBUTED" "Distributed deployment " \
-		"DESKTOP" "Security Onion Desktop" \
-		3>&1 1>&2 2>&3
-	)
+	if [[ "$OSVER" != "focal" ]]; then
+		install_type=$(whiptail --title "$whiptail_title" --menu \
+		"What kind of installation would you like to do?\n\nFor more information, please see:\n$DOC_BASE_URL/architecture" 18 65 5 \
+			"IMPORT" "Import PCAP or log files " \
+			"EVAL" "Evaluation mode (not for production) " \
+			"STANDALONE" "Standalone production install " \
+			"DISTRIBUTED" "Distributed deployment " \
+			"DESKTOP" "Security Onion Desktop" \
+			3>&1 1>&2 2>&3
+		)
+	elif [[ "$OSVER" == "focal" ]]; then
+		install_type=$(whiptail --title "$whiptail_title" --menu \
+		"What kind of installation would you like to do?\n\nFor more information, please see:\n$DOC_BASE_URL/architecture" 18 65 5 \
+			"DISTRIBUTED" "Distributed install submenu " \
+			3>&1 1>&2 2>&3
+		)
+	fi
 
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -577,11 +623,18 @@ whiptail_install_type_dist() {
 
 	[ -n "$TESTING" ] && return
 
+	if [[ "$OSVER" != "focal" ]]; then
 	dist_option=$(whiptail --title "$whiptail_title" --menu "Do you want to start a new deployment or join this box to \nan existing deployment?" 11 75 2 \
 		"New Deployment         " "Create a new Security Onion deployment" \
 		"Existing Deployment    " "Join to an existing Security Onion deployment " \
 		 3>&1 1>&2 2>&3
 	)
+	elif [[ "$OSVER" == "focal" ]]; then
+	dist_option=$(whiptail --title "$whiptail_title" --menu "Since this is Ubuntu, this box can only be connected to \nan existing deployment." 11 75 2 \
+		"Existing Deployment    " "Join to an existing Security Onion deployment " \
+		 3>&1 1>&2 2>&3
+	)
+	fi
 
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -863,7 +916,7 @@ whiptail_net_method() {
 	[ -n "$TESTING" ] && return
 
 	local pkg_mngr
-	pkg_mngr="yum"
+	if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi
 
 	read -r -d '' options_msg <<- EOM
 	"Direct" - Internet requests connect directly to the Internet.
@@ -1098,7 +1151,7 @@ whiptail_proxy_ask() {
 	[ -n "$TESTING" ] && return
 
 	local pkg_mngr
-	pkg_mngr="yum"
+	if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi
 	whiptail --title "$whiptail_title" --yesno "Do you want to proxy the traffic for git, docker client, wget, curl, ${pkg_mngr}, and various other SO components through a separate server in your environment?" 9 65 --defaultno
 }
 
@@ -1381,6 +1434,48 @@ whiptail_storage_requirements() {
 	whiptail_check_exitstatus $exitstatus
 }
 
+whiptail_ubuntu_notsupported() {
+	[ -n "$TESTING" ] && return
+	
+	read -r -d '' message <<- EOM
+		Ubuntu is not supported for this node type.
+
+		Please use a supported OS or install via ISO.
+	EOM
+	whiptail --title "$whiptail_title"  --msgbox "$message" 14 75
+}
+
+whiptail_ubuntu_warning() {
+	[ -n "$TESTING" ] && return
+	
+	read -r -d '' message <<- EOM
+		Ubuntu support for this node type is limited.
+
+		Please consider using a fully supported OS or install via ISO.
+	EOM
+	whiptail --title "$whiptail_title"  --msgbox "$message" 14 75
+
+}
+
+whiptail_unsupported_os_warning() {
+
+	[ -n "$TESTING" ] && return
+
+	read -r -d '' unsupported_os_continue <<- EOM
+	
+	WARNING: An unsupported operating system has been detected. 
+	Security Onion may not install or operate as expected. 
+
+	Would you like to continue the install?
+
+	EOM
+	whiptail --title "$whiptail_title" \
+		--yesno "$unsupported_os_continue" 14 75 --defaultno
+
+	local exitstatus=$?
+	return $exitstatus
+
+}
 
 whiptail_uppercase_warning() {