update index template priorities + explicity add datastream config options

salt/common/tools/sbin/so-common

@@ -349,16 +349,21 @@ get_random_value() {
 }
 
 gpg_rpm_import() {
-	if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
-		local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
-	else
-		local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
+	if [[ $is_oracle ]]; then
+	    if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
+	        local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
+	    else
+	        local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
+	    fi
+		RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
+		for RPMKEY in "${RPMKEYS[@]}"; do
+    	        rpm --import $RPMKEYSLOC/$RPMKEY
+	        echo "Imported $RPMKEY"
+	    done
+	elif [[ $is_rpm ]]; then
+		echo "Importing the security onion GPG key"
+		rpm --import ../salt/repo/client/files/oracle/keys/securityonion.pub
 	fi
-	RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
-	for RPMKEY in "${RPMKEYS[@]}"; do
-		rpm --import $RPMKEYSLOC/$RPMKEY
-		echo "Imported $RPMKEY"
-	done
 }
 
 header() {
@@ -545,6 +550,22 @@ retry() {
         return $exitcode
 }
 
+rollover_index() {
+  idx=$1
+  exists=$(so-elasticsearch-query $idx -o /dev/null -w "%{http_code}")
+  if [[ $exists -eq 200 ]]; then
+    rollover=$(so-elasticsearch-query $idx/_rollover -o /dev/null -w "%{http_code}" -XPOST)
+
+    if [[ $rollover -eq 200 ]]; then
+      echo "Successfully triggered rollover for $idx..."
+    else
+      echo "Could not trigger rollover for $idx..."
+    fi
+  else
+    echo "Could not find index $idx..."
+  fi
+}
+
 run_check_net_err() {
 	local cmd=$1
 	local err_msg=${2:-"Unknown error occured, please check /root/$WHATWOULDYOUSAYYAHDOHERE.log for details."} # Really need to rename that variable
@@ -610,19 +631,69 @@ salt_minion_count() {
 }
 
 set_os() {
-	if [ -f /etc/redhat-release ] && grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release && [ -f /etc/oracle-release ]; then
-		OS=oracle
-		OSVER=9
-		is_oracle=true
-		is_rpm=true
+	if [ -f /etc/redhat-release ]; then
+		if grep -q "Rocky Linux release 9" /etc/redhat-release; then
+			OS=rocky
+			OSVER=9
+			is_rocky=true
+			is_rpm=true
+		elif grep -q "CentOS Stream release 9" /etc/redhat-release; then
+			OS=centos
+			OSVER=9
+			is_centos=true
+			is_rpm=true
+		elif grep -q "AlmaLinux release 9" /etc/redhat-release; then
+			OS=alma
+			OSVER=9
+			is_alma=true
+			is_rpm=true
+		elif grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release; then
+			if [ -f /etc/oracle-release ]; then
+				OS=oracle
+				OSVER=9
+				is_oracle=true
+				is_rpm=true
+			else
+				OS=rhel
+				OSVER=9
+				is_rhel=true
+				is_rpm=true
+			fi
+		fi
+		cron_service_name="crond"
+	elif [ -f /etc/os-release ]; then
+		if grep -q "UBUNTU_CODENAME=focal" /etc/os-release; then
+			OSVER=focal
+			UBVER=20.04
+			OS=ubuntu
+			is_ubuntu=true
+			is_deb=true
+		elif grep -q "UBUNTU_CODENAME=jammy" /etc/os-release; then
+			OSVER=jammy
+			UBVER=22.04
+			OS=ubuntu
+			is_ubuntu=true
+			is_deb=true
+		elif grep -q "VERSION_CODENAME=bookworm" /etc/os-release; then
+			OSVER=bookworm
+			DEBVER=12
+			is_debian=true
+			OS=debian
+			is_deb=true
+		fi
+		cron_service_name="cron"
 	fi
-	cron_service_name="crond"
 }
 
 set_minionid() {
 	MINIONID=$(lookup_grain id)
 }
 
+set_palette() {
+	if [[ $is_deb ]]; then
+	    update-alternatives --set newt-palette /etc/newt/palette.original
+    fi
+}
 
 set_version() {
 	CURRENTVERSION=0.0.0

salt/elasticsearch/defaults.yaml

@@ -117,7 +117,7 @@ elasticsearch:
         ignore_missing_component_templates: []
         index_patterns:
         - so-case*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -129,8 +129,6 @@ elasticsearch:
                 match_mapping_type: string
           settings:
             index:
-              lifecycle:
-                name: so-case-logs
               mapping:
                 total_fields:
                   limit: 1500
@@ -141,14 +139,7 @@ elasticsearch:
               sort:
                 field: '@timestamp'
                 order: desc
-      policy:
-        phases:
-          hot:
-            actions: {}
-            min_age: 0ms
     so-common:
-      close: 30
-      delete: 365
       index_sorting: false
       index_template:
         composed_of:
@@ -212,7 +203,9 @@ elasticsearch:
         - common-settings
         - common-dynamic-mappings
         - winlog-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
         - logs-*-so*
@@ -272,7 +265,7 @@ elasticsearch:
         ignore_missing_component_templates: []
         index_patterns:
         - so-detection*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -284,8 +277,6 @@ elasticsearch:
                 match_mapping_type: string
           settings:
             index:
-              lifecycle:
-                name: so-detection-logs
               mapping:
                 total_fields:
                   limit: 1500
@@ -296,11 +287,6 @@ elasticsearch:
               sort:
                 field: '@timestamp'
                 order: desc
-      policy:
-        phases:
-          hot:
-            actions: {}
-            min_age: 0ms
     sos-backup:
       index_sorting: false
       index_template:
@@ -460,7 +446,7 @@ elasticsearch:
         ignore_missing_component_templates: []
         index_patterns:
         - endgame*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -508,8 +494,6 @@ elasticsearch:
                 priority: 50
             min_age: 30d
     so-idh:
-      close: 30
-      delete: 365
       index_sorting: false
       index_template:
         composed_of:
@@ -566,8 +550,8 @@ elasticsearch:
         - common-dynamic-mappings
         ignore_missing_component_templates: []
         index_patterns:
-        - so-idh-*
-        priority: 500
+        - logs-idh-so*
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -677,11 +661,13 @@ elasticsearch:
         - common-dynamic-mappings
         - winlog-mappings
         - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
         - logs-import-so*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -736,7 +722,7 @@ elasticsearch:
         ignore_missing_component_templates: []
         index_patterns:
         - so-ip*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -751,19 +737,12 @@ elasticsearch:
               mapping:
                 total_fields:
                   limit: 1500
-              lifecycle:
-                name: so-ip-mappings-logs
               number_of_replicas: 0
               number_of_shards: 1
               refresh_interval: 30s
               sort:
                 field: '@timestamp'
                 order: desc
-      policy:
-        phases:
-          hot:
-            actions: {}
-            min_age: 0ms
     so-items:
       index_sorting: false
       index_template:
@@ -772,7 +751,7 @@ elasticsearch:
         ignore_missing_component_templates: []
         index_patterns:
         - .items-default-**
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -851,8 +830,6 @@ elasticsearch:
                 priority: 50
             min_age: 30d
     so-kratos:
-      close: 30
-      delete: 365
       index_sorting: false
       index_template:
         composed_of:
@@ -873,7 +850,7 @@ elasticsearch:
         ignore_missing_component_templates: []
         index_patterns:
         - logs-kratos-so*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -921,8 +898,6 @@ elasticsearch:
                 priority: 50
             min_age: 30d
     so-hydra:
-      close: 30
-      delete: 365
       index_sorting: false
       index_template:
         composed_of:
@@ -983,7 +958,7 @@ elasticsearch:
         ignore_missing_component_templates: []
         index_patterns:
         - logs-hydra-so*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -1038,7 +1013,7 @@ elasticsearch:
         ignore_missing_component_templates: []
         index_patterns:
         - .lists-default-**
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -1524,6 +1499,9 @@ elasticsearch:
         - so-fleet_integrations.ip_mappings-1
         - so-fleet_globals-1
         - so-fleet_agent_id_verification-1
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates:
         - logs-elastic_agent.cloudbeat@custom
         index_patterns:
@@ -1759,6 +1737,9 @@ elasticsearch:
         - so-fleet_integrations.ip_mappings-1
         - so-fleet_globals-1
         - so-fleet_agent_id_verification-1
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates:
         - logs-elastic_agent.heartbeat@custom
         index_patterns:
@@ -3018,8 +2999,6 @@ elasticsearch:
                 priority: 50
             min_age: 30d
     so-logs-soc:
-      close: 30
-      delete: 365
       index_sorting: false
       index_template:
         composed_of:
@@ -3074,11 +3053,13 @@ elasticsearch:
         - dtc-user_agent-mappings
         - common-settings
         - common-dynamic-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
         - logs-soc-so*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -3668,10 +3649,13 @@ elasticsearch:
         - vulnerability-mappings
         - common-settings
         - common-dynamic-mappings
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
         - logs-logstash-default*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -3971,8 +3955,8 @@ elasticsearch:
         - common-dynamic-mappings
         ignore_missing_component_templates: []
         index_patterns:
-        - logs-redis-default*
-        priority: 500
+        - logs-redis.log*
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -4083,11 +4067,13 @@ elasticsearch:
         - common-settings
         - common-dynamic-mappings
         - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
         - logs-strelka-so*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -4197,11 +4183,13 @@ elasticsearch:
         - common-settings
         - common-dynamic-mappings
         - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
         - logs-suricata-so*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -4311,11 +4299,13 @@ elasticsearch:
         - common-settings
         - common-dynamic-mappings
         - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
         - logs-suricata.alerts-*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -4425,11 +4415,13 @@ elasticsearch:
         - vulnerability-mappings
         - common-settings
         - common-dynamic-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
         - logs-syslog-so*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -4541,11 +4533,13 @@ elasticsearch:
         - common-settings
         - common-dynamic-mappings
         - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
         - logs-zeek-so*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false

salt/manager/tools/sbin/soup

@@ -403,7 +403,15 @@ migrate_pcap_to_suricata() {
 }
 
 post_to_3.0.0() {
-  echo "Nothing to apply"
+  for idx in "logs-idh-so" "logs-redis.log-default"; do
+    rollover_index "$idx"
+  done
+
+  # Remove ILM for so-case and so-detection indices
+  for idx in "so-case" "so-casehistory" "so-detection" "so-detectionhistory"; do
+    so-elasticsearch-query $idx/_ilm/remove -XPOST
+  done
+
   POSTVERSION=3.0.0
 }
 
@@ -576,46 +584,78 @@ upgrade_check_salt() {
 upgrade_salt() {
   echo "Performing upgrade of Salt from $INSTALLEDSALTVERSION to $NEWSALTVERSION."
   echo ""
-  # Check if salt-cloud is installed
-  if rpm -q salt-cloud &>/dev/null; then
-    SALT_CLOUD_INSTALLED=true
-  fi
-  # Check if salt-cloud is configured
-  if [[ -f /etc/salt/cloud.profiles.d/socloud.conf ]]; then
-    SALT_CLOUD_CONFIGURED=true
-  fi
-
-  echo "Removing yum versionlock for Salt."
-  echo ""
-  yum versionlock delete "salt"
-  yum versionlock delete "salt-minion"
-  yum versionlock delete "salt-master"
-  # Remove salt-cloud versionlock if installed
-  if [[ $SALT_CLOUD_INSTALLED == true ]]; then
-    yum versionlock delete "salt-cloud"
-  fi
-  echo "Updating Salt packages."
-  echo ""
-  set +e
-  # Run with -r to ignore repos set by bootstrap
-  if [[ $SALT_CLOUD_INSTALLED == true ]]; then
+  # If rhel family
+  if [[ $is_rpm ]]; then
+    # Check if salt-cloud is installed
+    if rpm -q salt-cloud &>/dev/null; then
+      SALT_CLOUD_INSTALLED=true
+    fi
+    # Check if salt-cloud is configured
+    if [[ -f /etc/salt/cloud.profiles.d/socloud.conf ]]; then
+      SALT_CLOUD_CONFIGURED=true
+    fi
+    
+    echo "Removing yum versionlock for Salt."
+    echo ""
+    yum versionlock delete "salt"
+    yum versionlock delete "salt-minion"
+    yum versionlock delete "salt-master"
+    # Remove salt-cloud versionlock if installed
+    if [[ $SALT_CLOUD_INSTALLED == true ]]; then
+      yum versionlock delete "salt-cloud"
+    fi
+    echo "Updating Salt packages."
+    echo ""
+    set +e
+    # if oracle run with -r to ignore repos set by bootstrap
+    if [[ $OS == 'oracle' ]]; then
+      # Add -L flag only if salt-cloud is already installed
+      if [[ $SALT_CLOUD_INSTALLED == true ]]; then
+        run_check_net_err \
+        "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -L -F -M stable \"$NEWSALTVERSION\"" \
+        "Could not update salt, please check $SOUP_LOG for details."
+      else
+        run_check_net_err \
+        "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -F -M stable \"$NEWSALTVERSION\"" \
+        "Could not update salt, please check $SOUP_LOG for details."
+      fi
+    # if another rhel family variant we want to run without -r to allow the bootstrap script to manage repos
+    else
+      run_check_net_err \
+      "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -F -M stable \"$NEWSALTVERSION\"" \
+      "Could not update salt, please check $SOUP_LOG for details."
+    fi
+    set -e
+    echo "Applying yum versionlock for Salt."
+    echo ""
+    yum versionlock add "salt-0:$NEWSALTVERSION-0.*"
+    yum versionlock add "salt-minion-0:$NEWSALTVERSION-0.*"
+    yum versionlock add "salt-master-0:$NEWSALTVERSION-0.*"
+    # Add salt-cloud versionlock if installed
+    if [[ $SALT_CLOUD_INSTALLED == true ]]; then
+      yum versionlock add "salt-cloud-0:$NEWSALTVERSION-0.*"
+    fi
+  # Else do Ubuntu things
+  elif [[ $is_deb ]]; then
+    # ensure these files don't exist when upgrading from 3006.9 to 3006.16
+    rm -f /etc/apt/keyrings/salt-archive-keyring-2023.pgp /etc/apt/sources.list.d/salt.list
+    echo "Removing apt hold for Salt."
+    echo ""
+    apt-mark unhold "salt-common"
+    apt-mark unhold "salt-master"
+    apt-mark unhold "salt-minion"
+    echo "Updating Salt packages."
+    echo ""
+    set +e
     run_check_net_err \
-    "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -L -F -M stable \"$NEWSALTVERSION\"" \
+    "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -F -M stable \"$NEWSALTVERSION\"" \
     "Could not update salt, please check $SOUP_LOG for details."
-  else
-    run_check_net_err \
-    "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -F -M stable \"$NEWSALTVERSION\"" \
-    "Could not update salt, please check $SOUP_LOG for details."
-  fi
-  set -e
-  echo "Applying yum versionlock for Salt."
-  echo ""
-  yum versionlock add "salt-0:$NEWSALTVERSION-0.*"
-  yum versionlock add "salt-minion-0:$NEWSALTVERSION-0.*"
-  yum versionlock add "salt-master-0:$NEWSALTVERSION-0.*"
-  # Add salt-cloud versionlock if installed
-  if [[ $SALT_CLOUD_INSTALLED == true ]]; then
-    yum versionlock add "salt-cloud-0:$NEWSALTVERSION-0.*"
+    set -e
+    echo "Applying apt hold for Salt."
+    echo ""
+    apt-mark hold "salt-common"
+    apt-mark hold "salt-master"
+    apt-mark hold "salt-minion"
   fi
 
   echo "Checking if Salt was upgraded."
@@ -1052,10 +1092,6 @@ main() {
   echo ""
   set_os
 
-  if [[ ! $is_oracle ]]; then
-    fail "This OS is not supported. Security Onion requires Oracle Linux 9."
-  fi
-
   check_salt_master_status 1 || fail  "Could not talk to salt master: Please run 'systemctl status salt-master' to ensure the salt-master service is running and check the log at /opt/so/log/salt/master."
 
   echo "Checking to see if this is a manager."
@@ -1165,6 +1201,14 @@ main() {
       echo "Upgrading Salt"
       # Update the repo files so it can actually upgrade
       upgrade_salt
+
+      # for Debian based distro, we need to stop salt again after upgrade output below is from bootstrap-salt
+      # *  WARN: Not starting daemons on Debian based distributions
+      #    is not working mostly because starting them is the default behaviour.
+      if [[ $is_deb ]]; then
+        stop_salt_minion
+        stop_salt_master
+      fi
     fi
 
     preupgrade_changes

setup/so-functions

@@ -852,14 +852,74 @@ detect_cloud() {
 
 detect_os() {
 	title "Detecting Base OS"
-	if [ -f /etc/redhat-release ] && grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release && [ -f /etc/oracle-release ]; then
-		OS=oracle
-		OSVER=9
-		is_oracle=true
-		is_rpm=true
-		is_supported=true
+	if [ -f /etc/redhat-release ]; then
+		if grep -q "Rocky Linux release 9" /etc/redhat-release; then
+			OS=rocky
+			OSVER=9
+			is_rocky=true
+			is_rpm=true
+			not_supported=true
+			unset is_supported
+		elif grep -q "CentOS Stream release 9" /etc/redhat-release; then
+			OS=centos
+			OSVER=9
+			is_centos=true
+			is_rpm=true
+			not_supported=true
+			unset is_supported
+		elif grep -q "AlmaLinux release 9" /etc/redhat-release; then
+			OS=alma
+			OSVER=9
+			is_alma=true
+			is_rpm=true
+			not_supported=true
+			unset is_supported
+		elif grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release; then
+			if [ -f /etc/oracle-release ]; then
+				OS=oracle
+				OSVER=9
+				is_oracle=true
+				is_rpm=true
+				is_supported=true
+			else
+				OS=rhel
+				OSVER=9
+				is_rhel=true
+				is_rpm=true
+				not_supported=true
+				unset is_supported
+			fi
+		fi
+	elif [ -f /etc/os-release ]; then
+		if grep -q "UBUNTU_CODENAME=focal" /etc/os-release; then
+			OSVER=focal
+			UBVER=20.04
+			OS=ubuntu
+			is_ubuntu=true
+			is_deb=true
+			not_supported=true
+			unset is_supported
+		elif grep -q "UBUNTU_CODENAME=jammy" /etc/os-release; then
+			OSVER=jammy
+			UBVER=22.04
+			OS=ubuntu
+			is_ubuntu=true
+			is_deb=true
+			not_supported=true
+			unset is_supported
+		elif grep -q "VERSION_CODENAME=bookworm" /etc/os-release; then
+			OSVER=bookworm
+			DEBVER=12
+			is_debian=true
+			OS=debian
+			is_deb=true
+			not_supported=true
+			unset is_supported
+		fi
+		installer_prereq_packages
+
 	else
-		info "This OS is not supported. Security Onion requires Oracle Linux 9."
+		info "We were unable to determine if you are using a supported OS."
 		fail_setup
 	fi
 
@@ -872,6 +932,23 @@ download_elastic_agent_artifacts() {
 	fi
 }
 
+installer_prereq_packages() {	
+	if [[ $is_deb ]]; then
+		# Print message to stdout so the user knows setup is doing something
+		info "Running apt-get update"
+		retry 150 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || fail_setup
+		# Install network manager so we can do interface stuff
+		if ! command -v nmcli > /dev/null 2>&1; then
+			info "Installing network-manager"
+			retry 150 10 "apt-get -y install network-manager ethtool" >> "$setup_log" 2>&1 || fail_setup
+			logCmd "systemctl enable NetworkManager"
+			logCmd "systemctl start NetworkManager"
+		fi
+		if ! command -v curl > /dev/null 2>&1; then
+			retry 150 10 "apt-get -y install curl"  >> "$setup_log" 2>&1 || fail_setup
+		fi
+	fi
+}
 
 disable_auto_start() {
 	
@@ -1383,7 +1460,7 @@ network_init() {
 	title "Initializing Network"
 	disable_ipv6
 	set_hostname
-	if [[ ( $is_iso || $is_desktop_iso ) ]]; then
+	if [[ ( $is_iso || $is_desktop_iso || $is_debian ) ]]; then
 		set_management_interface
 	fi
 }
@@ -1617,6 +1694,11 @@ reinstall_init() {
 		# Uninstall local Elastic Agent, if installed
 		elastic-agent uninstall -f
 
+		if [[ $is_deb ]]; then
+			echo "Unholding previously held packages."
+			apt-mark unhold $(apt-mark showhold)
+		fi
+
 	} >> "$setup_log" 2>&1
 
 	info "System reinstall init has been completed."
@@ -1633,7 +1715,11 @@ reset_proxy() {
 
 	[[ -f /etc/gitconfig ]] && rm -f /etc/gitconfig
 	
-	sed -i "/proxy=/d" /etc/dnf/dnf.conf
+	if [[ $is_rpm ]]; then
+		sed -i "/proxy=/d" /etc/dnf/dnf.conf
+	else
+		[[ -f /etc/apt/apt.conf.d/00-proxy.conf ]] && rm -f /etc/apt/apt.conf.d/00-proxy.conf
+	fi
 }
 
 restore_file() {
@@ -1679,8 +1765,14 @@ drop_install_options() {
 
 remove_package() {
 	local package_name=$1
-	if rpm -qa | grep -q "$package_name"; then
-		logCmd "dnf remove -y $package_name"
+	if [[ $is_rpm ]]; then
+		if rpm -qa | grep -q "$package_name"; then
+			logCmd "dnf remove -y $package_name"
+		fi
+	else
+		if dpkg -l | grep -q "$package_name"; then
+			retry 150 10 "apt purge -y \"$package_name\""
+		fi
 	fi
 }
 
@@ -1694,91 +1786,122 @@ remove_package() {
 
 securityonion_repo() {
 	# Remove all the current repos
-	logCmd "dnf -v clean all"
-	logCmd "mkdir -vp /root/oldrepos"
-	if [ -n "$(ls -A /etc/yum.repos.d/ 2>/dev/null)" ]; then
-		logCmd "mv -v /etc/yum.repos.d/* /root/oldrepos/"
-	fi
-	if ! $is_desktop_grid; then
-		gpg_rpm_import
-		if [[ ! $is_airgap ]]; then
-			echo "https://repo.securityonion.net/file/so-repo/prod/3/oracle/9" > /etc/yum/mirror.txt
-			echo "https://so-repo-east.s3.us-east-005.backblazeb2.com/prod/3/oracle/9" >> /etc/yum/mirror.txt
-			echo "[main]" > /etc/yum.repos.d/securityonion.repo
-			echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
-			echo "installonly_limit=3" >> /etc/yum.repos.d/securityonion.repo
-			echo "clean_requirements_on_remove=True" >> /etc/yum.repos.d/securityonion.repo
-			echo "best=True" >> /etc/yum.repos.d/securityonion.repo
-			echo "skip_if_unavailable=False" >> /etc/yum.repos.d/securityonion.repo
-			echo "cachedir=/opt/so/conf/reposync/cache" >> /etc/yum.repos.d/securityonion.repo
-			echo "keepcache=0" >> /etc/yum.repos.d/securityonion.repo
-			echo "[securityonionsync]" >> /etc/yum.repos.d/securityonion.repo
-			echo "name=Security Onion Repo repo" >> /etc/yum.repos.d/securityonion.repo
-			echo "mirrorlist=file:///etc/yum/mirror.txt" >> /etc/yum.repos.d/securityonion.repo
-			echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
-			echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
-			logCmd "dnf repolist"
-		else
+	if [[ $is_oracle ]]; then
+		logCmd "dnf -v clean all"
+		logCmd "mkdir -vp /root/oldrepos"
+		if [ -n "$(ls -A /etc/yum.repos.d/ 2>/dev/null)" ]; then
+			logCmd "mv -v /etc/yum.repos.d/* /root/oldrepos/"
+		fi
+		if ! $is_desktop_grid; then
+			gpg_rpm_import
+			if [[ ! $is_airgap ]]; then
+				echo "https://repo.securityonion.net/file/so-repo/prod/3/oracle/9" > /etc/yum/mirror.txt
+				echo "https://so-repo-east.s3.us-east-005.backblazeb2.com/prod/3/oracle/9" >> /etc/yum/mirror.txt
+				echo "[main]" > /etc/yum.repos.d/securityonion.repo
+				echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
+				echo "installonly_limit=3" >> /etc/yum.repos.d/securityonion.repo
+				echo "clean_requirements_on_remove=True" >> /etc/yum.repos.d/securityonion.repo
+				echo "best=True" >> /etc/yum.repos.d/securityonion.repo
+				echo "skip_if_unavailable=False" >> /etc/yum.repos.d/securityonion.repo
+				echo "cachedir=/opt/so/conf/reposync/cache" >> /etc/yum.repos.d/securityonion.repo
+				echo "keepcache=0" >> /etc/yum.repos.d/securityonion.repo
+				echo "[securityonionsync]" >> /etc/yum.repos.d/securityonion.repo
+				echo "name=Security Onion Repo repo" >> /etc/yum.repos.d/securityonion.repo
+				echo "mirrorlist=file:///etc/yum/mirror.txt" >> /etc/yum.repos.d/securityonion.repo
+				echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
+				echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
+				logCmd "dnf repolist"
+			else
+				echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo
+				echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo
+				echo "baseurl=https://$MSRV/repo" >> /etc/yum.repos.d/securityonion.repo
+				echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
+				echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
+				echo "sslverify=0" >> /etc/yum.repos.d/securityonion.repo
+				logCmd "dnf repolist"
+			fi
+		elif [[ ! $waitforstate ]]; then
 			echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo
 			echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo
 			echo "baseurl=https://$MSRV/repo" >> /etc/yum.repos.d/securityonion.repo
 			echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
 			echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
-			echo "sslverify=0" >> /etc/yum.repos.d/securityonion.repo
-			logCmd "dnf repolist"
+			echo "sslverify=0" >> /etc/yum.repos.d/securityonion.repo		
+		elif [[ $waitforstate ]]; then
+			echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo
+			echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo
+			echo "baseurl=file:///nsm/repo/" >> /etc/yum.repos.d/securityonion.repo
+			echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
+			echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
 		fi
-	elif [[ ! $waitforstate ]]; then
-		echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo
-		echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo
-		echo "baseurl=https://$MSRV/repo" >> /etc/yum.repos.d/securityonion.repo
-		echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
-		echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
-		echo "sslverify=0" >> /etc/yum.repos.d/securityonion.repo
-	elif [[ $waitforstate ]]; then
-		echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo
-		echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo
-		echo "baseurl=file:///nsm/repo/" >> /etc/yum.repos.d/securityonion.repo
-		echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
-		echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
 	fi
-	logCmd "dnf repolist all"
+	if [[ $is_rpm ]]; then logCmd "dnf repolist all"; fi
 	if [[ $waitforstate ]]; then
-		# Build the repo locally so we can use it
-		echo "Syncing Repos"
-		repo_sync_local
+		if [[ $is_rpm ]]; then
+				# Build the repo locally so we can use it
+				echo "Syncing Repos"
+				repo_sync_local
+		fi
 	fi
 }
 
 repo_sync_local() {
 	SALTVERSION=$(grep "version:" ../salt/salt/master.defaults.yaml | grep -o "[0-9]\+\.[0-9]\+")
 	info "Repo Sync"
-	# Sync the repo from the SO repo locally.
-	info "Adding Repo Download Configuration"
-	mkdir -p /nsm/repo
-	mkdir -p /opt/so/conf/reposync/cache
-	echo "https://repo.securityonion.net/file/so-repo/prod/3/oracle/9" > /opt/so/conf/reposync/mirror.txt
-	echo "https://repo-alt.securityonion.net/prod/3/oracle/9" >> /opt/so/conf/reposync/mirror.txt
-	echo "[main]" > /opt/so/conf/reposync/repodownload.conf
-	echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
-	echo "installonly_limit=3" >> /opt/so/conf/reposync/repodownload.conf
-	echo "clean_requirements_on_remove=True" >> /opt/so/conf/reposync/repodownload.conf
-	echo "best=True" >> /opt/so/conf/reposync/repodownload.conf
-	echo "skip_if_unavailable=False" >> /opt/so/conf/reposync/repodownload.conf
-	echo "cachedir=/opt/so/conf/reposync/cache" >> /opt/so/conf/reposync/repodownload.conf
-	echo "keepcache=0" >> /opt/so/conf/reposync/repodownload.conf
-	echo "[securityonionsync]" >> /opt/so/conf/reposync/repodownload.conf
-	echo "name=Security Onion Repo repo" >> /opt/so/conf/reposync/repodownload.conf
-	echo "mirrorlist=file:///opt/so/conf/reposync/mirror.txt" >> /opt/so/conf/reposync/repodownload.conf
-	echo "enabled=1" >> /opt/so/conf/reposync/repodownload.conf
-	echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
-
-	logCmd "dnf repolist"
-
-	if [[ ! $is_airgap ]]; then
-		curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install
-		retry 5 60 "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" >> "$setup_log" 2>&1 || fail_setup
-		# After the download is complete run createrepo
-		create_repo
+	if [[ $is_supported ]]; then
+		# Sync the repo from the the SO repo locally.
+		# Check for reposync
+		info "Adding Repo Download Configuration"
+		mkdir -p /nsm/repo
+		mkdir -p /opt/so/conf/reposync/cache
+		echo "https://repo.securityonion.net/file/so-repo/prod/3/oracle/9" > /opt/so/conf/reposync/mirror.txt
+		echo "https://repo-alt.securityonion.net/prod/3/oracle/9" >> /opt/so/conf/reposync/mirror.txt
+		echo "[main]" > /opt/so/conf/reposync/repodownload.conf
+		echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
+		echo "installonly_limit=3" >> /opt/so/conf/reposync/repodownload.conf
+		echo "clean_requirements_on_remove=True" >> /opt/so/conf/reposync/repodownload.conf
+		echo "best=True" >> /opt/so/conf/reposync/repodownload.conf
+		echo "skip_if_unavailable=False" >> /opt/so/conf/reposync/repodownload.conf
+		echo "cachedir=/opt/so/conf/reposync/cache" >> /opt/so/conf/reposync/repodownload.conf
+		echo "keepcache=0" >> /opt/so/conf/reposync/repodownload.conf
+		echo "[securityonionsync]" >> /opt/so/conf/reposync/repodownload.conf
+		echo "name=Security Onion Repo repo" >> /opt/so/conf/reposync/repodownload.conf
+		echo "mirrorlist=file:///opt/so/conf/reposync/mirror.txt" >> /opt/so/conf/reposync/repodownload.conf
+		echo "enabled=1" >> /opt/so/conf/reposync/repodownload.conf
+		echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
+	
+		logCmd "dnf repolist"
+		
+		if [[ ! $is_airgap ]]; then
+        	curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install
+			retry 5 60 "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" >> "$setup_log" 2>&1 || fail_setup
+			# After the download is complete run createrepo
+			create_repo
+		fi
+	else
+		# Add the proper repos for unsupported stuff
+		echo "Adding Repos"
+		if [[ $is_rpm ]]; then
+			if [[ $is_rhel ]]; then
+				logCmd "subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms"
+				info "Install epel for rhel" 
+				logCmd "dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm"
+				logCmd "dnf -y install https://dl.fedoraproject.org/pub/epel/epel-next-release-latest-9.noarch.rpm"
+			else  
+				logCmd "dnf config-manager --set-enabled crb"
+				logCmd "dnf -y install epel-release"
+			fi
+			dnf install -y yum-utils device-mapper-persistent-data lvm2
+			curl -fsSL https://repo.securityonion.net/file/so-repo/prod/3/so/so.repo | tee /etc/yum.repos.d/so.repo
+			rpm --import https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public
+			dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
+			curl -fsSL "https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.repo" | tee /etc/yum.repos.d/salt.repo
+			dnf repolist
+			curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install
+		else
+			echo "Not sure how you got here."
+			exit 1
+		fi
 	fi
 }
 
@@ -1786,13 +1909,57 @@ saltify() {
 	SALTVERSION=$(grep "version:" ../salt/salt/master.defaults.yaml | grep -o "[0-9]\+\.[0-9]\+")
 	info "Installing Salt $SALTVERSION"
 	chmod u+x ../salt/salt/scripts/bootstrap-salt.sh
+	if [[ $is_deb ]]; then
 
-	if [[ $waitforstate ]]; then
-		# install all for a manager
-		retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -M -X stable $SALTVERSION" || fail_setup
-	else
-		# just a minion
-		retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -X stable $SALTVERSION" || fail_setup
+		DEBIAN_FRONTEND=noninteractive retry 30 10 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1 || fail_setup
+		if [ $OSVER == "focal" ]; then update-alternatives --install /usr/bin/python python /usr/bin/python3.10 10; fi
+		local pkg_arr=(
+			'apache2-utils'
+			'ca-certificates'
+			'curl'
+			'software-properties-common'
+			'apt-transport-https'
+			'openssl'
+			'netcat-openbsd'
+			'jq'
+			'gnupg'
+		)
+		retry 30 10 "apt-get -y install ${pkg_arr[*]}" || fail_setup
+
+		logCmd "mkdir -vp /etc/apt/keyrings"
+		logCmd "wget -q --inet4-only -O /etc/apt/keyrings/docker.pub https://download.docker.com/linux/ubuntu/gpg"
+
+		if [[ $is_ubuntu ]]; then
+			# Add Docker Repo
+			add-apt-repository -y "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" 
+		
+		else
+			# Add Docker Repo
+			curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+			echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $OSVER stable" > /etc/apt/sources.list.d/docker.list 
+		fi
+
+		logCmd "apt-key add /etc/apt/keyrings/docker.pub"
+
+		retry 30 10 "apt-get update" "" "Err:" || fail_setup
+		if [[ $waitforstate ]]; then
+			retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -M -X stable $SALTVERSION" || fail_setup
+			retry 30 10 "apt-mark hold salt-minion salt-common salt-master" || fail_setup
+			retry 30 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-packaging python3-influxdb python3-lxml" || exit 1
+		else
+			retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -X stable $SALTVERSION" || fail_setup
+			retry 30 10 "apt-mark hold salt-minion salt-common" || fail_setup
+		fi
+	fi
+		
+	if [[ $is_rpm ]]; then
+		if [[ $waitforstate ]]; then 
+			# install all for a manager
+			retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -M -X stable $SALTVERSION" || fail_setup
+		else
+			# just a minion
+			retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -X stable $SALTVERSION" || fail_setup
+		fi
 	fi
 
 	salt_install_module_deps
@@ -1938,7 +2105,14 @@ set_proxy() {
 		"}" > /root/.docker/config.json
 
 	# Set proxy for package manager
-	echo "proxy=$so_proxy" >> /etc/yum.conf
+	if [[ $is_rpm ]]; then
+		echo "proxy=$so_proxy" >> /etc/yum.conf
+	else
+		# Set it up so the updates roll through the manager
+		printf '%s\n'\
+			"Acquire::http::Proxy \"$so_proxy\";"\
+			"Acquire::https::Proxy \"$so_proxy\";" > /etc/apt/apt.conf.d/00-proxy.conf
+	fi
 
 	# Set global git proxy
 	printf '%s\n'\
@@ -2128,13 +2302,23 @@ update_sudoers_for_testing() {
 }
 
 update_packages() {
-	logCmd "dnf repolist"
-	logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*"
-	RMREPOFILES=("oracle-linux-ol9.repo" "uek-ol9.repo" "virt-ol9.repo")
-	info "Removing repo files added by oracle-repos package update"
-	for FILE in ${RMREPOFILES[@]}; do
-		logCmd "rm -f /etc/yum.repos.d/$FILE"
-	done
+	if [[ $is_oracle ]]; then
+		logCmd "dnf repolist"
+		logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*"
+		RMREPOFILES=("oracle-linux-ol9.repo" "uek-ol9.repo" "virt-ol9.repo")
+		info "Removing repo files added by oracle-repos package update"
+		for FILE in ${RMREPOFILES[@]}; do
+			logCmd "rm -f /etc/yum.repos.d/$FILE"
+		done
+	elif [[ $is_deb ]]; then
+		info "Running apt-get update"
+		retry 150 10 "apt-get -y update" "" "Err:" >> "$setup_log" 2>&1 || fail_setup
+		info "Running apt-get upgrade"
+		retry 150 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || fail_setup
+	else
+		info "Updating packages"
+		logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*"
+	fi
 }
 
 # This is used for development to speed up network install tests.
@@ -2144,7 +2328,15 @@ use_turbo_proxy() {
 		return
 	fi
 
-	printf '%s\n' "proxy=${TURBO}:3142" >> /etc/yum.conf
+	if [[ $OS == 'centos' ]]; then
+		printf '%s\n' "proxy=${TURBO}:3142" >> /etc/yum.conf
+	else
+		printf '%s\n'\
+			"Acquire {"\
+			"  HTTP::proxy \"${TURBO}:3142\";"\
+			"  HTTPS::proxy \"${TURBO}:3142\";"\
+			"}" > /etc/apt/apt.conf.d/proxy.conf
+	fi
 }
 
 wait_for_file() {

setup/so-preflight

@@ -34,19 +34,32 @@ check_default_repos() {
 		printf '%s' "$repo_str" | tee -a "$preflight_log"
 	fi
 
-	if [[ $script_run == true ]]; then
-		printf '%s' 'yum update.'
+	if [[ $OS == 'centos' ]]; then
+		if [[ $script_run == true ]]; then
+			printf '%s' 'yum update.'
+		else
+			printf '%s' 'yum update.' | tee -a "$preflight_log"
+		fi
+		echo "" >> "$preflight_log"
+		yum -y check-update >> $preflight_log 2>&1
+		ret_code=$?
+		if [[ $ret_code == 0 || $ret_code == 100 ]]; then
+			printf '%s\n' '  SUCCESS'
+			ret_code=0
+		else
+			printf '%s\n' '  FAILURE'
+		fi
 	else
-		printf '%s' 'yum update.' | tee -a "$preflight_log"
-	fi
-	echo "" >> "$preflight_log"
-	yum -y check-update >> $preflight_log 2>&1
-	ret_code=$?
-	if [[ $ret_code == 0 || $ret_code == 100 ]]; then
-		printf '%s\n' '  SUCCESS'
-		ret_code=0
-	else
-		printf '%s\n' '  FAILURE'
+		if [[ $script_run == true ]]; then
+			printf '%s' 'apt update.'
+		else
+			printf '%s' 'apt update.' | tee -a "$preflight_log"
+		fi
+		echo "" >> "$preflight_log"
+		retry 150 10 "apt-get -y update" >> $preflight_log 2>&1
+		ret_code=$?
+		[[ $ret_code == 0 ]] && printf '%s\n' '  SUCCESS' || printf '%s\n' '  FAILURE'
+
 	fi
 
 	return $ret_code
@@ -60,11 +73,21 @@ check_new_repos() {
 		printf '%s' "$repo_url_str" | tee -a "$preflight_log"
 	fi
 
-	local repo_arr=(
-		"https://download.docker.com/linux/centos/docker-ce.repo"
-		"https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub"
-		"https://download.docker.com/linux/ubuntu/gpg"
+	if [[ $OS == 'centos' ]]; then
+		local repo_arr=( 
+			"https://download.docker.com/linux/centos/docker-ce.repo"
+			"https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub"
+			"https://download.docker.com/linux/ubuntu/gpg"
+			)
+	else
+		local ubuntu_version
+		ubuntu_version=$(grep VERSION_ID /etc/os-release 2> /dev/null | awk -F '[ "]' '{print $2}')
+		local repo_arr=(
+			"https://download.docker.com/linux/ubuntu/gpg"
+			"https://download.docker.com/linux/ubuntu"
+			"https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt/SALTSTACK-GPG-KEY.pub"
 		)
+	fi
 
 	__check_url_arr "${repo_arr[@]}"
 	local ret_code=$?
@@ -132,6 +155,17 @@ __check_url_arr() {
 	return $ret_code
 }
 
+preflight_prereqs() {
+	local ret_code=0
+	
+	if [[ $OS == 'centos' ]]; then
+		: # no-op to match structure of other checks for $OS var
+	else
+		retry 150 10 "apt-get -y install curl" >> "$preflight_log" 2>&1 || ret_code=1
+	fi
+
+	return $ret_code
+}
 
 main() {
 	local intro_str="Beginning pre-flight checks."
@@ -149,6 +183,7 @@ main() {
 	fi
 
 	check_default_repos &&\
+	preflight_prereqs &&\
 	check_new_repos &&\
 	check_misc_urls
 

setup/so-setup

@@ -66,6 +66,36 @@ set_timezone
 # Let's see what OS we are dealing with here
 detect_os
 
+# Ubuntu/Debian whiptail pallete to make it look the same as CentOS and Rocky.
+set_palette >> $setup_log 2>&1
+
+if [[ $not_supported ]] && [ -z "$test_profile" ]; then
+	if [[ "$OSVER" == "focal" ]]; then
+		if (whiptail_focal_warning); then
+			true
+		else
+			info "User cancelled setup."
+			whiptail_cancel
+		fi
+	else
+		if (whiptail_unsupported_os_warning); then
+			true
+		else
+			info "User cancelled setup."
+			whiptail_cancel
+		fi
+	fi
+fi
+
+# we need to upgrade packages on debian prior to install and reboot if there are due to iptables-restore not running properly
+# if packages are updated and the box isn't rebooted
+if [[ $is_debian ]]; then
+	update_packages
+	if [[ -f "/var/run/reboot-required" ]] && [ -z "$test_profile" ]; then
+		whiptail_debian_reboot_required
+		reboot
+	fi
+fi
 
 # Check to see if this is the setup type of "desktop".
 is_desktop=
@@ -78,7 +108,7 @@ if [ "$setup_type" = 'desktop' ]; then
 	fi
 fi
 
-# Make sure if ISO is specified that we are dealing with an RPM-based install
+# Make sure if ISO is specified that we are dealing with CentOS or Rocky
 title "Detecting if this is an ISO install"
 if [[ "$setup_type" == 'iso' ]]; then
 	if [[ $is_rpm ]]; then

setup/so-whiptail

@@ -27,6 +27,23 @@ whiptail_airgap() {
 	fi
 }
 
+whiptail_debian_reboot_required() {
+
+	[ -n "$TESTING" ] && return
+
+	read -r -d '' message <<- EOM
+
+	Packages were upgraded and a reboot is required prior to Security Onion installation.
+
+	Once the reboot has completed, rerun Security Onion setup.
+
+	Press TAB and then the ENTER key to reboot the system.
+
+	EOM
+
+	whiptail --title "$whiptail_title" --msgbox "$message" 24 75 --scrolltext
+}
+
 whiptail_desktop_install() {
 
 	[ -n "$TESTING" ] && return
@@ -479,6 +496,27 @@ __append_end_msg() {
 	EOM
 }
 
+whiptail_focal_warning() {
+
+	[ -n "$TESTING" ] && return
+
+	read -r -d '' focal_warning_continue <<- EOM
+
+	WARNING: Ubuntu 20.04 is only supported as a minion role.
+
+	This node may not install or operate as expected if installed
+	as a manager, managersearch, standalone, eval, or import.
+
+	Would you like to continue the install?
+
+	EOM
+	whiptail --title "$whiptail_title" \
+		--yesno "$focal_warning_continue" 14 75 --defaultno
+
+	local exitstatus=$?
+	return $exitstatus
+
+}
 
 whiptail_gauge_post_setup() {
 
@@ -548,15 +586,23 @@ whiptail_install_type() {
 	[ -n "$TESTING" ] && return
 
 	# What kind of install are we doing?
-	install_type=$(whiptail --title "$whiptail_title" --menu \
-	"What kind of installation would you like to do?\n\nFor more information, please see:\n$DOC_BASE_URL/architecture" 18 65 5 \
-		"IMPORT" "Import PCAP or log files " \
-		"EVAL" "Evaluation mode (not for production) " \
-		"STANDALONE" "Standalone production install " \
-		"DISTRIBUTED" "Distributed deployment " \
-		"DESKTOP" "Security Onion Desktop" \
-		3>&1 1>&2 2>&3
-	)
+	if [[ "$OSVER" != "focal" ]]; then
+		install_type=$(whiptail --title "$whiptail_title" --menu \
+		"What kind of installation would you like to do?\n\nFor more information, please see:\n$DOC_BASE_URL/architecture" 18 65 5 \
+			"IMPORT" "Import PCAP or log files " \
+			"EVAL" "Evaluation mode (not for production) " \
+			"STANDALONE" "Standalone production install " \
+			"DISTRIBUTED" "Distributed deployment " \
+			"DESKTOP" "Security Onion Desktop" \
+			3>&1 1>&2 2>&3
+		)
+	elif [[ "$OSVER" == "focal" ]]; then
+		install_type=$(whiptail --title "$whiptail_title" --menu \
+		"What kind of installation would you like to do?\n\nFor more information, please see:\n$DOC_BASE_URL/architecture" 18 65 5 \
+			"DISTRIBUTED" "Distributed install submenu " \
+			3>&1 1>&2 2>&3
+		)
+	fi
 
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -577,11 +623,18 @@ whiptail_install_type_dist() {
 
 	[ -n "$TESTING" ] && return
 
+	if [[ "$OSVER" != "focal" ]]; then
 	dist_option=$(whiptail --title "$whiptail_title" --menu "Do you want to start a new deployment or join this box to \nan existing deployment?" 11 75 2 \
 		"New Deployment         " "Create a new Security Onion deployment" \
 		"Existing Deployment    " "Join to an existing Security Onion deployment " \
 		 3>&1 1>&2 2>&3
 	)
+	elif [[ "$OSVER" == "focal" ]]; then
+	dist_option=$(whiptail --title "$whiptail_title" --menu "Since this is Ubuntu, this box can only be connected to \nan existing deployment." 11 75 2 \
+		"Existing Deployment    " "Join to an existing Security Onion deployment " \
+		 3>&1 1>&2 2>&3
+	)
+	fi
 
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -863,7 +916,7 @@ whiptail_net_method() {
 	[ -n "$TESTING" ] && return
 
 	local pkg_mngr
-	pkg_mngr="yum"
+	if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi
 
 	read -r -d '' options_msg <<- EOM
 	"Direct" - Internet requests connect directly to the Internet.
@@ -1098,7 +1151,7 @@ whiptail_proxy_ask() {
 	[ -n "$TESTING" ] && return
 
 	local pkg_mngr
-	pkg_mngr="yum"
+	if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi
 	whiptail --title "$whiptail_title" --yesno "Do you want to proxy the traffic for git, docker client, wget, curl, ${pkg_mngr}, and various other SO components through a separate server in your environment?" 9 65 --defaultno
 }
 
@@ -1381,6 +1434,48 @@ whiptail_storage_requirements() {
 	whiptail_check_exitstatus $exitstatus
 }
 
+whiptail_ubuntu_notsupported() {
+	[ -n "$TESTING" ] && return
+	
+	read -r -d '' message <<- EOM
+		Ubuntu is not supported for this node type.
+
+		Please use a supported OS or install via ISO.
+	EOM
+	whiptail --title "$whiptail_title"  --msgbox "$message" 14 75
+}
+
+whiptail_ubuntu_warning() {
+	[ -n "$TESTING" ] && return
+	
+	read -r -d '' message <<- EOM
+		Ubuntu support for this node type is limited.
+
+		Please consider using a fully supported OS or install via ISO.
+	EOM
+	whiptail --title "$whiptail_title"  --msgbox "$message" 14 75
+
+}
+
+whiptail_unsupported_os_warning() {
+
+	[ -n "$TESTING" ] && return
+
+	read -r -d '' unsupported_os_continue <<- EOM
+	
+	WARNING: An unsupported operating system has been detected. 
+	Security Onion may not install or operate as expected. 
+
+	Would you like to continue the install?
+
+	EOM
+	whiptail --title "$whiptail_title" \
+		--yesno "$unsupported_os_continue" 14 75 --defaultno
+
+	local exitstatus=$?
+	return $exitstatus
+
+}
 
 whiptail_uppercase_warning() {