diff --git a/salt/elasticsearch/auth.sls b/salt/elasticsearch/auth.sls
index f3aefa6b9..a7de4ef8f 100644
--- a/salt/elasticsearch/auth.sls
+++ b/salt/elasticsearch/auth.sls
@@ -15,7 +15,7 @@
 elastic_auth_pillar:
   file.managed:
     - name: /opt/so/saltstack/local/pillar/elasticsearch/auth.sls
-    - mode: 600
+    - mode: 640
     - reload_pillar: True
     - contents: |
         elasticsearch:
diff --git a/salt/kafka/nodes.sls b/salt/kafka/nodes.sls
index cae2a1d0f..90cc931bb 100644
--- a/salt/kafka/nodes.sls
+++ b/salt/kafka/nodes.sls
@@ -10,9 +10,9 @@
 write_kafka_pillar_yaml:
   file.managed:
     - name: /opt/so/saltstack/local/pillar/kafka/nodes.sls
-    - mode: 644
+    - mode: 640
     - user: socore
     - source: salt://kafka/files/managed_node_pillar.jinja
     - template: jinja
     - context:
-        COMBINED_KAFKANODES: {{ COMBINED_KAFKANODES }}
\ No newline at end of file
+        COMBINED_KAFKANODES: {{ COMBINED_KAFKANODES }}
diff --git a/salt/kibana/secrets.sls b/salt/kibana/secrets.sls
index f97aa4d59..048cea4d4 100644
--- a/salt/kibana/secrets.sls
+++ b/salt/kibana/secrets.sls
@@ -22,7 +22,7 @@ kibana_pillar_directory:
 kibana_secrets_pillar:
   file.managed:
     - name: /opt/so/saltstack/local/pillar/kibana/secrets.sls
-    - mode: 600
+    - mode: 640
     - reload_pillar: True
     - contents: |
         kibana:
diff --git a/salt/manager/elasticsearch.sls b/salt/manager/elasticsearch.sls
index df93217b8..ab9dbb287 100644
--- a/salt/manager/elasticsearch.sls
+++ b/salt/manager/elasticsearch.sls
@@ -3,5 +3,5 @@ elastic_curl_config_distributed:
     - name: /opt/so/saltstack/local/salt/elasticsearch/curl.config
     - source: salt://elasticsearch/files/curl.config.template
     - template: jinja
-    - mode: 600
+    - mode: 640
     - show_changes: False
diff --git a/salt/manager/init.sls b/salt/manager/init.sls
index 5eadead92..07a1b8816 100644
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -127,15 +127,28 @@ so_fleetagent_status:
     - month: '*'
     - dayweek: '*'
 
-socore_own_saltstack:
+socore_own_saltstack_default:
   file.directory:
-    - name: /opt/so/saltstack
+    - name: /opt/so/saltstack/default
     - user: socore
     - group: socore
     - recurse:
       - user
       - group
 
+socore_own_saltstack_local:
+  file.directory:
+    - name: /opt/so/saltstack/local
+    - user: socore
+    - group: socore
+    - dir_mode: 750
+    - file_mode: 640
+    - replace: False
+    - recurse:
+      - user
+      - group
+      - mode
+
 rules_dir:
   file.directory:
     - name: /nsm/rules/yara