Merge pull request #1126 from Security-Onion-Solutions/issue/1091

Issue/1091

salt/ca/init.sls

@@ -10,12 +10,16 @@
   file.directory: []
 
 pki_private_key:
-    x509.private_key_managed:
+  x509.private_key_managed:
-        - name: /etc/pki/ca.key
+    - name: /etc/pki/ca.key
-        - bits: 4096
+    - bits: 4096
-        - passphrase:
+    - passphrase:
-        - cipher: aes_256_cbc
+    - cipher: aes_256_cbc
-        - backup: True
+    - backup: True
+    {% if salt['file.file_exists']('/etc/pki/ca.key') -%}
+    - prereq:
+      - x509: /etc/pki/ca.crt
+    {%- endif %}
 
 /etc/pki/ca.crt:
   x509.certificate_managed:
@@ -32,22 +36,18 @@ pki_private_key:
     - days_valid: 3650
     - days_remaining: 0
     - backup: True
-    - managed_private_key:
-        name: /etc/pki/ca.key
-        bits: 4096
-        backup: True
     - require:
       - file: /etc/pki
 
-send_x509_pem_entries_to_mine:
+x509_pem_entries:
   module.run:
     - mine.send:
-      - func: x509.get_pem_entries
+       - name: x509.get_pem_entries
-      - glob_path: /etc/pki/ca.crt
+       - glob_path: /etc/pki/ca.crt
 
 cakeyperms:
   file.managed:
     - replace: False
     - name: /etc/pki/ca.key
     - mode: 640
-    - group: 939
+    - group: 939

salt/common/tools/sbin/soup

@@ -18,13 +18,17 @@
 . /usr/sbin/so-common
 UPDATE_DIR=/tmp/sogh/securityonion
 INSTALLEDVERSION=$(cat /etc/soversion)
-default_salt_dir=/opt/so/saltstack/default
+INSTALLEDSALTVERSION=$(salt --versions-report | grep Salt: | awk {'print $2'})
+DEFAULT_SALT_DIR=/opt/so/saltstack/default
+BATCHSIZE=5
+SOUP_LOG=/root/soup.log
+exec 3>&1 1>${SOUP_LOG} 2>&1
 
 manager_check() {
   # Check to see if this is a manager
   MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
   if [[ "$MANAGERCHECK" =~ ^('so-eval'|'so-manager'|'so-standalone'|'so-managersearch')$ ]]; then
-    echo "This is a manager. We can proceed"
+    echo "This is a manager. We can proceed."
   else
     echo "Please run soup on the manager. The manager controls all updates."
     exit 0
@@ -58,23 +62,33 @@ clone_to_tmp() {
 copy_new_files() {
   # Copy new files over to the salt dir
   cd /tmp/sogh/securityonion
-  rsync -a salt $default_salt_dir/
+  rsync -a salt $DEFAULT_SALT_DIR/
-  rsync -a pillar $default_salt_dir/
+  rsync -a pillar $DEFAULT_SALT_DIR/
-  chown -R socore:socore $default_salt_dir/
+  chown -R socore:socore $DEFAULT_SALT_DIR/
-  chmod 755 $default_salt_dir/pillar/firewall/addfirewall.sh
+  chmod 755 $DEFAULT_SALT_DIR/pillar/firewall/addfirewall.sh
   cd /tmp
 }
 
+detect_os() {
+	# Detect Base OS
+	echo "Determining Base OS." >> "$SOUP_LOG" 2>&1
+	if [ -f /etc/redhat-release ]; then
+		OS="centos"
+	elif [ -f /etc/os-release ]; then
+		OS="ubuntu"
+	fi
+	echo "Found OS: $OS" >> "$SOUP_LOG" 2>&1
+}
+
 highstate() {
   # Run a highstate but first cancel a running one.
   salt-call saltutil.kill_all_jobs
-  salt-call state.highstate
+  salt-call state.highstate -l info
 }
 
 pillar_changes() {
     # This function is to add any new pillar items if needed.
-    echo "Checking to see if pillar changes are needed"
+    echo "Checking to see if pillar changes are needed."
-
 }
 
 update_dockers() {
@@ -143,7 +157,7 @@ update_dockers() {
 
 update_version() {
   # Update the version to the latest
-  echo "Updating the version file."
+  echo "Updating the Security Onion version file."
   echo $NEWVERSION > /etc/soversion
   sed -i "s/$INSTALLEDVERSION/$NEWVERSION/g" /opt/so/saltstack/local/pillar/static.sls
 }
@@ -154,8 +168,44 @@ upgrade_check() {
     if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then
       echo "You are already running the latest version of Security Onion."
       exit 0
+    fi 
+}
+
+upgrade_check_salt() {
+    NEWSALTVERSION=$(grep version: $UPDATE_DIR/salt/salt/master.defaults.yaml | awk {'print $2'})
+    if [ "$INSTALLEDSALTVERSION" == "$NEWSALTVERSION" ]; then
+      echo "You are already running the correct version of Salt for Security Onion."
     else
-      echo "Performing Upgrade from $INSTALLEDVERSION to $NEWVERSION"
+      SALTUPGRADED=True
+      echo "Performing upgrade of Salt from $INSTALLEDSALTVERSION to $NEWSALTVERSION."
+      echo ""
+      # If CentOS
+      if [ "$OS" == "centos" ]; then
+        echo "Removing yum versionlock for Salt."
+        echo ""
+        yum versionlock delete "salt-*"
+        echo "Updating Salt packages and restarting services."
+        echo ""
+        sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable "$NEWSALTVERSION"
+        echo "Applying yum versionlock for Salt."
+        echo ""
+        yum versionlock add "salt-*"
+      # Else do Ubuntu things
+      elif [ "$OS" == "ubuntu" ]; then
+        echo "Removing apt hold for Salt."
+        echo ""
+        apt-mark unhold "salt-common"
+        apt-mark unhold "salt-master"
+        apt-mark unhold "salt-minion"
+        echo "Updating Salt packages and restarting services."
+        echo ""
+        sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable "$NEWSALTVERSION"
+        echo "Applying apt hold for Salt."
+        echo ""
+        apt-mark hold "salt-common"
+        apt-mark hold "salt-master"
+        apt-mark hold "salt-minion"
+      fi
     fi 
 }
 
@@ -167,41 +217,97 @@ verify_latest_update_script() {
       echo "This version of the soup script is up to date. Proceeding."
     else
       echo "You are not running the latest soup version. Updating soup."
-      cp $UPDATE_DIR/salt/common/tools/sbin/soup $default_salt_dir/salt/common/tools/sbin/
+      cp $UPDATE_DIR/salt/common/tools/sbin/soup $DEFAULT_SALT_DIR/salt/common/tools/sbin/
       salt-call state.apply common queue=True
       echo ""
-      echo "soup has been updated. Please run soup again"
+      echo "soup has been updated. Please run soup again."
       exit 0
     fi
 }
 
-echo "Checking to see if this is a manager"
+main () {
+while getopts ":b" opt; do
+  case "$opt" in
+    b ) # process option b
+       shift
+       BATCHSIZE=$1
+       if ! [[ "$BATCHSIZE" =~ ^[0-9]+$ ]]; then
+         echo "Batch size must be a number greater than 0."
+         exit 1
+       fi
+      ;;
+    \? ) echo "Usage: cmd [-b]"
+      ;;
+  esac
+done
+
+echo "Checking to see if this is a manager."
+echo ""
 manager_check
-echo "Cloning latest code to a temporary location"
+echo "Found that Security Onion $INSTALLEDVERSION is currently installed."
+echo ""
+detect_os
+echo ""
+echo "Cloning Security Onion github repo into $UPDATE_DIR."
 clone_to_tmp
 echo ""
-echo "Verifying we have the latest script"
+echo "Verifying we have the latest soup script."
 verify_latest_update_script
 echo ""
-echo "Let's see if we need to update"
+
+echo "Let's see if we need to update Security Onion."
 upgrade_check
+
+
 echo ""
-echo "Making pillar changes"
+echo "Performing upgrade from Security Onion $INSTALLEDVERSION to Security Onion $NEWVERSION."
+echo ""
+echo "Stopping Salt Minion service."
+systemctl stop salt-minion
+echo ""
+echo "Stopping Salt Master service."
+systemctl stop salt-master
+echo ""
+echo "Checking for Salt Master and Minion updates."
+upgrade_check_salt
+
+
+echo "Making pillar changes."
 pillar_changes
 echo ""
-echo "Cleaning up old dockers"
+
+echo "Cleaning up old dockers."
 clean_dockers
 echo ""
-echo "Updating docker to $NEWVERSION"
+echo "Updating dockers to $NEWVERSION."
 update_dockers
+
 echo ""
-echo "Copying new code"
+echo "Copying new Security Onion code from $UPDATE_DIR to $DEFAULT_SALT_DIR."
 copy_new_files
 echo ""
-echo "Updating version"
 update_version
+
+
 echo ""
-echo "Running a highstate to complete upgrade"
+echo "Starting Salt Master service."
+systemctl start salt-master
+
+
+echo ""
+echo "Running a highstate to complete the Security Onion upgrade on this manager. This could take several minutes."
 highstate
 echo ""
 echo "Upgrade from $INSTALLEDVERSION to $NEWVERSION complete."
+
+SALTUPGRADED="True"
+if [[ "$SALTUPGRADED" == "True" ]]; then
+  echo ""
+  echo "Upgrading Salt on the remaining Security Onion nodes from $INSTALLEDSALTVERSION to $NEWSALTVERSION."
+  salt -C 'not *_eval and not *_helix and not *_manager and not *_managersearch and not *_standalone' -b $BATCHSIZE state.apply salt.minion 
+  echo ""
+fi
+
+}
+
+main "$@" | tee /dev/fd/3

salt/salt/init.sls

@@ -1,15 +1,13 @@
-
-
 {% if grains['os'] != 'CentOS' %}    
 saltpymodules:
   pkg.installed:
     - pkgs:
       - python-docker
       - python-m2crypto
-  {% endif %}
+{% endif %}
 
-
+salt_bootstrap:
-salt_minion_service:
+  file.managed:
-  service.running:
+    - name: /usr/sbin/bootstrap-salt.sh
-    - name: salt-minion
+    - source: salt://salt/scripts/bootstrap-salt.sh
-    - enable: True
+    - mode: 755

salt/salt/map.jinja

@@ -0,0 +1,18 @@
+{% import_yaml 'salt/minion.defaults.yaml' as salt %}
+{% set SALTVERSION = salt.salt.minion.version %}
+
+{% if grains.os|lower == 'ubuntu' %}
+  {% set COMMON = 'salt-common' %}
+{% elif grains.os|lower == 'centos' %}
+  {% set COMMON = 'salt' %}
+{% endif %}
+
+{% if grains.saltversion|string != SALTVERSION|string %}
+  {% if grains.os|lower == 'centos' %}
+    {% set UPGRADECOMMAND = 'yum versionlock delete "salt-*" && sh /usr/sbin/bootstrap-salt.sh -F -x python3 stable ' ~ SALTVERSION %}
+  {% elif grains.os|lower == 'ubuntu' %}
+    {% set UPGRADECOMMAND = 'apt-mark unhold salt-common && apt-mark unhold salt-minion && sh /usr/sbin/bootstrap-salt.sh -F -x python3 stable ' ~ SALTVERSION  %}
+  {% endif %}
+{% else %}
+  {% set UPGRADECOMMAND = 'echo Already running Salt Minon version ' ~ SALTVERSION %}
+{% endif %}

salt/salt/master.defaults.yaml

@@ -0,0 +1,4 @@
+#version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched
+salt:
+  master:
+    version: 3001

salt/salt/master.sls

@@ -0,0 +1,11 @@
+salt_master_package:
+  pkg.installed:
+    - pkgs:
+      - salt
+      - salt-master
+    - hold: True
+
+salt_master_service:
+  service.running:
+    - name: salt-master
+    - enable: True

salt/salt/minion.defaults.yaml

@@ -0,0 +1,4 @@
+#version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched
+salt:
+  minion:
+    version: 3001

salt/salt/minion.sls

@@ -0,0 +1,26 @@
+{% from 'salt/map.jinja' import COMMON with context %}
+{% from 'salt/map.jinja' import UPGRADECOMMAND with context %}
+
+include:
+  - salt
+
+install_salt_minion:
+  cmd.run:
+    - name: {{ UPGRADECOMMAND }} 
+
+#versionlock_salt_minion:
+#  module.run:
+#    - pkg.hold:
+#      - name: "salt-*"
+
+salt_minion_package:
+  pkg.installed:
+    - pkgs:
+      - {{ COMMON }}
+      - salt-minion
+    - hold: True
+
+salt_minion_service:
+  service.running:
+    - name: salt-minion
+    - enable: True

salt/ssl/init.sls

@@ -37,6 +37,19 @@ m2cryptopkgs:
       - python-m2crypto
 {% endif %}
 
+/etc/pki/influxdb.key:
+  x509.private_key_managed:
+    - CN: {{ manager }}
+    - bits: 4096
+    - days_remaining: 0
+    - days_valid: 820
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/influxdb.key') -%}
+    - prereq:
+      - x509: /etc/pki/influxdb.crt
+    {%- endif %}
+
 # Create a cert for the talking to influxdb
 /etc/pki/influxdb.crt:
   x509.certificate_managed:
@@ -47,10 +60,10 @@ m2cryptopkgs:
     - days_remaining: 0
     - days_valid: 820
     - backup: True
-    - managed_private_key:
+    - unless:
-        name: /etc/pki/influxdb.key
+      # https://github.com/saltstack/salt/issues/52167
-        bits: 4096
+      # Will trigger 5 days (432000 sec) from cert expiration
-        backup: True
+      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/influxdb.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
 
 influxkeyperms:
   file.managed:
@@ -61,6 +74,19 @@ influxkeyperms:
 
 {% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone'] %}
 
+/etc/pki/filebeat.key:
+  x509.private_key_managed:
+    - CN: {{ manager }}
+    - bits: 4096
+    - days_remaining: 0
+    - days_valid: 820
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/filebeat.key') -%}
+    - prereq:
+      - x509: /etc/pki/filebeat.crt
+    {%- endif %}
+
 # Request a cert and drop it where it needs to go to be distributed
 /etc/pki/filebeat.crt:
   x509.certificate_managed:
@@ -75,12 +101,15 @@ influxkeyperms:
     - days_remaining: 0
     - days_valid: 820
     - backup: True
-    - managed_private_key:
+    - unless:
-        name: /etc/pki/filebeat.key
+      # https://github.com/saltstack/salt/issues/52167
-        bits: 4096
+      # Will trigger 5 days (432000 sec) from cert expiration
-        backup: True
+      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
   cmd.run:
     - name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt"
+    - onchanges:
+      - x509: /etc/pki/filebeat.key
+
 
 fbperms:
   file.managed:
@@ -107,11 +136,28 @@ fbkeylink:
   file.symlink:
     - name: /opt/so/saltstack/local/salt/filebeat/files/filebeat.p8
     - target: /etc/pki/filebeat.p8
+    - user: socore
+    - group: socore
 
 fbcrtlink:
   file.symlink:
     - name: /opt/so/saltstack/local/salt/filebeat/files/filebeat.crt
     - target: /etc/pki/filebeat.crt
+    - user: socore
+    - group: socore
+
+/etc/pki/registry.key:
+  x509.private_key_managed:
+    - CN: {{ manager }}
+    - bits: 4096
+    - days_remaining: 0
+    - days_valid: 820
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/registry.key') -%}
+    - prereq:
+      - x509: /etc/pki/registry.crt
+    {%- endif %}
 
 # Create a cert for the docker registry
 /etc/pki/registry.crt:
@@ -123,10 +169,10 @@ fbcrtlink:
     - days_remaining: 0
     - days_valid: 820
     - backup: True
-    - managed_private_key:
+    - unless:
-        name: /etc/pki/registry.key
+      # https://github.com/saltstack/salt/issues/52167
-        bits: 4096
+      # Will trigger 5 days (432000 sec) from cert expiration
-        backup: True
+      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/registry.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
 
 regkeyperms:
   file.managed:
@@ -135,6 +181,19 @@ regkeyperms:
     - mode: 640
     - group: 939
 
+/etc/pki/managerssl.key:
+  x509.private_key_managed:
+    - CN: {{ manager }}
+    - bits: 4096
+    - days_remaining: 0
+    - days_valid: 820
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%}
+    - prereq:
+      - x509: /etc/pki/managerssl.crt
+    {%- endif %}
+
 # Create a cert for the reverse proxy
 /etc/pki/managerssl.crt:
   x509.certificate_managed:
@@ -146,10 +205,10 @@ regkeyperms:
     - days_remaining: 0
     - days_valid: 820
     - backup: True
-    - managed_private_key:
+    - unless:
-        name: /etc/pki/managerssl.key
+      # https://github.com/saltstack/salt/issues/52167
-        bits: 4096
+      # Will trigger 5 days (432000 sec) from cert expiration
-        backup: True
+      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
 
 msslkeyperms:
   file.managed:
@@ -166,6 +225,11 @@ msslkeyperms:
     - days_remaining: 0
     - days_valid: 820
     - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/fleet.key') -%}
+    - prereq:
+      - x509: /etc/pki/fleet.crt
+    {%- endif %}
 
 /etc/pki/fleet.crt:
   x509.certificate_managed:
@@ -175,10 +239,10 @@ msslkeyperms:
     - days_remaining: 0
     - days_valid: 820
     - backup: True
-    - managed_private_key:
+    - unless:
-        name: /etc/pki/fleet.key
+      # https://github.com/saltstack/salt/issues/52167
-        bits: 4096
+      # Will trigger 5 days (432000 sec) from cert expiration
-        backup: True
+      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/fleet.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
 
 fleetkeyperms:
   file.managed:
@@ -195,6 +259,19 @@ fbcertdir:
     - name: /opt/so/conf/filebeat/etc/pki
     - makedirs: True
 
+/opt/so/conf/filebeat/etc/pki/filebeat.key:
+  x509.private_key_managed:
+    - CN: {{ manager }}
+    - bits: 4096
+    - days_remaining: 0
+    - days_valid: 820
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/opt/so/conf/filebeat/etc/pki/filebeat.key') -%}
+    - prereq:
+      - x509: /opt/so/conf/filebeat/etc/pki/filebeat.crt
+    {%- endif %}
+
 # Request a cert and drop it where it needs to go to be distributed
 /opt/so/conf/filebeat/etc/pki/filebeat.crt:
   x509.certificate_managed:
@@ -209,15 +286,17 @@ fbcertdir:
     - days_remaining: 0
     - days_valid: 820
     - backup: True
-    - managed_private_key:
+    - unless:
-        name: /opt/so/conf/filebeat/etc/pki/filebeat.key
+      # https://github.com/saltstack/salt/issues/52167
-        bits: 4096
+      # Will trigger 5 days (432000 sec) from cert expiration
-        backup: True
+      - 'enddate=$(date -d "$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
 
 # Convert the key to pkcs#8 so logstash will work correctly.
 filebeatpkcs:
   cmd.run:
     - name: "/usr/bin/openssl pkcs8 -in /opt/so/conf/filebeat/etc/pki/filebeat.key -topk8 -out /opt/so/conf/filebeat/etc/pki/filebeat.p8 -passout pass:"
+    - onchanges:
+      - x509: /opt/so/conf/filebeat/etc/pki/filebeat.key
 
 filebeatkeyperms:
   file.managed:
@@ -238,6 +317,19 @@ chownfilebeatp8:
 
 {% if grains['role'] == 'so-fleet' %}
 
+/etc/pki/managerssl.key:
+  x509.private_key_managed:
+    - CN: {{ manager }}
+    - bits: 4096
+    - days_remaining: 0
+    - days_valid: 820
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%}
+    - prereq:
+      - x509: /etc/pki/managerssl.crt
+    {%- endif %}
+
 # Create a cert for the reverse proxy
 /etc/pki/managerssl.crt:
   x509.certificate_managed:
@@ -249,10 +341,10 @@ chownfilebeatp8:
     - days_remaining: 0
     - days_valid: 820
     - backup: True
-    - managed_private_key:
+    - unless:
-        name: /etc/pki/managerssl.key
+      # https://github.com/saltstack/salt/issues/52167
-        bits: 4096
+      # Will trigger 5 days (432000 sec) from cert expiration
-        backup: True
+      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
 
 msslkeyperms:
   file.managed:
@@ -264,11 +356,16 @@ msslkeyperms:
 # Create a private key and cert for Fleet
 /etc/pki/fleet.key:
   x509.private_key_managed:
-    - CN: {{ HOSTNAME }}
+    - CN: {{ manager }}
     - bits: 4096
     - days_remaining: 0
     - days_valid: 820
     - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/fleet.key') -%}
+    - prereq:
+      - x509: /etc/pki/fleet.crt
+    {%- endif %}
 
 /etc/pki/fleet.crt:
   x509.certificate_managed:
@@ -278,10 +375,10 @@ msslkeyperms:
     - days_remaining: 0
     - days_valid: 820
     - backup: True
-    - managed_private_key:
+    - unless:
-        name: /etc/pki/fleet.key
+      # https://github.com/saltstack/salt/issues/52167
-        bits: 4096
+      # Will trigger 5 days (432000 sec) from cert expiration
-        backup: True
+      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/fleet.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
 
 fleetkeyperms:
   file.managed:

salt/top.sls

@@ -7,22 +7,30 @@
 {%- set FLEETMANAGER = salt['pillar.get']('static:fleet_manager', False) -%}
 {%- set FLEETNODE = salt['pillar.get']('static:fleet_node', False) -%}
 {%- set STRELKA = salt['pillar.get']('strelka:enabled', '0') -%}
+{% import_yaml 'salt/minion.defaults.yaml' as salt %}
+{% set saltversion = salt.salt.minion.version %}
 
 
 base:
 
-  'os:CentOS':
+  'not G@saltversion:{{saltversion}}':
-    - match: grain
+    - match: compound
+    - salt.minion
+
+  'G@os:CentOS and G@saltversion:{{saltversion}}':
+    - match: compound
     - yum
     - yum.packages
 
-  '*':
+  '* and G@saltversion:{{saltversion}}':
-    - salt
+    - match: compound
+    - salt.minion
     - docker
     - patch.os.schedule
     - motd
 
-  '*_helix':
+  '*_helix and G@saltversion:{{saltversion}}':
+    - match: compound
     - ca
     - ssl
     - registry
@@ -39,7 +47,8 @@ base:
     - filebeat
     - schedule
 
-  '*_sensor':
+  '*_sensor and G@saltversion:{{saltversion}}':
+    - match: compound
     - ca
     - ssl
     - common
@@ -61,7 +70,8 @@ base:
     {%- endif %}
     - schedule
 
-  '*_eval':
+  '*_eval and G@saltversion:{{saltversion}}':
+    - match: compound
     - ca
     - ssl
     - registry
@@ -117,7 +127,8 @@ base:
     {%- endif %}
 
 
-  '*_manager':
+  '*_manager and G@saltversion:{{saltversion}}':
+    - match: compound
     - ca
     - ssl
     - registry
@@ -162,7 +173,8 @@ base:
     - domainstats
     {%- endif %}
 
-  '*_standalone':
+  '*_standalone and G@saltversion:{{saltversion}}':
+    - match: compound
     - ca
     - ssl
     - registry
@@ -220,7 +232,7 @@ base:
 
   # Search node logic
 
-  '*_node and I@node:node_type:parser':
+  '*_node and I@node:node_type:parser and G@saltversion:{{saltversion}}':
     - match: compound
     - common
     - firewall
@@ -230,7 +242,7 @@ base:
     {%- endif %}
     - schedule
 
-  '*_node and I@node:node_type:hot':
+  '*_node and I@node:node_type:hot and G@saltversion:{{saltversion}}':
     - match: compound
     - common
     - firewall
@@ -241,7 +253,7 @@ base:
     {%- endif %}
     - schedule
 
-  '*_node and I@node:node_type:warm':
+  '*_node and I@node:node_type:warm and G@saltversion:{{saltversion}}':
     - match: compound
     - common
     - firewall
@@ -251,7 +263,8 @@ base:
     {%- endif %}
     - schedule
 
-  '*_searchnode':
+  '*_searchnode and G@saltversion:{{saltversion}}':
+    - match: compound
     - ca
     - ssl
     - common
@@ -269,7 +282,8 @@ base:
     {%- endif %}
     - schedule
 
-  '*_managersensor':
+  '*_managersensor and G@saltversion:{{saltversion}}':
+    - match: compound
     - common
     - nginx
     - telegraf
@@ -283,7 +297,8 @@ base:
     {%- endif %}
     - schedule
 
-  '*_managersearch':
+  '*_managersearch and G@saltversion:{{saltversion}}':
+    - match: compound
     - ca
     - ssl
     - registry
@@ -329,7 +344,8 @@ base:
     - domainstats
     {%- endif %}
 
-  '*_heavynode':
+  '*_heavynode and G@saltversion:{{saltversion}}':
+    - match: compound
     - ca
     - ssl
     - common
@@ -353,7 +369,8 @@ base:
     - filebeat
     - schedule
   
-  '*_fleet':
+  '*_fleet and G@saltversion:{{saltversion}}':
+    - match: compound
     - ca
     - ssl
     - common

setup/so-setup

@@ -467,7 +467,12 @@ fi
 	set_progress_str 21 'Copying minion pillars to manager'
 	copy_minion_tmp_files >> $setup_log 2>&1
 
-	set_progress_str 22 'Generating CA and checking in'
+	if [[ $is_minion ]]; then
+		set_progress_str 22 'Checking if the Salt Minion needs to be updated'
+		salt-call state.apply salt.minion -l info >> $setup_log 2>&1
+	fi
+
+	set_progress_str 23 'Generating CA and checking in'
 	salt_checkin >> $setup_log 2>&1
 
 	if [[ $is_manager || $is_helix ]]; then