remove kernel bool option, just use list

salt/top.sls

@@ -12,6 +12,7 @@ base:
   '*':
     - cron.running
     - repo.client
+    - versionlock
     - ntp
     - schedule
     - logrotate

salt/versionlock/defaults.yaml

@@ -1,3 +1,2 @@
 versionlock:
-  kernel: False
   hold: []

salt/versionlock/init.sls

@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {% from 'versionlock/map.jinja' import VERSIONLOCKMERGED %}
 
 {% for pkg in VERSIONLOCKMERGED.hold %}

salt/versionlock/map.jinja

@@ -1,7 +1,13 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. #}
+
 {% import_yaml 'versionlock/defaults.yaml' as VERSIONLOCKDEFAULTS %}
 {% set VERSIONLOCKMERGED = salt['pillar.get']('versionlock', VERSIONLOCKDEFAULTS.versionlock, merge=True) %}
 {% set HELD = salt['pkg.list_holds']() %}
 
+{# these are packages held / versionlock in other states #}
 {% set PACKAGES_HELD_IN_OTHER_STATES = [
    'salt',
    'salt-master',
@@ -12,21 +18,16 @@
    'docker-ce-rootless-extras'
 ] %}
 
-{% if VERSIONLOCKMERGED.kernel %}
-    {% do VERSIONLOCKMERGED['hold'].append('kernel') %}
-{% endif %}
-
 {# remove packages held in other states from hold list #}
 {% do VERSIONLOCKMERGED.update({'hold': VERSIONLOCKMERGED['hold'] | unique | reject('in', PACKAGES_HELD_IN_OTHER_STATES) | list }) %}
 
+{# initiate VERSIONLOCKMERGED.UNHOLD #}
 {% do VERSIONLOCKMERGED.update({'UNHOLD': []}) %}
 
 {# if a package is currently held but not set to be held, unhold it #}
 {% for item in HELD %}
     {% set base_name = item.rsplit('-', 2)[0] %}
-    {% if base_name not in VERSIONLOCKMERGED['hold']
+    {% if base_name not in VERSIONLOCKMERGED['hold'] and base_name not in PACKAGES_HELD_IN_OTHER_STATES and base_name not in VERSIONLOCKMERGED['UNHOLD'] %}
-       and base_name not in PACKAGES_HELD_IN_OTHER_STATES
-       and base_name not in VERSIONLOCKMERGED['UNHOLD'] %}
         {% do VERSIONLOCKMERGED['UNHOLD'].append(base_name) %}
     {% endif %}
 {% endfor %}

salt/versionlock/soc_versionlock.yaml

@@ -1,10 +1,7 @@
 versionlock:
-  kernel:
-    description: Lock the kernel to prevent upgrade.
-    global: True
-    forcedType: bool
   hold:
-    description: List of packages to hold
+    description: List of packages to hold. To reduce the frequency of required reboots, add 'kernel' to this list.
     global: True
     forcedType: "[]string"
     multiline: True
+    helpLink: versionlock.html

setup/so-functions

@@ -1404,7 +1404,7 @@ make_some_dirs() {
 	mkdir -p $local_salt_dir/salt/firewall/portgroups
 	mkdir -p $local_salt_dir/salt/firewall/ports
 
-	for THEDIR in bpf pcap elasticsearch ntp firewall redis backup influxdb strelka sensoroni soc docker zeek suricata nginx telegraf logstash soc manager kratos idstools idh elastalert stig global kafka;do
+	for THEDIR in bpf pcap elasticsearch ntp firewall redis backup influxdb strelka sensoroni soc docker zeek suricata nginx telegraf logstash soc manager kratos idstools idh elastalert stig global kafka versionlock; do
 	mkdir -p $local_salt_dir/pillar/$THEDIR
 	touch $local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls
 	touch $local_salt_dir/pillar/$THEDIR/soc_$THEDIR.sls