From c6168c1487efba24ef4f13c7ee17aceb070a19c5 Mon Sep 17 00:00:00 2001
From: Josh Patterson <josh.patterson@securityonionsolutions.com>
Date: Thu, 5 Feb 2026 10:20:54 -0500
Subject: [PATCH 1/9] bootstrap-salt update

---
 salt/salt/scripts/bootstrap-salt.sh | 147 +++++++++++++++++++++++++---
 1 file changed, 131 insertions(+), 16 deletions(-)

diff --git a/salt/salt/scripts/bootstrap-salt.sh b/salt/salt/scripts/bootstrap-salt.sh
index 861f22de5..9324a0170 100644
--- a/salt/salt/scripts/bootstrap-salt.sh
+++ b/salt/salt/scripts/bootstrap-salt.sh
@@ -26,7 +26,7 @@
 #======================================================================================================================
 set -o nounset                              # Treat unset variables as an error
 
-__ScriptVersion="2025.09.03"
+__ScriptVersion="2026.01.22"
 __ScriptName="bootstrap-salt.sh"
 
 __ScriptFullName="$0"
@@ -369,7 +369,7 @@ __usage() {
         also be specified. Salt installation will be ommitted, but some of the
         dependencies could be installed to write configuration with -j or -J.
     -d  Disables checking if Salt services are enabled to start on system boot.
-        You can also do this by touching ${BS_TMP_DIR}/disable_salt_checks on the target
+        You can also do this by touching ${_TMP_DIR}/disable_salt_checks on the target
         host. Default: \${BS_FALSE}
     -D  Show debug output
     -f  Force shallow cloning for git installations.
@@ -2819,14 +2819,25 @@ __install_salt_from_repo() {
         ${_pip_cmd} install --force-reinstall --break-system-packages "${_arch_dep}"
     fi
 
-    echodebug "Running '${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall ${_PIP_INSTALL_ARGS} ${_TMP_DIR}/git/deps/salt*.whl'"
+    _PIP_VERSION_STRING=$(${_pip_cmd} --version)
+    echodebug "Installed pip version: $_PIP_VERSION_STRING"
+    _PIP_MAJOR_VERSION=$(echo "$_PIP_VERSION_STRING" | sed -E 's/^pip ([0-9]+)\..*/\1/')
 
-    echodebug "Running ${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall ${_PIP_INSTALL_ARGS} --global-option=--salt-config-dir=$_SALT_ETC_DIR --salt-cache-dir=${_SALT_CACHE_DIR} ${SETUP_PY_INSTALL_ARGS} ${_TMP_DIR}/git/deps/salt*.whl"
-
-    ${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall \
-        ${_PIP_INSTALL_ARGS} \
-        --global-option="--salt-config-dir=$_SALT_ETC_DIR --salt-cache-dir=${_SALT_CACHE_DIR} ${SETUP_PY_INSTALL_ARGS}" \
-        ${_TMP_DIR}/git/deps/salt*.whl || return 1
+    # The following branching can be removed once we no longer support distros that still ship with
+    # versions of `pip` earlier than v22.1 such as Debian 11
+    if [ "$_PIP_MAJOR_VERSION" -lt 23 ]; then
+        echodebug "Running ${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall ${_PIP_INSTALL_ARGS} --global-option=--salt-config-dir=$_SALT_ETC_DIR --salt-cache-dir=${_SALT_CACHE_DIR} ${SETUP_PY_INSTALL_ARGS} ${_TMP_DIR}/git/deps/salt*.whl"
+        ${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall \
+            ${_PIP_INSTALL_ARGS} \
+            --global-option="--salt-config-dir=$_SALT_ETC_DIR --salt-cache-dir=${_SALT_CACHE_DIR} ${SETUP_PY_INSTALL_ARGS}" \
+            ${_TMP_DIR}/git/deps/salt*.whl || return 1
+    else
+        echodebug "Running ${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall ${_PIP_INSTALL_ARGS} --config-settings=--global-option=--salt-config-dir=$_SALT_ETC_DIR --salt-cache-dir=${_SALT_CACHE_DIR} ${SETUP_PY_INSTALL_ARGS} ${_TMP_DIR}/git/deps/salt*.whl"
+        ${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall \
+            ${_PIP_INSTALL_ARGS} \
+            --config-settings="--global-option=--salt-config-dir=$_SALT_ETC_DIR --salt-cache-dir=${_SALT_CACHE_DIR} ${SETUP_PY_INSTALL_ARGS}" \
+            ${_TMP_DIR}/git/deps/salt*.whl || return 1
+    fi
 
     echoinfo "Checking if Salt can be imported using ${_py_exe}"
     CHECK_SALT_SCRIPT=$(cat << EOM
@@ -6096,7 +6107,14 @@ install_arch_linux_git_deps() {
 }
 
 install_arch_linux_onedir_deps() {
+    echodebug "install_arch_linux_onedir_deps() entry"
+
+    # Basic tooling for download/verify/extract
+    pacman -Sy --noconfirm --needed wget tar gzip gnupg ca-certificates || return 1
+
+    # Reuse stable deps for python-yaml etc. if you want config_salt() parity
     install_arch_linux_stable_deps || return 1
+    return 0
 }
 
 install_arch_linux_stable() {
@@ -6111,7 +6129,73 @@ install_arch_linux_stable() {
     pacman -S --noconfirm --needed bash || return 1
     pacman -Su --noconfirm || return 1
     # We can now resume regular salt update
-    pacman -Syu --noconfirm salt || return 1
+    # Except that this hasn't been in arch repos for years;
+    # so we have to build from AUR
+    # We use "buildgirl" because Eve demanded it.
+    build_user=${build_user:-buildgirl}
+    userdel "$build_user" || true
+    useradd -M -r -s /usr/bin/nologin "$build_user"
+    echo "$build_user ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/"$build_user"
+    rm -rf /tmp/yay-bin || true
+
+    git clone https://aur.archlinux.org/salt.git /tmp/yay-bin
+    chown -R "$build_user":"$build_user" /tmp/yay-bin
+    sudo -u "$build_user" env -i \
+        HOME=/tmp \
+        PATH=/usr/bin:/bin:/usr/sbin:/sbin \
+        MAKEFLAGS="-j$(nproc)" \
+        LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 \
+        makepkg -CcsiD /tmp/yay-bin \
+        --noconfirm --needed \
+        --noprogressbar || return 1
+
+    rm -f /etc/sudoers.d/"$build_user"
+    rm -rf /tmp/yay-bin
+    userdel "$build_user"
+    return 0
+}
+
+install_arch_linux_onedir() {
+    echodebug "install_arch_linux_onedir() entry"
+
+    version="${ONEDIR_REV:-latest}"
+    arch="x86_64"
+    [ "$(uname -m)" = "aarch64" ] && arch="aarch64"
+
+    # Resolve "latest" to actual version
+    if [ "$version" = "latest" ]; then
+        version=$(wget -qO- https://api.github.com/repos/saltstack/salt/releases/latest \
+                  | grep -Eo '"tag_name": *"v[0-9.]+"' \
+                  | sed 's/"tag_name": *"v//;s/"//') || return 1
+    fi
+
+    tarball="salt-${version}-onedir-linux-${arch}.tar.xz"
+    url="https://github.com/saltstack/salt/releases/download/v${version}/${tarball}"
+    extractdir="/tmp/salt-${version}-onedir-linux-${arch}"
+
+    echoinfo "Downloading Salt onedir: $url"
+    wget -q "$url" -O "/tmp/${tarball}" || return 1
+
+    # Validate tarball
+    if ! tar -tf "/tmp/${tarball}" >/dev/null 2>&1; then
+        echoerror "Invalid or corrupt onedir tarball"
+        return 1
+    fi
+
+    # Prepare extraction
+    rm -rf "$extractdir" || true
+    rm -rf /opt/saltstack/salt || true
+    mkdir -p "$extractdir"
+
+    # Extract and flatten (remove leading 'salt/' directory)
+    # /tmp/salt-${version}-onedir-linux-${arch}
+    tar --strip-components=1 -xf "/tmp/${tarball}" -C "$extractdir"
+
+    # Place into /opt
+    mkdir -p /opt/saltstack/salt
+    mv "$extractdir"/* /opt/saltstack/salt/ || return 1
+    chmod -R 755 /opt/saltstack/salt
+
     return 0
 }
 
@@ -6249,17 +6333,48 @@ install_arch_check_services() {
     return 0
 }
 
-install_arch_linux_onedir() {
-  install_arch_linux_stable || return 1
 
-  return 0
-}
 
 install_arch_linux_onedir_post() {
-  install_arch_linux_post || return 1
+    echodebug "install_arch_linux_onedir_post() entry"
 
-  return 0
+    # Disable any distro/AUR salt units
+    systemctl disable --now salt-minion.service 2>/dev/null || true
+    systemctl disable --now salt-master.service 2>/dev/null || true
+
+    # Drop a clean unit, same pattern as Debian/Ubuntu onedir
+    cat >/etc/systemd/system/salt-minion.service <<'EOF'
+[Unit]
+Description=Salt Minion (onedir)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=/opt/saltstack/salt/salt-minion -c /etc/salt
+Restart=always
+LimitNOFILE=100000
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+    systemctl daemon-reload
+
+    # Add onedir paths system-wide
+    cat >/etc/profile.d/saltstack.sh <<'EOF'
+export PATH=/opt/saltstack/salt:/opt/saltstack/salt/bin:$PATH
+EOF
+
+    chmod 644 /etc/profile.d/saltstack.sh
+
+    if [ "$_START_DAEMONS" -eq $BS_TRUE ]; then
+        systemctl enable --now salt-minion.service
+    fi
+
+    return 0
 }
+
 #
 #   Ended Arch Install Functions
 #

From 2b05583035a31666b8c9c11487dc79bbfe8e065f Mon Sep 17 00:00:00 2001
From: Josh Patterson <josh.patterson@securityonionsolutions.com>
Date: Fri, 13 Feb 2026 14:49:53 -0500
Subject: [PATCH 2/9] update salt 3006.19

---
 salt/manager/tools/sbin/soup                  |  3 +-
 .../engines/master/minimum_auth_version.py    | 74 +++++++++++++++++++
 salt/salt/master.defaults.yaml                |  2 +-
 .../add_minimum_auth_version_engine.sls       | 16 ++++
 .../master/files/minimum_auth_version.conf    |  1 +
 .../files/minimum_auth_version_engine.conf    |  3 +
 .../remove_minimum_auth_version_engine.sls    | 17 +++++
 salt/salt/minion.defaults.yaml                |  2 +-
 8 files changed, 115 insertions(+), 3 deletions(-)
 create mode 100644 salt/salt/engines/master/minimum_auth_version.py
 create mode 100644 salt/salt/master/add_minimum_auth_version_engine.sls
 create mode 100644 salt/salt/master/files/minimum_auth_version.conf
 create mode 100644 salt/salt/master/files/minimum_auth_version_engine.conf
 create mode 100644 salt/salt/master/remove_minimum_auth_version_engine.sls

diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 4c9b60c3d..e83436551 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -995,7 +995,8 @@ up_to_2.4.210() {
   # Elastic Update for this release, so download Elastic Agent files
   determine_elastic_agent_upgrade
   create_ca_pillar
-
+  # This is the only way the state is called so we can use concurrent=True
+  salt-call state.apply salt.master.add_minimum_auth_version_engine --file-root=$UPDATE_DIR/salt --local --concurrent=True
   INSTALLEDVERSION=2.4.210
 }
 
diff --git a/salt/salt/engines/master/minimum_auth_version.py b/salt/salt/engines/master/minimum_auth_version.py
new file mode 100644
index 000000000..be4585569
--- /dev/null
+++ b/salt/salt/engines/master/minimum_auth_version.py
@@ -0,0 +1,74 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+# -*- coding: utf-8 -*-
+
+import logging
+import os
+import time
+from datetime import datetime, timedelta
+import salt.client
+
+log = logging.getLogger(__name__)
+
+TIMESTAMP_FILE = '/opt/so/state/mav_engine_start_time'
+
+def _get_start_time():
+    """Read persisted start time from file, or create one if it doesn't exist."""
+    if os.path.exists(TIMESTAMP_FILE):
+        with open(TIMESTAMP_FILE, 'r') as f:
+            timestamp = f.read().strip()
+        start_time = datetime.fromisoformat(timestamp)
+        log.info("Loaded existing start time from %s: %s", TIMESTAMP_FILE, start_time)
+        return start_time
+
+    start_time = datetime.now()
+    with open(TIMESTAMP_FILE, 'w') as f:
+        f.write(start_time.isoformat())
+    log.info("No existing start time found. Persisted new start time: %s", start_time)
+    return start_time
+
+
+def _clear_start_time():
+    """Remove the persisted timestamp file after successful completion."""
+    if os.path.exists(TIMESTAMP_FILE):
+        os.remove(TIMESTAMP_FILE)
+        log.info("Removed timestamp file %s", TIMESTAMP_FILE)
+
+
+def start(wait_days=7):
+    """
+    This engine waits for the specified number of days, then changes minimum_auth_version.
+
+    Args:
+        wait_days: Days to wait before taking action (default: 7)
+    """
+    log.info(
+        "Starting minimum_auth_version engine - Wait time: %d days",
+        wait_days
+    )
+
+    start_time = _get_start_time()
+    wait_delta = timedelta(days=wait_days)
+    mav_removed = False
+    caller = salt.client.Caller()
+
+    while True:
+        if not mav_removed:
+            elapsed = datetime.now() - start_time
+
+            if elapsed >= wait_delta:
+                log.info("Changing minimum_auth_version")
+                _clear_start_time()
+                result = caller.cmd('state.apply', 'salt.master.remove_minimum_auth_version_engine', kwarg={'queue': True})
+                # We shouldn't reach this line since the above line should remove the engine and restart salt-master
+                log.info("State apply result: %s", result)
+                mav_removed = True
+            else:
+                remaining = wait_delta - elapsed
+                days_remaining = remaining.total_seconds() / 86400
+                log.info("Time remaining before changing minimum_auth_version: %.1f days", days_remaining)
+
+        time.sleep(3600)  # Check hourly
diff --git a/salt/salt/master.defaults.yaml b/salt/salt/master.defaults.yaml
index 9dfe8587f..a54c33014 100644
--- a/salt/salt/master.defaults.yaml
+++ b/salt/salt/master.defaults.yaml
@@ -1,4 +1,4 @@
 # version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched
 salt:
   master:
-    version: '3006.16'
+    version: '3006.19'
diff --git a/salt/salt/master/add_minimum_auth_version_engine.sls b/salt/salt/master/add_minimum_auth_version_engine.sls
new file mode 100644
index 000000000..a395733cc
--- /dev/null
+++ b/salt/salt/master/add_minimum_auth_version_engine.sls
@@ -0,0 +1,16 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+# This state is to be used during soup preupgrade_changes, and run when the salt-master has been stopped. Soup will later start the salt-master.
+
+add_minimum_auth_version_engine_config:
+  file.managed:
+    - name: /etc/salt/master.d/minimum_auth_version_engine.conf
+    - source: salt://salt/master/files/minimum_auth_version_engine.conf
+
+add_minimum_auth_version_engine:
+  file.managed:
+    - name: /etc/salt/engines/minimum_auth_version.py
+    - source: salt://salt/engines/master/minimum_auth_version.py
diff --git a/salt/salt/master/files/minimum_auth_version.conf b/salt/salt/master/files/minimum_auth_version.conf
new file mode 100644
index 000000000..29fd0c99d
--- /dev/null
+++ b/salt/salt/master/files/minimum_auth_version.conf
@@ -0,0 +1 @@
+minimum_auth_version: 0
diff --git a/salt/salt/master/files/minimum_auth_version_engine.conf b/salt/salt/master/files/minimum_auth_version_engine.conf
new file mode 100644
index 000000000..67e9ac654
--- /dev/null
+++ b/salt/salt/master/files/minimum_auth_version_engine.conf
@@ -0,0 +1,3 @@
+engines:
+  - minimum_auth_version:
+      wait_days: 7
diff --git a/salt/salt/master/remove_minimum_auth_version_engine.sls b/salt/salt/master/remove_minimum_auth_version_engine.sls
new file mode 100644
index 000000000..d2ed27cae
--- /dev/null
+++ b/salt/salt/master/remove_minimum_auth_version_engine.sls
@@ -0,0 +1,17 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+include:
+  - salt.master
+
+remove_minimum_auth_version_engine_config:
+  file.absent:
+    - name: /etc/salt/master.d/minimum_auth_version_engine.conf
+
+remove_minimum_auth_version_engine:
+  file.absent:
+    - name: /etc/salt/engines/minimum_auth_version.py
+    - watch_in:
+      - service: salt_master_service
diff --git a/salt/salt/minion.defaults.yaml b/salt/salt/minion.defaults.yaml
index e897313d2..11f3dab41 100644
--- a/salt/salt/minion.defaults.yaml
+++ b/salt/salt/minion.defaults.yaml
@@ -1,5 +1,5 @@
 # version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched
 salt:
   minion:
-    version: '3006.16'
+    version: '3006.19'
     check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default

From ada463320bcea459e2fa3245ead77b9c94aa128b Mon Sep 17 00:00:00 2001
From: Josh Patterson <josh.patterson@securityonionsolutions.com>
Date: Fri, 13 Feb 2026 15:51:54 -0500
Subject: [PATCH 3/9] upgrade salt 3006.19

---
 salt/manager/tools/sbin/soup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index e83436551..4dc950e5b 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -996,7 +996,7 @@ up_to_2.4.210() {
   determine_elastic_agent_upgrade
   create_ca_pillar
   # This is the only way the state is called so we can use concurrent=True
-  salt-call state.apply salt.master.add_minimum_auth_version_engine --file-root=$UPDATE_DIR/salt --local --concurrent=True
+  salt-call state.apply salt.master.add_minimum_auth_version_engine --file-root=$UPDATE_DIR/salt --local concurrent=True
   INSTALLEDVERSION=2.4.210
 }
 

From c28bcfa85e8e3261388905a920194ec646b457d8 Mon Sep 17 00:00:00 2001
From: Josh Patterson <josh.patterson@securityonionsolutions.com>
Date: Fri, 13 Feb 2026 16:24:19 -0500
Subject: [PATCH 4/9] upgrade salt 3006.19

---
 salt/manager/tools/sbin/soup                            | 2 +-
 salt/salt/engines/master/minimum_auth_version.py        | 2 +-
 salt/salt/master/add_minimum_auth_version_engine.sls    | 5 +++++
 salt/salt/master/remove_minimum_auth_version_engine.sls | 4 ++++
 4 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 4dc950e5b..dab66b2d1 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -996,7 +996,7 @@ up_to_2.4.210() {
   determine_elastic_agent_upgrade
   create_ca_pillar
   # This is the only way the state is called so we can use concurrent=True
-  salt-call state.apply salt.master.add_minimum_auth_version_engine --file-root=$UPDATE_DIR/salt --local concurrent=True
+  salt-call state.apply salt.master.add_minimum_auth_version --file-root=$UPDATE_DIR/salt --local concurrent=True
   INSTALLEDVERSION=2.4.210
 }
 
diff --git a/salt/salt/engines/master/minimum_auth_version.py b/salt/salt/engines/master/minimum_auth_version.py
index be4585569..59be18f28 100644
--- a/salt/salt/engines/master/minimum_auth_version.py
+++ b/salt/salt/engines/master/minimum_auth_version.py
@@ -62,7 +62,7 @@ def start(wait_days=7):
             if elapsed >= wait_delta:
                 log.info("Changing minimum_auth_version")
                 _clear_start_time()
-                result = caller.cmd('state.apply', 'salt.master.remove_minimum_auth_version_engine', kwarg={'queue': True})
+                result = caller.cmd('state.apply', 'salt.master.remove_minimum_auth_version', kwarg={'queue': True})
                 # We shouldn't reach this line since the above line should remove the engine and restart salt-master
                 log.info("State apply result: %s", result)
                 mav_removed = True
diff --git a/salt/salt/master/add_minimum_auth_version_engine.sls b/salt/salt/master/add_minimum_auth_version_engine.sls
index a395733cc..38612260d 100644
--- a/salt/salt/master/add_minimum_auth_version_engine.sls
+++ b/salt/salt/master/add_minimum_auth_version_engine.sls
@@ -5,6 +5,11 @@
 
 # This state is to be used during soup preupgrade_changes, and run when the salt-master has been stopped. Soup will later start the salt-master.
 
+set_minimum_auth_version_0:
+  file.managed:
+    - name: /etc/salt/master.d/minimum_auth_version.conf
+    - source: salt://salt/master/files/minimum_auth_version.conf
+
 add_minimum_auth_version_engine_config:
   file.managed:
     - name: /etc/salt/master.d/minimum_auth_version_engine.conf
diff --git a/salt/salt/master/remove_minimum_auth_version_engine.sls b/salt/salt/master/remove_minimum_auth_version_engine.sls
index d2ed27cae..2578e12fc 100644
--- a/salt/salt/master/remove_minimum_auth_version_engine.sls
+++ b/salt/salt/master/remove_minimum_auth_version_engine.sls
@@ -6,6 +6,10 @@
 include:
   - salt.master
 
+unset_minimum_auth_version_0:
+  file.absent:
+    - name: /etc/salt/master.d/minimum_auth_version.conf
+
 remove_minimum_auth_version_engine_config:
   file.absent:
     - name: /etc/salt/master.d/minimum_auth_version_engine.conf

From 7e0fb73fec014e201e8757c2e347db3914d74096 Mon Sep 17 00:00:00 2001
From: Josh Patterson <josh.patterson@securityonionsolutions.com>
Date: Fri, 13 Feb 2026 17:58:57 -0500
Subject: [PATCH 5/9] upgrade salt 3006.19

---
 ...nimum_auth_version_engine.sls => add_minimum_auth_version.sls} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename salt/salt/master/{add_minimum_auth_version_engine.sls => add_minimum_auth_version.sls} (100%)

diff --git a/salt/salt/master/add_minimum_auth_version_engine.sls b/salt/salt/master/add_minimum_auth_version.sls
similarity index 100%
rename from salt/salt/master/add_minimum_auth_version_engine.sls
rename to salt/salt/master/add_minimum_auth_version.sls

From 82ca64d66f0af19fc1f7404451c1cad419e25c3a Mon Sep 17 00:00:00 2001
From: Josh Patterson <josh.patterson@securityonionsolutions.com>
Date: Fri, 13 Feb 2026 20:49:25 -0500
Subject: [PATCH 6/9] upgrade salt 3006.19 1 day for testing

---
 salt/salt/master/files/minimum_auth_version_engine.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/salt/master/files/minimum_auth_version_engine.conf b/salt/salt/master/files/minimum_auth_version_engine.conf
index 67e9ac654..8ccbb90b2 100644
--- a/salt/salt/master/files/minimum_auth_version_engine.conf
+++ b/salt/salt/master/files/minimum_auth_version_engine.conf
@@ -1,3 +1,3 @@
 engines:
   - minimum_auth_version:
-      wait_days: 7
+      wait_days: 1

From ed014b431e20374c3ec2595f96f15b93f4a0ac5e Mon Sep 17 00:00:00 2001
From: Josh Patterson <josh.patterson@securityonionsolutions.com>
Date: Sun, 15 Feb 2026 09:16:36 -0500
Subject: [PATCH 7/9] upgrade salt 3006.19

---
 salt/salt/engines/master/minimum_auth_version.py           | 7 +++----
 ..._version_engine.sls => remove_minimum_auth_version.sls} | 0
 2 files changed, 3 insertions(+), 4 deletions(-)
 rename salt/salt/master/{remove_minimum_auth_version_engine.sls => remove_minimum_auth_version.sls} (100%)

diff --git a/salt/salt/engines/master/minimum_auth_version.py b/salt/salt/engines/master/minimum_auth_version.py
index 59be18f28..1213cb5e1 100644
--- a/salt/salt/engines/master/minimum_auth_version.py
+++ b/salt/salt/engines/master/minimum_auth_version.py
@@ -62,13 +62,12 @@ def start(wait_days=7):
             if elapsed >= wait_delta:
                 log.info("Changing minimum_auth_version")
                 _clear_start_time()
-                result = caller.cmd('state.apply', 'salt.master.remove_minimum_auth_version', kwarg={'queue': True})
+                result = caller.cmd('state.apply', 'salt.master.remove_minimum_auth_version', queue=True)
                 # We shouldn't reach this line since the above line should remove the engine and restart salt-master
                 log.info("State apply result: %s", result)
                 mav_removed = True
             else:
-                remaining = wait_delta - elapsed
-                days_remaining = remaining.total_seconds() / 86400
-                log.info("Time remaining before changing minimum_auth_version: %.1f days", days_remaining)
+                target_time = start_time + wait_delta
+                log.info("minimum_auth_version will be changed within an hour of %s", target_time.strftime('%m-%d-%Y %H:%M'))
 
         time.sleep(3600)  # Check hourly
diff --git a/salt/salt/master/remove_minimum_auth_version_engine.sls b/salt/salt/master/remove_minimum_auth_version.sls
similarity index 100%
rename from salt/salt/master/remove_minimum_auth_version_engine.sls
rename to salt/salt/master/remove_minimum_auth_version.sls

From fb364aec5dd189b8aca89ad87a51585519861f7f Mon Sep 17 00:00:00 2001
From: Josh Patterson <josh.patterson@securityonionsolutions.com>
Date: Tue, 17 Feb 2026 09:27:52 -0500
Subject: [PATCH 8/9] upgrade salt 3006.19

---
 salt/manager/tools/sbin/soup                  | 1 +
 salt/salt/master/add_minimum_auth_version.sls | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index dab66b2d1..4b508c939 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -995,6 +995,7 @@ up_to_2.4.210() {
   # Elastic Update for this release, so download Elastic Agent files
   determine_elastic_agent_upgrade
   create_ca_pillar
+  # This state is used to deal with the breaking change introduced in 3006.17 - https://docs.saltproject.io/en/3006/topics/releases/3006.17.html
   # This is the only way the state is called so we can use concurrent=True
   salt-call state.apply salt.master.add_minimum_auth_version --file-root=$UPDATE_DIR/salt --local concurrent=True
   INSTALLEDVERSION=2.4.210
diff --git a/salt/salt/master/add_minimum_auth_version.sls b/salt/salt/master/add_minimum_auth_version.sls
index 38612260d..768065a25 100644
--- a/salt/salt/master/add_minimum_auth_version.sls
+++ b/salt/salt/master/add_minimum_auth_version.sls
@@ -4,6 +4,8 @@
 # Elastic License 2.0.
 
 # This state is to be used during soup preupgrade_changes, and run when the salt-master has been stopped. Soup will later start the salt-master.
+# This state is used to deal with the breaking change introduced in 3006.17 - https://docs.saltproject.io/en/3006/topics/releases/3006.17.html
+
 
 set_minimum_auth_version_0:
   file.managed:

From 9b525612a8db3fb4a3a9c278eb2d07ac4185594b Mon Sep 17 00:00:00 2001
From: Josh Patterson <josh.patterson@securityonionsolutions.com>
Date: Tue, 17 Feb 2026 09:33:05 -0500
Subject: [PATCH 9/9] upgrade salt 3006.19

---
 salt/salt/master/files/minimum_auth_version_engine.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/salt/master/files/minimum_auth_version_engine.conf b/salt/salt/master/files/minimum_auth_version_engine.conf
index 8ccbb90b2..67e9ac654 100644
--- a/salt/salt/master/files/minimum_auth_version_engine.conf
+++ b/salt/salt/master/files/minimum_auth_version_engine.conf
@@ -1,3 +1,3 @@
 engines:
   - minimum_auth_version:
-      wait_days: 1
+      wait_days: 7