Merge pull request #6930 from Security-Onion-Solutions/issue/6810

upgrade salt to 3004

salt/ca/init.sls

@@ -45,12 +45,6 @@ pki_public_ca_crt:
         attempts: 5
         interval: 30
 
-x509_pem_entries:
-  module.run:
-    - mine.send:
-       - name: x509.get_pem_entries
-       - glob_path: /etc/pki/ca.crt
-
 cakeyperms:
   file.managed:
     - replace: False

salt/common/tools/sbin/so-import-evtx

@@ -21,7 +21,7 @@
 {%- set MANAGERIP = salt['pillar.get']('global:managerip') -%}
 {%- set URLBASE = salt['pillar.get']('global:url_base') %}
 {% set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
-{% set ES_PW = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
+{% set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 
 INDEX_DATE=$(date +'%Y.%m.%d')
 RUNID=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1)
@@ -42,7 +42,7 @@ function evtx2es() {
   EVTX=$1
   HASH=$2
   
-  ES_PW=$(lookup_pillar "auth:users:so_elastic_user:pass" "elasticsearch")
+  ES_PASS=$(lookup_pillar "auth:users:so_elastic_user:pass" "elasticsearch")
   ES_USER=$(lookup_pillar "auth:users:so_elastic_user:user" "elasticsearch")
 
   docker run --rm \
@@ -51,7 +51,7 @@ function evtx2es() {
     {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} \
     --host {{ MANAGERIP }} --scheme https \
     --index so-beats-$INDEX_DATE --pipeline import.wel \
-    --login $ES_USER --pwd $ES_PW \
+    --login $ES_USER --pwd "$ES_PASS" \
     "/tmp/$RUNID.evtx" >> $LOG_FILE 2>&1
 
   docker run --rm \

salt/common/tools/sbin/soup

@@ -711,6 +711,8 @@ up_to_2.3.90() {
 up_to_2.3.100() {
   echo "Updating to Security Onion 2.3.100"
   fix_wazuh
+  echo "Removing /opt/so/state files for patched Salt InfluxDB module and state. This is due to Salt being upgraded and needing to patch the files again."
+  rm -vrf /opt/so/state/influxdb_continuous_query.py.patched /opt/so/state/influxdb_retention_policy.py.patched /opt/so/state/influxdbmod.py.patched
 }
 
 verify_upgradespace() {
@@ -861,7 +863,7 @@ upgrade_salt() {
   fi
 }
 
-upgrade_to_2.3.50_repo() {
+update_repo() {
   echo "Performing repo changes."
   if [[ "$OS" == "centos" ]]; then
     # Import GPG Keys
@@ -1055,7 +1057,7 @@ main() {
 
     stop_salt_master
 
-    upgrade_to_2.3.50_repo
+    update_repo
 
     # Does salt need upgraded. If so update it.
     if [[ $UPGRADESALT -eq 1 ]]; then

salt/curator/files/curator.yml

@@ -19,8 +19,8 @@ client:
     - {{elasticsearch}}
   port: 9200
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
-  username: {{ ES_USER }}
-  password: {{ ES_PASS }}
+  username: "{{ ES_USER }}"
+  password: "{{ ES_PASS }}"
 {%- endif %}
   url_prefix:
   use_ssl: True

salt/curator/init.sls

@@ -56,6 +56,7 @@ curconf:
     - group: 939
     - mode: 660
     - template: jinja
+    - show_changes: False
 
 curcloseddel:
   file.managed:

salt/elastalert/defaults.yaml

@@ -22,8 +22,8 @@ elastalert:
     verify_certs: false
     #es_send_get_body_as: GET
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
-    es_username: {{ ES_USER }}
-    es_password: {{ ES_PASS }}
+    es_username: "{{ ES_USER }}"
+    es_password: "{{ ES_PASS }}"
 {%- endif %}
     writeback_index: elastalert_status
     alert_time_limit:

salt/elastalert/init.sls

@@ -101,6 +101,7 @@ elastaconf:
     - group: 933
     - mode: 660
     - template: jinja
+    - show_changes: False
 
 wait_for_elasticsearch:
   cmd.run:

salt/elasticsearch/auth.sls

@@ -1,11 +1,16 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
 
-  {% set so_elastic_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', salt['random.get_str'](72)) %}
-  {% set so_kibana_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass', salt['random.get_str'](72)) %}
-  {% set so_logstash_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', salt['random.get_str'](72)) %}
-  {% set so_beats_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_beats_user:pass', salt['random.get_str'](72)) %}
-  {% set so_monitor_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_monitor_user:pass', salt['random.get_str'](72)) %}
+  {% set DIGITS = "1234567890" %}
+  {% set LOWERCASE = "qwertyuiopasdfghjklzxcvbnm" %}
+  {% set UPPERCASE = "QWERTYUIOPASDFGHJKLZXCVBNM" %}
+  {% set SYMBOLS = "~!@#$%^&*()-_=+[]|;:,.<>?" %}
+  {% set CHARS = DIGITS~LOWERCASE~UPPERCASE~SYMBOLS %}
+  {% set so_elastic_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', salt['random.get_str'](72, chars=CHARS)) %}
+  {% set so_kibana_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass', salt['random.get_str'](72, chars=CHARS)) %}
+  {% set so_logstash_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', salt['random.get_str'](72, chars=CHARS)) %}
+  {% set so_beats_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_beats_user:pass', salt['random.get_str'](72, chars=CHARS)) %}
+  {% set so_monitor_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_monitor_user:pass', salt['random.get_str'](72, chars=CHARS)) %}
   {% set auth_enabled = salt['pillar.get']('elasticsearch:auth:enabled', False) %}
 
 elastic_auth_pillar:
@@ -20,19 +25,19 @@ elastic_auth_pillar:
             users:
               so_elastic_user:
                 user: so_elastic
-                pass: {{ so_elastic_user_pass }}
+                pass: "{{ so_elastic_user_pass }}"
               so_kibana_user:
                 user: so_kibana
-                pass: {{ so_kibana_user_pass }}
+                pass: "{{ so_kibana_user_pass }}"
               so_logstash_user:
                 user: so_logstash
-                pass: {{ so_logstash_user_pass }}
+                pass: "{{ so_logstash_user_pass }}"
               so_beats_user:
                 user: so_beats
-                pass: {{ so_beats_user_pass }}
+                pass: "{{ so_beats_user_pass }}"
               so_monitor_user:
                 user: so_monitor
-                pass: {{ so_monitor_user_pass }}
+                pass: "{{ so_monitor_user_pass }}"
     - show_changes: False
 {% else %}
 

salt/kibana/secrets.sls

@@ -1,9 +1,14 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
 
-  {% set kibana_encryptedSavedObjects_encryptionKey = salt['pillar.get']('kibana:secrets:encryptedSavedObjects:encryptionKey', salt['random.get_str'](72)) %}
-  {% set kibana_security_encryptionKey = salt['pillar.get']('kibana:secrets:security:encryptionKey', salt['random.get_str'](72)) %}
-  {% set kibana_reporting_encryptionKey = salt['pillar.get']('kibana:secrets:reporting:encryptionKey', salt['random.get_str'](72)) %}
+  {% set DIGITS = "1234567890" %}
+  {% set LOWERCASE = "qwertyuiopasdfghjklzxcvbnm" %}
+  {% set UPPERCASE = "QWERTYUIOPASDFGHJKLZXCVBNM" %}
+  {% set SYMBOLS = "~!@#$%^&*()-_=+[]|;:,.<>?" %}
+  {% set CHARS = DIGITS~LOWERCASE~UPPERCASE~SYMBOLS %}
+  {% set kibana_encryptedSavedObjects_encryptionKey = salt['pillar.get']('kibana:secrets:encryptedSavedObjects:encryptionKey', salt['random.get_str'](72, chars=CHARS)) %}
+  {% set kibana_security_encryptionKey = salt['pillar.get']('kibana:secrets:security:encryptionKey', salt['random.get_str'](72, chars=CHARS)) %}
+  {% set kibana_reporting_encryptionKey = salt['pillar.get']('kibana:secrets:reporting:encryptionKey', salt['random.get_str'](72, chars=CHARS)) %}
 
 kibana_pillar_directory:
   file.directory:
@@ -18,11 +23,11 @@ kibana_secrets_pillar:
         kibana:
           secrets:
             encryptedSavedObjects:
-              encryptionKey: {{ kibana_encryptedSavedObjects_encryptionKey }}
+              encryptionKey: "{{ kibana_encryptedSavedObjects_encryptionKey }}"
             security:
-              encryptionKey: {{ kibana_security_encryptionKey }}
+              encryptionKey: "{{ kibana_security_encryptionKey }}"
             reporting:
-              encryptionKey: {{ kibana_reporting_encryptionKey }}
+              encryptionKey: "{{ kibana_reporting_encryptionKey }}"
     - show_changes: False
 
 {% else %}

salt/logstash/init.sls

@@ -89,6 +89,7 @@ ls_pipeline_{{PL}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }}:
     - group: 939
     - mode: 660
     - makedirs: True
+    - show_changes: False
     {% endfor %}
 
 ls_pipeline_{{PL}}:

salt/repo/client/files/centos/securityonion.repo

@@ -42,18 +42,11 @@ gpgkey=file:///etc/pki/rpm-gpg/docker.pub
 
 [saltstack]
 name=SaltStack repo for RHEL/CentOS $releasever PY3
-baseurl=https://repo.securityonion.net/file/securityonion-repo/saltstack3003/
+baseurl=https://repo.securityonion.net/file/securityonion-repo/saltstack/
 enabled=1
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/SALTSTACK-GPG-KEY.pub
 
-[saltstack3003]
-name=SaltStack repo for RHEL/CentOS $releasever PY3
-baseurl=https://repo.securityonion.net/file/securityonion-repo/saltstack3003/
-enabled=1
-gpgcheck=1
-gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub
-
 [wazuh_repo]
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-WAZUH
@@ -75,4 +68,4 @@ name=Security Onion Repo repo
 baseurl=https://repo.securityonion.net/file/securityonion-repo/securityonion/
 enabled=1
 gpgcheck=1
-gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub
+gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub

salt/repo/client/init.sls

@@ -28,7 +28,7 @@ airgap_repo:
   file.absent:
     - name: {{ REPOPATH }}{{ file }}
     - onchanges_in:
-      - module: cleanyum
+      - cmd: cleanyum
   {% endfor %}
 {% endif %}
 

salt/salt/files/influxdb_continuous_query.py.patch

@@ -1,4 +1,4 @@
-60c60
+56c56
 <             database, name, query, resample_time, coverage_period
 ---
 >             database, name, query, resample_time, coverage_period, **client_args

salt/salt/files/influxdb_retention_policy.py.patch

@@ -1,16 +1,16 @@
-38c38
+34c34
 <         hours = int(duration.split("h"))
 ---
 >         hours = int(duration.split("h")[0])
-52c52
+48c48
 < def present(name, database, duration="7d", replication=1, default=False, **client_args):
 ---
 > def present(name, database, duration="7d", replication=1, default=False, shard_duration="1d", **client_args):
-77c77
+73c73
 <             database, name, duration, replication, default, **client_args
 ---
 >             database, name, duration, replication, shard_duration, default, **client_args
-119c119
+113c113
 <                     database, name, duration, replication, default, **client_args
 ---
 >                     database, name, duration, replication, shard_duration, default, **client_args

salt/salt/files/influxdbmod.py.patch

@@ -1,16 +1,16 @@
-427c427
+421c421
 <     database, name, duration, replication, default=False, **client_args
 ---
 >     database, name, duration, replication, shard_duration, default=False, **client_args
-462c462
+456c456
 <     client.create_retention_policy(name, duration, replication, database, default)
 ---
 >     client.create_retention_policy(name, duration, replication, database, default, shard_duration)
-468c468
+462c462
 <     database, name, duration, replication, default=False, **client_args
 ---
 >     database, name, duration, replication, shard_duration, default=False, **client_args
-504c504
+498c498
 <     client.alter_retention_policy(name, database, duration, replication, default)
 ---
 >     client.alter_retention_policy(name, database, duration, replication, default, shard_duration)

salt/salt/master.defaults.yaml

@@ -2,4 +2,4 @@
 # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions
 salt:
   master:
-    version: 3003
+    version: 3004

salt/salt/minion.defaults.yaml

@@ -2,6 +2,6 @@
 # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions
 salt:
   minion:
-    version: 3003
+    version: 3004
     check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default
-    service_start_delay: 30 # in seconds.
+    service_start_delay: 30 # in seconds.

salt/soctopus/init.sls

@@ -34,6 +34,7 @@ soctopusconf:
     - group: 939
     - mode: 600
     - template: jinja
+    - show_changes: False
 
 soctopuslogdir:
   file.directory:

setup/so-functions

@@ -799,7 +799,7 @@ configure_ntp() {
 
 	# Install chrony if it isn't already installed
 	if ! command -v chronyc &> /dev/null; then
-		yum -y install chrony
+		logCmd "yum -y install chrony"
 	fi
 
 	[[ -f $chrony_conf ]] && mv $chrony_conf "$chrony_conf.bak"
@@ -1137,10 +1137,10 @@ installer_prereq_packages() {
 	if [ "$OS" == centos ]; then
 		if [[ ! $is_iso ]]; then
 			if ! yum versionlock > /dev/null 2>&1; then
-				yum -y install yum-plugin-versionlock >> "$setup_log" 2>&1
+				logCmd "yum -y install yum-plugin-versionlock"
 			fi
 			if ! command -v nmcli > /dev/null 2>&1; then
-				yum -y install NetworkManager >> "$setup_log" 2>&1
+				logCmd "yum -y install NetworkManager"
 			fi
 		fi
 		logCmd "systemctl enable NetworkManager"
@@ -1192,16 +1192,14 @@ disable_ipv6() {
 docker_install() {
 
 	if [ $OS = 'centos' ]; then
-		{
-			yum clean expire-cache;
-			if [[ ! $is_iso ]]; then
-			  yum -y install docker-ce-20.10.5-3.el7 docker-ce-cli-20.10.5-3.el7 docker-ce-rootless-extras-20.10.5-3.el7 containerd.io-1.4.4-3.1.el7
-			fi
-			yum versionlock docker-ce-20.10.5-3.el7
-			yum versionlock docker-ce-cli-20.10.5-3.el7
-			yum versionlock docker-ce-rootless-extras-20.10.5-3.el7
-			yum versionlock containerd.io-1.4.4-3.1.el7
-		} >> "$setup_log" 2>&1
+		logCmd "yum clean expire-cache"
+		if [[ ! $is_iso ]]; then
+			logCmd "yum -y install docker-ce-20.10.5-3.el7 docker-ce-cli-20.10.5-3.el7 docker-ce-rootless-extras-20.10.5-3.el7 containerd.io-1.4.4-3.1.el7"
+		fi
+		logCmd "yum versionlock docker-ce-20.10.5-3.el7"
+		logCmd "yum versionlock docker-ce-cli-20.10.5-3.el7"
+		logCmd "yum versionlock docker-ce-rootless-extras-20.10.5-3.el7"
+		logCmd "yum versionlock containerd.io-1.4.4-3.1.el7"
 		
 	else
 		case "$install_type" in
@@ -2018,17 +2016,17 @@ proxy_validate() {
 
 reserve_group_ids() {
 	# This is a hack to fix CentOS from taking group IDs that we need
-	groupadd -g 928 kratos
-	groupadd -g 930 elasticsearch
-	groupadd -g 931 logstash
-	groupadd -g 932 kibana
-	groupadd -g 933 elastalert
-	groupadd -g 934 curator
-	groupadd -g 937 zeek
-	groupadd -g 940 suricata
-	groupadd -g 941 stenographer
-	groupadd -g 945 ossec
-	groupadd -g 946 cyberchef
+	logCmd "groupadd -g 928 kratos"
+	logCmd "groupadd -g 930 elasticsearch"
+	logCmd "groupadd -g 931 logstash"
+	logCmd "groupadd -g 932 kibana"
+	logCmd "groupadd -g 933 elastalert"
+	logCmd "groupadd -g 934 curator"
+	logCmd "groupadd -g 937 zeek"
+	logCmd "groupadd -g 940 suricata"
+	logCmd "groupadd -g 941 stenographer"
+	logCmd "groupadd -g 945 ossec"
+	logCmd "groupadd -g 946 cyberchef"
 }
 
 reserve_ports() {
@@ -2163,7 +2161,7 @@ remove_package() {
 	local package_name=$1
 	if [ $OS = 'centos' ]; then
 		if rpm -qa | grep -q "$package_name"; then
-			yum remove -y "$package_name"
+			logCmd "yum remove -y $package_name"
 		fi
 	else
 		if dpkg -l | grep -q "$package_name"; then
@@ -2189,51 +2187,36 @@ saltify() {
 		fi 
 		case "$install_type" in
 			'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'FLEET' | 'HELIXSENSOR' | 'STANDALONE'| 'IMPORT')
-				reserve_group_ids >> "$setup_log" 2>&1
+				reserve_group_ids
 				if [[ ! $is_iso ]]; then
 				  logCmd "yum -y install sqlite curl mariadb-devel"
 				fi 
 				# Download Ubuntu Keys in case manager updates = 1
-				mkdir -p /opt/so/gpg >> "$setup_log" 2>&1
+				logCmd "mkdir -vp /opt/so/gpg"
 				if [[ ! $is_airgap ]]; then
-				  logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3003/SALTSTACK-GPG-KEY.pub"
+				  logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3004/SALTSTACK-GPG-KEY.pub"
 				  logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg"
 				  logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH"
 				fi
 				set_progress_str 7 'Installing salt-master'
 				if [[ ! $is_iso ]]; then
-				  logCmd "yum -y install salt-master-3003"
+				  logCmd "yum -y install salt-master-3004"
 				fi
-				systemctl enable salt-master >> "$setup_log" 2>&1
+				logCmd "systemctl enable salt-master"
 				;;
 			*)
 				;;
 		esac
 		if [[ ! $is_airgap ]]; then
-		  yum clean expire-cache >> "$setup_log" 2>&1
+		  logCmd "yum clean expire-cache"
 		fi
 		set_progress_str 8 'Installing salt-minion & python modules'
-		{
 			if [[ ! $is_iso ]]; then
-			  yum -y install salt-minion-3003\
-			  	httpd-tools\
-			   	python3\
-					python36-docker\
-					python36-dateutil\
-					python36-m2crypto\
-					python36-mysql\
-					python36-packaging\
-					python36-lxml\
-					yum-utils\
-					device-mapper-persistent-data\
-					lvm2\
-					openssl\
-					jq;
-					yum -y update --exclude=salt*;
+				logCmd "yum -y install salt-minion-3004 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq"
+				logCmd "yum -y update --exclude=salt*"
 			fi
-			systemctl enable salt-minion;
-		} >> "$setup_log" 2>&1
-		yum versionlock salt*
+		logCmd "systemctl enable salt-minion"
+		logCmd "yum versionlock salt*"
 	else
 		DEBIAN_FRONTEND=noninteractive retry 50 10 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1 || exit 1
 
@@ -2268,8 +2251,8 @@ saltify() {
 			'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT' | 'HELIXSENSOR')
 
 				# Add saltstack repo(s)
-				wget -q --inet4-only -O - https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3003/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1
-				echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3003 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log"
+				wget -q --inet4-only -O - https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1
+				echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log"
 
 				# Add Docker repo
 				curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1
@@ -2277,7 +2260,7 @@ saltify() {
 
 				# Get gpg keys
 				mkdir -p /opt/so/gpg >> "$setup_log" 2>&1
-				wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3003/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1
+				wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1
 				wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1
 				wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1
 
@@ -2290,7 +2273,7 @@ saltify() {
 				set_progress_str 6 'Installing various dependencies'
 				retry 50 10 "apt-get -y install sqlite3 libssl-dev" >> "$setup_log" 2>&1 || exit 1
 				set_progress_str 7 'Installing salt-master'
-				retry 50 10 "apt-get -y install salt-master=3003+ds-1" >> "$setup_log" 2>&1 || exit 1
+				retry 50 10 "apt-get -y install salt-master=3004+ds-1" >> "$setup_log" 2>&1 || exit 1
 				retry 50 10 "apt-mark hold salt-master" >> "$setup_log" 2>&1 || exit 1
 				;;
 			*)
@@ -2301,14 +2284,14 @@ saltify() {
 				echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" >> "$setup_log" 2>&1
 				apt-key add "$temp_install_dir"/gpg/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1
 				apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH >> "$setup_log" 2>&1
-				echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3003/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log"
+				echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log"
 				echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log"
 				;;
 		esac
 
 		retry 50 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1
 		set_progress_str 8 'Installing salt-minion & python modules'
-		retry 50 10 "apt-get -y install salt-minion=3003+ds-1 salt-common=3003+ds-1" >> "$setup_log" 2>&1 || exit 1
+		retry 50 10 "apt-get -y install salt-minion=3004+ds-1 salt-common=3004+ds-1" >> "$setup_log" 2>&1 || exit 1
 		retry 50 10 "apt-mark hold salt-minion salt-common" >> "$setup_log" 2>&1 || exit 1
 		retry 50 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" >> "$setup_log" 2>&1 || exit 1
 	fi
@@ -2345,19 +2328,24 @@ securityonion_repo() {
 		if [[ "$INTERWEBS" == "AIRGAP" ]]; then
 			echo "This is airgap I don't need to add this repo"
 		else
-			mkdir -p /root/oldrepos
-			mv -v /etc/yum.repos.d/* /root/oldrepos/
-			ls -la /etc/yum.repos.d/
-			rm -rf /etc/yum.repos.d
-			yum clean all
-			yum repolist all
-			mkdir -p /etc/yum.repos.d
 			if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then
-				cp -f ../salt/repo/client/files/centos/securityonioncache.repo /etc/yum.repos.d/
+				local repo_conf_file="../salt/repo/client/files/centos/securityonioncache.repo"
 			else
-				cp -f ../salt/repo/client/files/centos/securityonion.repo /etc/yum.repos.d/
+				local repo_conf_file="../salt/repo/client/files/centos/securityonion.repo"
 			fi
-			yum repolist all
+			# need to yum clean all before repo conf files are removed or clean,cleans nothing
+			logCmd "yum -v clean all"
+			# update this package before we remove repo config files because the repo config files get added back
+			# when the package is updated when the update_packages function is called
+			logCmd "yum -v -y -c $repo_conf_file update centos-release"
+			logCmd "mkdir -vp /root/oldrepos"
+			logCmd "mv -v /etc/yum.repos.d/* /root/oldrepos/"
+			logCmd "ls -la /etc/yum.repos.d/"
+			logCmd "rm -vrf /etc/yum.repos.d"
+			logCmd "yum repolist all"
+			logCmd "mkdir -vp /etc/yum.repos.d"
+			logCmd "cp -f $repo_conf_file /etc/yum.repos.d/"
+			logCmd "yum repolist all"
 		fi
 	else
 		echo "This is Ubuntu"
@@ -2771,8 +2759,8 @@ update_sudoers() {
 
 update_packages() {
 	if [ "$OS" = 'centos' ]; then
-	    yum repolist >> /dev/null
-        yum -y update --exclude=salt*,wazuh*,docker*,containerd* >> "$setup_log"
+	    logCmd "yum repolist"
+        logCmd "yum -y update --exclude=salt*,wazuh*,docker*,containerd*"
 	else
 		retry 50 10 "apt-get -y update" >> "$setup_log" 2>&1 || exit 1
 		retry 50 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || exit 1