From 576d218cd9334beaaad706d96bbfba096dd7f7a3 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 6 Sep 2024 08:10:59 -0400
Subject: [PATCH 1/4] dont restart suricata during setup. retry rule reload for 3 minutes
---
 salt/suricata/tools/sbin/so-suricata-reload-rules | 4 ++--
 setup/so-setup | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/salt/suricata/tools/sbin/so-suricata-reload-rules b/salt/suricata/tools/sbin/so-suricata-reload-rules
index 099cd2f7c..e09474b6e 100644
--- a/salt/suricata/tools/sbin/so-suricata-reload-rules
+++ b/salt/suricata/tools/sbin/so-suricata-reload-rules
@@ -7,5 +7,5 @@
 . /usr/sbin/so-common
-retry 40 3 'docker exec -it so-suricata /opt/suricata/bin/suricatasc -c reload-rules /var/run/suricata/suricata-command.socket' '{"message": "done", "return": "OK"}'
-retry 40 3 'docker exec -it so-suricata /opt/suricata/bin/suricatasc -c ruleset-reload-nonblocking /var/run/suricata/suricata-command.socket' '{"message": "done", "return": "OK"}'
+retry 60 3 'docker exec -it so-suricata /opt/suricata/bin/suricatasc -c reload-rules /var/run/suricata/suricata-command.socket' '{"message": "done", "return": "OK"}' || fail "The Suricata container was not ready in time."
+retry 60 3 'docker exec -it so-suricata /opt/suricata/bin/suricatasc -c ruleset-reload-nonblocking /var/run/suricata/suricata-command.socket' '{"message": "done", "return": "OK"}' || fail "The Suricata container was not ready in time."
diff --git a/setup/so-setup b/setup/so-setup
index bd8a8c6ba..cb4e7ebf0 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -759,8 +759,8 @@ if ! [[ -f $install_opt_file ]]; then
 title "Downloading IDS Rules"
 logCmd "so-rule-update"
 if [[ $monints || $is_import ]]; then
- title "Restarting Suricata to pick up the new rules"
- logCmd "so-suricata-restart"
+ title "Applying the Suricata state to load the new rules"
+ logCmd "salt-call state.apply suricata -l info"
 fi
 fi
 title "Setting up Kibana Default Space"
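Review bot: Both new retry lines fail with the identical message `The Suricata container was not ready in time.`, so a log cannot tell whether `reload-rules` or `ruleset-reload-nonblocking` was the step that timed out; give the second call its own text, e.g. `|| fail "Suricata did not acknowledge ruleset-reload-nonblocking within 3 minutes."`. The wording is also misleading when the container is up but suricatasc answers something other than the expected `{"message": "done", "return": "OK"}`, since retry appears to compare output rather than reachability (retry and fail are defined in so-common, outside this hunk). Separately, `docker exec -it` requests a TTY; if this script is reached from the non-interactive `salt-call state.apply suricata` path that the so-setup hunk in this same patch introduces, stdin is not a terminal and the exec can refuse to start, so `-i` alone (or no flags) is the safer form for an automated reload.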
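Review bot: The new `logCmd "salt-call state.apply suricata -l info"` replaces a targeted restart with a full state apply, and nothing in the hunk checks that the apply succeeded or that the rules were actually reloaded; if `logCmd` only records output (its definition is outside this hunk), a failed apply lets setup continue to the Kibana step with stale rules. Have this branch surface a non-zero status from logCmd as a warning or failure rather than relying on the title text. A one-line comment would also preserve the intent the commit title gives, e.g. `# apply the state instead of so-suricata-restart so the new rules are loaded without restarting the container`. The enclosing `if ! [[ -f $install_opt_file ]]` block starts outside the hunk.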
From fc25bfe0dfc161a859a96ad04be389bd3d6a8829 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 6 Sep 2024 09:04:43 -0400
Subject: [PATCH 2/4] grab es version from defaults during soup
---
 salt/common/tools/sbin/so-common | 3 ++-
 salt/manager/tools/sbin/soup | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index 68288791d..6ae35324f 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -677,7 +677,8 @@ has_uppercase() {
 }
 update_elastic_agent() {
- get_elastic_agent_vars
+ local path="${1:-/opt/so/saltstack/default}"
+ get_elastic_agent_vars "$path"
 echo "Checking if Elastic Agent update is necessary..."
 download_and_verify "$ELASTIC_AGENT_URL" "$ELASTIC_AGENT_MD5_URL" "$ELASTIC_AGENT_FILE" "$ELASTIC_AGENT_MD5" "$ELASTIC_AGENT_EXPANSION_DIR"
 }
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 6725814c6..6b6b4d64a 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -837,7 +837,8 @@ determine_elastic_agent_upgrade() {
 if [[ $is_airgap -eq 0 ]]; then
 update_elastic_agent_airgap
 else
- update_elastic_agent
+ # the new elasticsearch defaults.yaml file is not yet placed in /opt/so/saltstack/default/salt/elasticsearch yet
+ update_elastic_agent "$UPDATE_DIR"
 fi
 }
From 331f63eadd10adf31009d7bea3259c0fcb6279fe Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 6 Sep 2024 10:30:22 -0400
Subject: [PATCH 3/4] pass path for airgap
---
 salt/manager/tools/sbin/soup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 6b6b4d64a..7807c9884 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
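Review bot: `update_elastic_agent` gains a positional parameter that is neither documented nor validated; a caller passing a wrong path gets whatever `get_elastic_agent_vars` does with a missing defaults file (its definition is outside this hunk) instead of a clear error. Add a header comment such as `# Arguments: $1 - saltstack root whose elasticsearch/defaults.yaml is read (presumably for the agent version); defaults to /opt/so/saltstack/default` and guard the value with `[[ -d "$path" ]] || { echo "update_elastic_agent: $path is not a directory" >&2; return 1; }` before the call. Note that `${1:-...}` substitutes the default for an empty string as well as for a missing argument, so a caller that passes an unset variable silently reads the old on-disk defaults, which is the case this commit is meant to avoid.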
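Review bot: The added comment reads `... is not yet placed in /opt/so/saltstack/default/salt/elasticsearch yet`, with a doubled "yet", and it never says what `$UPDATE_DIR` is, which is what the next line actually depends on; rewrite it as `# $UPDATE_DIR holds the incoming elasticsearch/defaults.yaml; it has not been copied to /opt/so/saltstack/default/salt/elasticsearch at this point`. `$UPDATE_DIR` is set outside this hunk, so whether it is guaranteed non-empty here cannot be confirmed; if it were empty, the `${1:-...}` fallback in `update_elastic_agent` would quietly revert to the stale default path. A `: "${UPDATE_DIR:?UPDATE_DIR must be set before update_elastic_agent}"` on the line before the call makes that failure loud. The enclosing `determine_elastic_agent_upgrade` starts outside the hunk.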
@@ -843,7 +843,7 @@ determine_elastic_agent_upgrade() {
 }
 update_elastic_agent_airgap() {
- get_elastic_agent_vars
+ get_elastic_agent_vars "/tmp/soagupdate/SecurityOnion"
 rsync -av /tmp/soagupdate/fleet/* /nsm/elastic-fleet/artifacts/
 tar -xf "$ELASTIC_AGENT_FILE" -C "$ELASTIC_AGENT_EXPANSION_DIR"
 }
From 2e379dd29c34957acc6caced0e1674b5a78c7191 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 6 Sep 2024 10:44:35 -0400
Subject: [PATCH 4/4] fix line delete causing issues sourcing so-common and es agent grid upgrade
---
 .../elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade
index 360aa2cf8..1ce379c1c 100644
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade
@@ -5,7 +5,7 @@
 # this file except in compliance with the Elastic License 2.0.
 . /usr/sbin/so-common
-{%- import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS -%}
+{%- import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %}
 # Only run on Managers
 if ! is_manager_node; then
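Review bot: `get_elastic_agent_vars "/tmp/soagupdate/SecurityOnion"` hard-codes the staging path a second time inside this function (the `rsync` line below already spells out `/tmp/soagupdate/fleet/*`), while the non-airgap branch in the 837 hunk of the same file passes `$UPDATE_DIR`; if `$UPDATE_DIR` resolves to that same checkout, reuse it here, otherwise hoist `local agupdate_root=/tmp/soagupdate` and derive both paths from it so they cannot drift. Because this function treats a fixed directory under /tmp as the trusted source of the agent version and artifacts, whichever code creates `/tmp/soagupdate` (outside this hunk) should be the place that checks the directory is fresh and owned by soup. The unquoted glob in the rsync line is pre-existing, but passing the directory as `/tmp/soagupdate/fleet/` would avoid glob expansion in the same pass.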
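Review bot: The one-character change from `-%}` to `%}` is doing real work and should say so, because the leading `{%-` already strips the newline that ends `. /usr/sbin/so-common`; with `-%}` the tag's trailing newline was stripped as well, so the rendered script fused `# Only run on Managers` onto the source line and made the shell look for a file named `so-common#` followed by the comment text, which matches the "issues sourcing so-common" in the commit title. A Jinja comment on the line above the tag keeps the next editor from "tidying" it back, e.g. `{# keep the trailing newline: '{%-' already consumes the line break after the so-common source line #}`. Whether the blank line that the hunk counts imply between the tag and the comment survives rendering cannot be confirmed from the collapsed text here.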