From da94788255407268b2edbfcae0894e20d185b7bd Mon Sep 17 00:00:00 2001
From: Josh Patterson <josh.patterson@securityonionsolutions.com>
Date: Fri, 26 Jun 2026 10:51:41 -0400
Subject: [PATCH] Move highstate_interval_hours to salt.schedule and split
 schedule.sls

highstate_interval_hours describes the per-minion highstate schedule, not the
active-push pipeline, so relocate it from salt.auto_apply to a new salt.schedule
settings subtree. Repoint so-salt-minion-check at the new pillar path (it had
been left on the stale global:push path) so its restart grace period tracks the
schedule again.

- Add salt.schedule.highstate_interval_hours to defaults.yaml/soc_salt.yaml and a
  side-effect-free salt/salt/schedule.map.jinja (SCHEDULEMERGED), matching the
  *MERGED map convention. Consumers read SCHEDULEMERGED.highstate_interval_hours.
- Split salt/schedule.sls into salt/salt/highstate_schedule.sls (every minion) and
  salt/salt/push_drain_schedule.sls (managers); update top.sls to apply the
  highstate schedule via '*' and the drainer schedule via the configured-manager
  block. Remove the now-empty schedule.sls aggregator.
- pillar_push_map.yaml and so-push-drainer: comment/doc updates only.
---
 salt/common/tools/sbin_jinja/so-salt-minion-check   |  6 +++---
 salt/manager/tools/sbin/so-push-drainer             |  2 +-
 salt/reactor/pillar_push_map.yaml                   | 12 ++++++------
 salt/salt/defaults.yaml                             |  3 ++-
 salt/salt/highstate_schedule.sls                    | 11 +++++++++++
 salt/{schedule.sls => salt/push_drain_schedule.sls} |  9 ---------
 salt/salt/schedule.map.jinja                        |  2 ++
 salt/salt/soc_salt.yaml                             | 13 +++++++------
 salt/top.sls                                        |  4 ++--
 9 files changed, 34 insertions(+), 28 deletions(-)
 create mode 100644 salt/salt/highstate_schedule.sls
 rename salt/{schedule.sls => salt/push_drain_schedule.sls} (69%)
 create mode 100644 salt/salt/schedule.map.jinja

diff --git a/salt/common/tools/sbin_jinja/so-salt-minion-check b/salt/common/tools/sbin_jinja/so-salt-minion-check
index 3b2b32afe..1376193cc 100755
--- a/salt/common/tools/sbin_jinja/so-salt-minion-check
+++ b/salt/common/tools/sbin_jinja/so-salt-minion-check
@@ -5,7 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-
+{% from 'salt/schedule.map.jinja' import SCHEDULEMERGED %}
 
 # this script checks the time the file /opt/so/log/salt/state-apply-test was last modified and restarts the salt-minion service if it is outside a threshold date/time
 # the file is modified via file.touch using a scheduled job healthcheck.salt-minion.state-apply-test that runs a state.apply. 
@@ -23,8 +23,8 @@ SYSTEM_START_TIME=$(date -d "$(</proc/uptime awk '{print $1}') seconds ago" +%s)
 LAST_HIGHSTATE_END=$([ -e "/opt/so/log/salt/lasthighstate" ] && date -r /opt/so/log/salt/lasthighstate +%s || echo 0)
 LAST_HEALTHCHECK_STATE_APPLY=$([ -e "/opt/so/log/salt/state-apply-test" ] && date -r /opt/so/log/salt/state-apply-test +%s || echo 0)
 # SETTING THRESHOLD TO ANYTHING UNDER 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default
-# THRESHOLD is derived from the global push highstate interval + 1 hour, so the minion-check grace period tracks the schedule automatically.
-THRESHOLD=$(( ({{ salt['pillar.get']('global:push:highstate_interval_hours', 2) }} + 1) * 3600 )) #within how many seconds the file /opt/so/log/salt/state-apply-test must have been touched/modified before the salt minion is restarted
+# THRESHOLD is derived from the salt schedule highstate interval + 1 hour, so the minion-check grace period tracks the schedule automatically.
+THRESHOLD=$(( ({{ SCHEDULEMERGED.highstate_interval_hours }} + 1) * 3600 )) #within how many seconds the file /opt/so/log/salt/state-apply-test must have been touched/modified before the salt minion is restarted
 THRESHOLD_DATE=$((LAST_HEALTHCHECK_STATE_APPLY+THRESHOLD))
 
 logCmd() {
diff --git a/salt/manager/tools/sbin/so-push-drainer b/salt/manager/tools/sbin/so-push-drainer
index fe25d31fc..fbbd952a4 100644
--- a/salt/manager/tools/sbin/so-push-drainer
+++ b/salt/manager/tools/sbin/so-push-drainer
@@ -10,7 +10,7 @@ so-push-drainer
 ===============
 
 Scheduled drainer for the active-push feature. Runs on the manager every
-drain_interval seconds (default 15) via a salt schedule in salt/schedule.sls.
+drain_interval seconds (default 15) via a salt schedule in salt/salt/push_drain_schedule.sls.
 
 For each intent file under /opt/so/state/push_pending/*.json whose last_touch
 is older than debounce_seconds, this script:
diff --git a/salt/reactor/pillar_push_map.yaml b/salt/reactor/pillar_push_map.yaml
index 51ad1db81..c77f5e93c 100644
--- a/salt/reactor/pillar_push_map.yaml
+++ b/salt/reactor/pillar_push_map.yaml
@@ -186,12 +186,12 @@ registry:
     tgt: 'G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managerhype or G@role:so-managersearch or G@role:so-standalone'
 
 # salt: fanout to a fleetwide highstate. The salt.auto_apply settings tune the
-# push pipeline itself (enabled, debounce/drain intervals, batch sizing) and the
-# per-minion highstate schedule; they are consumed by the manager's schedule,
-# beacons, and master reactor config as well as every minion's highstate
-# schedule, so a targeted re-apply isn't meaningful. A salt audit row only fires
-# for SOC-driven salt.auto_apply edits -- salt version bumps go through soup, not
-# SOC, so they never reach this map.
+# push pipeline itself (enabled, debounce/drain intervals, batch sizing) and
+# salt.schedule sets the per-minion highstate interval; they are consumed by the
+# manager's schedule, beacons, and master reactor config as well as every
+# minion's highstate schedule, so a targeted re-apply isn't meaningful. A salt
+# audit row only fires for SOC-driven salt.auto_apply / salt.schedule edits --
+# salt version bumps go through soup, not SOC, so they never reach this map.
 salt:
   - highstate: True
     tgt: '*'
diff --git a/salt/salt/defaults.yaml b/salt/salt/defaults.yaml
index 7dcbf0ff8..12d0373d5 100644
--- a/salt/salt/defaults.yaml
+++ b/salt/salt/defaults.yaml
@@ -1,8 +1,9 @@
 salt:
   auto_apply:
     enabled: true
-    highstate_interval_hours: 2
     debounce_seconds: 30
     drain_interval: 15
     batch: '25%'
     batch_wait: 15
+  schedule:
+    highstate_interval_hours: 2
diff --git a/salt/salt/highstate_schedule.sls b/salt/salt/highstate_schedule.sls
new file mode 100644
index 000000000..ca2797387
--- /dev/null
+++ b/salt/salt/highstate_schedule.sls
@@ -0,0 +1,11 @@
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'salt/schedule.map.jinja' import SCHEDULEMERGED %}
+
+highstate_schedule:
+  schedule.present:
+    - function: state.highstate
+    - hours: {{ SCHEDULEMERGED.highstate_interval_hours }}
+    - maxrunning: 1
+{% if not GLOBALS.is_manager %}
+    - splay: 1800
+{% endif %}
diff --git a/salt/schedule.sls b/salt/salt/push_drain_schedule.sls
similarity index 69%
rename from salt/schedule.sls
rename to salt/salt/push_drain_schedule.sls
index 0b71dc65f..feee8288d 100644
--- a/salt/schedule.sls
+++ b/salt/salt/push_drain_schedule.sls
@@ -1,15 +1,6 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'salt/auto_apply.map.jinja' import AUTOAPPLY %}
 
-highstate_schedule:
-  schedule.present:
-    - function: state.highstate
-    - hours: {{ AUTOAPPLY.highstate_interval_hours }}
-    - maxrunning: 1
-{% if not GLOBALS.is_manager %}
-    - splay: 1800
-{% endif %}
-
 {% if GLOBALS.is_manager and AUTOAPPLY.enabled %}
 push_drain_schedule:
   schedule.present:
diff --git a/salt/salt/schedule.map.jinja b/salt/salt/schedule.map.jinja
new file mode 100644
index 000000000..b9eeedfe6
--- /dev/null
+++ b/salt/salt/schedule.map.jinja
@@ -0,0 +1,2 @@
+{% import_yaml 'salt/defaults.yaml' as SALT_DEFAULTS %}
+{% set SCHEDULEMERGED = salt['pillar.get']('salt:schedule', SALT_DEFAULTS.salt.schedule, merge=True) %}
diff --git a/salt/salt/soc_salt.yaml b/salt/salt/soc_salt.yaml
index 530c5ab79..0aa0aaf89 100644
--- a/salt/salt/soc_salt.yaml
+++ b/salt/salt/soc_salt.yaml
@@ -5,12 +5,6 @@ salt:
       forcedType: bool
       helpLink: push
       global: True
-    highstate_interval_hours:
-      description: How often every minion in the grid runs a scheduled state.highstate, in hours. Lower values keep minions closer in sync at the cost of more load; higher values reduce load but increase worst-case latency for non-pushed changes. The salt-minion health check restarts a minion if its last highstate is older than this value plus one hour.
-      forcedType: int
-      helpLink: push
-      global: True
-      advanced: True
     debounce_seconds:
       description: Trailing-edge debounce window in seconds. A push intent must be quiet for this long before the drainer dispatches. Rapid bursts of edits within this window coalesce into one dispatch.
       forcedType: int
@@ -36,3 +30,10 @@ salt:
       helpLink: push
       global: True
       advanced: True
+  schedule:
+    highstate_interval_hours:
+      description: How often every minion in the grid runs a scheduled state.highstate, in hours. Lower values keep minions closer in sync at the cost of more load; higher values reduce load but increase worst-case latency for non-pushed changes. The salt-minion health check restarts a minion if its last highstate is older than this value plus one hour.
+      forcedType: int
+      helpLink: push
+      global: True
+      advanced: True
diff --git a/salt/top.sls b/salt/top.sls
index cf743edd1..5e194b046 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -19,7 +19,7 @@ base:
     - repo.client
     - versionlock
     - ntp
-    - schedule
+    - salt.highstate_schedule
     - logrotate
 
   # manager node on proper salt version with empty node_data pillar
@@ -55,6 +55,7 @@ base:
     - motd
     - salt.minion-check
     - salt.lasthighstate
+    - salt.push_drain_schedule
     - common
     - docker
     - docker_clean
@@ -300,7 +301,6 @@ base:
     - nginx
     - elasticfleet
     - elasticfleet.install_agent_grid
-    - schedule
     - stig
 
   '*_hypervisor and I@features:vrt and G@saltversion:{{saltversion}}':