remove old pillar

Assistant: Investigated Query Toggle Filter

salt/docker/init.sls

@@ -20,20 +20,20 @@ dockergroup:
 dockerheldpackages:
   pkg.installed:
     - pkgs:
-      - containerd.io: 2.2.1-1~debian.12~bookworm
-      - docker-ce: 5:29.2.1-1~debian.12~bookworm
-      - docker-ce-cli: 5:29.2.1-1~debian.12~bookworm
-      - docker-ce-rootless-extras: 5:29.2.1-1~debian.12~bookworm
+      - containerd.io: 1.7.21-1
+      - docker-ce: 5:27.2.0-1~debian.12~bookworm
+      - docker-ce-cli: 5:27.2.0-1~debian.12~bookworm
+      - docker-ce-rootless-extras: 5:27.2.0-1~debian.12~bookworm
     - hold: True
     - update_holds: True
 {%    elif grains.oscodename == 'jammy' %}
 dockerheldpackages:
   pkg.installed:
     - pkgs:
-      - containerd.io: 2.2.1-1~ubuntu.22.04~jammy
-      - docker-ce: 5:29.2.1-1~ubuntu.22.04~jammy
-      - docker-ce-cli: 5:29.2.1-1~ubuntu.22.04~jammy
-      - docker-ce-rootless-extras: 5:29.2.1-1~ubuntu.22.04~jammy
+      - containerd.io: 1.7.21-1
+      - docker-ce: 5:27.2.0-1~ubuntu.22.04~jammy
+      - docker-ce-cli: 5:27.2.0-1~ubuntu.22.04~jammy
+      - docker-ce-rootless-extras: 5:27.2.0-1~ubuntu.22.04~jammy
     - hold: True
     - update_holds: True
 {%    else %}
@@ -51,10 +51,10 @@ dockerheldpackages:
 dockerheldpackages:
   pkg.installed:
     - pkgs:
-      - containerd.io: 2.2.1-1.el9
-      - docker-ce: 3:29.2.1-1.el9
-      - docker-ce-cli: 1:29.2.1-1.el9
-      - docker-ce-rootless-extras: 29.2.1-1.el9
+      - containerd.io: 1.7.21-3.1.el9
+      - docker-ce: 3:27.2.0-1.el9
+      - docker-ce-cli: 1:27.2.0-1.el9
+      - docker-ce-rootless-extras: 27.2.0-1.el9
     - hold: True
     - update_holds: True
 {% endif %}
@@ -106,8 +106,6 @@ dockerreserveports:
     - source: salt://common/files/99-reserved-ports.conf
     - name: /etc/sysctl.d/99-reserved-ports.conf
 
-# If this network doesn't already exist
-{% if not salt['docker.networks'](names='sobridge') %}
 sos_docker_net:
   docker_network.present:
     - name: sobridge
@@ -119,4 +117,4 @@ sos_docker_net:
         com.docker.network.bridge.enable_ip_masquerade: 'true'
         com.docker.network.bridge.enable_icc: 'true'
         com.docker.network.bridge.host_binding_ipv4: '0.0.0.0'
-{% endif %}
+    - unless: 'docker network ls | grep sobridge'

salt/elasticsearch/soc_elasticsearch.yaml

@@ -84,13 +84,6 @@ elasticsearch:
     custom008: *pipelines
     custom009: *pipelines
     custom010: *pipelines
-  managed_integrations:
-    description: List of integrations to add into SOC config UI. Enter the full or partial integration name. Eg. 1password, 1pass
-    forcedType: "[]string"
-    multiline: True
-    global: True
-    advanced: True
-    helpLink: elasticsearch.html
   index_settings:
     global_overrides:
       index_template:

salt/manager/managed_soc_annotations.sls

@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 
 {# Managed elasticsearch/soc_elasticsearch.yaml file for adding integration configuration items to UI #}
-{% set managed_integrations = salt['pillar.get']('elasticsearch:managed_integrations', []) %}
+{% set managed_integrations = salt['pillar.get']('manager:managed_integrations', []) %}
 {% if managed_integrations and salt['file.file_exists']('/opt/so/state/esfleet_package_components.json') and salt['file.file_exists']('/opt/so/state/esfleet_component_templates.json') %}
 {%   from 'elasticfleet/integration-defaults.map.jinja' import ADDON_INTEGRATION_DEFAULTS %}
 {%   set addon_integration_keys = ADDON_INTEGRATION_DEFAULTS.keys() %}

salt/manager/soc_manager.yaml

@@ -78,3 +78,10 @@ manager:
         advanced: True
         helpLink: elastic-fleet.html
         forcedType: int
+  managed_integrations:
+    description: List of integrations to add into SOC config UI. Enter the full or partial integration name. Eg. 1password, 1pass
+    forcedType: "[]string"
+    multiline: True
+    global: True
+    advanced: True
+    helpLink: elasticsearch.html

salt/manager/tools/sbin/soup

@@ -165,7 +165,7 @@ EOF
 }
 
 airgap_update_dockers() {
-  if [[ $is_airgap -eq 0 ]] || [[ $nonairgap_useiso -eq 0 ]]; then
+  if [[ $is_airgap -eq 0 ]] || [[ ! -z "$ISOLOC" ]]; then
     # Let's copy the tarball
     if [[ ! -f $AGDOCKER/registry.tar ]]; then
       echo "Unable to locate registry. Exiting"
@@ -200,24 +200,13 @@ update_registry() {
 check_airgap() {
   # See if this is an airgap install
   AIRGAP=$(cat /opt/so/saltstack/local/pillar/global/soc_global.sls | grep airgap: | awk '{print $2}' | tr '[:upper:]' '[:lower:]')
-  if [[ ! -z "$ISOLOC" ]]; then
-    # flag to use ISO for non-airgap installs, won't be used everywhere is_airgap -eq 0 is used. Used to speed up network soups by using local storage for large files.
-    nonairgap_useiso=0
-  else
-    nonairgap_useiso=1
-  fi
-
   if [[ "$AIRGAP" == "true" ]]; then
       is_airgap=0
-    else
-      is_airgap=1
-  fi
-
-  # use ISO if its airgap install OR ISOLOC was set with -f <path>
-  if [[ "$AIRGAP" == "true" ]] || [[ $nonairgap_useiso -eq 0 ]]; then
       UPDATE_DIR=/tmp/soagupdate/SecurityOnion
       AGDOCKER=/tmp/soagupdate/docker
       AGREPO=/tmp/soagupdate/minimal/Packages
+  else
+      is_airgap=1
   fi
 }
 
@@ -708,6 +697,19 @@ post_to_2.4.210() {
   echo "Regenerating Elastic Agent Installers"
   /sbin/so-elastic-agent-gen-installers
 
+  # migrate elasticsearch:managed_integrations pillar to manager:managed_integrations
+  if managed_integrations=$(/usr/sbin/so-yaml.py get /opt/so/saltstack/local/pillar/elasticsearch/soc_elasticsearch.sls elasticsearch.managed_integrations); then
+    local managed_integrations_old_pillar="/tmp/elasticsearch-managed_integrations.yaml"
+
+    echo "Migrating managed_integrations pillar"
+    echo -e "$managed_integrations" > "$managed_integrations_old_pillar"
+
+    /usr/sbin/so-yaml.py add /opt/so/saltstack/local/pillar/manager/soc_manager.sls manager.managed_integrations file:$managed_integrations_old_pillar > /dev/null 2>&1
+
+    /usr/sbin/so-yaml.py remove /opt/so/saltstack/local/pillar/elasticsearch/soc_elasticsearch.sls elasticsearch.managed_integrations
+  fi
+
+
   POSTVERSION=2.4.210
 }
 
@@ -1398,7 +1400,7 @@ so-yaml.py removelistitem /etc/salt/master file_roots.base /opt/so/rules/nids
 }
 
 determine_elastic_agent_upgrade() {
-  if [[ $is_airgap -eq 0 ]] || [[ $nonairgap_useiso -eq 0 ]]; then
+  if [[ $is_airgap -eq 0 ]]; then
     update_elastic_agent_airgap
   else
     set +e
@@ -2016,10 +2018,15 @@ main() {
   MINION_ROLE=$(lookup_role)
   echo "Found that Security Onion $INSTALLEDVERSION is currently installed."
   echo ""
-  if [[ $is_airgap -eq 0 ]] || [[ $nonairgap_useiso -eq 0 ]]; then
-    # Let's mount the ISO since this is airgap or non-airgap with -f used
+  if [[ $is_airgap -eq 0 ]]; then
+    # Let's mount the ISO since this is airgap
     airgap_mounted
   else
+    # if not airgap but -f was used
+    if [[ ! -z "$ISOLOC" ]]; then
+      airgap_mounted
+      AGDOCKER=/tmp/soagupdate/docker
+    fi
     echo "Cloning Security Onion github repo into $UPDATE_DIR."
     echo "Removing previous upgrade sources."
     rm -rf $UPDATE_DIR
@@ -2039,8 +2046,7 @@ main() {
   upgrade_check_salt
   set -e
 
-  if [[ $is_airgap -eq 0 ]] || [[ $nonairgap_useiso -eq 0 ]]; then
-    # non-airgap with -f used can do an initial ISO repo update and so-repo-sync cron job will sync any diff later via network
+  if [[ $is_airgap -eq 0 ]]; then
     update_airgap_repo
     dnf clean all
     check_os_updates

salt/soc/defaults.yaml

@@ -2380,6 +2380,10 @@ soc:
               exclusive: true
               enablesToggles:
                 - acknowledged
+            - name: investigated
+              filter: event.investigated:true
+              enabled: false
+              exclusive: false
           queries:
             - name: 'Group By Name, Module'
               query: '* | groupby rule.name event.module* event.severity_label rule.uuid'