Remove version 3.0.0 from discussion template

2026-03-26 14:32:42 +01:00 · 2026-03-13 10:50:17 -04:00
172 changed files with 1659 additions and 855 deletions
--- a/.github/workflows/pythontest.yml
+++ b/.github/workflows/pythontest.yml
@@ -13,7 +13,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        python-version: ["3.14"]
+        python-version: ["3.13"]
        python-code-path: ["salt/sensoroni/files/analyzers", "salt/manager/tools/sbin"]
    steps:
--- a/salt/_modules/needs_restarting.py
+++ b/salt/_modules/needs_restarting.py
@@ -1,14 +1,24 @@
 from os import path
 import subprocess
 def check():
  osfam = __grains__['os_family']
  retval = 'False'
-  cmd = 'needs-restarting -r > /dev/null 2>&1'
+  if osfam == 'Debian':
    if path.exists('/var/run/reboot-required'):
      retval = 'True'
-  try:
+  elif osfam == 'RedHat':
-    needs_restarting = subprocess.check_call(cmd, shell=True)
+    cmd = 'needs-restarting -r > /dev/null 2>&1'
-  except subprocess.CalledProcessError:
+    
-    retval = 'True'
+    try:
      needs_restarting = subprocess.check_call(cmd, shell=True)
    except subprocess.CalledProcessError:
      retval = 'True'
  else:
    retval = 'Unsupported OS: %s' % os
  return retval
--- a/salt/ca/trustca.sls
+++ b/salt/ca/trustca.sls
@@ -3,6 +3,8 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 include:
  - docker
@@ -16,3 +18,9 @@ trusttheca:
    - show_changes: False
    - makedirs: True
 {% if GLOBALS.os_family == 'Debian' %}
 symlinkca:
  file.symlink:
    - target: /etc/pki/tls/certs/intca.crt
    - name: /etc/ssl/certs/intca.crt
 {% endif %}
--- a/salt/common/files/daemon.json
+++ b/salt/common/files/daemon.json
@@ -0,0 +1,19 @@
 {
  "registry-mirrors": [
    "https://:5000"
  ],
  "bip": "172.17.0.1/24",
  "default-address-pools": [
    {
      "base": "172.17.0.0/24",
      "size": 24
    }
  ],
  "default-ulimits": {
      "nofile": {
        "Name": "nofile",
        "Soft": 1048576,
        "Hard": 1048576
      }
  }
 }
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -20,6 +20,11 @@ kernel.printk:
  sysctl.present:
    - value: "3 4 1 3"
 # Remove variables.txt from /tmp - This is temp
 rmvariablesfile:
  file.absent:
    - name: /tmp/variables.txt
 # Add socore Group
 socoregroup:
  group.present:
@@ -144,6 +149,28 @@ common_sbin_jinja:
      - so-import-pcap
 {% endif %}
 {% if GLOBALS.role == 'so-heavynode' %}
 remove_so-pcap-import_heavynode:
  file.absent:
    - name: /usr/sbin/so-pcap-import
 remove_so-import-pcap_heavynode:
  file.absent:
    - name: /usr/sbin/so-import-pcap
 {% endif %}
 {% if not GLOBALS.is_manager%}
 # prior to 2.4.50 these scripts were in common/tools/sbin on the manager because of soup and distributed to non managers
 # these two states remove the scripts from non manager nodes
 remove_soup:
  file.absent:
    - name: /usr/sbin/soup
 remove_so-firewall:
  file.absent:
    - name: /usr/sbin/so-firewall
 {% endif %}
 so-status_script:
  file.managed:
    - name: /usr/sbin/so-status
--- a/salt/common/packages.sls
+++ b/salt/common/packages.sls
@@ -1,5 +1,52 @@
 # we cannot import GLOBALS from vars/globals.map.jinja in this state since it is called in setup.virt.init
 # since it is early in setup of a new VM, the pillars imported in GLOBALS are not yet defined
 {% if grains.os_family == 'Debian' %}
 commonpkgs:
  pkg.installed:
    - skip_suggestions: True
    - pkgs:
      - apache2-utils
      - wget
      - ntpdate
      - jq
      - curl
      - ca-certificates
      - software-properties-common
      - apt-transport-https
      - openssl
      - netcat-openbsd
      - sqlite3
      - libssl-dev
      - procps
      - python3-dateutil
      - python3-docker
      - python3-packaging
      - python3-lxml
      - git
      - rsync
      - vim
      - tar
      - unzip
      - bc
      {% if grains.oscodename != 'focal' %}
      - python3-rich
      {% endif %}
 {%     if grains.oscodename == 'focal' %}
 # since Ubuntu requires and internet connection we can use pip to install modules
 python3-pip:
  pkg.installed
 python-rich:
  pip.installed:
    - name: rich
    - target: /usr/local/lib/python3.8/dist-packages/
    - require:
      - pkg: python3-pip
 {%     endif %}
 {% endif %}
 {% if grains.os_family == 'RedHat' %}
 remove_mariadb:
  pkg.removed:
@@ -37,3 +84,5 @@ commonpkgs:
      - unzip
      - wget
      - yum-utils
 {% endif %}
--- a/salt/common/soup_scripts.sls
+++ b/salt/common/soup_scripts.sls
@@ -11,6 +11,14 @@
 {%   endif %}
 {%   set SOVERSION = salt['file.read']('/etc/soversion').strip() %}
 remove_common_soup:
  file.absent:
    - name: /opt/so/saltstack/default/salt/common/tools/sbin/soup
 remove_common_so-firewall:
  file.absent:
    - name: /opt/so/saltstack/default/salt/common/tools/sbin/so-firewall
 # This section is used to put the scripts in place in the Salt file system
 # in case a state run tries to overwrite what we do in the next section.
 copy_so-common_common_tools_sbin:
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -349,16 +349,21 @@ get_random_value() {
 }
 gpg_rpm_import() {
-	if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
+	if [[ $is_oracle ]]; then
-		local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
+	    if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
-	else
+	        local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
-		local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
+	    else
 	        local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
 	    fi
 		RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
 		for RPMKEY in "${RPMKEYS[@]}"; do
    	        rpm --import $RPMKEYSLOC/$RPMKEY
 	        echo "Imported $RPMKEY"
 	    done
 	elif [[ $is_rpm ]]; then
 		echo "Importing the security onion GPG key"
 		rpm --import ../salt/repo/client/files/oracle/keys/securityonion.pub
 	fi
 	RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
 	for RPMKEY in "${RPMKEYS[@]}"; do
 		rpm --import $RPMKEYSLOC/$RPMKEY
 		echo "Imported $RPMKEY"
 	done
 }
 header() {
@@ -610,19 +615,69 @@ salt_minion_count() {
 }
 set_os() {
-	if [ -f /etc/redhat-release ] && grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release && [ -f /etc/oracle-release ]; then
+	if [ -f /etc/redhat-release ]; then
-		OS=oracle
+		if grep -q "Rocky Linux release 9" /etc/redhat-release; then
-		OSVER=9
+			OS=rocky
-		is_oracle=true
+			OSVER=9
-		is_rpm=true
+			is_rocky=true
 			is_rpm=true
 		elif grep -q "CentOS Stream release 9" /etc/redhat-release; then
 			OS=centos
 			OSVER=9
 			is_centos=true
 			is_rpm=true
 		elif grep -q "AlmaLinux release 9" /etc/redhat-release; then
 			OS=alma
 			OSVER=9
 			is_alma=true
 			is_rpm=true
 		elif grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release; then
 			if [ -f /etc/oracle-release ]; then
 				OS=oracle
 				OSVER=9
 				is_oracle=true
 				is_rpm=true
 			else
 				OS=rhel
 				OSVER=9
 				is_rhel=true
 				is_rpm=true
 			fi
 		fi
 		cron_service_name="crond"
 	elif [ -f /etc/os-release ]; then
 		if grep -q "UBUNTU_CODENAME=focal" /etc/os-release; then
 			OSVER=focal
 			UBVER=20.04
 			OS=ubuntu
 			is_ubuntu=true
 			is_deb=true
 		elif grep -q "UBUNTU_CODENAME=jammy" /etc/os-release; then
 			OSVER=jammy
 			UBVER=22.04
 			OS=ubuntu
 			is_ubuntu=true
 			is_deb=true
 		elif grep -q "VERSION_CODENAME=bookworm" /etc/os-release; then
 			OSVER=bookworm
 			DEBVER=12
 			is_debian=true
 			OS=debian
 			is_deb=true
 		fi
 		cron_service_name="cron"
 	fi
 	cron_service_name="crond"
 }
 set_minionid() {
 	MINIONID=$(lookup_grain id)
 }
 set_palette() {
 	if [[ $is_deb ]]; then
 	    update-alternatives --set newt-palette /etc/newt/palette.original
    fi
 }
 set_version() {
 	CURRENTVERSION=0.0.0
--- a/salt/curator/disabled.sls
+++ b/salt/curator/disabled.sls
@@ -0,0 +1,34 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 so-curator:
  docker_container.absent:
    - force: True
 so-curator_so-status.disabled:
  file.line:
    - name: /opt/so/conf/so-status/so-status.conf
    - match: ^so-curator$
    - mode: delete
 so-curator-cluster-close:
  cron.absent:
    - identifier: so-curator-cluster-close
 so-curator-cluster-delete:
  cron.absent:
    - identifier: so-curator-cluster-delete
 delete_curator_configuration:
  file.absent:
    - name: /opt/so/conf/curator
    - recurse: True
 {% set files = salt.file.find(path='/usr/sbin', name='so-curator*') %}
 {% if files|length > 0 %}
 delete_curator_scripts:
  file.absent:
    - names: {{files|yaml}}
 {% endif %}
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -1,10 +1,6 @@
 docker:
  range: '172.17.1.0/24'
  gateway: '172.17.1.1'
  ulimits:
    - name: nofile
      soft: 1048576
      hard: 1048576
  containers:
    'so-dockerregistry':
      final_octet: 20
@@ -13,7 +9,6 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-elastic-fleet':
      final_octet: 21
      port_bindings:
@@ -21,7 +16,6 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-elasticsearch':
      final_octet: 22
      port_bindings:
@@ -30,16 +24,6 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits:
        - name: memlock
          soft: -1
          hard: -1
        - name: nofile
          soft: 65536
          hard: 65536
        - name: nproc
          soft: 4096
          hard: 4096
    'so-influxdb':
      final_octet: 26
      port_bindings:
@@ -47,7 +31,6 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-kibana':
      final_octet: 27
      port_bindings:
@@ -55,7 +38,6 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-kratos':
      final_octet: 28
      port_bindings:
@@ -64,7 +46,6 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-hydra':
      final_octet: 30
      port_bindings:
@@ -73,7 +54,6 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-logstash':
      final_octet: 29
      port_bindings:
@@ -90,7 +70,6 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-nginx':
      final_octet: 31
      port_bindings:
@@ -102,7 +81,6 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-nginx-fleet-node':
      final_octet: 31
      port_bindings:
@@ -110,7 +88,6 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-redis':
      final_octet: 33
      port_bindings:
@@ -119,13 +96,11 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-sensoroni':
      final_octet: 99
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-soc':
      final_octet: 34
      port_bindings:
@@ -133,19 +108,16 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-strelka-backend':
      final_octet: 36
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-strelka-filestream':
      final_octet: 37
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-strelka-frontend':
      final_octet: 38
      port_bindings:
@@ -153,13 +125,11 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-strelka-manager':
      final_octet: 39
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-strelka-gatekeeper':
      final_octet: 40
      port_bindings:
@@ -167,7 +137,6 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-strelka-coordinator':
      final_octet: 41
      port_bindings:
@@ -175,13 +144,11 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-elastalert':
      final_octet: 42
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-elastic-fleet-package-registry':
      final_octet: 44
      port_bindings:
@@ -189,13 +156,11 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-idh':
      final_octet: 45
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-elastic-agent':
      final_octet: 46
      port_bindings:
@@ -204,34 +169,23 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-telegraf':
      final_octet: 99
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-suricata':
      final_octet: 99
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits:
-        - name: memlock
+        - memlock=524288000
          soft: 524288000
          hard: 524288000
    'so-zeek':
      final_octet: 99
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits:
        - name: core
          soft: 0
          hard: 0
        - name: nofile
          soft: 1048576
          hard: 1048576
    'so-kafka':
      final_octet: 88
      port_bindings:
@@ -242,4 +196,3 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
--- a/salt/docker/docker.map.jinja
+++ b/salt/docker/docker.map.jinja
@@ -1,8 +1,8 @@
 {% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
-{% set DOCKERMERGED = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
+{% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
-{% set RANGESPLIT = DOCKERMERGED.range.split('.') %}
+{% set RANGESPLIT = DOCKER.range.split('.') %}
 {% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %}
-{% for container, vals in DOCKERMERGED.containers.items() %}
+{% for container, vals in DOCKER.containers.items() %}
-{%   do DOCKERMERGED.containers[container].update({'ip': FIRSTTHREE ~ DOCKERMERGED.containers[container].final_octet}) %}
+{%   do DOCKER.containers[container].update({'ip': FIRSTTHREE ~ DOCKER.containers[container].final_octet}) %}
 {% endfor %}
--- a/salt/docker/files/daemon.json.jinja
+++ b/salt/docker/files/daemon.json.jinja
@@ -1,24 +0,0 @@
 {% from 'docker/docker.map.jinja' import DOCKERMERGED -%}
 {
  "registry-mirrors": [
    "https://:5000"
  ],
  "bip": "172.17.0.1/24",
  "default-address-pools": [
    {
      "base": "172.17.0.0/24",
      "size": 24
    }
  ]
 {%- if DOCKERMERGED.ulimits %},
  "default-ulimits": {
 {%-   for ULIMIT in DOCKERMERGED.ulimits %}
    "{{ ULIMIT.name }}": {
      "Name": "{{ ULIMIT.name }}",
      "Soft": {{ ULIMIT.soft }},
      "Hard": {{ ULIMIT.hard }}
    }{{ "," if not loop.last else "" }}
 {%-   endfor %}
  }
 {%- endif %}
 }
--- a/salt/docker/init.sls
+++ b/salt/docker/init.sls
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{% from 'docker/docker.map.jinja' import DOCKER %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 # docker service requires the ca.crt
@@ -15,6 +15,39 @@ dockergroup:
    - name: docker
    - gid: 920
 {% if GLOBALS.os_family == 'Debian' %}
 {%    if grains.oscodename == 'bookworm' %}
 dockerheldpackages:
  pkg.installed:
    - pkgs:
      - containerd.io: 2.2.1-1~debian.12~bookworm
      - docker-ce: 5:29.2.1-1~debian.12~bookworm
      - docker-ce-cli: 5:29.2.1-1~debian.12~bookworm
      - docker-ce-rootless-extras: 5:29.2.1-1~debian.12~bookworm
    - hold: True
    - update_holds: True
 {%    elif grains.oscodename == 'jammy' %}
 dockerheldpackages:
  pkg.installed:
    - pkgs:
      - containerd.io: 2.2.1-1~ubuntu.22.04~jammy
      - docker-ce: 5:29.2.1-1~ubuntu.22.04~jammy
      - docker-ce-cli: 5:29.2.1-1~ubuntu.22.04~jammy
      - docker-ce-rootless-extras: 5:29.2.1-1~ubuntu.22.04~jammy
    - hold: True
    - update_holds: True
 {%    else %}
 dockerheldpackages:
  pkg.installed:
    - pkgs:
      - containerd.io: 1.7.21-1
      - docker-ce: 5:27.2.0-1~ubuntu.20.04~focal
      - docker-ce-cli: 5:27.2.0-1~ubuntu.20.04~focal
      - docker-ce-rootless-extras: 5:27.2.0-1~ubuntu.20.04~focal
    - hold: True
    - update_holds: True
 {%   endif %}
 {% else %}
 dockerheldpackages:
  pkg.installed:
    - pkgs:
@@ -24,6 +57,7 @@ dockerheldpackages:
      - docker-ce-rootless-extras: 29.2.1-1.el9
    - hold: True
    - update_holds: True
 {% endif %}
 #disable docker from managing iptables
 iptables_disabled:
@@ -41,9 +75,10 @@ dockeretc:
  file.directory:
    - name: /etc/docker
 # Manager daemon.json
 docker_daemon:
  file.managed:
-    - source: salt://docker/files/daemon.json.jinja
+    - source: salt://common/files/daemon.json
    - name: /etc/docker/daemon.json
    - template: jinja 
@@ -74,8 +109,8 @@ dockerreserveports:
 sos_docker_net:
  docker_network.present:
    - name: sobridge
-    - subnet: {{ DOCKERMERGED.range }}
+    - subnet: {{ DOCKER.range }}
-    - gateway: {{ DOCKERMERGED.gateway }}
+    - gateway: {{ DOCKER.gateway }}
    - options:
        com.docker.network.bridge.name: 'sobridge'
        com.docker.network.driver.mtu: '1500'
--- a/salt/docker/soc_docker.yaml
+++ b/salt/docker/soc_docker.yaml
@@ -7,25 +7,6 @@ docker:
    description: Default docker IP range for containers.
    helpLink: docker.html
    advanced: True
  ulimits:
    description: |
      Default ulimit settings applied to all containers via the Docker daemon. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with soft and hard limits. Individual container ulimits override these defaults. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime.
    forcedType: "[]{}"
    syntax: json
    advanced: True
    helpLink: docker.html
    uiElements:
    - field: name
      label: Resource Name
      required: True
      regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$
      regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime).
    - field: soft
      label: Soft Limit
      forcedType: int
    - field: hard
      label: Hard Limit
      forcedType: int
  containers:
    so-dockerregistry: &dockerOptions
      final_octet:
@@ -58,25 +39,6 @@ docker:
        helpLink: docker.html
        multiline: True
        forcedType: "[]string"
      ulimits:
        description: |
          Ulimit settings for the container. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with optional soft and hard limits. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime.
        advanced: True
        helpLink: docker.html
        forcedType: "[]{}"
        syntax: json
        uiElements:
        - field: name
          label: Resource Name
          required: True
          regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$
          regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime).
        - field: soft
          label: Soft Limit
          forcedType: int
        - field: hard
          label: Hard Limit
          forcedType: int
    so-elastic-fleet: *dockerOptions
    so-elasticsearch: *dockerOptions
    so-influxdb: *dockerOptions
@@ -100,6 +62,42 @@ docker:
    so-idh: *dockerOptions
    so-elastic-agent: *dockerOptions
    so-telegraf: *dockerOptions
-    so-suricata: *dockerOptions
+    so-suricata:
      final_octet:
        description: Last octet of the container IP address.
        helpLink: docker.html
        readonly: True
        advanced: True
        global: True
      port_bindings:
        description: List of port bindings for the container.
        helpLink: docker.html
        advanced: True
        multiline: True
        forcedType: "[]string"
      custom_bind_mounts:
        description: List of custom local volume bindings.
        advanced: True
        helpLink: docker.html
        multiline: True
        forcedType: "[]string"
      extra_hosts:
        description: List of additional host entries for the container.
        advanced: True
        helpLink: docker.html
        multiline: True
        forcedType: "[]string"
      extra_env:
        description: List of additional ENV entries for the container.
        advanced: True
        helpLink: docker.html
        multiline: True
        forcedType: "[]string"
      ulimits:
        description: Ulimits for the container, in bytes.
        advanced: True
        helpLink: docker.html
        multiline: True
        forcedType: "[]string"
    so-zeek: *dockerOptions
    so-kafka: *dockerOptions
--- a/salt/elastalert/enabled.sls
+++ b/salt/elastalert/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
 include:
  - elastalert.config
@@ -24,7 +24,7 @@ so-elastalert:
    - user: so-elastalert
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers['so-elastalert'].ip }}
+        - ipv4_address: {{ DOCKER.containers['so-elastalert'].ip }}
    - detach: True
    - binds:
      - /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
@@ -33,30 +33,24 @@ so-elastalert:
      - /opt/so/conf/elastalert/predefined/:/opt/elastalert/predefined/:ro
      - /opt/so/conf/elastalert/custom/:/opt/elastalert/custom/:ro
      - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro
-      {% if DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %}
+      {% if DOCKER.containers['so-elastalert'].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-elastalert'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - extra_hosts:
      - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
-      {% if DOCKERMERGED.containers['so-elastalert'].extra_hosts %}
+      {% if DOCKER.containers['so-elastalert'].extra_hosts %}
-        {% for XTRAHOST in DOCKERMERGED.containers['so-elastalert'].extra_hosts %}
+        {% for XTRAHOST in DOCKER.containers['so-elastalert'].extra_hosts %}
      - {{ XTRAHOST }}
        {% endfor %}
      {% endif %}
-      {% if DOCKERMERGED.containers['so-elastalert'].extra_env %}
+      {% if DOCKER.containers['so-elastalert'].extra_env %}
    - environment:
-        {% for XTRAENV in DOCKERMERGED.containers['so-elastalert'].extra_env %}
+        {% for XTRAENV in DOCKER.containers['so-elastalert'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    {% if DOCKERMERGED.containers['so-elastalert'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-elastalert'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - require:
      - cmd: wait_for_elasticsearch
      - file: elastarules
--- a/salt/elastalert/files/custom/placeholder
+++ b/salt/elastalert/files/custom/placeholder
@@ -0,0 +1 @@
 THIS IS A PLACEHOLDER FILE
--- a/salt/elastic-fleet-package-registry/enabled.sls
+++ b/salt/elastic-fleet-package-registry/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
 include:
  - elastic-fleet-package-registry.config
@@ -21,36 +21,30 @@ so-elastic-fleet-package-registry:
    - user: 948
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ip }}
+        - ipv4_address: {{ DOCKER.containers['so-elastic-fleet-package-registry'].ip }}
    - extra_hosts:
        - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-        {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %}
+        {% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %}
-          {% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %}
+          {% for XTRAHOST in DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %}
        - {{ XTRAHOST }}
          {% endfor %}
        {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].port_bindings %}
+      {% for BINDING in DOCKER.containers['so-elastic-fleet-package-registry'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
-    {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
+    {% if DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
    - binds:
-        {% for BIND in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
    {% endif %}
-    {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %}
+    {% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %}
    - environment:
-        {% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %}
+        {% for XTRAENV in DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
 delete_so-elastic-fleet-package-registry_so-status.disabled:
  file.uncomment:
    - name: /opt/so/conf/so-status/so-status.conf
--- a/salt/elasticagent/enabled.sls
+++ b/salt/elasticagent/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
 include:
  - ca
@@ -22,17 +22,17 @@ so-elastic-agent:
    - user: 949
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers['so-elastic-agent'].ip }}
+        - ipv4_address: {{ DOCKER.containers['so-elastic-agent'].ip }}
    - extra_hosts:
        - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
        - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-        {% if DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %}
+        {% if DOCKER.containers['so-elastic-agent'].extra_hosts %}
-          {% for XTRAHOST in DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %}
+          {% for XTRAHOST in DOCKER.containers['so-elastic-agent'].extra_hosts %}
        - {{ XTRAHOST }}
          {% endfor %}
        {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKERMERGED.containers['so-elastic-agent'].port_bindings %}
+      {% for BINDING in DOCKER.containers['so-elastic-agent'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -41,25 +41,19 @@ so-elastic-agent:
      - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro 
      - /nsm:/nsm:ro
      - /opt/so/log:/opt/so/log:ro
-     {% if DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %}
+     {% if DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - environment:
      - FLEET_CA=/etc/pki/tls/certs/intca.crt
      - LOGS_PATH=logs
-      {% if DOCKERMERGED.containers['so-elastic-agent'].extra_env %}
+      {% if DOCKER.containers['so-elastic-agent'].extra_env %}
-        {% for XTRAENV in DOCKERMERGED.containers['so-elastic-agent'].extra_env %}
+        {% for XTRAENV in DOCKER.containers['so-elastic-agent'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    {% if DOCKERMERGED.containers['so-elastic-agent'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-elastic-agent'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - require:
      - file: create-elastic-agent-config
      - file: trusttheca
--- a/salt/elasticfleet/enabled.sls
+++ b/salt/elasticfleet/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
 {#   This value is generated during node install and stored in minion pillar #}
@@ -94,17 +94,17 @@ so-elastic-fleet:
    - user: 947
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet'].ip }}
+        - ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }}
    - extra_hosts:
        - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
        - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-        {% if DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %}
+        {% if DOCKER.containers['so-elastic-fleet'].extra_hosts %}
-          {% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %}
+          {% for XTRAHOST in DOCKER.containers['so-elastic-fleet'].extra_hosts %}
        - {{ XTRAHOST }}
          {% endfor %}
        {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKERMERGED.containers['so-elastic-fleet'].port_bindings %}
+      {% for BINDING in DOCKER.containers['so-elastic-fleet'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -112,8 +112,8 @@ so-elastic-fleet:
      - /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro
      - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
      - /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs 
-     {% if DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %}
+     {% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}      
@@ -128,17 +128,11 @@ so-elastic-fleet:
      - FLEET_CA=/etc/pki/tls/certs/intca.crt     
      - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
      - LOGS_PATH=logs
-      {% if DOCKERMERGED.containers['so-elastic-fleet'].extra_env %}
+      {% if DOCKER.containers['so-elastic-fleet'].extra_env %}
-        {% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet'].extra_env %}
+        {% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    {% if DOCKERMERGED.containers['so-elastic-fleet'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: trusttheca
      - x509: etc_elasticfleet_key
--- a/salt/elasticfleet/files/certs/placeholder
+++ b/salt/elasticfleet/files/certs/placeholder
--- a/salt/elasticsearch/config.map.jinja
+++ b/salt/elasticsearch/config.map.jinja
@@ -6,6 +6,8 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS with context %}
 {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 {# this is a list of dicts containing hostname:ip for elasticsearch nodes that need to know about each other for cluster #}
 {% set ELASTICSEARCH_SEED_HOSTS = [] %}
 {% set node_data = salt['pillar.get']('elasticsearch:nodes', {GLOBALS.role.split('-')[1]: {GLOBALS.hostname: {'ip': GLOBALS.node_ip}}}) %}
@@ -34,8 +36,14 @@
      {% endfor %}
    {% endif %}
 {% elif grains.id.split('_') | last == 'searchnode' %}
  {% if HIGHLANDER %}
        {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.roles.extend(['ml', 'master', 'transform']) %}
  {% endif %}
  {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.update({'discovery': {'seed_hosts': [GLOBALS.manager]}}) %}
 {% endif %}
 {% if HIGHLANDER %}
      {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.xpack.ml.update({'enabled': true}) %}
 {% endif %}
 {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'name': GLOBALS.hostname}) %}
 {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.cluster.update({'name': GLOBALS.hostname}) %}
--- a/salt/elasticsearch/config.sls
+++ b/salt/elasticsearch/config.sls
@@ -98,6 +98,10 @@ esrolesdir:
    - group: 939
    - makedirs: True
 eslibdir:
  file.absent:
    - name: /opt/so/conf/elasticsearch/lib
 esingestdynamicconf:
  file.recurse:
    - name: /opt/so/conf/elasticsearch/ingest
@@ -115,6 +119,11 @@ esingestconf:
    - group: 939
    - show_changes: False
 # Remove .fleet_final_pipeline-1 because we are using global@custom now
 so-fleet-final-pipeline-remove:
  file.absent:
    - name: /opt/so/conf/elasticsearch/ingest/.fleet_final_pipeline-1
 # Auto-generate Elasticsearch ingest node pipelines from pillar
 {% for pipeline, config in ELASTICSEARCHMERGED.pipelines.items() %}
 es_ingest_conf_{{pipeline}}:
--- a/salt/elasticsearch/enabled.sls
+++ b/salt/elasticsearch/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_NODES %}
 {%   from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_SEED_HOSTS %}
 {%   from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}
@@ -28,15 +28,15 @@ so-elasticsearch:
    - user: elasticsearch
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers['so-elasticsearch'].ip }}
+        - ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }}
    - extra_hosts:
    {% for node in ELASTICSEARCH_NODES %}
    {%   for hostname, ip in node.items() %}
      - {{hostname}}:{{ip}}
    {%   endfor %}
    {% endfor %}
-    {% if DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %}
+    {% if DOCKER.containers['so-elasticsearch'].extra_hosts %}
-      {% for XTRAHOST in DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %}
+      {% for XTRAHOST in DOCKER.containers['so-elasticsearch'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
@@ -45,19 +45,17 @@ so-elasticsearch:
      - discovery.type=single-node
      {% endif %}
      - ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true
-      {% if DOCKERMERGED.containers['so-elasticsearch'].extra_env %}
+      ulimits:
-        {% for XTRAENV in DOCKERMERGED.containers['so-elasticsearch'].extra_env %}
+      - memlock=-1:-1
      - nofile=65536:65536
      - nproc=4096
      {% if DOCKER.containers['so-elasticsearch'].extra_env %}
        {% for XTRAENV in DOCKER.containers['so-elasticsearch'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    {% if DOCKERMERGED.containers['so-elasticsearch'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-elasticsearch'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKERMERGED.containers['so-elasticsearch'].port_bindings %}
+      {% for BINDING in DOCKER.containers['so-elasticsearch'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -77,8 +75,8 @@ so-elasticsearch:
      - {{ repo }}:{{ repo }}:rw
        {% endfor %}
      {% endif %}
-      {% if DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %}
+      {% if DOCKER.containers['so-elasticsearch'].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-elasticsearch'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
--- a/salt/elasticsearch/files/ingest-dynamic/.gitkeep
+++ b/salt/elasticsearch/files/ingest-dynamic/.gitkeep
--- a/salt/elasticsearch/files/ingest-dynamic/common
+++ b/salt/elasticsearch/files/ingest-dynamic/common
@@ -1,3 +1,5 @@
 {%- set HIGHLANDER = salt['pillar.get']('global:highlander', False) -%}
 {%- raw -%}
 {
  "description" : "common",
  "processors" : [
@@ -65,7 +67,19 @@
    { "append":          { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}"  } },
    { "grok":            { "if": "ctx.http?.response?.status_code != null", "field": "http.response.status_code", "patterns": ["%{NUMBER:http.response.status_code:long} %{GREEDYDATA}"]} },
    { "set":             { "if": "ctx?.metadata?.kafka != null" , "field": "kafka.id", "value": "{{metadata.kafka.partition}}{{metadata.kafka.offset}}{{metadata.kafka.timestamp}}", "ignore_failure": true } },
-    { "remove":          { "field": [ "message2", "type", "fields", "category", "module", "dataset", "dataset_tag_temp", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } },
+    { "remove":          { "field": [ "message2", "type", "fields", "category", "module", "dataset", "dataset_tag_temp", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } }
 {%- endraw %}
 {%- if HIGHLANDER %}
    ,
    {
      "pipeline": {
        "name": "ecs"
      }
    }
 {%- endif %}
 {%- raw %}
    ,
    { "pipeline": { "name": "global@custom", "ignore_missing_pipeline": true, "description": "[Fleet] Global pipeline for all data streams" } }
  ]
 }
 {% endraw %}
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -27,12 +27,14 @@ iptables_config:
    - source: salt://firewall/iptables.jinja
    - template: jinja
 {%   if grains.os_family == 'RedHat' %}
 disable_firewalld:
  service.dead:
    - name: firewalld
    - enable: False
    - require:
      - file: iptables_config
 {%   endif %}
 iptables_restore:
  cmd.run:
@@ -42,6 +44,7 @@ iptables_restore:
    - onlyif:
      - iptables-restore --test {{ iptmap.configfile }}
 {%   if grains.os_family == 'RedHat' %}
 enable_firewalld:
  service.running:
    - name: firewalld
@@ -49,6 +52,7 @@ enable_firewalld:
    - onfail:
      - file: iptables_config
      - cmd: iptables_restore
 {%   endif %}
 {% else %}
--- a/salt/firewall/ipt.map.jinja
+++ b/salt/firewall/ipt.map.jinja
@@ -1,6 +1,14 @@
-{% set iptmap = {
+{% set iptmap = salt['grains.filter_by']({
-    'service': 'iptables',
+    'Debian': {
-    'iptpkg': 'iptables-nft',
+        'service': 'netfilter-persistent',
-    'persistpkg': 'iptables-nft-services',
+        'iptpkg': 'iptables',
-    'configfile': '/etc/sysconfig/iptables'
+        'persistpkg': 'iptables-persistent',
-} %}
+        'configfile': '/etc/iptables/rules.v4'
    },
    'RedHat': {
        'service': 'iptables',
        'iptpkg': 'iptables-nft',
        'persistpkg': 'iptables-nft-services',
        'configfile': '/etc/sysconfig/iptables'
    },
 }) %}
--- a/salt/firewall/iptables.jinja
+++ b/salt/firewall/iptables.jinja
@@ -1,5 +1,5 @@
 {%- from 'vars/globals.map.jinja' import GLOBALS %}
-{%- from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%- from 'docker/docker.map.jinja' import DOCKER %}
 {%- from 'firewall/map.jinja' import FIREWALL_MERGED %}
 {%- set role = GLOBALS.role.split('-')[1] %}
 {%- from 'firewall/containers.map.jinja' import NODE_CONTAINERS %}
@@ -8,9 +8,9 @@
 {%- set D1 = [] %}
 {%- set D2 = [] %}
 {%- for container in NODE_CONTAINERS %}
-{%-   set IP = DOCKERMERGED.containers[container].ip %}
+{%-   set IP = DOCKER.containers[container].ip %}
-{%-   if DOCKERMERGED.containers[container].port_bindings is defined %}
+{%-   if DOCKER.containers[container].port_bindings is defined %}
-{%-     for binding in DOCKERMERGED.containers[container].port_bindings %}
+{%-     for binding in DOCKER.containers[container].port_bindings %}
 {#-       cant split int so we convert to string #}
 {%-       set binding = binding|string %}
 {#-          split the port binding by /. if proto not specified, default is tcp #}
@@ -33,13 +33,13 @@
 {%-           set hostPort = bsa[0] %}
 {%-           set containerPort = bsa[1] %}
 {%-         endif %}
-{%-         do PR.append("-A POSTROUTING -s " ~ DOCKERMERGED.containers[container].ip ~ "/32 -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 -p " ~  proto ~ " -m " ~ proto  ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
+{%-         do PR.append("-A POSTROUTING -s " ~ DOCKER.containers[container].ip ~ "/32 -d " ~ DOCKER.containers[container].ip ~ "/32 -p " ~  proto ~ " -m " ~ proto  ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
 {%-         if bindip | length and bindip != '0.0.0.0' %}
-{%-           do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %}
+{%-           do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
 {%-         else %}
-{%-           do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %}
+{%-           do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
 {%-         endif %}
-{%-         do D2.append("-A DOCKER -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
+{%-         do D2.append("-A DOCKER -d " ~ DOCKER.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
 {%-     endfor %}
 {%-   endif %}
 {%- endfor %}
@@ -52,7 +52,7 @@
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s {{DOCKERMERGED.range}} ! -o sobridge -j MASQUERADE
+-A POSTROUTING -s {{DOCKER.range}} ! -o sobridge -j MASQUERADE
 {%- for rule in PR %}
 {{ rule }}
 {%- endfor %}
--- a/salt/firewall/map.jinja
+++ b/salt/firewall/map.jinja
@@ -1,11 +1,11 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{% from 'docker/docker.map.jinja' import DOCKER %}
 {% import_yaml 'firewall/defaults.yaml' as FIREWALL_DEFAULT %}
 {# add our ip to self #}
 {% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %}
 {# add dockernet range #}
-{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKERMERGED.range) %}
+{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKER.range) %}
 {% if GLOBALS.role == 'so-idh' %}
 {%   from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}
--- a/salt/hydra/enabled.sls
+++ b/salt/hydra/enabled.sls
@@ -11,7 +11,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   if 'api' in salt['pillar.get']('features', []) %}
@@ -26,38 +26,32 @@ so-hydra:
    - name: so-hydra
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers['so-hydra'].ip }}
+        - ipv4_address: {{ DOCKER.containers['so-hydra'].ip }}
    - binds:
      - /opt/so/conf/hydra/:/hydra-conf:ro
      - /opt/so/log/hydra/:/hydra-log:rw
      - /nsm/hydra/db:/hydra-data:rw
-      {% if DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %}
+      {% if DOCKER.containers['so-hydra'].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-hydra'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKERMERGED.containers['so-hydra'].port_bindings %}
+      {% for BINDING in DOCKER.containers['so-hydra'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
-    {% if DOCKERMERGED.containers['so-hydra'].extra_hosts %}
+    {% if DOCKER.containers['so-hydra'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKERMERGED.containers['so-hydra'].extra_hosts %}
+      {% for XTRAHOST in DOCKER.containers['so-hydra'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKERMERGED.containers['so-hydra'].extra_env %}
+    {% if DOCKER.containers['so-hydra'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKERMERGED.containers['so-hydra'].extra_env %}
+      {% for XTRAENV in DOCKER.containers['so-hydra'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-hydra'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-hydra'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - restart_policy: unless-stopped
    - watch:
      - file: hydraconfig
@@ -73,7 +67,7 @@ delete_so-hydra_so-status.disabled:
 wait_for_hydra:
  http.wait_for_successful_query:
-    - name: 'http://{{ GLOBALS.manager }}:4444/health/alive'
+    - name: 'http://{{ GLOBALS.manager }}:4444/'
    - ssl: True
    - verify_ssl: False
    - status:
--- a/salt/idh/enabled.sls
+++ b/salt/idh/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
 include:
  - idh.config
@@ -22,29 +22,23 @@ so-idh:
      - /nsm/idh:/var/tmp:rw
      - /opt/so/conf/idh/http-skins:/usr/local/lib/python3.12/site-packages/opencanary/modules/data/http/skin:ro
      - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
-      {% if DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}
+      {% if DOCKER.containers['so-idh'].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-idh'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKERMERGED.containers['so-idh'].extra_hosts %}
+    {% if DOCKER.containers['so-idh'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKERMERGED.containers['so-idh'].extra_hosts %}
+      {% for XTRAHOST in DOCKER.containers['so-idh'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKERMERGED.containers['so-idh'].extra_env %}
+    {% if DOCKER.containers['so-idh'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKERMERGED.containers['so-idh'].extra_env %}
+      {% for XTRAENV in DOCKER.containers['so-idh'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-idh'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-idh'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: opencanary_config
    - require:
--- a/salt/idh/openssh/config.sls
+++ b/salt/idh/openssh/config.sls
@@ -3,6 +3,7 @@
 include:
  - idh.openssh
 {% if grains.os_family == 'RedHat' %}
 idh_sshd_selinux:
  selinux.port_policy_present:
    - port: {{ openssh_map.config.port }}
@@ -12,6 +13,7 @@ idh_sshd_selinux:
      - file: openssh_config
    - require:
      - pkg: python_selinux_mgmt_tools
 {% endif %}
 openssh_config:
  file.replace:
--- a/salt/idh/openssh/init.sls
+++ b/salt/idh/openssh/init.sls
@@ -16,6 +16,8 @@ openssh:
    - name: {{ openssh_map.service }}
  {% endif %}
 {% if grains.os_family == 'RedHat' %}
 python_selinux_mgmt_tools:
  pkg.installed:
    - name: policycoreutils-python-utils
 {% endif %}
--- a/salt/influxdb/enabled.sls
+++ b/salt/influxdb/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   set PASSWORD = salt['pillar.get']('secrets:influx_pass') %}
 {%   set TOKEN = salt['pillar.get']('influxdb:token') %}
@@ -21,7 +21,7 @@ so-influxdb:
    - hostname: influxdb
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers['so-influxdb'].ip }}
+        - ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }}
    - environment:
      - INFLUXD_CONFIG_PATH=/conf/config.yaml
      - INFLUXDB_HTTP_LOG_ENABLED=false
@@ -31,8 +31,8 @@ so-influxdb:
      - DOCKER_INFLUXDB_INIT_ORG=Security Onion
      - DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term
      - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }}
-      {% if DOCKERMERGED.containers['so-influxdb'].extra_env %}
+      {% if DOCKER.containers['so-influxdb'].extra_env %}
-        {% for XTRAENV in DOCKERMERGED.containers['so-influxdb'].extra_env %}
+        {% for XTRAENV in DOCKER.containers['so-influxdb'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
@@ -43,27 +43,21 @@ so-influxdb:
      - /nsm/influxdb:/var/lib/influxdb2:rw
      - /etc/pki/influxdb.crt:/conf/influxdb.crt:ro
      - /etc/pki/influxdb.key:/conf/influxdb.key:ro
-      {% if DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %}
+      {% if DOCKER.containers['so-influxdb'].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-influxdb'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKERMERGED.containers['so-influxdb'].port_bindings %}
+      {% for BINDING in DOCKER.containers['so-influxdb'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
-    {% if DOCKERMERGED.containers['so-influxdb'].extra_hosts %}
+    {% if DOCKER.containers['so-influxdb'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKERMERGED.containers['so-influxdb'].extra_hosts %}
+      {% for XTRAHOST in DOCKER.containers['so-influxdb'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-influxdb'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-influxdb'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: influxdbconf
      - x509: influxdb_key
--- a/salt/kafka/enabled.sls
+++ b/salt/kafka/enabled.sls
@@ -12,7 +12,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   set KAFKANODES = salt['pillar.get']('kafka:nodes') %}
 {%   set KAFKA_EXTERNAL_ACCESS = salt['pillar.get']('kafka:config:external_access:enabled', default=False) %}
 {%   if 'gmd' in salt['pillar.get']('features', []) %}
@@ -31,22 +31,22 @@ so-kafka:
    - name: so-kafka
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers['so-kafka'].ip }}
+        - ipv4_address: {{ DOCKER.containers['so-kafka'].ip }}
    - user: kafka
    - environment:
        KAFKA_HEAP_OPTS: -Xmx2G -Xms1G
-        KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKERMERGED.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}"
+        KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKER.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}"
    - extra_hosts:
      {% for node in KAFKANODES %}
      - {{ node }}:{{ KAFKANODES[node].ip }}
      {% endfor %}
-      {% if DOCKERMERGED.containers['so-kafka'].extra_hosts %}
+      {% if DOCKER.containers['so-kafka'].extra_hosts %}
-      {%   for XTRAHOST in DOCKERMERGED.containers['so-kafka'].extra_hosts %}
+      {%   for XTRAHOST in DOCKER.containers['so-kafka'].extra_hosts %}
      - {{ XTRAHOST }}
      {%   endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKERMERGED.containers['so-kafka'].port_bindings %}
+      {% for BINDING in DOCKER.containers['so-kafka'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -60,12 +60,6 @@ so-kafka:
      {% if KAFKA_EXTERNAL_ACCESS %}
      - /opt/so/conf/kafka/kafka_server_jaas.conf:/opt/kafka/config/kafka_server_jaas.conf:ro
      {% endif %}
    {% if DOCKERMERGED.containers['so-kafka'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-kafka'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      {% for sc in ['server', 'client'] %}
      - file: kafka_kraft_{{sc}}_properties
--- a/salt/kibana/enabled.sls
+++ b/salt/kibana/enabled.sls
@@ -5,7 +5,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 include:
@@ -20,20 +20,20 @@ so-kibana:
    - user: kibana
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers['so-kibana'].ip }}
+        - ipv4_address: {{ DOCKER.containers['so-kibana'].ip }}
    - environment:
      - ELASTICSEARCH_HOST={{ GLOBALS.manager }}
      - ELASTICSEARCH_PORT=9200
      - MANAGER={{ GLOBALS.manager }}
-      {% if DOCKERMERGED.containers['so-kibana'].extra_env %}
+      {% if DOCKER.containers['so-kibana'].extra_env %}
-        {% for XTRAENV in DOCKERMERGED.containers['so-kibana'].extra_env %}
+        {% for XTRAENV in DOCKER.containers['so-kibana'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    - extra_hosts:
      - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
-    {% if DOCKERMERGED.containers['so-kibana'].extra_hosts %}
+    {% if DOCKER.containers['so-kibana'].extra_hosts %}
-      {% for XTRAHOST in DOCKERMERGED.containers['so-kibana'].extra_hosts %}
+      {% for XTRAHOST in DOCKER.containers['so-kibana'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
@@ -42,21 +42,15 @@ so-kibana:
      - /opt/so/log/kibana:/var/log/kibana:rw
      - /opt/so/conf/kibana/customdashboards:/usr/share/kibana/custdashboards:ro
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-      {% if DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %}
+      {% if DOCKER.containers['so-kibana'].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-kibana'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKERMERGED.containers['so-kibana'].port_bindings %}
+      {% for BINDING in DOCKER.containers['so-kibana'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    {% if DOCKERMERGED.containers['so-kibana'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-kibana'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: kibanaconfig
--- a/salt/kibana/map.jinja
+++ b/salt/kibana/map.jinja
@@ -5,6 +5,7 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% import_yaml 'kibana/defaults.yaml' as KIBANADEFAULTS with context %}
 {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 {% do KIBANADEFAULTS.kibana.config.server.update({'publicBaseUrl': 'https://' ~ GLOBALS.url_base ~ '/kibana'}) %}
 {% do KIBANADEFAULTS.kibana.config.elasticsearch.update({'hosts': ['https://' ~ GLOBALS.manager ~ ':9200']}) %}
--- a/salt/kibana/so_dashboard_load.sls
+++ b/salt/kibana/so_dashboard_load.sls
@@ -3,6 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 include:
  - kibana.enabled
@@ -28,3 +29,27 @@ so-kibana-dashboard-load:
    - require:
      - sls: kibana.enabled
      - file: dashboard_saved_objects_template
 {%- if HIGHLANDER %}
 dashboard_saved_objects_template_hl:
  file.managed:
    - name: /opt/so/conf/kibana/hl.ndjson.template
    - source: salt://kibana/files/hl.ndjson
    - user: 932
    - group: 939
    - show_changes: False
 dashboard_saved_objects_hl_changes:
  file.absent:
    - names:
      - /opt/so/state/kibana_hl.txt
    - onchanges:
      - file: dashboard_saved_objects_template_hl
 so-kibana-dashboard-load_hl:
  cmd.run:
    - name: /usr/sbin/so-kibana-config-load -i /opt/so/conf/kibana/hl.ndjson.template
    - cwd: /opt/so
    - require:
      - sls: kibana.enabled
      - file: dashboard_saved_objects_template_hl
 {%- endif %}
--- a/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults
+++ b/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults
@@ -1,5 +1,6 @@
 #!/bin/bash
 . /usr/sbin/so-common
 {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 wait_for_web_response "http://localhost:5601/api/spaces/space/default" "default" 300 "curl -K /opt/so/conf/elasticsearch/curl.config"
 ## This hackery will be removed if using Elastic Auth ##
@@ -8,6 +9,10 @@ SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http:
 # Disable certain Features from showing up in the Kibana UI
 echo
-echo "Setting up default Kibana Space:"
+echo "Setting up default Space:"
 {% if HIGHLANDER %}
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log
 {% else %}
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","securitySolutionCasesV3","inventory","dataQuality","searchSynonyms","enterpriseSearchApplications","enterpriseSearchAnalytics","securitySolutionTimeline","securitySolutionNotes","entityManager"]} ' >> /opt/so/log/kibana/misc.log
 {% endif %}
 echo
--- a/salt/kratos/enabled.sls
+++ b/salt/kratos/enabled.sls
@@ -5,7 +5,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 include:
@@ -19,38 +19,32 @@ so-kratos:
    - name: so-kratos
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers['so-kratos'].ip }}
+        - ipv4_address: {{ DOCKER.containers['so-kratos'].ip }}
    - binds:
      - /opt/so/conf/kratos/:/kratos-conf:ro
      - /opt/so/log/kratos/:/kratos-log:rw
      - /nsm/kratos/db:/kratos-data:rw
-      {% if DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %}
+      {% if DOCKER.containers['so-kratos'].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-kratos'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKERMERGED.containers['so-kratos'].port_bindings %}
+      {% for BINDING in DOCKER.containers['so-kratos'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
-    {% if DOCKERMERGED.containers['so-kratos'].extra_hosts %}
+    {% if DOCKER.containers['so-kratos'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKERMERGED.containers['so-kratos'].extra_hosts %}
+      {% for XTRAHOST in DOCKER.containers['so-kratos'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKERMERGED.containers['so-kratos'].extra_env %}
+    {% if DOCKER.containers['so-kratos'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKERMERGED.containers['so-kratos'].extra_env %}
+      {% for XTRAENV in DOCKER.containers['so-kratos'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-kratos'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-kratos'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - restart_policy: unless-stopped
    - watch:
      - file: kratosschema
--- a/salt/logstash/config.sls
+++ b/salt/logstash/config.sls
@@ -36,6 +36,10 @@ logstash:
    - gid: 931
    - home: /opt/so/conf/logstash
 lslibdir:
  file.absent:
    - name: /opt/so/conf/logstash/lib
 logstash_sbin:
  file.recurse:
    - name: /usr/sbin
--- a/salt/logstash/enabled.sls
+++ b/salt/logstash/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'logstash/map.jinja' import LOGSTASH_MERGED %}
 {%   from 'logstash/map.jinja' import LOGSTASH_NODES %}
 {%   set lsheap = LOGSTASH_MERGED.settings.lsheap %}
@@ -32,7 +32,7 @@ so-logstash:
    - name: so-logstash
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers['so-logstash'].ip }}
+        - ipv4_address: {{ DOCKER.containers['so-logstash'].ip }}
    - user: logstash
    - extra_hosts:
    {% for node in LOGSTASH_NODES %}
@@ -40,20 +40,20 @@ so-logstash:
      - {{hostname}}:{{ip}}
    {%   endfor %}
    {% endfor %}
-    {% if DOCKERMERGED.containers['so-logstash'].extra_hosts %}
+    {% if DOCKER.containers['so-logstash'].extra_hosts %}
-    {%   for XTRAHOST in DOCKERMERGED.containers['so-logstash'].extra_hosts %}
+    {%   for XTRAHOST in DOCKER.containers['so-logstash'].extra_hosts %}
      - {{ XTRAHOST }}
    {%   endfor %}
    {% endif %}
    - environment:
      - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }}
-    {% if DOCKERMERGED.containers['so-logstash'].extra_env %}
+    {% if DOCKER.containers['so-logstash'].extra_env %}
-    {%   for XTRAENV in DOCKERMERGED.containers['so-logstash'].extra_env %}
+    {%   for XTRAENV in DOCKER.containers['so-logstash'].extra_env %}
      - {{ XTRAENV }}
    {%   endfor %}
    {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKERMERGED.containers['so-logstash'].port_bindings %}
+      {% for BINDING in DOCKER.containers['so-logstash'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -91,17 +91,11 @@ so-logstash:
      - /opt/so/log/fleet/:/osquery/logs:ro
      - /opt/so/log/strelka:/strelka:ro
      {% endif %}
-      {% if DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %}
+      {% if DOCKER.containers['so-logstash'].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-logstash'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    {% if DOCKERMERGED.containers['so-logstash'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-logstash'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: lsetcsync
      - file: trusttheca
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -63,9 +63,11 @@ yara_log_dir:
      - user
      - group
 {% if GLOBALS.os_family == 'RedHat' %}
 install_createrepo:
  pkg.installed:
    - name: createrepo_c
 {% endif %}
 repo_conf_dir:
  file.directory:
--- a/salt/manager/tools/sbin/so-client
+++ b/salt/manager/tools/sbin/so-client
@@ -134,8 +134,8 @@ function require() {
 function verifyEnvironment() {
  require "jq"
  require "curl"
-  response=$(curl -Ss -L ${hydraUrl}/health/alive)
+  response=$(curl -Ss -L ${hydraUrl}/)
-  [[ "$response" != '{"status":"ok"}' ]] && fail "Unable to communicate with Hydra; specify URL via HYDRA_URL environment variable"
+  [[ "$response" != *"Error 404"* ]] && fail "Unable to communicate with Hydra; specify URL via HYDRA_URL environment variable"
 }
 function createFile() {
--- a/salt/manager/tools/sbin/so-minion
+++ b/salt/manager/tools/sbin/so-minion
@@ -462,14 +462,19 @@ function add_sensor_to_minion() {
        echo "      lb_procs: '$CORECOUNT'"
        echo "suricata:"
        echo "  enabled: True "
        echo "  pcap:"
        echo "    enabled: True"
        if [[ $is_pcaplimit ]]; then
            echo "  pcap:"
            echo "    maxsize: $MAX_PCAP_SPACE"
        fi
        echo "  config:"
        echo "    af-packet:"
        echo "      threads: '$CORECOUNT'"
        echo "pcap:"
        echo "  enabled: True"
        if [[ $is_pcaplimit ]]; then
            echo "  config:"
            echo "    diskfreepercentage: $DFREEPERCENT"
        fi
        echo "  "
    } >> $PILLARFILE
    if [ $? -ne 0 ]; then
--- a/salt/manager/tools/sbin/so-yaml.py
+++ b/salt/manager/tools/sbin/so-yaml.py
@@ -22,7 +22,7 @@ def showUsage(args):
    print('    removelistitem   - Remove a list item from a yaml key, if it exists and is a list. Requires KEY and LISTITEM args.', file=sys.stderr)
    print('    replacelistobject  - Replace a list object based on a condition. Requires KEY, CONDITION_FIELD, CONDITION_VALUE, and JSON_OBJECT args.', file=sys.stderr)
    print('    add              - Add a new key and set its value. Fails if key already exists. Requires KEY and VALUE args.', file=sys.stderr)
-    print('    get [-r]         - Displays (to stdout) the value stored in the given key. Requires KEY arg. Use -r for raw output without YAML formatting.', file=sys.stderr)
+    print('    get              - Displays (to stdout) the value stored in the given key. Requires KEY arg.', file=sys.stderr)
    print('    remove           - Removes a yaml key, if it exists. Requires KEY arg.', file=sys.stderr)
    print('    replace          - Replaces (or adds) a new key and set its value. Requires KEY and VALUE args.', file=sys.stderr)
    print('    help             - Prints this usage information.', file=sys.stderr)
@@ -256,7 +256,7 @@ def replacelistobject(args):
 def addKey(content, key, value):
    pieces = key.split(".", 1)
    if len(pieces) > 1:
-        if pieces[0] not in content or content[pieces[0]] is None:
+        if not pieces[0] in content:
            content[pieces[0]] = {}
        addKey(content[pieces[0]], pieces[1], value)
    elif key in content:
@@ -332,11 +332,6 @@ def getKeyValue(content, key):
 def get(args):
    raw = False
    if len(args) > 0 and args[0] == '-r':
        raw = True
        args = args[1:]
    if len(args) != 2:
        print('Missing filename or key arg', file=sys.stderr)
        showUsage(None)
@@ -351,15 +346,7 @@ def get(args):
        print(f"Key '{key}' not found by so-yaml.py", file=sys.stderr)
        return 2
-    if raw:
+    print(yaml.safe_dump(output))
        if isinstance(output, bool):
            print(str(output).lower())
        elif isinstance(output, (dict, list)):
            print(yaml.safe_dump(output).strip())
        else:
            print(output)
    else:
        print(yaml.safe_dump(output))
    return 0
--- a/salt/manager/tools/sbin/so-yaml_test.py
+++ b/salt/manager/tools/sbin/so-yaml_test.py
@@ -395,17 +395,6 @@ class TestRemove(unittest.TestCase):
            self.assertEqual(result, 0)
            self.assertIn("45\n...", mock_stdout.getvalue())
    def test_get_int_raw(self):
        with patch('sys.stdout', new=StringIO()) as mock_stdout:
            filename = "/tmp/so-yaml_test-get.yaml"
            file = open(filename, "w")
            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
            file.close()
            result = soyaml.get(["-r", filename, "key1.child2.deep1"])
            self.assertEqual(result, 0)
            self.assertEqual("45\n", mock_stdout.getvalue())
    def test_get_str(self):
        with patch('sys.stdout', new=StringIO()) as mock_stdout:
            filename = "/tmp/so-yaml_test-get.yaml"
@@ -417,51 +406,6 @@ class TestRemove(unittest.TestCase):
            self.assertEqual(result, 0)
            self.assertIn("hello\n...", mock_stdout.getvalue())
    def test_get_str_raw(self):
        with patch('sys.stdout', new=StringIO()) as mock_stdout:
            filename = "/tmp/so-yaml_test-get.yaml"
            file = open(filename, "w")
            file.write("{key1: { child1: 123, child2: { deep1: \"hello\" } }, key2: false, key3: [e,f,g]}")
            file.close()
            result = soyaml.get(["-r", filename, "key1.child2.deep1"])
            self.assertEqual(result, 0)
            self.assertEqual("hello\n", mock_stdout.getvalue())
    def test_get_bool(self):
        with patch('sys.stdout', new=StringIO()) as mock_stdout:
            filename = "/tmp/so-yaml_test-get.yaml"
            file = open(filename, "w")
            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
            file.close()
            result = soyaml.get([filename, "key2"])
            self.assertEqual(result, 0)
            self.assertIn("false\n...", mock_stdout.getvalue())
    def test_get_bool_raw(self):
        with patch('sys.stdout', new=StringIO()) as mock_stdout:
            filename = "/tmp/so-yaml_test-get.yaml"
            file = open(filename, "w")
            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
            file.close()
            result = soyaml.get(["-r", filename, "key2"])
            self.assertEqual(result, 0)
            self.assertEqual("false\n", mock_stdout.getvalue())
    def test_get_dict_raw(self):
        with patch('sys.stdout', new=StringIO()) as mock_stdout:
            filename = "/tmp/so-yaml_test-get.yaml"
            file = open(filename, "w")
            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
            file.close()
            result = soyaml.get(["-r", filename, "key1"])
            self.assertEqual(result, 0)
            self.assertIn("child1: 123", mock_stdout.getvalue())
            self.assertNotIn("...", mock_stdout.getvalue())
    def test_get_list(self):
        with patch('sys.stdout', new=StringIO()) as mock_stdout:
            filename = "/tmp/so-yaml_test-get.yaml"
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -88,7 +88,7 @@ check_err() {
        echo 'No route to host'
      ;;
      160)
-        echo 'Incompatible Elasticsearch upgrade'
+        echo 'Incompatiable Elasticsearch upgrade'
      ;;
      161)
        echo 'Required intermediate Elasticsearch upgrade not complete'
@@ -362,7 +362,7 @@ preupgrade_changes() {
    # This function is to add any new pillar items if needed.
    echo "Checking to see if changes are needed."
-    [[ "$INSTALLEDVERSION" =~ ^2\.4\.21[0-9]+$ ]] && up_to_3.0.0   
+    [[ "$INSTALLEDVERSION" == 2.4.210 ]] && up_to_3.0.0   
    true
 }
@@ -370,12 +370,12 @@ postupgrade_changes() {
    # This function is to add any new pillar items if needed.
    echo "Running post upgrade processes."
-    [[ "$POSTVERSION" =~ ^2\.4\.21[0-9]+$ ]] && post_to_3.0.0
+    [[ "$POSTVERSION" == 2.4.210 ]] && post_to_3.0.0
    true
 }
 check_minimum_version() {
-  if [[ ! "$INSTALLEDVERSION" =~ ^(2\.4\.21[0-9]+|3\.) ]]; then
+  if [[ "$INSTALLEDVERSION" != "2.4.210" ]] && [[ ! "$INSTALLEDVERSION" =~ ^3\. ]]; then
    echo "You must be on at least Security Onion 2.4.210 to upgrade. Currently installed version: $INSTALLEDVERSION"
    exit 1
  fi
@@ -385,23 +385,10 @@ check_minimum_version() {
 up_to_3.0.0() {
  determine_elastic_agent_upgrade
  migrate_pcap_to_suricata
  INSTALLEDVERSION=3.0.0
 }
 migrate_pcap_to_suricata() {
  local MINIONDIR=/opt/so/saltstack/local/pillar/minions
  local PCAPFILE=/opt/so/saltstack/local/pillar/pcap/soc_pcap.sls
  for pillar_file in "$PCAPFILE" "$MINIONDIR"/*.sls; do
    [[ -f "$pillar_file" ]] || continue
    pcap_enabled=$(so-yaml.py get -r "$pillar_file" pcap.enabled 2>/dev/null) || continue
    so-yaml.py add "$pillar_file" suricata.pcap.enabled "$pcap_enabled"
    so-yaml.py remove "$pillar_file" pcap
  done
 }
 post_to_3.0.0() {
  echo "Nothing to apply"
  POSTVERSION=3.0.0
@@ -576,46 +563,78 @@ upgrade_check_salt() {
 upgrade_salt() {
  echo "Performing upgrade of Salt from $INSTALLEDSALTVERSION to $NEWSALTVERSION."
  echo ""
-  # Check if salt-cloud is installed
+  # If rhel family
-  if rpm -q salt-cloud &>/dev/null; then
+  if [[ $is_rpm ]]; then
-    SALT_CLOUD_INSTALLED=true
+    # Check if salt-cloud is installed
-  fi
+    if rpm -q salt-cloud &>/dev/null; then
-  # Check if salt-cloud is configured
+      SALT_CLOUD_INSTALLED=true
-  if [[ -f /etc/salt/cloud.profiles.d/socloud.conf ]]; then
+    fi
-    SALT_CLOUD_CONFIGURED=true
+    # Check if salt-cloud is configured
-  fi
+    if [[ -f /etc/salt/cloud.profiles.d/socloud.conf ]]; then
-
+      SALT_CLOUD_CONFIGURED=true
-  echo "Removing yum versionlock for Salt."
+    fi
-  echo ""
+    
-  yum versionlock delete "salt"
+    echo "Removing yum versionlock for Salt."
-  yum versionlock delete "salt-minion"
+    echo ""
-  yum versionlock delete "salt-master"
+    yum versionlock delete "salt"
-  # Remove salt-cloud versionlock if installed
+    yum versionlock delete "salt-minion"
-  if [[ $SALT_CLOUD_INSTALLED == true ]]; then
+    yum versionlock delete "salt-master"
-    yum versionlock delete "salt-cloud"
+    # Remove salt-cloud versionlock if installed
-  fi
+    if [[ $SALT_CLOUD_INSTALLED == true ]]; then
-  echo "Updating Salt packages."
+      yum versionlock delete "salt-cloud"
-  echo ""
+    fi
-  set +e
+    echo "Updating Salt packages."
-  # Run with -r to ignore repos set by bootstrap
+    echo ""
-  if [[ $SALT_CLOUD_INSTALLED == true ]]; then
+    set +e
    # if oracle run with -r to ignore repos set by bootstrap
    if [[ $OS == 'oracle' ]]; then
      # Add -L flag only if salt-cloud is already installed
      if [[ $SALT_CLOUD_INSTALLED == true ]]; then
        run_check_net_err \
        "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -L -F -M stable \"$NEWSALTVERSION\"" \
        "Could not update salt, please check $SOUP_LOG for details."
      else
        run_check_net_err \
        "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -F -M stable \"$NEWSALTVERSION\"" \
        "Could not update salt, please check $SOUP_LOG for details."
      fi
    # if another rhel family variant we want to run without -r to allow the bootstrap script to manage repos
    else
      run_check_net_err \
      "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -F -M stable \"$NEWSALTVERSION\"" \
      "Could not update salt, please check $SOUP_LOG for details."
    fi
    set -e
    echo "Applying yum versionlock for Salt."
    echo ""
    yum versionlock add "salt-0:$NEWSALTVERSION-0.*"
    yum versionlock add "salt-minion-0:$NEWSALTVERSION-0.*"
    yum versionlock add "salt-master-0:$NEWSALTVERSION-0.*"
    # Add salt-cloud versionlock if installed
    if [[ $SALT_CLOUD_INSTALLED == true ]]; then
      yum versionlock add "salt-cloud-0:$NEWSALTVERSION-0.*"
    fi
  # Else do Ubuntu things
  elif [[ $is_deb ]]; then
    # ensure these files don't exist when upgrading from 3006.9 to 3006.16
    rm -f /etc/apt/keyrings/salt-archive-keyring-2023.pgp /etc/apt/sources.list.d/salt.list
    echo "Removing apt hold for Salt."
    echo ""
    apt-mark unhold "salt-common"
    apt-mark unhold "salt-master"
    apt-mark unhold "salt-minion"
    echo "Updating Salt packages."
    echo ""
    set +e
    run_check_net_err \
-    "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -L -F -M stable \"$NEWSALTVERSION\"" \
+    "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -F -M stable \"$NEWSALTVERSION\"" \
    "Could not update salt, please check $SOUP_LOG for details."
-  else
+    set -e
-    run_check_net_err \
+    echo "Applying apt hold for Salt."
-    "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -F -M stable \"$NEWSALTVERSION\"" \
+    echo ""
-    "Could not update salt, please check $SOUP_LOG for details."
+    apt-mark hold "salt-common"
-  fi
+    apt-mark hold "salt-master"
-  set -e
+    apt-mark hold "salt-minion"
  echo "Applying yum versionlock for Salt."
  echo ""
  yum versionlock add "salt-0:$NEWSALTVERSION-0.*"
  yum versionlock add "salt-minion-0:$NEWSALTVERSION-0.*"
  yum versionlock add "salt-master-0:$NEWSALTVERSION-0.*"
  # Add salt-cloud versionlock if installed
  if [[ $SALT_CLOUD_INSTALLED == true ]]; then
    yum versionlock add "salt-cloud-0:$NEWSALTVERSION-0.*"
  fi
  echo "Checking if Salt was upgraded."
@@ -1052,10 +1071,6 @@ main() {
  echo ""
  set_os
  if [[ ! $is_oracle ]]; then
    fail "This OS is not supported. Security Onion requires Oracle Linux 9."
  fi
  check_salt_master_status 1 || fail  "Could not talk to salt master: Please run 'systemctl status salt-master' to ensure the salt-master service is running and check the log at /opt/so/log/salt/master."
  echo "Checking to see if this is a manager."
@@ -1165,6 +1180,14 @@ main() {
      echo "Upgrading Salt"
      # Update the repo files so it can actually upgrade
      upgrade_salt
      # for Debian based distro, we need to stop salt again after upgrade output below is from bootstrap-salt
      # *  WARN: Not starting daemons on Debian based distributions
      #    is not working mostly because starting them is the default behaviour.
      if [[ $is_deb ]]; then
        stop_salt_minion
        stop_salt_master
      fi
    fi
    preupgrade_changes
--- a/salt/nginx/enabled.sls
+++ b/salt/nginx/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'nginx/map.jinja' import NGINXMERGED %}
 include:
@@ -37,11 +37,11 @@ so-nginx:
    - hostname: so-nginx
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers[container_config].ip }}
+        - ipv4_address: {{ DOCKER.containers[container_config].ip }}
    - extra_hosts:
      - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
-    {% if DOCKERMERGED.containers[container_config].extra_hosts %}
+    {% if DOCKER.containers[container_config].extra_hosts %}
-      {% for XTRAHOST in DOCKERMERGED.containers[container_config].extra_hosts %}
+      {% for XTRAHOST in DOCKER.containers[container_config].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
@@ -64,26 +64,20 @@ so-nginx:
      - /opt/so/rules/nids/suri:/surirules:ro
      {%   endif %}
      {% endif %}
-      {% if DOCKERMERGED.containers[container_config].custom_bind_mounts %}
+      {% if DOCKER.containers[container_config].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers[container_config].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers[container_config].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKERMERGED.containers[container_config].extra_env %}
+    {% if DOCKER.containers[container_config].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKERMERGED.containers[container_config].extra_env %}
+      {% for XTRAENV in DOCKER.containers[container_config].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers[container_config].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers[container_config].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - cap_add: NET_BIND_SERVICE
    - port_bindings:
-      {% for BINDING in DOCKERMERGED.containers[container_config].port_bindings %}
+      {% for BINDING in DOCKER.containers[container_config].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - watch:
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -1,5 +1,5 @@
 {%- from 'vars/globals.map.jinja' import GLOBALS %}
-{%- from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%- from 'docker/docker.map.jinja' import DOCKER %}
 {%- from 'nginx/map.jinja' import NGINXMERGED %}
 {%- set role = grains.id.split('_') | last %}
 {%- set influxpass = salt['pillar.get']('secrets:influx_pass') %}
@@ -387,13 +387,15 @@ http {
 		error_page 429 = @error429;
 		location @error401 {
-			if ($request_uri ~* (^/api/.*|^/connect/.*|^/oauth2/.*)) {
+			if ($request_uri ~* (^/connect/.*|^/oauth2/.*)) {
 				return    401;
 			}
-			add_header    Strict-Transport-Security   "max-age=31536000; includeSubDomains";
+			if ($request_uri ~* ^/(?!(^/api/.*))) {
 				add_header    Strict-Transport-Security   "max-age=31536000; includeSubDomains";
 			}
-			if ($request_uri ~* ^/(?!(login|auth|oauth2|$))) {
+			if ($request_uri ~* ^/(?!(api/|login|auth|oauth2|$))) {
 				add_header    Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
 			}
 			return        302 /auth/self-service/login/browser;
--- a/salt/ntp/init.sls
+++ b/salt/ntp/init.sls
@@ -2,6 +2,7 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'ntp/config.map.jinja' import NTPCONFIG %}
 chrony_pkg:
@@ -16,7 +17,11 @@ chronyconf:
    - defaults:
        NTPCONFIG: {{ NTPCONFIG }}
 {% if GLOBALS.os_family == 'RedHat' %}
 chronyd:
 {% else %}
 chrony:
 {% endif %}
  service.running:
    - enable: True
    - watch: 
--- a/salt/podman/files/podman.service
+++ b/salt/podman/files/podman.service
@@ -0,0 +1,17 @@
 [Unit]
 Description=Podman API Service
 Requires=podman.socket
 After=podman.socket
 Documentation=man:podman-api(1)
 StartLimitIntervalSec=0
 [Service]
 Type=oneshot
 Environment=REGISTRIES_CONFIG_PATH=/etc/containers/registries.conf
 ExecStart=/usr/bin/podman system service
 TimeoutStopSec=30
 KillMode=process
 [Install]
 WantedBy=multi-user.target
 Also=podman.socket
--- a/salt/podman/files/podman.socket
+++ b/salt/podman/files/podman.socket
@@ -0,0 +1,10 @@
 [Unit]
 Description=Podman API Socket
 Documentation=man:podman-api(1)
 [Socket]
 ListenStream=%t/podman/podman.sock
 SocketMode=0660
 [Install]
 WantedBy=sockets.target
--- a/salt/podman/files/sobridge.conflist
+++ b/salt/podman/files/sobridge.conflist
@@ -0,0 +1,48 @@
 {
   "args": {
      "podman_options": {
         "isolate": "true",
         "mtu": "1500"
      }
   },
   "cniVersion": "0.4.0",
   "name": "sobridge",
   "plugins": [
      {
         "type": "bridge",
         "bridge": "sobridge",
         "isGateway": true,
         "ipMasq": false,
         "mtu": 1500,
         "hairpinMode": false,
         "ipam": {
            "type": "host-local",
            "routes": [
               {
                  "dst": "0.0.0.0/0"
               }
            ],
            "ranges": [
               [
                  {
                     "subnet": "172.17.1.0/24",
                     "gateway": "172.17.1.1"
                  }
               ]
            ]
         },
         "capabilities": {
            "ips": true
         }
      },
      {
         "type": "portmap",
         "capabilities": {
            "portMappings": false
         }
      },
      {
         "type": "tuning"
      }
   ]
 }
--- a/salt/podman/init.sls
+++ b/salt/podman/init.sls
@@ -0,0 +1,56 @@
 {% from 'docker/docker.map.jinja' import DOCKER %}
 Podman pkg:
  pkg.installed:
    - name: podman
 cnipkg:
  pkg.installed:
    - name: containernetworking-plugins
 {#
 Podman service:
  file.managed:
    - name: /usr/lib/systemd/system/podman.service
    - source: salt://podman/podman.service
 #}
 sobridgeconf:
  file.managed:
    - name: /etc/cni/net.d/sobridge.conflist
    - source: salt://podman/files/sobridge.conflist
 Podman_socket_service:
  service.running:
    - name: podman.socket
    - enable: true
 Podman_service:
  service.running:
    - name: podman.service
    - enable: true
 Docker socket:
  file.symlink:
    - name: /var/run/docker.sock
    - target: /var/run/podman/podman.sock
 podman_docker_symlink:
  file.symlink:
    - name: /usr/bin/docker
    - target: /usr/bin/podman
 {#
 sos_docker_net:
  docker_network.present:
    - name: sobridge
    - subnet: {{ DOCKER.range }}
    - gateway: {{ DOCKER.bip }}
    - options:
        com.docker.network.bridge.name: 'sobridge'
        com.docker.network.driver.mtu: '1500'
        com.docker.network.bridge.enable_ip_masquerade: 'true'
        com.docker.network.bridge.enable_icc: 'true'
        com.docker.network.bridge.host_binding_ipv4: '0.0.0.0'
    - unless: 'docker network ls | grep sobridge'
 #}
--- a/salt/redis/enabled.sls
+++ b/salt/redis/enabled.sls
@@ -5,7 +5,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 include:
@@ -21,9 +21,9 @@ so-redis:
    - user: socore
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers['so-redis'].ip }}
+        - ipv4_address: {{ DOCKER.containers['so-redis'].ip }}
    - port_bindings:
-      {% for BINDING in DOCKERMERGED.containers['so-redis'].port_bindings %}
+      {% for BINDING in DOCKER.containers['so-redis'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -34,29 +34,23 @@ so-redis:
      - /etc/pki/redis.crt:/certs/redis.crt:ro
      - /etc/pki/redis.key:/certs/redis.key:ro
      - /etc/pki/tls/certs/intca.crt:/certs/ca.crt:ro
-      {% if DOCKERMERGED.containers['so-redis'].custom_bind_mounts %}
+      {% if DOCKER.containers['so-redis'].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers['so-redis'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-redis'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKERMERGED.containers['so-redis'].extra_hosts %}
+    {% if DOCKER.containers['so-redis'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKERMERGED.containers['so-redis'].extra_hosts %}
+      {% for XTRAHOST in DOCKER.containers['so-redis'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKERMERGED.containers['so-redis'].extra_env %}
+    {% if DOCKER.containers['so-redis'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKERMERGED.containers['so-redis'].extra_env %}
+      {% for XTRAENV in DOCKER.containers['so-redis'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-redis'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-redis'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
    - watch:
      - file: trusttheca
--- a/salt/registry/enabled.sls
+++ b/salt/registry/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
 include:
  - registry.ssl
@@ -20,10 +20,10 @@ so-dockerregistry:
    - hostname: so-registry
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers['so-dockerregistry'].ip }}
+        - ipv4_address: {{ DOCKER.containers['so-dockerregistry'].ip }}
    - restart_policy: always
    - port_bindings:
-      {% for BINDING in DOCKERMERGED.containers['so-dockerregistry'].port_bindings %}
+      {% for BINDING in DOCKER.containers['so-dockerregistry'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -32,31 +32,25 @@ so-dockerregistry:
      - /nsm/docker-registry/docker:/var/lib/registry/docker:rw
      - /etc/pki/registry.crt:/etc/pki/registry.crt:ro
      - /etc/pki/registry.key:/etc/pki/registry.key:ro
-      {% if DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %}
+      {% if DOCKER.containers['so-dockerregistry'].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-dockerregistry'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %}
+    {% if DOCKER.containers['so-dockerregistry'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %}
+      {% for XTRAHOST in DOCKER.containers['so-dockerregistry'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
    - client_timeout: 180
    - environment:
      - HOME=/root
-      {% if DOCKERMERGED.containers['so-dockerregistry'].extra_env %}
+      {% if DOCKER.containers['so-dockerregistry'].extra_env %}
-        {% for XTRAENV in DOCKERMERGED.containers['so-dockerregistry'].extra_env %}
+        {% for XTRAENV in DOCKER.containers['so-dockerregistry'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    {% if DOCKERMERGED.containers['so-dockerregistry'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-dockerregistry'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - retry:
        attempts: 5
        interval: 30
--- a/salt/repo/client/map.jinja
+++ b/salt/repo/client/map.jinja
@@ -1,29 +1,43 @@
-{% set REPOPATH = '/etc/yum.repos.d/' %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
-{% set ABSENTFILES = [
+
-       'centos-addons.repo',
+{% if GLOBALS.os_family == 'RedHat' %}
-       'centos-devel.repo',
+  {% set REPOPATH = '/etc/yum.repos.d/' %}
-       'centos-extras.repo',
+{%     if GLOBALS.os == 'OEL' %}
-       'centos.repo',
+  {% set ABSENTFILES = [
-       'docker-ce.repo',
+         'centos-addons.repo',
-       'epel.repo',
+         'centos-devel.repo',
-       'epel-testing.repo',
+         'centos-extras.repo',
-       'saltstack.repo',
+         'centos.repo',
-       'salt-latest.repo',
+         'docker-ce.repo',
-       'wazuh.repo'
+         'epel.repo',
-       'Rocky-Base.repo',
+         'epel-testing.repo',
-       'Rocky-CR.repo',
+         'saltstack.repo',
-       'Rocky-Debuginfo.repo',
+         'salt-latest.repo',
-       'Rocky-fasttrack.repo',
+         'wazuh.repo'
-       'Rocky-Media.repo',
+         'Rocky-Base.repo',
-       'Rocky-Sources.repo',
+         'Rocky-CR.repo',
-       'Rocky-Vault.repo',
+         'Rocky-Debuginfo.repo',
-       'Rocky-x86_64-kernel.repo',
+         'Rocky-fasttrack.repo',
-       'rocky-addons.repo',
+         'Rocky-Media.repo',
-       'rocky-devel.repo',
+         'Rocky-Sources.repo',
-       'rocky-extras.repo',
+         'Rocky-Vault.repo',
-       'rocky.repo',
+         'Rocky-x86_64-kernel.repo',
-       'oracle-linux-ol9.repo',
+         'rocky-addons.repo',
-       'uek-ol9.repo',
+         'rocky-devel.repo',
-       'virt-ol9.repo'
+         'rocky-extras.repo',
-     ]
+         'rocky.repo',
-%}
+         'oracle-linux-ol9.repo',
         'uek-ol9.repo',
         'virt-ol9.repo'
       ]
  %}
 {%     else %}
  {% set ABSENTFILES = [] %}
 {%    endif %}
 {% else %}
  {% set REPOPATH = '/etc/apt/sources.list.d/' %}
  {% set ABSENTFILES = [] %}
 {% endif %}
--- a/salt/salt/init.sls
+++ b/salt/salt/init.sls
@@ -1,3 +1,10 @@
 {% if grains.oscodename == 'focal' %}
 saltpymodules:
  pkg.installed:
    - pkgs:
      - python3-docker
 {% endif %}
 # distribute to minions for salt upgrades
 salt_bootstrap:
  file.managed:
--- a/salt/salt/map.jinja
+++ b/salt/salt/map.jinja
@@ -17,12 +17,22 @@
 {% set SALTVERSION = saltminion.salt.minion.version | string %}
 {% set INSTALLEDSALTVERSION = grains.saltversion | string %}
-{% set SPLITCHAR = '-' %}
+{% if grains.os_family == 'Debian' %}
-{% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion', 'salt-cloud'] %}
+  {% set SPLITCHAR = '+' %}
-{% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
+  {% set SALTPACKAGES = ['salt-common', 'salt-master', 'salt-minion', 'salt-cloud'] %}
  {% set SYSTEMD_UNIT_FILE = '/lib/systemd/system/salt-minion.service' %}
 {% else %}
  {% set SPLITCHAR = '-' %}
  {% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion', 'salt-cloud'] %}
  {% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
 {% endif %}
 {% if INSTALLEDSALTVERSION != SALTVERSION %}
-  {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -r -F stable ' ~ SALTVERSION %}
+  {% if grains.os_family|lower == 'redhat' %}
      {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -r -F stable ' ~ SALTVERSION %}
  {% elif grains.os_family|lower == 'debian' %}
    {% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -X -F stable ' ~ SALTVERSION %}
  {% endif %}
 {% else %}
  {% set UPGRADECOMMAND = 'echo Already running Salt Minion version ' ~ SALTVERSION %}
 {% endif %}
--- a/salt/salt/master.sls
+++ b/salt/salt/master.sls
@@ -23,6 +23,15 @@ sync_runners:
    - name: saltutil.sync_runners
 {% endif %}
 # prior to 2.4.30 this engine ran on the manager with salt-minion
 # this has changed to running with the salt-master in 2.4.30
 remove_engines_config:
  file.absent:
    - name: /etc/salt/minion.d/engines.conf
    - source: salt://salt/files/engines.conf
    - watch_in:
      - service: salt_minion_service
 checkmine_engine:
  file.managed:
    - name: /etc/salt/engines/checkmine.py
--- a/salt/sensoroni/enabled.sls
+++ b/salt/sensoroni/enabled.sls
@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{% from 'docker/docker.map.jinja' import DOCKER %}
 include:
@@ -23,29 +23,23 @@ so-sensoroni:
      - /opt/so/conf/sensoroni/templates:/opt/sensoroni/templates:ro
      - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
      - /nsm/suripcap/:/nsm/suripcap:rw
-      {% if DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %}
+      {% if DOCKER.containers['so-sensoroni'].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-sensoroni'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKERMERGED.containers['so-sensoroni'].extra_hosts %}
+    {% if DOCKER.containers['so-sensoroni'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKERMERGED.containers['so-sensoroni'].extra_hosts %}
+      {% for XTRAHOST in DOCKER.containers['so-sensoroni'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKERMERGED.containers['so-sensoroni'].extra_env %}
+    {% if DOCKER.containers['so-sensoroni'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKERMERGED.containers['so-sensoroni'].extra_env %}
+      {% for XTRAENV in DOCKER.containers['so-sensoroni'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-sensoroni'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-sensoroni'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: /opt/so/conf/sensoroni/sensoroni.json
    - require:
--- a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/certifi-2026.1.4-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/certifi-2026.1.4-py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
--- a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/charset_normalizer-3.4.6-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/charset_normalizer-3.4.6-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
--- a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
--- a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/pyyaml-6.0.3-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/pyyaml-6.0.3-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
--- a/salt/sensoroni/files/analyzers/greynoise/source-packages/certifi-2026.2.25-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/greynoise/source-packages/certifi-2026.2.25-py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/emailrep/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/emailrep/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
--- a/salt/sensoroni/files/analyzers/emailrep/source-packages/charset_normalizer-3.4.6-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/emailrep/source-packages/charset_normalizer-3.4.6-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
--- a/salt/sensoroni/files/analyzers/emailrep/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/emailrep/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
--- a/salt/sensoroni/files/analyzers/emailrep/source-packages/pyyaml-6.0.3-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/emailrep/source-packages/pyyaml-6.0.3-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
--- a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/certifi-2026.2.25-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/certifi-2026.2.25-py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
--- a/salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-3.4.6-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-3.4.6-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
--- a/salt/sensoroni/files/analyzers/greynoise/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/greynoise/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
--- a/salt/sensoroni/files/analyzers/greynoise/source-packages/pyyaml-6.0.3-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/greynoise/source-packages/pyyaml-6.0.3-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
--- a/salt/sensoroni/files/analyzers/localfile/source-packages/certifi-2026.2.25-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/localfile/source-packages/certifi-2026.2.25-py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/localfile/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/localfile/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
--- a/salt/sensoroni/files/analyzers/localfile/source-packages/charset_normalizer-3.4.6-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/localfile/source-packages/charset_normalizer-3.4.6-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
--- a/salt/sensoroni/files/analyzers/localfile/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/localfile/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
--- a/salt/sensoroni/files/analyzers/localfile/source-packages/pyyaml-6.0.3-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/localfile/source-packages/pyyaml-6.0.3-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
--- a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/certifi-2026.1.4-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/certifi-2026.1.4-py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/certifi-2026.2.25-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/certifi-2026.2.25-py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
--- a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/charset_normalizer-3.4.6-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/charset_normalizer-3.4.6-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
--- a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
--- a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/pyyaml-6.0.3-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/pyyaml-6.0.3-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
--- a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/certifi-2026.1.4-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/certifi-2026.1.4-py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/certifi-2026.2.25-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/certifi-2026.2.25-py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
--- a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/charset_normalizer-3.4.6-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/charset_normalizer-3.4.6-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
--- a/salt/sensoroni/files/analyzers/otx/source-packages/certifi-2026.1.4-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/otx/source-packages/certifi-2026.1.4-py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/otx/source-packages/certifi-2026.2.25-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/otx/source-packages/certifi-2026.2.25-py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/otx/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/otx/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
--- a/salt/sensoroni/files/analyzers/otx/source-packages/charset_normalizer-3.4.6-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/otx/source-packages/charset_normalizer-3.4.6-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
--- a/salt/sensoroni/files/analyzers/otx/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/otx/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
--- a/salt/sensoroni/files/analyzers/otx/source-packages/pyyaml-6.0.3-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
+++ b/salt/sensoroni/files/analyzers/otx/source-packages/pyyaml-6.0.3-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
--- a/salt/sensoroni/files/analyzers/pulsedive/source-packages/certifi-2026.1.4-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/pulsedive/source-packages/certifi-2026.1.4-py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/pulsedive/source-packages/certifi-2026.2.25-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/pulsedive/source-packages/certifi-2026.2.25-py3-none-any.whl
--- a/Show More
+++ b/Show More