merge

Merge pull request #15498 from Security-Onion-Solutions/reyesj2-patch-15
unmount current agupdate dir, before final upgrade on airgap
2026-03-23 21:12:39 +01:00 · 2026-03-05 11:51:21 -05:00 · 2026-02-18 10:18:03 -06:00 · 2026-02-17 18:39:17 -06:00
217 changed files with 3283 additions and 1153 deletions
--- a/.github/DISCUSSION_TEMPLATE/2-4.yml
+++ b/.github/DISCUSSION_TEMPLATE/2-4.yml
@@ -33,7 +33,7 @@ body:
        - 2.4.200
        - 2.4.201
        - 2.4.210
-        - 2.4.211
+        - 3.0.0
        - Other (please provide detail below)
    validations:
      required: true
--- a/.github/DISCUSSION_TEMPLATE/3-0.yml
+++ b/.github/DISCUSSION_TEMPLATE/3-0.yml
@@ -1,177 +0,0 @@
-body:
-  - type: markdown
-    attributes:
-      value: |
-        If your organization needs more immediate, enterprise grade professional support, with one-on-one virtual meetings and screensharing, contact us via our website: https://securityonion.com/support
-  - type: dropdown
-    attributes:
-      label: Version
-      description: Which version of Security Onion are you asking about?
-      options:
-        -
-        - 3.0.0
-        - Other (please provide detail below)
-    validations:
-      required: true
-  - type: dropdown
-    attributes:
-      label: Installation Method
-      description: How did you install Security Onion?
-      options:
-        -
-        - Security Onion ISO image
-        - Cloud image (Amazon, Azure, Google)
-        - Network installation on Oracle 9 (unsupported)
-        - Other (please provide detail below)
-    validations:
-      required: true
-  - type: dropdown
-    attributes:
-      label: Description
-      description: >
-        Is this discussion about installation, configuration, upgrading, or other?
-      options:
-        -
-        - installation
-        - configuration
-        - upgrading
-        - other (please provide detail below)
-    validations:
-      required: true
-  - type: dropdown
-    attributes:
-      label: Installation Type
-      description: >
-        When you installed, did you choose Import, Eval, Standalone, Distributed, or something else?
-      options:
-        -
-        - Import
-        - Eval
-        - Standalone
-        - Distributed
-        - other (please provide detail below)
-    validations:
-      required: true
-  - type: dropdown
-    attributes:
-      label: Location
-      description: >
-        Is this deployment in the cloud, on-prem with Internet access, or airgap?
-      options:
-        -
-        - cloud
-        - on-prem with Internet access
-        - airgap
-        - other (please provide detail below)
-    validations:
-      required: true
-  - type: dropdown
-    attributes:
-      label: Hardware Specs
-      description: >
-        Does your hardware meet or exceed the minimum requirements for your installation type as shown at https://securityonion.net/docs/hardware?
-      options:
-        -
-        - Meets minimum requirements
-        - Exceeds minimum requirements
-        - Does not meet minimum requirements
-        - other (please provide detail below)
-    validations:
-      required: true
-  - type: input
-    attributes:
-      label: CPU
-      description: How many CPU cores do you have?
-    validations:
-      required: true
-  - type: input
-    attributes:
-      label: RAM
-      description: How much RAM do you have?
-    validations:
-      required: true
-  - type: input
-    attributes:
-      label: Storage for /
-      description: How much storage do you have for the / partition?
-    validations:
-      required: true
-  - type: input
-    attributes:
-      label: Storage for /nsm
-      description: How much storage do you have for the /nsm partition?
-    validations:
-      required: true
-  - type: dropdown
-    attributes:
-      label: Network Traffic Collection
-      description: >
-        Are you collecting network traffic from a tap or span port?
-      options:
-        -
-        - tap
-        - span port
-        - other (please provide detail below)
-    validations:
-      required: true
-  - type: dropdown
-    attributes:
-      label: Network Traffic Speeds
-      description: >
-        How much network traffic are you monitoring?
-      options:
-        -
-        - Less than 1Gbps
-        - 1Gbps to 10Gbps
-        - more than 10Gbps
-    validations:
-      required: true
-  - type: dropdown
-    attributes:
-      label: Status
-      description: >
-        Does SOC Grid show all services on all nodes as running OK?
-      options:
-        -
-        - Yes, all services on all nodes are running OK
-        - No, one or more services are failed (please provide detail below)
-    validations:
-      required: true
-  - type: dropdown
-    attributes:
-      label: Salt Status
-      description: >
-        Do you get any failures when you run "sudo salt-call state.highstate"?
-      options:
-        -
-        - Yes, there are salt failures (please provide detail below)
-        - No, there are no failures
-    validations:
-      required: true
-  - type: dropdown
-    attributes:
-      label: Logs
-      description: >
-        Are there any additional clues in /opt/so/log/?
-      options:
-        -
-        - Yes, there are additional clues in /opt/so/log/ (please provide detail below)
-        - No, there are no additional clues
-    validations:
-      required: true
-  - type: textarea
-    attributes:
-      label: Detail
-      description: Please read our discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 and then provide detailed information to help us help you.
-      placeholder: |-
-        STOP! Before typing, please read our discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 in their entirety!
-
-        If your organization needs more immediate, enterprise grade professional support, with one-on-one virtual meetings and screensharing, contact us via our website: https://securityonion.com/support
-    validations:
-      required: true
-  - type: checkboxes
-    attributes:
-      label: Guidelines
-      options:
-        - label: I have read the discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 and assert that I have followed the guidelines.
-          required: true
--- a/.github/workflows/pythontest.yml
+++ b/.github/workflows/pythontest.yml
@@ -13,7 +13,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        python-version: ["3.14"]
+        python-version: ["3.13"]
        python-code-path: ["salt/sensoroni/files/analyzers", "salt/manager/tools/sbin"]

    steps:
--- a/2
+++ b/2
@@ -1 +1 @@
-3.0.0
+3.0.0-foxtrot
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -87,6 +87,8 @@ base:
    - zeek.adv_zeek
    - bpf.soc_bpf
    - bpf.adv_bpf
+    - pcap.soc_pcap
+    - pcap.adv_pcap
    - suricata.soc_suricata
    - suricata.adv_suricata
    - minions.{{ grains.id }}
@@ -132,6 +134,8 @@ base:
    - zeek.adv_zeek
    - bpf.soc_bpf
    - bpf.adv_bpf
+    - pcap.soc_pcap
+    - pcap.adv_pcap
    - suricata.soc_suricata
    - suricata.adv_suricata
    - minions.{{ grains.id }}
@@ -181,6 +185,8 @@ base:
    - zeek.adv_zeek
    - bpf.soc_bpf
    - bpf.adv_bpf
+    - pcap.soc_pcap
+    - pcap.adv_pcap
    - suricata.soc_suricata
    - suricata.adv_suricata
    - minions.{{ grains.id }}
@@ -203,6 +209,8 @@ base:
    - zeek.adv_zeek
    - bpf.soc_bpf
    - bpf.adv_bpf
+    - pcap.soc_pcap
+    - pcap.adv_pcap
    - suricata.soc_suricata
    - suricata.adv_suricata
    - strelka.soc_strelka
@@ -289,6 +297,8 @@ base:
    - zeek.adv_zeek
    - bpf.soc_bpf
    - bpf.adv_bpf
+    - pcap.soc_pcap
+    - pcap.adv_pcap
    - suricata.soc_suricata
    - suricata.adv_suricata
    - strelka.soc_strelka
--- a/salt/_modules/needs_restarting.py
+++ b/salt/_modules/needs_restarting.py
@@ -1,14 +1,24 @@
+from os import path
 import subprocess

 def check():

+  osfam = __grains__['os_family']
  retval = 'False'

-  cmd = 'needs-restarting -r > /dev/null 2>&1'
+  if osfam == 'Debian':
+    if path.exists('/var/run/reboot-required'):
+      retval = 'True'

-  try:
-    needs_restarting = subprocess.check_call(cmd, shell=True)
-  except subprocess.CalledProcessError:
-    retval = 'True'
+  elif osfam == 'RedHat':
+    cmd = 'needs-restarting -r > /dev/null 2>&1'
+    
+    try:
+      needs_restarting = subprocess.check_call(cmd, shell=True)
+    except subprocess.CalledProcessError:
+      retval = 'True'
+
+  else:
+    retval = 'Unsupported OS: %s' % os

  return retval
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -38,6 +38,7 @@
 ] %}

 {% set sensor_states = [
+    'pcap',
    'suricata',
    'healthcheck',
    'tcpreplay',
--- a/salt/bpf/pcap.map.jinja
+++ b/salt/bpf/pcap.map.jinja
@@ -1,15 +1,21 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% set PCAP_BPF_STATUS = 0  %}
+{% set STENO_BPF_COMPILED = "" %}

+{% if GLOBALS.pcap_engine == "TRANSITION" %}
+{%   set PCAPBPF = ["ip and host 255.255.255.1 and port 1"] %}
+{% else %}
 {%   import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
 {%   set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
 {%   import 'bpf/macros.jinja' as MACROS %}
 {{   MACROS.remove_comments(BPFMERGED, 'pcap') }}
 {%   set PCAPBPF = BPFMERGED.pcap %}
+{% endif %}

 {% if PCAPBPF %}
   {% set PCAP_BPF_CALC = salt['cmd.script']('salt://common/tools/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + PCAPBPF|join(" "),cwd='/root') %}
   {% if PCAP_BPF_CALC['retcode'] == 0 %}
      {% set PCAP_BPF_STATUS = 1 %}
+      {% set STENO_BPF_COMPILED =  ",\\\"--filter=" + PCAP_BPF_CALC['stdout'] + "\\\""  %}
   {% endif %}
 {% endif %}
--- a/salt/ca/trustca.sls
+++ b/salt/ca/trustca.sls
@@ -3,6 +3,8 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
 include:
  - docker

@@ -16,3 +18,9 @@ trusttheca:
    - show_changes: False
    - makedirs: True

+{% if GLOBALS.os_family == 'Debian' %}
+symlinkca:
+  file.symlink:
+    - target: /etc/pki/tls/certs/intca.crt
+    - name: /etc/ssl/certs/intca.crt
+{% endif %}
--- a/salt/common/files/daemon.json
+++ b/salt/common/files/daemon.json
@@ -0,0 +1,12 @@
+{
+  "registry-mirrors": [
+    "https://:5000"
+  ],
+  "bip": "172.17.0.1/24",
+  "default-address-pools": [
+    {
+      "base": "172.17.0.0/24",
+      "size": 24
+    }
+  ]
+}
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -20,6 +20,11 @@ kernel.printk:
  sysctl.present:
    - value: "3 4 1 3"

+# Remove variables.txt from /tmp - This is temp
+rmvariablesfile:
+  file.absent:
+    - name: /tmp/variables.txt
+
 # Add socore Group
 socoregroup:
  group.present:
@@ -144,6 +149,28 @@ common_sbin_jinja:
      - so-import-pcap
 {% endif %}

+{% if GLOBALS.role == 'so-heavynode' %}
+remove_so-pcap-import_heavynode:
+  file.absent:
+    - name: /usr/sbin/so-pcap-import
+
+remove_so-import-pcap_heavynode:
+  file.absent:
+    - name: /usr/sbin/so-import-pcap
+{% endif %}
+
+{% if not GLOBALS.is_manager%}
+# prior to 2.4.50 these scripts were in common/tools/sbin on the manager because of soup and distributed to non managers
+# these two states remove the scripts from non manager nodes
+remove_soup:
+  file.absent:
+    - name: /usr/sbin/soup
+
+remove_so-firewall:
+  file.absent:
+    - name: /usr/sbin/so-firewall
+{% endif %}
+
 so-status_script:
  file.managed:
    - name: /usr/sbin/so-status
--- a/salt/common/packages.sls
+++ b/salt/common/packages.sls
@@ -1,5 +1,52 @@
 # we cannot import GLOBALS from vars/globals.map.jinja in this state since it is called in setup.virt.init
 # since it is early in setup of a new VM, the pillars imported in GLOBALS are not yet defined
+{% if grains.os_family == 'Debian' %}
+commonpkgs:
+  pkg.installed:
+    - skip_suggestions: True
+    - pkgs:
+      - apache2-utils
+      - wget
+      - ntpdate
+      - jq
+      - curl
+      - ca-certificates
+      - software-properties-common
+      - apt-transport-https
+      - openssl
+      - netcat-openbsd
+      - sqlite3
+      - libssl-dev
+      - procps
+      - python3-dateutil
+      - python3-docker
+      - python3-packaging
+      - python3-lxml
+      - git
+      - rsync
+      - vim
+      - tar
+      - unzip
+      - bc
+      {% if grains.oscodename != 'focal' %}
+      - python3-rich
+      {% endif %}
+
+{%     if grains.oscodename == 'focal' %}
+# since Ubuntu requires and internet connection we can use pip to install modules
+python3-pip:
+  pkg.installed
+
+python-rich:
+  pip.installed:
+    - name: rich
+    - target: /usr/local/lib/python3.8/dist-packages/
+    - require:
+      - pkg: python3-pip
+{%     endif %}
+{% endif %}
+
+{% if grains.os_family == 'RedHat' %}

 remove_mariadb:
  pkg.removed:
@@ -37,3 +84,5 @@ commonpkgs:
      - unzip
      - wget
      - yum-utils
+
+{% endif %}
--- a/salt/common/soup_scripts.sls
+++ b/salt/common/soup_scripts.sls
@@ -11,6 +11,14 @@
 {%   endif %}
 {%   set SOVERSION = salt['file.read']('/etc/soversion').strip() %}

+remove_common_soup:
+  file.absent:
+    - name: /opt/so/saltstack/default/salt/common/tools/sbin/soup
+
+remove_common_so-firewall:
+  file.absent:
+    - name: /opt/so/saltstack/default/salt/common/tools/sbin/so-firewall
+
 # This section is used to put the scripts in place in the Salt file system
 # in case a state run tries to overwrite what we do in the next section.
 copy_so-common_common_tools_sbin:
--- a/salt/common/tools/sbin/so-bpf-compile
+++ b/salt/common/tools/sbin/so-bpf-compile
@@ -16,7 +16,7 @@

 if [ "$#" -lt 2 ]; then
  cat 1>&2 <<EOF
-$0 compiles a BPF expression to be passed to PCAP to apply a socket filter.
+$0 compiles a BPF expression to be passed to stenotype to apply a socket filter.
 Its first argument is the interface (link type is required) and all other arguments
 are passed to TCPDump.

--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -349,16 +349,21 @@ get_random_value() {
 }

 gpg_rpm_import() {
-	if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
-		local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
-	else
-		local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
+	if [[ $is_oracle ]]; then
+	    if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
+	        local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
+	    else
+	        local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
+	    fi
+		RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
+		for RPMKEY in "${RPMKEYS[@]}"; do
+    	        rpm --import $RPMKEYSLOC/$RPMKEY
+	        echo "Imported $RPMKEY"
+	    done
+	elif [[ $is_rpm ]]; then
+		echo "Importing the security onion GPG key"
+		rpm --import ../salt/repo/client/files/oracle/keys/securityonion.pub
 	fi
-	RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
-	for RPMKEY in "${RPMKEYS[@]}"; do
-		rpm --import $RPMKEYSLOC/$RPMKEY
-		echo "Imported $RPMKEY"
-	done
 }

 header() {
@@ -610,19 +615,69 @@ salt_minion_count() {
 }

 set_os() {
-	if [ -f /etc/redhat-release ] && grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release && [ -f /etc/oracle-release ]; then
-		OS=oracle
-		OSVER=9
-		is_oracle=true
-		is_rpm=true
+	if [ -f /etc/redhat-release ]; then
+		if grep -q "Rocky Linux release 9" /etc/redhat-release; then
+			OS=rocky
+			OSVER=9
+			is_rocky=true
+			is_rpm=true
+		elif grep -q "CentOS Stream release 9" /etc/redhat-release; then
+			OS=centos
+			OSVER=9
+			is_centos=true
+			is_rpm=true
+		elif grep -q "AlmaLinux release 9" /etc/redhat-release; then
+			OS=alma
+			OSVER=9
+			is_alma=true
+			is_rpm=true
+		elif grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release; then
+			if [ -f /etc/oracle-release ]; then
+				OS=oracle
+				OSVER=9
+				is_oracle=true
+				is_rpm=true
+			else
+				OS=rhel
+				OSVER=9
+				is_rhel=true
+				is_rpm=true
+			fi
+		fi
+		cron_service_name="crond"
+	elif [ -f /etc/os-release ]; then
+		if grep -q "UBUNTU_CODENAME=focal" /etc/os-release; then
+			OSVER=focal
+			UBVER=20.04
+			OS=ubuntu
+			is_ubuntu=true
+			is_deb=true
+		elif grep -q "UBUNTU_CODENAME=jammy" /etc/os-release; then
+			OSVER=jammy
+			UBVER=22.04
+			OS=ubuntu
+			is_ubuntu=true
+			is_deb=true
+		elif grep -q "VERSION_CODENAME=bookworm" /etc/os-release; then
+			OSVER=bookworm
+			DEBVER=12
+			is_debian=true
+			OS=debian
+			is_deb=true
+		fi
+		cron_service_name="cron"
 	fi
-	cron_service_name="crond"
 }

 set_minionid() {
 	MINIONID=$(lookup_grain id)
 }

+set_palette() {
+	if [[ $is_deb ]]; then
+	    update-alternatives --set newt-palette /etc/newt/palette.original
+    fi
+}

 set_version() {
 	CURRENTVERSION=0.0.0
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -32,6 +32,7 @@ container_list() {
      "so-nginx"
      "so-pcaptools"
      "so-soc"
+      "so-steno"
      "so-suricata"
      "so-telegraf"
      "so-zeek"
@@ -57,6 +58,7 @@ container_list() {
      "so-pcaptools"
      "so-redis"
      "so-soc"
+      "so-steno"
      "so-strelka-backend"
      "so-strelka-manager"
      "so-suricata"
@@ -69,6 +71,7 @@ container_list() {
      "so-logstash"
      "so-nginx"
      "so-redis"
+      "so-steno"
      "so-suricata"
      "so-soc"
      "so-telegraf"
--- a/salt/common/tools/sbin/so-log-check
+++ b/salt/common/tools/sbin/so-log-check
@@ -179,6 +179,7 @@ if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|salt-minion-check"            # bug in early 2.4 place Jinja script in non-jinja salt dir causing cron output errors
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|monitoring.metrics"           # known issue with elastic agent casting the field incorrectly if an integer value shows up before a float
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|repodownload.conf"            # known issue with reposync on pre-2.4.20 
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|missing versions record"      # stenographer corrupt index
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|soc.field."                   # known ingest type collisions issue with earlier versions of SO
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error parsing signature"      # Malformed Suricata rule, from upstream provider
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|sticky buffer has no matches" # Non-critical Suricata error
--- a/salt/common/tools/sbin/so-nsm-clear
+++ b/salt/common/tools/sbin/so-nsm-clear
@@ -55,22 +55,19 @@ if [ $SKIP -ne 1 ]; then
 fi

 delete_pcap() {
-  PCAP_DATA="/nsm/suripcap/"
-  [ -d $PCAP_DATA ] && rm -rf $PCAP_DATA/*
+  PCAP_DATA="/nsm/pcap/"
+  [ -d $PCAP_DATA ] && so-pcap-stop && rm -rf $PCAP_DATA/* && so-pcap-start
 }
 delete_suricata() {
  SURI_LOG="/nsm/suricata/"
-  [ -d $SURI_LOG ] && rm -rf $SURI_LOG/*
+  [ -d $SURI_LOG ] && so-suricata-stop && rm -rf $SURI_LOG/* && so-suricata-start
 }
 delete_zeek() {
  ZEEK_LOG="/nsm/zeek/logs/"
  [ -d $ZEEK_LOG ] && so-zeek-stop && rm -rf $ZEEK_LOG/* && so-zeek-start
 }

-so-suricata-stop
 delete_pcap
 delete_suricata
 delete_zeek
-so-suricata-start
-

--- a/salt/common/tools/sbin/so-restart
+++ b/salt/common/tools/sbin/so-restart
@@ -23,6 +23,7 @@ if [ $# -ge 1 ]; then
        fi

        case $1 in
+                "steno") docker stop so-steno && docker rm so-steno && salt-call state.apply pcap queue=True;;
                "elastic-fleet") docker stop so-elastic-fleet && docker rm so-elastic-fleet && salt-call state.apply elasticfleet queue=True;;
                *)  docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;;
        esac
--- a/salt/common/tools/sbin/so-sensor-clean
+++ b/salt/common/tools/sbin/so-sensor-clean
@@ -72,7 +72,7 @@ clean() {
 		done
 	fi

-	## Clean up extracted pcaps
+	## Clean up extracted pcaps from Steno
 	PCAPS='/nsm/pcapout'
 	OLDEST_PCAP=$(find $PCAPS -type f -printf '%T+ %p\n' | sort -n | head -n 1)
 	if [ -z "$OLDEST_PCAP" -o "$OLDEST_PCAP" == ".." -o "$OLDEST_PCAP" == "." ]; then
--- a/salt/common/tools/sbin/so-start
+++ b/salt/common/tools/sbin/so-start
@@ -23,6 +23,7 @@ if [ $# -ge 1 ]; then

 	case $1 in
   		"all") salt-call state.highstate queue=True;;
+   		"steno") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply pcap queue=True; fi ;; 
   		"elastic-fleet") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply elasticfleet queue=True; fi ;; 
   		*) if docker ps | grep -E -q '^so-$1$'; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;; 
 	esac
--- a/salt/curator/disabled.sls
+++ b/salt/curator/disabled.sls
@@ -0,0 +1,34 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+so-curator:
+  docker_container.absent:
+    - force: True
+
+so-curator_so-status.disabled:
+  file.line:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - match: ^so-curator$
+    - mode: delete
+
+so-curator-cluster-close:
+  cron.absent:
+    - identifier: so-curator-cluster-close
+
+so-curator-cluster-delete:
+  cron.absent:
+    - identifier: so-curator-cluster-delete
+
+delete_curator_configuration:
+  file.absent:
+    - name: /opt/so/conf/curator
+    - recurse: True
+
+{% set files = salt.file.find(path='/usr/sbin', name='so-curator*') %}
+{% if files|length > 0 %}
+delete_curator_scripts:
+  file.absent:
+    - names: {{files|yaml}}
+{% endif %}
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -1,10 +1,6 @@
 docker:
  range: '172.17.1.0/24'
  gateway: '172.17.1.1'
-  ulimits:
-    - name: nofile
-      soft: 1048576
-      hard: 1048576
  containers:
    'so-dockerregistry':
      final_octet: 20
@@ -13,7 +9,6 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits: []
    'so-elastic-fleet':
      final_octet: 21
      port_bindings:
@@ -21,7 +16,6 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits: []
    'so-elasticsearch':
      final_octet: 22
      port_bindings:
@@ -30,16 +24,6 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits:
-        - name: memlock
-          soft: -1
-          hard: -1
-        - name: nofile
-          soft: 65536
-          hard: 65536
-        - name: nproc
-          soft: 4096
-          hard: 4096
    'so-influxdb':
      final_octet: 26
      port_bindings:
@@ -47,7 +31,6 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits: []
    'so-kibana':
      final_octet: 27
      port_bindings:
@@ -55,7 +38,6 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits: []
    'so-kratos':
      final_octet: 28
      port_bindings:
@@ -64,7 +46,6 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits: []
    'so-hydra':
      final_octet: 30
      port_bindings:
@@ -73,7 +54,6 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits: []
    'so-logstash':
      final_octet: 29
      port_bindings:
@@ -90,7 +70,6 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits: []
    'so-nginx':
      final_octet: 31
      port_bindings:
@@ -102,7 +81,6 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits: []
    'so-nginx-fleet-node':
      final_octet: 31
      port_bindings:
@@ -110,7 +88,6 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits: []
    'so-redis':
      final_octet: 33
      port_bindings:
@@ -119,13 +96,11 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits: []
    'so-sensoroni':
      final_octet: 99
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits: []
    'so-soc':
      final_octet: 34
      port_bindings:
@@ -133,19 +108,16 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits: []
    'so-strelka-backend':
      final_octet: 36
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits: []
    'so-strelka-filestream':
      final_octet: 37
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits: []
    'so-strelka-frontend':
      final_octet: 38
      port_bindings:
@@ -153,13 +125,11 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits: []
    'so-strelka-manager':
      final_octet: 39
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits: []
    'so-strelka-gatekeeper':
      final_octet: 40
      port_bindings:
@@ -167,7 +137,6 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits: []
    'so-strelka-coordinator':
      final_octet: 41
      port_bindings:
@@ -175,13 +144,11 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits: []
    'so-elastalert':
      final_octet: 42
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits: []
    'so-elastic-fleet-package-registry':
      final_octet: 44
      port_bindings:
@@ -189,13 +156,11 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits: []
    'so-idh':
      final_octet: 45
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits: []
    'so-elastic-agent':
      final_octet: 46
      port_bindings:
@@ -204,34 +169,28 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits: []
    'so-telegraf':
      final_octet: 99
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits: []
+    'so-steno':
+      final_octet: 99
+      custom_bind_mounts: []
+      extra_hosts: []
+      extra_env: []
    'so-suricata':
      final_octet: 99
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits:
-        - name: memlock
-          soft: 524288000
-          hard: 524288000
+        - memlock=524288000
    'so-zeek':
      final_octet: 99
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits:
-        - name: core
-          soft: 0
-          hard: 0
-        - name: nofile
-          soft: 1048576
-          hard: 1048576
    'so-kafka':
      final_octet: 88
      port_bindings:
@@ -242,4 +201,3 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits: []
--- a/salt/docker/docker.map.jinja
+++ b/salt/docker/docker.map.jinja
@@ -1,8 +1,8 @@
 {% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
-{% set DOCKERMERGED = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
-{% set RANGESPLIT = DOCKERMERGED.range.split('.') %}
+{% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
+{% set RANGESPLIT = DOCKER.range.split('.') %}
 {% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %}

-{% for container, vals in DOCKERMERGED.containers.items() %}
-{%   do DOCKERMERGED.containers[container].update({'ip': FIRSTTHREE ~ DOCKERMERGED.containers[container].final_octet}) %}
+{% for container, vals in DOCKER.containers.items() %}
+{%   do DOCKER.containers[container].update({'ip': FIRSTTHREE ~ DOCKER.containers[container].final_octet}) %}
 {% endfor %}
--- a/salt/docker/files/daemon.json.jinja
+++ b/salt/docker/files/daemon.json.jinja
@@ -1,24 +0,0 @@
-{% from 'docker/docker.map.jinja' import DOCKERMERGED -%}
-{
-  "registry-mirrors": [
-    "https://:5000"
-  ],
-  "bip": "172.17.0.1/24",
-  "default-address-pools": [
-    {
-      "base": "172.17.0.0/24",
-      "size": 24
-    }
-  ]
-{%- if DOCKERMERGED.ulimits %},
-  "default-ulimits": {
-{%-   for ULIMIT in DOCKERMERGED.ulimits %}
-    "{{ ULIMIT.name }}": {
-      "Name": "{{ ULIMIT.name }}",
-      "Soft": {{ ULIMIT.soft }},
-      "Hard": {{ ULIMIT.hard }}
-    }{{ "," if not loop.last else "" }}
-{%-   endfor %}
-  }
-{%- endif %}
-}
--- a/salt/docker/init.sls
+++ b/salt/docker/init.sls
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

-{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{% from 'docker/docker.map.jinja' import DOCKER %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}

 # docker service requires the ca.crt
@@ -15,6 +15,39 @@ dockergroup:
    - name: docker
    - gid: 920

+{% if GLOBALS.os_family == 'Debian' %}
+{%    if grains.oscodename == 'bookworm' %}
+dockerheldpackages:
+  pkg.installed:
+    - pkgs:
+      - containerd.io: 2.2.1-1~debian.12~bookworm
+      - docker-ce: 5:29.2.1-1~debian.12~bookworm
+      - docker-ce-cli: 5:29.2.1-1~debian.12~bookworm
+      - docker-ce-rootless-extras: 5:29.2.1-1~debian.12~bookworm
+    - hold: True
+    - update_holds: True
+{%    elif grains.oscodename == 'jammy' %}
+dockerheldpackages:
+  pkg.installed:
+    - pkgs:
+      - containerd.io: 2.2.1-1~ubuntu.22.04~jammy
+      - docker-ce: 5:29.2.1-1~ubuntu.22.04~jammy
+      - docker-ce-cli: 5:29.2.1-1~ubuntu.22.04~jammy
+      - docker-ce-rootless-extras: 5:29.2.1-1~ubuntu.22.04~jammy
+    - hold: True
+    - update_holds: True
+{%    else %}
+dockerheldpackages:
+  pkg.installed:
+    - pkgs:
+      - containerd.io: 1.7.21-1
+      - docker-ce: 5:27.2.0-1~ubuntu.20.04~focal
+      - docker-ce-cli: 5:27.2.0-1~ubuntu.20.04~focal
+      - docker-ce-rootless-extras: 5:27.2.0-1~ubuntu.20.04~focal
+    - hold: True
+    - update_holds: True
+{%   endif %}
+{% else %}
 dockerheldpackages:
  pkg.installed:
    - pkgs:
@@ -24,6 +57,7 @@ dockerheldpackages:
      - docker-ce-rootless-extras: 29.2.1-1.el9
    - hold: True
    - update_holds: True
+{% endif %}

 #disable docker from managing iptables
 iptables_disabled:
@@ -41,9 +75,10 @@ dockeretc:
  file.directory:
    - name: /etc/docker

+# Manager daemon.json
 docker_daemon:
  file.managed:
-    - source: salt://docker/files/daemon.json.jinja
+    - source: salt://common/files/daemon.json
    - name: /etc/docker/daemon.json
    - template: jinja 

@@ -74,8 +109,8 @@ dockerreserveports:
 sos_docker_net:
  docker_network.present:
    - name: sobridge
-    - subnet: {{ DOCKERMERGED.range }}
-    - gateway: {{ DOCKERMERGED.gateway }}
+    - subnet: {{ DOCKER.range }}
+    - gateway: {{ DOCKER.gateway }}
    - options:
        com.docker.network.bridge.name: 'sobridge'
        com.docker.network.driver.mtu: '1500'
--- a/salt/docker/soc_docker.yaml
+++ b/salt/docker/soc_docker.yaml
@@ -7,25 +7,6 @@ docker:
    description: Default docker IP range for containers.
    helpLink: docker.html
    advanced: True
-  ulimits:
-    description: |
-      Default ulimit settings applied to all containers via the Docker daemon. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with soft and hard limits. Individual container ulimits override these defaults. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime.
-    forcedType: "[]{}"
-    syntax: json
-    advanced: True
-    helpLink: docker.html
-    uiElements:
-    - field: name
-      label: Resource Name
-      required: True
-      regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$
-      regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime).
-    - field: soft
-      label: Soft Limit
-      forcedType: int
-    - field: hard
-      label: Hard Limit
-      forcedType: int
  containers:
    so-dockerregistry: &dockerOptions
      final_octet:
@@ -58,25 +39,6 @@ docker:
        helpLink: docker.html
        multiline: True
        forcedType: "[]string"
-      ulimits:
-        description: |
-          Ulimit settings for the container. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with optional soft and hard limits. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime.
-        advanced: True
-        helpLink: docker.html
-        forcedType: "[]{}"
-        syntax: json
-        uiElements:
-        - field: name
-          label: Resource Name
-          required: True
-          regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$
-          regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime).
-        - field: soft
-          label: Soft Limit
-          forcedType: int
-        - field: hard
-          label: Hard Limit
-          forcedType: int
    so-elastic-fleet: *dockerOptions
    so-elasticsearch: *dockerOptions
    so-influxdb: *dockerOptions
@@ -100,6 +62,43 @@ docker:
    so-idh: *dockerOptions
    so-elastic-agent: *dockerOptions
    so-telegraf: *dockerOptions
-    so-suricata: *dockerOptions
+    so-steno: *dockerOptions
+    so-suricata:
+      final_octet:
+        description: Last octet of the container IP address.
+        helpLink: docker.html
+        readonly: True
+        advanced: True
+        global: True
+      port_bindings:
+        description: List of port bindings for the container.
+        helpLink: docker.html
+        advanced: True
+        multiline: True
+        forcedType: "[]string"
+      custom_bind_mounts:
+        description: List of custom local volume bindings.
+        advanced: True
+        helpLink: docker.html
+        multiline: True
+        forcedType: "[]string"
+      extra_hosts:
+        description: List of additional host entries for the container.
+        advanced: True
+        helpLink: docker.html
+        multiline: True
+        forcedType: "[]string"
+      extra_env:
+        description: List of additional ENV entries for the container.
+        advanced: True
+        helpLink: docker.html
+        multiline: True
+        forcedType: "[]string"
+      ulimits:
+        description: Ulimits for the container, in bytes.
+        advanced: True
+        helpLink: docker.html
+        multiline: True
+        forcedType: "[]string"
    so-zeek: *dockerOptions
    so-kafka: *dockerOptions
--- a/salt/elastalert/enabled.sls
+++ b/salt/elastalert/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}

 include:
  - elastalert.config
@@ -24,7 +24,7 @@ so-elastalert:
    - user: so-elastalert
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers['so-elastalert'].ip }}
+        - ipv4_address: {{ DOCKER.containers['so-elastalert'].ip }}
    - detach: True
    - binds:
      - /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
@@ -33,30 +33,24 @@ so-elastalert:
      - /opt/so/conf/elastalert/predefined/:/opt/elastalert/predefined/:ro
      - /opt/so/conf/elastalert/custom/:/opt/elastalert/custom/:ro
      - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro
-      {% if DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %}
+      {% if DOCKER.containers['so-elastalert'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-elastalert'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - extra_hosts:
      - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
-      {% if DOCKERMERGED.containers['so-elastalert'].extra_hosts %}
-        {% for XTRAHOST in DOCKERMERGED.containers['so-elastalert'].extra_hosts %}
+      {% if DOCKER.containers['so-elastalert'].extra_hosts %}
+        {% for XTRAHOST in DOCKER.containers['so-elastalert'].extra_hosts %}
      - {{ XTRAHOST }}
        {% endfor %}
      {% endif %}
-      {% if DOCKERMERGED.containers['so-elastalert'].extra_env %}
+      {% if DOCKER.containers['so-elastalert'].extra_env %}
    - environment:
-        {% for XTRAENV in DOCKERMERGED.containers['so-elastalert'].extra_env %}
+        {% for XTRAENV in DOCKER.containers['so-elastalert'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
-    {% if DOCKERMERGED.containers['so-elastalert'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKERMERGED.containers['so-elastalert'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
    - require:
      - cmd: wait_for_elasticsearch
      - file: elastarules
--- a/salt/elastalert/files/custom/placeholder
+++ b/salt/elastalert/files/custom/placeholder
@@ -0,0 +1 @@
+THIS IS A PLACEHOLDER FILE
--- a/salt/elastic-fleet-package-registry/enabled.sls
+++ b/salt/elastic-fleet-package-registry/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}

 include:
  - elastic-fleet-package-registry.config
@@ -21,36 +21,30 @@ so-elastic-fleet-package-registry:
    - user: 948
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ip }}
+        - ipv4_address: {{ DOCKER.containers['so-elastic-fleet-package-registry'].ip }}
    - extra_hosts:
        - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-        {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %}
-          {% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %}
+        {% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %}
+          {% for XTRAHOST in DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %}
        - {{ XTRAHOST }}
          {% endfor %}
        {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].port_bindings %}
+      {% for BINDING in DOCKER.containers['so-elastic-fleet-package-registry'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
-    {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
+    {% if DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
    - binds:
-        {% for BIND in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
    {% endif %}
-    {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %}
+    {% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %}
    - environment:
-        {% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %}
+        {% for XTRAENV in DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
-    {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
 delete_so-elastic-fleet-package-registry_so-status.disabled:
  file.uncomment:
    - name: /opt/so/conf/so-status/so-status.conf
--- a/salt/elasticagent/enabled.sls
+++ b/salt/elasticagent/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}

 include:
  - ca
@@ -22,17 +22,17 @@ so-elastic-agent:
    - user: 949
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers['so-elastic-agent'].ip }}
+        - ipv4_address: {{ DOCKER.containers['so-elastic-agent'].ip }}
    - extra_hosts:
        - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
        - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-        {% if DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %}
-          {% for XTRAHOST in DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %}
+        {% if DOCKER.containers['so-elastic-agent'].extra_hosts %}
+          {% for XTRAHOST in DOCKER.containers['so-elastic-agent'].extra_hosts %}
        - {{ XTRAHOST }}
          {% endfor %}
        {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKERMERGED.containers['so-elastic-agent'].port_bindings %}
+      {% for BINDING in DOCKER.containers['so-elastic-agent'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -41,25 +41,19 @@ so-elastic-agent:
      - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro 
      - /nsm:/nsm:ro
      - /opt/so/log:/opt/so/log:ro
-     {% if DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %}
+     {% if DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - environment:
      - FLEET_CA=/etc/pki/tls/certs/intca.crt
      - LOGS_PATH=logs
-      {% if DOCKERMERGED.containers['so-elastic-agent'].extra_env %}
-        {% for XTRAENV in DOCKERMERGED.containers['so-elastic-agent'].extra_env %}
+      {% if DOCKER.containers['so-elastic-agent'].extra_env %}
+        {% for XTRAENV in DOCKER.containers['so-elastic-agent'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
-    {% if DOCKERMERGED.containers['so-elastic-agent'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKERMERGED.containers['so-elastic-agent'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
    - require:
      - file: create-elastic-agent-config
      - file: trusttheca
--- a/salt/elasticfleet/enabled.sls
+++ b/salt/elasticfleet/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}

 {#   This value is generated during node install and stored in minion pillar #}
@@ -94,17 +94,17 @@ so-elastic-fleet:
    - user: 947
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet'].ip }}
+        - ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }}
    - extra_hosts:
        - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
        - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-        {% if DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %}
-          {% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %}
+        {% if DOCKER.containers['so-elastic-fleet'].extra_hosts %}
+          {% for XTRAHOST in DOCKER.containers['so-elastic-fleet'].extra_hosts %}
        - {{ XTRAHOST }}
          {% endfor %}
        {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKERMERGED.containers['so-elastic-fleet'].port_bindings %}
+      {% for BINDING in DOCKER.containers['so-elastic-fleet'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -112,8 +112,8 @@ so-elastic-fleet:
      - /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro
      - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
      - /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs 
-     {% if DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %}
+     {% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}      
@@ -128,17 +128,11 @@ so-elastic-fleet:
      - FLEET_CA=/etc/pki/tls/certs/intca.crt     
      - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
      - LOGS_PATH=logs
-      {% if DOCKERMERGED.containers['so-elastic-fleet'].extra_env %}
-        {% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet'].extra_env %}
+      {% if DOCKER.containers['so-elastic-fleet'].extra_env %}
+        {% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
-    {% if DOCKERMERGED.containers['so-elastic-fleet'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
    - watch:
      - file: trusttheca
      - x509: etc_elasticfleet_key
--- a/salt/elasticfleet/files/certs/placeholder
+++ b/salt/elasticfleet/files/certs/placeholder
--- a/salt/elasticsearch/config.map.jinja
+++ b/salt/elasticsearch/config.map.jinja
@@ -6,6 +6,8 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS with context %}

+{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
+
 {# this is a list of dicts containing hostname:ip for elasticsearch nodes that need to know about each other for cluster #}
 {% set ELASTICSEARCH_SEED_HOSTS = [] %}
 {% set node_data = salt['pillar.get']('elasticsearch:nodes', {GLOBALS.role.split('-')[1]: {GLOBALS.hostname: {'ip': GLOBALS.node_ip}}}) %}
@@ -34,8 +36,14 @@
      {% endfor %}
    {% endif %}
 {% elif grains.id.split('_') | last == 'searchnode' %}
+  {% if HIGHLANDER %}
+        {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.roles.extend(['ml', 'master', 'transform']) %}
+  {% endif %}
  {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.update({'discovery': {'seed_hosts': [GLOBALS.manager]}}) %}
 {% endif %}
+{% if HIGHLANDER %}
+      {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.xpack.ml.update({'enabled': true}) %}
+{% endif %}

 {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'name': GLOBALS.hostname}) %}
 {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.cluster.update({'name': GLOBALS.hostname}) %}
--- a/salt/elasticsearch/config.sls
+++ b/salt/elasticsearch/config.sls
@@ -98,6 +98,10 @@ esrolesdir:
    - group: 939
    - makedirs: True

+eslibdir:
+  file.absent:
+    - name: /opt/so/conf/elasticsearch/lib
+
 esingestdynamicconf:
  file.recurse:
    - name: /opt/so/conf/elasticsearch/ingest
@@ -115,6 +119,11 @@ esingestconf:
    - group: 939
    - show_changes: False

+# Remove .fleet_final_pipeline-1 because we are using global@custom now
+so-fleet-final-pipeline-remove:
+  file.absent:
+    - name: /opt/so/conf/elasticsearch/ingest/.fleet_final_pipeline-1
+
 # Auto-generate Elasticsearch ingest node pipelines from pillar
 {% for pipeline, config in ELASTICSEARCHMERGED.pipelines.items() %}
 es_ingest_conf_{{pipeline}}:
--- a/salt/elasticsearch/enabled.sls
+++ b/salt/elasticsearch/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_NODES %}
 {%   from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_SEED_HOSTS %}
 {%   from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}
@@ -28,15 +28,15 @@ so-elasticsearch:
    - user: elasticsearch
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers['so-elasticsearch'].ip }}
+        - ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }}
    - extra_hosts:
    {% for node in ELASTICSEARCH_NODES %}
    {%   for hostname, ip in node.items() %}
      - {{hostname}}:{{ip}}
    {%   endfor %}
    {% endfor %}
-    {% if DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %}
-      {% for XTRAHOST in DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %}
+    {% if DOCKER.containers['so-elasticsearch'].extra_hosts %}
+      {% for XTRAHOST in DOCKER.containers['so-elasticsearch'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
@@ -45,19 +45,17 @@ so-elasticsearch:
      - discovery.type=single-node
      {% endif %}
      - ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true
-      {% if DOCKERMERGED.containers['so-elasticsearch'].extra_env %}
-        {% for XTRAENV in DOCKERMERGED.containers['so-elasticsearch'].extra_env %}
+      ulimits:
+      - memlock=-1:-1
+      - nofile=65536:65536
+      - nproc=4096
+      {% if DOCKER.containers['so-elasticsearch'].extra_env %}
+        {% for XTRAENV in DOCKER.containers['so-elasticsearch'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
-    {% if DOCKERMERGED.containers['so-elasticsearch'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKERMERGED.containers['so-elasticsearch'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKERMERGED.containers['so-elasticsearch'].port_bindings %}
+      {% for BINDING in DOCKER.containers['so-elasticsearch'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -77,8 +75,8 @@ so-elasticsearch:
      - {{ repo }}:{{ repo }}:rw
        {% endfor %}
      {% endif %}
-      {% if DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %}
+      {% if DOCKER.containers['so-elasticsearch'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-elasticsearch'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
--- a/salt/elasticsearch/files/ingest-dynamic/.gitkeep
+++ b/salt/elasticsearch/files/ingest-dynamic/.gitkeep
--- a/salt/elasticsearch/files/ingest-dynamic/common
+++ b/salt/elasticsearch/files/ingest-dynamic/common
@@ -1,3 +1,5 @@
+{%- set HIGHLANDER = salt['pillar.get']('global:highlander', False) -%}
+{%- raw -%}
 {
  "description" : "common",
  "processors" : [
@@ -65,7 +67,19 @@
    { "append":          { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}"  } },
    { "grok":            { "if": "ctx.http?.response?.status_code != null", "field": "http.response.status_code", "patterns": ["%{NUMBER:http.response.status_code:long} %{GREEDYDATA}"]} },
    { "set":             { "if": "ctx?.metadata?.kafka != null" , "field": "kafka.id", "value": "{{metadata.kafka.partition}}{{metadata.kafka.offset}}{{metadata.kafka.timestamp}}", "ignore_failure": true } },
-    { "remove":          { "field": [ "message2", "type", "fields", "category", "module", "dataset", "dataset_tag_temp", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } },
+    { "remove":          { "field": [ "message2", "type", "fields", "category", "module", "dataset", "dataset_tag_temp", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } }
+{%- endraw %}
+{%- if HIGHLANDER %}
+    ,
+    {
+      "pipeline": {
+        "name": "ecs"
+      }
+    }
+{%- endif %}
+{%- raw %}
+    ,
    { "pipeline": { "name": "global@custom", "ignore_missing_pipeline": true, "description": "[Fleet] Global pipeline for all data streams" } }
  ]
 }
+{% endraw %}
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -27,12 +27,14 @@ iptables_config:
    - source: salt://firewall/iptables.jinja
    - template: jinja

+{%   if grains.os_family == 'RedHat' %}
 disable_firewalld:
  service.dead:
    - name: firewalld
    - enable: False
    - require:
      - file: iptables_config
+{%   endif %}

 iptables_restore:
  cmd.run:
@@ -42,6 +44,7 @@ iptables_restore:
    - onlyif:
      - iptables-restore --test {{ iptmap.configfile }}

+{%   if grains.os_family == 'RedHat' %}
 enable_firewalld:
  service.running:
    - name: firewalld
@@ -49,6 +52,7 @@ enable_firewalld:
    - onfail:
      - file: iptables_config
      - cmd: iptables_restore
+{%   endif %}

 {% else %}

--- a/salt/firewall/ipt.map.jinja
+++ b/salt/firewall/ipt.map.jinja
@@ -1,6 +1,14 @@
-{% set iptmap = {
-    'service': 'iptables',
-    'iptpkg': 'iptables-nft',
-    'persistpkg': 'iptables-nft-services',
-    'configfile': '/etc/sysconfig/iptables'
-} %}
+{% set iptmap = salt['grains.filter_by']({
+    'Debian': {
+        'service': 'netfilter-persistent',
+        'iptpkg': 'iptables',
+        'persistpkg': 'iptables-persistent',
+        'configfile': '/etc/iptables/rules.v4'
+    },
+    'RedHat': {
+        'service': 'iptables',
+        'iptpkg': 'iptables-nft',
+        'persistpkg': 'iptables-nft-services',
+        'configfile': '/etc/sysconfig/iptables'
+    },
+}) %}
--- a/salt/firewall/iptables.jinja
+++ b/salt/firewall/iptables.jinja
@@ -1,5 +1,5 @@
 {%- from 'vars/globals.map.jinja' import GLOBALS %}
-{%- from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%- from 'docker/docker.map.jinja' import DOCKER %}
 {%- from 'firewall/map.jinja' import FIREWALL_MERGED %}
 {%- set role = GLOBALS.role.split('-')[1] %}
 {%- from 'firewall/containers.map.jinja' import NODE_CONTAINERS %}
@@ -8,9 +8,9 @@
 {%- set D1 = [] %}
 {%- set D2 = [] %}
 {%- for container in NODE_CONTAINERS %}
-{%-   set IP = DOCKERMERGED.containers[container].ip %}
-{%-   if DOCKERMERGED.containers[container].port_bindings is defined %}
-{%-     for binding in DOCKERMERGED.containers[container].port_bindings %}
+{%-   set IP = DOCKER.containers[container].ip %}
+{%-   if DOCKER.containers[container].port_bindings is defined %}
+{%-     for binding in DOCKER.containers[container].port_bindings %}
 {#-       cant split int so we convert to string #}
 {%-       set binding = binding|string %}
 {#-          split the port binding by /. if proto not specified, default is tcp #}
@@ -33,13 +33,13 @@
 {%-           set hostPort = bsa[0] %}
 {%-           set containerPort = bsa[1] %}
 {%-         endif %}
-{%-         do PR.append("-A POSTROUTING -s " ~ DOCKERMERGED.containers[container].ip ~ "/32 -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 -p " ~  proto ~ " -m " ~ proto  ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
+{%-         do PR.append("-A POSTROUTING -s " ~ DOCKER.containers[container].ip ~ "/32 -d " ~ DOCKER.containers[container].ip ~ "/32 -p " ~  proto ~ " -m " ~ proto  ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
 {%-         if bindip | length and bindip != '0.0.0.0' %}
-{%-           do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %}
+{%-           do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
 {%-         else %}
-{%-           do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %}
+{%-           do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
 {%-         endif %}
-{%-         do D2.append("-A DOCKER -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
+{%-         do D2.append("-A DOCKER -d " ~ DOCKER.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
 {%-     endfor %}
 {%-   endif %}
 {%- endfor %}
@@ -52,7 +52,7 @@
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s {{DOCKERMERGED.range}} ! -o sobridge -j MASQUERADE
+-A POSTROUTING -s {{DOCKER.range}} ! -o sobridge -j MASQUERADE
 {%- for rule in PR %}
 {{ rule }}
 {%- endfor %}
--- a/salt/firewall/map.jinja
+++ b/salt/firewall/map.jinja
@@ -1,11 +1,11 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{% from 'docker/docker.map.jinja' import DOCKER %}
 {% import_yaml 'firewall/defaults.yaml' as FIREWALL_DEFAULT %}

 {# add our ip to self #}
 {% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %}
 {# add dockernet range #}
-{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKERMERGED.range) %}
+{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKER.range) %}

 {% if GLOBALS.role == 'so-idh' %}
 {%   from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}
--- a/salt/global/defaults.yaml
+++ b/salt/global/defaults.yaml
@@ -1,3 +1,3 @@
 global:
-  pcapengine: SURICATA
+  pcapengine: STENO
  pipeline: REDIS
--- a/salt/global/soc_global.yaml
+++ b/salt/global/soc_global.yaml
@@ -18,11 +18,13 @@ global:
    regexFailureMessage: You must enter either ZEEK or SURICATA.
    global: True
  pcapengine:
-    description: Which engine to use for generating pcap. Currently only SURICATA is supported.
-    regex: ^(SURICATA)$
+    description: Which engine to use for generating pcap. Options are STENO, SURICATA or TRANSITION.
+    regex: ^(STENO|SURICATA|TRANSITION)$
    options:
+      - STENO
      - SURICATA
-    regexFailureMessage: You must enter either SURICATA.
+      - TRANSITION
+    regexFailureMessage: You must enter either STENO, SURICATA or TRANSITION.
    global: True
  ids:
    description: Which IDS engine to use. Currently only Suricata is supported.
--- a/salt/hydra/enabled.sls
+++ b/salt/hydra/enabled.sls
@@ -11,7 +11,7 @@

 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   if 'api' in salt['pillar.get']('features', []) %}

@@ -26,38 +26,32 @@ so-hydra:
    - name: so-hydra
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers['so-hydra'].ip }}
+        - ipv4_address: {{ DOCKER.containers['so-hydra'].ip }}
    - binds:
      - /opt/so/conf/hydra/:/hydra-conf:ro
      - /opt/so/log/hydra/:/hydra-log:rw
      - /nsm/hydra/db:/hydra-data:rw
-      {% if DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %}
+      {% if DOCKER.containers['so-hydra'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-hydra'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKERMERGED.containers['so-hydra'].port_bindings %}
+      {% for BINDING in DOCKER.containers['so-hydra'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
-    {% if DOCKERMERGED.containers['so-hydra'].extra_hosts %}
+    {% if DOCKER.containers['so-hydra'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKERMERGED.containers['so-hydra'].extra_hosts %}
+      {% for XTRAHOST in DOCKER.containers['so-hydra'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKERMERGED.containers['so-hydra'].extra_env %}
+    {% if DOCKER.containers['so-hydra'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKERMERGED.containers['so-hydra'].extra_env %}
+      {% for XTRAENV in DOCKER.containers['so-hydra'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
-    {% if DOCKERMERGED.containers['so-hydra'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKERMERGED.containers['so-hydra'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
    - restart_policy: unless-stopped
    - watch:
      - file: hydraconfig
@@ -73,7 +67,7 @@ delete_so-hydra_so-status.disabled:

 wait_for_hydra:
  http.wait_for_successful_query:
-    - name: 'http://{{ GLOBALS.manager }}:4444/health/alive'
+    - name: 'http://{{ GLOBALS.manager }}:4444/'
    - ssl: True
    - verify_ssl: False
    - status:
--- a/salt/idh/enabled.sls
+++ b/salt/idh/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}

 include:
  - idh.config
@@ -22,29 +22,23 @@ so-idh:
      - /nsm/idh:/var/tmp:rw
      - /opt/so/conf/idh/http-skins:/usr/local/lib/python3.12/site-packages/opencanary/modules/data/http/skin:ro
      - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
-      {% if DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}
+      {% if DOCKER.containers['so-idh'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-idh'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKERMERGED.containers['so-idh'].extra_hosts %}
+    {% if DOCKER.containers['so-idh'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKERMERGED.containers['so-idh'].extra_hosts %}
+      {% for XTRAHOST in DOCKER.containers['so-idh'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKERMERGED.containers['so-idh'].extra_env %}
+    {% if DOCKER.containers['so-idh'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKERMERGED.containers['so-idh'].extra_env %}
+      {% for XTRAENV in DOCKER.containers['so-idh'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
-    {% if DOCKERMERGED.containers['so-idh'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKERMERGED.containers['so-idh'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
    - watch:
      - file: opencanary_config
    - require:
--- a/salt/idh/openssh/config.sls
+++ b/salt/idh/openssh/config.sls
@@ -3,6 +3,7 @@
 include:
  - idh.openssh

+{% if grains.os_family == 'RedHat' %}
 idh_sshd_selinux:
  selinux.port_policy_present:
    - port: {{ openssh_map.config.port }}
@@ -12,6 +13,7 @@ idh_sshd_selinux:
      - file: openssh_config
    - require:
      - pkg: python_selinux_mgmt_tools
+{% endif %}

 openssh_config:
  file.replace:
--- a/salt/idh/openssh/init.sls
+++ b/salt/idh/openssh/init.sls
@@ -16,6 +16,8 @@ openssh:
    - name: {{ openssh_map.service }}
  {% endif %}

+{% if grains.os_family == 'RedHat' %}
 python_selinux_mgmt_tools:
  pkg.installed:
    - name: policycoreutils-python-utils
+{% endif %}
--- a/salt/influxdb/enabled.sls
+++ b/salt/influxdb/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   set PASSWORD = salt['pillar.get']('secrets:influx_pass') %}
 {%   set TOKEN = salt['pillar.get']('influxdb:token') %}

@@ -21,7 +21,7 @@ so-influxdb:
    - hostname: influxdb
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers['so-influxdb'].ip }}
+        - ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }}
    - environment:
      - INFLUXD_CONFIG_PATH=/conf/config.yaml
      - INFLUXDB_HTTP_LOG_ENABLED=false
@@ -31,8 +31,8 @@ so-influxdb:
      - DOCKER_INFLUXDB_INIT_ORG=Security Onion
      - DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term
      - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }}
-      {% if DOCKERMERGED.containers['so-influxdb'].extra_env %}
-        {% for XTRAENV in DOCKERMERGED.containers['so-influxdb'].extra_env %}
+      {% if DOCKER.containers['so-influxdb'].extra_env %}
+        {% for XTRAENV in DOCKER.containers['so-influxdb'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
@@ -43,27 +43,21 @@ so-influxdb:
      - /nsm/influxdb:/var/lib/influxdb2:rw
      - /etc/pki/influxdb.crt:/conf/influxdb.crt:ro
      - /etc/pki/influxdb.key:/conf/influxdb.key:ro
-      {% if DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %}
+      {% if DOCKER.containers['so-influxdb'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-influxdb'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKERMERGED.containers['so-influxdb'].port_bindings %}
+      {% for BINDING in DOCKER.containers['so-influxdb'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
-    {% if DOCKERMERGED.containers['so-influxdb'].extra_hosts %}
+    {% if DOCKER.containers['so-influxdb'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKERMERGED.containers['so-influxdb'].extra_hosts %}
+      {% for XTRAHOST in DOCKER.containers['so-influxdb'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKERMERGED.containers['so-influxdb'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKERMERGED.containers['so-influxdb'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
    - watch:
      - file: influxdbconf
      - x509: influxdb_key
--- a/salt/influxdb/templates/alarm_steno_packet_loss.json
+++ b/salt/influxdb/templates/alarm_steno_packet_loss.json
@@ -0,0 +1,27 @@
+[{
+	"apiVersion": "influxdata.com/v2alpha1",
+	"kind": "CheckThreshold",
+	"metadata": {
+		"name": "steno-packet-loss"
+	},
+	"spec": {
+		"description": "Triggers when the average percent of packet loss is above the defined threshold. To tune this alert, modify the value for the appropriate alert level.",
+		"every": "1m",
+		"name": "Stenographer Packet Loss",
+		"query": "from(bucket: \"telegraf/so_short_term\")\n  |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n  |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"stenodrop\")\n  |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"drop\")\n  |\u003e aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n  |\u003e yield(name: \"mean\")",
+		"status": "active",
+		"statusMessageTemplate": "Stenographer Packet Loss on node ${r.host} has reached the ${ r._level } threshold. The current packet loss is ${ r.drop }%.",
+		"thresholds": [
+			{
+				"level": "CRIT",
+				"type": "greater", 
+				"value": 5
+			},
+			{
+				"level": "WARN",
+				"type": "greater",
+				"value": 3
+			}
+		]
+	}
+}]
--- a/salt/influxdb/templates/dashboard-security_onion_performance.json
+++ b/salt/influxdb/templates/dashboard-security_onion_performance.json
--- a/salt/kafka/enabled.sls
+++ b/salt/kafka/enabled.sls
@@ -12,7 +12,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   set KAFKANODES = salt['pillar.get']('kafka:nodes') %}
 {%   set KAFKA_EXTERNAL_ACCESS = salt['pillar.get']('kafka:config:external_access:enabled', default=False) %}
 {%   if 'gmd' in salt['pillar.get']('features', []) %}
@@ -31,22 +31,22 @@ so-kafka:
    - name: so-kafka
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers['so-kafka'].ip }}
+        - ipv4_address: {{ DOCKER.containers['so-kafka'].ip }}
    - user: kafka
    - environment:
        KAFKA_HEAP_OPTS: -Xmx2G -Xms1G
-        KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKERMERGED.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}"
+        KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKER.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}"
    - extra_hosts:
      {% for node in KAFKANODES %}
      - {{ node }}:{{ KAFKANODES[node].ip }}
      {% endfor %}
-      {% if DOCKERMERGED.containers['so-kafka'].extra_hosts %}
-      {%   for XTRAHOST in DOCKERMERGED.containers['so-kafka'].extra_hosts %}
+      {% if DOCKER.containers['so-kafka'].extra_hosts %}
+      {%   for XTRAHOST in DOCKER.containers['so-kafka'].extra_hosts %}
      - {{ XTRAHOST }}
      {%   endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKERMERGED.containers['so-kafka'].port_bindings %}
+      {% for BINDING in DOCKER.containers['so-kafka'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -60,12 +60,6 @@ so-kafka:
      {% if KAFKA_EXTERNAL_ACCESS %}
      - /opt/so/conf/kafka/kafka_server_jaas.conf:/opt/kafka/config/kafka_server_jaas.conf:ro
      {% endif %}
-    {% if DOCKERMERGED.containers['so-kafka'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKERMERGED.containers['so-kafka'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
    - watch:
      {% for sc in ['server', 'client'] %}
      - file: kafka_kraft_{{sc}}_properties
--- a/salt/kibana/enabled.sls
+++ b/salt/kibana/enabled.sls
@@ -5,7 +5,7 @@

 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}

 include:
@@ -20,20 +20,20 @@ so-kibana:
    - user: kibana
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers['so-kibana'].ip }}
+        - ipv4_address: {{ DOCKER.containers['so-kibana'].ip }}
    - environment:
      - ELASTICSEARCH_HOST={{ GLOBALS.manager }}
      - ELASTICSEARCH_PORT=9200
      - MANAGER={{ GLOBALS.manager }}
-      {% if DOCKERMERGED.containers['so-kibana'].extra_env %}
-        {% for XTRAENV in DOCKERMERGED.containers['so-kibana'].extra_env %}
+      {% if DOCKER.containers['so-kibana'].extra_env %}
+        {% for XTRAENV in DOCKER.containers['so-kibana'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    - extra_hosts:
      - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
-    {% if DOCKERMERGED.containers['so-kibana'].extra_hosts %}
-      {% for XTRAHOST in DOCKERMERGED.containers['so-kibana'].extra_hosts %}
+    {% if DOCKER.containers['so-kibana'].extra_hosts %}
+      {% for XTRAHOST in DOCKER.containers['so-kibana'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
@@ -42,21 +42,15 @@ so-kibana:
      - /opt/so/log/kibana:/var/log/kibana:rw
      - /opt/so/conf/kibana/customdashboards:/usr/share/kibana/custdashboards:ro
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-      {% if DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %}
+      {% if DOCKER.containers['so-kibana'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-kibana'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKERMERGED.containers['so-kibana'].port_bindings %}
+      {% for BINDING in DOCKER.containers['so-kibana'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
-    {% if DOCKERMERGED.containers['so-kibana'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKERMERGED.containers['so-kibana'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
    - watch:
      - file: kibanaconfig

--- a/salt/kibana/map.jinja
+++ b/salt/kibana/map.jinja
@@ -5,6 +5,7 @@

 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% import_yaml 'kibana/defaults.yaml' as KIBANADEFAULTS with context %}
+{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}

 {% do KIBANADEFAULTS.kibana.config.server.update({'publicBaseUrl': 'https://' ~ GLOBALS.url_base ~ '/kibana'}) %}
 {% do KIBANADEFAULTS.kibana.config.elasticsearch.update({'hosts': ['https://' ~ GLOBALS.manager ~ ':9200']}) %}
--- a/salt/kibana/so_dashboard_load.sls
+++ b/salt/kibana/so_dashboard_load.sls
@@ -3,6 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

+{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 include:
  - kibana.enabled

@@ -28,3 +29,27 @@ so-kibana-dashboard-load:
    - require:
      - sls: kibana.enabled
      - file: dashboard_saved_objects_template
+{%- if HIGHLANDER %}
+dashboard_saved_objects_template_hl:
+  file.managed:
+    - name: /opt/so/conf/kibana/hl.ndjson.template
+    - source: salt://kibana/files/hl.ndjson
+    - user: 932
+    - group: 939
+    - show_changes: False
+
+dashboard_saved_objects_hl_changes:
+  file.absent:
+    - names:
+      - /opt/so/state/kibana_hl.txt
+    - onchanges:
+      - file: dashboard_saved_objects_template_hl
+
+so-kibana-dashboard-load_hl:
+  cmd.run:
+    - name: /usr/sbin/so-kibana-config-load -i /opt/so/conf/kibana/hl.ndjson.template
+    - cwd: /opt/so
+    - require:
+      - sls: kibana.enabled
+      - file: dashboard_saved_objects_template_hl
+{%- endif %}
--- a/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults
+++ b/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults
@@ -1,5 +1,6 @@
 #!/bin/bash
 . /usr/sbin/so-common
+{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 wait_for_web_response "http://localhost:5601/api/spaces/space/default" "default" 300 "curl -K /opt/so/conf/elasticsearch/curl.config"
 ## This hackery will be removed if using Elastic Auth ##

@@ -8,6 +9,10 @@ SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http:

 # Disable certain Features from showing up in the Kibana UI
 echo
-echo "Setting up default Kibana Space:"
+echo "Setting up default Space:"
+{% if HIGHLANDER %}
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log
+{% else %}
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","securitySolutionCasesV3","inventory","dataQuality","searchSynonyms","enterpriseSearchApplications","enterpriseSearchAnalytics","securitySolutionTimeline","securitySolutionNotes","entityManager"]} ' >> /opt/so/log/kibana/misc.log
+{% endif %}
 echo
--- a/salt/kratos/enabled.sls
+++ b/salt/kratos/enabled.sls
@@ -5,7 +5,7 @@

 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}

 include:
@@ -19,38 +19,32 @@ so-kratos:
    - name: so-kratos
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers['so-kratos'].ip }}
+        - ipv4_address: {{ DOCKER.containers['so-kratos'].ip }}
    - binds:
      - /opt/so/conf/kratos/:/kratos-conf:ro
      - /opt/so/log/kratos/:/kratos-log:rw
      - /nsm/kratos/db:/kratos-data:rw
-      {% if DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %}
+      {% if DOCKER.containers['so-kratos'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-kratos'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKERMERGED.containers['so-kratos'].port_bindings %}
+      {% for BINDING in DOCKER.containers['so-kratos'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
-    {% if DOCKERMERGED.containers['so-kratos'].extra_hosts %}
+    {% if DOCKER.containers['so-kratos'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKERMERGED.containers['so-kratos'].extra_hosts %}
+      {% for XTRAHOST in DOCKER.containers['so-kratos'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKERMERGED.containers['so-kratos'].extra_env %}
+    {% if DOCKER.containers['so-kratos'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKERMERGED.containers['so-kratos'].extra_env %}
+      {% for XTRAENV in DOCKER.containers['so-kratos'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
-    {% if DOCKERMERGED.containers['so-kratos'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKERMERGED.containers['so-kratos'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
    - restart_policy: unless-stopped
    - watch:
      - file: kratosschema
--- a/salt/logrotate/defaults.yaml
+++ b/salt/logrotate/defaults.yaml
@@ -180,6 +180,16 @@ logrotate:
      - extension .log
      - dateext
      - dateyesterday
+    /opt/so/log/stenographer/*_x_log:
+      - daily
+      - rotate 14
+      - missingok
+      - copytruncate
+      - compress
+      - create
+      - extension .log
+      - dateext
+      - dateyesterday
    /opt/so/log/salt/so-salt-minion-check:
      - daily
      - rotate 14
--- a/salt/logrotate/soc_logrotate.yaml
+++ b/salt/logrotate/soc_logrotate.yaml
@@ -112,6 +112,13 @@ logrotate:
      multiline: True
      global: True
      forcedType: "[]string"
+    "/opt/so/log/stenographer/*_x_log":
+      description: List of logrotate options for this file.
+      title: /opt/so/log/stenographer/*.log
+      advanced: True
+      multiline: True
+      global: True
+      forcedType: "[]string"
    "/opt/so/log/salt/so-salt-minion-check":
      description: List of logrotate options for this file.
      title: /opt/so/log/salt/so-salt-minion-check
--- a/salt/logstash/config.sls
+++ b/salt/logstash/config.sls
@@ -36,6 +36,10 @@ logstash:
    - gid: 931
    - home: /opt/so/conf/logstash

+lslibdir:
+  file.absent:
+    - name: /opt/so/conf/logstash/lib
+
 logstash_sbin:
  file.recurse:
    - name: /usr/sbin
--- a/salt/logstash/enabled.sls
+++ b/salt/logstash/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'logstash/map.jinja' import LOGSTASH_MERGED %}
 {%   from 'logstash/map.jinja' import LOGSTASH_NODES %}
 {%   set lsheap = LOGSTASH_MERGED.settings.lsheap %}
@@ -32,7 +32,7 @@ so-logstash:
    - name: so-logstash
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers['so-logstash'].ip }}
+        - ipv4_address: {{ DOCKER.containers['so-logstash'].ip }}
    - user: logstash
    - extra_hosts:
    {% for node in LOGSTASH_NODES %}
@@ -40,20 +40,20 @@ so-logstash:
      - {{hostname}}:{{ip}}
    {%   endfor %}
    {% endfor %}
-    {% if DOCKERMERGED.containers['so-logstash'].extra_hosts %}
-    {%   for XTRAHOST in DOCKERMERGED.containers['so-logstash'].extra_hosts %}
+    {% if DOCKER.containers['so-logstash'].extra_hosts %}
+    {%   for XTRAHOST in DOCKER.containers['so-logstash'].extra_hosts %}
      - {{ XTRAHOST }}
    {%   endfor %}
    {% endif %}
    - environment:
      - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }}
-    {% if DOCKERMERGED.containers['so-logstash'].extra_env %}
-    {%   for XTRAENV in DOCKERMERGED.containers['so-logstash'].extra_env %}
+    {% if DOCKER.containers['so-logstash'].extra_env %}
+    {%   for XTRAENV in DOCKER.containers['so-logstash'].extra_env %}
      - {{ XTRAENV }}
    {%   endfor %}
    {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKERMERGED.containers['so-logstash'].port_bindings %}
+      {% for BINDING in DOCKER.containers['so-logstash'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -91,17 +91,11 @@ so-logstash:
      - /opt/so/log/fleet/:/osquery/logs:ro
      - /opt/so/log/strelka:/strelka:ro
      {% endif %}
-      {% if DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %}
+      {% if DOCKER.containers['so-logstash'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-logstash'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKERMERGED.containers['so-logstash'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKERMERGED.containers['so-logstash'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
    - watch:
      - file: lsetcsync
      - file: trusttheca
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -63,9 +63,11 @@ yara_log_dir:
      - user
      - group

+{% if GLOBALS.os_family == 'RedHat' %}
 install_createrepo:
  pkg.installed:
    - name: createrepo_c
+{% endif %}

 repo_conf_dir:
  file.directory:
--- a/salt/manager/tools/sbin/so-client
+++ b/salt/manager/tools/sbin/so-client
@@ -134,8 +134,8 @@ function require() {
 function verifyEnvironment() {
  require "jq"
  require "curl"
-  response=$(curl -Ss -L ${hydraUrl}/health/alive)
-  [[ "$response" != '{"status":"ok"}' ]] && fail "Unable to communicate with Hydra; specify URL via HYDRA_URL environment variable"
+  response=$(curl -Ss -L ${hydraUrl}/)
+  [[ "$response" != *"Error 404"* ]] && fail "Unable to communicate with Hydra; specify URL via HYDRA_URL environment variable"
 }

 function createFile() {
--- a/salt/manager/tools/sbin/so-minion
+++ b/salt/manager/tools/sbin/so-minion
@@ -462,14 +462,19 @@ function add_sensor_to_minion() {
        echo "      lb_procs: '$CORECOUNT'"
        echo "suricata:"
        echo "  enabled: True "
-        echo "  pcap:"
-        echo "    enabled: True"
        if [[ $is_pcaplimit ]]; then
+            echo "  pcap:"
            echo "    maxsize: $MAX_PCAP_SPACE"
        fi
        echo "  config:"
        echo "    af-packet:"
        echo "      threads: '$CORECOUNT'"
+        echo "pcap:"
+        echo "  enabled: True"
+        if [[ $is_pcaplimit ]]; then
+            echo "  config:"
+            echo "    diskfreepercentage: $DFREEPERCENT"
+        fi
        echo "  "
    } >> $PILLARFILE
    if [ $? -ne 0 ]; then
--- a/salt/manager/tools/sbin/so-yaml.py
+++ b/salt/manager/tools/sbin/so-yaml.py
@@ -22,7 +22,7 @@ def showUsage(args):
    print('    removelistitem   - Remove a list item from a yaml key, if it exists and is a list. Requires KEY and LISTITEM args.', file=sys.stderr)
    print('    replacelistobject  - Replace a list object based on a condition. Requires KEY, CONDITION_FIELD, CONDITION_VALUE, and JSON_OBJECT args.', file=sys.stderr)
    print('    add              - Add a new key and set its value. Fails if key already exists. Requires KEY and VALUE args.', file=sys.stderr)
-    print('    get [-r]         - Displays (to stdout) the value stored in the given key. Requires KEY arg. Use -r for raw output without YAML formatting.', file=sys.stderr)
+    print('    get              - Displays (to stdout) the value stored in the given key. Requires KEY arg.', file=sys.stderr)
    print('    remove           - Removes a yaml key, if it exists. Requires KEY arg.', file=sys.stderr)
    print('    replace          - Replaces (or adds) a new key and set its value. Requires KEY and VALUE args.', file=sys.stderr)
    print('    help             - Prints this usage information.', file=sys.stderr)
@@ -256,7 +256,7 @@ def replacelistobject(args):
 def addKey(content, key, value):
    pieces = key.split(".", 1)
    if len(pieces) > 1:
-        if pieces[0] not in content or content[pieces[0]] is None:
+        if not pieces[0] in content:
            content[pieces[0]] = {}
        addKey(content[pieces[0]], pieces[1], value)
    elif key in content:
@@ -332,11 +332,6 @@ def getKeyValue(content, key):


 def get(args):
-    raw = False
-    if len(args) > 0 and args[0] == '-r':
-        raw = True
-        args = args[1:]
-
    if len(args) != 2:
        print('Missing filename or key arg', file=sys.stderr)
        showUsage(None)
@@ -351,15 +346,7 @@ def get(args):
        print(f"Key '{key}' not found by so-yaml.py", file=sys.stderr)
        return 2

-    if raw:
-        if isinstance(output, bool):
-            print(str(output).lower())
-        elif isinstance(output, (dict, list)):
-            print(yaml.safe_dump(output).strip())
-        else:
-            print(output)
-    else:
-        print(yaml.safe_dump(output))
+    print(yaml.safe_dump(output))
    return 0


--- a/salt/manager/tools/sbin/so-yaml_test.py
+++ b/salt/manager/tools/sbin/so-yaml_test.py
@@ -395,17 +395,6 @@ class TestRemove(unittest.TestCase):
            self.assertEqual(result, 0)
            self.assertIn("45\n...", mock_stdout.getvalue())

-    def test_get_int_raw(self):
-        with patch('sys.stdout', new=StringIO()) as mock_stdout:
-            filename = "/tmp/so-yaml_test-get.yaml"
-            file = open(filename, "w")
-            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
-            file.close()
-
-            result = soyaml.get(["-r", filename, "key1.child2.deep1"])
-            self.assertEqual(result, 0)
-            self.assertEqual("45\n", mock_stdout.getvalue())
-
    def test_get_str(self):
        with patch('sys.stdout', new=StringIO()) as mock_stdout:
            filename = "/tmp/so-yaml_test-get.yaml"
@@ -417,51 +406,6 @@ class TestRemove(unittest.TestCase):
            self.assertEqual(result, 0)
            self.assertIn("hello\n...", mock_stdout.getvalue())

-    def test_get_str_raw(self):
-        with patch('sys.stdout', new=StringIO()) as mock_stdout:
-            filename = "/tmp/so-yaml_test-get.yaml"
-            file = open(filename, "w")
-            file.write("{key1: { child1: 123, child2: { deep1: \"hello\" } }, key2: false, key3: [e,f,g]}")
-            file.close()
-
-            result = soyaml.get(["-r", filename, "key1.child2.deep1"])
-            self.assertEqual(result, 0)
-            self.assertEqual("hello\n", mock_stdout.getvalue())
-
-    def test_get_bool(self):
-        with patch('sys.stdout', new=StringIO()) as mock_stdout:
-            filename = "/tmp/so-yaml_test-get.yaml"
-            file = open(filename, "w")
-            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
-            file.close()
-
-            result = soyaml.get([filename, "key2"])
-            self.assertEqual(result, 0)
-            self.assertIn("false\n...", mock_stdout.getvalue())
-
-    def test_get_bool_raw(self):
-        with patch('sys.stdout', new=StringIO()) as mock_stdout:
-            filename = "/tmp/so-yaml_test-get.yaml"
-            file = open(filename, "w")
-            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
-            file.close()
-
-            result = soyaml.get(["-r", filename, "key2"])
-            self.assertEqual(result, 0)
-            self.assertEqual("false\n", mock_stdout.getvalue())
-
-    def test_get_dict_raw(self):
-        with patch('sys.stdout', new=StringIO()) as mock_stdout:
-            filename = "/tmp/so-yaml_test-get.yaml"
-            file = open(filename, "w")
-            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
-            file.close()
-
-            result = soyaml.get(["-r", filename, "key1"])
-            self.assertEqual(result, 0)
-            self.assertIn("child1: 123", mock_stdout.getvalue())
-            self.assertNotIn("...", mock_stdout.getvalue())
-
    def test_get_list(self):
        with patch('sys.stdout', new=StringIO()) as mock_stdout:
            filename = "/tmp/so-yaml_test-get.yaml"
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
--- a/salt/nginx/enabled.sls
+++ b/salt/nginx/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'nginx/map.jinja' import NGINXMERGED %}

 include:
@@ -37,11 +37,11 @@ so-nginx:
    - hostname: so-nginx
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers[container_config].ip }}
+        - ipv4_address: {{ DOCKER.containers[container_config].ip }}
    - extra_hosts:
      - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
-    {% if DOCKERMERGED.containers[container_config].extra_hosts %}
-      {% for XTRAHOST in DOCKERMERGED.containers[container_config].extra_hosts %}
+    {% if DOCKER.containers[container_config].extra_hosts %}
+      {% for XTRAHOST in DOCKER.containers[container_config].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
@@ -64,26 +64,20 @@ so-nginx:
      - /opt/so/rules/nids/suri:/surirules:ro
      {%   endif %}
      {% endif %}
-      {% if DOCKERMERGED.containers[container_config].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers[container_config].custom_bind_mounts %}
+      {% if DOCKER.containers[container_config].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers[container_config].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKERMERGED.containers[container_config].extra_env %}
+    {% if DOCKER.containers[container_config].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKERMERGED.containers[container_config].extra_env %}
+      {% for XTRAENV in DOCKER.containers[container_config].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
-    {% if DOCKERMERGED.containers[container_config].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKERMERGED.containers[container_config].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
    - cap_add: NET_BIND_SERVICE
    - port_bindings:
-      {% for BINDING in DOCKERMERGED.containers[container_config].port_bindings %}
+      {% for BINDING in DOCKER.containers[container_config].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - watch:
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -1,5 +1,5 @@
 {%- from 'vars/globals.map.jinja' import GLOBALS %}
-{%- from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%- from 'docker/docker.map.jinja' import DOCKER %}
 {%- from 'nginx/map.jinja' import NGINXMERGED %}
 {%- set role = grains.id.split('_') | last %}
 {%- set influxpass = salt['pillar.get']('secrets:influx_pass') %}
@@ -387,13 +387,15 @@ http {
 		error_page 429 = @error429;

 		location @error401 {
-			if ($request_uri ~* (^/api/.*|^/connect/.*|^/oauth2/.*)) {
+			if ($request_uri ~* (^/connect/.*|^/oauth2/.*)) {
 				return    401;
 			}

-			add_header    Strict-Transport-Security   "max-age=31536000; includeSubDomains";
+			if ($request_uri ~* ^/(?!(^/api/.*))) {
+				add_header    Strict-Transport-Security   "max-age=31536000; includeSubDomains";
+			}

-			if ($request_uri ~* ^/(?!(login|auth|oauth2|$))) {
+			if ($request_uri ~* ^/(?!(api/|login|auth|oauth2|$))) {
 				add_header    Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
 			}
 			return        302 /auth/self-service/login/browser;
--- a/salt/ntp/init.sls
+++ b/salt/ntp/init.sls
@@ -2,6 +2,7 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
+{% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'ntp/config.map.jinja' import NTPCONFIG %}

 chrony_pkg:
@@ -16,7 +17,11 @@ chronyconf:
    - defaults:
        NTPCONFIG: {{ NTPCONFIG }}

+{% if GLOBALS.os_family == 'RedHat' %}
 chronyd:
+{% else %}
+chrony:
+{% endif %}
  service.running:
    - enable: True
    - watch: 
--- a/salt/pcap/ca.sls
+++ b/salt/pcap/ca.sls
@@ -0,0 +1,22 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states or sls in allowed_states%}
+
+stenoca:
+  file.directory:
+    - name: /opt/so/conf/steno/certs
+    - user: 941
+    - group: 939
+    - makedirs: True
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}
--- a/salt/pcap/cleanup.sls
+++ b/salt/pcap/cleanup.sls
@@ -1,59 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-
-{% if GLOBALS.is_sensor %}
-
-delete_so-steno_so-status.conf:
-  file.line:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - mode: delete
-    - match: so-steno
-
-remove_stenographer_user:
-  user.absent:
-    - name: stenographer
-    - force: True
-
-remove_stenographer_log_dir:
-  file.absent:
-    - name: /opt/so/log/stenographer
-
-remove_stenoloss_script:
-  file.absent:
-    - name: /opt/so/conf/telegraf/scripts/stenoloss.sh
-
-remove_steno_conf_dir:
-  file.absent:
-    - name: /opt/so/conf/steno
-
-remove_so_pcap_export:
-  file.absent:
-    - name: /usr/sbin/so-pcap-export
-
-remove_so_pcap_restart:
-  file.absent:
-    - name: /usr/sbin/so-pcap-restart
-
-remove_so_pcap_start:
-  file.absent:
-    - name: /usr/sbin/so-pcap-start
-
-remove_so_pcap_stop:
-  file.absent:
-    - name: /usr/sbin/so-pcap-stop
-
-so-steno:
-  docker_container.absent:
-    - force: True
-
-{% else %}
-
-{{sls}}.non_sensor_node:
-  test.show_notification:
-    - text: "Stenographer cleanup not applicable on non-sensor nodes."
-
-{% endif %}
--- a/salt/pcap/config.map.jinja
+++ b/salt/pcap/config.map.jinja
@@ -0,0 +1,13 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. #}
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% import_yaml 'pcap/defaults.yaml' as PCAPDEFAULTS %}
+{% set PCAPMERGED = salt['pillar.get']('pcap', PCAPDEFAULTS.pcap, merge=True) %}
+
+{# disable stenographer if the pcap engine is set to SURICATA #}
+{% if GLOBALS.pcap_engine == "SURICATA" %}
+{%   do PCAPMERGED.update({'enabled': False}) %}
+{% endif %}
--- a/salt/pcap/config.sls
+++ b/salt/pcap/config.sls
@@ -0,0 +1,87 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from "pcap/config.map.jinja" import PCAPMERGED %}
+{% from 'bpf/pcap.map.jinja' import PCAPBPF, PCAP_BPF_STATUS, PCAP_BPF_CALC, STENO_BPF_COMPILED %}
+
+# PCAP Section
+stenographergroup:
+  group.present:
+    - name: stenographer
+    - gid: 941
+
+stenographer:
+  user.present:
+    - uid: 941
+    - gid: 941
+    - home: /opt/so/conf/steno
+
+stenoconfdir:
+  file.directory:
+    - name: /opt/so/conf/steno
+    - user: 941
+    - group: 939
+    - makedirs: True
+
+pcap_sbin:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://pcap/tools/sbin
+    - user: 939
+    - group: 939
+    - file_mode: 755
+
+{% if PCAPBPF and not PCAP_BPF_STATUS %}
+stenoPCAPbpfcompilationfailure:
+  test.configurable_test_state:
+   - changes: False
+   - result: False
+  - comment: "BPF Syntax Error - Discarding Specified BPF. Error: {{ PCAP_BPF_CALC['stderr'] }}"
+{% endif %}
+
+stenoconf:
+  file.managed:
+    - name: /opt/so/conf/steno/config
+    - source: salt://pcap/files/config.jinja
+    - user: stenographer
+    - group: stenographer
+    - mode: 644
+    - template: jinja
+    - defaults:
+        PCAPMERGED: {{ PCAPMERGED }}
+        STENO_BPF_COMPILED: "{{ STENO_BPF_COMPILED }}"
+
+pcaptmpdir:
+  file.directory:
+    - name: /nsm/pcaptmp
+    - user: 941
+    - group: 941
+    - makedirs: True
+
+pcapindexdir:
+  file.directory:
+    - name: /nsm/pcapindex
+    - user: 941
+    - group: 941
+    - makedirs: True
+
+stenolog:
+  file.directory:
+    - name: /opt/so/log/stenographer
+    - user: 941
+    - group: 941
+    - makedirs: True
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}
--- a/salt/pcap/defaults.yaml
+++ b/salt/pcap/defaults.yaml
@@ -0,0 +1,11 @@
+pcap:
+  enabled: False
+  config:
+    maxdirectoryfiles: 30000
+    diskfreepercentage: 10
+    blocks: 2048
+    preallocate_file_mb: 4096
+    aiops: 128
+    pin_to_cpu: False
+    cpus_to_pin_to: []
+    disks: []
--- a/salt/pcap/disabled.sls
+++ b/salt/pcap/disabled.sls
@@ -0,0 +1,27 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+  - pcap.sostatus
+  
+so-steno:
+  docker_container.absent:
+    - force: True
+
+so-steno_so-status.disabled:
+  file.comment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-steno$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}
--- a/salt/pcap/enabled.sls
+++ b/salt/pcap/enabled.sls
@@ -0,0 +1,63 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
+
+
+include:
+  - pcap.ca
+  - pcap.config
+  - pcap.sostatus
+
+so-steno:
+  docker_container.running:
+    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-steno:{{ GLOBALS.so_version }}
+    - start: True
+    - network_mode: host
+    - privileged: True
+    - binds:
+      - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
+      - /opt/so/conf/steno/config:/etc/stenographer/config:rw
+      - /nsm/pcap:/nsm/pcap:rw
+      - /nsm/pcapindex:/nsm/pcapindex:rw
+      - /nsm/pcaptmp:/tmp:rw
+      - /opt/so/log/stenographer:/var/log/stenographer:rw
+    {% if DOCKER.containers['so-steno'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-steno'].custom_bind_mounts %}
+      - {{ BIND }}
+        {% endfor %}
+      {% endif %}
+    {% if DOCKER.containers['so-steno'].extra_hosts %}
+    - extra_hosts:
+      {% for XTRAHOST in DOCKER.containers['so-steno'].extra_hosts %}
+      - {{ XTRAHOST }}
+      {% endfor %}
+    {% endif %}
+    {% if DOCKER.containers['so-steno'].extra_env %}
+    - environment:
+      {% for XTRAENV in DOCKER.containers['so-steno'].extra_env %}
+      - {{ XTRAENV }}
+      {% endfor %}
+    {% endif %}
+    - watch:
+      - file: stenoconf
+    - require:
+      - file: stenoconf
+
+delete_so-steno_so-status.disabled:
+  file.uncomment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-steno$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}
--- a/salt/pcap/files/config.jinja
+++ b/salt/pcap/files/config.jinja
@@ -0,0 +1,11 @@
+{
+  "Threads": [
+    { "PacketsDirectory": "/nsm/pcap", "IndexDirectory": "/nsm/pcapindex", "MaxDirectoryFiles": {{ PCAPMERGED.config.maxdirectoryfiles }}, "DiskFreePercentage": {{ PCAPMERGED.config.diskfreepercentage }} }
+  ]
+  , "StenotypePath": "/usr/bin/stenotype"
+  , "Interface": "{{ pillar.sensor.interface }}"
+  , "Port": 1234
+  , "Host": "127.0.0.1"
+  , "Flags": ["-v", "--blocks={{ PCAPMERGED.config.blocks }}", "--preallocate_file_mb={{ PCAPMERGED.config.preallocate_file_mb }}", "--aiops={{ PCAPMERGED.config.aiops }}", "--uid=stenographer", "--gid=stenographer"{{ STENO_BPF_COMPILED }}]
+  , "CertPath": "/etc/stenographer/certs"
+}
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -0,0 +1,41 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'pcap/config.map.jinja' import PCAPMERGED %}
+
+include:
+{% if PCAPMERGED.enabled and GLOBALS.role != 'so-import'%}
+  - pcap.enabled
+{% elif GLOBALS.role == 'so-import' %}
+  - pcap.config
+  - pcap.disabled
+{% else %}
+  - pcap.disabled
+{% endif %}
+
+# This directory needs to exist regardless of whether STENO is enabled or not, in order for
+# Sensoroni to be able to look at old steno PCAP data
+
+# if stenographer has never run as the pcap engine no 941 user is created, so we use socore as a placeholder.
+# /nsm/pcap is empty until stenographer is used as pcap engine
+{% set pcap_id = 941 %}
+{% set user_list = salt['user.list_users']() %}
+{% if GLOBALS.pcap_engine == "SURICATA" and 'stenographer' not in user_list %}
+{%   set pcap_id = 939 %}
+{% endif %}
+pcapdir:
+  file.directory:
+    - name: /nsm/pcap
+    - user: {{ pcap_id }}
+    - group: {{ pcap_id }}
+    - makedirs: True
+
+pcapoutdir:
+  file.directory:
+    - name: /nsm/pcapout
+    - user: 939
+    - group: 939
+    - makedirs: True
--- a/salt/pcap/soc_pcap.yaml
+++ b/salt/pcap/soc_pcap.yaml
@@ -0,0 +1,35 @@
+pcap:
+  enabled: 
+    description: Enables or disables the Stenographer packet recording process. This process may already be disabled if Suricata is being used as the packet capture process.
+    helpLink: stenographer.html
+  config:
+    maxdirectoryfiles:
+      description: By default, Stenographer limits the number of files in the pcap directory to 30000 to avoid limitations with the ext3 filesystem. However, if you're using the ext4 or xfs filesystems, then it is safe to increase this value. So if you have a large amount of storage and find that you only have 3 weeks worth of PCAP on disk while still having plenty of free space, then you may want to increase this default setting.
+      helpLink: stenographer.html
+    diskfreepercentage:
+      description: Stenographer will purge old PCAP on a regular basis to keep the disk free percentage at this level. If you have a distributed deployment with dedicated Sensor nodes, then the default value of 10 should be reasonable since Stenographer should be the main consumer of disk space in the /nsm partition. However, if you have systems that run both Stenographer and Elasticsearch at the same time (like eval and standalone installations), then you’ll want to make sure that this value is no lower than 21 so that you avoid Elasticsearch hitting its watermark setting at 80% disk usage. If you have an older standalone installation, then you may need to manually change this value to 21.
+      helpLink: stenographer.html
+    blocks:
+      description: The number of 1MB packet blocks used by Stenographer and AF_PACKET to store packets in memory, per thread. You shouldn't need to change this. 
+      advanced: True
+      helpLink: stenographer.html
+    preallocate_file_mb:
+      description: File size to pre-allocate for individual Stenographer PCAP files. You shouldn't need to change this. 
+      advanced: True
+      helpLink: stenographer.html
+    aiops:
+      description: The max number of async writes to allow for Stenographer at once.
+      advanced: True
+      helpLink: stenographer.html
+    pin_to_cpu:
+      description: Enable CPU pinning for Stenographer PCAP.
+      advanced: True
+      helpLink: stenographer.html
+    cpus_to_pin_to:
+      description: CPU to pin Stenographer PCAP to. Currently only a single CPU is supported.
+      advanced: True
+      helpLink: stenographer.html
+    disks:
+      description: List of disks to use for Stenographer PCAP. This is currently not used.
+      advanced: True
+      helpLink: stenographer.html
--- a/salt/pcap/sostatus.sls
+++ b/salt/pcap/sostatus.sls
@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-steno_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-steno
+    - unless: grep -q so-steno /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}
--- a/salt/pcap/tools/sbin/so-pcap-export
+++ b/salt/pcap/tools/sbin/so-pcap-export
@@ -0,0 +1,18 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+if [ $# -lt 2 ]; then
+  echo "Usage: $0 <steno-query> Output-Filename"
+  exit 1
+fi
+
+docker exec -t so-sensoroni scripts/stenoquery.sh "$1" -w /nsm/pcapout/$2.pcap
+
+echo ""
+echo "If successful, the output was written to: /nsm/pcapout/$2.pcap"
--- a/salt/pcap/tools/sbin/so-pcap-restart
+++ b/salt/pcap/tools/sbin/so-pcap-restart
@@ -0,0 +1,12 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart steno $1
--- a/salt/pcap/tools/sbin/so-pcap-start
+++ b/salt/pcap/tools/sbin/so-pcap-start
@@ -0,0 +1,12 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start steno $1
--- a/salt/pcap/tools/sbin/so-pcap-stop
+++ b/salt/pcap/tools/sbin/so-pcap-stop
@@ -0,0 +1,12 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop steno $1
--- a/salt/podman/files/podman.service
+++ b/salt/podman/files/podman.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Podman API Service
+Requires=podman.socket
+After=podman.socket
+Documentation=man:podman-api(1)
+StartLimitIntervalSec=0
+
+[Service]
+Type=oneshot
+Environment=REGISTRIES_CONFIG_PATH=/etc/containers/registries.conf
+ExecStart=/usr/bin/podman system service
+TimeoutStopSec=30
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target
+Also=podman.socket
--- a/salt/podman/files/podman.socket
+++ b/salt/podman/files/podman.socket
@@ -0,0 +1,10 @@
+[Unit]
+Description=Podman API Socket
+Documentation=man:podman-api(1)
+
+[Socket]
+ListenStream=%t/podman/podman.sock
+SocketMode=0660
+
+[Install]
+WantedBy=sockets.target
--- a/salt/podman/files/sobridge.conflist
+++ b/salt/podman/files/sobridge.conflist
@@ -0,0 +1,48 @@
+{
+   "args": {
+      "podman_options": {
+         "isolate": "true",
+         "mtu": "1500"
+      }
+   },
+   "cniVersion": "0.4.0",
+   "name": "sobridge",
+   "plugins": [
+      {
+         "type": "bridge",
+         "bridge": "sobridge",
+         "isGateway": true,
+         "ipMasq": false,
+         "mtu": 1500,
+         "hairpinMode": false,
+         "ipam": {
+            "type": "host-local",
+            "routes": [
+               {
+                  "dst": "0.0.0.0/0"
+               }
+            ],
+            "ranges": [
+               [
+                  {
+                     "subnet": "172.17.1.0/24",
+                     "gateway": "172.17.1.1"
+                  }
+               ]
+            ]
+         },
+         "capabilities": {
+            "ips": true
+         }
+      },
+      {
+         "type": "portmap",
+         "capabilities": {
+            "portMappings": false
+         }
+      },
+      {
+         "type": "tuning"
+      }
+   ]
+}
--- a/salt/podman/init.sls
+++ b/salt/podman/init.sls
@@ -0,0 +1,56 @@
+{% from 'docker/docker.map.jinja' import DOCKER %}
+
+Podman pkg:
+  pkg.installed:
+    - name: podman
+
+cnipkg:
+  pkg.installed:
+    - name: containernetworking-plugins
+
+{#
+Podman service:
+  file.managed:
+    - name: /usr/lib/systemd/system/podman.service
+    - source: salt://podman/podman.service
+#}
+
+sobridgeconf:
+  file.managed:
+    - name: /etc/cni/net.d/sobridge.conflist
+    - source: salt://podman/files/sobridge.conflist
+
+Podman_socket_service:
+  service.running:
+    - name: podman.socket
+    - enable: true
+
+Podman_service:
+  service.running:
+    - name: podman.service
+    - enable: true
+
+Docker socket:
+  file.symlink:
+    - name: /var/run/docker.sock
+    - target: /var/run/podman/podman.sock
+
+podman_docker_symlink:
+  file.symlink:
+    - name: /usr/bin/docker
+    - target: /usr/bin/podman
+
+{#
+sos_docker_net:
+  docker_network.present:
+    - name: sobridge
+    - subnet: {{ DOCKER.range }}
+    - gateway: {{ DOCKER.bip }}
+    - options:
+        com.docker.network.bridge.name: 'sobridge'
+        com.docker.network.driver.mtu: '1500'
+        com.docker.network.bridge.enable_ip_masquerade: 'true'
+        com.docker.network.bridge.enable_icc: 'true'
+        com.docker.network.bridge.host_binding_ipv4: '0.0.0.0'
+    - unless: 'docker network ls | grep sobridge'
+#}
--- a/salt/redis/enabled.sls
+++ b/salt/redis/enabled.sls
@@ -5,7 +5,7 @@

 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}

 include:
@@ -21,9 +21,9 @@ so-redis:
    - user: socore
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers['so-redis'].ip }}
+        - ipv4_address: {{ DOCKER.containers['so-redis'].ip }}
    - port_bindings:
-      {% for BINDING in DOCKERMERGED.containers['so-redis'].port_bindings %}
+      {% for BINDING in DOCKER.containers['so-redis'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -34,29 +34,23 @@ so-redis:
      - /etc/pki/redis.crt:/certs/redis.crt:ro
      - /etc/pki/redis.key:/certs/redis.key:ro
      - /etc/pki/tls/certs/intca.crt:/certs/ca.crt:ro
-      {% if DOCKERMERGED.containers['so-redis'].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers['so-redis'].custom_bind_mounts %}
+      {% if DOCKER.containers['so-redis'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-redis'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKERMERGED.containers['so-redis'].extra_hosts %}
+    {% if DOCKER.containers['so-redis'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKERMERGED.containers['so-redis'].extra_hosts %}
+      {% for XTRAHOST in DOCKER.containers['so-redis'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKERMERGED.containers['so-redis'].extra_env %}
+    {% if DOCKER.containers['so-redis'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKERMERGED.containers['so-redis'].extra_env %}
+      {% for XTRAENV in DOCKER.containers['so-redis'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
-    {% if DOCKERMERGED.containers['so-redis'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKERMERGED.containers['so-redis'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
    - entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
    - watch:
      - file: trusttheca
--- a/salt/registry/enabled.sls
+++ b/salt/registry/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{%   from 'docker/docker.map.jinja' import DOCKER %}

 include:
  - registry.ssl
@@ -20,10 +20,10 @@ so-dockerregistry:
    - hostname: so-registry
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKERMERGED.containers['so-dockerregistry'].ip }}
+        - ipv4_address: {{ DOCKER.containers['so-dockerregistry'].ip }}
    - restart_policy: always
    - port_bindings:
-      {% for BINDING in DOCKERMERGED.containers['so-dockerregistry'].port_bindings %}
+      {% for BINDING in DOCKER.containers['so-dockerregistry'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -32,31 +32,25 @@ so-dockerregistry:
      - /nsm/docker-registry/docker:/var/lib/registry/docker:rw
      - /etc/pki/registry.crt:/etc/pki/registry.crt:ro
      - /etc/pki/registry.key:/etc/pki/registry.key:ro
-      {% if DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %}
+      {% if DOCKER.containers['so-dockerregistry'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-dockerregistry'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %}
+    {% if DOCKER.containers['so-dockerregistry'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %}
+      {% for XTRAHOST in DOCKER.containers['so-dockerregistry'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
    - client_timeout: 180
    - environment:
      - HOME=/root
-      {% if DOCKERMERGED.containers['so-dockerregistry'].extra_env %}
-        {% for XTRAENV in DOCKERMERGED.containers['so-dockerregistry'].extra_env %}
+      {% if DOCKER.containers['so-dockerregistry'].extra_env %}
+        {% for XTRAENV in DOCKER.containers['so-dockerregistry'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
-    {% if DOCKERMERGED.containers['so-dockerregistry'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKERMERGED.containers['so-dockerregistry'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
    - retry:
        attempts: 5
        interval: 30
--- a/salt/repo/client/map.jinja
+++ b/salt/repo/client/map.jinja
@@ -1,29 +1,43 @@
-{% set REPOPATH = '/etc/yum.repos.d/' %}
-{% set ABSENTFILES = [
-       'centos-addons.repo',
-       'centos-devel.repo',
-       'centos-extras.repo',
-       'centos.repo',
-       'docker-ce.repo',
-       'epel.repo',
-       'epel-testing.repo',
-       'saltstack.repo',
-       'salt-latest.repo',
-       'wazuh.repo'
-       'Rocky-Base.repo',
-       'Rocky-CR.repo',
-       'Rocky-Debuginfo.repo',
-       'Rocky-fasttrack.repo',
-       'Rocky-Media.repo',
-       'Rocky-Sources.repo',
-       'Rocky-Vault.repo',
-       'Rocky-x86_64-kernel.repo',
-       'rocky-addons.repo',
-       'rocky-devel.repo',
-       'rocky-extras.repo',
-       'rocky.repo',
-       'oracle-linux-ol9.repo',
-       'uek-ol9.repo',
-       'virt-ol9.repo'
-     ]
-%}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+{% if GLOBALS.os_family == 'RedHat' %}
+  {% set REPOPATH = '/etc/yum.repos.d/' %}
+{%     if GLOBALS.os == 'OEL' %}
+  {% set ABSENTFILES = [
+         'centos-addons.repo',
+         'centos-devel.repo',
+         'centos-extras.repo',
+         'centos.repo',
+         'docker-ce.repo',
+         'epel.repo',
+         'epel-testing.repo',
+         'saltstack.repo',
+         'salt-latest.repo',
+         'wazuh.repo'
+         'Rocky-Base.repo',
+         'Rocky-CR.repo',
+         'Rocky-Debuginfo.repo',
+         'Rocky-fasttrack.repo',
+         'Rocky-Media.repo',
+         'Rocky-Sources.repo',
+         'Rocky-Vault.repo',
+         'Rocky-x86_64-kernel.repo',
+         'rocky-addons.repo',
+         'rocky-devel.repo',
+         'rocky-extras.repo',
+         'rocky.repo',
+         'oracle-linux-ol9.repo',
+         'uek-ol9.repo',
+         'virt-ol9.repo'
+       ]
+  %}
+{%     else %}
+  {% set ABSENTFILES = [] %}
+{%    endif %}
+
+{% else %}
+
+  {% set REPOPATH = '/etc/apt/sources.list.d/' %}
+  {% set ABSENTFILES = [] %}
+
+{% endif %}
--- a/salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja
+++ b/salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja
@@ -29,11 +29,7 @@ sool9_{{host}}:
    hypervisor_host: {{host ~ "_" ~ role}}
  preflight_cmds:
    - |
-      {%- set hostnames = [MANAGERHOSTNAME] %}
-      {%- if not (URL_BASE | ipaddr) and URL_BASE != MANAGERHOSTNAME %}
-      {%-   do hostnames.append(URL_BASE) %}
-      {%- endif %}
-      tee -a /etc/hosts <<< "{{ MANAGERIP }}    {{ hostnames | join('  ') }}"
+      tee -a /etc/hosts <<< "{{ MANAGERIP }}    {{ MANAGERHOSTNAME }}"
    - |
      timeout 600 bash -c 'trap "echo \"Preflight Check: Failed to establish repo connectivity\"; exit 1" TERM; \
        while ! dnf makecache --repoid=securityonion >/dev/null 2>&1; do echo "Preflight Check: Waiting for repo connectivity..."; \
--- a/salt/salt/cloud/config.sls
+++ b/salt/salt/cloud/config.sls
@@ -14,7 +14,6 @@
 {%   if 'vrt' in salt['pillar.get']('features', []) %}
 {%     set HYPERVISORS = salt['pillar.get']('hypervisor:nodes', {} ) %}
 {%     from 'salt/map.jinja' import SALTVERSION %}
-{%     from 'vars/globals.map.jinja' import GLOBALS %}

 {%     if HYPERVISORS %}
 cloud_providers:
@@ -35,7 +34,6 @@ cloud_profiles:
        MANAGERHOSTNAME: {{ grains.host }}
        MANAGERIP: {{ pillar.host.mainip }}
        SALTVERSION: {{ SALTVERSION }}
-        URL_BASE: {{ GLOBALS.url_base }}
    - template: jinja
    - makedirs: True
 {%     else %}
--- a/salt/salt/engines/master/virtual_node_manager.py
+++ b/salt/salt/engines/master/virtual_node_manager.py
@@ -805,6 +805,11 @@ def process_vm_creation(hypervisor_path: str, vm_config: dict) -> None:
                    mark_invalid_hardware(hypervisor_path, vm_name, vm_config,
                                        {'nsm_size': 'Invalid nsm_size: must be positive integer'})
                    return
+                if size > 10000:  # 10TB reasonable maximum
+                    log.error("VM: %s - nsm_size %dGB exceeds reasonable maximum (10000GB)", vm_name, size)
+                    mark_invalid_hardware(hypervisor_path, vm_name, vm_config,
+                                        {'nsm_size': f'Invalid nsm_size: {size}GB exceeds maximum (10000GB)'})
+                    return
                log.debug("VM: %s - nsm_size validated: %dGB", vm_name, size)
            except (ValueError, TypeError) as e:
                log.error("VM: %s - nsm_size must be a valid integer, got: %s", vm_name, vm_config.get('nsm_size'))
--- a/salt/salt/init.sls
+++ b/salt/salt/init.sls
@@ -1,3 +1,10 @@
+{% if grains.oscodename == 'focal' %}
+saltpymodules:
+  pkg.installed:
+    - pkgs:
+      - python3-docker
+{% endif %}
+
 # distribute to minions for salt upgrades
 salt_bootstrap:
  file.managed:
--- a/salt/salt/map.jinja
+++ b/salt/salt/map.jinja
@@ -17,12 +17,22 @@
 {% set SALTVERSION = saltminion.salt.minion.version | string %}
 {% set INSTALLEDSALTVERSION = grains.saltversion | string %}

-{% set SPLITCHAR = '-' %}
-{% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion', 'salt-cloud'] %}
-{% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
+{% if grains.os_family == 'Debian' %}
+  {% set SPLITCHAR = '+' %}
+  {% set SALTPACKAGES = ['salt-common', 'salt-master', 'salt-minion', 'salt-cloud'] %}
+  {% set SYSTEMD_UNIT_FILE = '/lib/systemd/system/salt-minion.service' %}
+{% else %}
+  {% set SPLITCHAR = '-' %}
+  {% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion', 'salt-cloud'] %}
+  {% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
+{% endif %}

 {% if INSTALLEDSALTVERSION != SALTVERSION %}
-  {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -r -F stable ' ~ SALTVERSION %}
+  {% if grains.os_family|lower == 'redhat' %}
+      {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -r -F stable ' ~ SALTVERSION %}
+  {% elif grains.os_family|lower == 'debian' %}
+    {% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -X -F stable ' ~ SALTVERSION %}
+  {% endif %}
 {% else %}
  {% set UPGRADECOMMAND = 'echo Already running Salt Minion version ' ~ SALTVERSION %}
 {% endif %}
--- a/salt/salt/master.sls
+++ b/salt/salt/master.sls
@@ -23,6 +23,15 @@ sync_runners:
    - name: saltutil.sync_runners
 {% endif %}

+# prior to 2.4.30 this engine ran on the manager with salt-minion
+# this has changed to running with the salt-master in 2.4.30
+remove_engines_config:
+  file.absent:
+    - name: /etc/salt/minion.d/engines.conf
+    - source: salt://salt/files/engines.conf
+    - watch_in:
+      - service: salt_minion_service
+
 checkmine_engine:
  file.managed:
    - name: /etc/salt/engines/checkmine.py
--- a/salt/sensoroni/enabled.sls
+++ b/salt/sensoroni/enabled.sls
@@ -4,10 +4,13 @@
 # Elastic License 2.0.

 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
+{% from 'docker/docker.map.jinja' import DOCKER %}


 include:
+{% if GLOBALS.is_sensor or GLOBALS.role == 'so-import' %}
+  - pcap.ca
+{% endif %}
  - sensoroni.config
  - sensoroni.sostatus

@@ -16,6 +19,10 @@ so-sensoroni:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-soc:{{ GLOBALS.so_version }}
    - network_mode: host
    - binds:
+      {% if GLOBALS.is_sensor or GLOBALS.role == 'so-import' %}
+      - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
+      {% endif %}
+      - /nsm/pcap:/nsm/pcap:rw
      - /nsm/import:/nsm/import:rw
      - /nsm/pcapout:/nsm/pcapout:rw
      - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
@@ -23,29 +30,23 @@ so-sensoroni:
      - /opt/so/conf/sensoroni/templates:/opt/sensoroni/templates:ro
      - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
      - /nsm/suripcap/:/nsm/suripcap:rw
-      {% if DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %}
-        {% for BIND in DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %}
+      {% if DOCKER.containers['so-sensoroni'].custom_bind_mounts %}
+        {% for BIND in DOCKER.containers['so-sensoroni'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKERMERGED.containers['so-sensoroni'].extra_hosts %}
+    {% if DOCKER.containers['so-sensoroni'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKERMERGED.containers['so-sensoroni'].extra_hosts %}
+      {% for XTRAHOST in DOCKER.containers['so-sensoroni'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKERMERGED.containers['so-sensoroni'].extra_env %}
+    {% if DOCKER.containers['so-sensoroni'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKERMERGED.containers['so-sensoroni'].extra_env %}
+      {% for XTRAENV in DOCKER.containers['so-sensoroni'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
-    {% if DOCKERMERGED.containers['so-sensoroni'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKERMERGED.containers['so-sensoroni'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
    - watch:
      - file: /opt/so/conf/sensoroni/sensoroni.json
    - require:
--- a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/certifi-2026.2.25-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/certifi-2026.2.25-py3-none-any.whl
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Jason Ertel	9d8bae3183	merge	2026-03-05 11:51:21 -05:00
Jorge Reyes	b18fd591ac	Merge pull request #15498 from Security-Onion-Solutions/reyesj2-patch-15 unmount current agupdate dir, before final upgrade on airgap	2026-02-18 10:18:03 -06:00
Jorge Reyes	130cf279f9	Update VERSION	2026-02-17 18:39:17 -06:00