add back individual signing policies

ES 9.0.8

pillar/ca/init.sls

@@ -0,0 +1,2 @@
+ca:
+  server:

pillar/top.sls

@@ -1,5 +1,6 @@
 base:
   '*':
+    - ca
     - global.soc_global
     - global.adv_global
     - docker.soc_docker

salt/allowed_states.map.jinja

@@ -15,11 +15,7 @@
     'salt.minion-check',
     'sensoroni',
     'salt.lasthighstate',
-    'salt.minion'
-] %}
-
-{% set ssl_states = [
-    'ssl',
+    'salt.minion',
     'telegraf',
     'firewall',
     'schedule',
@@ -28,7 +24,7 @@
 
 {% set manager_states = [
     'salt.master',
-    'ca',
+    'ca.server',
     'registry',
     'manager',
     'nginx',
@@ -75,28 +71,23 @@
     {# Map role-specific states #}
     {% set role_states = {
         'so-eval': (
-            ssl_states +
             manager_states +
             sensor_states +
             elastic_stack_states | reject('equalto', 'logstash') | list
         ),
         'so-heavynode': (
-            ssl_states +
             sensor_states +
             ['elasticagent', 'elasticsearch', 'logstash', 'redis', 'nginx']
         ),
         'so-idh': (
-            ssl_states +
             ['idh']
         ),
         'so-import': (
-            ssl_states +
             manager_states +
             sensor_states | reject('equalto', 'strelka') | reject('equalto', 'healthcheck') | list +
             ['elasticsearch', 'elasticsearch.auth', 'kibana', 'kibana.secrets', 'strelka.manager']
         ),
         'so-manager': (
-            ssl_states +
             manager_states +
             ['salt.cloud', 'libvirt.packages', 'libvirt.ssh.users', 'strelka.manager'] +
             stig_states +
@@ -104,7 +95,6 @@
             elastic_stack_states
         ),
         'so-managerhype': (
-            ssl_states +
             manager_states +
             ['salt.cloud', 'strelka.manager', 'hypervisor', 'libvirt'] +
             stig_states +
@@ -112,7 +102,6 @@
             elastic_stack_states
         ),
         'so-managersearch': (
-            ssl_states +
             manager_states +
             ['salt.cloud', 'libvirt.packages', 'libvirt.ssh.users', 'strelka.manager'] +
             stig_states +
@@ -120,12 +109,10 @@
             elastic_stack_states
         ),
         'so-searchnode': (
-            ssl_states +
             ['kafka.ca', 'kafka.ssl', 'elasticsearch', 'logstash', 'nginx'] +
             stig_states
         ),
         'so-standalone': (
-            ssl_states +
             manager_states +
             ['salt.cloud', 'libvirt.packages', 'libvirt.ssh.users'] +
             sensor_states +
@@ -134,29 +121,24 @@
             elastic_stack_states
         ),
         'so-sensor': (
-            ssl_states +
             sensor_states +
             ['nginx'] +
             stig_states
         ),
         'so-fleet': (
-            ssl_states +
             stig_states +
             ['logstash', 'nginx', 'healthcheck', 'elasticfleet']
         ),
         'so-receiver': (
-            ssl_states +
             kafka_states +
             stig_states +
             ['logstash', 'redis']
         ),
         'so-hypervisor': (
-            ssl_states +
             stig_states +
             ['hypervisor', 'libvirt']
         ),
         'so-desktop': (
-            ['ssl', 'docker_clean', 'telegraf'] +
             stig_states
         )
     } %}

salt/ca/dirs.sls

@@ -1,4 +0,0 @@
-pki_issued_certs:
-  file.directory:
-    - name: /etc/pki/issued_certs
-    - makedirs: True

salt/ca/init.sls

@@ -3,70 +3,10 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls in allowed_states %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 
-
 include:
-  - ca.dirs
-
-/etc/salt/minion.d/signing_policies.conf:
-  file.managed:
-    - source: salt://ca/files/signing_policies.conf
-
-pki_private_key:
-  x509.private_key_managed:
-    - name: /etc/pki/ca.key
-    - keysize: 4096
-    - passphrase:
-    - backup: True
-    {% if salt['file.file_exists']('/etc/pki/ca.key') -%}
-    - prereq:
-      - x509: /etc/pki/ca.crt
-    {%- endif %}
-
-pki_public_ca_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/ca.crt
-    - signing_private_key: /etc/pki/ca.key
-    - CN: {{ GLOBALS.manager }}
-    - C: US
-    - ST: Utah
-    - L: Salt Lake City
-    - basicConstraints: "critical CA:true"
-    - keyUsage: "critical cRLSign, keyCertSign"
-    - extendedkeyUsage: "serverAuth, clientAuth"
-    - subjectKeyIdentifier: hash
-    - authorityKeyIdentifier: keyid:always, issuer
-    - days_valid: 3650
-    - days_remaining: 0
-    - backup: True
-    - replace: False
-    - require:
-      - sls: ca.dirs
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-
-mine_update_ca_crt:
-  module.run:
-    - mine.update: []
-    - onchanges:
-      - x509: pki_public_ca_crt
-
-cakeyperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/ca.key
-    - mode: 640
-    - group: 939
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
+{% if GLOBALS.is_manager %}
+  - ca.server
 {% endif %}
+  - ca.trustca

salt/ca/map.jinja

@@ -0,0 +1,3 @@
+{% set CA = {
+    'server': pillar.ca.server
+}%}

salt/ca/remove.sls

@@ -1,7 +1,35 @@
-pki_private_key:
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% set setup_running = salt['cmd.retcode']('pgrep -x so-setup') == 0 %}
+
+{% if setup_running%}
+
+include:
+  - ssl.remove
+
+remove_pki_private_key:
   file.absent:
     - name: /etc/pki/ca.key
 
-pki_public_ca_crt:
+remove_pki_public_ca_crt:
   file.absent:
     - name: /etc/pki/ca.crt
+
+remove_trusttheca:
+  file.absent:
+    - name: /etc/pki/tls/certs/intca.crt
+
+remove_pki_public_ca_crt_symlink:
+  file.absent:
+    - name: /opt/so/saltstack/local/salt/ca/files/ca.crt
+
+{% else %}
+
+so-setup_not_running:
+  test.show_notification:
+    - text: "This state is reserved for usage during so-setup."
+
+{% endif %}

salt/ca/server.sls

@@ -0,0 +1,63 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+
+pki_private_key:
+  x509.private_key_managed:
+    - name: /etc/pki/ca.key
+    - keysize: 4096
+    - passphrase:
+    - backup: True
+    {% if salt['file.file_exists']('/etc/pki/ca.key') -%}
+    - prereq:
+      - x509: /etc/pki/ca.crt
+    {%- endif %}
+
+pki_public_ca_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/ca.crt
+    - signing_private_key: /etc/pki/ca.key
+    - CN: {{ GLOBALS.manager }}
+    - C: US
+    - ST: Utah
+    - L: Salt Lake City
+    - basicConstraints: "critical CA:true"
+    - keyUsage: "critical cRLSign, keyCertSign"
+    - extendedkeyUsage: "serverAuth, clientAuth"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid:always, issuer
+    - days_valid: 3650
+    - days_remaining: 7
+    - backup: True
+    - replace: False
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+
+pki_public_ca_crt_symlink:
+  file.symlink:
+    - name: /opt/so/saltstack/local/salt/ca/files/ca.crt
+    - target: /etc/pki/ca.crt
+    - require:
+      - x509: pki_public_ca_crt
+
+cakeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/ca.key
+    - mode: 640
+    - group: 939
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/ca/signing_policy.sls

@@ -0,0 +1,15 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+# when the salt-minion signs the cert, a copy is stored here
+issued_certs_copypath:
+  file.directory:
+    - name: /etc/pki/issued_certs
+    - makedirs: True
+
+signing_policy:
+  file.managed:
+    - name: /etc/salt/minion.d/signing_policies.conf
+    - source: salt://ca/files/signing_policies.conf

salt/ca/trustca.sls

@@ -0,0 +1,30 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+include:
+  - docker
+
+cacertdir:
+  file.directory:
+    - name: /etc/pki/tls/certs
+    - makedirs: True
+
+# Trust the CA
+trusttheca:
+  file.managed:
+    - name: /etc/pki/tls/certs/intca.crt
+    - source: salt://ca/files/ca.crt
+    - watch_in:
+      - service: docker_running
+    - show_changes: False
+
+{% if GLOBALS.os_family == 'Debian' %}
+symlinkca:
+  file.symlink:
+    - target: /etc/pki/tls/certs/intca.crt
+    - name: /etc/ssl/certs/intca.crt
+{% endif %}

salt/common/init.sls

@@ -177,7 +177,7 @@ so-status_script:
     - source: salt://common/tools/sbin/so-status
     - mode: 755
 
-{% if GLOBALS.role in GLOBALS.sensor_roles %}
+{% if GLOBALS.is_sensor %}
 # Add sensor cleanup
 so-sensor-clean:
   cron.present:

salt/common/tools/sbin/so-common

@@ -554,21 +554,36 @@ run_check_net_err() {
 }
 
 wait_for_salt_minion() {
-	local minion="$1"
-	local timeout="${2:-5}"
-	local logfile="${3:-'/dev/stdout'}"
-	retry 60 5 "journalctl -u salt-minion.service | grep 'Minion is ready to receive requests'" >> "$logfile" 2>&1 || fail
-	local attempt=0
-	# each attempts would take about 15 seconds
-	local maxAttempts=20
-	until check_salt_minion_status "$minion" "$timeout" "$logfile"; do
-		attempt=$((attempt+1))
-		if [[ $attempt -eq $maxAttempts ]]; then
-			return 1
-		fi
-		sleep 10
-	done
-	return 0
+    local minion="$1"
+    local max_wait="${2:-30}"
+    local interval="${3:-2}"
+    local logfile="${4:-'/dev/stdout'}"
+    local elapsed=0
+
+	echo "$(date '+%a %d %b %Y %H:%M:%S.%6N') - Waiting for salt-minion '$minion' to be ready..." | tee -a "$logfile"
+
+    while [ $elapsed -lt $max_wait ]; do
+        # Check if service is running
+        if ! systemctl is-active --quiet salt-minion; then
+            echo "$(date '+%a %d %b %Y %H:%M:%S.%6N') - salt-minion service not running (elapsed: ${elapsed}s)" | tee -a "$logfile"
+            sleep $interval
+            elapsed=$((elapsed + interval))
+            continue
+        fi
+        
+        # Check if minion responds to ping
+        if salt "$minion" test.ping --timeout=3 --out=json 2>> "$logfile" | grep -q "true"; then
+            echo "$(date '+%a %d %b %Y %H:%M:%S.%6N') - salt-minion '$minion' is connected and ready!" | tee -a "$logfile"
+            return 0
+        fi
+        
+        echo "$(date '+%a %d %b %Y %H:%M:%S.%6N') - Waiting... (${elapsed}s / ${max_wait}s)" | tee -a "$logfile"
+        sleep $interval
+        elapsed=$((elapsed + interval))
+    done
+
+    echo "$(date '+%a %d %b %Y %H:%M:%S.%6N') - ERROR: salt-minion '$minion' not ready after $max_wait seconds" | tee -a "$logfile"
+    return 1
 }
 
 salt_minion_count() {

salt/desktop/trusted-ca.sls

@@ -3,29 +3,16 @@
 {# we only want this state to run it is CentOS #}
 {% if GLOBALS.os == 'OEL' %}
 
-  {% set global_ca_text = [] %}
-  {% set global_ca_server = [] %}
-  {% set manager = GLOBALS.manager %}
-  {% set x509dict = salt['mine.get'](manager | lower~'*', 'x509.get_pem_entries') %}
-    {% for host in x509dict %}
-      {% if host.split('_')|last in ['manager', 'managersearch', 'standalone', 'import', 'eval'] %}
-        {% do global_ca_text.append(x509dict[host].get('/etc/pki/ca.crt')|replace('\n', '')) %}
-        {% do global_ca_server.append(host) %}
-      {% endif %}
-    {% endfor %}
-  {% set trusttheca_text = global_ca_text[0] %}
-  {% set ca_server = global_ca_server[0] %}
-
 trusted_ca:
-  x509.pem_managed:
+  file.managed:
     - name: /etc/pki/ca-trust/source/anchors/ca.crt
-    - text:  {{ trusttheca_text }}
+    - source: salt://ca/files/ca.crt
 
 update_ca_certs:
   cmd.run:
     - name: update-ca-trust
     - onchanges:
-      - x509: trusted_ca
+      - file: trusted_ca
 
 {% else %}
 

salt/docker/init.sls

@@ -6,9 +6,9 @@
 {% from 'docker/docker.map.jinja' import DOCKER %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 
-# include ssl since docker service requires the intca
+# docker service requires the ca.crt
 include:
-  - ssl
+  - ca
 
 dockergroup:
   group.present:
@@ -89,10 +89,9 @@ docker_running:
     - enable: True
     - watch:
       - file: docker_daemon
-      - x509: trusttheca
     - require:
       - file: docker_daemon
-      - x509: trusttheca
+      - file: trusttheca
 
 
 # Reserve OS ports for Docker proxy in case boot settings are not already applied/present

salt/elastalert/enabled.sls

@@ -60,7 +60,7 @@ so-elastalert:
     - watch:
       - file: elastaconf
     - onlyif:
-      - "so-elasticsearch-query / | jq -r '.version.number[0:1]' | grep -q 8" {# only run this state if elasticsearch is version 8 #}
+      - "so-elasticsearch-query / | jq -r '.version.number[0:1]' | grep -q 9" {# only run this state if elasticsearch is version 9 #}
 
 delete_so-elastalert_so-status.disabled:
   file.uncomment:

salt/elasticagent/enabled.sls

@@ -9,6 +9,7 @@
 {%   from 'docker/docker.map.jinja' import DOCKER %}
 
 include:
+  - ca
   - elasticagent.config
   - elasticagent.sostatus
 
@@ -55,8 +56,10 @@ so-elastic-agent:
       {% endif %}
     - require:
       - file: create-elastic-agent-config
+      - file: trusttheca
     - watch:
       - file: create-elastic-agent-config
+      - file: trusttheca
 
 delete_so-elastic-agent_so-status.disabled:
   file.uncomment:

salt/elasticfleet/enabled.sls

@@ -13,9 +13,11 @@
 {%   set SERVICETOKEN = salt['pillar.get']('elasticfleet:config:server:es_token','') %}
 
 include:
+  - ca
+  - logstash.ssl
+  - elasticfleet.ssl
   - elasticfleet.config
   - elasticfleet.sostatus
-  - ssl
 
 {% if grains.role not in ['so-fleet'] %}
 # Wait for Elasticsearch to be ready - no reason to try running Elastic Fleet server if ES is not ready
@@ -133,6 +135,11 @@ so-elastic-fleet:
         {% endfor %}
       {% endif %}
     - watch:
+      - file: trusttheca
+      - x509: etc_elasticfleet_key
+      - x509: etc_elasticfleet_crt
+    - require:
+      - file: trusttheca
       - x509: etc_elasticfleet_key
       - x509: etc_elasticfleet_crt
 {%   endif %}

salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json

@@ -5,7 +5,7 @@
   "package": {
     "name": "endpoint",
     "title": "Elastic Defend",
-    "version": "8.18.1",
+    "version": "9.0.2",
     "requires_root": true
   },
   "enabled": true,

salt/elasticfleet/integration-defaults.map.jinja

@@ -21,6 +21,7 @@
     'azure_application_insights.app_state': 'azure.app_state',
     'azure_billing.billing': 'azure.billing',
     'azure_functions.metrics': 'azure.function',
+    'azure_ai_foundry.metrics': 'azure.ai_foundry',
     'azure_metrics.compute_vm_scaleset': 'azure.compute_vm_scaleset',
     'azure_metrics.compute_vm': 'azure.compute_vm',
     'azure_metrics.container_instance': 'azure.container_instance',

salt/elasticfleet/ssl.sls

@@ -0,0 +1,186 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
+{%   from 'ca/map.jinja' import CA %}
+
+{% if GLOBALS.is_manager or GLOBALS.role in ['so-heavynode', 'so-fleet', 'so-receiver'] %}
+
+{% if grains['role'] not in [ 'so-heavynode', 'so-receiver'] %}
+# Start -- Elastic Fleet Host Cert
+etc_elasticfleet_key:
+  x509.private_key_managed:
+    - name: /etc/pki/elasticfleet-server.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/elasticfleet-server.key') -%}
+    - prereq:
+      - x509: etc_elasticfleet_crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+etc_elasticfleet_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/elasticfleet-server.crt
+    - ca_server: {{ CA.server }}
+    - signing_policy: elasticfleet
+    - private_key: /etc/pki/elasticfleet-server.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
+    - days_remaining: 7
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+
+efperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-server.key
+    - mode: 640
+    - group: 939
+
+chownelasticfleetcrt:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-server.crt
+    - mode: 640
+    - user: 947
+    - group: 939
+
+chownelasticfleetkey:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-server.key
+    - mode: 640
+    - user: 947
+    - group: 939
+# End -- Elastic Fleet Host Cert
+{% endif %} # endif is for not including HeavyNodes & Receivers 
+
+
+# Start -- Elastic Fleet Client Cert for Agent (Mutual Auth with Logstash Output)
+etc_elasticfleet_agent_key:
+  x509.private_key_managed:
+    - name: /etc/pki/elasticfleet-agent.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/elasticfleet-agent.key') -%}
+    - prereq:
+      - x509: etc_elasticfleet_agent_crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+etc_elasticfleet_agent_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/elasticfleet-agent.crt
+    - ca_server: {{ CA.server }}
+    - signing_policy: elasticfleet
+    - private_key: /etc/pki/elasticfleet-agent.key
+    - CN: {{ GLOBALS.hostname }}
+    - days_remaining: 7
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+  cmd.run:
+    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-agent.key -topk8 -out /etc/pki/elasticfleet-agent.p8 -nocrypt"
+    - onchanges:
+      - x509: etc_elasticfleet_agent_key
+
+efagentperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-agent.key
+    - mode: 640
+    - group: 939
+
+chownelasticfleetagentcrt:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-agent.crt
+    - mode: 640
+    - user: 947
+    - group: 939
+
+chownelasticfleetagentkey:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-agent.key
+    - mode: 640
+    - user: 947
+    - group: 939
+# End -- Elastic Fleet Client Cert for Agent (Mutual Auth with Logstash Output)
+
+{% endif %}
+
+{% if GLOBALS.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone'] %}
+elasticfleet_kafka_key:
+  x509.private_key_managed:
+    - name: /etc/pki/elasticfleet-kafka.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/elasticfleet-kafka.key') -%}
+    - prereq:
+      - x509: elasticfleet_kafka_crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+elasticfleet_kafka_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/elasticfleet-kafka.crt
+    - ca_server: {{ CA.server }}
+    - signing_policy: kafka
+    - private_key: /etc/pki/elasticfleet-kafka.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
+    - days_remaining: 7
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+
+elasticfleet_kafka_cert_perms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-kafka.crt
+    - mode: 640
+    - user: 947
+    - group: 939
+
+elasticfleet_kafka_key_perms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-kafka.key
+    - mode: 640
+    - user: 947
+    - group: 939
+{% endif %}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-optional-integrations-load

@@ -86,7 +86,7 @@ if [[ -f $STATE_FILE_SUCCESS  ]]; then
         latest_package_list=$(/usr/sbin/so-elastic-fleet-package-list)
         echo '{ "packages" : []}' > $BULK_INSTALL_PACKAGE_LIST
         rm -f $INSTALLED_PACKAGE_LIST
-        echo $latest_package_list | jq '{packages: [.items[] | {name: .name, latest_version: .version, installed_version: .savedObject.attributes.install_version, subscription: .conditions.elastic.subscription }]}' >> $INSTALLED_PACKAGE_LIST
+        echo $latest_package_list | jq '{packages: [.items[] | {name: .name, latest_version: .version, installed_version: .installationInfo.version, subscription: .conditions.elastic.subscription }]}' >> $INSTALLED_PACKAGE_LIST
 
         while read -r package; do
             # get package details

salt/elasticfleet/tools/sbin_jinja/so-kafka-fleet-output-policy

@@ -47,7 +47,7 @@ if ! kafka_output=$(curl -sK /opt/so/conf/elasticsearch/curl.config -L "http://l
     --arg KAFKACA "$KAFKACA" \
     --arg MANAGER_IP "{{ GLOBALS.manager_ip }}:9092" \
     --arg KAFKA_OUTPUT_VERSION "$KAFKA_OUTPUT_VERSION" \
-      '{"name":"grid-kafka", "id":"so-manager_kafka","type":"kafka","hosts":[ $MANAGER_IP ],"is_default":false,"is_default_monitoring":false,"config_yaml":"","ssl":{"certificate_authorities":[ $KAFKACA ],"certificate": $KAFKACRT ,"key":"","verification_mode":"full"},"proxy_id":null,"client_id":"Elastic","version": $KAFKA_OUTPUT_VERSION ,"compression":"none","auth_type":"ssl","partition":"round_robin","round_robin":{"group_events":10},"topics":[{"topic":"default-securityonion"}],"headers":[{"key":"","value":""}],"timeout":30,"broker_timeout":30,"required_acks":1,"secrets":{"ssl":{"key": $KAFKAKEY }}}'
+      '{"name":"grid-kafka", "id":"so-manager_kafka","type":"kafka","hosts":[ $MANAGER_IP ],"is_default":false,"is_default_monitoring":false,"config_yaml":"","ssl":{"certificate_authorities":[ $KAFKACA ],"certificate": $KAFKACRT ,"key":"","verification_mode":"full"},"proxy_id":null,"client_id":"Elastic","version": $KAFKA_OUTPUT_VERSION ,"compression":"none","auth_type":"ssl","partition":"round_robin","round_robin":{"group_events":10},"topic":"default-securityonion","headers":[{"key":"","value":""}],"timeout":30,"broker_timeout":30,"required_acks":1,"secrets":{"ssl":{"key": $KAFKAKEY }}}'
     )
     if ! response=$(curl -sK /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" --fail 2>/dev/null); then
       echo -e "\nFailed to setup Elastic Fleet output policy for Kafka...\n"
@@ -67,7 +67,7 @@ elif kafka_output=$(curl -sK /opt/so/conf/elasticsearch/curl.config -L "http://l
     --arg ENABLED_DISABLED "$ENABLED_DISABLED"\
     --arg KAFKA_OUTPUT_VERSION "$KAFKA_OUTPUT_VERSION" \
     --argjson HOSTS "$HOSTS" \
-      '{"name":"grid-kafka","type":"kafka","hosts":$HOSTS,"is_default":$ENABLED_DISABLED,"is_default_monitoring":$ENABLED_DISABLED,"config_yaml":"","ssl":{"certificate_authorities":[ $KAFKACA ],"certificate": $KAFKACRT ,"key":"","verification_mode":"full"},"proxy_id":null,"client_id":"Elastic","version": $KAFKA_OUTPUT_VERSION ,"compression":"none","auth_type":"ssl","partition":"round_robin","round_robin":{"group_events":10},"topics":[{"topic":"default-securityonion"}],"headers":[{"key":"","value":""}],"timeout":30,"broker_timeout":30,"required_acks":1,"secrets":{"ssl":{"key": $KAFKAKEY }}}'
+      '{"name":"grid-kafka","type":"kafka","hosts":$HOSTS,"is_default":$ENABLED_DISABLED,"is_default_monitoring":$ENABLED_DISABLED,"config_yaml":"","ssl":{"certificate_authorities":[ $KAFKACA ],"certificate": $KAFKACRT ,"key":"","verification_mode":"full"},"proxy_id":null,"client_id":"Elastic","version": $KAFKA_OUTPUT_VERSION ,"compression":"none","auth_type":"ssl","partition":"round_robin","round_robin":{"group_events":10},"topic":"default-securityonion","headers":[{"key":"","value":""}],"timeout":30,"broker_timeout":30,"required_acks":1,"secrets":{"ssl":{"key": $KAFKAKEY }}}'
     )
   if ! response=$(curl -sK /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/outputs/so-manager_kafka" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" --fail 2>/dev/null); then
     echo -e "\nFailed to force update to Elastic Fleet output policy for Kafka...\n"

salt/elasticsearch/ca.sls

@@ -26,14 +26,14 @@ catrustscript:
         GLOBALS: {{ GLOBALS }}
 {%   endif %}
 
-cacertz:
+elasticsearch_cacerts:
   file.managed:
     - name: /opt/so/conf/ca/cacerts
     - source: salt://elasticsearch/cacerts
     - user: 939
     - group: 939
 
-capemz:
+elasticsearch_capems:
   file.managed:
     - name: /opt/so/conf/ca/tls-ca-bundle.pem
     - source: salt://elasticsearch/tls-ca-bundle.pem

salt/elasticsearch/config.sls

@@ -5,11 +5,6 @@
 
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-
-include:
-  - ssl
-  - elasticsearch.ca
-
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}
 

salt/elasticsearch/defaults.yaml

@@ -1,6 +1,6 @@
 elasticsearch:
   enabled: false
-  version: 8.18.8
+  version: 9.0.8
   index_clean: true
   config:
     action:

salt/elasticsearch/enabled.sls

@@ -14,6 +14,9 @@
 {%   from 'elasticsearch/template.map.jinja' import ES_INDEX_SETTINGS %}
 
 include:
+  - ca
+  - elasticsearch.ca
+  - elasticsearch.ssl
   - elasticsearch.config
   - elasticsearch.sostatus
 
@@ -61,11 +64,7 @@ so-elasticsearch:
       - /nsm/elasticsearch:/usr/share/elasticsearch/data:rw
       - /opt/so/log/elasticsearch:/var/log/elasticsearch:rw
       - /opt/so/conf/ca/cacerts:/usr/share/elasticsearch/jdk/lib/security/cacerts:ro
-      {% if GLOBALS.is_manager %}
-      - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro
-      {% else %}
       - /etc/pki/tls/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro
-      {% endif %}
       - /etc/pki/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt:ro
       - /etc/pki/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key:ro
       - /etc/pki/elasticsearch.p12:/usr/share/elasticsearch/config/elasticsearch.p12:ro
@@ -82,22 +81,21 @@ so-elasticsearch:
         {% endfor %}
       {% endif %}
     - watch:
-      - file: cacertz
+      - file: trusttheca
+      - x509: elasticsearch_crt
+      - x509: elasticsearch_key
+      - file: elasticsearch_cacerts
       - file: esyml
     - require:
+      - file: trusttheca
+      - x509: elasticsearch_crt
+      - x509: elasticsearch_key
+      - file: elasticsearch_cacerts
       - file: esyml
       - file: eslog4jfile
       - file: nsmesdir
       - file: eslogdir
-      - file: cacertz
-      - x509: /etc/pki/elasticsearch.crt
-      - x509: /etc/pki/elasticsearch.key
       - file: elasticp12perms
-      {% if GLOBALS.is_manager %}
-      - x509: pki_public_ca_crt
-      {% else %}
-      - x509: trusttheca
-      {% endif %}
       - cmd: auth_users_roles_inode
       - cmd: auth_users_inode
 

salt/elasticsearch/ssl.sls

@@ -0,0 +1,66 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'ca/map.jinja' import CA %}
+
+# Create a cert for elasticsearch
+elasticsearch_key:
+  x509.private_key_managed:
+    - name: /etc/pki/elasticsearch.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/elasticsearch.key') -%}
+    - prereq:
+      - x509: /etc/pki/elasticsearch.crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+elasticsearch_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/elasticsearch.crt
+    - ca_server: {{ CA.server }}
+    - signing_policy: registry
+    - private_key: /etc/pki/elasticsearch.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
+    - days_remaining: 7
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+  cmd.run:
+    - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12 -nodes -passout pass:"
+    - onchanges:
+      - x509: /etc/pki/elasticsearch.key
+
+elastickeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticsearch.key
+    - mode: 640
+    - group: 930
+    
+elasticp12perms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticsearch.p12
+    - mode: 640
+    - group: 930
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/elasticsearch/tools/sbin_jinja/so-catrust

@@ -15,7 +15,7 @@ set -e
 if [ ! -f /opt/so/saltstack/local/salt/elasticsearch/cacerts ]; then
     docker run -v /etc/pki/ca.crt:/etc/ssl/ca.crt --name so-elasticsearchca --user root --entrypoint jdk/bin/keytool {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:$ELASTIC_AGENT_TARBALL_VERSION -keystore /usr/share/elasticsearch/jdk/lib/security/cacerts -alias SOSCA -import -file /etc/ssl/ca.crt -storepass changeit -noprompt
     docker cp so-elasticsearchca:/usr/share/elasticsearch/jdk/lib/security/cacerts /opt/so/saltstack/local/salt/elasticsearch/cacerts
-    docker cp so-elasticsearchca:/etc/ssl/certs/ca-certificates.crt /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
+    docker cp so-elasticsearchca:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
     docker rm so-elasticsearchca
     echo "" >> /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
     echo "sosca" >> /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem

salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-templates-load

@@ -121,7 +121,7 @@ if [ ! -f $STATE_FILE_SUCCESS ]; then
     echo "Loading Security Onion index templates..."
     shopt -s extglob
     {% if GLOBALS.role == 'so-heavynode' %}
-    pattern="!(*1password*|*aws*|*azure*|*cloudflare*|*elastic_agent*|*fim*|*github*|*google*|*osquery*|*system*|*windows*)"
+    pattern="!(*1password*|*aws*|*azure*|*cloudflare*|*elastic_agent*|*fim*|*github*|*google*|*osquery*|*system*|*windows*|*endpoint*|*elasticsearch*|*generic*|*fleet_server*|*soc*)"
     {% else %}
     pattern="*"
     {% endif %}

salt/influxdb/config.sls

@@ -9,7 +9,6 @@
 
 include:
   - salt.minion
-  - ssl
   
 # Influx DB
 influxconfdir:

salt/influxdb/enabled.sls

@@ -11,6 +11,7 @@
 {%   set TOKEN = salt['pillar.get']('influxdb:token') %}
 
 include:
+  - influxdb.ssl
   - influxdb.config
   - influxdb.sostatus
 
@@ -59,6 +60,8 @@ so-influxdb:
     {% endif %}
     - watch:
       - file: influxdbconf
+      - x509: influxdb_key
+      - x509: influxdb_crt
     - require:
       - file: influxdbconf
       - x509: influxdb_key

salt/influxdb/ssl.sls

@@ -0,0 +1,55 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'ca/map.jinja' import CA %}
+
+influxdb_key:
+  x509.private_key_managed:
+    - name: /etc/pki/influxdb.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/influxdb.key') -%}
+    - prereq:
+      - x509: /etc/pki/influxdb.crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+# Create a cert for the talking to influxdb
+influxdb_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/influxdb.crt
+    - ca_server: {{ CA.server }}
+    - signing_policy: influxdb
+    - private_key: /etc/pki/influxdb.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} 
+    - days_remaining: 7
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+
+influxkeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/influxdb.key
+    - mode: 640
+    - group: 939
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/kafka/enabled.sls

@@ -68,6 +68,8 @@ so-kafka:
       - file: kafka_server_jaas_properties
       {% endif %}
       - file: kafkacertz
+      - x509: kafka_client_crt
+      - file: kafka_pkcs12_perms
     - require:
       - file: kafkacertz
 
@@ -95,4 +97,4 @@ include:
   test.fail_without_changes:
     - name: {{sls}}_state_not_allowed
 
-{% endif %}
+{% endif %}

salt/kafka/ssl.sls

@@ -6,18 +6,11 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states or sls in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'ca/map.jinja' import CA %}
 {%   set kafka_password = salt['pillar.get']('kafka:config:password') %}
 
 include:
-  - ca.dirs
-    {% set global_ca_server = [] %}
-    {% set x509dict = salt['mine.get'](GLOBALS.manager | lower~'*', 'x509.get_pem_entries') %}
-    {% for host in x509dict %}
-      {% if 'manager' in host.split('_')|last or host.split('_')|last == 'standalone' %}
-        {% do global_ca_server.append(host) %}
-      {% endif %}
-    {% endfor %}
-    {% set ca_server = global_ca_server[0] %}
+  - ca
 
 {% if GLOBALS.pipeline == "KAFKA" %}
 
@@ -39,12 +32,12 @@ kafka_client_key:
 kafka_client_crt:
   x509.certificate_managed:
     - name: /etc/pki/kafka-client.crt
-    - ca_server: {{ ca_server }}
+    - ca_server: {{ CA.server }}
     - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
     - signing_policy: kafka
     - private_key: /etc/pki/kafka-client.key
     - CN: {{ GLOBALS.hostname }}
-    - days_remaining: 0
+    - days_remaining: 7
     - days_valid: 820
     - backup: True
     - timeout: 30
@@ -87,12 +80,12 @@ kafka_key:
 kafka_crt:
   x509.certificate_managed:
     - name: /etc/pki/kafka.crt
-    - ca_server: {{ ca_server }}
+    - ca_server: {{ CA.server }}
     - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
     - signing_policy: kafka
     - private_key: /etc/pki/kafka.key
     - CN: {{ GLOBALS.hostname }}
-    - days_remaining: 0
+    - days_remaining: 7
     - days_valid: 820
     - backup: True
     - timeout: 30
@@ -103,6 +96,7 @@ kafka_crt:
     - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/kafka.key -in /etc/pki/kafka.crt -export -out /etc/pki/kafka.p12 -nodes -passout pass:{{ kafka_password }}"
     - onchanges:
       - x509: /etc/pki/kafka.key
+
 kafka_key_perms:
   file.managed:
     - replace: False
@@ -148,12 +142,12 @@ kafka_logstash_key:
 kafka_logstash_crt:
   x509.certificate_managed:
     - name: /etc/pki/kafka-logstash.crt
-    - ca_server: {{ ca_server }}
+    - ca_server: {{ CA.server }}
     - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
     - signing_policy: kafka
     - private_key: /etc/pki/kafka-logstash.key
     - CN: {{ GLOBALS.hostname }}
-    - days_remaining: 0
+    - days_remaining: 7
     - days_valid: 820
     - backup: True
     - timeout: 30
@@ -198,4 +192,4 @@ kafka_logstash_pkcs12_perms:
   test.fail_without_changes:
     - name: {{sls}}_state_not_allowed
 
-{% endif %}
+{% endif %}

salt/logstash/config.sls

@@ -11,7 +11,6 @@
 {%   set ASSIGNED_PIPELINES = LOGSTASH_MERGED.assigned_pipelines.roles[GLOBALS.role.split('-')[1]] %}
 
 include:
-  - ssl
   {% if GLOBALS.role not in ['so-receiver','so-fleet'] %}
   - elasticsearch
   {% endif %}

salt/logstash/defaults.yaml

@@ -63,7 +63,7 @@ logstash:
   settings:
     lsheap: 500m
   config:
-    http_x_host: 0.0.0.0
+    api_x_http_x_host: 0.0.0.0
     path_x_logs: /var/log/logstash
     pipeline_x_workers: 1
     pipeline_x_batch_x_size: 125

salt/logstash/enabled.sls

@@ -12,6 +12,7 @@
 {%   set lsheap = LOGSTASH_MERGED.settings.lsheap %}
 
 include:
+  - ca
 {%   if GLOBALS.role not in ['so-receiver','so-fleet'] %}
   - elasticsearch.ca
 {%   endif %}
@@ -20,9 +21,9 @@ include:
   - kafka.ca
   - kafka.ssl
 {%   endif %}
+  - logstash.ssl
   - logstash.config
   - logstash.sostatus
-  - ssl
 
 so-logstash:
   docker_container.running:
@@ -65,22 +66,18 @@ so-logstash:
       - /opt/so/log/logstash:/var/log/logstash:rw
       - /sys/fs/cgroup:/sys/fs/cgroup:ro
       - /opt/so/conf/logstash/etc/certs:/usr/share/logstash/certs:ro
-      {% if GLOBALS.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %}
-      - /etc/pki/filebeat.crt:/usr/share/logstash/filebeat.crt:ro
-      - /etc/pki/filebeat.p8:/usr/share/logstash/filebeat.key:ro
-      {% endif %}
+      - /etc/pki/tls/certs/intca.crt:/usr/share/filebeat/ca.crt:ro
       {% if GLOBALS.is_manager or GLOBALS.role in ['so-fleet', 'so-heavynode', 'so-receiver'] %}
       - /etc/pki/elasticfleet-logstash.crt:/usr/share/logstash/elasticfleet-logstash.crt:ro
       - /etc/pki/elasticfleet-logstash.key:/usr/share/logstash/elasticfleet-logstash.key:ro
       - /etc/pki/elasticfleet-lumberjack.crt:/usr/share/logstash/elasticfleet-lumberjack.crt:ro
       - /etc/pki/elasticfleet-lumberjack.key:/usr/share/logstash/elasticfleet-lumberjack.key:ro
+          {% if GLOBALS.role != 'so-fleet' %}
+      - /etc/pki/filebeat.crt:/usr/share/logstash/filebeat.crt:ro
+      - /etc/pki/filebeat.p8:/usr/share/logstash/filebeat.key:ro
+          {% endif %}
       {% endif %}
-      {% if GLOBALS.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-import'] %}
-      - /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro
-      {% else %}
-      - /etc/pki/tls/certs/intca.crt:/usr/share/filebeat/ca.crt:ro
-      {% endif %}
-      {% if GLOBALS.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-searchnode' ] %}
+      {% if GLOBALS.role not in ['so-receiver','so-fleet'] %}
       - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro
       - /opt/so/conf/ca/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro
       {% endif %}
@@ -100,11 +97,22 @@ so-logstash:
         {% endfor %}
       {% endif %}
     - watch:
-      {% if GLOBALS.is_manager or GLOBALS.role in ['so-fleet', 'so-receiver'] %}
-      - x509: etc_elasticfleet_logstash_key
-      - x509: etc_elasticfleet_logstash_crt
-      {% endif %}
       - file: lsetcsync
+      - file: trusttheca
+      {% if GLOBALS.is_manager %}
+      - file: elasticsearch_cacerts
+      - file: elasticsearch_capems
+      {% endif %}
+      {% if GLOBALS.is_manager or GLOBALS.role in ['so-fleet', 'so-heavynode', 'so-receiver'] %}
+      - x509: etc_elasticfleet_logstash_crt
+      - x509: etc_elasticfleet_logstash_key
+      - x509: etc_elasticfleetlumberjack_crt
+      - x509: etc_elasticfleetlumberjack_key
+        {% if GLOBALS.role != 'so-fleet' %}
+      - x509: etc_filebeat_crt
+      - file: logstash_filebeat_p8
+        {% endif %}
+      {% endif %}
       {% for assigned_pipeline in LOGSTASH_MERGED.assigned_pipelines.roles[GLOBALS.role.split('-')[1]] %}
       - file: ls_pipeline_{{assigned_pipeline}}
         {% for CONFIGFILE in LOGSTASH_MERGED.defined_pipelines[assigned_pipeline] %}
@@ -115,17 +123,20 @@ so-logstash:
       - file: kafkacertz
       {% endif %}
     - require:
-      {% if grains['role'] in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %}
+      - file: trusttheca
+      {% if GLOBALS.is_manager %}
+      - file: elasticsearch_cacerts
+      - file: elasticsearch_capems
+      {% endif %}
+      {% if GLOBALS.is_manager or GLOBALS.role in ['so-fleet', 'so-heavynode', 'so-receiver'] %}
+      - x509: etc_elasticfleet_logstash_crt
+      - x509: etc_elasticfleet_logstash_key
+      - x509: etc_elasticfleetlumberjack_crt
+      - x509: etc_elasticfleetlumberjack_key
+        {% if GLOBALS.role != 'so-fleet' %}
       - x509: etc_filebeat_crt
-      {% endif %}
-      {% if grains['role'] in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-import'] %}
-      - x509: pki_public_ca_crt
-      {% else %}
-      - x509: trusttheca
-      {% endif %}
-      {% if grains.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-import'] %}
-      - file: cacertz
-      - file: capemz
+      - file: logstash_filebeat_p8
+        {% endif %}
       {% endif %}
       {% if GLOBALS.pipeline == 'KAFKA' and GLOBALS.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-searchnode'] %}
       - file: kafkacertz

salt/logstash/pipelines/config/so/0011_input_endgame.conf

@@ -5,10 +5,10 @@ input {
     codec => es_bulk
     request_headers_target_field => client_headers
     remote_host_target_field => client_host
-    ssl => true
+    ssl_enabled => true
     ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
     ssl_certificate => "/usr/share/logstash/filebeat.crt"
     ssl_key => "/usr/share/logstash/filebeat.key"
-    ssl_verify_mode => "peer"
+    ssl_client_authentication => "required"
   }
 }

salt/logstash/pipelines/config/so/0012_input_elastic_agent.conf.jinja

@@ -2,11 +2,11 @@ input {
   elastic_agent {
     port => 5055
     tags => [ "elastic-agent", "input-{{ GLOBALS.hostname }}" ]
-    ssl => true
+    ssl_enabled => true
     ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
     ssl_certificate => "/usr/share/logstash/elasticfleet-logstash.crt"
     ssl_key => "/usr/share/logstash/elasticfleet-logstash.key"
-    ssl_verify_mode => "force_peer"
+    ssl_client_authentication => "required"
     ecs_compatibility => v8
   }
 }

salt/logstash/pipelines/config/so/0013_input_lumberjack_fleet.conf

@@ -2,7 +2,7 @@ input {
   elastic_agent {
     port => 5056
     tags => [ "elastic-agent", "fleet-lumberjack-input" ]
-    ssl => true
+    ssl_enabled => true
     ssl_certificate => "/usr/share/logstash/elasticfleet-lumberjack.crt"
     ssl_key => "/usr/share/logstash/elasticfleet-lumberjack.key"
     ecs_compatibility => v8

salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja

@@ -8,8 +8,8 @@ output {
       document_id => "%{[metadata][_id]}"
       index => "so-ip-mappings"
       silence_errors_in_log => ["version_conflict_engine_exception"]
-      ssl => true
-      ssl_certificate_verification => false
+      ssl_enabled => true
+      ssl_verification_mode => "none"
     }
   }
   else {
@@ -25,8 +25,8 @@ output {
             document_id => "%{[metadata][_id]}"
             pipeline => "%{[metadata][pipeline]}"
             silence_errors_in_log => ["version_conflict_engine_exception"]
-            ssl => true
-            ssl_certificate_verification => false
+            ssl_enabled => true
+            ssl_verification_mode => "none"
           }
         }
         else {
@@ -37,8 +37,8 @@ output {
             user => "{{ ES_USER }}"
             password => "{{ ES_PASS }}"
             pipeline => "%{[metadata][pipeline]}"
-            ssl => true
-            ssl_certificate_verification => false
+            ssl_enabled => true
+            ssl_verification_mode => "none"
           }
         }
       }
@@ -49,8 +49,8 @@ output {
           data_stream => true
           user => "{{ ES_USER }}"
           password => "{{ ES_PASS }}"
-          ssl => true
-          ssl_certificate_verification => false
+          ssl_enabled => true
+          ssl_verification_mode=> "none"
         }
       }
     }

salt/logstash/pipelines/config/so/9900_output_endgame.conf.jinja

@@ -13,8 +13,8 @@ output {
       user => "{{ ES_USER }}"
       password => "{{ ES_PASS }}"
       index => "endgame-%{+YYYY.MM.dd}"
-      ssl => true
-      ssl_certificate_verification => false
+      ssl_enabled => true
+      ssl_verification_mode => "none"
     }
   }
 }

salt/logstash/soc_logstash.yaml

@@ -56,7 +56,7 @@ logstash:
       helpLink: logstash.html
       global: False
   config:
-    http_x_host: 
+    api_x_http_x_host:
       description: Host interface to listen to connections.
       helpLink: logstash.html
       readonly: True

salt/logstash/ssl.sls

@@ -0,0 +1,287 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
+{%   from 'ca/map.jinja' import CA %}
+
+{%   if GLOBALS.is_manager or GLOBALS.role in ['so-heavynode', 'so-fleet', 'so-receiver'] %}
+
+{%     if grains['role'] not in [ 'so-heavynode'] %}
+# Start -- Elastic Fleet Logstash Input Cert
+etc_elasticfleet_logstash_key:
+  x509.private_key_managed:
+    - name: /etc/pki/elasticfleet-logstash.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/elasticfleet-logstash.key') -%}
+    - prereq:
+      - x509: etc_elasticfleet_logstash_crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+etc_elasticfleet_logstash_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/elasticfleet-logstash.crt
+    - ca_server: {{ CA.server }}
+    - signing_policy: elasticfleet
+    - private_key: /etc/pki/elasticfleet-logstash.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
+    - days_remaining: 7
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+  cmd.run:
+    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-logstash.key -topk8 -out /etc/pki/elasticfleet-logstash.p8 -nocrypt"
+    - onchanges:
+      - x509: etc_elasticfleet_logstash_key
+
+eflogstashperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-logstash.key
+    - mode: 640
+    - group: 939
+
+chownelasticfleetlogstashcrt:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-logstash.crt
+    - mode: 640
+    - user: 931
+    - group: 939
+
+chownelasticfleetlogstashkey:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-logstash.key
+    - mode: 640
+    - user: 931
+    - group: 939
+# End -- Elastic Fleet Logstash Input Cert
+{%     endif %} # endif is for not including HeavyNodes 
+
+# Start -- Elastic Fleet Node - Logstash Lumberjack Input / Output
+# Cert needed on: Managers, Receivers
+etc_elasticfleetlumberjack_key:
+  x509.private_key_managed:
+    - name: /etc/pki/elasticfleet-lumberjack.key
+    - bits: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/elasticfleet-lumberjack.key') -%}
+    - prereq:
+      - x509: etc_elasticfleetlumberjack_crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+etc_elasticfleetlumberjack_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/elasticfleet-lumberjack.crt
+    - ca_server: {{ CA.server }}
+    - signing_policy: elasticfleet
+    - private_key: /etc/pki/elasticfleet-lumberjack.key
+    - CN: {{ GLOBALS.node_ip }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }}
+    - days_remaining: 7
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+  cmd.run:
+    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-lumberjack.key -topk8 -out /etc/pki/elasticfleet-lumberjack.p8 -nocrypt"
+    - onchanges:
+      - x509: etc_elasticfleetlumberjack_key
+
+eflogstashlumberjackperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-lumberjack.key
+    - mode: 640
+    - group: 939
+
+chownilogstashelasticfleetlumberjackp8:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-lumberjack.p8
+    - mode: 640
+    - user: 931
+    - group: 939
+
+chownilogstashelasticfleetlogstashlumberjackcrt:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-lumberjack.crt
+    - mode: 640
+    - user: 931
+    - group: 939
+
+chownilogstashelasticfleetlogstashlumberjackkey:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/elasticfleet-lumberjack.key
+    - mode: 640
+    - user: 931
+    - group: 939
+# End -- Elastic Fleet Node - Logstash Lumberjack Input / Output
+{%   endif %}
+
+{%   if GLOBALS.is_manager or GLOBALS.role in ['so-heavynode', 'so-receiver'] %}
+etc_filebeat_key:
+  x509.private_key_managed:
+    - name: /etc/pki/filebeat.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/filebeat.key') -%}
+    - prereq:
+      - x509: etc_filebeat_crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+# Request a cert and drop it where it needs to go to be distributed
+etc_filebeat_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/filebeat.crt
+    - ca_server: {{ CA.server }}
+    - signing_policy: filebeat
+    - private_key: /etc/pki/filebeat.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
+    - days_remaining: 7
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+  cmd.run:
+    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt"
+    - onchanges:
+      - x509: etc_filebeat_key
+
+fbperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/filebeat.key
+    - mode: 640
+    - group: 939
+
+logstash_filebeat_p8:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/filebeat.p8
+    - mode: 640
+    - user: 931
+    - group: 939
+
+{%     if grains.role not in ['so-heavynode', 'so-receiver'] %}
+# Create Symlinks to the keys so I can distribute it to all the things
+filebeatdir:
+  file.directory:
+    - name: /opt/so/saltstack/local/salt/filebeat/files
+    - makedirs: True
+
+fbkeylink:
+  file.symlink:
+    - name: /opt/so/saltstack/local/salt/filebeat/files/filebeat.p8
+    - target: /etc/pki/filebeat.p8
+    - user: socore
+    - group: socore
+
+fbcrtlink:
+  file.symlink:
+    - name: /opt/so/saltstack/local/salt/filebeat/files/filebeat.crt
+    - target: /etc/pki/filebeat.crt
+    - user: socore
+    - group: socore
+
+{%     endif %}
+{%   endif %}
+
+{%   if GLOBALS.is_manager or GLOBALS.role in ['so-sensor', 'so-searchnode', 'so-heavynode', 'so-fleet', 'so-idh', 'so-receiver'] %}
+   
+fbcertdir:
+  file.directory:
+    - name: /opt/so/conf/filebeat/etc/pki
+    - makedirs: True
+
+conf_filebeat_key:
+  x509.private_key_managed:
+    - name: /opt/so/conf/filebeat/etc/pki/filebeat.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/opt/so/conf/filebeat/etc/pki/filebeat.key') -%}
+    - prereq:
+      - x509: conf_filebeat_crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+# Request a cert and drop it where it needs to go to be distributed
+conf_filebeat_crt:
+  x509.certificate_managed:
+    - name: /opt/so/conf/filebeat/etc/pki/filebeat.crt
+    - ca_server: {{ CA.server }}
+    - signing_policy: filebeat
+    - private_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
+    - days_remaining: 7
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+
+# Convert the key to pkcs#8 so logstash will work correctly.
+filebeatpkcs:
+  cmd.run:
+    - name: "/usr/bin/openssl pkcs8 -in /opt/so/conf/filebeat/etc/pki/filebeat.key -topk8 -out /opt/so/conf/filebeat/etc/pki/filebeat.p8 -passout pass:"
+    - onchanges:
+      - x509: conf_filebeat_key
+
+filebeatkeyperms:
+  file.managed:
+    - replace: False
+    - name: /opt/so/conf/filebeat/etc/pki/filebeat.key
+    - mode: 640
+    - group: 939
+
+chownfilebeatp8:
+  file.managed:
+    - replace: False
+    - name: /opt/so/conf/filebeat/etc/pki/filebeat.p8
+    - mode: 640
+    - user: 931
+    - group: 939
+    
+{%   endif %}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/manager/elasticsearch.sls

@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 elastic_curl_config_distributed:
   file.managed:
     - name: /opt/so/saltstack/local/salt/elasticsearch/curl.config

salt/manager/kibana.sls

@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 kibana_curl_config_distributed:
   file.managed:
     - name: /opt/so/conf/kibana/curl.config
@@ -5,4 +10,4 @@ kibana_curl_config_distributed:
     - template: jinja
     - mode: 600
     - show_changes: False
-    - makedirs: True
+    - makedirs: True

salt/manager/sync_es_users.sls

@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 include:
   - elasticsearch.auth
   - kratos

salt/manager/tools/sbin/so-minion

@@ -716,6 +716,18 @@ function checkMine() {
 	}
 }
 
+function create_ca_pillar() {
+	local capillar=/opt/so/saltstack/local/pillar/ca/init.sls
+    printf '%s\n'\
+    "ca:"\
+    "  server: $MINION_ID"\
+	"  " > $capillar
+    if [ $? -ne 0 ]; then
+        log "ERROR" "Failed to add $MINION_ID to $capillar"
+        return 1
+    fi
+}
+
 function createEVAL() {
 	log "INFO" "Creating EVAL configuration for minion $MINION_ID"
 	is_pcaplimit=true
@@ -1013,6 +1025,7 @@ function setupMinionFiles() {
 	managers=("EVAL" "STANDALONE" "IMPORT" "MANAGER" "MANAGERSEARCH")
 	if echo "${managers[@]}" | grep -qw "$NODETYPE"; then
 		add_sensoroni_with_analyze_to_minion || return 1
+		create_ca_pillar || return 1
 	else
 		add_sensoroni_to_minion || return 1
 	fi

salt/manager/tools/sbin/soup

@@ -87,6 +87,12 @@ check_err() {
       113)
         echo 'No route to host'
       ;;
+      160)
+        echo 'Incompatiable Elasticsearch upgrade'
+      ;;
+      161)
+        echo 'Required intermediate Elasticsearch upgrade not complete'
+      ;;
       *)
         echo 'Unhandled error'
         echo "$err_msg"
@@ -319,6 +325,19 @@ clone_to_tmp() {
   fi
 }
 
+# there is a function like this in so-minion, but we cannot source it since args required for so-minion
+create_ca_pillar() {
+  local ca_pillar_dir="/opt/so/saltstack/local/pillar/ca"
+  local ca_pillar_file="${ca_pillar_dir}/init.sls"
+
+  echo "Updating CA pillar configuration"
+  mkdir -p "$ca_pillar_dir"
+  echo "ca: {}" > "$ca_pillar_file"
+
+  so-yaml.py add "$ca_pillar_file" ca.server "$MINIONID"
+  chown -R socore:socore "$ca_pillar_dir"
+}
+
 disable_logstash_heavynodes() {
   c=0
   printf "\nChecking for heavynodes and disabling Logstash if they exist\n"
@@ -362,7 +381,6 @@ masterlock() {
   echo "base:" > $TOPFILE
   echo "  $MINIONID:" >> $TOPFILE
   echo "    - ca" >> $TOPFILE
-  echo "    - ssl" >> $TOPFILE
   echo "    - elasticsearch" >> $TOPFILE
 }
 
@@ -428,6 +446,7 @@ preupgrade_changes() {
     [[ "$INSTALLEDVERSION" == 2.4.180 ]] && up_to_2.4.190
     [[ "$INSTALLEDVERSION" == 2.4.190 ]] && up_to_2.4.200
     [[ "$INSTALLEDVERSION" == 2.4.200 ]] && up_to_2.4.210
+    [[ "$INSTALLEDVERSION" == 2.4.210 ]] && up_to_2.4.220
     true
 }
 
@@ -461,6 +480,7 @@ postupgrade_changes() {
     [[ "$POSTVERSION"  == 2.4.180 ]] && post_to_2.4.190
     [[ "$POSTVERSION"  == 2.4.190 ]] && post_to_2.4.200
     [[ "$POSTVERSION"  == 2.4.200 ]] && post_to_2.4.210
+    [[ "$POSTVERSION"  == 2.4.210 ]] && post_to_2.4.220    
     true
 }
 
@@ -617,9 +637,6 @@ post_to_2.4.180() {
 }
 
 post_to_2.4.190() {
-    echo "Regenerating Elastic Agent Installers"
-    /sbin/so-elastic-agent-gen-installers
-
     # Only need to update import / eval nodes
     if [[ "$MINION_ROLE" == "import" ]] || [[ "$MINION_ROLE" == "eval" ]]; then
         update_import_fleet_output
@@ -652,9 +669,17 @@ post_to_2.4.210() {
 
   rollover_index "logs-kratos-so"
 
+  echo "Regenerating Elastic Agent Installers"
+  /sbin/so-elastic-agent-gen-installers
+
   POSTVERSION=2.4.210
 }
 
+post_to_2.4.220() {
+  echo "Nothing to apply"
+  POSTVERSION=2.4.220
+}
+
 repo_sync() {
   echo "Sync the local repo."
   su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync."
@@ -916,9 +941,7 @@ up_to_2.4.180() {
 }
 
 up_to_2.4.190() {
-  # Elastic Update for this release, so download Elastic Agent files
-  determine_elastic_agent_upgrade
-
+  echo "Nothing to do for 2.4.190"
   INSTALLEDVERSION=2.4.190
 }
 
@@ -932,11 +955,18 @@ up_to_2.4.200() {
 }
 
 up_to_2.4.210() {
-  echo "Nothing to do for 2.4.210"
+  # Elastic Update for this release, so download Elastic Agent files
+  determine_elastic_agent_upgrade
 
   INSTALLEDVERSION=2.4.210
 }
 
+up_to_2.4.220() {
+  create_ca_pillar
+
+  INSTALLEDVERSION=2.4.220
+}
+
 add_hydra_pillars() {
   mkdir -p /opt/so/saltstack/local/pillar/hydra
   touch /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls
@@ -1628,6 +1658,243 @@ verify_latest_update_script() {
   fi
 
 }
+
+verify_es_version_compatibility() {
+
+  local es_required_version_statefile="/opt/so/state/so_es_required_upgrade_version.txt"
+  local es_verification_script="/tmp/so_intermediate_upgrade_verification.sh"
+  # supported upgrade paths for SO-ES versions
+  declare -A es_upgrade_map=(
+    ["8.14.3"]="8.17.3 8.18.4 8.18.6 8.18.8"
+    ["8.17.3"]="8.18.4 8.18.6 8.18.8"
+    ["8.18.4"]="8.18.6 8.18.8 9.0.8"
+    ["8.18.6"]="8.18.8 9.0.8"
+    ["8.18.8"]="9.0.8"
+  )
+
+  # Elasticsearch MUST upgrade through these versions
+  declare -A es_to_so_version=(
+    ["8.18.8"]="2.4.190-20251024"
+  )
+
+  # Get current Elasticsearch version
+  if es_version_raw=$(so-elasticsearch-query / --fail --retry 5 --retry-delay 10); then
+    es_version=$(echo "$es_version_raw" | jq -r '.version.number' )
+  else
+    echo "Could not determine current Elasticsearch version to validate compatibility with post soup Elasticsearch version."
+    exit 160
+  fi
+
+  if ! target_es_version=$(so-yaml.py get $UPDATE_DIR/salt/elasticsearch/defaults.yaml elasticsearch.version | sed -n '1p'); then
+    # so-yaml.py failed to get the ES version from upgrade versions elasticsearch/defaults.yaml file. Likely they are upgrading to an SO version older than 2.4.110 prior to the ES version pinning and should be OKAY to continue with the upgrade.
+
+    # if so-yaml.py failed to get the ES version AND the version we are upgrading to is newer than 2.4.110 then we should bail
+    if [[ $(cat $UPDATE_DIR/VERSION | cut -d'.' -f3) > 110 ]]; then
+      echo "Couldn't determine the target Elasticsearch version (post soup version) to ensure compatibility with current Elasticsearch version. Exiting"
+      exit 160
+    fi
+
+    # allow upgrade to version < 2.4.110 without checking ES version compatibility
+    return 0
+
+  fi
+
+  # if this statefile exists then we have done an intermediate upgrade and we need to ensure that ALL ES nodes have been upgraded to the version in the statefile before allowing soup to continue
+  if [[ -f "$es_required_version_statefile" ]]; then
+    # required so verification script should have already been created
+    if [[ ! -f "$es_verification_script" ]]; then
+        create_intermediate_upgrade_verification_script $es_verification_script
+    fi
+
+    local es_required_version_statefile_value=$(cat $es_required_version_statefile)
+    echo -e "\n##############################################################################################################################\n"
+    echo "A previously required intermediate Elasticsearch upgrade was detected. Verifying that all Searchnodes/Heavynodes have successfully upgraded Elasticsearch to $es_required_version_statefile_value before proceeding with soup to avoid potential data loss!"
+    # create script using version in statefile
+    timeout --foreground 4000 bash "$es_verification_script" "$es_required_version_statefile_value" "$es_required_version_statefile"
+    if [[ $? -ne 0 ]]; then
+        echo -e "\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"
+
+        echo "A previous required intermediate Elasticsearch upgrade to $es_required_version_statefile_value has yet to successfully complete across the grid. Please allow time for all Searchnodes/Heavynodes to have upgraded Elasticsearch to $es_required_version_statefile_value before running soup again to avoid potential data loss!"
+
+        echo -e "\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"
+        exit 161
+    fi
+    echo -e "\n##############################################################################################################################\n"
+  fi
+
+  if [[ " ${es_upgrade_map[$es_version]} " =~ " $target_es_version " || "$es_version" == "$target_es_version" ]]; then
+    # supported upgrade
+    return 0
+  else
+    compatible_versions=${es_upgrade_map[$es_version]}
+    next_step_so_version=${es_to_so_version[${compatible_versions##* }]}
+    echo -e "\n##############################################################################################################################\n"
+    echo -e "You are currently running Security Onion $INSTALLEDVERSION. You will need to update to version $next_step_so_version before updating to $(cat $UPDATE_DIR/VERSION).\n"
+
+    echo "${compatible_versions##* }" > "$es_required_version_statefile"
+
+    # We expect to upgrade to the latest compatiable minor version of ES
+    create_intermediate_upgrade_verification_script $es_verification_script
+
+    if [[ $is_airgap -eq 0 ]]; then
+      echo "You can download the $next_step_so_version ISO image from https://download.securityonion.net/file/securityonion/securityonion-$next_step_so_version.iso"
+      echo "*** Once you have updated to $next_step_so_version, you can then run soup again to update to $(cat $UPDATE_DIR/VERSION). ***"
+      echo -e "\n##############################################################################################################################\n"
+      exit 160
+    else
+      # preserve BRANCH value if set originally
+      if [[ -n "$BRANCH" ]]; then
+        local originally_requested_so_version="$BRANCH"
+      else
+        local originally_requested_so_version="2.4/main"
+      fi
+
+      echo "Starting automated intermediate upgrade to $next_step_so_version."
+      echo "After completion, the system will automatically attempt to upgrade to the latest version."
+      echo -e "\n##############################################################################################################################\n"
+      exec bash -c "BRANCH=$next_step_so_version soup -y && BRANCH=$next_step_so_version soup -y && \
+       echo -e \"\n##############################################################################################################################\n\" && \
+       echo -e \"Verifying Elasticsearch was successfully upgraded to ${compatible_versions##* } across the grid. This part can take a while as Searchnodes/Heavynodes sync up with the Manager! \n\nOnce verification completes the next soup will begin automatically. If verification takes longer than 1 hour it will stop waiting and your grid will remain at $next_step_so_version. Allowing for all Searchnodes/Heavynodes to upgrade Elasticsearch to the required version on their own time.\n\" \
+       && timeout --foreground 4000 bash /tmp/so_intermediate_upgrade_verification.sh ${compatible_versions##* } $es_required_version_statefile && \
+       echo -e \"\n##############################################################################################################################\n\" \
+       && BRANCH=$originally_requested_so_version soup -y && BRANCH=$originally_requested_so_version soup -y"
+    fi
+  fi
+
+}
+
+create_intermediate_upgrade_verification_script() {
+    # After an intermediate upgrade, verify that ALL nodes running Elasticsearch are at the expected version BEFORE proceeding to the next upgrade step. This is a CRITICAL step
+    local verification_script="$1"
+
+    cat << 'EOF' > "$verification_script"
+    #!/bin/bash
+
+    SOUP_INTERMEDIATE_UPGRADE_FAILURES_LOG_FILE="/root/so_intermediate_upgrade_verification_failures.log"
+    CURRENT_TIME=$(date +%Y%m%d.%H%M%S)
+    EXPECTED_ES_VERSION="$1"
+
+    if [[ -z "$EXPECTED_ES_VERSION" ]]; then
+        echo -e "\nExpected Elasticsearch version not provided. Usage: $0 <expected_es_version>"
+        exit 1
+    fi
+
+    if [[ -f "$SOUP_INTERMEDIATE_UPGRADE_FAILURES_LOG_FILE" ]]; then
+        mv "$SOUP_INTERMEDIATE_UPGRADE_FAILURES_LOG_FILE" "$SOUP_INTERMEDIATE_UPGRADE_FAILURES_LOG_FILE.$CURRENT_TIME"
+    fi
+
+    check_heavynodes_es_version() {
+        # Check if heavynodes are in this grid
+        if ! salt-key -l accepted | grep -q 'heavynode$'; then
+
+            # No heavynodes, skip version check
+            echo "No heavynodes detected in this Security Onion deployment. Skipping heavynode Elasticsearch version verification."
+            return 0
+        fi
+
+        echo -e "\nOne or more heavynodes detected. Verifying their Elasticsearch versions."
+
+        local retries=20
+        local retry_count=0
+        local delay=180
+
+        while [[ $retry_count -lt $retries ]]; do
+            # keep stderr with variable for logging
+            heavynode_versions=$(salt -C 'G@role:so-heavynode' cmd.run 'so-elasticsearch-query / --retry 3 --retry-delay 10 | jq ".version.number"' shell=/bin/bash --out=json 2> /dev/null)
+            local exit_status=$?
+
+            # Check that all heavynodes returned good data
+            if [[ $exit_status -ne 0 ]]; then
+                echo "Failed to retrieve Elasticsearch version from one or more heavynodes... Retrying in $delay seconds. Attempt $((retry_count + 1)) of $retries."
+                ((retry_count++))
+                sleep $delay
+
+                continue
+            else
+                if echo "$heavynode_versions" | jq -s --arg expected "\"$EXPECTED_ES_VERSION\"" --exit-status 'all(.[]; . | to_entries | all(.[]; .value == $expected))' > /dev/null; then
+                    echo -e "\nAll heavynodes are at the expected Elasticsearch version $EXPECTED_ES_VERSION."
+
+                    return 0
+                else
+                    echo "One or more heavynodes are not at the expected Elasticsearch version $EXPECTED_ES_VERSION. Rechecking in $delay seconds. Attempt $((retry_count + 1)) of $retries."
+                    ((retry_count++))
+                    sleep $delay
+
+                    continue
+                fi
+            fi
+        done
+
+        echo -e "\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"
+        echo "One or more heavynodes is not at the expected Elasticsearch version $EXPECTED_ES_VERSION."
+        echo "Current versions:"
+        echo "$heavynode_versions" | jq -s 'add'
+        echo "$heavynode_versions" | jq -s 'add' >> "$SOUP_INTERMEDIATE_UPGRADE_FAILURES_LOG_FILE"
+        echo -e "\n Stopping automatic upgrade to latest Security Onion version. Heavynodes must ALL be at Elasticsearch version $EXPECTED_ES_VERSION before proceeding with the next upgrade step to avoid potential data loss!"
+        echo -e "\n Heavynodes will upgrade themselves to Elasticsearch $EXPECTED_ES_VERSION on their own, but this process can take a long time depending on network link between Manager and Heavynodes."
+        echo -e "\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"
+
+        return 1
+    }
+
+    check_searchnodes_es_version() {
+        local retries=20
+        local retry_count=0
+        local delay=180
+
+        while [[ $retry_count -lt $retries ]]; do
+            # keep stderr with variable for logging
+            cluster_versions=$(so-elasticsearch-query _nodes/_all/version --retry 5 --retry-delay 10 --fail 2>&1)
+            local exit_status=$?
+
+            if [[ $exit_status -ne 0 ]]; then
+                echo "Failed to retrieve Elasticsearch versions from searchnodes... Retrying in $delay seconds. Attempt $((retry_count + 1)) of $retries."
+                ((retry_count++))
+                sleep $delay
+
+                continue
+            else
+                if echo "$cluster_versions" | jq --arg expected "$EXPECTED_ES_VERSION" --exit-status '.nodes | to_entries | all(.[].value.version; . == $expected)' > /dev/null; then
+                    echo "All Searchnodes are at the expected Elasticsearch version $EXPECTED_ES_VERSION."
+
+                    return 0
+                else
+                    echo "One or more Searchnodes is not at the expected Elasticsearch version $EXPECTED_ES_VERSION. Rechecking in $delay seconds. Attempt $((retry_count + 1)) of $retries."
+                    ((retry_count++))
+                    sleep $delay
+
+                    continue
+                fi
+            fi
+        done
+
+        echo -e "\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"
+        echo "One or more Searchnodes is not at the expected Elasticsearch version $EXPECTED_ES_VERSION."
+        echo "Current versions:"
+        echo "$cluster_versions" | jq '.nodes | to_entries | map({(.value.name): .value.version}) | sort | add'
+        echo "$cluster_versions" >> "$SOUP_INTERMEDIATE_UPGRADE_FAILURES_LOG_FILE"
+        echo -e "\nStopping automatic upgrade to latest version. Searchnodes must ALL be at Elasticsearch version $EXPECTED_ES_VERSION before proceeding with the next upgrade step to avoid potential data loss!"
+        echo -e "\nSearchnodes will upgrade themselves to Elasticsearch $EXPECTED_ES_VERSION on their own, but this process can take a while depending on cluster size / network link between Manager and Searchnodes."
+        echo -e "\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n"
+
+        echo "$cluster_versions" > "$SOUP_INTERMEDIATE_UPGRADE_FAILURES_LOG_FILE"
+
+        return 1
+
+    }
+
+    # Need to add a check for heavynodes and ensure all heavynodes get their own "cluster" upgraded before moving on to final upgrade.
+    check_searchnodes_es_version || exit 1
+    check_heavynodes_es_version || exit 1
+
+    # Remove required version state file after successful verification
+    rm -f "$2"
+
+    exit 0
+
+EOF
+}
+
 # Keeping this block in case we need to do a hotfix that requires salt update
 apply_hotfix() {
   if [[ "$INSTALLEDVERSION" == "2.4.20" ]] ; then
@@ -1654,7 +1921,7 @@ apply_hotfix() {
       mv /etc/pki/managerssl.crt /etc/pki/managerssl.crt.old
       mv /etc/pki/managerssl.key /etc/pki/managerssl.key.old
       systemctl_func "start" "salt-minion"
-      (wait_for_salt_minion "$MINIONID" "5" '/dev/stdout' || fail "Salt minion was not running or ready.") 2>&1 | tee -a "$SOUP_LOG"
+      (wait_for_salt_minion "$MINIONID" "120" "4" "$SOUP_LOG" || fail "Salt minion was not running or ready.") 2>&1 | tee -a "$SOUP_LOG"
     fi
   else
    echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)"
@@ -1724,6 +1991,8 @@ main() {
   echo "Verifying we have the latest soup script."
   verify_latest_update_script
 
+  verify_es_version_compatibility
+
   echo "Let's see if we need to update Security Onion."
   upgrade_check
   upgrade_space
@@ -1851,7 +2120,7 @@ main() {
     echo ""
     echo "Running a highstate. This could take several minutes."
     set +e
-    (wait_for_salt_minion "$MINIONID" "5" '/dev/stdout' || fail "Salt minion was not running or ready.") 2>&1 | tee -a "$SOUP_LOG"
+    (wait_for_salt_minion "$MINIONID" "120" "4" "$SOUP_LOG" || fail "Salt minion was not running or ready.") 2>&1 | tee -a "$SOUP_LOG"
     highstate
     set -e
 
@@ -1864,7 +2133,7 @@ main() {
     check_saltmaster_status
 
     echo "Running a highstate to complete the Security Onion upgrade on this manager. This could take several minutes."
-    (wait_for_salt_minion "$MINIONID" "5" '/dev/stdout' || fail "Salt minion was not running or ready.") 2>&1 | tee -a "$SOUP_LOG"
+    (wait_for_salt_minion "$MINIONID" "120" "4" "$SOUP_LOG" || fail "Salt minion was not running or ready.") 2>&1 | tee -a "$SOUP_LOG"
 
     # Stop long-running scripts to allow potentially updated scripts to load on the next execution.
     killall salt-relay.sh

salt/nginx/config.sls

@@ -6,9 +6,6 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 
-include:
-  - ssl
-
 # Drop the correct nginx config based on role
 nginxconfdir:
   file.directory:

salt/nginx/enabled.sls

@@ -8,81 +8,14 @@
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'nginx/map.jinja' import NGINXMERGED %}
-{%   set ca_server = GLOBALS.minion_id %}
 
 include:
+  - nginx.ssl
   - nginx.config
   - nginx.sostatus
 
-
-{%   if grains.role not in ['so-fleet'] %}
-
-{#   if the user has selected to replace the crt and key in the ui #}
-{%   if NGINXMERGED.ssl.replace_cert %}
-
-managerssl_key:
-  file.managed:
-    - name: /etc/pki/managerssl.key
-    - source: salt://nginx/ssl/ssl.key
-    - mode: 640
-    - group: 939
-    - watch_in:
-      - docker_container: so-nginx
-
-managerssl_crt:
-  file.managed:
-    - name: /etc/pki/managerssl.crt
-    - source: salt://nginx/ssl/ssl.crt
-    - mode: 644
-    - watch_in:
-      - docker_container: so-nginx
-
-{%   else %}
-
-managerssl_key:
-  x509.private_key_managed:
-    - name: /etc/pki/managerssl.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%}
-    - prereq:
-      - x509: /etc/pki/managerssl.crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-    - watch_in:
-      - docker_container: so-nginx
-
-# Create a cert for the reverse proxy
-managerssl_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/managerssl.crt
-    - ca_server: {{ ca_server }}
-    - signing_policy: managerssl
-    - private_key: /etc/pki/managerssl.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: "DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}, DNS:{{ GLOBALS.url_base }}" 
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-    - watch_in:
-      - docker_container: so-nginx
-
-{%   endif %}
-
-msslkeyperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/managerssl.key
-    - mode: 640
-    - group: 939
-
+{%   if GLOBALS.role != 'so-fleet' %}
+{%     set container_config = 'so-nginx' %}
 make-rule-dir-nginx:
   file.directory:
     - name: /nsm/rules
@@ -92,15 +25,11 @@ make-rule-dir-nginx:
       - user
       - group
     - show_changes: False
-      
-{%   endif %}
 
-{# if this is an so-fleet node then we want to use the port bindings, custom bind mounts defined for fleet #}
-{% if GLOBALS.role == 'so-fleet' %}
-{%   set container_config = 'so-nginx-fleet-node' %}
-{% else %}
-{%   set container_config = 'so-nginx' %}
-{% endif %}
+{%   else %}
+{#     if this is an so-fleet node then we want to use the port bindings, custom bind mounts defined for fleet #}
+{%     set container_config = 'so-nginx-fleet-node' %}
+{%   endif %}
 
 so-nginx:
   docker_container.running:
@@ -154,18 +83,27 @@ so-nginx:
     - watch:
       - file: nginxconf
       - file: nginxconfdir
-    - require:
-      - file: nginxconf
-{% if GLOBALS.is_manager %}
-{%     if NGINXMERGED.ssl.replace_cert %}
+      {% if GLOBALS.is_manager %}
+      {%   if NGINXMERGED.ssl.replace_cert %}
       - file: managerssl_key
       - file: managerssl_crt
-{%     else %}
+      {%   else %}
       - x509: managerssl_key
       - x509: managerssl_crt
-{%     endif%}
+      {%   endif%}
+      {% endif %}
+    - require:
+      - file: nginxconf
+      {% if GLOBALS.is_manager %}
+      {%   if NGINXMERGED.ssl.replace_cert %}
+      - file: managerssl_key
+      - file: managerssl_crt
+      {%   else %}
+      - x509: managerssl_key
+      - x509: managerssl_crt
+      {%   endif%}
       - file: navigatorconfig
-{%   endif %}
+      {% endif %}
 
 delete_so-nginx_so-status.disabled:
   file.uncomment:

salt/nginx/ssl.sls

@@ -0,0 +1,87 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'nginx/map.jinja' import NGINXMERGED %}
+{%   from 'ca/map.jinja' import CA %}
+
+{%   if GLOBALS.role != 'so-fleet' %}
+{#     if the user has selected to replace the crt and key in the ui #}
+{%     if NGINXMERGED.ssl.replace_cert %}
+
+managerssl_key:
+  file.managed:
+    - name: /etc/pki/managerssl.key
+    - source: salt://nginx/ssl/ssl.key
+    - mode: 640
+    - group: 939
+    - watch_in:
+      - docker_container: so-nginx
+
+managerssl_crt:
+  file.managed:
+    - name: /etc/pki/managerssl.crt
+    - source: salt://nginx/ssl/ssl.crt
+    - mode: 644
+    - watch_in:
+      - docker_container: so-nginx
+
+{%   else %}
+
+managerssl_key:
+  x509.private_key_managed:
+    - name: /etc/pki/managerssl.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%}
+    - prereq:
+      - x509: /etc/pki/managerssl.crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+    - watch_in:
+      - docker_container: so-nginx
+
+# Create a cert for the reverse proxy
+managerssl_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/managerssl.crt
+    - ca_server: {{ CA.server }}
+    - signing_policy: managerssl
+    - private_key: /etc/pki/managerssl.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: "DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}, DNS:{{ GLOBALS.url_base }}" 
+    - days_remaining: 7
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+    - watch_in:
+      - docker_container: so-nginx
+
+{%     endif %}
+
+msslkeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/managerssl.key
+    - mode: 640
+    - group: 939
+
+{%   endif %}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/pcap/ca.sls

@@ -0,0 +1,22 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states or sls in allowed_states%}
+
+stenoca:
+  file.directory:
+    - name: /opt/so/conf/steno/certs
+    - user: 941
+    - group: 939
+    - makedirs: True
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/pcap/config.sls

@@ -57,12 +57,6 @@ stenoconf:
         PCAPMERGED: {{ PCAPMERGED }}
         STENO_BPF_COMPILED: "{{ STENO_BPF_COMPILED }}"
 
-stenoca:
-  file.directory:
-    - name: /opt/so/conf/steno/certs
-    - user: 941
-    - group: 939
-
 pcaptmpdir:
   file.directory:
     - name: /nsm/pcaptmp

salt/pcap/enabled.sls

@@ -10,6 +10,7 @@
 
 
 include:
+  - pcap.ca
   - pcap.config
   - pcap.sostatus
 

salt/redis/config.sls

@@ -7,9 +7,6 @@
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'redis/map.jinja' import REDISMERGED %}
 
-include:
-  - ssl
-
 # Redis Setup
 redisconfdir:
   file.directory:

salt/redis/enabled.sls

@@ -9,6 +9,8 @@
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 
 include:
+  - ca
+  - redis.ssl
   - redis.config
   - redis.sostatus
 
@@ -31,11 +33,7 @@ so-redis:
       - /nsm/redis/data:/data:rw
       - /etc/pki/redis.crt:/certs/redis.crt:ro
       - /etc/pki/redis.key:/certs/redis.key:ro
-      {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import'] %}
-      - /etc/pki/ca.crt:/certs/ca.crt:ro
-      {% else %}
       - /etc/pki/tls/certs/intca.crt:/certs/ca.crt:ro
-      {% endif %}
       {% if DOCKER.containers['so-redis'].custom_bind_mounts %}
         {% for BIND in DOCKER.containers['so-redis'].custom_bind_mounts %}
       - {{ BIND }}
@@ -55,16 +53,14 @@ so-redis:
     {% endif %}
     - entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
     - watch:
-      - file: /opt/so/conf/redis/etc
-    - require:
-      - file: redisconf
+      - file: trusttheca
+      - x509: redis_crt
+      - x509: redis_key
+      - file: /opt/so/conf/redis/etc
+    - require:
+      - file: trusttheca
       - x509: redis_crt
       - x509: redis_key
-      {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import'] %}
-      - x509: pki_public_ca_crt
-      {% else %}
-      - x509: trusttheca
-      {% endif %}
 
 delete_so-redis_so-status.disabled:
   file.uncomment:

salt/redis/ssl.sls

@@ -0,0 +1,54 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'ca/map.jinja' import CA %}
+
+redis_key:
+  x509.private_key_managed:
+    - name: /etc/pki/redis.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/redis.key') -%}
+    - prereq:
+      - x509: /etc/pki/redis.crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+redis_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/redis.crt
+    - ca_server: {{ CA.server }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
+    - signing_policy: registry
+    - private_key: /etc/pki/redis.key
+    - CN: {{ GLOBALS.hostname }}
+    - days_remaining: 7
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+
+rediskeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/redis.key
+    - mode: 640
+    - group: 939
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/registry/config.sls

@@ -6,9 +6,6 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 
-include:
-  - ssl
-
 # Create the config directory for the docker registry
 dockerregistryconfdir:
   file.directory:

salt/registry/enabled.sls

@@ -9,6 +9,7 @@
 {%   from 'docker/docker.map.jinja' import DOCKER %}
 
 include:
+  - registry.ssl
   - registry.config
   - registry.sostatus
 
@@ -53,6 +54,9 @@ so-dockerregistry:
     - retry:
         attempts: 5
         interval: 30
+    - watch:
+      - x509: registry_crt
+      - x509: registry_key
     - require:
       - file: dockerregistryconf
       - x509: registry_crt

salt/registry/ssl.sls

@@ -0,0 +1,77 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'ca/map.jinja' import CA %}
+
+include:
+  - ca
+
+# Delete directory if it exists at the key path
+registry_key_cleanup:
+  file.absent:
+    - name: /etc/pki/registry.key
+    - onlyif:
+      - test -d /etc/pki/registry.key
+
+registry_key:
+  x509.private_key_managed:
+    - name: /etc/pki/registry.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    - require:
+      - file: registry_key_cleanup
+    {% if salt['file.file_exists']('/etc/pki/registry.key') -%}
+    - prereq:
+      - x509: /etc/pki/registry.crt
+    {%- endif %}
+    - retry:
+        attempts: 15
+        interval: 10
+
+# Delete directory if it exists at the crt path
+registry_crt_cleanup:
+  file.absent:
+    - name: /etc/pki/registry.crt
+    - onlyif:
+      - test -d /etc/pki/registry.crt
+
+# Create a cert for the docker registry
+registry_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/registry.crt
+    - ca_server: {{ CA.server }}
+    - subjectAltName: DNS:{{ GLOBALS.manager }}, IP:{{ GLOBALS.manager_ip }} 
+    - signing_policy: registry
+    - private_key: /etc/pki/registry.key
+    - CN: {{ GLOBALS.manager }}
+    - days_remaining: 7
+    - days_valid: 820
+    - backup: True
+    - require:
+      - file: registry_crt_cleanup
+    - timeout: 30
+    - retry:
+        attempts: 15
+        interval: 10
+
+
+regkeyperms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/registry.key
+    - mode: 640
+    - group: 939
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/salt/engines/master/checkmine.py

@@ -46,33 +46,6 @@ def start(interval=60):
                 mine_update(minion)
                 continue
 
-            # if a manager check that the ca in in the mine and it is correct
-            if minion.split('_')[-1] in ['manager', 'managersearch', 'eval', 'standalone', 'import']:
-                x509 = __salt__['saltutil.runner']('mine.get', tgt=minion, fun='x509.get_pem_entries')
-                try:
-                    ca_crt = x509[minion]['/etc/pki/ca.crt']
-                    log.debug('checkmine engine: found minion %s has ca_crt: %s' % (minion, ca_crt))
-                    # since the cert is defined, make sure it is valid
-                    import salt.modules.x509_v2 as x509_v2
-                    if not x509_v2.verify_private_key('/etc/pki/ca.key', '/etc/pki/ca.crt'):
-                        log.error('checkmine engine: found minion %s does\'t have a valid ca_crt in the mine' % (minion))
-                        log.error('checkmine engine: %s: ca_crt: %s' % (minion, ca_crt))
-                        mine_delete(minion, 'x509.get_pem_entries')
-                        mine_update(minion)
-                        continue
-                    else:
-                        log.debug('checkmine engine: found minion %s has a valid ca_crt in the mine' % (minion))
-                except IndexError:
-                    log.error('checkmine engine: found minion %s does\'t have a ca_crt in the mine' % (minion))
-                    mine_delete(minion, 'x509.get_pem_entries')
-                    mine_update(minion)
-                    continue
-                except KeyError:
-                    log.error('checkmine engine: found minion %s is not in the mine' % (minion))
-                    mine_flush(minion)
-                    mine_update(minion)
-                    continue
-
             # Update the mine if the ip in the mine doesn't match returned from manage.alived
             network_ip_addrs = __salt__['saltutil.runner']('mine.get', tgt=minion, fun='network.ip_addrs')
             try:

salt/salt/mine_functions.sls

@@ -18,10 +18,6 @@ mine_functions:
         mine_functions:
           network.ip_addrs:
             - interface: {{ interface }}
-        {%- if role in ['so-eval','so-import','so-manager','so-managerhype','so-managersearch','so-standalone'] %}
-          x509.get_pem_entries:
-            - glob_path: '/etc/pki/ca.crt'
-        {% endif %}
 
 mine_update_mine_functions:
   module.run:

salt/salt/minion/init.sls

@@ -17,8 +17,8 @@ include:
   - repo.client
   - salt.mine_functions
   - salt.minion.service_file
-{% if GLOBALS.role in GLOBALS.manager_roles %}
-  - ca
+{% if GLOBALS.is_manager %}
+  - ca.signing_policy
 {% endif %}
 
 {% if INSTALLEDSALTVERSION|string != SALTVERSION|string %}
@@ -111,7 +111,7 @@ salt_minion_service:
 {% if INSTALLEDSALTVERSION|string == SALTVERSION|string %}
       - file: set_log_levels
 {% endif %}
-{% if GLOBALS.role in GLOBALS.manager_roles %}
-      - file: /etc/salt/minion.d/signing_policies.conf
+{% if GLOBALS.is_manager %}
+      - file: signing_policy
 {% endif %}
     - order: last

salt/sensoroni/enabled.sls

@@ -8,6 +8,9 @@
 
 
 include:
+{% if GLOBALS.is_sensor or GLOBALS.role == 'so-import' %}
+  - pcap.ca
+{% endif %}
   - sensoroni.config
   - sensoroni.sostatus
 
@@ -16,7 +19,9 @@ so-sensoroni:
     - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-soc:{{ GLOBALS.so_version }}
     - network_mode: host
     - binds:
+      {% if GLOBALS.is_sensor or GLOBALS.role == 'so-import' %}
       - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
+      {% endif %}
       - /nsm/pcap:/nsm/pcap:rw
       - /nsm/import:/nsm/import:rw
       - /nsm/pcapout:/nsm/pcapout:rw

salt/soc/enabled.sls

@@ -11,6 +11,7 @@
 {%   from 'soc/merged.map.jinja' import SOCMERGED %}
 
 include:
+  - ca
   - soc.config
   - soc.sostatus
 
@@ -55,7 +56,7 @@ so-soc:
       - /opt/so/conf/soc/migrations:/opt/so/conf/soc/migrations:rw
       - /nsm/backup/detections-migration:/nsm/backup/detections-migration:ro
       - /opt/so/state:/opt/so/state:rw
-      - /etc/pki/ca.crt:/opt/sensoroni/html/so-ca.crt:ro
+      - /etc/pki/tls/certs/intca.crt:/opt/sensoroni/html/so-ca.crt:ro
     - extra_hosts:
     {% for node in DOCKER_EXTRA_HOSTS %}
     {%   for hostname, ip in node.items() %}
@@ -78,8 +79,10 @@ so-soc:
     {%   endfor %}
     {% endif %}
     - watch:
+      - file: trusttheca
       - file: /opt/so/conf/soc/*
     - require:
+      - file: trusttheca
       - file: socdatadir
       - file: soclogdir
       - file: socconfig

salt/ssl/init.sls

@@ -1,720 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls in allowed_states %}
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-
-{%   from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
-
-{% set global_ca_text = [] %}
-{% set global_ca_server = [] %}
-{% if grains.role in ['so-heavynode'] %}
-  {% set COMMONNAME = GLOBALS.hostname %}
-{% else %}
-  {% set COMMONNAME = GLOBALS.manager %}
-{% endif %}
-
-{% if GLOBALS.is_manager %}
-include:
-  - ca
-    {% set trusttheca_text = salt['cp.get_file_str']('/etc/pki/ca.crt')|replace('\n', '') %}
-    {% set ca_server = grains.id %}
-{% else %}
-include:
-  - ca.dirs
-    {% set x509dict = salt['mine.get'](GLOBALS.manager | lower~'*', 'x509.get_pem_entries') %}
-    {% for host in x509dict %}
-      {% if 'manager' in host.split('_')|last or host.split('_')|last == 'standalone' %}
-        {% do global_ca_text.append(x509dict[host].get('/etc/pki/ca.crt')|replace('\n', '')) %}
-        {% do global_ca_server.append(host) %}
-      {% endif %}
-    {% endfor %}
-    {% set trusttheca_text = global_ca_text[0] %}
-    {% set ca_server = global_ca_server[0] %}
-{% endif %}
-
-cacertdir:
-  file.directory:
-    - name: /etc/pki/tls/certs
-    - makedirs: True
-
-# Trust the CA
-trusttheca:
-  x509.pem_managed:
-    - name: /etc/pki/tls/certs/intca.crt
-    - text:  {{ trusttheca_text }}
-
-{% if GLOBALS.os_family == 'Debian' %}
-symlinkca:
-  file.symlink:
-    - target: /etc/pki/tls/certs/intca.crt
-    - name: /etc/ssl/certs/intca.crt
-{% endif %}
-
-# Install packages needed for the sensor
-m2cryptopkgs:
-  pkg.installed:
-    - skip_suggestions: False
-    - pkgs:
-      - python3-m2crypto
-
-influxdb_key:
-  x509.private_key_managed:
-    - name: /etc/pki/influxdb.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/influxdb.key') -%}
-    - prereq:
-      - x509: /etc/pki/influxdb.crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-# Create a cert for the talking to influxdb
-influxdb_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/influxdb.crt
-    - ca_server: {{ ca_server }}
-    - signing_policy: influxdb
-    - private_key: /etc/pki/influxdb.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} 
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-
-influxkeyperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/influxdb.key
-    - mode: 640
-    - group: 939
-
-{% if GLOBALS.is_manager or GLOBALS.role in ['so-heavynode', 'so-fleet', 'so-receiver'] %}
-# Create a cert for Redis encryption
-redis_key:
-  x509.private_key_managed:
-    - name: /etc/pki/redis.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/redis.key') -%}
-    - prereq:
-      - x509: /etc/pki/redis.crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-redis_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/redis.crt
-    - ca_server: {{ ca_server }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
-    - signing_policy: registry
-    - private_key: /etc/pki/redis.key
-    - CN: {{ GLOBALS.hostname }}
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-
-rediskeyperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/redis.key
-    - mode: 640
-    - group: 939
-{% endif %}
-
-{% if GLOBALS.is_manager or GLOBALS.role in ['so-heavynode', 'so-fleet', 'so-receiver'] %}
-
-{% if grains['role'] not in [ 'so-heavynode', 'so-receiver'] %}
-# Start -- Elastic Fleet Host Cert
-etc_elasticfleet_key:
-  x509.private_key_managed:
-    - name: /etc/pki/elasticfleet-server.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/elasticfleet-server.key') -%}
-    - prereq:
-      - x509: etc_elasticfleet_crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-etc_elasticfleet_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/elasticfleet-server.crt
-    - ca_server: {{ ca_server }}
-    - signing_policy: elasticfleet
-    - private_key: /etc/pki/elasticfleet-server.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-
-efperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-server.key
-    - mode: 640
-    - group: 939
-
-chownelasticfleetcrt:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-server.crt
-    - mode: 640
-    - user: 947
-    - group: 939
-
-chownelasticfleetkey:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-server.key
-    - mode: 640
-    - user: 947
-    - group: 939
-# End -- Elastic Fleet Host Cert
-{% endif %} # endif is for not including HeavyNodes & Receivers 
-
-{% if grains['role'] not in [ 'so-heavynode'] %}
-# Start -- Elastic Fleet Logstash Input Cert
-etc_elasticfleet_logstash_key:
-  x509.private_key_managed:
-    - name: /etc/pki/elasticfleet-logstash.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/elasticfleet-logstash.key') -%}
-    - prereq:
-      - x509: etc_elasticfleet_logstash_crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-etc_elasticfleet_logstash_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/elasticfleet-logstash.crt
-    - ca_server: {{ ca_server }}
-    - signing_policy: elasticfleet
-    - private_key: /etc/pki/elasticfleet-logstash.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-  cmd.run:
-    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-logstash.key -topk8 -out /etc/pki/elasticfleet-logstash.p8 -nocrypt"
-    - onchanges:
-      - x509: etc_elasticfleet_logstash_key
-
-eflogstashperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-logstash.key
-    - mode: 640
-    - group: 939
-
-chownelasticfleetlogstashcrt:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-logstash.crt
-    - mode: 640
-    - user: 931
-    - group: 939
-
-chownelasticfleetlogstashkey:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-logstash.key
-    - mode: 640
-    - user: 931
-    - group: 939
-# End -- Elastic Fleet Logstash Input Cert
-{% endif %} # endif is for not including HeavyNodes 
-
-# Start -- Elastic Fleet Node - Logstash Lumberjack Input / Output
-# Cert needed on: Managers, Receivers
-etc_elasticfleetlumberjack_key:
-  x509.private_key_managed:
-    - name: /etc/pki/elasticfleet-lumberjack.key
-    - bits: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/elasticfleet-lumberjack.key') -%}
-    - prereq:
-      - x509: etc_elasticfleetlumberjack_crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-etc_elasticfleetlumberjack_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/elasticfleet-lumberjack.crt
-    - ca_server: {{ ca_server }}
-    - signing_policy: elasticfleet
-    - private_key: /etc/pki/elasticfleet-lumberjack.key
-    - CN: {{ GLOBALS.node_ip }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }}
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-  cmd.run:
-    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-lumberjack.key -topk8 -out /etc/pki/elasticfleet-lumberjack.p8 -nocrypt"
-    - onchanges:
-      - x509: etc_elasticfleetlumberjack_key
-
-eflogstashlumberjackperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-lumberjack.key
-    - mode: 640
-    - group: 939
-
-chownilogstashelasticfleetlumberjackp8:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-lumberjack.p8
-    - mode: 640
-    - user: 931
-    - group: 939
-
-chownilogstashelasticfleetlogstashlumberjackcrt:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-lumberjack.crt
-    - mode: 640
-    - user: 931
-    - group: 939
-
-chownilogstashelasticfleetlogstashlumberjackkey:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-lumberjack.key
-    - mode: 640
-    - user: 931
-    - group: 939
-
-# End -- Elastic Fleet Node - Logstash Lumberjack Input / Output
-
-# Start -- Elastic Fleet Client Cert for Agent (Mutual Auth with Logstash Output)
-etc_elasticfleet_agent_key:
-  x509.private_key_managed:
-    - name: /etc/pki/elasticfleet-agent.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/elasticfleet-agent.key') -%}
-    - prereq:
-      - x509: etc_elasticfleet_agent_crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-etc_elasticfleet_agent_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/elasticfleet-agent.crt
-    - ca_server: {{ ca_server }}
-    - signing_policy: elasticfleet
-    - private_key: /etc/pki/elasticfleet-agent.key
-    - CN: {{ GLOBALS.hostname }}
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-  cmd.run:
-    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-agent.key -topk8 -out /etc/pki/elasticfleet-agent.p8 -nocrypt"
-    - onchanges:
-      - x509: etc_elasticfleet_agent_key
-
-efagentperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-agent.key
-    - mode: 640
-    - group: 939
-
-chownelasticfleetagentcrt:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-agent.crt
-    - mode: 640
-    - user: 947
-    - group: 939
-
-chownelasticfleetagentkey:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-agent.key
-    - mode: 640
-    - user: 947
-    - group: 939
-# End -- Elastic Fleet Client Cert for Agent (Mutual Auth with Logstash Output)
-
-{% endif %}
-
-{% if GLOBALS.is_manager or GLOBALS.role in ['so-heavynode', 'so-receiver'] %}
-etc_filebeat_key:
-  x509.private_key_managed:
-    - name: /etc/pki/filebeat.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/filebeat.key') -%}
-    - prereq:
-      - x509: etc_filebeat_crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-# Request a cert and drop it where it needs to go to be distributed
-etc_filebeat_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/filebeat.crt
-    - ca_server: {{ ca_server }}
-    - signing_policy: filebeat
-    - private_key: /etc/pki/filebeat.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-  cmd.run:
-    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt"
-    - onchanges:
-      - x509: etc_filebeat_key
-
-fbperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/filebeat.key
-    - mode: 640
-    - group: 939
-
-chownilogstashfilebeatp8:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/filebeat.p8
-    - mode: 640
-    - user: 931
-    - group: 939
-
-  {% if grains.role not in ['so-heavynode', 'so-receiver'] %}
-# Create Symlinks to the keys so I can distribute it to all the things
-filebeatdir:
-  file.directory:
-    - name: /opt/so/saltstack/local/salt/filebeat/files
-    - makedirs: True
-
-fbkeylink:
-  file.symlink:
-    - name: /opt/so/saltstack/local/salt/filebeat/files/filebeat.p8
-    - target: /etc/pki/filebeat.p8
-    - user: socore
-    - group: socore
-
-fbcrtlink:
-  file.symlink:
-    - name: /opt/so/saltstack/local/salt/filebeat/files/filebeat.crt
-    - target: /etc/pki/filebeat.crt
-    - user: socore
-    - group: socore
-
-registry_key:
-  x509.private_key_managed:
-    - name: /etc/pki/registry.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/registry.key') -%}
-    - prereq:
-      - x509: /etc/pki/registry.crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-# Create a cert for the docker registry
-registry_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/registry.crt
-    - ca_server: {{ ca_server }}
-    - subjectAltName: DNS:{{ GLOBALS.manager }}, IP:{{ GLOBALS.manager_ip }} 
-    - signing_policy: registry
-    - private_key: /etc/pki/registry.key
-    - CN: {{ GLOBALS.manager }}
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-
-regkeyperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/registry.key
-    - mode: 640
-    - group: 939
-
-  {% endif %}
-  {% if grains.role not in ['so-receiver'] %}
-# Create a cert for elasticsearch
-/etc/pki/elasticsearch.key:
-  x509.private_key_managed:
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/elasticsearch.key') -%}
-    - prereq:
-      - x509: /etc/pki/elasticsearch.crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-/etc/pki/elasticsearch.crt:
-  x509.certificate_managed:
-    - ca_server: {{ ca_server }}
-    - signing_policy: registry
-    - private_key: /etc/pki/elasticsearch.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-  cmd.run:
-    - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12 -nodes -passout pass:"
-    - onchanges:
-      - x509: /etc/pki/elasticsearch.key
-
-elastickeyperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticsearch.key
-    - mode: 640
-    - group: 930
-    
-elasticp12perms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticsearch.p12
-    - mode: 640
-    - group: 930
-
-  {% endif %}
-
-
-{% endif %}
-
-{% if GLOBALS.is_manager or GLOBALS.role in ['so-sensor', 'so-searchnode', 'so-heavynode', 'so-fleet', 'so-idh', 'so-receiver'] %}
-   
-fbcertdir:
-  file.directory:
-    - name: /opt/so/conf/filebeat/etc/pki
-    - makedirs: True
-
-conf_filebeat_key:
-  x509.private_key_managed:
-    - name: /opt/so/conf/filebeat/etc/pki/filebeat.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/opt/so/conf/filebeat/etc/pki/filebeat.key') -%}
-    - prereq:
-      - x509: conf_filebeat_crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-# Request a cert and drop it where it needs to go to be distributed
-conf_filebeat_crt:
-  x509.certificate_managed:
-    - name: /opt/so/conf/filebeat/etc/pki/filebeat.crt
-    - ca_server: {{ ca_server }}
-    - signing_policy: filebeat
-    - private_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-
-# Convert the key to pkcs#8 so logstash will work correctly.
-filebeatpkcs:
-  cmd.run:
-    - name: "/usr/bin/openssl pkcs8 -in /opt/so/conf/filebeat/etc/pki/filebeat.key -topk8 -out /opt/so/conf/filebeat/etc/pki/filebeat.p8 -passout pass:"
-    - onchanges:
-      - x509: conf_filebeat_key
-
-filebeatkeyperms:
-  file.managed:
-    - replace: False
-    - name: /opt/so/conf/filebeat/etc/pki/filebeat.key
-    - mode: 640
-    - group: 939
-
-chownfilebeatp8:
-  file.managed:
-    - replace: False
-    - name: /opt/so/conf/filebeat/etc/pki/filebeat.p8
-    - mode: 640
-    - user: 931
-    - group: 939
-    
-{% endif %}
-
-{% if grains['role'] == 'so-searchnode' %}
-# Create a cert for elasticsearch
-/etc/pki/elasticsearch.key:
-  x509.private_key_managed:
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/elasticsearch.key') -%}
-    - prereq:
-      - x509: /etc/pki/elasticsearch.crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-/etc/pki/elasticsearch.crt:
-  x509.certificate_managed:
-    - ca_server: {{ ca_server }}
-    - signing_policy: registry
-    - private_key: /etc/pki/elasticsearch.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-  cmd.run:
-    - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12 -nodes -passout pass:"
-    - onchanges:
-      - x509: /etc/pki/elasticsearch.key
-
-elasticp12perms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticsearch.p12
-    - mode: 640
-    - group: 930
-    
-elastickeyperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticsearch.key
-    - mode: 640
-    - group: 930
-{%- endif %}
-
-{% if GLOBALS.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone'] %}
-elasticfleet_kafka_key:
-  x509.private_key_managed:
-    - name: /etc/pki/elasticfleet-kafka.key
-    - keysize: 4096
-    - backup: True
-    - new: True
-    {% if salt['file.file_exists']('/etc/pki/elasticfleet-kafka.key') -%}
-    - prereq:
-      - x509: elasticfleet_kafka_crt
-    {%- endif %}
-    - retry:
-        attempts: 5
-        interval: 30
-
-elasticfleet_kafka_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/elasticfleet-kafka.crt
-    - ca_server: {{ ca_server }}
-    - signing_policy: kafka
-    - private_key: /etc/pki/elasticfleet-kafka.key
-    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-
-elasticfleet_kafka_cert_perms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-kafka.crt
-    - mode: 640
-    - user: 947
-    - group: 939
-
-elasticfleet_kafka_key_perms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/elasticfleet-kafka.key
-    - mode: 640
-    - user: 947
-    - group: 939
-{% endif %}
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}

salt/ssl/remove.sls

@@ -1,10 +1,7 @@
-trusttheca:
-  file.absent:
-    - name: /etc/pki/tls/certs/intca.crt
-
-symlinkca:
-  file.absent:
-    - name: /etc/ssl/certs/intca.crt
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
 
 influxdb_key:
   file.absent:
@@ -14,6 +11,14 @@ influxdb_crt:
   file.absent:
     - name: /etc/pki/influxdb.crt
 
+telegraf_key:
+  file.absent:
+    - name: /etc/pki/telegraf.key
+
+telegraf_crt:
+  file.absent:
+    - name: /etc/pki/telegraf.crt
+
 redis_key:
   file.absent:
     - name: /etc/pki/redis.key
@@ -30,6 +35,7 @@ etc_filebeat_crt:
   file.absent:
     - name: /etc/pki/filebeat.crt
 
+# manager has symlink to /etc/pki/filebeat.crt and /etc/pki/filebeat.p8
 filebeatdir:
   file.absent:
     - name: /opt/so/saltstack/local/salt/filebeat/files
@@ -42,11 +48,13 @@ registry_crt:
   file.absent:
     - name: /etc/pki/registry.crt
 
-/etc/pki/elasticsearch.key:
-  file.absent: []
+elasticsearch_key:
+  file.absent:
+    - name: /etc/pki/elasticsearch.key
 
-/etc/pki/elasticsearch.crt:
-  file.absent: []
+elasticsearch_crt:
+  file.absent:
+    - name: /etc/pki/elasticsearch.crt
 
 remove_elasticsearch.p12:
   file.absent:
@@ -75,6 +83,7 @@ fbcertdir:
 kafka_crt:
   file.absent:
     - name: /etc/pki/kafka.crt
+
 kafka_key:
   file.absent:
     - name: /etc/pki/kafka.key
@@ -82,9 +91,67 @@ kafka_key:
 kafka_logstash_crt:
   file.absent:
     - name: /etc/pki/kafka-logstash.crt
+
 kafka_logstash_key:
   file.absent:
     - name: /etc/pki/kafka-logstash.key
+
 kafka_logstash_keystore:
   file.absent:
     - name: /etc/pki/kafka-logstash.p12
+
+elasticfleet_agent_crt:
+  file.absent:
+    - name: /etc/pki/elasticfleet-agent.crt
+
+elasticfleet_agent_key:
+  file.absent:
+    - name: /etc/pki/elasticfleet-agent.key
+
+elasticfleet_agent_p8:
+  file.absent:
+    - name: /etc/pki/elasticfleet-agent.p8
+
+elasticfleet_kafka_crt:
+  file.absent:
+    - name: /etc/pki/elasticfleet-kafka.crt
+
+elasticfleet_kafka_key:
+  file.absent:
+    - name: /etc/pki/elasticfleet-kafka.key
+
+elasticfleet_logstash_crt:
+  file.absent:
+    - name: /etc/pki/elasticfleet-logstash.crt
+
+elasticfleet_logstash_key:
+  file.absent:
+    - name: /etc/pki/elasticfleet-logstash.key
+
+elasticfleet_logstash_p8:
+  file.absent:
+    - name: /etc/pki/elasticfleet-logstash.p8
+
+elasticfleet_lumberjack_crt:
+  file.absent:
+    - name: /etc/pki/elasticfleet-lumberjack.crt
+
+elasticfleet_lumberjack_key:
+  file.absent:
+    - name: /etc/pki/elasticfleet-lumberjack.key
+
+elasticfleet_lumberjack_p8:
+  file.absent:
+    - name: /etc/pki/elasticfleet-lumberjack.p8
+
+elasticfleet_server_crt:
+  file.absent:
+    - name: /etc/pki/elasticfleet-server.crt
+
+elasticfleet_server_key:
+  file.absent:
+    - name: /etc/pki/elasticfleet-server.key
+
+filebeat_p8:
+  file.absent:
+    - name: /etc/pki/filebeat.p8

salt/telegraf/config.sls

@@ -8,9 +8,6 @@
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'telegraf/map.jinja' import TELEGRAFMERGED %}
 
-include:
-  - ssl
-
 # add Telegraf to monitor all the things
 tgraflogdir:
   file.directory:

salt/telegraf/enabled.sls

@@ -9,8 +9,9 @@
 {%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'telegraf/map.jinja' import TELEGRAFMERGED %}
 
-
 include:
+  - ca
+  - telegraf.ssl
   - telegraf.config
   - telegraf.sostatus
 
@@ -42,13 +43,9 @@ so-telegraf:
       - /proc:/host/proc:ro
       - /nsm:/host/nsm:ro
       - /etc:/host/etc:ro
-      {% if GLOBALS.role in ['so-manager', 'so-eval', 'so-managersearch' ] %}
-      - /etc/pki/ca.crt:/etc/telegraf/ca.crt:ro
-      {% else %}
       - /etc/pki/tls/certs/intca.crt:/etc/telegraf/ca.crt:ro
-      {% endif %}
-      - /etc/pki/influxdb.crt:/etc/telegraf/telegraf.crt:ro
-      - /etc/pki/influxdb.key:/etc/telegraf/telegraf.key:ro
+      - /etc/pki/telegraf.crt:/etc/telegraf/telegraf.crt:ro
+      - /etc/pki/telegraf.key:/etc/telegraf/telegraf.key:ro
       - /opt/so/conf/telegraf/scripts:/scripts:ro
       - /opt/so/log/stenographer:/var/log/stenographer:ro
       - /opt/so/log/suricata:/var/log/suricata:ro
@@ -71,21 +68,20 @@ so-telegraf:
       {% endfor %}
     {% endif %}
     - watch:
+      - file: trusttheca
+      - x509: telegraf_crt
+      - x509: telegraf_key
       - file: tgrafconf
       - file: node_config
     {% for script in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}
       - file: tgraf_sync_script_{{script}}
     {% endfor %}
-    - require: 
+    - require:
+      - file: trusttheca
+      - x509: telegraf_crt
+      - x509: telegraf_key
       - file: tgrafconf
       - file: node_config
-      {% if GLOBALS.role in ['so-manager', 'so-eval', 'so-managersearch' ] %}
-      - x509: pki_public_ca_crt
-      {% else %}
-      - x509: trusttheca
-      {% endif %}
-      - x509: influxdb_crt
-      - x509: influxdb_key
 
 delete_so-telegraf_so-status.disabled:
   file.uncomment:

salt/telegraf/ssl.sls

@@ -0,0 +1,66 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'ca/map.jinja' import CA %}
+
+telegraf_key:
+  x509.private_key_managed:
+    - name: /etc/pki/telegraf.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/telegraf.key') -%}
+    - prereq:
+      - x509: /etc/pki/telegraf.crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+# Create a cert for the talking to telegraf
+telegraf_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/telegraf.crt
+    - ca_server: {{ CA.server }}
+    - signing_policy: influxdb
+    - private_key: /etc/pki/telegraf.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} 
+    - days_remaining: 7
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+
+telegraf_key_perms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/telegraf.key
+    - mode: 640
+    - group: 939
+
+{%   if not GLOBALS.is_manager %}
+{# Prior to 2.4.220, minions used influxdb.crt and key for telegraf #}
+remove_influxdb.crt:
+  file.absent:
+    - name: /etc/pki/influxdb.crt
+
+remove_influxdb.key:
+  file.absent:
+    - name: /etc/pki/influxdb.key
+{%   endif %}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/top.sls

@@ -37,6 +37,7 @@ base:
   'not ( *_manager* or *_eval or *_import or *_standalone ) and G@saltversion:{{saltversion}}':
     - match: compound
     - salt.minion
+    - ca
     - patch.os.schedule
     - motd
     - salt.minion-check
@@ -49,6 +50,7 @@ base:
   '( *_manager* or *_eval or *_import or *_standalone ) and G@saltversion:{{saltversion}} and not I@node_data:False':
     - match: compound
     - salt.minion
+    - ca
     - patch.os.schedule
     - motd
     - salt.minion-check
@@ -61,8 +63,6 @@ base:
     - match: compound
     - salt.master
     - sensor
-    - ca
-    - ssl
     - registry
     - manager
     - backup.config_backup
@@ -91,8 +91,6 @@ base:
     - match: compound
     - salt.master
     - sensor
-    - ca
-    - ssl
     - registry
     - manager
     - backup.config_backup
@@ -124,8 +122,6 @@ base:
   '*_manager or *_managerhype and G@saltversion:{{saltversion}} and not I@node_data:False':
     - match: compound
     - salt.master
-    - ca
-    - ssl
     - registry
     - nginx
     - influxdb
@@ -157,8 +153,6 @@ base:
   '*_managersearch and G@saltversion:{{saltversion}} and not I@node_data:False':
     - match: compound
     - salt.master
-    - ca
-    - ssl
     - registry
     - nginx
     - influxdb
@@ -187,8 +181,6 @@ base:
     - match: compound
     - salt.master
     - sensor
-    - ca
-    - ssl
     - registry
     - manager
     - nginx
@@ -212,7 +204,6 @@ base:
   '*_searchnode and G@saltversion:{{saltversion}}':
     - match: compound
     - firewall
-    - ssl
     - elasticsearch
     - logstash
     - sensoroni
@@ -225,7 +216,6 @@ base:
   '*_sensor and G@saltversion:{{saltversion}}':
     - match: compound
     - sensor
-    - ssl
     - sensoroni
     - telegraf
     - firewall
@@ -241,7 +231,6 @@ base:
   '*_heavynode and G@saltversion:{{saltversion}}':
     - match: compound
     - sensor
-    - ssl
     - sensoroni
     - telegraf
     - nginx
@@ -259,7 +248,6 @@ base:
 
   '*_receiver and G@saltversion:{{saltversion}}':
     - match: compound
-    - ssl
     - sensoroni
     - telegraf
     - firewall
@@ -271,7 +259,6 @@ base:
 
   '*_idh and G@saltversion:{{saltversion}}':
     - match: compound
-    - ssl
     - sensoroni
     - telegraf
     - firewall
@@ -280,7 +267,6 @@ base:
 
   '*_fleet and G@saltversion:{{saltversion}}':
     - match: compound
-    - ssl
     - sensoroni
     - telegraf
     - firewall
@@ -293,7 +279,6 @@ base:
 
   '*_hypervisor and I@features:vrt and G@saltversion:{{saltversion}}':
     - match: compound
-    - ssl
     - sensoroni
     - telegraf
     - firewall
@@ -304,7 +289,6 @@ base:
     - stig
   
   '*_desktop and G@saltversion:{{saltversion}}':
-    - ssl
     - sensoroni
     - telegraf
     - elasticfleet.install_agent_grid

setup/so-functions

@@ -1121,16 +1121,6 @@ generate_ca() {
 	logCmd "openssl x509 -in /etc/pki/ca.crt -noout -subject -issuer -dates"
 }
 
-generate_ssl() {
-	# if the install type is a manager then we need to wait for the minion to be ready before trying
-	# to run the ssl state since we need the minion to sign the certs
-	if [[ $waitforstate ]]; then
-		(wait_for_salt_minion "$MINION_ID" "5" '/dev/stdout' || fail_setup) 2>&1 | tee -a "$setup_log"
-	fi
-	info "Applying SSL state"
-	logCmd "salt-call state.apply ssl -l info"
-}
-
 generate_passwords(){
   title "Generate Random Passwords"
   INFLUXPASS=$(get_random_value)
@@ -1644,7 +1634,7 @@ reinstall_init() {
 
 	{
 		# remove all of root's cronjobs
-		logCmd "crontab -r -u root"
+		crontab -r -u root
 
 		if command -v salt-call &> /dev/null && grep -q "master:" /etc/salt/minion 2> /dev/null; then
 			# Disable schedule so highstate doesn't start running during the install
@@ -1654,8 +1644,7 @@ reinstall_init() {
 			salt-call -l info saltutil.kill_all_jobs --local
 		fi
 
-		logCmd "salt-call state.apply ca.remove -linfo --local --file-root=../salt"
-		logCmd "salt-call state.apply ssl.remove -linfo --local --file-root=../salt"
+		salt-call state.apply ca.remove -linfo --local --file-root=../salt
 
 		# Kill any salt processes (safely)
 		for service in "${salt_services[@]}"; do
@@ -1668,7 +1657,7 @@ reinstall_init() {
 			local count=0
 			while check_service_status "$service"; do
 				if [[ $count -gt $service_retry_count ]]; then
-					info "Could not stop $service after 1 minute, exiting setup."
+					echo "Could not stop $service after 1 minute, exiting setup."
 
 					# Stop the systemctl process trying to kill the service, show user a message, then exit setup
 					kill -9 $pid
@@ -1706,10 +1695,10 @@ reinstall_init() {
 		backup_dir /nsm/influxdb "$date_string"
 
 		# Uninstall local Elastic Agent, if installed
-		logCmd "elastic-agent uninstall -f"
+		elastic-agent uninstall -f
 
 		if [[ $is_deb ]]; then
-			info "Unholding previously held packages."
+			echo "Unholding previously held packages."
 			apt-mark unhold $(apt-mark showhold)
 		fi
 

setup/so-setup

@@ -773,12 +773,9 @@ if ! [[ -f $install_opt_file ]]; then
 		# wait here until we get a response from the salt-master since it may have just restarted
 		# exit setup after 5-6 minutes of trying
 		check_salt_master_status || fail  "Can't access salt master or it is not ready"
-		# apply the ca state to create the ca and put it in the mine early in the install
+		# apply the ca state to create the ca and symlink to local/salt/ca/files/ca.crt
 		# the minion ip will already be in the mine from configure_minion function in so-functions
 		generate_ca
-		# this will also call the ssl state since docker requires the intca
-		# the salt-minion service will need to be up on the manager to sign requests
-		generate_ssl
 		logCmd "salt-call state.apply docker"
 		firewall_generate_templates
 		set_initial_firewall_policy