update index template priorities + explicity add datastream config options

.github/workflows/pythontest.yml

@@ -13,7 +13,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.14"]
+        python-version: ["3.13"]
         python-code-path: ["salt/sensoroni/files/analyzers", "salt/manager/tools/sbin"]
 
     steps:

salt/_modules/needs_restarting.py

@@ -1,14 +1,24 @@
+from os import path
 import subprocess
 
 def check():
 
+  osfam = __grains__['os_family']
   retval = 'False'
 
-  cmd = 'needs-restarting -r > /dev/null 2>&1'
+  if osfam == 'Debian':
+    if path.exists('/var/run/reboot-required'):
+      retval = 'True'
 
-  try:
-    needs_restarting = subprocess.check_call(cmd, shell=True)
-  except subprocess.CalledProcessError:
-    retval = 'True'
+  elif osfam == 'RedHat':
+    cmd = 'needs-restarting -r > /dev/null 2>&1'
+    
+    try:
+      needs_restarting = subprocess.check_call(cmd, shell=True)
+    except subprocess.CalledProcessError:
+      retval = 'True'
+
+  else:
+    retval = 'Unsupported OS: %s' % os
 
   return retval

salt/ca/trustca.sls

@@ -3,6 +3,8 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
 include:
   - docker
 
@@ -16,3 +18,9 @@ trusttheca:
     - show_changes: False
     - makedirs: True
 
+{% if GLOBALS.os_family == 'Debian' %}
+symlinkca:
+  file.symlink:
+    - target: /etc/pki/tls/certs/intca.crt
+    - name: /etc/ssl/certs/intca.crt
+{% endif %}

salt/common/files/daemon.json

@@ -1,4 +1,3 @@
-{% from 'docker/docker.map.jinja' import DOCKER -%}
 {
   "registry-mirrors": [
     "https://:5000"
@@ -9,16 +8,12 @@
       "base": "172.17.0.0/24",
       "size": 24
     }
-  ]
-{%- if DOCKER.default_ulimits %},
+  ],
   "default-ulimits": {
-{%-   for ULIMIT in DOCKER.default_ulimits %}
-    "{{ ULIMIT.name }}": {
-      "Name": "{{ ULIMIT.name }}",
-      "Soft": {{ ULIMIT.soft }},
-      "Hard": {{ ULIMIT.hard }}
-    }{{ "," if not loop.last else "" }}
-{%-   endfor %}
+      "nofile": {
+        "Name": "nofile",
+        "Soft": 1048576,
+        "Hard": 1048576
+      }
   }
-{%- endif %}
 }

salt/common/init.sls

@@ -20,6 +20,11 @@ kernel.printk:
   sysctl.present:
     - value: "3 4 1 3"
 
+# Remove variables.txt from /tmp - This is temp
+rmvariablesfile:
+  file.absent:
+    - name: /tmp/variables.txt
+
 # Add socore Group
 socoregroup:
   group.present:
@@ -144,6 +149,28 @@ common_sbin_jinja:
       - so-import-pcap
 {% endif %}
 
+{% if GLOBALS.role == 'so-heavynode' %}
+remove_so-pcap-import_heavynode:
+  file.absent:
+    - name: /usr/sbin/so-pcap-import
+
+remove_so-import-pcap_heavynode:
+  file.absent:
+    - name: /usr/sbin/so-import-pcap
+{% endif %}
+
+{% if not GLOBALS.is_manager%}
+# prior to 2.4.50 these scripts were in common/tools/sbin on the manager because of soup and distributed to non managers
+# these two states remove the scripts from non manager nodes
+remove_soup:
+  file.absent:
+    - name: /usr/sbin/soup
+
+remove_so-firewall:
+  file.absent:
+    - name: /usr/sbin/so-firewall
+{% endif %}
+
 so-status_script:
   file.managed:
     - name: /usr/sbin/so-status

salt/common/packages.sls

@@ -1,5 +1,52 @@
 # we cannot import GLOBALS from vars/globals.map.jinja in this state since it is called in setup.virt.init
 # since it is early in setup of a new VM, the pillars imported in GLOBALS are not yet defined
+{% if grains.os_family == 'Debian' %}
+commonpkgs:
+  pkg.installed:
+    - skip_suggestions: True
+    - pkgs:
+      - apache2-utils
+      - wget
+      - ntpdate
+      - jq
+      - curl
+      - ca-certificates
+      - software-properties-common
+      - apt-transport-https
+      - openssl
+      - netcat-openbsd
+      - sqlite3
+      - libssl-dev
+      - procps
+      - python3-dateutil
+      - python3-docker
+      - python3-packaging
+      - python3-lxml
+      - git
+      - rsync
+      - vim
+      - tar
+      - unzip
+      - bc
+      {% if grains.oscodename != 'focal' %}
+      - python3-rich
+      {% endif %}
+
+{%     if grains.oscodename == 'focal' %}
+# since Ubuntu requires and internet connection we can use pip to install modules
+python3-pip:
+  pkg.installed
+
+python-rich:
+  pip.installed:
+    - name: rich
+    - target: /usr/local/lib/python3.8/dist-packages/
+    - require:
+      - pkg: python3-pip
+{%     endif %}
+{% endif %}
+
+{% if grains.os_family == 'RedHat' %}
 
 remove_mariadb:
   pkg.removed:
@@ -37,3 +84,5 @@ commonpkgs:
       - unzip
       - wget
       - yum-utils
+
+{% endif %}

salt/common/soup_scripts.sls

@@ -11,6 +11,14 @@
 {%   endif %}
 {%   set SOVERSION = salt['file.read']('/etc/soversion').strip() %}
 
+remove_common_soup:
+  file.absent:
+    - name: /opt/so/saltstack/default/salt/common/tools/sbin/soup
+
+remove_common_so-firewall:
+  file.absent:
+    - name: /opt/so/saltstack/default/salt/common/tools/sbin/so-firewall
+
 # This section is used to put the scripts in place in the Salt file system
 # in case a state run tries to overwrite what we do in the next section.
 copy_so-common_common_tools_sbin:

salt/common/tools/sbin/so-common

@@ -349,16 +349,21 @@ get_random_value() {
 }
 
 gpg_rpm_import() {
-	if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
-		local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
-	else
-		local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
+	if [[ $is_oracle ]]; then
+	    if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
+	        local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
+	    else
+	        local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
+	    fi
+		RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
+		for RPMKEY in "${RPMKEYS[@]}"; do
+    	        rpm --import $RPMKEYSLOC/$RPMKEY
+	        echo "Imported $RPMKEY"
+	    done
+	elif [[ $is_rpm ]]; then
+		echo "Importing the security onion GPG key"
+		rpm --import ../salt/repo/client/files/oracle/keys/securityonion.pub
 	fi
-	RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
-	for RPMKEY in "${RPMKEYS[@]}"; do
-		rpm --import $RPMKEYSLOC/$RPMKEY
-		echo "Imported $RPMKEY"
-	done
 }
 
 header() {
@@ -545,6 +550,22 @@ retry() {
         return $exitcode
 }
 
+rollover_index() {
+  idx=$1
+  exists=$(so-elasticsearch-query $idx -o /dev/null -w "%{http_code}")
+  if [[ $exists -eq 200 ]]; then
+    rollover=$(so-elasticsearch-query $idx/_rollover -o /dev/null -w "%{http_code}" -XPOST)
+
+    if [[ $rollover -eq 200 ]]; then
+      echo "Successfully triggered rollover for $idx..."
+    else
+      echo "Could not trigger rollover for $idx..."
+    fi
+  else
+    echo "Could not find index $idx..."
+  fi
+}
+
 run_check_net_err() {
 	local cmd=$1
 	local err_msg=${2:-"Unknown error occured, please check /root/$WHATWOULDYOUSAYYAHDOHERE.log for details."} # Really need to rename that variable
@@ -610,19 +631,69 @@ salt_minion_count() {
 }
 
 set_os() {
-	if [ -f /etc/redhat-release ] && grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release && [ -f /etc/oracle-release ]; then
-		OS=oracle
-		OSVER=9
-		is_oracle=true
-		is_rpm=true
+	if [ -f /etc/redhat-release ]; then
+		if grep -q "Rocky Linux release 9" /etc/redhat-release; then
+			OS=rocky
+			OSVER=9
+			is_rocky=true
+			is_rpm=true
+		elif grep -q "CentOS Stream release 9" /etc/redhat-release; then
+			OS=centos
+			OSVER=9
+			is_centos=true
+			is_rpm=true
+		elif grep -q "AlmaLinux release 9" /etc/redhat-release; then
+			OS=alma
+			OSVER=9
+			is_alma=true
+			is_rpm=true
+		elif grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release; then
+			if [ -f /etc/oracle-release ]; then
+				OS=oracle
+				OSVER=9
+				is_oracle=true
+				is_rpm=true
+			else
+				OS=rhel
+				OSVER=9
+				is_rhel=true
+				is_rpm=true
+			fi
+		fi
+		cron_service_name="crond"
+	elif [ -f /etc/os-release ]; then
+		if grep -q "UBUNTU_CODENAME=focal" /etc/os-release; then
+			OSVER=focal
+			UBVER=20.04
+			OS=ubuntu
+			is_ubuntu=true
+			is_deb=true
+		elif grep -q "UBUNTU_CODENAME=jammy" /etc/os-release; then
+			OSVER=jammy
+			UBVER=22.04
+			OS=ubuntu
+			is_ubuntu=true
+			is_deb=true
+		elif grep -q "VERSION_CODENAME=bookworm" /etc/os-release; then
+			OSVER=bookworm
+			DEBVER=12
+			is_debian=true
+			OS=debian
+			is_deb=true
+		fi
+		cron_service_name="cron"
 	fi
-	cron_service_name="crond"
 }
 
 set_minionid() {
 	MINIONID=$(lookup_grain id)
 }
 
+set_palette() {
+	if [[ $is_deb ]]; then
+	    update-alternatives --set newt-palette /etc/newt/palette.original
+    fi
+}
 
 set_version() {
 	CURRENTVERSION=0.0.0

salt/curator/disabled.sls

@@ -0,0 +1,34 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+so-curator:
+  docker_container.absent:
+    - force: True
+
+so-curator_so-status.disabled:
+  file.line:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - match: ^so-curator$
+    - mode: delete
+
+so-curator-cluster-close:
+  cron.absent:
+    - identifier: so-curator-cluster-close
+
+so-curator-cluster-delete:
+  cron.absent:
+    - identifier: so-curator-cluster-delete
+
+delete_curator_configuration:
+  file.absent:
+    - name: /opt/so/conf/curator
+    - recurse: True
+
+{% set files = salt.file.find(path='/usr/sbin', name='so-curator*') %}
+{% if files|length > 0 %}
+delete_curator_scripts:
+  file.absent:
+    - names: {{files|yaml}}
+{% endif %}

salt/docker/defaults.yaml

@@ -1,10 +1,6 @@
 docker:
   range: '172.17.1.0/24'
   gateway: '172.17.1.1'
-  default_ulimits:
-    - name: nofile
-      soft: 1048576
-      hard: 1048576
   containers:
     'so-dockerregistry':
       final_octet: 20
@@ -13,7 +9,6 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-      ulimits: []
     'so-elastic-fleet':
       final_octet: 21
       port_bindings:
@@ -21,7 +16,6 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-      ulimits: []
     'so-elasticsearch':
       final_octet: 22
       port_bindings:
@@ -30,16 +24,6 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-      ulimits:
-        - name: memlock
-          soft: -1
-          hard: -1
-        - name: nofile
-          soft: 65536
-          hard: 65536
-        - name: nproc
-          soft: 4096
-          hard: 4096
     'so-influxdb':
       final_octet: 26
       port_bindings:
@@ -47,7 +31,6 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-      ulimits: []
     'so-kibana':
       final_octet: 27
       port_bindings:
@@ -55,7 +38,6 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-      ulimits: []
     'so-kratos':
       final_octet: 28
       port_bindings:
@@ -64,7 +46,6 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-      ulimits: []
     'so-hydra':
       final_octet: 30
       port_bindings:
@@ -73,7 +54,6 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-      ulimits: []
     'so-logstash':
       final_octet: 29
       port_bindings:
@@ -90,7 +70,6 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-      ulimits: []
     'so-nginx':
       final_octet: 31
       port_bindings:
@@ -102,7 +81,6 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-      ulimits: []
     'so-nginx-fleet-node':
       final_octet: 31
       port_bindings:
@@ -110,7 +88,6 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-      ulimits: []
     'so-redis':
       final_octet: 33
       port_bindings:
@@ -119,13 +96,11 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-      ulimits: []
     'so-sensoroni':
       final_octet: 99
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-      ulimits: []
     'so-soc':
       final_octet: 34
       port_bindings:
@@ -133,19 +108,16 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-      ulimits: []
     'so-strelka-backend':
       final_octet: 36
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-      ulimits: []
     'so-strelka-filestream':
       final_octet: 37
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-      ulimits: []
     'so-strelka-frontend':
       final_octet: 38
       port_bindings:
@@ -153,13 +125,11 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-      ulimits: []
     'so-strelka-manager':
       final_octet: 39
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-      ulimits: []
     'so-strelka-gatekeeper':
       final_octet: 40
       port_bindings:
@@ -167,7 +137,6 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-      ulimits: []
     'so-strelka-coordinator':
       final_octet: 41
       port_bindings:
@@ -175,13 +144,11 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-      ulimits: []
     'so-elastalert':
       final_octet: 42
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-      ulimits: []
     'so-elastic-fleet-package-registry':
       final_octet: 44
       port_bindings:
@@ -189,13 +156,11 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-      ulimits: []
     'so-idh':
       final_octet: 45
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-      ulimits: []
     'so-elastic-agent':
       final_octet: 46
       port_bindings:
@@ -204,34 +169,23 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-      ulimits: []
     'so-telegraf':
       final_octet: 99
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-      ulimits: []
     'so-suricata':
       final_octet: 99
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
       ulimits:
-        - name: memlock
-          soft: 524288000
-          hard: 524288000
+        - memlock=524288000
     'so-zeek':
       final_octet: 99
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-      ulimits:
-        - name: core
-          soft: 0
-          hard: 0
-        - name: nofile
-          soft: 1048576
-          hard: 1048576
     'so-kafka':
       final_octet: 88
       port_bindings:
@@ -242,4 +196,3 @@ docker:
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []
-      ulimits: []

salt/docker/init.sls

@@ -15,6 +15,39 @@ dockergroup:
     - name: docker
     - gid: 920
 
+{% if GLOBALS.os_family == 'Debian' %}
+{%    if grains.oscodename == 'bookworm' %}
+dockerheldpackages:
+  pkg.installed:
+    - pkgs:
+      - containerd.io: 2.2.1-1~debian.12~bookworm
+      - docker-ce: 5:29.2.1-1~debian.12~bookworm
+      - docker-ce-cli: 5:29.2.1-1~debian.12~bookworm
+      - docker-ce-rootless-extras: 5:29.2.1-1~debian.12~bookworm
+    - hold: True
+    - update_holds: True
+{%    elif grains.oscodename == 'jammy' %}
+dockerheldpackages:
+  pkg.installed:
+    - pkgs:
+      - containerd.io: 2.2.1-1~ubuntu.22.04~jammy
+      - docker-ce: 5:29.2.1-1~ubuntu.22.04~jammy
+      - docker-ce-cli: 5:29.2.1-1~ubuntu.22.04~jammy
+      - docker-ce-rootless-extras: 5:29.2.1-1~ubuntu.22.04~jammy
+    - hold: True
+    - update_holds: True
+{%    else %}
+dockerheldpackages:
+  pkg.installed:
+    - pkgs:
+      - containerd.io: 1.7.21-1
+      - docker-ce: 5:27.2.0-1~ubuntu.20.04~focal
+      - docker-ce-cli: 5:27.2.0-1~ubuntu.20.04~focal
+      - docker-ce-rootless-extras: 5:27.2.0-1~ubuntu.20.04~focal
+    - hold: True
+    - update_holds: True
+{%   endif %}
+{% else %}
 dockerheldpackages:
   pkg.installed:
     - pkgs:
@@ -24,6 +57,7 @@ dockerheldpackages:
       - docker-ce-rootless-extras: 29.2.1-1.el9
     - hold: True
     - update_holds: True
+{% endif %}
 
 #disable docker from managing iptables
 iptables_disabled:

salt/docker/soc_docker.yaml

@@ -7,22 +7,6 @@ docker:
     description: Default docker IP range for containers.
     helpLink: docker.html
     advanced: True
-  default_ulimits:
-    description: Default ulimit settings applied to all containers via the Docker daemon. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with soft and hard limits. Individual container ulimits override these defaults.
-    advanced: True
-    helpLink: docker.html
-    forcedType: "[]{}"
-    syntax: json
-    uiElements:
-    - field: name
-      label: Resource Name
-      required: True
-    - field: soft
-      label: Soft Limit
-      forcedType: int
-    - field: hard
-      label: Hard Limit
-      forcedType: int
   containers:
     so-dockerregistry: &dockerOptions
       final_octet:
@@ -55,22 +39,6 @@ docker:
         helpLink: docker.html
         multiline: True
         forcedType: "[]string"
-      ulimits:
-        description: Ulimit settings for the container. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with optional soft and hard limits.
-        advanced: True
-        helpLink: docker.html
-        forcedType: "[]{}"
-        syntax: json
-        uiElements:
-        - field: name
-          label: Resource Name
-          required: True
-        - field: soft
-          label: Soft Limit
-          forcedType: int
-        - field: hard
-          label: Hard Limit
-          forcedType: int
     so-elastic-fleet: *dockerOptions
     so-elasticsearch: *dockerOptions
     so-influxdb: *dockerOptions
@@ -94,6 +62,42 @@ docker:
     so-idh: *dockerOptions
     so-elastic-agent: *dockerOptions
     so-telegraf: *dockerOptions
-    so-suricata: *dockerOptions
+    so-suricata:
+      final_octet:
+        description: Last octet of the container IP address.
+        helpLink: docker.html
+        readonly: True
+        advanced: True
+        global: True
+      port_bindings:
+        description: List of port bindings for the container.
+        helpLink: docker.html
+        advanced: True
+        multiline: True
+        forcedType: "[]string"
+      custom_bind_mounts:
+        description: List of custom local volume bindings.
+        advanced: True
+        helpLink: docker.html
+        multiline: True
+        forcedType: "[]string"
+      extra_hosts:
+        description: List of additional host entries for the container.
+        advanced: True
+        helpLink: docker.html
+        multiline: True
+        forcedType: "[]string"
+      extra_env:
+        description: List of additional ENV entries for the container.
+        advanced: True
+        helpLink: docker.html
+        multiline: True
+        forcedType: "[]string"
+      ulimits:
+        description: Ulimits for the container, in bytes.
+        advanced: True
+        helpLink: docker.html
+        multiline: True
+        forcedType: "[]string"
     so-zeek: *dockerOptions
     so-kafka: *dockerOptions

salt/elastalert/enabled.sls

@@ -51,12 +51,6 @@ so-elastalert:
       - {{ XTRAENV }}
         {% endfor %}
       {% endif %}
-    {% if DOCKER.containers['so-elastalert'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKER.containers['so-elastalert'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
     - require:
       - cmd: wait_for_elasticsearch
       - file: elastarules

salt/elastalert/files/custom/placeholder

@@ -0,0 +1 @@
+THIS IS A PLACEHOLDER FILE

salt/elastic-fleet-package-registry/enabled.sls

@@ -45,12 +45,6 @@ so-elastic-fleet-package-registry:
       - {{ XTRAENV }}
         {% endfor %}
       {% endif %}
-    {% if DOCKER.containers['so-elastic-fleet-package-registry'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKER.containers['so-elastic-fleet-package-registry'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
 delete_so-elastic-fleet-package-registry_so-status.disabled:
   file.uncomment:
     - name: /opt/so/conf/so-status/so-status.conf

salt/elasticagent/enabled.sls

@@ -54,12 +54,6 @@ so-elastic-agent:
       - {{ XTRAENV }}
         {% endfor %}
       {% endif %}
-    {% if DOCKER.containers['so-elastic-agent'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKER.containers['so-elastic-agent'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
     - require:
       - file: create-elastic-agent-config
       - file: trusttheca

salt/elasticfleet/enabled.sls

@@ -133,12 +133,6 @@ so-elastic-fleet:
       - {{ XTRAENV }}
         {% endfor %}
       {% endif %}
-    {% if DOCKER.containers['so-elastic-fleet'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKER.containers['so-elastic-fleet'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
     - watch:
       - file: trusttheca
       - x509: etc_elasticfleet_key

salt/elasticsearch/config.map.jinja

@@ -6,6 +6,8 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS with context %}
 
+{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
+
 {# this is a list of dicts containing hostname:ip for elasticsearch nodes that need to know about each other for cluster #}
 {% set ELASTICSEARCH_SEED_HOSTS = [] %}
 {% set node_data = salt['pillar.get']('elasticsearch:nodes', {GLOBALS.role.split('-')[1]: {GLOBALS.hostname: {'ip': GLOBALS.node_ip}}}) %}
@@ -34,8 +36,14 @@
       {% endfor %}
     {% endif %}
 {% elif grains.id.split('_') | last == 'searchnode' %}
+  {% if HIGHLANDER %}
+        {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.roles.extend(['ml', 'master', 'transform']) %}
+  {% endif %}
   {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.update({'discovery': {'seed_hosts': [GLOBALS.manager]}}) %}
 {% endif %}
+{% if HIGHLANDER %}
+      {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.xpack.ml.update({'enabled': true}) %}
+{% endif %}
 
 {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'name': GLOBALS.hostname}) %}
 {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.cluster.update({'name': GLOBALS.hostname}) %}

salt/elasticsearch/config.sls

@@ -98,6 +98,10 @@ esrolesdir:
     - group: 939
     - makedirs: True
 
+eslibdir:
+  file.absent:
+    - name: /opt/so/conf/elasticsearch/lib
+
 esingestdynamicconf:
   file.recurse:
     - name: /opt/so/conf/elasticsearch/ingest
@@ -115,6 +119,11 @@ esingestconf:
     - group: 939
     - show_changes: False
 
+# Remove .fleet_final_pipeline-1 because we are using global@custom now
+so-fleet-final-pipeline-remove:
+  file.absent:
+    - name: /opt/so/conf/elasticsearch/ingest/.fleet_final_pipeline-1
+
 # Auto-generate Elasticsearch ingest node pipelines from pillar
 {% for pipeline, config in ELASTICSEARCHMERGED.pipelines.items() %}
 es_ingest_conf_{{pipeline}}:

salt/elasticsearch/defaults.yaml

@@ -117,7 +117,7 @@ elasticsearch:
         ignore_missing_component_templates: []
         index_patterns:
         - so-case*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -129,8 +129,6 @@ elasticsearch:
                 match_mapping_type: string
           settings:
             index:
-              lifecycle:
-                name: so-case-logs
               mapping:
                 total_fields:
                   limit: 1500
@@ -141,14 +139,7 @@ elasticsearch:
               sort:
                 field: '@timestamp'
                 order: desc
-      policy:
-        phases:
-          hot:
-            actions: {}
-            min_age: 0ms
     so-common:
-      close: 30
-      delete: 365
       index_sorting: false
       index_template:
         composed_of:
@@ -212,7 +203,9 @@ elasticsearch:
         - common-settings
         - common-dynamic-mappings
         - winlog-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
         - logs-*-so*
@@ -272,7 +265,7 @@ elasticsearch:
         ignore_missing_component_templates: []
         index_patterns:
         - so-detection*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -284,8 +277,6 @@ elasticsearch:
                 match_mapping_type: string
           settings:
             index:
-              lifecycle:
-                name: so-detection-logs
               mapping:
                 total_fields:
                   limit: 1500
@@ -296,11 +287,6 @@ elasticsearch:
               sort:
                 field: '@timestamp'
                 order: desc
-      policy:
-        phases:
-          hot:
-            actions: {}
-            min_age: 0ms
     sos-backup:
       index_sorting: false
       index_template:
@@ -460,7 +446,7 @@ elasticsearch:
         ignore_missing_component_templates: []
         index_patterns:
         - endgame*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -508,8 +494,6 @@ elasticsearch:
                 priority: 50
             min_age: 30d
     so-idh:
-      close: 30
-      delete: 365
       index_sorting: false
       index_template:
         composed_of:
@@ -566,8 +550,8 @@ elasticsearch:
         - common-dynamic-mappings
         ignore_missing_component_templates: []
         index_patterns:
-        - so-idh-*
-        priority: 500
+        - logs-idh-so*
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -677,11 +661,13 @@ elasticsearch:
         - common-dynamic-mappings
         - winlog-mappings
         - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
         - logs-import-so*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -736,7 +722,7 @@ elasticsearch:
         ignore_missing_component_templates: []
         index_patterns:
         - so-ip*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -751,19 +737,12 @@ elasticsearch:
               mapping:
                 total_fields:
                   limit: 1500
-              lifecycle:
-                name: so-ip-mappings-logs
               number_of_replicas: 0
               number_of_shards: 1
               refresh_interval: 30s
               sort:
                 field: '@timestamp'
                 order: desc
-      policy:
-        phases:
-          hot:
-            actions: {}
-            min_age: 0ms
     so-items:
       index_sorting: false
       index_template:
@@ -772,7 +751,7 @@ elasticsearch:
         ignore_missing_component_templates: []
         index_patterns:
         - .items-default-**
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -851,8 +830,6 @@ elasticsearch:
                 priority: 50
             min_age: 30d
     so-kratos:
-      close: 30
-      delete: 365
       index_sorting: false
       index_template:
         composed_of:
@@ -873,7 +850,7 @@ elasticsearch:
         ignore_missing_component_templates: []
         index_patterns:
         - logs-kratos-so*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -921,8 +898,6 @@ elasticsearch:
                 priority: 50
             min_age: 30d
     so-hydra:
-      close: 30
-      delete: 365
       index_sorting: false
       index_template:
         composed_of:
@@ -983,7 +958,7 @@ elasticsearch:
         ignore_missing_component_templates: []
         index_patterns:
         - logs-hydra-so*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -1038,7 +1013,7 @@ elasticsearch:
         ignore_missing_component_templates: []
         index_patterns:
         - .lists-default-**
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -1524,6 +1499,9 @@ elasticsearch:
         - so-fleet_integrations.ip_mappings-1
         - so-fleet_globals-1
         - so-fleet_agent_id_verification-1
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates:
         - logs-elastic_agent.cloudbeat@custom
         index_patterns:
@@ -1759,6 +1737,9 @@ elasticsearch:
         - so-fleet_integrations.ip_mappings-1
         - so-fleet_globals-1
         - so-fleet_agent_id_verification-1
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates:
         - logs-elastic_agent.heartbeat@custom
         index_patterns:
@@ -3018,8 +2999,6 @@ elasticsearch:
                 priority: 50
             min_age: 30d
     so-logs-soc:
-      close: 30
-      delete: 365
       index_sorting: false
       index_template:
         composed_of:
@@ -3074,11 +3053,13 @@ elasticsearch:
         - dtc-user_agent-mappings
         - common-settings
         - common-dynamic-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
         - logs-soc-so*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -3668,10 +3649,13 @@ elasticsearch:
         - vulnerability-mappings
         - common-settings
         - common-dynamic-mappings
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
         - logs-logstash-default*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -3971,8 +3955,8 @@ elasticsearch:
         - common-dynamic-mappings
         ignore_missing_component_templates: []
         index_patterns:
-        - logs-redis-default*
-        priority: 500
+        - logs-redis.log*
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -4083,11 +4067,13 @@ elasticsearch:
         - common-settings
         - common-dynamic-mappings
         - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
         - logs-strelka-so*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -4197,11 +4183,13 @@ elasticsearch:
         - common-settings
         - common-dynamic-mappings
         - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
         - logs-suricata-so*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -4311,11 +4299,13 @@ elasticsearch:
         - common-settings
         - common-dynamic-mappings
         - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
         - logs-suricata.alerts-*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -4425,11 +4415,13 @@ elasticsearch:
         - vulnerability-mappings
         - common-settings
         - common-dynamic-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
         - logs-syslog-so*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false
@@ -4541,11 +4533,13 @@ elasticsearch:
         - common-settings
         - common-dynamic-mappings
         - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
         ignore_missing_component_templates: []
         index_patterns:
         - logs-zeek-so*
-        priority: 500
+        priority: 501
         template:
           mappings:
             date_detection: false

salt/elasticsearch/enabled.sls

@@ -45,17 +45,15 @@ so-elasticsearch:
       - discovery.type=single-node
       {% endif %}
       - ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true
+      ulimits:
+      - memlock=-1:-1
+      - nofile=65536:65536
+      - nproc=4096
       {% if DOCKER.containers['so-elasticsearch'].extra_env %}
         {% for XTRAENV in DOCKER.containers['so-elasticsearch'].extra_env %}
       - {{ XTRAENV }}
         {% endfor %}
       {% endif %}
-    {% if DOCKER.containers['so-elasticsearch'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKER.containers['so-elasticsearch'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
     - port_bindings:
       {% for BINDING in DOCKER.containers['so-elasticsearch'].port_bindings %}
       - {{ BINDING }}

salt/elasticsearch/files/ingest-dynamic/common

@@ -1,3 +1,5 @@
+{%- set HIGHLANDER = salt['pillar.get']('global:highlander', False) -%}
+{%- raw -%}
 {
   "description" : "common",
   "processors" : [
@@ -65,7 +67,19 @@
     { "append":          { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}"  } },
     { "grok":            { "if": "ctx.http?.response?.status_code != null", "field": "http.response.status_code", "patterns": ["%{NUMBER:http.response.status_code:long} %{GREEDYDATA}"]} },
     { "set":             { "if": "ctx?.metadata?.kafka != null" , "field": "kafka.id", "value": "{{metadata.kafka.partition}}{{metadata.kafka.offset}}{{metadata.kafka.timestamp}}", "ignore_failure": true } },
-    { "remove":          { "field": [ "message2", "type", "fields", "category", "module", "dataset", "dataset_tag_temp", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } },
+    { "remove":          { "field": [ "message2", "type", "fields", "category", "module", "dataset", "dataset_tag_temp", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } }
+{%- endraw %}
+{%- if HIGHLANDER %}
+    ,
+    {
+      "pipeline": {
+        "name": "ecs"
+      }
+    }
+{%- endif %}
+{%- raw %}
+    ,
     { "pipeline": { "name": "global@custom", "ignore_missing_pipeline": true, "description": "[Fleet] Global pipeline for all data streams" } }
   ]
 }
+{% endraw %}

salt/firewall/init.sls

@@ -27,12 +27,14 @@ iptables_config:
     - source: salt://firewall/iptables.jinja
     - template: jinja
 
+{%   if grains.os_family == 'RedHat' %}
 disable_firewalld:
   service.dead:
     - name: firewalld
     - enable: False
     - require:
       - file: iptables_config
+{%   endif %}
 
 iptables_restore:
   cmd.run:
@@ -42,6 +44,7 @@ iptables_restore:
     - onlyif:
       - iptables-restore --test {{ iptmap.configfile }}
 
+{%   if grains.os_family == 'RedHat' %}
 enable_firewalld:
   service.running:
     - name: firewalld
@@ -49,6 +52,7 @@ enable_firewalld:
     - onfail:
       - file: iptables_config
       - cmd: iptables_restore
+{%   endif %}
 
 {% else %}
 

salt/firewall/ipt.map.jinja

@@ -1,6 +1,14 @@
-{% set iptmap = {
-    'service': 'iptables',
-    'iptpkg': 'iptables-nft',
-    'persistpkg': 'iptables-nft-services',
-    'configfile': '/etc/sysconfig/iptables'
-} %}
+{% set iptmap = salt['grains.filter_by']({
+    'Debian': {
+        'service': 'netfilter-persistent',
+        'iptpkg': 'iptables',
+        'persistpkg': 'iptables-persistent',
+        'configfile': '/etc/iptables/rules.v4'
+    },
+    'RedHat': {
+        'service': 'iptables',
+        'iptpkg': 'iptables-nft',
+        'persistpkg': 'iptables-nft-services',
+        'configfile': '/etc/sysconfig/iptables'
+    },
+}) %}

salt/hydra/enabled.sls

@@ -52,12 +52,6 @@ so-hydra:
       - {{ XTRAENV }}
       {% endfor %}
     {% endif %}
-    {% if DOCKER.containers['so-hydra'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKER.containers['so-hydra'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
     - restart_policy: unless-stopped
     - watch:
       - file: hydraconfig
@@ -73,7 +67,7 @@ delete_so-hydra_so-status.disabled:
 
 wait_for_hydra:
   http.wait_for_successful_query:
-    - name: 'http://{{ GLOBALS.manager }}:4444/health/alive'
+    - name: 'http://{{ GLOBALS.manager }}:4444/'
     - ssl: True
     - verify_ssl: False
     - status:

salt/idh/enabled.sls

@@ -39,12 +39,6 @@ so-idh:
       - {{ XTRAENV }}
       {% endfor %}
     {% endif %}
-    {% if DOCKER.containers['so-idh'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKER.containers['so-idh'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
     - watch:
       - file: opencanary_config
     - require:

salt/idh/openssh/config.sls

@@ -3,6 +3,7 @@
 include:
   - idh.openssh
 
+{% if grains.os_family == 'RedHat' %}
 idh_sshd_selinux:
   selinux.port_policy_present:
     - port: {{ openssh_map.config.port }}
@@ -12,6 +13,7 @@ idh_sshd_selinux:
       - file: openssh_config
     - require:
       - pkg: python_selinux_mgmt_tools
+{% endif %}
 
 openssh_config:
   file.replace:

salt/idh/openssh/init.sls

@@ -16,6 +16,8 @@ openssh:
     - name: {{ openssh_map.service }}
   {% endif %}
 
+{% if grains.os_family == 'RedHat' %}
 python_selinux_mgmt_tools:
   pkg.installed:
     - name: policycoreutils-python-utils
+{% endif %}

salt/influxdb/enabled.sls

@@ -58,12 +58,6 @@ so-influxdb:
       - {{ XTRAHOST }}
       {% endfor %}
     {% endif %}
-    {% if DOCKER.containers['so-influxdb'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKER.containers['so-influxdb'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
     - watch:
       - file: influxdbconf
       - x509: influxdb_key

salt/kafka/enabled.sls

@@ -60,12 +60,6 @@ so-kafka:
       {% if KAFKA_EXTERNAL_ACCESS %}
       - /opt/so/conf/kafka/kafka_server_jaas.conf:/opt/kafka/config/kafka_server_jaas.conf:ro
       {% endif %}
-    {% if DOCKER.containers['so-kafka'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKER.containers['so-kafka'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
     - watch:
       {% for sc in ['server', 'client'] %}
       - file: kafka_kraft_{{sc}}_properties

salt/kibana/enabled.sls

@@ -51,12 +51,6 @@ so-kibana:
       {% for BINDING in DOCKER.containers['so-kibana'].port_bindings %}
       - {{ BINDING }}
       {% endfor %}
-    {% if DOCKER.containers['so-kibana'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKER.containers['so-kibana'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
     - watch:
       - file: kibanaconfig
 

salt/kibana/map.jinja

@@ -5,6 +5,7 @@
 
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% import_yaml 'kibana/defaults.yaml' as KIBANADEFAULTS with context %}
+{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 
 {% do KIBANADEFAULTS.kibana.config.server.update({'publicBaseUrl': 'https://' ~ GLOBALS.url_base ~ '/kibana'}) %}
 {% do KIBANADEFAULTS.kibana.config.elasticsearch.update({'hosts': ['https://' ~ GLOBALS.manager ~ ':9200']}) %}

salt/kibana/so_dashboard_load.sls

@@ -3,6 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
+{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 include:
   - kibana.enabled
 
@@ -28,3 +29,27 @@ so-kibana-dashboard-load:
     - require:
       - sls: kibana.enabled
       - file: dashboard_saved_objects_template
+{%- if HIGHLANDER %}
+dashboard_saved_objects_template_hl:
+  file.managed:
+    - name: /opt/so/conf/kibana/hl.ndjson.template
+    - source: salt://kibana/files/hl.ndjson
+    - user: 932
+    - group: 939
+    - show_changes: False
+
+dashboard_saved_objects_hl_changes:
+  file.absent:
+    - names:
+      - /opt/so/state/kibana_hl.txt
+    - onchanges:
+      - file: dashboard_saved_objects_template_hl
+
+so-kibana-dashboard-load_hl:
+  cmd.run:
+    - name: /usr/sbin/so-kibana-config-load -i /opt/so/conf/kibana/hl.ndjson.template
+    - cwd: /opt/so
+    - require:
+      - sls: kibana.enabled
+      - file: dashboard_saved_objects_template_hl
+{%- endif %}

salt/kibana/tools/sbin_jinja/so-kibana-space-defaults

@@ -1,5 +1,6 @@
 #!/bin/bash
 . /usr/sbin/so-common
+{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 wait_for_web_response "http://localhost:5601/api/spaces/space/default" "default" 300 "curl -K /opt/so/conf/elasticsearch/curl.config"
 ## This hackery will be removed if using Elastic Auth ##
 
@@ -8,6 +9,10 @@ SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http:
 
 # Disable certain Features from showing up in the Kibana UI
 echo
-echo "Setting up default Kibana Space:"
+echo "Setting up default Space:"
+{% if HIGHLANDER %}
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log
+{% else %}
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","securitySolutionCasesV3","inventory","dataQuality","searchSynonyms","enterpriseSearchApplications","enterpriseSearchAnalytics","securitySolutionTimeline","securitySolutionNotes","entityManager"]} ' >> /opt/so/log/kibana/misc.log
+{% endif %}
 echo

salt/kratos/enabled.sls

@@ -45,12 +45,6 @@ so-kratos:
       - {{ XTRAENV }}
       {% endfor %}
     {% endif %}
-    {% if DOCKER.containers['so-kratos'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKER.containers['so-kratos'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
     - restart_policy: unless-stopped
     - watch:
       - file: kratosschema

salt/logstash/config.sls

@@ -36,6 +36,10 @@ logstash:
     - gid: 931
     - home: /opt/so/conf/logstash
 
+lslibdir:
+  file.absent:
+    - name: /opt/so/conf/logstash/lib
+
 logstash_sbin:
   file.recurse:
     - name: /usr/sbin

salt/logstash/enabled.sls

@@ -96,12 +96,6 @@ so-logstash:
       - {{ BIND }}
         {% endfor %}
       {% endif %}
-    {% if DOCKER.containers['so-logstash'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKER.containers['so-logstash'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
     - watch:
       - file: lsetcsync
       - file: trusttheca

salt/manager/init.sls

@@ -63,9 +63,11 @@ yara_log_dir:
       - user
       - group
 
+{% if GLOBALS.os_family == 'RedHat' %}
 install_createrepo:
   pkg.installed:
     - name: createrepo_c
+{% endif %}
 
 repo_conf_dir:
   file.directory:

salt/manager/tools/sbin/so-client

@@ -134,8 +134,8 @@ function require() {
 function verifyEnvironment() {
   require "jq"
   require "curl"
-  response=$(curl -Ss -L ${hydraUrl}/health/alive)
-  [[ "$response" != '{"status":"ok"}' ]] && fail "Unable to communicate with Hydra; specify URL via HYDRA_URL environment variable"
+  response=$(curl -Ss -L ${hydraUrl}/)
+  [[ "$response" != *"Error 404"* ]] && fail "Unable to communicate with Hydra; specify URL via HYDRA_URL environment variable"
 }
 
 function createFile() {

salt/manager/tools/sbin/so-yaml.py

@@ -22,7 +22,7 @@ def showUsage(args):
     print('    removelistitem   - Remove a list item from a yaml key, if it exists and is a list. Requires KEY and LISTITEM args.', file=sys.stderr)
     print('    replacelistobject  - Replace a list object based on a condition. Requires KEY, CONDITION_FIELD, CONDITION_VALUE, and JSON_OBJECT args.', file=sys.stderr)
     print('    add              - Add a new key and set its value. Fails if key already exists. Requires KEY and VALUE args.', file=sys.stderr)
-    print('    get [-r]         - Displays (to stdout) the value stored in the given key. Requires KEY arg. Use -r for raw output without YAML formatting.', file=sys.stderr)
+    print('    get              - Displays (to stdout) the value stored in the given key. Requires KEY arg.', file=sys.stderr)
     print('    remove           - Removes a yaml key, if it exists. Requires KEY arg.', file=sys.stderr)
     print('    replace          - Replaces (or adds) a new key and set its value. Requires KEY and VALUE args.', file=sys.stderr)
     print('    help             - Prints this usage information.', file=sys.stderr)
@@ -332,11 +332,6 @@ def getKeyValue(content, key):
 
 
 def get(args):
-    raw = False
-    if len(args) > 0 and args[0] == '-r':
-        raw = True
-        args = args[1:]
-
     if len(args) != 2:
         print('Missing filename or key arg', file=sys.stderr)
         showUsage(None)
@@ -351,15 +346,12 @@ def get(args):
         print(f"Key '{key}' not found by so-yaml.py", file=sys.stderr)
         return 2
 
-    if raw:
-        if isinstance(output, bool):
-            print(str(output).lower())
-        elif isinstance(output, (dict, list)):
-            print(yaml.safe_dump(output).strip())
-        else:
-            print(output)
+    if isinstance(output, bool):
+        print(str(output).lower())
+    elif isinstance(output, (dict, list)):
+        print(yaml.safe_dump(output).strip())
     else:
-        print(yaml.safe_dump(output))
+        print(output)
     return 0
 
 

salt/manager/tools/sbin/so-yaml_test.py

@@ -393,17 +393,6 @@ class TestRemove(unittest.TestCase):
 
             result = soyaml.get([filename, "key1.child2.deep1"])
             self.assertEqual(result, 0)
-            self.assertIn("45\n...", mock_stdout.getvalue())
-
-    def test_get_int_raw(self):
-        with patch('sys.stdout', new=StringIO()) as mock_stdout:
-            filename = "/tmp/so-yaml_test-get.yaml"
-            file = open(filename, "w")
-            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
-            file.close()
-
-            result = soyaml.get(["-r", filename, "key1.child2.deep1"])
-            self.assertEqual(result, 0)
             self.assertEqual("45\n", mock_stdout.getvalue())
 
     def test_get_str(self):
@@ -415,17 +404,6 @@ class TestRemove(unittest.TestCase):
 
             result = soyaml.get([filename, "key1.child2.deep1"])
             self.assertEqual(result, 0)
-            self.assertIn("hello\n...", mock_stdout.getvalue())
-
-    def test_get_str_raw(self):
-        with patch('sys.stdout', new=StringIO()) as mock_stdout:
-            filename = "/tmp/so-yaml_test-get.yaml"
-            file = open(filename, "w")
-            file.write("{key1: { child1: 123, child2: { deep1: \"hello\" } }, key2: false, key3: [e,f,g]}")
-            file.close()
-
-            result = soyaml.get(["-r", filename, "key1.child2.deep1"])
-            self.assertEqual(result, 0)
             self.assertEqual("hello\n", mock_stdout.getvalue())
 
     def test_get_bool(self):
@@ -437,31 +415,8 @@ class TestRemove(unittest.TestCase):
 
             result = soyaml.get([filename, "key2"])
             self.assertEqual(result, 0)
-            self.assertIn("false\n...", mock_stdout.getvalue())
-
-    def test_get_bool_raw(self):
-        with patch('sys.stdout', new=StringIO()) as mock_stdout:
-            filename = "/tmp/so-yaml_test-get.yaml"
-            file = open(filename, "w")
-            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
-            file.close()
-
-            result = soyaml.get(["-r", filename, "key2"])
-            self.assertEqual(result, 0)
             self.assertEqual("false\n", mock_stdout.getvalue())
 
-    def test_get_dict_raw(self):
-        with patch('sys.stdout', new=StringIO()) as mock_stdout:
-            filename = "/tmp/so-yaml_test-get.yaml"
-            file = open(filename, "w")
-            file.write("{key1: { child1: 123, child2: { deep1: 45 } }, key2: false, key3: [e,f,g]}")
-            file.close()
-
-            result = soyaml.get(["-r", filename, "key1"])
-            self.assertEqual(result, 0)
-            self.assertIn("child1: 123", mock_stdout.getvalue())
-            self.assertNotIn("...", mock_stdout.getvalue())
-
     def test_get_list(self):
         with patch('sys.stdout', new=StringIO()) as mock_stdout:
             filename = "/tmp/so-yaml_test-get.yaml"

salt/manager/tools/sbin/soup

@@ -396,14 +396,22 @@ migrate_pcap_to_suricata() {
 
   for pillar_file in "$PCAPFILE" "$MINIONDIR"/*.sls; do
     [[ -f "$pillar_file" ]] || continue
-    pcap_enabled=$(so-yaml.py get -r "$pillar_file" pcap.enabled 2>/dev/null) || continue
+    pcap_enabled=$(so-yaml.py get "$pillar_file" pcap.enabled 2>/dev/null) || continue
     so-yaml.py add "$pillar_file" suricata.pcap.enabled "$pcap_enabled"
     so-yaml.py remove "$pillar_file" pcap
   done
 }
 
 post_to_3.0.0() {
-  echo "Nothing to apply"
+  for idx in "logs-idh-so" "logs-redis.log-default"; do
+    rollover_index "$idx"
+  done
+
+  # Remove ILM for so-case and so-detection indices
+  for idx in "so-case" "so-casehistory" "so-detection" "so-detectionhistory"; do
+    so-elasticsearch-query $idx/_ilm/remove -XPOST
+  done
+
   POSTVERSION=3.0.0
 }
 
@@ -576,46 +584,78 @@ upgrade_check_salt() {
 upgrade_salt() {
   echo "Performing upgrade of Salt from $INSTALLEDSALTVERSION to $NEWSALTVERSION."
   echo ""
-  # Check if salt-cloud is installed
-  if rpm -q salt-cloud &>/dev/null; then
-    SALT_CLOUD_INSTALLED=true
-  fi
-  # Check if salt-cloud is configured
-  if [[ -f /etc/salt/cloud.profiles.d/socloud.conf ]]; then
-    SALT_CLOUD_CONFIGURED=true
-  fi
-
-  echo "Removing yum versionlock for Salt."
-  echo ""
-  yum versionlock delete "salt"
-  yum versionlock delete "salt-minion"
-  yum versionlock delete "salt-master"
-  # Remove salt-cloud versionlock if installed
-  if [[ $SALT_CLOUD_INSTALLED == true ]]; then
-    yum versionlock delete "salt-cloud"
-  fi
-  echo "Updating Salt packages."
-  echo ""
-  set +e
-  # Run with -r to ignore repos set by bootstrap
-  if [[ $SALT_CLOUD_INSTALLED == true ]]; then
+  # If rhel family
+  if [[ $is_rpm ]]; then
+    # Check if salt-cloud is installed
+    if rpm -q salt-cloud &>/dev/null; then
+      SALT_CLOUD_INSTALLED=true
+    fi
+    # Check if salt-cloud is configured
+    if [[ -f /etc/salt/cloud.profiles.d/socloud.conf ]]; then
+      SALT_CLOUD_CONFIGURED=true
+    fi
+    
+    echo "Removing yum versionlock for Salt."
+    echo ""
+    yum versionlock delete "salt"
+    yum versionlock delete "salt-minion"
+    yum versionlock delete "salt-master"
+    # Remove salt-cloud versionlock if installed
+    if [[ $SALT_CLOUD_INSTALLED == true ]]; then
+      yum versionlock delete "salt-cloud"
+    fi
+    echo "Updating Salt packages."
+    echo ""
+    set +e
+    # if oracle run with -r to ignore repos set by bootstrap
+    if [[ $OS == 'oracle' ]]; then
+      # Add -L flag only if salt-cloud is already installed
+      if [[ $SALT_CLOUD_INSTALLED == true ]]; then
+        run_check_net_err \
+        "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -L -F -M stable \"$NEWSALTVERSION\"" \
+        "Could not update salt, please check $SOUP_LOG for details."
+      else
+        run_check_net_err \
+        "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -F -M stable \"$NEWSALTVERSION\"" \
+        "Could not update salt, please check $SOUP_LOG for details."
+      fi
+    # if another rhel family variant we want to run without -r to allow the bootstrap script to manage repos
+    else
+      run_check_net_err \
+      "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -F -M stable \"$NEWSALTVERSION\"" \
+      "Could not update salt, please check $SOUP_LOG for details."
+    fi
+    set -e
+    echo "Applying yum versionlock for Salt."
+    echo ""
+    yum versionlock add "salt-0:$NEWSALTVERSION-0.*"
+    yum versionlock add "salt-minion-0:$NEWSALTVERSION-0.*"
+    yum versionlock add "salt-master-0:$NEWSALTVERSION-0.*"
+    # Add salt-cloud versionlock if installed
+    if [[ $SALT_CLOUD_INSTALLED == true ]]; then
+      yum versionlock add "salt-cloud-0:$NEWSALTVERSION-0.*"
+    fi
+  # Else do Ubuntu things
+  elif [[ $is_deb ]]; then
+    # ensure these files don't exist when upgrading from 3006.9 to 3006.16
+    rm -f /etc/apt/keyrings/salt-archive-keyring-2023.pgp /etc/apt/sources.list.d/salt.list
+    echo "Removing apt hold for Salt."
+    echo ""
+    apt-mark unhold "salt-common"
+    apt-mark unhold "salt-master"
+    apt-mark unhold "salt-minion"
+    echo "Updating Salt packages."
+    echo ""
+    set +e
     run_check_net_err \
-    "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -L -F -M stable \"$NEWSALTVERSION\"" \
+    "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -F -M stable \"$NEWSALTVERSION\"" \
     "Could not update salt, please check $SOUP_LOG for details."
-  else
-    run_check_net_err \
-    "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -F -M stable \"$NEWSALTVERSION\"" \
-    "Could not update salt, please check $SOUP_LOG for details."
-  fi
-  set -e
-  echo "Applying yum versionlock for Salt."
-  echo ""
-  yum versionlock add "salt-0:$NEWSALTVERSION-0.*"
-  yum versionlock add "salt-minion-0:$NEWSALTVERSION-0.*"
-  yum versionlock add "salt-master-0:$NEWSALTVERSION-0.*"
-  # Add salt-cloud versionlock if installed
-  if [[ $SALT_CLOUD_INSTALLED == true ]]; then
-    yum versionlock add "salt-cloud-0:$NEWSALTVERSION-0.*"
+    set -e
+    echo "Applying apt hold for Salt."
+    echo ""
+    apt-mark hold "salt-common"
+    apt-mark hold "salt-master"
+    apt-mark hold "salt-minion"
   fi
 
   echo "Checking if Salt was upgraded."
@@ -1052,10 +1092,6 @@ main() {
   echo ""
   set_os
 
-  if [[ ! $is_oracle ]]; then
-    fail "This OS is not supported. Security Onion requires Oracle Linux 9."
-  fi
-
   check_salt_master_status 1 || fail  "Could not talk to salt master: Please run 'systemctl status salt-master' to ensure the salt-master service is running and check the log at /opt/so/log/salt/master."
 
   echo "Checking to see if this is a manager."
@@ -1165,6 +1201,14 @@ main() {
       echo "Upgrading Salt"
       # Update the repo files so it can actually upgrade
       upgrade_salt
+
+      # for Debian based distro, we need to stop salt again after upgrade output below is from bootstrap-salt
+      # *  WARN: Not starting daemons on Debian based distributions
+      #    is not working mostly because starting them is the default behaviour.
+      if [[ $is_deb ]]; then
+        stop_salt_minion
+        stop_salt_master
+      fi
     fi
 
     preupgrade_changes

salt/nginx/enabled.sls

@@ -75,12 +75,6 @@ so-nginx:
       - {{ XTRAENV }}
       {% endfor %}
     {% endif %}
-    {% if DOCKER.containers[container_config].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKER.containers[container_config].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
     - cap_add: NET_BIND_SERVICE
     - port_bindings:
       {% for BINDING in DOCKER.containers[container_config].port_bindings %}

salt/ntp/init.sls

@@ -2,6 +2,7 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
+{% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'ntp/config.map.jinja' import NTPCONFIG %}
 
 chrony_pkg:
@@ -16,7 +17,11 @@ chronyconf:
     - defaults:
         NTPCONFIG: {{ NTPCONFIG }}
 
+{% if GLOBALS.os_family == 'RedHat' %}
 chronyd:
+{% else %}
+chrony:
+{% endif %}
   service.running:
     - enable: True
     - watch: 

salt/podman/files/podman.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=Podman API Service
+Requires=podman.socket
+After=podman.socket
+Documentation=man:podman-api(1)
+StartLimitIntervalSec=0
+
+[Service]
+Type=oneshot
+Environment=REGISTRIES_CONFIG_PATH=/etc/containers/registries.conf
+ExecStart=/usr/bin/podman system service
+TimeoutStopSec=30
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target
+Also=podman.socket

salt/podman/files/podman.socket

@@ -0,0 +1,10 @@
+[Unit]
+Description=Podman API Socket
+Documentation=man:podman-api(1)
+
+[Socket]
+ListenStream=%t/podman/podman.sock
+SocketMode=0660
+
+[Install]
+WantedBy=sockets.target

salt/podman/files/sobridge.conflist

@@ -0,0 +1,48 @@
+{
+   "args": {
+      "podman_options": {
+         "isolate": "true",
+         "mtu": "1500"
+      }
+   },
+   "cniVersion": "0.4.0",
+   "name": "sobridge",
+   "plugins": [
+      {
+         "type": "bridge",
+         "bridge": "sobridge",
+         "isGateway": true,
+         "ipMasq": false,
+         "mtu": 1500,
+         "hairpinMode": false,
+         "ipam": {
+            "type": "host-local",
+            "routes": [
+               {
+                  "dst": "0.0.0.0/0"
+               }
+            ],
+            "ranges": [
+               [
+                  {
+                     "subnet": "172.17.1.0/24",
+                     "gateway": "172.17.1.1"
+                  }
+               ]
+            ]
+         },
+         "capabilities": {
+            "ips": true
+         }
+      },
+      {
+         "type": "portmap",
+         "capabilities": {
+            "portMappings": false
+         }
+      },
+      {
+         "type": "tuning"
+      }
+   ]
+}

salt/podman/init.sls

@@ -0,0 +1,56 @@
+{% from 'docker/docker.map.jinja' import DOCKER %}
+
+Podman pkg:
+  pkg.installed:
+    - name: podman
+
+cnipkg:
+  pkg.installed:
+    - name: containernetworking-plugins
+
+{#
+Podman service:
+  file.managed:
+    - name: /usr/lib/systemd/system/podman.service
+    - source: salt://podman/podman.service
+#}
+
+sobridgeconf:
+  file.managed:
+    - name: /etc/cni/net.d/sobridge.conflist
+    - source: salt://podman/files/sobridge.conflist
+
+Podman_socket_service:
+  service.running:
+    - name: podman.socket
+    - enable: true
+
+Podman_service:
+  service.running:
+    - name: podman.service
+    - enable: true
+
+Docker socket:
+  file.symlink:
+    - name: /var/run/docker.sock
+    - target: /var/run/podman/podman.sock
+
+podman_docker_symlink:
+  file.symlink:
+    - name: /usr/bin/docker
+    - target: /usr/bin/podman
+
+{#
+sos_docker_net:
+  docker_network.present:
+    - name: sobridge
+    - subnet: {{ DOCKER.range }}
+    - gateway: {{ DOCKER.bip }}
+    - options:
+        com.docker.network.bridge.name: 'sobridge'
+        com.docker.network.driver.mtu: '1500'
+        com.docker.network.bridge.enable_ip_masquerade: 'true'
+        com.docker.network.bridge.enable_icc: 'true'
+        com.docker.network.bridge.host_binding_ipv4: '0.0.0.0'
+    - unless: 'docker network ls | grep sobridge'
+#}

salt/redis/enabled.sls

@@ -51,12 +51,6 @@ so-redis:
       - {{ XTRAENV }}
       {% endfor %}
     {% endif %}
-    {% if DOCKER.containers['so-redis'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKER.containers['so-redis'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
     - entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
     - watch:
       - file: trusttheca

salt/registry/enabled.sls

@@ -51,12 +51,6 @@ so-dockerregistry:
       - {{ XTRAENV }}
         {% endfor %}
       {% endif %}
-    {% if DOCKER.containers['so-dockerregistry'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKER.containers['so-dockerregistry'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
     - retry:
         attempts: 5
         interval: 30

salt/repo/client/map.jinja

@@ -1,29 +1,43 @@
-{% set REPOPATH = '/etc/yum.repos.d/' %}
-{% set ABSENTFILES = [
-       'centos-addons.repo',
-       'centos-devel.repo',
-       'centos-extras.repo',
-       'centos.repo',
-       'docker-ce.repo',
-       'epel.repo',
-       'epel-testing.repo',
-       'saltstack.repo',
-       'salt-latest.repo',
-       'wazuh.repo'
-       'Rocky-Base.repo',
-       'Rocky-CR.repo',
-       'Rocky-Debuginfo.repo',
-       'Rocky-fasttrack.repo',
-       'Rocky-Media.repo',
-       'Rocky-Sources.repo',
-       'Rocky-Vault.repo',
-       'Rocky-x86_64-kernel.repo',
-       'rocky-addons.repo',
-       'rocky-devel.repo',
-       'rocky-extras.repo',
-       'rocky.repo',
-       'oracle-linux-ol9.repo',
-       'uek-ol9.repo',
-       'virt-ol9.repo'
-     ]
-%}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+{% if GLOBALS.os_family == 'RedHat' %}
+  {% set REPOPATH = '/etc/yum.repos.d/' %}
+{%     if GLOBALS.os == 'OEL' %}
+  {% set ABSENTFILES = [
+         'centos-addons.repo',
+         'centos-devel.repo',
+         'centos-extras.repo',
+         'centos.repo',
+         'docker-ce.repo',
+         'epel.repo',
+         'epel-testing.repo',
+         'saltstack.repo',
+         'salt-latest.repo',
+         'wazuh.repo'
+         'Rocky-Base.repo',
+         'Rocky-CR.repo',
+         'Rocky-Debuginfo.repo',
+         'Rocky-fasttrack.repo',
+         'Rocky-Media.repo',
+         'Rocky-Sources.repo',
+         'Rocky-Vault.repo',
+         'Rocky-x86_64-kernel.repo',
+         'rocky-addons.repo',
+         'rocky-devel.repo',
+         'rocky-extras.repo',
+         'rocky.repo',
+         'oracle-linux-ol9.repo',
+         'uek-ol9.repo',
+         'virt-ol9.repo'
+       ]
+  %}
+{%     else %}
+  {% set ABSENTFILES = [] %}
+{%    endif %}
+
+{% else %}
+
+  {% set REPOPATH = '/etc/apt/sources.list.d/' %}
+  {% set ABSENTFILES = [] %}
+
+{% endif %}

salt/salt/init.sls

@@ -1,3 +1,10 @@
+{% if grains.oscodename == 'focal' %}
+saltpymodules:
+  pkg.installed:
+    - pkgs:
+      - python3-docker
+{% endif %}
+
 # distribute to minions for salt upgrades
 salt_bootstrap:
   file.managed:

salt/salt/map.jinja

@@ -17,12 +17,22 @@
 {% set SALTVERSION = saltminion.salt.minion.version | string %}
 {% set INSTALLEDSALTVERSION = grains.saltversion | string %}
 
-{% set SPLITCHAR = '-' %}
-{% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion', 'salt-cloud'] %}
-{% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
+{% if grains.os_family == 'Debian' %}
+  {% set SPLITCHAR = '+' %}
+  {% set SALTPACKAGES = ['salt-common', 'salt-master', 'salt-minion', 'salt-cloud'] %}
+  {% set SYSTEMD_UNIT_FILE = '/lib/systemd/system/salt-minion.service' %}
+{% else %}
+  {% set SPLITCHAR = '-' %}
+  {% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion', 'salt-cloud'] %}
+  {% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
+{% endif %}
 
 {% if INSTALLEDSALTVERSION != SALTVERSION %}
-  {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -r -F stable ' ~ SALTVERSION %}
+  {% if grains.os_family|lower == 'redhat' %}
+      {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -r -F stable ' ~ SALTVERSION %}
+  {% elif grains.os_family|lower == 'debian' %}
+    {% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -X -F stable ' ~ SALTVERSION %}
+  {% endif %}
 {% else %}
   {% set UPGRADECOMMAND = 'echo Already running Salt Minion version ' ~ SALTVERSION %}
 {% endif %}

salt/salt/master.sls

@@ -23,6 +23,15 @@ sync_runners:
     - name: saltutil.sync_runners
 {% endif %}
 
+# prior to 2.4.30 this engine ran on the manager with salt-minion
+# this has changed to running with the salt-master in 2.4.30
+remove_engines_config:
+  file.absent:
+    - name: /etc/salt/minion.d/engines.conf
+    - source: salt://salt/files/engines.conf
+    - watch_in:
+      - service: salt_minion_service
+
 checkmine_engine:
   file.managed:
     - name: /etc/salt/engines/checkmine.py

salt/sensoroni/enabled.sls

@@ -40,12 +40,6 @@ so-sensoroni:
       - {{ XTRAENV }}
       {% endfor %}
     {% endif %}
-    {% if DOCKER.containers['so-sensoroni'].ulimits %}
-    - ulimits:
-    {%   for ULIMIT in DOCKER.containers['so-sensoroni'].ulimits %}
-      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
-    {%   endfor %}
-    {% endif %}
     - watch:
       - file: /opt/so/conf/sensoroni/sensoroni.json
     - require: