Skip to content

Releases: cisagov/Malcolm

Malcolm v24.05.0

30 May 02:38
f54cfd8
Compare
Choose a tag to compare

Malcolm v24.05.0 contains new features, improvements, bug fixes and component version updates.

v24.04.0...v24.05.0

  • Features and enhancements
    • Added ARM64/AArch64 support. Malcolm can now run natively on ARM64 hardware. The ./scripts/configure script should detect the architecture and automatically adjust the image: names in the docker-compose.yml files in Docker deployments, or this can be changed manually by appending -arm64 to the tag for Malcolm's Docker images, e.g., ghcr.io/idaholab/malcolm/zeek:24.05.0-arm64. (idaholab#369)
    • Support for new environment variables added to Hedgehog Linux's control_vars.conf for tuning capture-related settings for Arkime on the sensor, bringing them into parity with those that were available in the arkime-live container in Malcolm. (idaholab#476)
    • Tweaked some of the default resource-related live capture settings for Suricata and Arkime.
    • Reworked the environment variables used for tuning Zeek live capture resource and performance on both Malcolm and Hedgehog Linux. An in-depth discussion of these tuning parameters can be found in the documentation. (idaholab#475)
    • Allow setting the spiDataMaxIndexes variable for Arkime's config.ini file via the ARKIME_SPI_DATA_MAX_INDICES environment variable. (idaholab#471)
    • Allow custom tags to be specified at the point of log file ingestion (i.e., FileBeat) on Malcolm and Hedgehog Linux. This makes it easier to specify custom tags used to group network traffic by sensor. (idaholab#463)
    • Handle invalid URLs made to the Malcolm web-based UIs better (with a custom 404/502 page). (idaholab#461)
    • Switched to official .deb packages for Arkime rather than building from source, reducing build times significantly. (Thanks @awick.)
  • Component version updates
    • Suricata to v7.0.5
      • Also, going forward Malcolm will track the latest Suricata release (from the Debian Stable Backports APT repository) rather than what's in the Debian Stable APT repository. (idaholab#462)
    • Arkime to v5.2.0
    • OpenSearch and OpenSearch Dashboards to v2.14.0
    • YARA to v4.5.1
    • Beats to v8.13.4
    • Logstash to v8.13.4
    • YQ to v4.44.1
    • Zeek to v6.2.1
    • Fluent Bit to v3.0.6
    • requests Python library to v2.32.0 for CVE-2024-35195
    • flask-cors Python library on Hedgehog Linux to v4.0.1 for CVE-2024-1681
    • Jinja Python library on Hedgehog Linux to v3.1.4 for CVE-2024-34064
    • Werkzeug Python library on Hedgehog linux to v3.0.3 for CVE-2024-34069
  • Bug fixes
    • The code that cleans up already-processed Zeek and Suricata logs after a defined period of time was out of date for the current FileBeat registry behavior and would potentially leave log files around longer than they needed to be. This has been remedied. (idaholab#479)
    • Fixed issue where the BPF capture filter was not passed to Zeek correctly. (idaholab#474)
    • The process which queries threat intelligence feeds and generates the corresponding Zeek intel files will no longer relpace existing intel definitions unless it succeeds in pulling definitions from at least one of the specified feeds. (idaholab#472)
    • Fixed calculation of memory and CPU resources used in ./scripts/status for Kubernetes deployment. (idaholab#467)
  • Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux
    • Malcolm
      • Added ARKIME_SPI_DATA_MAX_INDICES to arkime.env with a default value of 7, which manifests as spiDataMaxIndexes in Arkime's config.ini. If you are changing the Arkime index period from daily to weekly, hourly, etc., you may wish to adjust this value. (idaholab#471)
      • Added EXTRA_TAGS to upload-common.env for specifying custom tags to be associated with logs forwarded to Logstash by FileBeat. (idaholab#463)
      • A number of new and modified environment variables are available and can be added to zeek-live.env for tuning the resource utilization and performance of Zeek's live capture, see the documentation for details. (idaholab#475)
    • Hedgehog Linux

Official ISO installer images for Malcolm and Hedgehog Linux can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split into 2GB chunks and can be reassembled with scripts provided for both Bash (release_cleaver.sh) and PowerShell (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

Malcolm v24.04.0

30 Apr 18:42
8467930
Compare
Choose a tag to compare

Malcolm v24.04.0 contains new features, improvements, bug fixes and component version updates.

v24.03.1...v24.04.0

Because some of the environment variables used for configuring Malcolm have been reorganized in the .env files found in the ./config directory, it is recommended you re-run ./scripts/configure for this release.

  • Features and enhancements
    • Zeek-extracted files scanned and preserved on a Hedgehog Linux sensor can now be accessed via the extracted files download user interface (idaholab#331).
    • Improvements to creation of index templates, dashboards, and other saved objects on startup (idaholab#208) to ensure that saved objects get created correctly upon upgrade (see this comment for more details on this feature).
    • Populating the NetBox inventory via passively-gathered network traffic metadata now uses network traffic logs for DNS, NTLM, and DHCP to identify assets' host names when possible for use when populating device and VM names (idaholab#415). Autopopulated devices now have their status field set to Active rather than Stage, and uses tags instead to indicated that they were created through autopopulation.
    • Users can now specify pruning thresholds for carved files so that old files are deleted in order to avoid filling available storage (idaholab#453). See a new section of documentation on Managing disk usage for more information about this and similar settings.
    • Users can now specify a prefix that will be prepended to dashboards as they are imported into OpenSearch Dashboards or Kibana, allowing users who have dashboards from other sources to differentiate between those and Malcolm's (idaholab#455).
    • The default anomaly detectors created for the OpenSearch Anomaly Detection plugin are now created with category fields for high cardinality to allow for better breakdown of contributing values to anomalies discovered (idaholab#464).
    • Include JA4+ plugin in Arkime. See idaholab#419 for status on upcoming full JA4+ support in Malcolm.
    • Hedgehog Linux sensors can now periodically refresh their Zeek inteligence files.
      • NOTE: Due to an oversight, a value is missing from the default Hedgehog Linux configuration in this release, preventing the intel refresh cron job from executing. As a workaround, appending the line export INTEL_DIR=/opt/sensor/sensor_ctl/zeek/intel to /opt/sensor/sensor_ctl/control_vars.conf and restarting the sensor services will remedy the situation. This will be corrected in the next Malcolm release.
    • Assorted documentation improvements.
  • Component version updates
  • Bug fixes
    • The documentation for Windows host system configuration was out of date and has been updated for the latest version of Microsoft Windows Subsystem for Linux (idaholab#421).
    • An issue was fixed in which Malcolm's list of users and their password hashes could become corrupted if the file did not initially end with a newline character (idaholab#426).
    • The manner in which Zeek intel files are generated has been changed to avoid problems found in Kubernetes deployments when scaling out the number of zeek-live containers (idaholab#456). See this comment for more details.
    • Removed the version top-level element from docker-compose.yml files as it is now obsolete and caused a warning message that sometimes was not handled correctly.
    • Fix Malcolm ISO not correctly detecting if it's in a live boot ISO environment or installed mode.
    • Restart live Zeek instances with zeekctl deploy instead of zeekctl restart.
  • Configuration changes (in environment variables in ./config/)
    • ARKIME_QUERY_ALL_INDICES in arkime.env can be set to control the queryAllIndices setting in Arkime's config.ini.
    • DASHBOARDS_PREFIX in dashboards-helper.env has been added for idaholab#455 (see above in Features and Enhancements).
    • LOGSTASH_NETBOX_ENRICHMENT_DATASETS in logstash.env has been changed to include zeek.dhcp, zeek.dns, and zeek.ntlm to support idaholab#415 (see above in Features and Enhancements).
    • LOGSTASH_ZEEK_IGNORED_LOGS in logstash.env has been changed to remove capture_loss and stats so that those diagnostic Zeek logs can be parsed without the user having to manually change this variable.
    • ZEEK_CRON has been removed from zeek-live.env and ZEEK_INTEL_REFRESH_CRON_EXPRESSION was removed from zeek.env and moved to the "offline" version of the container in zeek-offline.env for idaholab#456.
    • EXTRACTED_FILE_PRUNE_THRESHOLD_MAX_SIZE, EXTRACTED_FILE_PRUNE_THRESHOLD_TOTAL_DISK_USAGE_PERCENT, and EXTRACTED_FILE_PRUNE_INTERVAL_SECONDS were added to zeek.env for idaholab#453. See a new section of documentation on Managing disk usage for more information about these and similar settings.

Official ISO installer images for Malcolm and Hedgehog Linux can now be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split into 2GB chunks and can be reassembled with scripts provided for both Bash (release_cleaver.sh) and PowerShell (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

Malcolm v24.03.1

27 Mar 20:17
618fc30
Compare
Choose a tag to compare

Malcolm v24.03.1 contains new features, improvements, bug fixes and component version updates.

v24.03.0...v24.03.1

Because some of the environment variables used for configuring Malcolm have been reorganized in the .env files found in the ./config directory, it is strongly recommended you re-run ./scripts/configure for this release.

  • Features and enhancements
    • Malcolm instances created using the installer ISO will now detect and format any large (>100GB) storage devices and automatically set them up for use for storing the OpenSearch data store, PCAP files, and/or log storage, similar to what Hedgehog Linux does. (idaholab#266)
    • Since v24.01.0, Malcolm has allowed users to specify custom index patterns for Zeek and Suricata logs (see issue 313). This release now also provides the capability for Arkime to know about those indexes so that those documents also appear in Arkime search results. (idaholab#313, arkime/arkime#2705) As this is not released in Arkime yet, Malcolm is using a local patch with these changes, to be released upstream in Arkime v5.0.2.
    • A new setting for Logstash has been added to allow autocreation and assignment of NetBox subnets during enrichment. If "Should Malcolm automatically create missing NetBox subnet prefixes based on observed network traffic?" is answered to the affirmative during configuration, observed traffic that does not fall into any existing NetBox prefix will cause one to automatically be created, creating them one level down (e.g., 8 additional masked bits) from the RFC1918 address space definitions. This replaces an earlier feature (controlled by the NETBOX_PRELOAD_PREFIXES variable, which no longer has any effect) in which three giant buckets (one for each block in the RFC1918 private address definitions) could be created once at startup. (idaholab#436). So, for example:
      • 10./16 (255.255.0.0)
        • the IP address 10.9.0.215 would cause us to create and assign it to a 10.9.0.0/16 subnet
      • 192.168./24 (255.255.255.0)
        • the IP address 192.168.100.123 would cause us to create and assign it to a 192.168.100.0/24 subnet
      • 172.16./20 (255.255.240.0)
        • the IP address 172.16.29.10 would cause us to create and assign it to a 172.16.29.10/20 subnet
    • New configuration settings have been added to specify creation and rotation of Suricata's EVE JSON log files, including controls for threaded file output and file rotation. See this comment for a full description of the changes (idaholab#445). Most noteworthy are:
    • Table visualizations in Malcolm's prebuilt OpenSearch Dashboards were not consistent in the number of rows returned. This has been standardized to 100 and otherBucket: true has been set for all of these table visualizations to ensure that the end user knows that Other rows may also exist outside of the rows shown. (idaholab#447)
    • Some some field mappings were moved from malcolm_template.json to the composable template malcolm_common.json
    • Documentation improvements
    • Minor update to slides
    • Some directories named like bro_logs were renamed to zeek_logs on Hedgehog Linux
    • The Community ID field is now being added to Zeek's notice.log
    • Attempt to install necessary Python 3 packages at the beginning of install.py instead of just failing
  • Component version updates
  • Bug fixes
    • AF_PACKET was not being utilized for capturing traffic on Malcolm in the zeek-live container. This did not affect Suricata, Arkime capture, or any of the Hedgehog Linux processes. (idaholab#437)
    • The Packet Capture Statistics dashboard was not correctly computing seen and dropped packets for Suricata. (idaholab#442)
    • A STDERR warning from the new Docker Compose v2.25 was messing up the creation of the OpenSearch keystore file. (idaholab#452)
    • Fixed an issue in which the Dashboards for non-network data (e.g., temperatures, resource usage, etc.) would not see the correct data if the MALCOLM_OTHER_INDEX_PATTERN variable had been set to something other than the default.
    • Ensure that index names created for use by Logstash sending to OpenSearch/Elasticsearch are lowercase
    • Major cleanup and refactoring of the NetBox enrichment code used by Logstash
  • Configuration changes (in environment variables in ./config/)
    • ARKIME_DEBUG_LEVEL=0 has been added to arkime.env to control the debug level for Arkime's config.ini.
    • Additions/deletions in netbox-common.env (also, see below for some existing variables that were moved from logstash.env):
      • NETBOX_PRELOAD_PREFIXES has been removed and replaced with NETBOX_AUTO_CREATE_PREFIX for idaholab#436
      • NETBOX_ENRICHMENT_LOOKUP_SERVICE=true has been added to indicate whether or not services (i.e., destination IP/port) should be looked up during NetBox enrichment
    • Comments were added to opensearch.env to give examples of how to set the time bucketing for OpenSearch/Elasticsearch indexes
    • In addition to the new variables mentioned above, some cleanup and organization was done in the environment variable files used for configuring Malcolm:
      • LOG_CLEANUP_MINUTES and ZIP_CLEANUP_MINUTES are now in filebeat.env, moved from upload-common.env
      • Some NetBox related variables have been moved from logstash.env to netbox-common.env and renamed:
        • LOGSTASH_NETBOX_ENRICHMENT is now NETBOX_ENRICHMENT
        • LOGSTASH_NETBOX_AUTO_POPULATE is now NETBOX_AUTO_POPULATE
        • LOGSTASH_NETBOX_CACHE_SIZE is now NETBOX_CACHE_SIZE
        • LOGSTASH_NETBOX_CACHE_TTL is now NETBOX_CACHE_TTL

Official ISO installer images for Malcolm and Hedgehog Linux can now be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split into 2GB chunks and can be reassembled with scripts provided for both Bash (release_cleaver.sh) and PowerShell (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

Malcolm v24.03.0

05 Mar 21:42
762c7ed
Compare
Choose a tag to compare

Malcolm v24.03.0 contains new features, improvements, bug fixes and component version updates.

v24.02.0...v24.03.0

  • Features and enhancements
  • Component version updates
  • Bug fixes
    • fix the way we do environment variables in local.zeek (idaholab#413)
    • a few issues with the install.py script when installing from GitHub releases (idaholab#416)
    • htadmin creating entries without a newline between them in the htpasswd file (idaholab#426)
    • hard-coded date value in Kibana pivot links (idaholab#428)
    • unencrypted, unzipped extracted file download not working (idaholab#431)
  • Configuration changes (in environment variables in ./config/)
    # Set to true to indicate that Zeek should output logs in JSON format
    ZEEK_JSON=
    # Whether or not to require SSL certificate verification when querying a TAXII or MISP feed
    ZEEK_INTEL_FEED_SSL_CERTIFICATE_VERIFICATION=false
    # Whether or not to disable the ICSNPP Profinet IO CM parser
    ZEEK_DISABLE_ICS_PROFINET_IO_CM=
    

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/.

Malcolm v24.02.1

20 Feb 03:46
Compare
Choose a tag to compare

Malcolm v24.02.1 is identical to v24.02.0 except for a minor fix to the code that builds the Hedgehog Linux Raspberry Pi image.

The usual build artifacts are not included in this release, and new docker images for Malcolm have not been published.

Malcolm v24.02.0

15 Feb 20:23
98ac2fb
Compare
Choose a tag to compare

Malcolm v24.02.0 contains new features, improvements, bug fixes and component version updates.

v24.01.0...v24.02.0

  • Features and enhancements
    • Hedgehog Linux SD card image for Raspberry Pi (idaholab#250; special thanks to @aut0exec for his work on this)
    • allow configuration of Arkime's ILM/ISM settings (idaholab#300)
    • add option for customizing which log types get NetBox enrichment (idaholab#316)
    • improve the extracted_files download page (idaholab#329)
    • include missing aggregations in API bucket queries (idaholab#386)
    • more intelligent .env file checking on startup (idaholab#387)
    • Malcolm report to itself on capture statistics (idaholab#395)
    • link to Dashboards/Arkime from NetBox devices view (idaholab#410)
    • changed default PCAP storage format to zstd(3) for new installations
    • various documentation updates and improvements
    • changed back to using official Zeek .deb files rather than building from source to reduce build times
  • Component version updates
  • Bug fixes
    • pivot links from Arkime to Kibana in external elasticsearch are not working (idaholab#335)
    • redirect /dashboards/ link to Kibana in NGINX proxy in elasticsearch/kibana-based deployment (idaholab#403)
    • allow netbox-restore and netbox-backup to specify container name (idaholab#337)
    • fuzzy matching for manufacturers based on OUI to NetBox list is not very good (idaholab#393) (and updated documentation)
    • source.ip and destination.ip not set for parsed files.log entries for uploaded PCAP (idaholab#401)
    • event.severity_tags is not being assigned correctly based on rule.category (idaholab#402)
    • basic authentication breaks with special characters (idaholab#404)
    • changed some Logstash Ruby variables from global ($) to instance (@) (see "avoiding concurrency issues")
  • Configuration changes (in environment variables in ./config/)
    # These variables manage setting for Arkime's ILM/ISM features (https://arkime.com/faq#ilm)
    # Whether or not Arkime should perform index management
    INDEX_MANAGEMENT_ENABLED=false
    # Time in hours/days before moving to warm and force merge (number followed by h or d)
    INDEX_MANAGEMENT_OPTIMIZATION_PERIOD=30d
    # Time in hours/days before deleting index (number followed by h or d)
    INDEX_MANAGEMENT_RETENTION_TIME=90d
    # Number of replicas for older sessions indices
    INDEX_MANAGEMENT_OLDER_SESSION_REPLICAS=0
    # Number of weeks of history to retain
    INDEX_MANAGEMENT_HISTORY_RETENTION_WEEKS=13
    # Number of segments to optimize sessions for
    INDEX_MANAGEMENT_SEGMENTS=1
    # Whether or not Arkime should use a hot/warm design (storing non-session data in a warm index)
    INDEX_MANAGEMENT_HOT_WARM_ENABLED=false
    
    # These values are used to handle the Arkime value actions to pivot from Arkime
    #   to Dashboards. The nginx-proxy container's entrypoint will try to formulate
    #   them automatically, but they may be specified explicitly here.
    NGINX_DASHBOARDS_PREFIX=
    NGINX_DASHBOARDS_PROXY_PASS=
    
    • these variables in logstash.env for customizing which log types get NetBox enrichment (idaholab#316) and customizing which types of Zeek logs will be ignored (dropped) by LogStash
    # Which types of logs will be enriched via NetBox (comma-separated list of provider.dataset, or the string all to enrich all logs)
    LOGSTASH_NETBOX_ENRICHMENT_DATASETS=suricata.alert,zeek.conn,zeek.known_hosts,zeek.known_services,zeek.notice,zeek.signatures,zeek.software,zeek.weird
    
    # Zeek log types that will be ignored (dropped) by LogStash
    LOGSTASH_ZEEK_IGNORED_LOGS=analyzer,broker,bsap_ip_unknown,bsap_serial_unknown,capture_loss,cluster,config,ecat_arp_info,loaded_scripts,packet_filter,png,print,prof,reporter,stats,stderr,stdout
    
    # Customize manufacturer matching/creation with LOGSTASH_NETBOX_AUTO_POPULATE (see logstash.env)
    NETBOX_DEFAULT_AUTOCREATE_MANUFACTURER=true
    NETBOX_DEFAULT_FUZZY_THRESHOLD=0.95
    
    # Whether or not enable capture statistics and include them in eve.json
    SURICATA_STATS_ENABLED=false
    SURICATA_STATS_EVE_ENABLED=false
    SURICATA_STATS_INTERVAL=30
    SURICATA_STATS_DECODER_EVENTS=false
    
    # Set ZEEK_DISABLE_STATS to blank to generate stats.log and capture_loss.log
    ZEEK_DISABLE_STATS=true
    
    • this variable in zeek.env related to the improvements to the extracted_files download page (idaholab#329)
    # Whether or not to use libmagic to show MIME types for Zeek-extracted files served
    EXTRACTED_FILE_HTTP_SERVER_MAGIC=false
    

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/.

Malcolm v24.01.0

17 Jan 17:47
2862d43
Compare
Choose a tag to compare

Malcolm v24.01.0 contains new features, improvements, bug fixes and component version updates.

v23.12.1...v24.01.0

  • Features and enhancements
    • new Malcolm instance landing page (idaholab#252)
    • file carve download with password-protected .zip file (idaholab#288)
    • new "all files exept common plain text files" option for Malcolm's file carving to match Hedgehog capability (idaholab#290)
    • allow customizing indexes for logs written to OpenSearch/Elasticsearch (idaholab#313)
    • more consistently differentiate between uploaded and live-captured traffic (idaholab#321)
    • make download extracted file context item from Arkime smarter (idaholab#330)
    • improve netbox device type library import by using "official" import script (idaholab#384)
  • Component version updates
  • Bug fixes
    • Suricata Alerts dashboard "Alerts - Tags" visualization is useless (idaholab#314)
    • third party logs are not parsed correctly from fluentbit -> fluentd aggregator -> Malcolm (idaholab#318)
    • update document lookup APIs to search either network or host data (idaholab#322)
    • suricata rule update is broken (idaholab#323)
    • time sync from hedgehog to Malcolm opensearch instance not working (idaholab#324)
    • fix issue specifying database mode via command-line
    • have pruning of OpenSearch indices (based on size) include "other" Malcolm indices as well (e.g., nginx logs, system resources, third-party logs, etc.)
  • Configuration changes (in environment variables in ./config/)
    • added the following variables with relation to idaholab#313
      # OpenSearch index patterns and timestamp fields
      # Index pattern for network traffic logs written via Logstash (e.g., Zeek logs, Suricata alerts)
      MALCOLM_NETWORK_INDEX_PATTERN=arkime_sessions3-*
      # Default time field to use for network traffic logs in Logstash and Dashboards
      MALCOLM_NETWORK_INDEX_TIME_FIELD=firstPacket
      # Suffix used to create index to which network traffic logs are written (supports Ruby strftime strings in %{})
      MALCOLM_NETWORK_INDEX_SUFFIX=%{%y%m%d}
      # Index pattern for other logs written via Logstash (e.g., nginx, beats, fluent-bit, etc.)
      MALCOLM_OTHER_INDEX_PATTERN=malcolm_beats_*
      # Default time field to use for other logs in Logstash and Dashboards
      MALCOLM_OTHER_INDEX_TIME_FIELD=@timestamp
      # Suffix used to create index to which other logs are written (supports Ruby strftime strings in %{})
      MALCOLM_OTHER_INDEX_SUFFIX=%{%y%m%d}
      # Index pattern used specifically by Arkime (will probably match MALCOLM_NETWORK_INDEX_PATTERN, should probably be arkime_sessions3-*)
      ARKIME_NETWORK_INDEX_PATTERN=arkime_sessions3-*
      # Default time field used by for sessions in Arkime viewer
      ARKIME_NETWORK_INDEX_TIME_FIELD=firstPacket
      
    • changed default for EXTRACTED_FILE_HTTP_SERVER_KEY to infected in zeek-secret.env
    • added EXTRACTED_FILE_HTTP_SERVER_ZIP with default value of false in zeek.env, see (idaholab#288)

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/.

Malcolm v23.12.1

20 Dec 19:07
e2d4e1f
Compare
Choose a tag to compare

Malcolm v23.12.0 is a minor release with a few updates and bug fixes

v23.12.0...v23.12.1

  • Features and enhancements
    • have install.py offer to pull the docker images (idaholab#310)
    • only overwrite Arkime's config.ini with config.orig.ini if config.ini doesn't already exist (idaholab#311)
    • create Suricata rules for Zyxel vulnerabilities from KEV (idaholab#312)
    • provide alternate configuration for Arkime capture to listen on the interface directly rather than post-processing PCAPs (idaholab#281)
    • added SURICATA_DISABLE_ICS_ALL environment variable to disable OT/ICS analysis in Suricata
    • added ZEEK_INTEL_REFRESH_THREADS to allow setting the number of threads for intel feed pulls
    • documented the different run profiles (hedgehog vs. malcolm profiles) and generally improved documentation of live capture options
    • route /mapi/opensearch/, /mapi/logstash/ and /mapi/netbox/ from the Malcolm API endpoint to their respective component APIs
    • minor improvements to how the user supplies custom rules/config for Suricata, Zeek, and Arkime
  • Component version updates
  • Bug fixes
    • review and fix capabilities granted to containers (idaholab#282)
    • change URL for downloading manuf list to new wireshark.org URL / wireshark no longer publishes raw manuf (OUI) list (idaholab#230 and idaholab#306)
    • directory hierarchies not being created as Kubernetes configmap correctly (idaholab#308)
    • rsyslog no longer in Debian bookworm (idaholab#309)
    • removed unused Arkime log and raw directories

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/.

Malcolm v23.12.0

05 Dec 04:29
c097f1c
Compare
Choose a tag to compare

Malcolm v23.12.0 is a feature release with many improvements, updates and fixes

v23.10.0...v23.12.0

  • Features and enhancements
    • replace kbn_sankey_vis with vega or transform (idaholab#147)
    • address issues with NetBox database and Logstash's NetBox cache (idaholab#259)
    • integrate nsacyber/ELITEWOLF signatures into default rule set CISA (idaholab#275)
    • improve error messages for PCAP/artifact processing beyond just icons (idaholab#276)
    • option to auto-create "catch-all" NetBox IPAM prefixes for private IP space (idaholab#279)
    • use prefix.description instead of VRF for identifying subnets in NetBox (idaholab#280)
    • allow customizing Arkime's freeSpaceG setting (for PCAP deletion) in an environment variable (idaholab#285)
    • replace master/slave with client/server when parsing modbus logs (idaholab#291)
    • put netbox restore database functionality inside container (idaholab#294)
    • provide way to customize zeek Site::local_nets (idaholab#295)
    • allow configuration of docker's logging driver to prevent disk-exhaustion (idaholab#301)
    • allow user to include other suricata config YML files (idaholab#302)
    • allow user to be able to provide custom zeek config (idaholab#303)
    • allow tuning Suricata's max-pending-packets via environment variable (idaholab#304)
    • enable OpenSearch dashboards condensed header
  • Component version updates
  • Bug fixes
    • Malcolm Sensor Temperature dashboard issue (idaholab#265)
    • strip out broken Arkime and NetBox links from dashboards for Kibana import (idaholab#286)
    • have netbox-restore script restart necessary services or set necessary permissions (idaholab#287)
    • file type validation not working for upload from (some?) windows browsers (idaholab#292)
    • go through list of Qualys image scan results (idaholab#299)

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/.

Malcolm v23.10.0

26 Oct 02:27
72cb1d1
Compare
Choose a tag to compare

Malcolm v23.10.0 is a feature release.

v23.09.0...v23.10.0

  • Features and enhancements
    • support both OpenSearch and Elasticsearch output (idaholab#258)
    • "capture-only" Malcolm configuration (AKA "dockerized Hedgehog") (idaholab#254)
    • don't run kiosk mode on Hedgehog first boot (idaholab#263)
    • let Arkime check its own database to see if it needs to be upgraded
    • allow specifying Arkime password hash secret for Viewer clusters
    • documentation improvements
    • minor updates to slide decks
    • allow specifying ports for EtherNet/IP parser via environment variable
  • Component version updates
  • Bug fixes
    • set "autorestart" to true for all started services (idaholab#267)
    • changed toolchain for building Zeek and Zeek plugins to clang/libc++ to address some build issues with Spicy plugins using GCC
    • ensure Arkime is started before creating OpenSearch artifacts
    • ensure Arkime and OpenSearch artifacts are populated before starting LogStash
    • don't log "0.0" temperatures from Fluent Bit thermal forwarders

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/.