Skip to content

Releases: idaholab/Malcolm

Malcolm v24.12.0

19 Dec 15:28
d8dabe0
Compare
Choose a tag to compare

Malcolm v24.12.0 contains several improvements to the Malcolm configuration script, the Malcolm user interface, and the Malcolm API, as well as component version updates and bug fixes. This release also corresponds with the release of malcolm-test (cisagov#486), a Malcolm system testing framework.

v24.11.0...v24.12.0

  • Features and enhancements
  • Component version updates
  • Bug fixes
    • Zeek DNS records don't open correctly in Arkime sessions (cisagov#509)
      • Fixes to some Zeek dns.log parsing conflicts between ECS's DNS fields and what the Arkime schema is expecting
    • Mandiant threat intel source doesn't get split correctly when using JSON zeek log format (cisagov#494)
    • Set indices.query.bool.max_clause_count to 8192 to reflect maximum number of fields
    • Increase Java stack size (-Xss) for Logstash from 1536k to 2048k
    • Minor fixes for parsing Zeek intel.log (some fields not named correctly with Zeek JSON-formatted logs)
    • Fixed setting the Signature event severity tags
  • Code and project maintenance
    • Replaced hard-coded Malcolm version number in documentation markdown files with variable-based replacer populated during generation
    • Documentation and screenshot updates

Official ISO installer images for Malcolm and Hedgehog Linux can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split into 2GB chunks and can be reassembled with scripts provided for both Bash (release_cleaver.sh) and PowerShell (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

Malcolm v24.11.0

18 Nov 17:01
2383599
Compare
Choose a tag to compare

Malcolm v24.11.0 contains a new threat intelligence feed integration, a few new API calls, other minor improvements, bug fixes, and component version updates.

v24.10.1...v24.11.0

Official ISO installer images for Malcolm and Hedgehog Linux can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split into 2GB chunks and can be reassembled with scripts provided for both Bash (release_cleaver.sh) and PowerShell (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

Malcolm v24.10.1

24 Oct 16:04
4104256
Compare
Choose a tag to compare

Malcolm v24.10.1 contains some minor improvements, a few component version updates, a fix for a regression bug, and a fair amount of code cleanup.

v24.10.0...v24.10.1

  • Features and enhancements
  • Component version updates
  • Bug fixes
    • Fixed OpenSearch anomaly detection default detectors not being created (regression, #596)
  • Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux
    • Malcolm
      • ZEEK_JA4SSH_PACKET_COUNT (with a default of 200) has been added to ./config/zeek.env, which can be used to set logging interval number of packets for ja4ssh.log (#508)
    • Hedgehog Linux
      • ZEEK_JA4SSH_PACKET_COUNT has been added to control_vars.conf for the same purpose as described above
  • Code and project maintenance
    • Examine distro hardening, fix and update documentation as needed for Malcolm and Hedgehog Linux ISO-installed environments (#328)
    • Refactoring and code cleanup in the Logstash Zeek pipeline (#592)
    • Logstash container initialization code now automatically ensures that the Zeek TSV log parsing filters (dissect and split filters) in these files are looking for TAB characters (i.e., automatically replace spaces with tabs in these filter files in case the author forgot to do so) (#592)
    • Did some code cleanup in the ./shared/bin directory, mostly moving things that were specific to either the Malcolm or Hedgehog Installer ISO environments out of shared and into their respective locations for the ISO installer build.
    • When doing the aquasecurity/trivy-action action, use TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db to try to fall back to an alternative official location for the vulnerability database if the first one fails. Also, pin this action to the v0.28.0 release rather than setting it to master.
    • As it's used pretty ubiquitously in shared scripts by many of the Malcolm containers, the jq utility is now installed across the board during the container image build.
    • Added a script to gather GitHub API metrics for Malcolm downloads (#594)

Official ISO installer images for Malcolm and Hedgehog Linux can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split into 2GB chunks and can be reassembled with scripts provided for both Bash (release_cleaver.sh) and PowerShell (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

Malcolm v24.10.0

09 Oct 14:57
26d0d66
Compare
Choose a tag to compare

Malcolm v24.10.0 contains fixes for a few regression bugs, minor improvements, and a few component updates.

v24.09.0...v24.10.0

  • Features and enhancements
    • Enable Zeek's parsing of HTTP server and client header names as zeek.http.client_header_names and zeek.http.server_header_names
    • Bumped maximum field limit in OpenSearch templates from 5000 to 6000
    • Some documentation improvements
    • Build improvement: fall back to alternative Zeek .deb download URL (#585)
    • Build improvement: limit threads for spicy build processes during Zeek package installation (#571)
  • Component version updates
  • Bug fixes
    • Fix broken dashboards regression from v24.09.0 (#588)
    • Fix Zeek-extracted files not getting saved to correct location for live Zeek capture (#590)
    • Fix for building Hedgehog Linux for Raspberry Pi 4 on an M2 MacBook

Official ISO installer images for Malcolm and Hedgehog Linux can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split into 2GB chunks and can be reassembled with scripts provided for both Bash (release_cleaver.sh) and PowerShell (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

Malcolm v24.09.0

19 Sep 19:53
2f94ef9
Compare
Choose a tag to compare

Malcolm v24.09.0 contains new features and enhancements, component version updates, and bug fixes.

v24.08.0...v24.09.0

  • Features and enhancements
    • When building Docker images and the Hedgehog Linux ISO, allow specifying alternate download URL for MaxMind GeoIP database files (#565)
    • Allow total index size-based pruning for opensearch-remote and elasticsearch-remote database modes (#446)
    • Allow splitting out indexes by other field values (#450)
    • Allow users to use the Arkime Lua plugin without having to create new bind volume mounts manually (#533)
    • Automatically create empty document on startup to avoid "no data" message spamming by Dashboards (#527 and #567)
    • Improvements to documentation and install.py for Linux performance tweaks (#495)
    • Include netbox-topology-views plugin by default (#553)
    • Integrate HART-IP parser (#561)
    • Add option to go backwards in Malcolm's dialog-based install.py installation and configuration script (#487)
    • Added Podman support (#407)
    • Update EtherNet/IP and CIP to account for new packet correlation ID (#558)
    • Update Network Traffic Analysis with Malcolm slides
  • Component version updates
  • Bug fixes
    • Filtering on hunt ID in Arkime not working (#554)
    • Hedgehog with OOB/VPN connection sets ARKIME_NODE_HOST incorrectly (#560 and #559, thanks @divinehawk)
    • Offline suricata Docker container does not initialize suricata.yml config file (#564)
  • Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux
    • Malcolm
      • The MALCOLM_NETWORK_INDEX_SUFFIX and MALCOLM_OTHER_INDEX_SUFFIX variables in ./config/opensearch.env now also support expanding dot-delimited field names in {{ }} (e.g., {{event.provider}}%{%y%m%d}).
      • MALCOLM_CONTAINER_RUNTIME has been added to ./config/process.env to indicate docker, podman, or kubernetes. This value only currently used in the install, configuration, and control scripts, not inside the containers themselves.
      • ZEEK_DISABLE_ICS_HART_IP has been added to ./config/zeek.env and can be set to true to disable the new HART-IP protocol parser.
    • Hedgehog Linux
      • ZEEK_DISABLE_ICS_HART_IP has been added to control_vars.conf and can be set to true to disable the new HART-IP protocol parser.

Official ISO installer images for Malcolm and Hedgehog Linux can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split into 2GB chunks and can be reassembled with scripts provided for both Bash (release_cleaver.sh) and PowerShell (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

Malcolm v24.08.0

27 Aug 19:38
2bacdae
Compare
Choose a tag to compare

Malcolm v24.08.0 contains minor improvements, some component version updates, and bug fixes.

v24.07.0...v24.08.0

  • Features and enhancements
    • in ISO installer, prompt to format other drives for artifact storage rather than just doing it automatically (#529)
    • allow users to more easily add NetBox plugins (#530)
    • run netbox-initializers plugin on startup even if we're doing a netbox database backup preload (#531)
    • during auth_setup "all" operation, do required operations without prompting if the files don't already exist (#536)
    • some containers need resource request specified for Kubernetes (#539)
    • add "public" pseudo-segments for public IP addresses (#542)
    • reworked Windows Event dashboard
    • some documentation updates
    • added netbox tag to any logs that are passed into the netbox_enrich.rb script in the Logstash enrichment pipeline
  • Component version updates
  • Bug fixes
    • dashboards-helper container's use of curl fails internal container name resolution when host has invalid DNS settings, prevents Malcolm initialization (#499)
    • Netbox service templates not populating (#522)
    • kubernetes manifest for netbox refers to netbox-netmap-json configmap which no longer exists (#540)
    • don't try to expose the OpenSearch port 9200 in docker-compose.yml when the database mode is not opensearch-local
    • improved the liveness check for the offline Zeek container so that it returns "healthy" if the intel thread feeds are still pulling before the monitoring processes start up
    • missing cracklib-runtime package prevents ISO service account password from being updated by non-root user (#548)

Official ISO installer images for Malcolm and Hedgehog Linux can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split into 2GB chunks and can be reassembled with scripts provided for both Bash (release_cleaver.sh) and PowerShell (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

Malcolm v24.07.0

30 Jul 21:38
7b7f401
Compare
Choose a tag to compare

Malcolm v24.07.0 contains minor improvements, some component version updates, and a few bug fixes.

v24.06.0...v24.07.0

  • Features and enhancements
    • integrated the ICSNPP GE SRTP network analyzer (#516)
    • Changed the way docker compose does bind mounts of files and directories to avoid creating empty directories when the source is missing, returning an error instead (#473)
      • This changed necessitated a switch from Python's built-in YAML library to ruamel.yaml
    • code to pull from MISP feeds should specify JSON as preferred format in HTTP headers (#520)
    • add optional service argument to restart script (#521)
    • replace API link on landing page with extracted-files (#524)
    • exclude private IP space Intel::ADDR items when populating Zeek intel (#528)
    • updated some screenshots for the documentation
  • Component version updates
  • Bug fixes
    • tarball-based installation should not depend on UID inside of tarball, prevents installation if UID with which tarball's contents were created don't match installing user's (#519)
    • bacnet discovery log not parsed correctly (#523)
    • resolved issue with the build.sh helper script when building non-AMD64 Docker images
  • Configuration changes (in environment variables in ./config/)
    • The variable ZEEK_DISABLE_ICS_GE_SRTP has been added to zeek.env and control_vars.conf to control enabling the network analyzer for the GE SRTP protocol. It's default value is true (indicating that the analyzer is disabled) as it is a somewhat uncommon OT protocol that likely won't be needed by most Malcolm users.
  • Other
    • Removed long-deprecated net-map.json file support (#517)

Official ISO installer images for Malcolm and Hedgehog Linux can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split into 2GB chunks and can be reassembled with scripts provided for both Bash (release_cleaver.sh) and PowerShell (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

Malcolm v24.06.0

27 Jun 01:18
75fe54b
Compare
Choose a tag to compare

Malcolm v24.06.0 contains new features, improvements, component version updates, and a few bug fixes.

v24.05.0...v24.06.0

NetBox: backwards compatibility-breaking change: This release of Malcolm updates NetBox from v3.6.7 to v4.0.6, for bug fixes, security updates, and requirements for Malcolm to support enrichment with multiple NetBox sites. However, NetBox's built-in migrations do not appear to work handle going from v3.6.7 to v4.0.6. It is likely that if you are using NetBox that you will encounter errors upon updating to this release of Malcolm. Prior to upgrading it is recommended that you navigate to Sites, IPAM > Prefixes, DCIM > Devices, and anywhere else you've populated NetBox data and click Export > All Data (CSV) and save those in case you need to recreate your NetBox inventory after upgrading. Malcolm's NetBox backup and restore will not work in this case. If you find NetBox has data errors after upgrading Malcolm, stop Malcolm and clear the NetBox inventory from your Malcolm installation directory (e.g., rm -rf ./netbox/postgres/* ./netbox/redis/*), then start Malcolm and recreate your NetBox inventory.

  • Features and enhancements
    • Support for multiple NetBox sites (#449)
      • Malcolm now supports enrichment from a NetBox inventory for asset interaction analysis across multiple sites. The NetBox site can be specified for uploaded PCAP, for a Hedgehog Linux sensor, and for Malcolm live capture.
    • JA4+ replaces the JA3 TLS fingerprinting standard from 2017 (see also this blog post) (#419)
    • Support uploading Windows Event Log evtx files (#465) and update associated dashboard
    • Document using GitHub runners to build Malcolm images (for contributors' guide, #491)
    • Generate new forwarder SSL keys on-the-fly when transferring between Malcolm and Hedgehog Linux (#492)
    • Incorporate ATT&CK-based Control-system Indicator Detection for Zeek (ACID) (#489), a collection of Operational Techonology (OT) protocol indicators developed to alert on specific ATT&CK for ICS behaviors
    • Add platform architecture and machine boot time to Malcolm version API
    • Add links to the navigation pane of most dashboards to "other" dashboards for non-network log data (e.g., resource monitoring, Windows Event logs, etc.)
  • Component version updates
  • Bug fixes
    • Arkime viewer not rolling PCAPs (#484)
    • Free up space in GitHub runner environment building ISO images to avoid errors due to exhausted disk space
  • Configuration changes in environment variables
    • There are no significant changes or additions to the ./config/*.env environment variable files in Malcolm v24.06.0

Official ISO installer images for Malcolm and Hedgehog Linux can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split into 2GB chunks and can be reassembled with scripts provided for both Bash (release_cleaver.sh) and PowerShell (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

Malcolm v24.05.0

30 May 02:38
6bc5128
Compare
Choose a tag to compare

Malcolm v24.05.0 contains new features, improvements, bug fixes and component version updates.

v24.04.0...v24.05.0

  • Features and enhancements
    • Added ARM64/AArch64 support. Malcolm can now run natively on ARM64 hardware. The ./scripts/configure script should detect the architecture and automatically adjust the image: names in the docker-compose.yml files in Docker deployments, or this can be changed manually by appending -arm64 to the tag for Malcolm's Docker images, e.g., ghcr.io/idaholab/malcolm/zeek:24.05.0-arm64. (#369)
    • Support for new environment variables added to Hedgehog Linux's control_vars.conf for tuning capture-related settings for Arkime on the sensor, bringing them into parity with those that were available in the arkime-live container in Malcolm. (#476)
    • Tweaked some of the default resource-related live capture settings for Suricata and Arkime.
    • Reworked the environment variables used for tuning Zeek live capture resource and performance on both Malcolm and Hedgehog Linux. An in-depth discussion of these tuning parameters can be found in the documentation. (#475)
    • Allow setting the spiDataMaxIndexes variable for Arkime's config.ini file via the ARKIME_SPI_DATA_MAX_INDICES environment variable. (#471)
    • Allow custom tags to be specified at the point of log file ingestion (i.e., FileBeat) on Malcolm and Hedgehog Linux. This makes it easier to specify custom tags used to group network traffic by sensor. (#463)
    • Handle invalid URLs made to the Malcolm web-based UIs better (with a custom 404/502 page). (#461)
    • Switched to official .deb packages for Arkime rather than building from source, reducing build times significantly. (Thanks @awick.)
  • Component version updates
    • Suricata to v7.0.5
      • Also, going forward Malcolm will track the latest Suricata release (from the Debian Stable Backports APT repository) rather than what's in the Debian Stable APT repository. (#462)
    • Arkime to v5.2.0
    • OpenSearch and OpenSearch Dashboards to v2.14.0
    • YARA to v4.5.1
    • Beats to v8.13.4
    • Logstash to v8.13.4
    • YQ to v4.44.1
    • Zeek to v6.2.1
    • Fluent Bit to v3.0.6
    • requests Python library to v2.32.0 for CVE-2024-35195
    • flask-cors Python library on Hedgehog Linux to v4.0.1 for CVE-2024-1681
    • Jinja Python library on Hedgehog Linux to v3.1.4 for CVE-2024-34064
    • Werkzeug Python library on Hedgehog linux to v3.0.3 for CVE-2024-34069
  • Bug fixes
    • The code that cleans up already-processed Zeek and Suricata logs after a defined period of time was out of date for the current FileBeat registry behavior and would potentially leave log files around longer than they needed to be. This has been remedied. (#479)
    • Fixed issue where the BPF capture filter was not passed to Zeek correctly. (#474)
    • The process which queries threat intelligence feeds and generates the corresponding Zeek intel files will no longer relpace existing intel definitions unless it succeeds in pulling definitions from at least one of the specified feeds. (#472)
    • Fixed calculation of memory and CPU resources used in ./scripts/status for Kubernetes deployment. (#467)
  • Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux
    • Malcolm
      • Added ARKIME_SPI_DATA_MAX_INDICES to arkime.env with a default value of 7, which manifests as spiDataMaxIndexes in Arkime's config.ini. If you are changing the Arkime index period from daily to weekly, hourly, etc., you may wish to adjust this value. (#471)
      • Added EXTRA_TAGS to upload-common.env for specifying custom tags to be associated with logs forwarded to Logstash by FileBeat. (#463)
      • A number of new and modified environment variables are available and can be added to zeek-live.env for tuning the resource utilization and performance of Zeek's live capture, see the documentation for details. (#475)
    • Hedgehog Linux
      • A number of new and modified environment variables are available for control_vars.conf for tuning the resource utilization and performance of Zeek's live capture, see the documentation for details. (#475)
      • Added support for new environment variables added to Hedgehog Linux's control_vars.conf for tuning capture-related settings for Arkime on the sensor, bringing them into parity with those that were available in the arkime-live container in Malcolm. (#476)

Official ISO installer images for Malcolm and Hedgehog Linux can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split into 2GB chunks and can be reassembled with scripts provided for both Bash (release_cleaver.sh) and PowerShell (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

Malcolm v24.04.0

30 Apr 18:42
a6248b6
Compare
Choose a tag to compare

Malcolm v24.04.0 contains new features, improvements, bug fixes and component version updates.

v24.03.1...v24.04.0

Because some of the environment variables used for configuring Malcolm have been reorganized in the .env files found in the ./config directory, it is recommended you re-run ./scripts/configure for this release.

  • Features and enhancements
    • Zeek-extracted files scanned and preserved on a Hedgehog Linux sensor can now be accessed via the extracted files download user interface (#331).
    • Improvements to creation of index templates, dashboards, and other saved objects on startup (#208) to ensure that saved objects get created correctly upon upgrade (see this comment for more details on this feature).
    • Populating the NetBox inventory via passively-gathered network traffic metadata now uses network traffic logs for DNS, NTLM, and DHCP to identify assets' host names when possible for use when populating device and VM names (#415). Autopopulated devices now have their status field set to Active rather than Stage, and uses tags instead to indicated that they were created through autopopulation.
    • Users can now specify pruning thresholds for carved files so that old files are deleted in order to avoid filling available storage (#453). See a new section of documentation on Managing disk usage for more information about this and similar settings.
    • Users can now specify a prefix that will be prepended to dashboards as they are imported into OpenSearch Dashboards or Kibana, allowing users who have dashboards from other sources to differentiate between those and Malcolm's (#455).
    • The default anomaly detectors created for the OpenSearch Anomaly Detection plugin are now created with category fields for high cardinality to allow for better breakdown of contributing values to anomalies discovered (#464).
    • Include JA4+ plugin in Arkime. See #419 for status on upcoming full JA4+ support in Malcolm.
    • Hedgehog Linux sensors can now periodically refresh their Zeek inteligence files.
      • NOTE: Due to an oversight, a value is missing from the default Hedgehog Linux configuration in this release, preventing the intel refresh cron job from executing. As a workaround, appending the line export INTEL_DIR=/opt/sensor/sensor_ctl/zeek/intel to /opt/sensor/sensor_ctl/control_vars.conf and restarting the sensor services will remedy the situation. This will be corrected in the next Malcolm release.
    • Assorted documentation improvements.
  • Component version updates
  • Bug fixes
    • The documentation for Windows host system configuration was out of date and has been updated for the latest version of Microsoft Windows Subsystem for Linux (#421).
    • An issue was fixed in which Malcolm's list of users and their password hashes could become corrupted if the file did not initially end with a newline character (#426).
    • The manner in which Zeek intel files are generated has been changed to avoid problems found in Kubernetes deployments when scaling out the number of zeek-live containers (#456). See this comment for more details.
    • Removed the version top-level element from docker-compose.yml files as it is now obsolete and caused a warning message that sometimes was not handled correctly.
    • Fix Malcolm ISO not correctly detecting if it's in a live boot ISO environment or installed mode.
    • Restart live Zeek instances with zeekctl deploy instead of zeekctl restart.
  • Configuration changes (in environment variables in ./config/)
    • ARKIME_QUERY_ALL_INDICES in arkime.env can be set to control the queryAllIndices setting in Arkime's config.ini.
    • DASHBOARDS_PREFIX in dashboards-helper.env has been added for #455 (see above in Features and Enhancements).
    • LOGSTASH_NETBOX_ENRICHMENT_DATASETS in logstash.env has been changed to include zeek.dhcp, zeek.dns, and zeek.ntlm to support #415 (see above in Features and Enhancements).
    • LOGSTASH_ZEEK_IGNORED_LOGS in logstash.env has been changed to remove capture_loss and stats so that those diagnostic Zeek logs can be parsed without the user having to manually change this variable.
    • ZEEK_CRON has been removed from zeek-live.env and ZEEK_INTEL_REFRESH_CRON_EXPRESSION was removed from zeek.env and moved to the "offline" version of the container in zeek-offline.env for #456.
    • EXTRACTED_FILE_PRUNE_THRESHOLD_MAX_SIZE, EXTRACTED_FILE_PRUNE_THRESHOLD_TOTAL_DISK_USAGE_PERCENT, and EXTRACTED_FILE_PRUNE_INTERVAL_SECONDS were added to zeek.env for #453. See a new section of documentation on Managing disk usage for more information about these and similar settings.

Official ISO installer images for Malcolm and Hedgehog Linux can now be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split into 2GB chunks and can be reassembled with scripts provided for both Bash (release_cleaver.sh) and PowerShell (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.