Malcolm v25.06.0 includes some new and oft-requested features, bug fixes, and component version bumps.

Compare v25.05.0 to v25.06.0

NOTE: As this Malcolm release enables the OpenSearch Security Plugin as described below, even inter-container access to OpenSearch must now be authenticated when using Malcolm's embedded OpenSearch instance. To accomplish this, an internal-use-only account and password are used by Malcolm's other components when they connect to OpenSearch. This credential (saved in .opensearch.primary.curlrc in the Malcolm installation directory) needs to be generated before Malcolm starts up for the first time after upgrading. To do so, please run ./scripts/auth_setup and select (Re)generate internal passwords for local primary OpenSearch instance. This credential is only used internally for OpenSearch and cannot be used to remotely access Malcolm.

  • ✨ Features and enhancements
    • This release adds role-based access control (RBAC) to Malcolm (cisagov/Malcolm#460).
      • Malcolm's RBAC feature is based on Keycloak realm roles and is implemented in two layers:
      • Whenever possible, Malcolm's backend Keycloak realm roles are mapped to the roles/groups/permissions features provided by the components that make up Malcolm (see the release notes for details).
      • For other Malcolm components that don't implement their own permission management systems, Malcolm enforces roles based on request URIs in its NGINX proxy layer.
      • This is an optional feature. RBAC is only available when the authentication method is keycloak or keycloak_remote. With other authentication methods such as HTTP basic or LDAP, or when RBAC is disabled, all Malcolm users effectively have administrator privileges.
      • Because the OpenSearch Security Plugin requires TLS even internally, Malcolm's internal connections to the embedded OpenSearch instance, when used, are now all performed over HTTPS. This is handled internally and should not behave or appear differently to the user than it did in previous versions.
      • See the role-based access control documentation for more information on this feature.
    • Malcolm's embedded Keycloak instance now automatically creates and configures the default client by ID, if specified in ./config/keycloak.env.
    • Allow user to specify subnet filters for NetBox autopopulation (cisagov/Malcolm#634)
      • This feature is especially useful for excluding dynamic address ranges such as those used by DHCP, which should generally not trigger autopopulation in NetBox. Since these addresses can change frequently and aren't tied to specific devices, including them could result in inaccurate or noisy inventory data. By fine-tuning which private subnets are included or excluded, users can ensure that only meaningful, typically static assignments are autopopulated.
    • Expose init arguments for Arkime's db.pl and also use them for Malcolm's creation of its own index templates (cisagov/Malcolm#692)
    • Extend Zeek's intel.log with additional fields using corelight/ExtendIntel (part 1) (cisagov/Malcolm#502)
      • This integrates the corelight/ExtendIntel plugin into Malcolm internally but does not significantly change how Malcolm presents intel.log to the user. Further work to do so will be continued in cisagov/Malcolm#695.
    • Some internal tweaks to the PCAP processing pipeline that are going to be leveraged by the Malcolm-Helm project (idaholab/Malcolm#630)
    • Handle a fix in the ICSNPP OPCUA-Binary plugin that adds a new sec_token_id field (cisagov/icsnpp-opcua-binary#101)
    • Moved the configuration for Zeek's use of the zeek-kafka plugin to its own file (kafka.zeek) to make it easier to override in Docker using a volume bind mount or in K8s using a configMap.
    • Changed some internal objects used for NetBox enrichment caching from Ruby's Concurrent::Hash to Concurrent::Map for better performance
    • Minor improvements to the icons, shortcuts, and convenience bash functions in the ISO-installed Malcolm desktop environment
    • NGINX now serves a generated robots.txt file asking web crawlers not to index Malcolm (advisory only: compliant crawlers honor it, but it is not an access control)
  • ✅ Component version updates
  • 🐛 Bug fixes
    • NetBox autodiscovery no longer populating host name from DNS, DHCP, NTLM (regression, cisagov/Malcolm#699)
    • documentation served at /readme is trying to pull fonts from use.fontawesome.com (cisagov/Malcolm#694)
    • support fractional gigabytes correctly when generating Arkime's config.ini setting maxFileSizeG from PCAP_ROTATE_MEGABYTES
    • Improved the Logstash filters that calculate the unique hashes used as document IDs for Zeek and Suricata logs, to better prevent duplicate logs from being written to the document store
  • 🧹 Code and project maintenance
    • Tweaked some code comments and documentation to bring the cisagov and idaholab repos into harmony.
    • Documentation improvements
    • Removed some unused files and outdated comments
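An added example (not part of Malcolm's release notes or code) modelling the NGINX-layer, URI-based role enforcement described above: a request passes if the most specific policy prefix matching its path admits one of the caller's Keycloak realm roles, an admin passes everywhere, and with RBAC disabled every authenticated user passes. The role names, URI prefixes, policy table and token helper are assumptions for illustration; Malcolm's actual mapping is described in its role-based access control documentation.

```python
"""Added example, not Malcolm's own code: a model of NGINX-layer, URI-based
role enforcement. Role names, URI prefixes and the token helper below are
assumptions for illustration only."""
import base64
import json

ADMIN_ROLE = "admin"

# Assumed policy: URI prefix -> realm roles allowed to reach it.
# The most specific (longest) matching prefix decides; no match means deny.
POLICY = {
    "/": {"read_access"},
    "/upload": {"upload"},
    "/netbox": {"netbox_read_access", "netbox_read_write_access"},
    "/netbox/api": {"netbox_read_write_access"},
    "/auth": {ADMIN_ROLE},
}


def realm_roles_from_jwt(token: str) -> set:
    """Return realm_access.roles from a Keycloak access token.

    This only decodes the payload; it does NOT verify the signature. In a real
    deployment the OIDC client in front of the proxy must validate the token
    before any role carried in it is trusted.
    """
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return set(payload.get("realm_access", {}).get("roles", []))


def is_allowed(uri: str, roles: set, rbac_enabled: bool = True) -> bool:
    """Decide whether a request to `uri` by a user holding `roles` passes."""
    if not rbac_enabled or ADMIN_ROLE in roles:
        # With RBAC disabled (or a non-Keycloak auth method) every
        # authenticated user is effectively an administrator.
        return True
    path = uri.split("?", 1)[0]
    best = None
    for prefix in POLICY:
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            if best is None or len(prefix) > len(best):
                best = prefix
    return best is not None and bool(POLICY[best] & roles)


def make_unsigned_token(roles) -> str:
    """Constructed sample token for the demo only (empty signature segment)."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = seg({"alg": "none", "typ": "JWT"})
    payload = seg({"realm_access": {"roles": list(roles)}})
    return f"{header}.{payload}."


if __name__ == "__main__":
    analyst = realm_roles_from_jwt(make_unsigned_token(["read_access", "netbox_read_access"]))
    for uri in ("/dashboards/app/home", "/netbox/dcim/devices/",
                "/netbox/api/dcim/devices/", "/upload", "/auth"):
        print(f"{uri:28} -> {'allow' if is_allowed(uri, analyst) else 'deny'}")
```

The token helper only decodes the payload; the check is meaningless unless the signature has already been verified by the OIDC client, which is why the parsing and the enforcement are kept as separate steps here.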
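An added example (not Malcolm's code) of the include/exclude subnet filtering described for NetBox autopopulation above: only private host addresses are candidates, the most specific matching filter decides, and an exclusion wins a tie, so a DHCP pool carved out of a larger static range stays out of the inventory. The filter syntax ("CIDR, CIDR, !CIDR") and the function names are assumptions for illustration; check Malcolm's NetBox documentation for the real setting and its syntax.

```python
"""Added example, not Malcolm's own code: include/exclude subnet filtering of
the kind used to decide whether an observed address should trigger NetBox
autopopulation. The "CIDR, !CIDR" syntax is an assumption for illustration."""
import ipaddress


def parse_subnet_filters(spec: str):
    """Split a comma-separated filter list into (include, exclude) networks.
    A leading '!' marks an exclusion (assumed syntax)."""
    include, exclude = [], []
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        net = ipaddress.ip_network(item.lstrip("!"), strict=False)
        (exclude if item.startswith("!") else include).append(net)
    return include, exclude


def should_autopopulate(ip_str: str, include, exclude) -> bool:
    """True if `ip_str` is a private host address that the filters admit.

    The most specific matching filter decides; an exclusion wins a tie. With no
    include list, every private address not explicitly excluded is admitted.
    """
    ip = ipaddress.ip_address(ip_str)
    if (not ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified):
        return False  # public, loopback, link-local etc. are never inventoried
    inc = max((n.prefixlen for n in include if ip in n), default=-1)
    exc = max((n.prefixlen for n in exclude if ip in n), default=-1)
    if exc >= 0 and exc >= inc:
        return False  # excluded, and no more-specific include overrides it
    if include:
        return inc >= 0  # an include list was given: the address must hit one
    return True


if __name__ == "__main__":
    # Constructed example: two site ranges, minus the DHCP pool 10.0.100.0/24.
    inc, exc = parse_subnet_filters("10.0.0.0/8, 192.168.0.0/16, !10.0.100.0/24")
    for addr in ("10.0.1.5", "10.0.100.25", "192.168.1.10", "172.16.5.5", "8.8.8.8"):
        print(f"{addr:15} -> {should_autopopulate(addr, inc, exc)}")
```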
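An added example (not Malcolm's Logstash filter) of the idea behind the document-ID fix listed under bug fixes above: derive a deterministic hash from the fields that identify a record, so that the same Zeek or Suricata event arriving twice overwrites one document instead of creating a duplicate, while records that differ in any key field get distinct IDs. The per-source key fields, the sample records and the separator choice are assumptions for illustration.

```python
"""Added example, not Malcolm's Logstash filter: deterministic document IDs
from a record's identifying fields, so re-ingesting the same Zeek or Suricata
record overwrites one document rather than duplicating it. The per-source
key fields below are assumptions for illustration."""
import hashlib

# Which fields identify a record, per source (assumed). Zeek's JSON uses flat
# dotted keys like "id.orig_h"; Suricata EVE nests ("alert" -> "signature_id").
KEY_FIELDS = {
    "zeek": ("_path", "ts", "uid"),
    "suricata": ("event_type", "timestamp", "flow_id", "alert.signature_id"),
}


def get_field(doc: dict, dotted: str):
    """Look up a field by dotted path: first as a flat key, then nested."""
    if dotted in doc:
        return doc[dotted]
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def document_id(doc: dict, source: str) -> str:
    """SHA-256 over the source name plus each key field, joined with a control
    character that does not occur in these values, so ("ab", "c") and
    ("a", "bc") cannot collide the way plain concatenation would."""
    parts = [source]
    for field in KEY_FIELDS[source]:
        value = get_field(doc, field)
        parts.append("" if value is None else str(value))
    return hashlib.sha256("\x1f".join(parts).encode("utf-8")).hexdigest()


def ingest(records):
    """Simulate indexing with the hash as the document ID: a record that
    arrives twice overwrites itself instead of producing a second document."""
    store = {}
    for source, doc in records:
        store[document_id(doc, source)] = doc
    return store


# Constructed sample records (not real captures); the first two are identical.
SAMPLES = [
    ("zeek", {"_path": "conn", "ts": 1717000000.123, "uid": "CHhAvVGS1DHFjwGM9",
              "id.orig_h": "10.0.1.5", "id.resp_h": "10.0.2.8"}),
    ("zeek", {"_path": "conn", "ts": 1717000000.123, "uid": "CHhAvVGS1DHFjwGM9",
              "id.orig_h": "10.0.1.5", "id.resp_h": "10.0.2.8"}),
    ("zeek", {"_path": "conn", "ts": 1717000000.456, "uid": "C4J4Th3PJpwUYZZ6gc",
              "id.orig_h": "10.0.1.6", "id.resp_h": "10.0.2.8"}),
    ("suricata", {"event_type": "alert", "timestamp": "2024-05-29T16:26:40.123+0000",
                  "flow_id": 1234567890123456, "alert": {"signature_id": 2100498}}),
]

if __name__ == "__main__":
    store = ingest(SAMPLES)
    print(f"{len(SAMPLES)} records in, {len(store)} documents stored")
```

If the chosen key fields are not actually unique for a source (for example a Suricata record without a flow_id), distinct events will collapse into one document, so the field set deserves the same care as the hash itself.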

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #rbac #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov

Malcolm v25.04.1 contains new features and improvements, component version updates, bug fixes, and other great stuff.

For these notes, I'm lumping v25.04.0 and v25.04.1 together, as v25.04.1 was released only two days after v25.04.0 in order to update Arkime to v5.6.4 which mitigates newly-discovered remote code execution (RCE) vulnerabilities.

https://github.com/idaholab/Malcolm/compare/v25.03.1...v25.04.1

  • ✨ Features and enhancements

    • add option to use external NetBox instance (cisagov/Malcolm#597)
    • add -q/--quiet option for start/restart (cisagov/Malcolm#656)
    • handle non-HTTPS arkime case (cisagov/Malcolm#629)
    • lots of improvements to control.py and install.py for Kubernetes deployment

      • improved start/stop/wipe control script behavior
      • allow providing resource requests in manifests via YML file and command-line argument
      ...
      Kubernetes:
        -n, --namespace <string>
            Kubernetes namespace
        --skip-persistent-volume-checks [SKIPPERVOLCHECKS]
            Skip checks for PersistentVolumes/PersistentVolumeClaims in manifests (only for "start" operation with Kubernetes)
        --no-capture-pods [NOCAPTUREPODSSTART]
            Do not deploy pods for traffic live capture/analysis (only for "start" operation with Kubernetes)
        --no-capabilities [NOCAPABILITIES]
            Do not specify modifications to container capabilities (only for "start" operation with Kubernetes)
        --inject-resources [INJECTRESOURCES]
            Inject container resources from kubernetes-container-resources.yml (only for "start" operation with Kubernetes)
        --image-source <string>
            Source for container images (e.g., "ghcr.io/idaholab/malcolm"; only for "start" operation with Kubernetes)
        --image-tag <string>
            Tag for container images (e.g., "25.04.0"; only for "start" operation with Kubernetes)
        --delete-namespace [DELETENAMESPACE]
            Delete Kubernetes namespace (only for "wipe" operation with Kubernetes)
      ...
    • improvements to Malcolm's vanilla Kubernetes manifests

      • lowered the amount of storage for the persistent volumes in the AWS EFS example
      • replaced name label with app label for deployments in accordance with best practices
    • improve links on landing page for NetBox and auth to accurately reflect what Malcolm is using

    • added more smarts to the NGINX startup script to dynamically set up upstreams that may or may not exist based on enabled or disabled Malcolm features

    • fixed a minor issue in the script setting up Zeek intelligence updates where it would remove its own lockfile

  • ✅ Component version updates

    • Alpine Linux v3.21
    • Arkime v5.6.4 to resolve RCE vulnerabilities, as described in the #announcements channel on the Arkime Slack:
      • possible to bypass forced expressions for some API calls
      • direct access to OpenSearch/Elasticsearch could be used to create session documents that hang viewer or have viewer execute code
      • since Arkime 5.1.0 any arkimeUser user could create OpenSearch/Elasticsearch documents in any index that viewer had access to
    • Keycloak v26.2
    • NetBox v4.2.8
    • netbox-initializers v4.2.0
    • netbox-topology v4.2.1
    • Fluent Bit v4.0.1
  • 🐛 Bug fixes

    • API tokens created in NetBox still require authentication through NGINX reverse proxy (cisagov/Malcolm#383)
    • adjust Logstash health check so K8s liveness probe doesn't kill it (cisagov/Malcolm#630)
    • be more resilient in zeekctl status checks in zeekdeploy.sh (cisagov/Malcolm#652)
    • in deployments with multiple zeek-live containers, each container's restarting causes the others to restart zeek (cisagov/Malcolm#651)
  • 🧹 Code and project maintenance

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov

How to Use Wireshark Filters to Analyze Your Network Traffic

This tutorial covers both foundational and advanced skills in using Wireshark:
➡️ Wireshark is a leading network protocol analyzer for capturing and dissecting packets.
➡️ Wireshark filters dramatically reduce analysis time by isolating relevant packets.
➡️ Mastering filter syntax enables identification of unusual traffic patterns and security threats.

https://www.freecodecamp.org/news/use-wireshark-filters-to-analyze-network-traffic/

#Cybersecurity #NetworkTrafficAnalysis #Wireshark

This has been a busy month for Malcolm! I pushed hard to get v25.03.0 out earlier this month, as it contained pretty much just the Keycloak integration one of our partners (and major funding sources) was waiting for. Rather than wait until April for the other stuff that would have gone into the regular end-of-the-month release, I decided to pull those items into this smaller release just a week and a half after the last one.

Malcolm v25.03.1 contains a few enhancements, bug fixes, and several component version updates, including one that addresses a CVE that may affect Hedgehog Linux Kiosk mode and Malcolm's API container.

NOTE: If you have not already upgraded to v25.03.0, read the notes for v25.02.0 and v25.03.0 and follow the Read Before Upgrading instructions on those releases.

Changes in this release

  • ✨ Features and enhancements
    • Incorporate new S7comm device identification log, s7comm_known_devices.log (#622)
    • Display current PCAP, Zeek, and Suricata capture results in Hedgehog Linux Kiosk mode (#566)
    • Keycloak authentication: configurable group or role membership restrictions for login (#633) (see Requiring user groups and realm roles)
    • Mark newly-discovered and uninventoried devices in logs during NetBox enrichment (#573)
    • Added "Apply recommended system tweaks automatically without asking for confirmation?" question to install.py to allow the user to accept changes to sysctl.conf, grub kernel parameters, etc., without having to answer "yes" to each one.
  • ✅ Component version updates
  • 🐛 Bug fixes
    • Fix install.py error when answering yes to "Pull Malcolm images?" with podman (#604)
    • Order of user-provided tags from PCAP upload interface not preserved (#624)
  • 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux
  • 🧹 Code and project maintenance
    • Ensure Malcolm's NetBox configuration Python scripts are baked into the image in addition to bind-mounting them in docker-compose.yml at runtime.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #SSO #OIDC #Keycloak #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov

Malcolm v25.03.0 adds 🔐 authentication via Keycloak and all that entails: single sign-on (SSO), identity providers, federation of LDAP/Kerberos servers, and more! Malcolm can connect to an existing Keycloak server or it can use its own embedded Keycloak instance. This release also includes a few component version updates.

Please read the release notes from this release and from v25.02.0 for some things to check prior to updating.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #SSO #OIDC #Keycloak #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov

#DHS #CISA is big on the building community aspect of #Malcolm right now, so as part of that we'll be having our first "Malcolm Office Hours" this Thursday. The plan is to have this monthly, every third Thursday, at 12pm Eastern time for 30 minutes. Details for the office hours can be found here. We'll be figuring out what works with this as we go and adjusting the format as needed. We hope to see any of you who might be interested there!

#HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #CISAgov

🏒 Malcolm "Office Hours" · cisagov Malcolm · Discussion #615

The Cybersecurity and Infrastructure Security Agency (CISA) invites you to join Malcolm External Office Hours. The virtual office hours will take place every third Thursday of the month at 12:00 p....

Malcolm v25.02.0 contains some major performance improvements, a few smaller new features and enhancements, several component version updates, bug fixes, and documentation updates. See the release notes for more details.

  • ✨ Features and enhancements
    • performance improvements (4x faster) for NetBox enrichment (#547) and autopopulation
    • performance improvements (18x faster) for Suricata's processing of uploaded PCAP files (#457)
    • include corelight/zeek-long-connections plugin to log long connections (#585)
    • significant work-in-progress towards support for Sigma rules via OpenSearch Security Analytics (still incomplete due to some blocking issues upstream, see #475 for details)
  • ✅ Component version updates

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov

Malcolm v25.01.0 contains quite a few UI/UX improvements; new parsers; a bevy of component version updates including to Arkime, Zeek, NetBox; and several bug fixes.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov
