github cisagov/Malcolm v23.07.0
Malcolm v23.07.0 [see EDIT at the top of the release notes]

16 months ago

EDIT - A bug in how Modbus traffic was parsed was discovered shortly after this release. A v23.07.1 release will be put out in the next day or so; you may want to wait for that.

Malcolm v23.07.0 is a feature release with a number of improvements, bug fixes and component updates.

v23.05.1...v23.07.0

  • New features

    • scan docker images built via GitHub actions for vulnerabilities using Trivy (idaholab#218)
    • document building and deploying Malcolm with an AWS AMI image (idaholab#205)
    • handle Arkime field actions (idaholab#200)
    • kubernetes: document how to get running on Amazon EKS (idaholab#194)
    • Populate NetBox inventory via passively-gathered network traffic metadata (basic functionality, work in progress) (idaholab#135)
  • Enhancements

    • use .tar.xz instead of .tar.gz for packaging Malcolm docker images for better compression (and smaller ISO file size)
    • Malcolm documentation edits (idaholab#204)
    • add option to enable SSH via password in hedgehog's configure-interfaces.py script (idaholab#158)
    • updated "Network Traffic Analysis with Malcolm" slides
    • use an init container in Kubernetes container startup to ensure necessary directories get created under PersistentVolume objects before startup
    • improvements to identifying source of third-party logs sent via fluent bit
    • don't do unnecessary clone of Zeek plugins, just install using URL
    • parse bacnet_device_control.log produced by the icsnpp-bacnet parser for Zeek
  • Bug fixes

    • maxlogins value includes tmux sessions, can lock user out of SSH (idaholab#214)
    • curl rc file for connecting to external OpenSearch without auth enabled causes logstash startup to fail (idaholab#209)
    • failure to parse some suricata alerts due to integer type which should be indexed as long (idaholab#206)
    • netbox-restore doesn't work in Kubernetes (idaholab#202)
    • PCAP File with no - in pcapng Fails to Upload (#265)
    • disable NetBox telemetry
  • Component version updates

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/.
