
Malcolm v24.06.0

@mmguero mmguero released this 27 Jun 01:18
d745e24

Malcolm v24.06.0 contains new features, improvements, component version updates, and a few bug fixes.

v24.05.0...v24.06.0

NetBox: backwards compatibility-breaking change: This release of Malcolm updates NetBox from v3.6.7 to v4.0.6 for bug fixes, security updates, and the requirements for Malcolm to support enrichment with multiple NetBox sites. However, NetBox's built-in migrations do not appear to handle going from v3.6.7 to v4.0.6, so if you are using NetBox you will likely encounter errors upon updating to this release of Malcolm. Prior to upgrading, it is recommended that you navigate to Sites, IPAM > Prefixes, DCIM > Devices, and anywhere else you've populated NetBox data, click Export > All Data (CSV), and save those exports in case you need to recreate your NetBox inventory after upgrading. Malcolm's NetBox backup and restore will not work in this case. If you find NetBox has data errors after upgrading Malcolm, stop Malcolm and clear the NetBox inventory from your Malcolm installation directory (e.g., rm -rf ./netbox/postgres/* ./netbox/redis/*), then start Malcolm and recreate your NetBox inventory.
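The reset step above deletes the NetBox PostgreSQL and Redis data outright. The following helper, added here as an example and not one of Malcolm's own scripts, performs the same clearing of ./netbox/postgres and ./netbox/redis but moves the contents into a timestamped backup directory first, so a broken inventory can still be inspected or copied back if the CSV exports turn out to be incomplete. It assumes Malcolm has already been stopped and that the Malcolm installation directory is passed as the first argument.

```bash
#!/usr/bin/env sh
# Example helper (not part of Malcolm): clear the NetBox data directories
# the way the release notes describe, but keep a copy instead of rm -rf.
set -u

# reset_netbox_data <malcolm_dir> <backup_root>
# Moves everything under <malcolm_dir>/netbox/postgres and
# <malcolm_dir>/netbox/redis (dotfiles included) into
# <backup_root>/netbox-data-<timestamp>/{postgres,redis}, leaving the
# original directories in place but empty. Prints the backup directory.
reset_netbox_data() {
  malcolm_dir="$1"
  backup_root="$2"
  stamp="$(date +%Y%m%d-%H%M%S)"
  backup_dir="$backup_root/netbox-data-$stamp"
  mkdir -p "$backup_dir" || return 1
  for sub in postgres redis; do
    src="$malcolm_dir/netbox/$sub"
    # Skip a directory that does not exist (e.g. NetBox never started).
    [ -d "$src" ] || continue
    mkdir -p "$backup_dir/$sub" || return 1
    # find instead of a shell glob: catches dotfiles and copes with an
    # already-empty directory without expanding a literal '*'.
    find "$src" -mindepth 1 -maxdepth 1 -exec mv {} "$backup_dir/$sub/" \; \
      || return 1
  done
  printf '%s\n' "$backup_dir"
}

# Usage: sh reset_netbox.sh /path/to/malcolm   (stop Malcolm first)
if [ $# -gt 0 ]; then
  reset_netbox_data "$1" "$1/netbox-backups"
fi
```

After Malcolm is started again and the inventory has been recreated from the CSV exports, the netbox-backups directory can be removed.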

  • Features and enhancements
    • Support for multiple NetBox sites (idaholab#449)
      • Malcolm now supports enrichment from a NetBox inventory for asset interaction analysis across multiple sites. The NetBox site can be specified for uploaded PCAP, for a Hedgehog Linux sensor, and for Malcolm live capture.
    • JA4+ replaces the JA3 TLS fingerprinting standard from 2017 (see also this blog post) (idaholab#419)
    • Support uploading Windows Event Log evtx files (idaholab#465) and update associated dashboard
    • Document using GitHub runners to build Malcolm images (for contributors' guide, idaholab#491)
    • Generate new forwarder SSL keys on-the-fly when transferring between Malcolm and Hedgehog Linux (idaholab#492)
    • Incorporate ATT&CK-based Control-system Indicator Detection for Zeek (ACID) (idaholab#489), a collection of Operational Technology (OT) protocol indicators developed to alert on specific ATT&CK for ICS behaviors
    • Add platform architecture and machine boot time to Malcolm version API
    • Add links to the navigation pane of most dashboards to "other" dashboards for non-network log data (e.g., resource monitoring, Windows Event logs, etc.)
  • Component version updates
  • Bug fixes
    • Arkime viewer not rolling PCAPs (idaholab#484)
    • Free up space in GitHub runner environment building ISO images to avoid errors due to exhausted disk space
  • Configuration changes in environment variables
    • There are no significant changes or additions to the ./config/*.env environment variable files in Malcolm v24.06.0

Official ISO installer images for Malcolm and Hedgehog Linux can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split into 2GB chunks and can be reassembled with scripts provided for both Bash (release_cleaver.sh) and PowerShell (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.