Malcolm v25.09.0 includes new features and available customizations, improvements to Threat Intelligence, component version updates, and several important bug fixes.

v25.08.1...v25.09.0

• ✨ Features and enhancements
  • improve Modbus register tracking with new modbus_detailed.log (#762)
  • add non-LVM option(s) for Malcolm/Hedgehog Linux ISO installers (#725)
  • allow configuring default search time frame for OpenSearch Dashboards (#724)
  • allow customizing maximum upload file size (#769)
  • add Arkime capture statistics to the Packet Capture Statistics dashboard (#703)
  • integrate Validated Architecture Design Review (VADR) dashboards (#780)
  • Threat Intelligence improvements
    • support Google Threat Intelligence feed for building Zeek intel source (#758)
    • renamed Zeek Intelligence dashboard to Threat Intelligence and improved it
    • links from context menu items in Arkime and Dashboards (like reference URLs for IOCs) now ask the user before navigating to external sites
  • Added icons with links to "ready" and "ingest statistics" APIs to landing page
  • Include tx-rx-secure.sh in files packaged by malcolm_appliance_packager.sh
• ✅ Component version updates
  • Arkime to v5.8.0
  • NetBox to v4.3.7
  • yq to v4.47.2
  • Fluent Bit to v4.0.10
• 🐛 Bug fixes
  • Python code handling X-Forwarded- headers should do case insensitive lookup (#764)
  • uploaded PCAPs that result in no filename-derived tags erroneously end up with internal tags on them (#774)
  • installer option for encrypted storage are not marking secondary data/artifact storage for encryption (#779)
  • Malcolm/Hedgehog Linux ISO-installed environments' auditd service fails to start (#761)
  • Failed shard query error on Overview dashboard (#754)
• 🧹 Code and project maintenance
  • refactor GitHub build actions for Malcolm Docker images to reduce duplication (#717)
• 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux. The Malcolm control script (e.g., ./scripts/status, ./scripts/start, etc.) should take care of creating new variables and migrating existing ones as needed based on the rules in ./config/env-var-actions.yml.
  • Malcolm
    • PCAP_UPLOAD_MAX_FILE_GB added to upload-common.env to allow configuring maximum PCAP upload size (#769)
    • DASHBOARDS_TIMEPICKER_FROM and DASHBOARDS_TIMEPICKER_TO added to dashboards-helper.env to allow configuring default search time frame for OpenSearch Dashboards (#724)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

Malcolm v25.08.1 consists of several major component updates and a few bug fixes.

v25.08.0...v25.08.1

If you are updating from a version older than v25.06.0, please read those release notes prior to updating to this version.

• ✨ Features and enhancements
  • Added Redis transport protocol and dashboard
• ✅ Component version updates
  • Beats to v8.19.2
  • Debian to v13 (cisagov/Malcolm#744) for ISO installer images and Debian-based containers
  • Fluent Bit to v4.0.8
  • Logstash to v8.19.2
  • NetBox to v4.3.6
  • OpenSearch and OpenSearch Dashboards to v3.2.0 (cisagov/Malcolm#751)
  • Supervisor to v4.3.0
  • Zeek to v8.0.1 (cisagov/Malcolm#750)
• 🐛 Bug fixes
  • Query workbench (SQL and PPL) is broken due to something to do with network index pattern field aliases (cisagov/Malcolm#746)
  • Zeek containers need to be limited in max number of open files or memory grows very large (cisagov/Malcolm#747)
  • avoid OpenSearch search shard failures by including unspecified roles in indexes during NetBox enrichment #(cisagov/Malcolm#749)
  • differences in MISP object/attribute formatting cause Malcolm to ignore some threat feed indicators (cisagov/Malcolm#753)
  • NetBox sites used for development testing included in release artifacts (cisagov/Malcolm#755)
  • wipe script no longer removes .gitignore files
• 🧹 Code and project maintenance
  • Standardized the way Python scripts in Malcolm (both in the containers and the control scripts) do debug/informational logging (increase logging level with -v, -vv, -vvv, etc.)
  • Removed vagrant-sshfs requirement from vagrant-based ISO builds in favor of Vagrant's builtin rsync mechanism

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

Malcolm v25.08.0 is a minor release fixing a regression bug inadvertently introduced in v25.07.0.

v25.07.0...v25.08.0

If you are updating from a version older than v25.06.0, please read those release notes prior to updating to this version.

• ✨ Features and enhancements
  • Performance improvements to the clean-processed-folder.py script in the filebeat container responsible for pruning already-processed Zeek and Suricata log files (#736)
• 🐛 Bug fixes
  • Malcolm fields are not created in Arkime (#735)
    • Due to this commit, the order in which the Arkime fields database was initialized and the WISE service started was switched, which resulted in the initial run of capture (responsible for populating Malcolm's custom fields) failing. The order of these operations has been corrected.
• 📄 Configuration changes (in environment variables in ./config/) for Malcolm. The Malcolm control script (e.g., ./scripts/status, ./scripts/start, etc.) should take care of creating new variables and migrating existing ones as needed based on the rules in ./config/env-var-actions.yml.
  • FILEBEAT_CLEANUP_VERBOSITY and added to filebeat.env to control the verbosity of the clean-processed-folder.py script mentioned above in relation to #736. For example, setting FILEBEAT_CLEANUP_VERBOSITY=-vvvv corresponds to the DEBUG log level, and will produce output like this once per minute:

  filebeat-1  | 2025-08-07T20:23:00Z  /usr/local/bin/clean-processed-folder.py: Found 2099 Zeek processed directory files to consider.
  filebeat-1  | 2025-08-07T20:23:00Z  /usr/local/bin/clean-processed-folder.py: Found 135 Zeek live directory files to consider.
  filebeat-1  | 2025-08-07T20:23:00Z  /usr/local/bin/clean-processed-folder.py: Checked 2099 Zeek processed directory files at a rate of 10804 files/second.
  filebeat-1  | 2025-08-07T20:23:00Z  /usr/local/bin/clean-processed-folder.py: Checked 135 Zeek live directory files at a rate of 1411 files/second.
  filebeat-1  | 2025-08-07T20:23:00Z  /usr/local/bin/clean-processed-folder.py: Found 161 Suricata files to consider.
  filebeat-1  | 2025-08-07T20:23:00Z  /usr/local/bin/clean-processed-folder.py: Checked 161 Suricata files at a rate of 18018 files/second.
  filebeat-1  | 2025-08-07T20:23:00Z  /usr/local/bin/clean-processed-folder.py: Finished pruning files.
  

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov

NOTE: A regression has been found (#735) in v25.07.0 that can cause the Malcolm fields to not get populated in Arkime's fields database when a new Malcolm instance is initialized. A fix is in the works. It's recommended you wait to upgrade until v25.08.0 (which should be released 2025-08-06).

Malcolm v25.07.0 includes quite a few new features and enhancements, performance improvements, bug fixes, and component version updates.

If you are updating from a version older than v25.06.0, please read those release notes prior to updating to this version.

v25.06.0...v25.07.0

• ✨ Features and enhancements
  • Add IANA service name and description enrichment to Zeek's known_services.log (#705)
  • Improve the speed of pruning files (#710)
  • allow multiple instance of Suricata in PCAP processing mode via UNIX socket (#707)
  • expose Arkime WISE tagging features to the user (#377)
  • handle comma- or semicolon-separated directories for PCAP_PROCESSED_DIRECTORY (to support new live PCAP processing method in Malcolm-Helm) (#702)
  • handle new OPCUA Binary summary logs (#709)
  • incorporate new ANSI C12.22 parser and add corresponding dashboard (#708)
  • overhauled instructions for Deploying Malcolm on Amazon Web Services (AWS) including deploying Malcolm on Amazon Elastic Kubernetes Service (EKS) in Auto Mode
  • install.py script is now a bit more robust in trying to help ensure the correct packages and Python libraries are installed
• ✅ Component version updates
  • Fluent Bit to v4.0.5
  • Arkime v5.7.1
  • Supercronic v0.2.34
  • OpenSearch and OpenSearch Dashboards v3.1.0
  • Keycloak v26.2.5
  • yq v4.47.1
  • NetBox v4.3.4
    • NetBox Initializers plugin v4.3.0
    • NetBox Topology Views plugin v4.3.0
  • Zeek v7.2.2
  • Spicy v1.13.2
  • urllib3 Python Library to v2.5.0 (addresses CVE-2025-50181)
  • ICSNPP Zeek network analyzer updates
    • BACnet parser fixes for previously unsupported services (see cisagov/icsnpp-bacnet#50 and cisagov/icsnpp-bacnet#51)
    • Ethernet/IP various fixes (cisagov/icsnpp-enip#34 (partial); cisagov/icsnpp-enip#35; cisagov/icsnpp-enip#36; cisagov/icsnpp-enip#37; cisagov/icsnpp-enip#38)
    • GENISYS minor updates (cisagov/icsnpp-genisys#25)
    • OPCUA Binary summary logs (cisagov/icsnpp-opcua-binary#102)
    • S7comm fixes for ACK message processing (cisagov/icsnpp-s7comm#19; cisagov/icsnpp-s7comm#20)
• 🐛 Bug fixes
  • zeek logs not cleaned by clean-processed-folder.py due to MIME type mismatch (#712)
  • packet capture statistics dashboard not working in Kibana (#704)
  • need to adjust shared object creation script (e.g., dashboards import) for new versions of Kibana (#713)
  • log fingerprinting needs to be examined to avoid unintentional collisions (#715)
  • install.py issues in Rocky Linux, Almalinux (#385)
  • OpenSearch container health check issue when OpenSearch is disabled (#716)
  • investigate NetBox API access via Malcolm's netbox endpoint and mapi endpoint (#701)
• 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux. The Malcolm control script (e.g., ./scripts/status, ./scripts/start, etc.) should take care of creating new variables and migrating existing ones as needed based on the rules in ./config/env-var-actions.yml.
  • Malcolm
    • VIEWER removed from arkime-live.env as its behavior is handled internally and should not be user-settable
    • VIEWER and WISE removed from arkime-offline.env as its behavior is handled internally and should not be user-settable
    • ARKIME_WISE_CONFIG_PIN_CODE and its default value added to arkime-secret.env, used for making changes to the WISE config in the WISE GUI
    • ARKIME_WISE_SERVICE_URL and its default value added to arkime-secret.env for specifying the connection to the WISE service
    • ARKIME_EXPOSE_WISE_GUI and ARKIME_ALLOW_WISE_GUI_CONFIG added to arkime.env to control the WISE GUI viewer/editor capability
    • LS_JAVA_OPTS in logstash.env changed its default heap size from 2500m to 3g
    • REMOTE_AUTH_HEADER, REMOTE_AUTH_USER_EMAIL, REMOTE_AUTH_USER_FIRST_NAME, and REMOTE_AUTH_USER_LAST_NAME values (not really used) changed in netbox.env as part of some reverse proxy HTTP header standardization
    • SURICATA_AUTO_ANALYZE_PCAP_PROCESSES added with its default, and the meaning and default of SURICATA_AUTO_ANALYZE_PCAP_THREADS changed in suricata-offline.env as part of #707
    • ZEEK_DISABLE_IANA_LOOKUP added to zeek.env as part of #705
    • variables related to ANSI C12.22 added to zeek.env to control analyzer and log output as part of #708
  • Hedgehog Linux
    • ARKIME_WISE_PLUGIN and ARKIME_WISE_URL added as part of #377
    • ZEEK_DISABLE_IANA_LOOKUP added as part of #705
    • variables related to ANSI C12.22 added as part of #708
• 🧹 Code and project maintenance
  • remove duplication and consolidate navigation pane content across all dashboards (#718)
  • standardized X-Forwarded- headers used internally by reverse proxy for RBAC
  • some cleanup/standardization of Ruby code used by Logstash to make it more idiomatic

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 ([release_cleaver.sh](https://github.com/cisagov/Ma...

Malcolm v25.06.0 includes a some new and oft-requested features, bug fixes, and component version bumps.

v25.05.0...v25.06.0

NOTE: As this Malcolm release enables the OpenSearch Security Plugin as described below, even inter-container access to OpenSearch must now be authenticated when using Malcolm's embedded OpenSearch instance. To accomplish this, an internal-use-only account and password is used for connecting to OpenSearch by Malcolm's other components as needed. This credential (saved in .opensearch.primary.curlrc in the Malcolm installation directory) needs to be generated before Malcolm starts up the first time after upgrading. To do so, please run ./scripts/auth_setup and select (Re)generate internal passwords for local primary OpenSearch instance. This credential is only used internally for OpenSearch and cannot be used to remotely access Malcolm.

• ✨ Features and enhancements
  • This release adds role-based access control (RBAC) to Malcolm (#460).
    • Malcolm's RBAC feature is based on Keycloak realm roles and is implemented in to layers:
      1. Whenever possible, Malcolm's backend Keycloak realm roles are mapped to the roles/groups/permissions features provided by the components that make up Malcolm, for example:
         • OpenSearch (provided by the OpenSearch Security plugin)
           • Configuring the Security backend
           • Modifying the YAML files
           • Predefined roles
         • Arkime
           • Note: As per @awick, until Arkime v6.0.0 is out, not all of the Arkime permissions can be set on roles. For now, then, Malcolm's Arkime roles are going to be handled purely based on URI path in the NGINX stuff as described below.
         • NetBox
           • Authentication & Permissions
           • Object-Based Permissions
           • Mastering NetBox User Access with Permission Constraints
      2. For other Malcolm components that don't implement their own permission management systems, Malcolm handles the enforcement roles based on request URIs in its NGINX proxy layer.
    • This is an optional feature. RBAC is only available when the authentication method is keycloak or keycloak_remote. With other authentication methods such as HTTP basic or LDAP, or when RBAC is disabled, all Malcolm users effectively have administrator privileges.
    • Because the OpenSearch Security Plugin requires TLS even internally, Malcolm's internal connections to the embedded OpenSearch instance, when used, are now all performed over HTTPS. However, this is all handled internally and should not behave or appear different to the user than it did in previous versions.
    • See the role-based access control documentation for more information on this feature.
  • Malcolm's embedded KeyCloak instance now automatically creates and configures the default client by ID, if specified in ./config/keycloak.env.
  • Allow user to specify subnet filters for NetBox autopopulation (#634)
    • This feature is especially useful for excluding dynamic address ranges such as those used by DHCP, which should generally not trigger autopopulation in NetBox. Since these addresses can change frequently and aren't tied to specific devices, including them could result in inaccurate or noisy inventory data. By fine-tuning which private subnets are included or excluded, users can ensure that only meaningful, typically static assignments are autopopulated.
  • Expose init arguments for Arkime's db.pl and also use them for Malcolm's creation of its own index templates (#692)
  • Extend Zeek's intel.log with additional fields using corelight/ExtendIntel (part 1) (#502)
    • This integrates the corelight/ExtendIntel plugin into Malcolm internally but does not significantly change how Malcolm presents intel.log to the user. Further work to do so will be continued in #695.
  • Some internal tweaks to the PCAP processing pipeline that are going to be leveraged by the Malcolm-Helm project (idaholab#630)
  • Handle a fix in the ICSNPP OPCUA-Binary plugin that adds a new sec_token_id field (cisagov/icsnpp-opcua-binary#101)
  • Moved the configuration for Zeek's use of the zeek-kafka plugin to its own file (kafka.zeek) to make it easier to override in Docker using a volume bind mount or in K8s using a configMap.
  • Changed some internal objects used for NetBox enrichment caching from Ruby's Concurrent::Hash to Concurrent::Map for better performance
  • Minor improvements to the icons, shortcuts, and convenience bash functions in the ISO-installed Malcolm desktop environment
  • NGINX now generates a robots.txt file to avoid web crawlers
• ✅ Component version updates
  • Alpine base Docker image to v3.22.0
  • Arkime to v5.7.0
  • capa to v9.2.1
  • flask-cors Python library to v6.0.0 to address CVE-2024-6839, CVE-2024-6844, and CVE-2024-6866
  • OpenSearch and OpenSearch Dashboards to v3.0.0
    • What To Expect
    • Announcing OpenSearch 3.0
    • Performance Improvements
  • opensearch-py Python library to v3.0.0
  • osd_transform_vis Dashboards visualization library to v3.0.0
  • requests Python library to v2.32.4 to address CVE-2024-47081
  • YARA to v4.5.3
  • Zeek to v7.2.1
• 🐛 Bug fixes
  • NetBox autodiscovery no longer populating host name from DNS, DHCP, NTLM (regression, #699)
  • documentation served at /readme is trying to pull fonts from use.fontawesome.com (#694)
  • support fractional gigabytes correctly when generating Arkime's config.ini setting maxFileSizeG from PCAP_ROTATE_MEGABYTES
  • Improved logstash filters that calculate unique hashes used as document IDs for Zeek and Suricata logs to better prevent duplicate logs from being written to the document store
• 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux. The Malcolm control script (e.g., ./scripts/status, ./scripts/start, etc.) should take care of creating new variables and migrating existing ones as needed based on the rules in ./config/env-var-actions.yml.
  • arkime.env's OPENSEARCH_MAX_SHARDS_PER_NODE has been moved to opensearch.env and renamed to CLUSTER_MAX_SHARDS_PER_NODE
  • auth-common.env's NGINX_LDAP_TLS_… variables have been moved to nginx.env
  • [auth-common.env](https://github.com/cisagov/Malcolm/b...

Malcolm v25.05.0 adds support for the Emerson ROC Plus protocol (including a Zeek analyzer and corresponding dashboard), component updates, and bug fixes.

v25.04.1...v25.05.0

• ✨ Features and enhancements
  • Added support for ROC Plus (#661)
  • Make Zeek metrics port configurable (thanks to @divinehawk) (cherry-picked from #668)
  • Improve ability to upload PCAP files via cURL
  • Minor UI improvements to desktop environment for Malcolm and Hedgehg Linux ISO-installed instances
• ✅ Component version updates
  • Fluent Bit to v4.0.2
  • yq v4.45.4
  • Zeek v7.2.0
• 🐛 Bug fixes
  • race condition in suricata offline container between pcap processing and suricata socket (#667)
  • NetBox autopopulation not working with prefixes correctly (#670) (regression)
  • ensure Arkime's queryExtraIndices config.ini setting is only set when Zeek/Suricata logs are using a different index pattern
  • set number_of_replicas cluster setting to 0 for embedded single-node OpenSearch instance to avoid yellow state
• 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux
  • added ZEEK_METRICS_PORT (default blank, meaning use the default port) in zeek.env and control_vars.conf for #668
  • added ZEEK_DISABLE_ICS_ROC_PLUS (default blank, meaning not disabled) in zeek.env and control_vars.conf for #661
• 🧹 Code and project maintenance
  • minor slides and documentation updates
  • Replace AWS Fargate documentation with AWS EKS Auto documentation

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

Malcolm v25.04.1 contains only one change: updating Arkime to v5.6.4 which mitigates newly-discovered remote code execution (RCE) vulnerabilities.

v25.04.0...v25.04.1

• ✅ Component version updates
  • Arkime v5.6.4 to resolve RCE vulnerabilities, as described below in the #announcements channel on the Arkime slack:
    • possible to bypass forced expressions for some API calls
    • direct access to OpenSearch/Elasticsearch could be used to create session documents that hang viewer or have viewer execute code
    • since Arkime 5.1.0 any arkimeUser user could create OpenSearch/Elasticsearch documents in any index that viewer had access to

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

Malcolm v25.04.0 contains new features and improvements, component version updates, bug fixes, and other great stuff.

v25.03.1...v25.04.0

• ✨ Features and enhancements

  • add option to use external NetBox instance (#597)

  • add -q/--quiet option for start/restart (#656)

  • handle non-HTTPS arkime case (#629)

  • lots of improvements to control.py and install.py for Kubernetes deployment

    • improved start/stop/wipe control script behavior
    • allow providing resource requests in manifests via YML file and command-line argument

    ...
    Kubernetes:
      -n, --namespace <string>
                            Kubernetes namespace
      --skip-persistent-volume-checks [SKIPPERVOLCHECKS]
                            Skip checks for PersistentVolumes/PersistentVolumeClaims in manifests (only for "start" operation with Kubernetes)
      --no-capture-pods [NOCAPTUREPODSSTART]
                            Do not deploy pods for traffic live capture/analysis (only for "start" operation with Kubernetes)
      --no-capabilities [NOCAPABILITIES]
                            Do not specify modifications to container capabilities (only for "start" operation with Kubernetes)
      --inject-resources [INJECTRESOURCES]
                            Inject container resources from kubernetes-container-resources.yml (only for "start" operation with Kubernetes)
      --image-source <string>
                            Source for container images (e.g., "ghcr.io/idaholab/malcolm"; only for "start" operation with Kubernetes)
      --image-tag <string>  Tag for container images (e.g., "25.04.0"; only for "start" operation with Kubernetes)
      --delete-namespace [DELETENAMESPACE]
                            Delete Kubernetes namespace (only for "wipe" operation with Kubernetes)
    ...
    

  • improvements to Malcolm's vanilla Kubernetes manifests

    • lowered the amount of storage for the persistent volumes in the AWS EFS example
    • replaced name label with app label for deployments in accordance with best practices

  • improve links on landing page for NetBox and auth to accurately reflect what Malcolm is using

  • added more smarts to the NGINX startup script to dynamically set up upstreams that may or may not exist based on enabled or disabled Malcolm features

  • fixed a minor issue in the script setting up Zeek intelligence updates where it would remove its own lockfile

• ✅ Component version updates
  • Alpine Linux v3.21
  • Arkime v5.6.3
  • Keycloak v26.2
  • NetBox v4.2.8
  • netbox-initializers v4.2.0
  • netbox-topology v4.2.1
  • Fluent Bit to v4.0.1
• 🐛 Bug fixes
  • API tokens created in NetBox still require authentication through NGINX reverse proxy (#383)
  • adjust Logstash health check so K8s liveness probe doesn't kill it (#630)
  • be more resilient in zeekctl status checks in zeekdeploy.sh (#652)
  • in deployments with multiple zeek-live containers, each container's restarting causes the others to restart zeek (#651)
• 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux
  • replaced NETBOX_DISABLED with NETBOX_MODE in netbox-common.env for #597
  • added NETBOX_URL in netbox-common.env for #597
  • added NETBOX_TOKEN in netbox-secret.env for #597
  • removed unused NETBOX_CRON variable from netbox-common.env
  • added LOGIN_REQUIRED, LOGIN_PERSISTENCE, and ISOLATED_DEPLOYMENT in netbox.env
  • added MALCOLM_NETWORK_INDEX_DEFAULT_PIPELINE, MALCOLM_NETWORK_INDEX_LIFECYCLE_NAME, MALCOLM_NETWORK_INDEX_LIFECYCLE_ROLLOVER_ALIAS, MALCOLM_OTHER_INDEX_DEFAULT_PIPELINE, MALCOLM_OTHER_INDEX_LIFECYCLE_NAME, MALCOLM_OTHER_INDEX_LIFECYCLE_ROLLOVER_ALIAS in opensearch.env for #642; these are used to support customizations in the index templates, primarily for when using a remote Elasticsearch instance as the backing document store
  • added EXTRACTED_FILE_ENABLE_VTOT in zeek.env rather than just relying on the presence of VTOT_API2_KEY in zeek-secret.env
• 🧹 Code and project maintenance
  • various minor documenation improvements
  • improvements to build and appliance packaging scripts (#640)
  • document customizing Malcolm with an additional output pipeline (#643)
  • overhaul "deploying Malcolm on AWS" documentation (#655)
  • integrate customizations from Malcolm-Helm as options in vanilla Malcolm (part 1) (#642)
  • put in version pinning for Python packages (#644)
  • remove redundant storage of URLs in documents as artifact of NetBox enrichment
  • removed references to AWS client access and secret keys from packer_vars.json.example and documentation for building AWS AMIs (for security, these variables are now passed in via environment variables on the command line in the examples)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

This has been a busy month for Malcolm! We pushed hard to get v25.03.0 out earlier this month, as it contained pretty much just the Keycloak integration one of our partners (and major funding sources) was waiting for. Rather than wait until April for the other stuff that would have gone into the regular end-of-the-month release, I decided to pull those items into this smaller release just a week and a half after the last one.

Malcolm v25.03.1 contains a few enhancements, bug fixes, and several component version updates, including one that addresses a CVE that may affect Hedgehog Linux Kiosk mode and Malcolm's API container.

v25.03.0...v25.03.1

NOTE: If you have not already upgraded to v25.03.0, read the notes for v25.02.0 and v25.03.0 and follow the Read Before Upgrading instructions on those releases.

• ✨ Features and enhancements
  • Incorporate new S7comm device identification log, s7comm_known_devices.log (#622)
  • Display current PCAP, Zeek, and Suricata capture results in Hedgehog Linux Kiosk mode (#566)
  • Keycloak authentication: configurable group or role membership restrictions for login (#633) (see Requiring user groups and realm roles)
  • Mark newly-discovered and uninventoried devices in logs during NetBox enrichment (#573)
  • Added "Apply recommended system tweaks automatically without asking for confirmation?" question to install.py to allow the user to accept changes to sysctl.conf, grub kernel parameters, etc., without having to answer "yes" to each one.
• ✅ Component version updates
  • Arkime to v5.6.2
  • evtx to v0.9.0
  • Fluent Bit to v3.2.10
  • gunicorn to v23.0.0 to address CVE-2024-6827, "Gunicorn HTTP Request/Response Smuggling vulnerability"
  • Zeek to v7.1.1
• 🐛 Bug fixes
  • Fix install.py error when answering yes to "Pull Malcolm images?" with podman (#604)
  • Order of user-provided tags from PCAP upload interface not preserved (#624)
• 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux
  • added NGINX_REQUIRE_GROUP and NGINX_REQUIRE_ROLE to auth-common.env to support Requiring user groups and realm roles for Keycloak authentication
• 🧹 Code and project maintenance
  • Ensure Malcolm's NetBox configuration Python scripts are baked into the image in addition to bind-mounting them in docker-compose.yml at runtime.

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

Malcolm v25.03.0 adds authentication via Keycloak and includes a few component version updates.

v25.02.0...v25.03.0

Read Before Upgrading

• As described below, a number of changes were made to environment variables in this release. The Malcolm control script should automatically migrate environment variables between Malcolm versions (e.g., moving environment variables from one .env file to another, removing deprecated/unused environment variables from .env files, etc.) as these actions are specified in config/env-var-actions.yml. However, these actions should be taking when migrating from a previous version of Malcolm to v25.03.0:
  • Before upgrading, while Malcolm is up, execute ./scripts/netbox-backup to backup the NetBox database and save the resulting .gz file(s) in case something goes wrong with the migration of the location of the PostgreSQL database or the environment variables associated with it. Should this happen, ./scripts/netbox-restore could be executed afterwards to restore the contents of the NetBox database.
  • If you have not already upgraded to v25.02.0, read the notes for that release and manually update the redis-related environment variables as described there.
  • Once updating to v25.03.0, but before starting Malcolm, run ./scripts/status to automatically migrate the other environment variables as described above.

Release Notes

• ✨ Features and enhancements
  • Support authentication via Keycloak (#459)
    • In addition to local account management and LDAP authentication, Malcolm can now utilize Keycloak, an identity and access management (IAM) tool, to provide a more robust authentication and authorization experience, including single sign-on (SSO) functionality.
    • Malcolm can connect to an existing Keycloak server or it can use its own embedded Keycloak instance.
    • While this feature has been developed and tested with Keycloak in mind, the lua-resty-openidc library used to implement the OpenID connection functionality may work with other OpenID providers as well. If you find this does work, let us know on the discussions board; if not, please log an issue with details.
    • This feature will pave the way for fine-grained access controls to be implemented in a future Malcolm version.
    • To support this feature, the postgres container has been decoupled from NetBox and now runs independent of that service. This is similar to what was done with the redis container in v25.02.0.
    • To support this feature, the vanilla NGINX web server used internally has been replaced with OpenResty, a version of NGINX extended with Lua.
    • New functionality was added to the authentication setup tool.
    • Refer to the new documentation on this feature for details, including a known limitation when using this authentication method with Hedgehog Linux.
  • Change to ./wipe command behavior
    • Prior to this release, running ./wipe also cleared the contents of the directory of the PostgreSQL database containing the NetBox inventory. PostgreSQL is now used to store both the NetBox inventory and the embedded Keycloak instance data. For this reason, and because it was probably not users' intention to blow away their network inventory with ./wipe, that script no longer deletes this data.
• ✅ Component version updates
  • OpenSearch and OpenSearch Dashboards to v2.19.1
  • Jinja2 to v3.1.6 to fix "Jinja2 vulnerable to sandbox breakout through attr filter selecting format method" vulnerability (CVE-2025-27516)
  • Fluent Bit to v3.2.8
  • Capa to v9.1.0
• 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux
  • the following are all to support authentication via Keycloak (#459)
    • renamed NGINX_BASIC_AUTH with NGINX_AUTH_MODE in auth-commmon.env; the new code handling this variable should be backwards-compatible with the previously-accepted values
    • added keycloak.env
    • renamed nginx-postgres to postgres.env and completely overhauled the variables in that file
    • added several new environment variables to nginx.env (see the comments in that file for details)
    • removed NETBOX_POSTGRES_DISABLED from in netbox-common.env

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.