Malcolm v25.11.0

Malcolm v25.11.0 includes an overhaul of the install.py installation/configuration script, a few bug fixes, and some component version updates.

v25.09.0...v25.11.0

• ✨ Features and enhancements
  • We're in the process of majorly overhauling our install.py script (#395) used for setting up a Linux or MacOS system to run Malcolm and for configuring Malcolm's runtime options. There are future updates still to come (#766) but for now the command-line and dialog-based interfaces' functionality and backend are in place. The step-by-step wizard has been replaced with a menu-based interface that allows for changing individual values without having to step through the whole set of questions. The Docker-based Malcolm installation example on Ubuntu and end-to-end installation example have useful information about this change, as does the command-line arguments document. We've done a lot of testing on what's a complete rewrite of this, but there is a possibility we missed something; if you find an issue with the new install/configure script, please open a discussion or log a bug and let us know. For the next release or so, we're leaving the legacy installer in place as scripts/legacy_install.py which could be used in a pinch (e.g., run scripts/legacy_install.py --configure for the old configuration menu).
  • We've incorporated a new "Connections Tree" visualization. This visualization tracks the potential of lateral movement based on the observed communications between all devices that reach a root node, identified by IP address. It gives a high-level view showing both direct and indirect connetions between the root IP and all of its destinations, regardless of time, along with enriched data for each endpoint and connection.
  • Updates to the Validated Design Architecture Review (VADR) dashboards.
  • The OpenSearch container now includes the repository-s3 plugin, useful for those who wish to configure OpenSearch's snapshots to save to S3-compatible buckets.
• ✅ Component version updates
  • Arkime to v5.8.2
  • Fluent Bit to v4.1.1
  • Keycloak to v26.4.2
  • OpenResty to v1.27.1.2
  • OpenSearch Dashboards to v3.3.0
  • OpenSearch to v3.3.2
  • supercronic to v0.2.38
  • yq to v4.48.1
  • Zeek to v8.0.3
• 🐛 Bug fixes
  • Double imports when restarting Malcolm (#588) (thanks @KchChr)
• 🧹 Code and project maintenance
  • Refactored a number of Python functions to reduce cyclomatic complexity (#765, work ongoing)
• 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux. The Malcolm control script (e.g., ./scripts/status, ./scripts/start, etc.) should take care of creating new variables and migrating existing ones as needed based on the rules in ./config/env-var-actions.yml without intervention on the user's part.
  • Malcolm
    • NGINX_RESOLVER_IPV4_OFF and NGINX_RESOLVER_IPV6_OFF have been renamed to NGINX_RESOLVER_IPV4 and NGINX_RESOLVER_IPV6, respectively, and their logic reversed, in nginx.env.

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.