Seth Grover<p><a href="https://github.com/idaholab/Malcolm/releases/tag/v25.04.1" rel="nofollow noopener noreferrer" target="_blank">Malcolm v25.04.1</a> contains new features and improvements, component version updates, bug fixes, and other great stuff.</p><p>For these notes, I'm lumping v25.04.0 and v25.04.1 together, as v25.04.1 was released only two days after v25.04.0 in order to update Arkime to <a href="https://github.com/arkime/arkime/blob/6eaf2ee53a808cece94cec887cf8f058e0441a5c/CHANGELOG#L39-L42" rel="nofollow noopener noreferrer" target="_blank">v5.6.4</a> which mitigates newly-discovered remote code execution (RCE) vulnerabilities.</p><p><a href="https://github.com/idaholab/Malcolm/compare/v25.03.1...v25.04.1" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/idaholab/Malcolm/co</span><span class="invisible">mpare/v25.03.1...v25.04.1</span></a></p><ul><li><p>✨ Features and enhancements</p><ul><li>add option to use external NetBox instance (<a href="https://github.com/cisagov/Malcolm/issues/597" rel="nofollow noopener noreferrer" target="_blank">cisagov/Malcolm#597</a>)</li><li>add <code>-q</code>/<code>--quiet</code> option for <code>start</code>/<code>restart</code> (<a href="https://github.com/cisagov/Malcolm/issues/656" rel="nofollow noopener noreferrer" target="_blank">cisagov/Malcolm#656</a>)</li><li>handle non-HTTPS arkime case (<a href="https://github.com/cisagov/Malcolm/issues/629" rel="nofollow noopener noreferrer" target="_blank">cisagov/Malcolm#629</a>)</li><li><p>lots of improvements to <code>control.py</code> and <code>install.py</code> for Kubernetes deployment</p><ul><li>improved <code>start</code>/<code>stop</code>/<code>wipe</code> control script behavior</li><li>allow providing resource requests in manifests via YML file and command-line argument</li></ul><pre><code>...<br>Kubernetes:<br> -n, --namespace <string><br> Kubernetes namespace<br> 
--skip-persistent-volume-checks [SKIPPERVOLCHECKS]<br> Skip checks for PersistentVolumes/PersistentVolumeClaims in manifests (only for "start" operation with Kubernetes)<br> --no-capture-pods [NOCAPTUREPODSSTART]<br> Do not deploy pods for traffic live capture/analysis (only for "start" operation with Kubernetes)<br> --no-capabilities [NOCAPABILITIES]<br> Do not specify modifications to container capabilities (only for "start" operation with Kubernetes)<br> --inject-resources [INJECTRESOURCES]<br> Inject container resources from kubernetes-container-resources.yml (only for "start" operation with Kubernetes)<br> --image-source <string><br> Source for container images (e.g., "ghcr.io/idaholab/malcolm"; only for "start" operation with Kubernetes)<br> --image-tag <string> Tag for container images (e.g., "25.04.0"; only for "start" operation with Kubernetes)<br> --delete-namespace [DELETENAMESPACE]<br> Delete Kubernetes namespace (only for "wipe" operation with Kubernetes)<br>...<br></code></pre></li><li><p>improvements to Malcolm's vanilla Kubernetes manifests</p><ul><li>lowered the amount of storage for the persistent volumes in the AWS EFS example</li><li>replaced <code>name</code> label with <code>app</code> label for deployments in accordance with best practices</li></ul></li><li><p>improve links on landing page for NetBox and auth to accurately reflect what Malcolm is using</p></li><li><p>added more smarts to the NGINX startup script to dynamically set up upstreams that may or may not exist based on enabled or disabled Malcolm features</p></li><li><p>fixed a minor issue in the script setting up Zeek intelligence updates where it would remove its own lockfile</p></li></ul></li><li><p>✅ Component version updates</p><ul><li>Alpine Linux <a href="https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.21.0" rel="nofollow noopener noreferrer" target="_blank">v3.21</a></li><li>Arkime <a 
href="https://github.com/arkime/arkime/blob/6eaf2ee53a808cece94cec887cf8f058e0441a5c/CHANGELOG#L39-L42" rel="nofollow noopener noreferrer" target="_blank">v5.6.4</a> to <a href="https://github.com/arkime/arkime/pull/3188" rel="nofollow noopener noreferrer" target="_blank">resolve</a> RCE vulnerabilities, as described in the #announcements channel on the <a href="https://arkime.slack.com/" rel="nofollow noopener noreferrer" target="_blank">Arkime slack</a>:<ul><li>possible to bypass forced expressions for some API calls</li><li>direct access to OpenSearch/Elasticsearch could be used to create session documents that hang viewer or have viewer execute code</li><li>since Arkime 5.1.0 any arkimeUser user could create OpenSearch/Elasticsearch documents in any index that viewer had access to</li></ul>Note that the last two items combine: since Arkime 5.1.0 an arkimeUser-level account could write the crafted session documents itself, so the issue is reachable by any authenticated Arkime user and not only by someone with direct OpenSearch/Elasticsearch access. Updating to v5.6.4 is the fix; restricting network access to the data store alone does not close it.</li><li>Keycloak <a href="https://www.keycloak.org/docs/latest/release_notes/index.html#keycloak-26-2-0" rel="nofollow noopener noreferrer" target="_blank">v26.2</a></li><li>NetBox <a href="https://github.com/netbox-community/netbox/releases/tag/v4.2.8" rel="nofollow noopener noreferrer" target="_blank">v4.2.8</a></li><li>netbox-initializers <a href="https://github.com/tobiasge/netbox-initializers/releases/tag/v4.2.0" rel="nofollow noopener noreferrer" target="_blank">v4.2.0</a></li><li>netbox-topology-views <a href="https://github.com/netbox-community/netbox-topology-views/releases/tag/v4.2.1" rel="nofollow noopener noreferrer" target="_blank">v4.2.1</a></li><li>Fluent Bit <a href="https://github.com/fluent/fluent-bit/releases/tag/v4.0.1" rel="nofollow noopener noreferrer" target="_blank">v4.0.1</a></li></ul></li><li><p>🐛 Bug fixes</p><ul><li>API tokens created in NetBox still require authentication through NGINX reverse proxy (<a href="https://github.com/cisagov/Malcolm/issues/383" rel="nofollow noopener noreferrer" 
target="_blank">cisagov/Malcolm#383</a>)</li><li>adjust Logstash health check so K8s liveness probe doesn't kill it (<a href="https://github.com/cisagov/Malcolm/issues/630" rel="nofollow noopener noreferrer" target="_blank">cisagov/Malcolm#630</a>)</li><li>be more resilient in <code>zeekctl</code> status checks in <code>zeekdeploy.sh</code> (<a href="https://github.com/cisagov/Malcolm/issues/652" rel="nofollow noopener noreferrer" target="_blank">cisagov/Malcolm#652</a>)</li><li>in deployments with multiple zeek-live containers, each container's restarting causes the others to restart zeek (<a href="https://github.com/cisagov/Malcolm/issues/651" rel="nofollow noopener noreferrer" target="_blank">cisagov/Malcolm#651</a>)</li></ul></li><li><p>🧹 Code and project maintenance</p><ul><li><a href="https://malcolm.fyi/docs/custom-rules.html#Logstash" rel="nofollow noopener noreferrer" target="_blank">document</a> customizing Malcolm with an additional output pipeline (<a href="https://github.com/cisagov/Malcolm/issues/643" rel="nofollow noopener noreferrer" target="_blank">cisagov/Malcolm#643</a>)</li><li>overhaul <a href="https://malcolm.fyi/docs/aws.html#AWS" rel="nofollow noopener noreferrer" target="_blank">"deploying Malcolm on AWS"</a> documentation (<a href="https://github.com/cisagov/Malcolm/issues/655" rel="nofollow noopener noreferrer" target="_blank">cisagov/Malcolm#655</a>)</li></ul></li></ul><p><a href="https://malcolm.fyi/" rel="nofollow noopener noreferrer" target="_blank">Malcolm</a> is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻♀️.</p><p>Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. 
This makes Malcolm deployable with frameworks like Docker 🐋, <a href="https://malcolm.fyi/docs/quickstart.html#DockerVPodman" rel="nofollow noopener noreferrer" target="_blank">Podman</a> 🦭, and <a href="https://malcolm.fyi/docs/kubernetes.html#Kubernetes" rel="nofollow noopener noreferrer" target="_blank">Kubernetes</a> ⎈. Check out the <a href="https://malcolm.fyi/docs/quickstart.html" rel="nofollow noopener noreferrer" target="_blank">Quick Start</a> guide for examples on how to get up and running.</p><p>Alternatively, dedicated official <a href="https://malcolm.fyi/docs/malcolm-hedgehog-e2e-iso-install.html#InstallationExample" rel="nofollow noopener noreferrer" target="_blank">ISO installer images</a> 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's <a href="https://github.com/idaholab/Malcolm/releases" rel="nofollow noopener noreferrer" target="_blank">releases page</a> on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (<a href="https://github.com/idaholab/Malcolm/blob/main/scripts/release_cleaver.sh" rel="nofollow noopener noreferrer" target="_blank"><code>release_cleaver.sh</code></a>) and PowerShell 🪟 (<a href="https://github.com/idaholab/Malcolm/blob/main/scripts/release_cleaver.ps1" rel="nofollow noopener noreferrer" target="_blank"><code>release_cleaver.ps1</code></a>). 
See <a href="https://malcolm.fyi/docs/download.html#DownloadISOs" rel="nofollow noopener noreferrer" target="_blank"><strong>Downloading Malcolm - Installer ISOs</strong></a> for instructions.</p><p>As always, join us on the <a href="https://github.com/cisagov/Malcolm/discussions" rel="nofollow noopener noreferrer" target="_blank">Malcolm discussions board</a> 💬 to engage with the community, or pop some corn 🍿 and <a href="https://www.youtube.com/@malcolmnetworktrafficanalysis/playlists" rel="nofollow noopener noreferrer" target="_blank">watch a video</a> 📼.</p><p><a href="https://infosec.exchange/tags/Malcolm" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malcolm</span></a> <a href="https://infosec.exchange/tags/HedgehogLinux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HedgehogLinux</span></a> <a href="https://infosec.exchange/tags/Zeek" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Zeek</span></a> <a href="https://infosec.exchange/tags/Arkime" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Arkime</span></a> <a href="https://infosec.exchange/tags/NetBox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NetBox</span></a> <a href="https://infosec.exchange/tags/OpenSearch" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenSearch</span></a> <a href="https://infosec.exchange/tags/Elasticsearch" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Elasticsearch</span></a> <a href="https://infosec.exchange/tags/Suricata" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Suricata</span></a> <a href="https://infosec.exchange/tags/PCAP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PCAP</span></a> <a href="https://infosec.exchange/tags/NetworkTrafficAnalysis" 
class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NetworkTrafficAnalysis</span></a> <a href="https://infosec.exchange/tags/networksecuritymonitoring" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>networksecuritymonitoring</span></a> <a href="https://infosec.exchange/tags/OT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OT</span></a> <a href="https://infosec.exchange/tags/ICS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ICS</span></a> <a href="https://infosec.exchange/tags/icssecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>icssecurity</span></a> <a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://infosec.exchange/tags/Cyber" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cyber</span></a> <a href="https://infosec.exchange/tags/Infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Infosec</span></a> <a href="https://infosec.exchange/tags/INL" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>INL</span></a> <a href="https://infosec.exchange/tags/DHS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DHS</span></a> <a href="https://infosec.exchange/tags/CISA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CISA</span></a> <a href="https://infosec.exchange/tags/CISAgov" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CISAgov</span></a></p>