Malcolm v24.10.1

[mmguero]

Malcolm v24.10.1 contains some minor improvements, a few component version updates, a fix for a regression bug, and a fair amount of code cleanup.

v24.10.0...v24.10.1

• Features and enhancements
  • Update AWS AMI build scripts and demo setup scripts to use Amazon Linux 2023 instead of Amazon Linux 2 (update AWS AMI build instructions and some demo setup scripts to use Amazon Linux 2023 instead of Amazon Linux 2 idaholab/Malcolm#591)
  • Add support for websocket.log (add support for websocket.log idaholab/Malcolm#593)
  • Add a "readiness" API that can be used to determine if various Malcolm services are ready (add a "readiness" API that can be used to determine if various Malcolm services are ready idaholab/Malcolm#598)
• Component version updates
  • beats to v8.15.3
  • Logstash to v8.15.3
  • supercronic to v0.2.33
• Bug fixes
  • Fixed OpenSearch anomaly detection default detectors not being created (regression, opensearch anomaly detection default detectors are not being created idaholab/Malcolm#596)
• Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux
  • Malcolm
    • ZEEK_JA4SSH_PACKET_COUNT (with a default of 200) has been added to ./config/zeek.env, which can be used to set logging interval number of packets for ja4ssh.log (provide configuration option in local.zeek to set number of packets for ja4ssh.log idaholab/Malcolm#508)
  • Hedgehog Linux
    • ZEEK_JA4SSH_PACKET_COUNT has been added to control_vars.conf for the same purpose as described above
• Code and project maintenance
  • Examine distro hardening, fix and update documentation as needed for Malcolm and Hedgehog Linux ISO-installed environments (examine hardening, fix and update documentation as needed idaholab/Malcolm#328)
  • Refactoring and code cleanup in the Logstash Zeek pipeline (some cleanup and improvements of the zeek logstash pipeline idaholab/Malcolm#592)
  • Logstash container initialization code now automatically ensures that the Zeek TSV log parsing filters (dissect and split filters) in these files are looking for TAB characters (i.e., automatically replace spaces with tabs in these filter files in case the author forgot to do so) (some cleanup and improvements of the zeek logstash pipeline idaholab/Malcolm#592)
  • Did some code cleanup in the ./shared/bin directory, mostly moving things that were specific to either the Malcolm or Hedgehog Installer ISO environments out of shared and into their respective locations for the ISO installer build.
  • When doing the aquasecurity/trivy-action action, use TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db to try to fall back to an alternative official location for the vulnerability database if the first one fails. Also, pin this action to the v0.28.0 release rather than setting it to master.
  • As it's used pretty ubiquitously in shared scripts by many of the Malcolm containers, the jq utility is now installed across the board during the container image build.
  • Added a script to gather GitHub API metrics for Malcolm downloads (script to gather GitHub API metrics for Malcolm downloads idaholab/Malcolm#594)

Official ISO installer images for Malcolm and Hedgehog Linux can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split into 2GB chunks and can be reassembled with scripts provided for both Bash (release_cleaver.sh) and PowerShell (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

---

This discussion was created from the release Malcolm v24.10.1.