Tags: idaholab/Malcolm
Release v26.06.0

Squashed commit of the following:

commit e0b2e65
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Mon Jun 1 20:23:37 2026 +0000

    fix missing zeek.intel.kill_chain_phases field

commit 1ee11e1
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Mon Jun 1 14:39:38 2026 +0000

    point at dockerhub for redhat images

commit 1a9ed2c
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Mon Jun 1 14:31:55 2026 +0000

    bump uv, logstash, and beats

commit 0e21be1
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Mon Jun 1 14:14:29 2026 +0000

    fix for zeek container continually grows /usr/local/zeek/crontab, causing Malcolm performance to gradually worsen, cisagov#1015

commit c775d8c
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Mon Jun 1 13:13:46 2026 +0000

    return correct HTTP error code for exceptions

commit 86fa0f8
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Thu May 28 22:50:24 2026 +0000

    trigger build

commit 33e4c20
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Thu May 28 22:48:26 2026 +0000

    fix(filebeat/zeek): add application/x-rar as additional RAR MIME type alongside application/x-rar-compressed

    - Add application/x-rar to MIME type lists in filebeat-process-zeek-folder.sh, filebeat-watch-zeeklogs-uploads-folder.py, watch-pcap-uploads-folder.py, and clean-processed-folder.py
    - Add application/x-rar to ScanRar.yaml strelka scanner flavors
    - Add application/x-rar, application/vnd.rar, application/gzip, application/x-lzip, application/x-lzma, application/x-tar, application/x-xz to zeek extractor configs and logstash severity rules

commit ffe2817
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Thu May 28 21:52:30 2026 +0000

    fix(arkime): fix WISE auth detection in Keycloak mode and handle /wise without trailing slash

    - Add exact-match location = /wise to nginx_arkime_wise.conf to handle requests without trailing slash, routing to correct auth path
    - Replace HTTP status-only check in live_capture.sh with body+status check against /_ns_/nstest.html; a 200 with non-empty body indicates a Keycloak login page redirect rather than a successful WISE response

commit 381a66a
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Wed May 27 21:46:47 2026 +0000

    fix(auth): upgrade SFTP password hash from MD5-crypt to SHA-512 and tighten auth.env permissions

    - Replace openssl passwd -1 (MD5-crypt) with -6 (SHA-512-crypt) for SFTP credential
    - Change auth.env file permissions from 0644 to 0600 (owner read/write only)
    - Update .justfile, docs, and argparse help string to reflect new hash algorithm

commit c2550a7
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Wed May 27 21:14:43 2026 +0000

    don't provide a default for SUPERUSER_PASSWORD in netbox-secret.env

commit 3afb85a
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Wed May 27 21:08:03 2026 +0000

    fix(nginx): deny addtags/removetags to read-only users in nginx_readonly.conf

    - Add sessions?/(add|remove)tags to the Arkime deny-regex
    - Prevents users in read-only configurations from mutating session tags in OpenSearch

commit f2842eb
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Wed May 27 21:05:27 2026 +0000

    fix(upload): remove open redirect via HTTP_REFERER in submit.php

    - Replace Referer-based redirect with fixed /upload path

commit 80e3fa7
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Wed May 27 20:54:25 2026 +0000

    serve static assets for htadmin as it was done prior to mmguero-dev/Malcolm@1ec993d

commit 72bf09f
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Wed May 27 18:10:41 2026 +0000

    fix(nginx): make Keycloak SSL certificate verification configurable

    - Add KEYCLOAK_SSL_VERIFY environment variable (default: false)
    - Wire ssl_verify in nginx_auth_keycloak.conf (lua-resty-openidc, "yes"/"no")
    - Wire ssl_verify in nginx_auth_keycloak_basic.conf (lua-resty-http, boolean)
    - Wire ssl_verify in nginx_auth_helpers.lua refresh_token/introspect_token
    - Document in keycloak.env.example with default false for embedded Keycloak
    - Operators using external Keycloak should set KEYCLOAK_SSL_VERIFY=true

commit 645d7ec
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Wed May 27 17:20:52 2026 +0000

    fix(arkime): remove known default ARKIME_PASSWORD_SECRET to prevent forged auth cookies

    - Replace hardcoded default "Malcolm" with random 32-char secret at container startup
    - Ship empty value in arkime-secret.env.example instead of known default
    - Only prompt for confirmation in auth_setup if a password was actually entered, allowing intentional blank to accept the random startup-generated secret

commit a5c2af0
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Wed May 27 17:04:15 2026 +0000

    added /(auth|htadmin|admin_login) to admin rbac-gated check when RBAC is enabled

commit cefc81d
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Wed May 27 16:58:11 2026 +0000

    fix(api): remediate fail-open RBAC defaultdict and enroll missing handlers

    - Change defaultdict default from True to False to fail-closed on unenrolled handlers
    - Explicitly enroll ping and version as available to any authenticated user
    - Enroll redis_keyspace_info with appropriate role restrictions
    - Any future unenrolled route now returns 403 instead of silently passing

commit 9ba80f3
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Wed May 27 16:36:20 2026 +0000

    for nginx_readonly, add limit_except GET HEAD { deny all; } on /mapi

commit 35e537c
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Wed May 27 16:33:06 2026 +0000

    fix(nginx): dispatch WISE auth path on Authorization header type, not User-Agent

    - Replace User-Agent substring match with Authorization header scheme check
    - Prevents clients from selecting service-account auth path by spoofing a User-Agent containing "arkime" while presenting Keycloak credentials

commit 2046db2
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Wed May 27 16:26:50 2026 +0000

    return error 400 on invalid template name

commit 3e7a366
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Wed May 27 16:22:25 2026 +0000

    fix(api): remediate OpenSearch path injection via template parameter

    - Validate template_name against allowlist pattern before interpolation into OpenSearch URL to prevent path traversal to arbitrary endpoints

commit a6ffe0c
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Wed May 27 16:11:18 2026 +0000

    Fix readonly conf

commit d940f2f
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Wed May 27 15:35:48 2026 +0000

    be thorough about file extensions supported for archives

commit 81bcb99
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Wed May 27 14:58:32 2026 +0000

    fix(filebeat): remediate zip-slip path traversal in archive extraction

    - Replace pyunpack/patool with libarchive-c for archive extraction
    - Add safe-extract.py with SECURE_NODOTDOT, SECURE_NOABSOLUTEPATHS, and SECURE_SYMLINKS flags enforced at C level via libarchive
    - Handle raw single-stream formats (gz, bz2, xz, lzma) via Python stdlib
    - Handle lzip via lzip binary (libarchive has no lzip support in this build)
    - Handle compressed tarballs (tgz, tar.gz, tar.xz, etc.) via libarchive
    - Iterate archive entries manually to handle directory entries correctly
    - Add libarchive and lzip to Dockerfile, add unrar for RAR support
    - Drop xz-devel (no longer needed), drop patool and pyunpack from requirements
    - Add libarchive-c==5.3 to requirements.txt

commit 4668660
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Tue May 26 21:38:59 2026 +0000

    fix(filebeat): remediate command injection via malicious filename in zeek folder processor

    - Replace xargs -I '{}' text substitution with positional argument passing
    - FILENAME and FILEMIME now read from $1 instead of inline {} expansion
    - Prevents command substitution in filenames (e.g. $(cmd)) from executing when filebeat-process-zeek-folder.sh processes uploaded archives

commit 1ec993d
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Tue May 26 21:28:22 2026 +0000

    fix(nginx): remediate reflected XSS/open redirect in refred location

    - Add auth guard to /dashboards/app/refred/ (was reachable pre-auth)
    - Fix XSS: HTML-escape decoded_url before injection into HTML output
    - Fix XSS: move URL out of inline JS string literal into data- attribute
    - Fix info leak: stop reflecting invalid URL back in error response
    - Add strict CSP to refred location (default-src 'none', unsafe-inline for confirm script)
    - Add nginx_csp_framing.conf with frame-ancestors/X-Frame-Options for clickjacking defense
    - Apply framing CSP globally to http blocks, cyberchef location, and opensearch 501 handler

    Also:
    - Add auth guard to /auth (was reachable pre-auth)

commit 9286238
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Tue May 26 18:51:19 2026 +0000

    bump supercronic to 0.2.46

commit 3bc378a
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Tue May 26 14:34:08 2026 +0000

    Fix bogus links found by @jsoref in cisagov#988

commit cb85750
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Tue May 26 14:30:09 2026 +0000

    bump fluent bit

commit 5e1f043
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Thu May 21 20:35:50 2026 +0000

    cisagov#978; Fix duplicate VM creation during device-to-VM conversion by calling create_device_interface before lookup_devices, ensuring the new VM has an IP assigned when lookup_devices queries for it and preventing a nil return from netbox_lookup from leaving a stale pre-conversion device entry in cache.

commit e04bb2b
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Thu May 21 14:57:44 2026 +0000

    bump to v26.06.0

commit aa03246
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Thu May 21 14:57:24 2026 +0000

    restore branding links

commit 1a9d307
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Thu May 21 14:56:21 2026 +0000

    restore differences in GitHub workflows

commit 0950d44
Author: Seth Grover <seth.d.grover@gmail.com>
Date:   Thu May 21 14:56:05 2026 +0000

    restore branding links

commit c579a18
Author: Gulden Okur <gulden@trusteed.io>
Date:   Mon May 25 00:59:53 2026 -0700

    Hide NGINX version info and serve custom 401 error page.

    Suppress Server header and OpenResty version strings in auth failures, and replace the default 401 page with a minimal Malcolm page that omits version metadata.

    Co-authored-by: Cursor <cursoragent@cursor.com>

commit 429283f
Author: sercanokur <sercanokur@gmail.com>
Date:   Mon May 25 00:03:45 2026 -0700

    Return HTTP 403 for API authorization failures

    PermissionError was handled by the generic exception handler and returned HTTP 200 with exception details. Add a dedicated handler for 403 responses and stop leaking internal exception messages to API clients.

    Co-authored-by: Cursor <cursoragent@cursor.com>
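The zip-slip fix in commit 81bcb99 above delegates the three dangerous-entry checks to libarchive's SECURE_NODOTDOT, SECURE_NOABSOLUTEPATHS and SECURE_SYMLINKS flags. The following is an added example written for this page, not Malcolm's safe-extract.py: it re-implements those checks with the Python standard library so they can be run without libarchive, and it is deliberately a little stricter than the C flags in one respect (a symlink whose target leaves the destination is refused at creation, whereas libarchive only refuses later writes through it). The tarball it extracts is constructed inline and every file name in it is made up.

```python
import io
import os
import tarfile
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One rejection reason per libarchive SECURE_* flag (assumed mapping; this code
# re-implements the checks rather than calling libarchive).
ABSOLUTE_PATH = "absolute path"                     # ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS
DOT_DOT = "dot-dot component"                       # ARCHIVE_EXTRACT_SECURE_NODOTDOT
LINK_ESCAPES = "link target escapes destination"    # stricter than libarchive: refuse at link creation
CROSSES_SYMLINK = "path crosses a symlink on disk"  # ARCHIVE_EXTRACT_SECURE_SYMLINKS


@dataclass
class ExtractReport:
    extracted: List[str] = field(default_factory=list)
    rejected: List[Tuple[str, str]] = field(default_factory=list)


def _inside(dest: str, candidate: str) -> bool:
    """True if candidate (a path already joined under dest) resolves to dest or below."""
    root = os.path.realpath(dest)
    target = os.path.realpath(candidate)
    return target == root or target.startswith(root + os.sep)


def classify_entry(member: tarfile.TarInfo, dest: str) -> Optional[str]:
    """Return a rejection reason, or None if the entry may be written under dest."""
    name = member.name.replace("\\", "/")
    if name.startswith("/") or os.path.isabs(name):
        return ABSOLUTE_PATH
    if ".." in name.split("/"):  # any component, not only a leading one
        return DOT_DOT
    if member.issym() or member.islnk():
        if os.path.isabs(member.linkname):
            return LINK_ESCAPES
        # symlink targets are relative to the link's directory; hardlink targets to the archive root
        base = os.path.dirname(name) if member.issym() else ""
        if not _inside(dest, os.path.join(dest, base, member.linkname)):
            return LINK_ESCAPES
    # Refuse to write through any symlink that an earlier entry (or the host) put on disk.
    current = dest
    for part in name.split("/")[:-1]:
        current = os.path.join(current, part)
        if os.path.islink(current):
            return CROSSES_SYMLINK
    return None


def safe_extract(archive: bytes, dest: str) -> ExtractReport:
    """Extract one entry at a time, skipping (not aborting on) anything that fails a check."""
    report = ExtractReport()
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar:
            reason = classify_entry(member, dest)
            if reason is not None:
                report.rejected.append((member.name, reason))
                continue
            try:
                tar.extract(member, path=dest, filter="data")  # second line of defence on 3.12+
            except TypeError:  # older Python without the filter keyword
                tar.extract(member, path=dest)
            report.extracted.append(member.name)
    return report


def build_sample_archive() -> bytes:
    """A constructed tarball: one benign file plus the classic zip-slip entry shapes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        def add_symlink(name: str, target: str) -> None:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)

        add_file("good/ok.txt", b"benign\n")
        add_file("../escape.txt", b"would land beside dest\n")
        add_file("/abs.txt", b"would land at the filesystem root\n")
        add_symlink("escape_link", "../../outside")
        add_symlink("inner_link", "good")  # stays inside dest, so it is created...
        add_file("inner_link/sneaky.txt", b"...but writing through it is refused\n")
    return buf.getvalue()


def demo() -> ExtractReport:
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(build_sample_archive(), dest)


if __name__ == "__main__":
    for entry, why in demo().rejected:
        print(f"rejected {entry!r}: {why}")
```

Iterating the entries and deciding per entry is the same shape as the commit's "iterate archive entries manually" note: a single bad entry is skipped rather than aborting the whole upload, and the decision for each entry is made against what is already on disk at that moment, which is what makes the symlink check meaningful.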
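Commits cefc81d, 3e7a366, 2046db2 and 429283f above fix three related API problems: an RBAC table whose defaultdict answered True for any handler nobody had enrolled, a template name interpolated into an OpenSearch URL without validation, and PermissionError falling through to a generic handler that returned 200 with the exception text. The example below is added here to show the three fixes working together in one miniature dispatcher; it is not Malcolm's API code, and the role names, handler names, the `/_index_template/` path and the `http://opensearch:9200` base are all hypothetical.

```python
import re
from collections import defaultdict
from typing import Callable, Dict, FrozenSet, Iterable, Tuple

Response = Tuple[int, Dict[str, object]]

# Hypothetical role and handler names chosen for the example.
ADMIN, READ_ONLY = "admin", "read_only"
ANY_AUTHENTICATED = frozenset({ADMIN, READ_ONLY})

# Allowlist for a template name that ends up inside an OpenSearch URL path. Slashes, '..',
# '?', '#' and percent-escapes are all excluded, so the name cannot steer the request elsewhere.
TEMPLATE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,254}")


def template_url(base: str, template_name: str) -> str:
    """Validate before interpolating: '../_cluster/settings' is refused, 'malcolm_beats_template' passes."""
    if not TEMPLATE_NAME_RE.fullmatch(template_name):
        raise ValueError("invalid template name")
    return f"{base}/_index_template/{template_name}"  # endpoint path is illustrative


class Api:
    def __init__(self, fail_closed: bool = True):
        # The defaultdict is the heart of the fix: a handler nobody enrolled used to default to
        # True (allowed); defaulting to False means it is denied until someone enrolls it.
        self.enrolled: Dict[str, bool] = defaultdict(lambda: not fail_closed)
        self.roles: Dict[str, FrozenSet[str]] = {}
        self.handlers: Dict[str, Callable[..., Response]] = {}

    def register(self, name: str, handler: Callable[..., Response]) -> None:
        self.handlers[name] = handler  # routing only; says nothing about who may call it

    def enroll(self, name: str, roles: Iterable[str]) -> None:
        self.enrolled[name] = True
        self.roles[name] = frozenset(roles)

    def dispatch(self, name: str, user_roles: Iterable[str], **params: object) -> Response:
        try:
            if not self.enrolled[name]:
                raise PermissionError(f"{name} is not enrolled in the RBAC table")
            if not self.roles.get(name, ANY_AUTHENTICATED) & frozenset(user_roles):
                raise PermissionError(f"{name} is not permitted for these roles")
            handler = self.handlers.get(name)
            if handler is None:
                return 404, {"error": "not found"}
            return handler(**params)
        except PermissionError:
            return 403, {"error": "forbidden"}       # dedicated 403; exception text never leaves the server
        except ValueError:
            return 400, {"error": "bad request"}     # invalid template name
        except Exception:
            return 500, {"error": "internal error"}  # generic handler no longer answers 200


def ping(**_: object) -> Response:
    return 200, {"ping": "pong"}


def redis_keyspace_info(**_: object) -> Response:
    return 200, {"keys": 42}  # constructed payload


def template(template_name: str = "", **_: object) -> Response:
    return 200, {"url": template_url("http://opensearch:9200", template_name)}  # hypothetical base


def build_api(fail_closed: bool = True, forget_keyspace: bool = False) -> Api:
    """forget_keyspace=True reproduces the unenrolled-handler situation the fix closed."""
    api = Api(fail_closed=fail_closed)
    for name, handler in (("ping", ping), ("redis_keyspace_info", redis_keyspace_info), ("template", template)):
        api.register(name, handler)
    api.enroll("ping", ANY_AUTHENTICATED)
    api.enroll("template", {ADMIN})
    if not forget_keyspace:
        api.enroll("redis_keyspace_info", {ADMIN})
    return api


if __name__ == "__main__":
    print(build_api(fail_closed=False, forget_keyspace=True).dispatch("redis_keyspace_info", [READ_ONLY]))
    print(build_api(fail_closed=True, forget_keyspace=True).dispatch("redis_keyspace_info", [READ_ONLY]))
```

The check that matters for regressions is the second `build_api` call: with the table failing closed, a handler that is routed but not enrolled answers 403 regardless of the caller's roles, so forgetting an enrollment surfaces as a visible denial instead of an invisible grant.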