Malcolm v5.0.1 development (#180)

Malcolm v5.0.1 is a patch release with minor bug and security fixes. * Bugs addressed: * Very large pcaps don't get proccesed idaholab#44 * pcap files with colon (:) in the name don't process correctly idaholab#2 * turning off AUTO_TAG feature disables tagging altogether idaholab#12 * recent debinterfaces release broke configure-interfaces.py idaholab#48 * opensearch indexes in yellow state idaholab#67 * arkime capture gives mlockall_init() warning on startup idaholab#66 * Security vulnerabilities addressed: * mitigations for CVE-2021-44228 (log4shell) idaholab#68 * Other * bumped Arkime from [v3.1.1 to v3.2.0](https://github.com/arkime/arkime/blob/v3.2.0/CHANGELOG#L25-L40) * bumped OpenSearch to [v1.2.1](https://opensearch.org/blog/releases/2021/12/update-to-1-2-1/) * switched from [elasticsearch](https://pypi.org/project/elasticsearch-dsl/) to [opensearch](https://pypi.org/project/opensearch-dsl/) python client libraries * write contributor's guide for source code contributions/modifications idaholab#25 * handle new fields in ethernet/IP logs (cisagov/icsnpp-enip@c4ae505) * use more recognizable dashboards logo for OpenSearch dashboards launcher in Malcolm ISO * include patches used to build Arkime Dockerfile when building Arkime for hedgehog as well * build Zeek spicy analyzers from their various repos rather than the zeek/spicy-analyzer meta-repo
cisagov · Dec 14, 2021 · b59e237 · b59e237
1 parent 359a343
commit b59e237
Show file tree

Hide file tree

Showing 48 changed files with 501 additions and 253 deletions.
diff --git a/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml b/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml
@@ -83,6 +83,7 @@ jobs:
         name: Build image
         run: |
           cp -r ./shared ./sensor-iso
+          cp -r ./arkime/patch ./sensor-iso/shared/arkime_patch
           pushd ./sensor-iso
           echo "${{ steps.extract_malcolm_version.outputs.mversion }}" > ./shared/version.txt
           echo "${{ secrets.MAXMIND_GEOIP_DB_LICENSE_KEY }}" > ./shared/maxmind_license.txt

diff --git a/Dockerfiles/arkime.Dockerfile b/Dockerfiles/arkime.Dockerfile
@@ -4,7 +4,7 @@ FROM debian:bullseye-slim AS build
 
 ENV DEBIAN_FRONTEND noninteractive
 
-ENV ARKIME_VERSION "3.1.1"
+ENV ARKIME_VERSION "3.2.0"
 ENV ARKIMEDIR "/opt/arkime"
 ENV ARKIME_URL "https://github.com/arkime/arkime.git"
 ENV ARKIME_LOCALELASTICSEARCH no

diff --git a/Dockerfiles/dashboards-helper.Dockerfile b/Dockerfiles/dashboards-helper.Dockerfile
@@ -83,7 +83,7 @@ RUN apk --no-cache add bash python3 py3-pip curl procps psmisc npm shadow jq &&
     chown -R ${PUSER}:${PGROUP} /opt/dashboards /opt/maps /data/init /opt/anomaly_detectors && \
     chmod 755 /data/*.sh /data/*.py /data/init && \
     chmod 400 /opt/maps/* && \
-    (echo -e "*/2 * * * * /data/create-arkime-sessions-index.sh\n0 10 * * * /data/index-refresh.py --template malcolm_template\n30 */6 * * * /data/refresh-auxiliary-index-patterns.sh\n*/20 * * * * /data/opensearch_index_size_prune.py" > ${SUPERCRONIC_CRONTAB})
+    (echo -e "*/2 * * * * /data/create-arkime-sessions-index.sh\n0 10 * * * /data/index-refresh.py --template malcolm_template --unassigned\n30 */6 * * * /data/refresh-auxiliary-index-patterns.sh\n*/20 * * * * /data/opensearch_index_size_prune.py" > ${SUPERCRONIC_CRONTAB})
 
 EXPOSE $OFFLINE_REGION_MAPS_PORT
 

diff --git a/Dockerfiles/opensearch.Dockerfile b/Dockerfiles/opensearch.Dockerfile
@@ -1,10 +1,10 @@
-FROM opensearchproject/opensearch:1.2.0
+FROM opensearchproject/opensearch:1.2.1
 
 # Copyright (c) 2022 Battelle Energy Alliance, LLC.  All rights reserved.
 LABEL maintainer="[email protected]"
 LABEL org.opencontainers.image.authors='[email protected]'
 LABEL org.opencontainers.image.url='https://github.com/cisagov/Malcolm'
-LABEL org.opencontainers.image.documentation='https://github.com/cisagov/Malcolm/blob/master/README.md'
+LABEL org.opencontainers.image.documentation='https://github.com/cisagov/Malcolm/blob/main/README.md'
 LABEL org.opencontainers.image.source='https://github.com/cisagov/Malcolm'
 LABEL org.opencontainers.image.vendor='Cybersecurity and Infrastructure Security Agency'
 LABEL org.opencontainers.image.title='malcolmnetsec/opensearch'

diff --git a/Dockerfiles/pcap-monitor.Dockerfile b/Dockerfiles/pcap-monitor.Dockerfile
@@ -53,7 +53,7 @@ RUN apt-get update && \
       vim-tiny && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/* && \
-    pip3 install --no-cache-dir elasticsearch==7.10.1 elasticsearch_dsl==7.4.0 pyzmq pyinotify python-magic && \
+    pip3 install --no-cache-dir opensearch-py opensearch-dsl pyzmq pyinotify python-magic && \
     groupadd --gid ${DEFAULT_GID} ${PGROUP} && \
       useradd -M --uid ${DEFAULT_UID} --gid ${DEFAULT_GID} ${PUSER}
 

diff --git a/README.md b/README.md
@@ -93,6 +93,7 @@ In short, Malcolm provides an easily deployable network analysis tool suite for
 * [Known issues](#Issues)
 * [Installation example using Ubuntu 20.04 LTS](#InstallationExample)
 * [Upgrading Malcolm](#UpgradePlan)
+* [Modifying or Contributing to Malcolm](#Contributing)
 * [Copyright](#Footer)
 * [Contact](#Contact)
 
@@ -142,21 +143,21 @@ You can then observe that the images have been retrieved by running `docker imag
 ```
 $ docker images
 REPOSITORY                                                     TAG             IMAGE ID       CREATED      SIZE
-malcolmnetsec/arkime                                           5.0.0           xxxxxxxxxxxx   2 days ago   811MB
-malcolmnetsec/dashboards                                       5.0.0           xxxxxxxxxxxx   2 days ago   970MB
-malcolmnetsec/dashboards-helper                                5.0.0           xxxxxxxxxxxx   2 days ago   154MB
-malcolmnetsec/filebeat-oss                                     5.0.0           xxxxxxxxxxxx   2 days ago   621MB
-malcolmnetsec/file-monitor                                     5.0.0           xxxxxxxxxxxx   2 days ago   586MB
-malcolmnetsec/file-upload                                      5.0.0           xxxxxxxxxxxx   2 days ago   259MB
-malcolmnetsec/freq                                             5.0.0           xxxxxxxxxxxx   2 days ago   132MB
-malcolmnetsec/htadmin                                          5.0.0           xxxxxxxxxxxx   2 days ago   242MB
-malcolmnetsec/logstash-oss                                     5.0.0           xxxxxxxxxxxx   2 days ago   1.27GB
-malcolmnetsec/name-map-ui                                      5.0.0           xxxxxxxxxxxx   2 days ago   142MB
-malcolmnetsec/nginx-proxy                                      5.0.0           xxxxxxxxxxxx   2 days ago   117MB
-malcolmnetsec/opensearch                                       5.0.0           xxxxxxxxxxxx   2 days ago   1.18GB
-malcolmnetsec/pcap-capture                                     5.0.0           xxxxxxxxxxxx   2 days ago   122MB
-malcolmnetsec/pcap-monitor                                     5.0.0           xxxxxxxxxxxx   2 days ago   214MB
-malcolmnetsec/zeek                                             5.0.0           xxxxxxxxxxxx   2 days ago   938MB
+malcolmnetsec/arkime                                           5.0.1           xxxxxxxxxxxx   2 days ago   811MB
+malcolmnetsec/dashboards                                       5.0.1           xxxxxxxxxxxx   2 days ago   970MB
+malcolmnetsec/dashboards-helper                                5.0.1           xxxxxxxxxxxx   2 days ago   154MB
+malcolmnetsec/filebeat-oss                                     5.0.1           xxxxxxxxxxxx   2 days ago   621MB
+malcolmnetsec/file-monitor                                     5.0.1           xxxxxxxxxxxx   2 days ago   586MB
+malcolmnetsec/file-upload                                      5.0.1           xxxxxxxxxxxx   2 days ago   259MB
+malcolmnetsec/freq                                             5.0.1           xxxxxxxxxxxx   2 days ago   132MB
+malcolmnetsec/htadmin                                          5.0.1           xxxxxxxxxxxx   2 days ago   242MB
+malcolmnetsec/logstash-oss                                     5.0.1           xxxxxxxxxxxx   2 days ago   1.27GB
+malcolmnetsec/name-map-ui                                      5.0.1           xxxxxxxxxxxx   2 days ago   142MB
+malcolmnetsec/nginx-proxy                                      5.0.1           xxxxxxxxxxxx   2 days ago   117MB
+malcolmnetsec/opensearch                                       5.0.1           xxxxxxxxxxxx   2 days ago   1.18GB
+malcolmnetsec/pcap-capture                                     5.0.1           xxxxxxxxxxxx   2 days ago   122MB
+malcolmnetsec/pcap-monitor                                     5.0.1           xxxxxxxxxxxx   2 days ago   214MB
+malcolmnetsec/zeek                                             5.0.1           xxxxxxxxxxxx   2 days ago   938MB
 ```
 
 #### Import from pre-packaged tarballs
@@ -1497,7 +1498,7 @@ Building the ISO may take 30 minutes or more depending on your system. As the bu
 
 ```
 …
-Finished, created "/malcolm-build/malcolm-iso/malcolm-5.0.0.iso"
+Finished, created "/malcolm-build/malcolm-iso/malcolm-5.0.1.iso"
 …
 ```
 
@@ -1883,21 +1884,21 @@ Pulling zeek              ... done
 
 user@host:~/Malcolm$ docker images
 REPOSITORY                                                     TAG             IMAGE ID       CREATED      SIZE
-malcolmnetsec/arkime                                           5.0.0           xxxxxxxxxxxx   2 days ago   811MB
-malcolmnetsec/dashboards                                       5.0.0           xxxxxxxxxxxx   2 days ago   970MB
-malcolmnetsec/dashboards-helper                                5.0.0           xxxxxxxxxxxx   2 days ago   154MB
-malcolmnetsec/filebeat-oss                                     5.0.0           xxxxxxxxxxxx   2 days ago   621MB
-malcolmnetsec/file-monitor                                     5.0.0           xxxxxxxxxxxx   2 days ago   586MB
-malcolmnetsec/file-upload                                      5.0.0           xxxxxxxxxxxx   2 days ago   259MB
-malcolmnetsec/freq                                             5.0.0           xxxxxxxxxxxx   2 days ago   132MB
-malcolmnetsec/htadmin                                          5.0.0           xxxxxxxxxxxx   2 days ago   242MB
-malcolmnetsec/logstash-oss                                     5.0.0           xxxxxxxxxxxx   2 days ago   1.27GB
-malcolmnetsec/name-map-ui                                      5.0.0           xxxxxxxxxxxx   2 days ago   142MB
-malcolmnetsec/nginx-proxy                                      5.0.0           xxxxxxxxxxxx   2 days ago   117MB
-malcolmnetsec/opensearch                                       5.0.0           xxxxxxxxxxxx   2 days ago   1.18GB
-malcolmnetsec/pcap-capture                                     5.0.0           xxxxxxxxxxxx   2 days ago   122MB
-malcolmnetsec/pcap-monitor                                     5.0.0           xxxxxxxxxxxx   2 days ago   214MB
-malcolmnetsec/zeek                                             5.0.0           xxxxxxxxxxxx   2 days ago   938MB
+malcolmnetsec/arkime                                           5.0.1           xxxxxxxxxxxx   2 days ago   811MB
+malcolmnetsec/dashboards                                       5.0.1           xxxxxxxxxxxx   2 days ago   970MB
+malcolmnetsec/dashboards-helper                                5.0.1           xxxxxxxxxxxx   2 days ago   154MB
+malcolmnetsec/filebeat-oss                                     5.0.1           xxxxxxxxxxxx   2 days ago   621MB
+malcolmnetsec/file-monitor                                     5.0.1           xxxxxxxxxxxx   2 days ago   586MB
+malcolmnetsec/file-upload                                      5.0.1           xxxxxxxxxxxx   2 days ago   259MB
+malcolmnetsec/freq                                             5.0.1           xxxxxxxxxxxx   2 days ago   132MB
+malcolmnetsec/htadmin                                          5.0.1           xxxxxxxxxxxx   2 days ago   242MB
+malcolmnetsec/logstash-oss                                     5.0.1           xxxxxxxxxxxx   2 days ago   1.27GB
+malcolmnetsec/name-map-ui                                      5.0.1           xxxxxxxxxxxx   2 days ago   142MB
+malcolmnetsec/nginx-proxy                                      5.0.1           xxxxxxxxxxxx   2 days ago   117MB
+malcolmnetsec/opensearch                                       5.0.1           xxxxxxxxxxxx   2 days ago   1.18GB
+malcolmnetsec/pcap-capture                                     5.0.1           xxxxxxxxxxxx   2 days ago   122MB
+malcolmnetsec/pcap-monitor                                     5.0.1           xxxxxxxxxxxx   2 days ago   214MB
+malcolmnetsec/zeek                                             5.0.1           xxxxxxxxxxxx   2 days ago   938MB
 ```
 
 Finally, we can start Malcolm. When Malcolm starts it will stream informational and debug messages to the console. If you wish, you can safely close the console or use `Ctrl+C` to stop these messages; Malcolm will continue running in the background.
@@ -2002,6 +2003,10 @@ Once the upgraded instance Malcolm has started up, you'll probably want to impor
 
 The Malcolm project uses [semantic versioning](https://semver.org/) when choosing version numbers. If you are moving between major releases (e.g., from v4.0.1 to v5.0.0), you're likely to find that there are enough major backwards compatibility-breaking changes that upgrading may not be worth the time and trouble. A fresh install is strongly recommended between major releases.
 
+## <a name="Contributing"></a>Modifying or Contributing to Malcolm
+
+If you are interested in contributing to the Malcolm project, please read the [Malcolm Contributor Guide](./docs/contributing/README.md).
+
 ## <a name="Footer"></a>Copyright
 
 [Malcolm](https://github.com/cisagov/Malcolm) is Copyright 2022 Battelle Energy Alliance, LLC, and is developed and released through the cooperation of the [Cybersecurity and Infrastructure Security Agency](https://www.cisa.gov/) of the [U.S. Department of Homeland Security](https://www.dhs.gov/).

diff --git a/arkime/etc/config.ini b/arkime/etc/config.ini
@@ -220,6 +220,7 @@ zeek.bsap_serial_unknown.data=db:zeek.bsap_serial_unknown.data;group:zeek_bsap;k
 zeek.cip.cip_sequence_count=db:zeek.cip.cip_sequence_count;group:zeek_cip;kind:integer;friendly:CIP Sequence Number;help:CIP Sequence Number
 zeek.cip.direction=db:zeek.cip.direction;group:zeek_cip;kind:termfield;friendly:Direction;help:Direction
 zeek.cip.cip_service=db:zeek.cip.cip_service;group:zeek_cip;kind:termfield;friendly:CIP Service;help:CIP Service
+zeek.cip.cip_service_code=db:zeek.cip.cip_service_code;group:zeek_cip;kind:termfield;friendly:CIP Service Code;help:CIP Service Code
 zeek.cip.cip_status=db:zeek.cip.cip_status;group:zeek_cip;kind:termfield;friendly:CIP Status;help:CIP Status
 zeek.cip.class_id=db:zeek.cip.class_id;group:zeek_cip;kind:termfield;friendly:Class ID;help:Class ID
 zeek.cip.class_name=db:zeek.cip.class_name;group:zeek_cip;kind:termfield;friendly:Class Name;help:Class Name
@@ -333,6 +334,7 @@ zeek.dpd.failure_reason=db:zeek.dpd.failure_reason;group:zeek_dpd;kind:termfield
 # enip.log
 # https://github.com/cisagov/ICSNPP
 zeek.enip.enip_command=db:zeek.enip.enip_command;group:zeek_enip;kind:termfield;friendly:EthernetIP Command;help:EthernetIP Command
+zeek.enip.enip_command_code=db:zeek.enip.enip_command_code;group:zeek_enip;kind:termfield;friendly:EthernetIP Command Code;help:EthernetIP Command Code
 zeek.enip.length=db:zeek.enip.length;group:zeek_enip;kind:integer;friendly:Packet Length;help:Packet Length
 zeek.enip.session_handle=db:zeek.enip.session_handle;group:zeek_enip;kind:termfield;friendly:Session Number;help:Session Number
 zeek.enip.enip_status=db:zeek.enip.enipstatus;group:zeek_enip;kind:termfield;friendly:EthernetIP Status;help:EthernetIP Status
@@ -1208,7 +1210,7 @@ zeek_bsap_serial_header=require:zeek.bsap_serial_header;title:Zeek bsap_serial_h
 zeek_bsap_serial_rdb=require:zeek.bsap_serial_rdb;title:Zeek bsap_serial_rdb.log;fields:zeek.bsap_serial_rdb.data,zeek.bsap_serial_rdb.func_code
 zeek_bsap_serial_rdb_ext=require:zeek.bsap_serial_rdb_ext;title:Zeek bsap_serial_rdb_ext.log;fields:zeek.bsap_serial_rdb_ext.data,zeek.bsap_serial_rdb_ext.dfun,zeek.bsap_serial_rdb_ext.extfun,zeek.bsap_serial_rdb_ext.nsb,zeek.bsap_serial_rdb_ext.seq,zeek.bsap_serial_rdb_ext.sfun
 zeek_bsap_serial_unknown=require:zeek.bsap_serial_unknown;title:Zeek bsap_serial_unknown.log;fields:zeek.bsap_serial_unknown.data
-zeek_cip=require:zeek.cip;title:Zeek cip.log;fields:zeek.cip.cip_sequence_count,zeek.cip.direction,zeek.cip.cip_service,zeek.cip.cip_status,zeek.cip.class_id,zeek.cip.class_name,zeek.cip.instance_id,zeek.cip.attribute_id,zeek.cip.data_id,zeek.cip.other_id
+zeek_cip=require:zeek.cip;title:Zeek cip.log;fields:zeek.cip.cip_sequence_count,zeek.cip.direction,zeek.cip.cip_service,zeek.cip.cip_service_code,zeek.cip.cip_status,zeek.cip.class_id,zeek.cip.class_name,zeek.cip.instance_id,zeek.cip.attribute_id,zeek.cip.data_id,zeek.cip.other_id
 zeek_cip_identity=require:zeek.cip_identity;title:Zeek cip_identity.log;fields:zeek.cip_identity.encapsulation_version,zeek.cip_identity.socket_address,zeek.cip_identity.socket_address_geo.city_name,zeek.cip_identity.socket_address_geo.country_name,zeek.cip_identity.socket_address_asn,zeek.cip_identity.socket_port,zeek.cip_identity.vendor_id,zeek.cip_identity.vendor_name,zeek.cip_identity.device_type_id,zeek.cip_identity.device_type_name,zeek.cip_identity.product_code,zeek.cip_identity.revision,zeek.cip_identity.device_status,zeek.cip_identity.serial_number,zeek.cip_identity.product_name,zeek.cip_identity.device_state
 zeek_cip_io=require:zeek.cip_io;title:Zeek cip_io.log;fields:zeek.cip_io.connection_id,zeek.cip_io.sequence_number,zeek.cip_io.data_length,zeek.cip_io.io_data
 zeek_conn=require:zeek.conn;title:Zeek conn.log;fields:zeek.conn.duration,zeek.conn.orig_bytes,zeek.conn.resp_bytes,zeek.conn.conn_state,zeek.conn.conn_state_description,zeek.conn.local_orig,zeek.conn.local_resp,zeek.conn.missed_bytes,zeek.conn.history,zeek.conn.orig_pkts,zeek.conn.orig_ip_bytes,zeek.conn.resp_pkts,zeek.conn.resp_ip_bytes,zeek.conn.tunnel_parents,zeek.conn.vlan,zeek.conn.inner_vlan
@@ -1227,7 +1229,7 @@ zeek_ecat_coe_info=require:zeek.ecat_coe_info;title:Zeek ecat_coe_info.log;field
 zeek_ecat_foe_info=require:zeek.ecat_foe_info;title:Zeek ecat_foe_info.log;fields:zeek.ecat_foe_info.opcode,zeek.ecat_foe_info.reserved,zeek.ecat_foe_info.packet_num,zeek.ecat_foe_info.error_code,zeek.ecat_foe_info.filename,zeek.ecat_foe_info.data
 zeek_ecat_soe_info=require:zeek.ecat_soe_info;title:Zeek ecat_soe_info.log;fields:zeek.ecat_soe_info.opcode,zeek.ecat_soe_info.incomplete,zeek.ecat_soe_info.error,zeek.ecat_soe_info.drive_num,zeek.ecat_soe_info.element,zeek.ecat_soe_info.index
 zeek_ecat_arp_info=require:zeek.ecat_arp_info;title:Zeek ecat_arp_info.log;fields:zeek.ecat_arp_info.arp_type,zeek.ecat_arp_info.orig_proto_addr,zeek.ecat_arp_info.orig_hw_addr,zeek.ecat_arp_info.resp_proto_addr,zeek.ecat_arp_info.resp_hw_addr
-zeek_enip=require:zeek.enip;title:Zeek enip.log;fields:zeek.enip.enip_command,zeek.enip.length,zeek.enip.session_handle,zeek.enip.enip_status,zeek.enip.sender_context,zeek.enip.options
+zeek_enip=require:zeek.enip;title:Zeek enip.log;fields:zeek.enip.enip_command,zeek.enip.enip_command_code,zeek.enip.length,zeek.enip.session_handle,zeek.enip.enip_status,zeek.enip.sender_context,zeek.enip.options
 zeek_files=require:zeek.files;title:Zeek files.log;fields:zeek.files.tx_hosts,zeek.files.rx_hosts,zeek.files.conn_uids,zeek.files.source,zeek.files.depth,zeek.files.analyzers,zeek.files.mime_type,zeek.files.filename,zeek.files.duration,zeek.files.local_orig,zeek.files.is_orig,zeek.files.seen_bytes,zeek.files.total_bytes,zeek.files.missing_bytes,zeek.files.overflow_bytes,zeek.files.timedout,zeek.files.parent_fuid,zeek.files.md5,zeek.files.sha1,zeek.files.sha256,zeek.files.extracted,zeek.files.extracted_cutoff,zeek.files.extracted_size
 zeek_ftp=require:zeek.ftp;title:Zeek ftp.log;fields:zeek.ftp.command,zeek.ftp.arg,zeek.ftp.mime_type,zeek.ftp.file_size,zeek.ftp.reply_code,zeek.ftp.reply_msg,zeek.ftp.data_channel_passive,zeek.ftp.data_channel_orig_h,zeek.ftp.data_channel_resp_h,zeek.ftp.data_channel_resp_p
 zeek_gquic=require:zeek.gquic;title:Zeek gquic.log;fields:zeek.gquic.version,zeek.gquic.server_name,zeek.gquic.user_agent,zeek.gquic.tag_count,zeek.gquic.cyu,zeek.gquic.cyutags

diff --git a/arkime/patch/fix_self_signed_ssl.patch b/arkime/patch/fix_self_signed_ssl.patch
@@ -0,0 +1,51 @@
+diff --git a/CHANGELOG b/CHANGELOG
+index b758055d..ee4be26c 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -22,6 +22,10 @@ Node Versions:
+ NOTICE: Restart wiseService before capture when upgrading
+ NOTICE: Cross-cluster Shortcuts require you to not restart all your viewers at once after upgrading
+
++=======
++3.2.1 2022/01/xx
++  - viewer - fix --insecure which broke in 3.2.0
++
+ 3.2.0 2021/12/07
+   - release - node 14.18.2
+   - release - remove daily.sh, setup a cron directly now
+diff --git a/viewer/db.js b/viewer/db.js
+index 3a937c03..4c471331 100644
+--- a/viewer/db.js
++++ b/viewer/db.js
+@@ -133,6 +133,9 @@ exports.initialize = async (info, cb) => {
+
+   if (info.usersHost) {
+     User.initialize({
++      insecure: info.insecure,
++      ca: info.ca,
++      requestTimeout: info.requestTimeout,
+       node: info.usersHost,
+       clientKey: info.esClientKey,
+       clientCert: info.esClientCert,
+@@ -144,6 +147,9 @@ exports.initialize = async (info, cb) => {
+     });
+   } else {
+     User.initialize({
++      insecure: info.insecure,
++      ca: info.ca,
++      requestTimeout: info.requestTimeout,
+       node: info.host,
+       clientKey: info.esClientKey,
+       clientCert: info.esClientCert,
+diff --git a/wiseService/wiseService.js b/wiseService/wiseService.js
+index 6faa3228..9f9ef783 100644
+--- a/wiseService/wiseService.js
++++ b/wiseService/wiseService.js
+@@ -224,6 +224,7 @@ function setupAuth () {
+   const es = getConfig('wiseService', 'usersElasticsearch', 'http://localhost:9200');
+
+   User.initialize({
++    insecure: internals.insecure,
+     node: es,
+     prefix: getConfig('wiseService', 'usersPrefix', ''),
+     apiKey: getConfig('wiseService', 'usersElasticsearchAPIKey'),