Hedgehog Linux

Network Traffic Capture Appliance

Hedgehog Linux is a Debian-based operating system built to

• monitor network interfaces
• capture packets to PCAP files
• detect file transfers in network traffic and extract and scan those files for threats
• generate and forward Zeek logs, Arkime sessions and other information to Malcolm

• Sensor installation
  • Image boot options
  • Installer
• Boot
  • Kiosk mode
• Configuration
  • Interfaces, hostname, and time synchronization
    • Hostname
    • Interfaces
    • Time synchronization
  • Capture, forwarding, and autostart services
    • Capture
      • Automatic file extraction and scanning
    • Forwarding
      • arkime-capture: Arkime session forwarding
      • filebeat: Zeek and Suricata log forwarding
      • miscbeat: System metrics forwarding
    • Autostart services
• Zeek Intelligence Framework
• Appendix A - Generating the ISO
• Appendix B - Configuring SSH access
• Appendix C - Troubleshooting
• Appendix D - Hardening
  • Compliance exceptions
• Appendix E - Upgrades