SignalForge
Operator priorities
3 ranked actions
01. Upgrade the 60 pending packages now (`apt update && apt full-upgrade`) and reboot WSL if core components changed.

02. Restrict exposure of the wildcard listeners on 9090, 9100, and 5432 to trusted clients only; if remote access is unnecessary, rebind them to loopback.

03. Triage the 1826 recent errors by filtering known WSL noise first, then investigate any remaining persistent application or service errors.

Target host
mogahpc_wsl_01
Hostname snapshot: MogahPC · Ubuntu 24.04.3 LTS
Artifact family
Linux audit log
linux-audit-log
Source
agent
Mar 25, 12:18 AM
Artifact source
agent:4a2d5936-d2d3-4949-8fb9-5c44802a5c93
Collector
signalforge-collectors
Target ID
mogahpc_wsl_01
Recorded at
Mar 25, 12:18 AM
Findings
6 (2 medium, 4 low)
Run status
complete
Analysis completed successfully for this artifact snapshot.
Primary operator signal

Host Pressure Snapshot

Disk, memory, package, and recent-error signals extracted from the host audit so operators can assess system pressure before reading detailed findings.

Watch closely
Peak disk use
81%
C:\ mounted on /mnt/c
Memory use
39.8%
0.8 GiB of 1.9 GiB
Pending upgrades
60
Packages available for update
Recent errors
1859
Recent syslog, journal, or auth errors
Operator summary

Host Storage Watch

The busiest filesystems captured in the audit, shown as compact usage bars rather than buried line items.

Stable context
C:\ (/mnt/c)
C:\ 476G 382G 94G 81% /mnt/c
81%
D:\ (/mnt/d)
D:\ 50G 13G 38G 25% /mnt/d
25%
/dev/sdd (/)
/dev/sdd 1007G 40G 916G 5% /
5%
/dev/sdd (/)
/dev/sdd 67108864 880154 66228710 2% /
2%
Operator summary

Host Attention Points

Short callouts for the host-side items most likely to change operator decisions right away.

Watch closely
60 packages pending upgrade
Pending upgrades often include security fixes and stability corrections. In a long-lived WSL environment, leaving 60 packages behind increases the chance that known issues remain unpatched, especially in user-facing tooling and libraries that may be used for development or local services.
1826 non-trivial errors in recent logs
A high count of non-trivial log errors can mask real faults, service instability, or misconfiguration. In WSL, some errors are benign integration artifacts, but the volume still indicates the environment should be reviewed so genuine issues are not lost in background noise.
Operator summary

Run Health Summary

A compact operator view of severity and signal distribution before you drop into detailed findings.

Watch closely
Critical + high
0
No top-severity findings
Instability & pressure
2
Operational signal count
Identity & access
0
RBAC, tokens, service accounts, secrets
Exposure
3
Public reachability and listener posture

Detailed review

Findings

6 findings
Analysis narrative
Full narrative summary

Expanded explanation for operators who want the model summary after reviewing the findings table.

  • The host is a WSL2 Ubuntu 24.04 environment with several expected WSL-specific noise items already classified, so the main security signal comes from exposed listeners, pending package updates, and repeated recent errors.
  • There are 60 packages pending upgrade, which increases exposure to known vulnerabilities and missed fixes even though no critical package issue is shown in the excerpts.
  • Two Prometheus-related services are listening on all interfaces (9090 and 9100), which is acceptable only if intentionally exposed and access-restricted; otherwise they broaden the attack surface.
  • A rootlessport process is exposing port 5432 on all interfaces, which should be verified as intended and limited to trusted clients because it is reachable from the network namespace.
  • The loopback-only Node.js listener is low risk from a remote exposure perspective, but the volume of recent non-trivial errors suggests the environment would benefit from log review after the WSL-specific noise is filtered out.

Run Metadata

Identity
Run ID
0ac1ef61
Artifact family
Linux audit log
Host-level audit output from first-audit.sh or an equivalent Linux evidence collector.
Source type
Agent collection
agent
Target ID
mogahpc_wsl_01
Source label
agent:4a2d5936-d2d3-4949-8fb9-5c44802a5c93
Collection
Collector
signalforge-collectors
Recorded at
Mar 25, 12:18 AM
Analysis
Model
gpt-5.4-mini
Analysis time
8.4s
Tokens used
4,636
Suppressed Noise (9)

These observations are classified as expected given the environment context. Excluded from findings to reduce alert fatigue.

SSH service not found (WSL)
AppArmor not present (WSL)
WSL getaddrinfo failures in syslog (WSL)
WSL init timeout error (WSL)
Apport autoreport condition checks skipped (WSL)
NVMe-oF or OpenIPMI service failures (WSL)
Cannot read /etc/sudoers (non-root)
Cannot read failed login records (non-root)
Cannot query iptables rules (non-root)

Environment Context

Target Host
MogahPC · Ubuntu 24.04.3 LTS
Kernel
6.6.87.2-microsoft-standard-WSL2
Uptime
up 1 day, 20 hours, 26 minutes
WSL