SignalForge
Operator priorities
3 ranked actions
01

Restrict the wildcard-exposed monitoring and database-related listeners: bind Prometheus (9090), node_exporter (9100), and the rootlessport-backed service (5432) to localhost or a trusted management network, then verify WSL port forwarding does not make them reachable beyond the intended scope.

02

Install pending package updates and reboot/restart WSL if needed so the updated packages are active.

03

Review the recent error logs for non-WSL issues, confirming the 3167-error volume is dominated by expected WSL integration noise rather than service failures or misconfigurations.

Target host
mogahpc_wsl_01
Hostname snapshot: MogahPC · Ubuntu 24.04.4 LTS
Artifact family
Linux audit log
linux-audit-log
Source
agent
Mar 25, 10:09 AM
Artifact source
agent:4a2d5936-d2d3-4949-8fb9-5c44802a5c93
Collector
signalforge-collectors
Target ID
mogahpc_wsl_01
Recorded at
Mar 25, 10:09 AM
Findings
6 (2 medium, 4 low)
Run status
complete
Analysis completed successfully for this artifact snapshot.
Primary operator signal

Host Pressure Snapshot

Disk, memory, package, and recent-error signals extracted from the host audit so operators can assess system pressure before reading detailed findings.

Watch closely
Peak disk use
81%
C:\ mounted on /mnt/c
Memory use
29.7%
0.6 GiB of 1.9 GiB
Pending upgrades
2
Packages available for update
Recent errors
3200
Recent syslog, journal, or auth errors
Operator summary

Host Storage Watch

The busiest filesystems captured in the audit, shown as compact usage bars rather than buried line items.

Stable context
C:\ (/mnt/c)
C:\ 476G 383G 94G 81% /mnt/c
81%
D:\ (/mnt/d)
D:\ 50G 13G 38G 25% /mnt/d
25%
/dev/sdd (/)
/dev/sdd 1007G 40G 916G 5% /
5%
/dev/sdd (/)
/dev/sdd 67108864 880245 66228619 2% /
2%
Operator summary

Host Attention Points

Short callouts for the host-side items most likely to change operator decisions right away.

Watch closely
2 packages pending upgrade
Pending upgrades mean the system is not fully current, which can leave known bugs or security fixes unapplied. On a WSL workstation this is usually lower risk than on an internet-facing server, but it still affects stability and patch hygiene.
3167 non-trivial errors in recent logs
A high error count can hide real issues such as broken services, misconfigurations, or failed integrations. In this case, the cited entries are WSL session/vsock errors that often stem from WSL integration behavior, but the volume still warrants checking for non-WSL errors mixed into the log stream.
Operator summary

Run Health Summary

A compact operator view of severity and signal distribution before you drop into detailed findings.

Watch closely
Critical + high
0
No top-severity findings
Instability & pressure
2
Operational signal count
Identity & access
0
RBAC, tokens, service accounts, secrets
Exposure
3
Public reachability and listener posture
Detailed review

Findings

6 findings
Analysis narrative
Full narrative summary

Expanded explanation for operators who want the model summary after reviewing the findings table.

  • The host is a WSL2 Ubuntu environment with several expected WSL/non-root limitations already accounted for, so the main posture is mixed but not obviously compromised.
  • There are 3 wildcard-exposed network listeners of note: Prometheus on 9090 and node_exporter on 9100, plus a rootlessport listener on 5432; these should be access-restricted because they are reachable on all interfaces.
  • One Node.js process is bound only to 127.0.0.1:39613, which is lower risk because it is loopback-only and not remotely reachable.
  • Package hygiene is slightly behind with 2 upgrades pending, and recent logs show a large volume of non-trivial errors; the WSL-specific entries in that log volume are likely benign noise but still merit review for any non-WSL issues.
  • No high/critical findings were identified in the pre-identified set, and several audit gaps are explained by WSL or non-root execution rather than a security problem.

Run Metadata

Identity
Run ID
2b641cdc
Artifact family
Linux audit log
Host-level audit output from first-audit.sh or an equivalent Linux evidence collector.
Source type
Agent collection
agent
Target ID
mogahpc_wsl_01
Source label
agent:4a2d5936-d2d3-4949-8fb9-5c44802a5c93
Collection
Collector
signalforge-collectors
Recorded at
Mar 25, 10:09 AM
Analysis
Model
gpt-5.4-mini
Analysis time
9.6s
Tokens used
4,603
Suppressed Noise (9)

These observations are classified as expected given the environment context. Excluded from findings to reduce alert fatigue.

SSH service not found · WSL
AppArmor not present · WSL
WSL getaddrinfo failures in syslog · WSL
WSL init timeout error · WSL
Apport autoreport condition checks skipped · WSL
NVMe-oF or OpenIPMI service failures · WSL
Cannot read /etc/sudoers · non-root
Cannot read failed login records · non-root
Cannot query iptables rules · non-root

Environment Context

Target Host
MogahPC · Ubuntu 24.04.4 LTS
Kernel
6.6.87.2-microsoft-standard-WSL2
Uptime
up 2 days, 6 hours, 41 minutes
WSL