SignalForge
Operator priorities
3 ranked actions
01

Update the system now: run `apt update && apt upgrade`, then restart any affected services so the 60 pending package upgrades are applied.

02

Restrict or disable externally reachable wildcard listeners on ports 9090, 9100, and 5432; confirm whether each service must be exposed beyond localhost and add access controls if it must be.

03

Triage the 1585 log errors by correlating the WSL session-leader/vsock failures with affected workloads; if they are benign WSL noise, document them, otherwise restart or reconfigure the failing service.

Target host
mogahpc_wsl_01
Hostname snapshot: MogahPC · Ubuntu 24.04.3 LTS
Artifact family
Linux audit log
linux-audit-log
Source
agent
Mar 24, 11:00 PM
Artifact source
agent:4a2d5936-d2d3-4949-8fb9-5c44802a5c93
Collector
signalforge-collectors
Target ID
mogahpc_wsl_01
Recorded at
Mar 24, 11:00 PM
Findings
6
2
medium
4
low
Run status
complete
Analysis completed successfully for this artifact snapshot.
Primary operator signal

Host Pressure Snapshot

Disk, memory, package, and recent-error signals extracted from the host audit so operators can assess system pressure before reading detailed findings.

Watch closely
Peak disk use
81%
C:\ mounted on /mnt/c
Memory use
43.0%
0.8 GiB of 1.9 GiB
Pending upgrades
60
Packages available for update
Recent errors
1618
Recent syslog, journal, or auth errors
Operator summary

Host Storage Watch

The busiest filesystems captured in the audit, shown as compact usage bars rather than buried line items.

Stable context
C:\ (/mnt/c)
C:\ 476G 382G 94G 81% /mnt/c
81%
D:\ (/mnt/d)
D:\ 50G 13G 38G 25% /mnt/d
25%
/dev/sdd (/)
/dev/sdd 1007G 40G 916G 5% /
5%
/dev/sdd (/)
/dev/sdd 67108864 879623 66229241 2% /
2%
Operator summary

Host Attention Points

Short callouts for the host-side items most likely to change operator decisions right away.

Watch closely
60 packages pending upgrade
Pending upgrades mean the system is missing security fixes, bug fixes, and stability improvements. On a WSL host used for development or administration, stale packages can leave commonly used libraries, tools, and base system components exposed to known issues.
1585 non-trivial errors in recent logs
A high error count indicates repeated operational issues and can hide real faults if left untriaged. In this case, the sample evidence points to WSL transport/session-leader failures, which are often environmental rather than malicious, but the volume still warrants review to ensure no persistent service breakage is being missed.
Operator summary

Run Health Summary

A compact operator view of severity and signal distribution before you drop into detailed findings.

Watch closely
Critical + high
0
No top-severity findings
Instability & pressure
2
Operational signal count
Identity & access
0
RBAC, tokens, service accounts, secrets
Exposure
4
Public reachability and listener posture

Detailed review

Findings

6 findings
Analysis narrative
Full narrative summary

Expanded explanation for operators who want the model summary after reviewing the findings table.

  • The main actionable exposure is network-facing monitoring and database-related listeners bound to all interfaces inside WSL, which may be reachable from the host/network path depending on port forwarding and local policy.
  • The system is generally serviceable, but it is behind on updates with 60 packages pending upgrade, so patch hygiene needs attention.
  • Recent logs contain a large number of non-trivial errors, but the sample evidence is dominated by expected WSL transport noise rather than a clear compromise indicator.
  • A Node.js process is only bound to loopback, which is lower risk and appears consistent with local development or tooling.
  • Several expected WSL/non-root limitations were observed (SSH absent, AppArmor absent, iptables/sudoers inaccessible), and these should not be treated as incidents.

Run Metadata

Identity
Run ID
5569fd93
Artifact family
Linux audit log
Host-level audit output from first-audit.sh or an equivalent Linux evidence collector.
Source type
Agent collection
agent
Target ID
mogahpc_wsl_01
Source label
agent:4a2d5936-d2d3-4949-8fb9-5c44802a5c93
Collection
Collector
signalforge-collectors
Recorded at
Mar 24, 11:00 PM
Analysis
Model
gpt-5.4-mini
Analysis time
13.9s
Tokens used
4,719
Suppressed Noise (10)

These observations are classified as expected given the environment context. Excluded from findings to reduce alert fatigue.

SSH service not found (WSL)
AppArmor not present (WSL)
WSL getaddrinfo failures in syslog (WSL)
WSL init timeout error (WSL)
Apport autoreport condition checks skipped (WSL)
NVMe-oF or OpenIPMI service failures (WSL)
rpm command failed with exec format error (cross-platform)
Cannot read /etc/sudoers (non-root)
Cannot read failed login records (non-root)
Cannot query iptables rules (non-root)

Environment Context

Target Host
MogahPC · Ubuntu 24.04.3 LTS
Kernel
6.6.87.2-microsoft-standard-WSL2
Uptime
up 1 day, 19 hours, 1 minute
WSL