r/linuxadmin

GuardFall: 10/11 open-source AI coding agents fail a shell trick that's been public since Bash 1.0 (1989)
▲ 11 r/linuxadmin+1 crossposts

GuardFall: 10/11 open-source AI coding agents fail a shell trick that's been public since Bash 1.0 (1989)

Adversa AI just published research on something they're calling GuardFall — not a single CVE, but a structural gap in how AI coding agents (Hermes, OpenCode, Roo-Code, and others) validate shell commands before execution.

The core issue: these agents filter the literal text of a command against regex/wildcard patterns. But Bash rewrites that text at runtime — quote removal, $IFS substitution, command substitution — so a string that passes the filter can still evaluate to the exact dangerous command the filter was supposed to block. Tested against 11 agents, 10 failed in at least one of four bypass classes. Only Continue reportedly closed the majority of the surface.

The worst variant doesn't even need the operator to opt into anything — a malicious repo's config (e.g. an .aider.conf.yml with auto-test: true and a poisoned test command) can fire on first accepted edit.

I previously covered a related failure mode here if you want more background: CISA Confirms Langflow RCE CVE-2026-33017 — different mechanism, same root problem: AI tooling given privileged execution with a safety layer that doesn't actually model what the underlying interpreter will do.

Curious what this sub thinks: is sandboxing/credential isolation the only real fix here, or is there a filtering approach that could actually work against a shell that rewrites its own input?

https://www.techgines.com/post/guardfall-ai-coding-agent-shell-injection-vulnerability

u/Expert_Sort7434 — 5 hours ago
▲ 213 r/linuxadmin+8 crossposts

CISA adds Linux kernel zero-day CVE-2026-43456 to KEV after active exploitation

CISA has added CVE-2026-43456, a Linux kernel local privilege escalation vulnerability, to its Known Exploited Vulnerabilities (KEV) catalog following confirmed in-the-wild exploitation. Here's everything covering the affected kernel versions, the vulnerability itself, which distributions have shipped fixes, and the available mitigations. If you're maintaining Linux systems, it may be worth checking whether your kernel has already been updated by your distro. Patch Now.

thecybersecguru.com
u/KingdomOfAngel — 15 hours ago

Linux L2/L3 Engineers, I Need Your Advice

Hey everyone,

I could really use some advice from experienced Linux admins/engineers.

I'm currently working in IT, and due to company policies I can't disclose the company name. I've been deployed as a vendor resource, and from Monday I'll be working in an L2/L3 Linux support role.

The truth is, I don't have much real-world L2/L3 production experience, and I'm honestly a bit nervous. I don't want to fake it I genuinely want to learn and do a good job.

I'd really appreciate it if you could share:

  • What does a typical day for an L2/L3 Linux engineer look like?
  • What kind of tickets do you usually handle?
  • How do you troubleshoot production issues without making things worse?
  • How do you handle vulnerability remediation (Nessus, Qualys, OpenSCAP, etc.)?
  • What Linux commands or concepts should I absolutely know before Monday?
  • Any tips or mistakes to avoid for someone starting in production?

If you've ever been in this situation, I'd love to hear your experience. Any advice, checklists, YouTube channels, documentation, or even a DM would mean a lot.

I know there's no shortcut to experience, but I'm ready to learn, work hard, and improve every day.

Thanks in advance, and I really appreciate this community. 🙏

reddit.com
u/jaggu26 — 3 days ago
▲ 3 r/linuxadmin+3 crossposts

Rust DNS server with policy controls, Prometheus metrics, and an MCP endpoint

I’ve been working on TitaniumGuard DNS, an open-source Rust DNS server focused on operational control rather than being just a toy resolver.

It currently supports:

- DNS over UDP and TCP

- Optional DoT, DoH, DoQ, and DoH3 builds

- Authoritative zones for internal DNS

- Recursive resolution gated by trusted client CIDRs

- Policy enforcement across authoritative, cache, and recursive paths

- Memory or Redis-backed DNS caching

- Audit logging

- /live, /ready, and /metrics endpoints

- Prometheus-formatted metrics

- Docker

- A local-only MCP endpoint for status, metrics, zones, config summaries, and perform controlled DNS resolution through the same policy path

The MCP part is intentionally loopback-only right now. If someone wants to use it on a cloud host, the intended setup is SSH/VPN/proxy into the local MCP listener, not exposing it directly to the internet.

The project is still early, but the goal is to make DNS operations easier to reason about: explicit recursion authorization, policy-aware responses, scrapeable health/metrics, and container-friendly deployment.

I’m looking for feedback from folks who operate DNS infrastructure or write network services in Rust

github.com
u/munukutla — 2 days ago

Anyone worked at as a Software Engineer?

Hi everyone,

I recently received a job offer for a position titled Software Engineer – Install and Deploy Applications, and I’m trying to better understand what this role is actually like.

From the title, it seems this may be more related to deployment, delivery, DevOps, or support rather than traditional software development, but I’m not sure.

I’d appreciate insight from anyone who has worked in a similar role.

I have a few questions:

  • What are the actual day-to-day responsibilities?
  • How much of the job is software development vs installation/configuration/troubleshooting?
  • Is this role closer to Software Engineering, DevOps, System Administration, or Technical Support?
  • What technologies/tools are commonly used (Linux, scripting, cloud, Kubernetes, databases, etc.)?

Any honest experiences or advice would be really helpful.

Thanks

reddit.com
u/Acceptable_Look_4870 — 3 days ago
▲ 4 r/linuxadmin+4 crossposts

Blueberry Linux - Looking for contributors

Blueberry is a self-hosted, source-built Linux distribution: a minimal, rolling CLI server system in the BSD tradition. A single source tree produces the base (a pinned prebuilt kernel, glibc, the bpm package manager, the build system) and every package is a recipe in packages/, built from source and served from the project's own signed repository. There are no upstream binary mirrors.

Here is the repo: https://github.com/zsigisti/blueberry

Here is the discord: https://discord.gg/GPfBnbDPHE

u/Healthy_Swimming5175 — 3 days ago
▲ 27 r/linuxadmin+2 crossposts

DskDitto v0.5.3 Release

Hey All. I just released latest the dskDitto. dskDitto aims to be a simple, blazing fast duplicate file finder and manager. It's written in Go so its quite portable. It has many useful features:

  1. Very fast. Can crawl SSDs with millions of files in under a minute.
  2. Display results in a sleek TUI (default) or a Raylib based GUI (pass --gui). Of coursel you can dump in various text formats (JSON, etc).
  3. It can perform similarity hashing to determine if files are “nearly duplicates" i.e fuzzy mode.
  4. Safely handles deletion and sym-link conversion
  5. UNIX hard-link aware
  6. Hashing algorithms currently Blake3 and Sha256 which are optimized for MacOS and Linux
  7. Support for file restore if yo accidentally blow away a bunch of dups.

More features and performance improvements are coming. Check out the README.md

u/jdefr — 3 days ago

7 YOE Linux Support Engineer from India: How can I find remote Linux administration opportunities?

Hi everyone,

I have around 7 years of experience in:

- Linux administration (RHCSA)

- SQL and application support

- Python scripting

- DevOps tools (Docker, Terraform, GitHub Actions)

I'm currently based in India and finding it difficult to get responses from LinkedIn and Naukri.

How do experienced Linux admins here find legitimate opportunities, especially remote or international ones?

Any advice would be appreciated.

reddit.com
u/Alert-Jacket-1573 — 4 days ago
▲ 7 r/linuxadmin+3 crossposts

NEC M series big issue

NEC M310 was outage 3 times last 7 days ago

Now it is not responding by ping float ip for managent

All disk arrays is green, i can access it using ip of controller but it refused any iSM command "iSM returns SM11153".

Note: Bbu was fault before power outage .

I have DAC and 2 expansion enclosures connected SAS.

Hosts are disconncted now.

reddit.com
u/Right_Ad_9315 — 3 days ago
▲ 4 r/linuxadmin+1 crossposts

efivars partition got full!! How to clean thing?? Firmware update failed.

efivarfs 148K 144K 0 100% /sys/firmware/efi/efivars

Oh, I have read the wiki : https://wiki.gentoo.org/wiki/Efivarfs and the kernel docs : https://docs.kernel.org/6.1/filesystems/efivarfs.html and this GITHUB post too : https://github.com/FrameworkComputer/SoftwareFirmwareIssueTracker/issues/90

But not sure how to clean or decreased the store. And it seems DBX update is failing for lack of space.

And the damn thing has showellen considerably ....irks ...

-rw-r--r-- 1 root root 20720 Jul 2 02:58 dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f

Now here is failed part when trying to update the firmware via fwupdmgr ...

Summary: UEFI revocation database

│ Current version: 20250902

│ Minimum Version: 20250902

│ Vendor: Microsoft (UEFI:Microsoft)

│ Install Duration: 1 second

│ Update Error: Not enough efivarfs space, requested 30.7 kB and got 4.1 kB

There are other keys failure on the chain too. Wondering .

Not sure what to do????

reddit.com
u/unixbhaskar — 4 days ago
▲ 8 r/linuxadmin+2 crossposts

Vigil – Lightweight Linux server monitoring that runs on Cloudflare Workers

I got tired of either paying per-host for hosted monitoring or standing up a Prometheus/Grafana/node_exporter stack just to watch a handful of small servers. So I built Vigil.

The idea: you don't run any monitoring infrastructure yourself. The backend is a Cloudflare Worker with D1 for storage and KV for state, plus a 1-minute cron for alerting. So it scales to zero and costs nothing on the free tier for a small fleet. The agent is a single Python file using only the stdlib (no pip install), managed by systemd. The dashboard is a React SPA on Cloudflare Pages.

github.com
u/vehbiemiroglu — 4 days ago
▲ 28 r/linuxadmin+1 crossposts

In search of ancient sauce

Hi folks,

I recall couple years back a thread about someone who wanted to get started in Linux sysadmin stuff and there was this extremely informative comment that was along the lines of:

“Grab Centos ISO, make VM, install Centos, configure web server, re-do everything again with foreman / katello (?)” and it goes from here until you have several machines.

The idea is that if you are able to do the tasks described with minimal help then you are pretty much qualified.

Any clues would be appreciated.

reddit.com
u/AgentWizz — 5 days ago
▲ 61 r/linuxadmin+1 crossposts

RHCSA Mock Exam Simulator. Practice real exam questions in a VM environment.

Hey everyone. I'm currently studying for my RHCSAv10 exam and I've been annoyed that I couldn't find an actual simulator that gives me different examples for similar tasks. I wanted to make it as real world as possible.

Here's my repo: https://github.com/justbest23/rhcsa-simulator

NOTE: This is very much a work in progress. PLEASE add comments with issues to this post and/or open issues on Github. The goal is to make this as comprehensive as possible, so any and all feedback is appreciated!

It's built almost completely by Claude Code (I am NOT this good at Python) but I think it's a genuinely good resource for practicing.

I started trying to build a simulator from scratch and it didn't go very well. Looking around I found this repo at https://github.com/AustinNicely and forked it and built on it.

Here's a short summary of features:

  • It sets up the task for you.
    • A "kill the runaway apache processes" task actually spawns processes; an "extend the logical volume" task actually creates a volume to extend. When the exam ends it tears it all back down.
  • No spare disks needed.
    • It auto-creates loop devices for LVM/partitioning/swap practice, and hands every whole-disk task its own device so tasks never collide.
  • Read-only grading.
    • Validation uses whitelisted, timeout-protected commands (id, lsblk, getenforce, systemctl is-active…). Partial credit per check, then a reboot-persistence simulation to catch stuff that won't survive a reboot (fstab, enabled services).
  • Adaptive mode.
    • Uses SM-2 spaced repetition to drill your weakest/overdue categories.
  • Real NFS testing.
    • Point it at a second RHEL box over SSH and it provisions actual seeded NFS exports for the network-storage tasks.
  • Full System Reset.
    • Strips the box back to a basic RHEL install between sessions (removes extra repos, flatpaks, practice users, stale mounts) while preserving your SSH/GitHub access and the OS.
  • Grading Disputes.
    • If you think a check marked you wrong during review, press d. It captures read-only evidence of your system state + your argument and opens a GitHub issue. A GitHub Action then runs an AI reviewer that inspects the exact validator, posts a verdict, and if the checker is wrong, opens a fix PR automatically. The grader improves from user disputes.

     

  • ~188 tasks across 25 categories / 8 domains. Pure Python stdlib, runs as root on a throwaway VM.
  • Feedback and bug reports very welcome! This repo is under active development.
u/justbest23 — 5 days ago

Do ya??? NO....please NO....use your damn two hands and fingers. Also, use the damn thing between the ears for thinking.

u/unixbhaskar — 4 days ago

Audit Rules Exclusions

Hey guys, trying to find out how to correctly exclude/ not collect audit events for a specific path to a .sh script but struggling to get it to work. My audit.rules file contains the following:

-a never,exit -F arch=b64 -S execve -F dir=/usr/bin/local/<name of file>.sh

But it is still being logged and forwarded to a SIEM. Is there an issue with excluding .sh?

reddit.com
u/Tini_tot — 4 days ago

nftables wrapper, gui or any other way to make it user friendly.

Hello Everyone,

I hope this is the right place to ask the question. I am a Network Admin, and I run containers (incus) in my home pc ( void linux ) to do some labs. I prefer nftables over iptables. For now , I use AI to create the firewall rules if I need any. but it would be great if I could have them user friendly and I can troubleshoot and push the neccessary configs.

I am open to advices.

reddit.com
u/Additional_Gap1057 — 7 days ago

How does Network Time Protocol provides the accurate time?

What I already know?

- NTP uses atomic clock to provide accurate time.

- NTP minimizes clock skew and drift.

where

Clock skew: is the instantaneous difference between the reading of any two clocks.

Clock drift: is the difference in the rates at which the clocks count time.

Currently reading:

- Distributed Systems concepts and design by George coulouris et al(This is my primary textbook, other I am following when confused)

- Think distributed systems Manning

- DDIA

- Distributed Operating Systems by PK Sinha

Have to do this in the age of AI to be a better system Administrator. Otherwise, AI will eat me up...Really scared.

My concern is author described the synchronization problem as a really big deal but a simple master worker architecture solved it. I do not find that satisfying.

reddit.com
u/Heavy_Budget6077 — 8 days ago