Posts
Hello, my name is Orca: Unprivileged Keylogging on Wayland via D-Bus Accessibility
2026-05-15 · Keith Linneman
KDE KWin and GNOME Mutter trust a claimable Orca D-Bus name for raw Wayland accessibility keyboard events, including password input.
Hello, my name is NOT unconfined: Two Hops and a Shell on Ubuntu
2026-05-13 · Keith Linneman
Ubuntu's userns restriction patch checks a pointer, not a property. After one profile hop, the label is still functionally unconfined, but it is no longer the sentinel the patch looks for. Two aa-exec calls, chained into host root via dirtyfrag. Exploring SiCk's two-hop AppArmor bypass.
Porting Dirty Frag to arm64: Detection, Prevention and Hardening Notes
2026-05-11 · Keith Linneman
Porting the CVE-2026-43284 exploit to aarch64. The rxrpc path kernel oopses on arm64. Ubuntu 24.04's AppArmor blocked exploitation over SSH, but transitioning into an existing complain-mode profile leads to success. Analysis of chmod o-r as a mitigation for SUID targets, FIM limitations, and page-cache persistence.
Purple Team Engineering: Detection Below the Socket Layer with eBPF and Tetragon
2026-04-24 · Keith Linneman
Creating Tetragon policies to catch malware - AF_INET raw sockets, AF_PACKET with manual Ethernet construction, and the combination-detection patterns that emerge. Working Tetragon policy additions, a custom event parser, and purple-team test binaries to verify detection coverage.
Purple Team Engineering: Covert Channels and the DNF Numbers Station
2026-04-13 · Keith Linneman
Building a C2 channel indistinguishable from package manager traffic, encoding tasking in Apache ETag microseconds, and surveying the surprising state of repository security on Fedora.
Purple Team Engineering: Building and Detecting a Rust C2 Beacon
2026-04-09 · Keith Linneman
Building an offensive tool and the detection rules to catch it. The architecture behind Glimmer's dual-layer encryption, binary hardening from 1.4MB to 388K, and real-time YARA detection through Wazuh.
Modeling the hackerbot-claw Attack Against My Own CI/CD Pipeline
2026-03-20 · Keith Linneman
Reviewing my infrastructure's security posture against recent high-profile supply chain security compromises involving GitHub workflows using pull_request_target.
Running Your Own Transparency Infrastructure with Fulcio, Rekor, TesseraCT and Timestamp-Authority
2026-03-18 · Keith Linneman
From YubiKey CA root to trust bundles to signed artifacts - the architecture, trust decisions, and security implications behind running a self-hosted Sigstore stack.
Building a Self-Hosted Observability Platform with the Grafana LGTM Stack
2026-03-10 · Keith Linneman
A view into the architecture of a 118-node self-hosted observability platform built on Mimir, Loki, Tempo, Pyroscope, and Grafana. All deployed and configured from official documentation with no Helm charts or managed services.
Building an AI-Powered Alert Triage Engine with Go, Claude, and the Grafana LGTM Stack
2026-03-02 · Keith Linneman
How I built Vigil - a Go service that receives Alertmanager webhooks, investigates alerts using Claude's tool-calling API against Mimir and Loki, persists full conversation histories to PostgreSQL, and traces the entire triage lifecycle through Tempo.
hello, world
2026-02-09 · Keith Linneman
Introducing LinnemanLabs - 20+ years of breaking and building systems, now writing it down.