
Elastic detections for Linux auditd

Sigma rules authored in CloudSigma, rendered as Elastic queries against the Linux auditd log schema. Every rule is mapped to MITRE ATT&CK and validated against the Elastic output dialect.

01 Coverage at a glance
Production rules: 7
ATT&CK techniques: 6
ATT&CK tactics: 4
Output dialect: Elastic
02 Rule index
Technique  Rule                                                    Severity  Log source
T1059      Command and Scripting Interpreter on Linux auditd       medium    Linux auditd
T1068      Exploitation for Privilege Escalation on Linux auditd   medium    Linux auditd
T1068      Exploitation for Privilege Escalation on Linux auditd   medium    Linux auditd
T1078      Valid Accounts on Linux auditd                          medium    Linux auditd
T1098      Account Manipulation on Linux auditd                    medium    Linux auditd
T1548      Abuse Elevation Control Mechanism on Linux auditd       medium    Linux auditd
T1611      Escape to Host on Linux auditd                          medium    Linux auditd
03 Example rule

AF_ALG Socket Creation by Non-Crypto Tooling (CVE-2026-31431 Copy Fail), generated by CloudSigma and validated against the Elastic dialect.

L1 · production verified 2026-06-06 · sha256:c54d98ac96791786
Sigma rule · CloudSigma Elastic · Linux auditd · 2026-05-03
title: AF_ALG Socket Creation by Non-Crypto Tooling (CVE-2026-31431 Copy Fail)
id: cd627699-056b-48e4-97c5-641fa7a2d832
status: stable
description: >
    Detects user-space creation of an AF_ALG socket by a process that
    is not part of the small set of legitimate kernel-crypto-API
    consumers (libkcapi, cryptsetup, strongSwan/charon, ipsec). AF_ALG
    sockets expose the kernel crypto subsystem to user space; the
    family is rarely used outside the listed tools, and the
    CVE-2026-31431 "Copy Fail" exploit chain begins with
    socket(AF_ALG, SOCK_SEQPACKET, 0) followed by bind() of an
    algif_aead transform such as authencesn(...) and a splice() that
    triggers the 4-byte arbitrary page-cache write against readable
    files (typically setuid binaries). Catching the unusual AF_ALG
    socket creation upstream of bind/splice gives the earliest
    auditd-visible signal of the exploit path. Pair this with
    `-a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg` in
    audit.rules so SYSCALL records carry the AF_ALG family value.
    auditctl takes the family in decimal, but the kernel writes syscall
    arguments into the SYSCALL record in hex without a 0x prefix, so the
    record shows a0=26 and the selection below matches that form. An
    arch=b64 rule only sees 64-bit callers; add a matching arch=b32 rule
    if 32-bit binaries must be covered.
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-31431
    - https://www.kernel.org/doc/html/latest/crypto/userspace-if.html
    - https://attack.mitre.org/techniques/T1068/
author: CloudSigma
date: 2026-05-03
tags:
    - attack.privilege-escalation
    - attack.t1068
logsource:
    product: linux
    service: auditd
detection:
    selection_af_alg_socket:
        type: SYSCALL
        # syscall name as resolved by Auditbeat (resolve_ids) or ausearch -i;
        # raw audit.log carries the number (41 on x86_64, 198 on aarch64)
        syscall: socket
        # AF_ALG is 38 decimal; auditd prints a0 in hex, so the record reads a0=26
        a0: '26'
    filter_known_crypto_tools:
        exe|endswith:
            - /cryptsetup
            - /veritysetup
            - /integritysetup
            - /kcapi-enc
            - /kcapi-dgst
            - /kcapi-hasher
            - /kcapi-rng
            - /kcapi-rsa-test
            - /charon
            - /charon-systemd
            - /swanctl
            - /ipsec
            - /strongswan
            - /chronyd
    condition: selection_af_alg_socket and not filter_known_crypto_tools
falsepositives:
    - Bespoke applications that use the kernel crypto API directly via
      AF_ALG (rare). Baseline by exe path and parent process; if a new
      legitimate consumer appears, extend filter_known_crypto_tools.
    - Distribution-specific crypto helpers not present in the filter
      list. Verify the exe path matches the distro package and add it
      to the filter rather than suppressing the alert.
level: high
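As an added example (not part of the CloudSigma rule or its Elastic rendering), the selection and filter logic of the rule above applied in Python to raw audit.log SYSCALL lines. The four log lines are constructed for this example, the syscall numbers assume the x86_64 and aarch64 ABIs, and the allowlist is copied from filter_known_crypto_tools. The last record shows the pitfall the rule has to get right: auditd prints a0 in hex, so AF_ALG (38) appears as a0=26, and a match written against the decimal string "38" misses the real record while hitting an unrelated one (0x38 is family 56, which socket() rejects with EAFNOSUPPORT).

```python
"""Apply the AF_ALG Sigma rule's logic to raw audit.log SYSCALL lines.

Added example for this page, not CloudSigma code. The log lines are
constructed; syscall numbers assume the x86_64 and aarch64 ABIs.
"""
import re

AF_ALG = 38  # address family value from <linux/socket.h>

# socket() syscall number per AUDIT_ARCH value seen in the arch= field.
SOCKET_SYSCALL_BY_ARCH = {
    "c000003e": "41",   # x86_64
    "c00000b7": "198",  # aarch64
}

# Allowlist copied from the rule's filter_known_crypto_tools (exe|endswith).
KNOWN_CRYPTO_TOOLS = (
    "/cryptsetup", "/veritysetup", "/integritysetup",
    "/kcapi-enc", "/kcapi-dgst", "/kcapi-hasher", "/kcapi-rng",
    "/kcapi-rsa-test", "/charon", "/charon-systemd", "/swanctl",
    "/ipsec", "/strongswan", "/chronyd",
)

# Constructed records. 501: PoC opening AF_ALG; 502: cryptsetup doing the
# same legitimately; 503: sshd opening AF_INET (a0=2), logged by a broader
# socket rule; 504: a bogus family that reads "38" only because auditd
# prints arguments in hex (0x38 = 56, refused with EAFNOSUPPORT, -97).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1717660000.101:501): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=1400 pid=1412 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="poc" exe="/tmp/poc" key="af_alg"
type=SYSCALL msg=audit(1717660000.102:502): arch=c000003e syscall=41 success=yes exit=4 a0=26 a1=5 a2=0 a3=0 items=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cryptsetup" exe="/usr/sbin/cryptsetup" key="af_alg"
type=SYSCALL msg=audit(1717660000.103:503): arch=c000003e syscall=41 success=yes exit=5 a0=2 a1=1 a2=6 a3=0 items=0 ppid=1 pid=1200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="socket_all"
type=SYSCALL msg=audit(1717660000.104:504): arch=c000003e syscall=41 success=no exit=-97 a0=38 a1=5 a2=0 a3=0 items=0 ppid=1400 pid=1413 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="noise" exe="/tmp/noise" key="socket_all"
"""

# key=value pairs; values are either a double-quoted string or a bare token.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line: str) -> dict:
    """Split one audit.log line into a dict; quoted values lose their quotes."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def is_af_alg_socket(rec: dict) -> bool:
    """selection_af_alg_socket: a socket() SYSCALL record whose family is AF_ALG."""
    if rec.get("type") != "SYSCALL":
        return False
    if rec.get("syscall") != SOCKET_SYSCALL_BY_ARCH.get(rec.get("arch", "")):
        return False
    try:
        family = int(rec.get("a0", ""), 16)  # auditd prints a0..a3 in hex
    except ValueError:
        return False
    return family == AF_ALG


def is_known_crypto_tool(rec: dict) -> bool:
    """filter_known_crypto_tools: exe|endswith against the allowlist."""
    exe = rec.get("exe", "")
    return any(exe.endswith(suffix) for suffix in KNOWN_CRYPTO_TOOLS)


def alert(rec: dict) -> bool:
    """condition: selection_af_alg_socket and not filter_known_crypto_tools."""
    return is_af_alg_socket(rec) and not is_known_crypto_tool(rec)


def run_detection(log_text: str) -> list:
    """Return the exe of every record the rule fires on, in log order."""
    records = (parse_record(line) for line in log_text.splitlines() if line.strip())
    return [rec["exe"] for rec in records if alert(rec)]


def naive_decimal_match(log_text: str) -> list:
    """What a literal a0 == "38" match would select: the wrong record."""
    records = (parse_record(line) for line in log_text.splitlines() if line.strip())
    return [rec["exe"] for rec in records
            if rec.get("type") == "SYSCALL" and rec.get("a0") == "38"]


if __name__ == "__main__":
    print("alerts:", run_detection(SAMPLE_LOG))                 # ['/tmp/poc']
    print("decimal-match pitfall:", naive_decimal_match(SAMPLE_LOG))  # ['/tmp/noise']
```

Before trusting either form in a live query, pull one known AF_ALG record (for example from cryptsetup on a host with the audit rule loaded) and confirm how a0 arrives in the SIEM; unless the ingest pipeline re-encodes it, expect the same hex string the kernel wrote.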
Sources
  • Sigma project, https://github.com/SigmaHQ/sigma
  • Elastic documentation, https://docs.elastic.com/
Last verified: 2026-06-06