Add detection rules for CVE-2026-31431 (CopyFail) #6052
Welcome 👋 It looks like this is your first pull request on the Sigma rules repository! Please make sure to read the SigmaHQ conventions to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval. Thanks again, and welcome to the Sigma community! 😃
Adds three auditd-based Sigma rules covering the AF_ALG/algif_aead Linux kernel LPE chain: AF_ALG socket creation outside the disk-encryption toolchain, explicit load of the algif_aead module, and splice() against setuid binary paths. Rule 3 (splice) validated against live auditd telemetry on Amazon Linux 2023; description and logsource.definition updated to document the PATH/SYSCALL stitching requirement that the live data confirmed.
End-to-end replication guide for validating the three CopyFail Sigma rules shipped in SigmaHQ/sigma#6052 against a fresh Amazon Linux 2023 EC2 instance with auditd. Structured so an agent can execute each phase and hand off to a human at decision points. Includes the AL2023-specific gotchas the original validation surfaced (`never,task` suppression of syscall auditing; splice not emitting PATH records; macOS hypervisor limits).
Adds a structural acknowledgement that runtime telemetry can come from either osquery (the existing default and bundled sample format) or Linux auditd via the SigmaHQ rules contributed in SigmaHQ/sigma#6052.

- signals/CVE-2026-31431.yaml: link the three Sigma rules, tag each Tier 1 rule with supported_sources reflecting which collectors can observe it (4/6 cross-source; ALGIF_LOADED inventory-only; UID_ESCALATION needs PAM+uid-transition stitching for auditd parity)
- harness.yaml: introduce telemetry.event_source (osquery|auditd|both) and local_auditd_path. Orthogonal to the existing local|s3 location axis; clarified in inline comments
- README.md: split the Telemetry Sources section into the two axes (location vs collector format); link the validation runbook from the CVE-2026-31431 bundled example
- CLAUDE.md: new "Telemetry Source Independence" key concept documenting that the data plane is source-agnostic at the scoring layer; flags the auditd ingester as roadmap (event_source=auditd is a documentation contract today, not a runtime path)
Hey @swachchhanda000, since this is based on a CVE, let me know how I should provide the log for verification.

Yeah, logs would be nice to have.

Sure, here's the evidence log captured on Amazon Linux 2023 with the audit rules from each rule's Rule 1: Rule 2: Rule 3 (PATH lives on the preceding

Hey @swachchhanda000, added the relevant logs and a link to the log reproduction steps.
Summary of the Pull Request
Adds three high-fidelity auditd-based Sigma rules detecting exploitation of CVE-2026-31431 ("CopyFail"), a Linux kernel local privilege escalation in the `algif_aead` userspace crypto interface (AF_ALG socket family). The flaw allows an unprivileged caller to perform a controlled 4-byte write into the page cache of any readable file, typically corrupting the in-memory copy of a setuid binary such as `/usr/bin/su` to inherit root. It affects all mainstream distros shipping a stock kernel since 2017 (Ubuntu, RHEL, Debian, SUSE, AlmaLinux, Amazon Linux).

The three rules cover three independent points in the exploit chain so an analyst gets corroborating signals even if one stage is missed in the indexed window:

- `lnx_auditd_exploit_cve_2026_31431_af_alg_socket.yml`: AF_ALG crypto socket creation outside the disk-encryption toolchain
- `lnx_auditd_exploit_cve_2026_31431_algif_aead_module_load.yml`: `modprobe`/`insmod`/`kmodload` of `algif_aead`
- `lnx_auditd_exploit_cve_2026_31431_splice_to_af_alg.yml`: `splice()` syscall paired with PATH record for a setuid binary, by `auid!=0`

References used for each rule are embedded in the YAML and span Palo Alto Unit 42, Microsoft, Wiz, Sysdig, secwest.net, Xint, oss-security and the Ubuntu advisory.
Local validation passes for:

- `yamllint --strict`
- `sigma check --fail-on-error --fail-on-issues` (pysigma + pySigma-validators-sigmahq 0.20)
- `tests/test_logsource.py`
- `tests/test_rules.py`
- the duplicate-id grep

Changelog
new: AF_ALG Crypto Socket Creation Outside Disk-Encryption Toolchain - Potential CVE-2026-31431 Exploitation
new: algif_aead Kernel Module Load - Potential CVE-2026-31431 Pre-Exploitation
new: Splice Syscall Accessing Setuid Binary Path - Potential CVE-2026-31431 Exploitation
Example Log Event
Fixed Issues
SigmaHQ Rule Creation Conventions
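The three signals from the description above, run over raw auditd records, as an added example in Python; this is not code from the PR or from the SigmaHQ repository (the contributed rules are YAML). It implements the PATH/SYSCALL stitching that the PR author says the live AL2023 telemetry required for rule 3: the PATH record is emitted on the preceding open/openat event, not on the splice, so the splice is joined to the opened file by pid and file descriptor across events rather than within one. Syscall numbers are x86_64 (arch=c000003e); the audit key names, the disk-encryption allowlist, and every sample record are constructed assumptions for illustration.

```python
"""Stitch auditd SYSCALL, PATH and EXECVE records to surface the three CopyFail signals.

Added example, not code from the PR or from SigmaHQ; the contributed rules are YAML.
Syscall numbers are x86_64; the audit key names, the disk-encryption allowlist and the
sample records are assumptions for illustration.
"""
import re

SYS_OPEN, SYS_SOCKET, SYS_EXECVE, SYS_OPENAT, SYS_SPLICE = 2, 41, 59, 257, 275
AF_ALG = 38
UNSET_AUID = 4294967295  # auid=-1: no login session (kernel threads, early-boot daemons)
DISK_ENCRYPTION_TOOLCHAIN = {"/usr/sbin/cryptsetup", "/usr/lib/systemd/systemd-cryptsetup"}  # assumed allowlist
MODULE_LOADERS = {"modprobe", "insmod", "kmodload"}

# Constructed sample records (not captured from a real host). auditd prints syscall
# arguments in hex: a0=26 is AF_ALG (38); splice(fd_in=a0, off_in=a1, fd_out=a2, ...).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1710000000.100:500): arch=c000003e syscall=41 success=yes exit=4 a0=26 a1=5 a2=0 a3=0 items=0 ppid=1200 pid=1234 auid=1000 uid=1000 comm="poc" exe="/tmp/poc" key="copyfail_af_alg"
type=SYSCALL msg=audit(1710000000.101:501): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0a0 a2=0 a3=0 items=2 ppid=1200 pid=1234 auid=1000 uid=1000 comm="poc" exe="/tmp/poc" key="copyfail_open"
type=PATH msg=audit(1710000000.101:501): item=0 name="/usr/bin/" inode=1001 dev=103:02 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1710000000.101:501): item=1 name="/usr/bin/su" inode=2001 dev=103:02 mode=0104755 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1710000000.102:502): arch=c000003e syscall=275 success=yes exit=4096 a0=3 a1=0 a2=4 a3=0 items=0 ppid=1200 pid=1234 auid=1000 uid=1000 comm="poc" exe="/tmp/poc" key="copyfail_splice"
type=SYSCALL msg=audit(1710000000.200:600): arch=c000003e syscall=41 success=yes exit=5 a0=26 a1=5 a2=0 a3=0 items=0 ppid=1 pid=900 auid=4294967295 uid=0 comm="cryptsetup" exe="/usr/sbin/cryptsetup" key="copyfail_af_alg"
type=SYSCALL msg=audit(1710000000.300:700): arch=c000003e syscall=59 success=yes exit=0 a0=55e0a0 a1=55e0b0 a2=55e0c0 a3=0 items=2 ppid=1300 pid=1400 auid=1000 uid=1000 comm="modprobe" exe="/usr/bin/kmod" key="copyfail_modload"
type=EXECVE msg=audit(1710000000.300:700): argc=2 a0="modprobe" a1="algif_aead"
type=SYSCALL msg=audit(1710000000.400:800): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0b0 a2=0 a3=0 items=2 ppid=1500 pid=1600 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="copyfail_open"
type=PATH msg=audit(1710000000.400:800): item=1 name="/home/user/notes.txt" inode=3001 dev=103:02 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL
type=SYSCALL msg=audit(1710000000.401:801): arch=c000003e syscall=275 success=yes exit=512 a0=3 a1=0 a2=1 a3=0 items=0 ppid=1500 pid=1600 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="copyfail_splice"
type=SYSCALL msg=audit(1710000000.500:900): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0c0 a2=0 a3=0 items=2 ppid=1 pid=1700 auid=0 uid=0 comm="rpm" exe="/usr/bin/rpm" key="copyfail_open"
type=PATH msg=audit(1710000000.500:900): item=1 name="/usr/bin/su" inode=2001 dev=103:02 mode=0104755 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1710000000.501:901): arch=c000003e syscall=275 success=yes exit=4096 a0=3 a1=0 a2=4 a3=0 items=0 ppid=1 pid=1700 auid=0 uid=0 comm="rpm" exe="/usr/bin/rpm" key="copyfail_splice"
"""

_HEADER = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(log):
    """Group raw records by audit serial (the ':NNN' in msg=audit(ts:NNN)).

    Returns [(serial, {record_type: [fields, ...]})] in serial order; grouping by
    serial is what lets a PATH record be joined to the SYSCALL record of its event.
    """
    events = {}
    for line in log.splitlines():
        m = _HEADER.match(line.strip())
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in _FIELD.findall(body)}
        events.setdefault(int(serial), {}).setdefault(rtype, []).append(fields)
    return sorted(events.items())


def target_path(recs):
    """The opened file's own PATH record (nametype=NORMAL), not the PARENT directory entry."""
    for p in recs.get("PATH", []):
        if p.get("nametype") == "NORMAL":
            return p
    return None


def detect(log):
    """Run the three CopyFail signals over a raw auditd log; returns [(signal, serial, detail)]."""
    alerts = []
    fd_tables = {}  # pid -> {fd: (path, mode)}, built from successful open/openat events
    for serial, recs in parse_events(log):
        for sc in recs.get("SYSCALL", []):
            nr, pid, auid = int(sc["syscall"]), sc["pid"], int(sc["auid"])
            if nr == SYS_SOCKET and int(sc["a0"], 16) == AF_ALG:
                # Signal 1: AF_ALG socket from anything outside the disk-encryption toolchain.
                if sc["exe"] not in DISK_ENCRYPTION_TOOLCHAIN:
                    alerts.append(("af_alg_socket", serial, sc["exe"]))
            elif nr == SYS_EXECVE:
                # Signal 2: explicit load of algif_aead by a module loader (argv from the EXECVE record).
                for ex in recs.get("EXECVE", []):
                    argv = [ex.get(f"a{i}", "") for i in range(int(ex.get("argc", 0)))]
                    if argv and argv[0].rsplit("/", 1)[-1] in MODULE_LOADERS and "algif_aead" in argv[1:]:
                        alerts.append(("algif_aead_module_load", serial, " ".join(argv)))
            elif nr in (SYS_OPEN, SYS_OPENAT) and sc.get("success") == "yes":
                # The PATH record lives on this event, not on the later splice: remember fd -> file.
                p = target_path(recs)
                if p:
                    fd_tables.setdefault(pid, {})[int(sc["exit"])] = (p["name"], p["mode"])
            elif nr == SYS_SPLICE and auid not in (0, UNSET_AUID):
                # Signal 3: non-root splice whose fd_in (a0) the same pid opened on a setuid file.
                entry = fd_tables.get(pid, {}).get(int(sc["a0"], 16))
                if entry and int(entry[1], 8) & 0o4000:
                    alerts.append(("splice_to_setuid", serial, entry[0]))
    return alerts


if __name__ == "__main__":
    for signal, serial, detail in detect(SAMPLE_LOG):
        print(f"{signal:<24} serial={serial} {detail}")
```

Run the file directly to print the three hits (serials 500, 502 and 700); the cryptsetup socket, the non-setuid splice and the root splice of `/usr/bin/su` stay quiet. The fd table is deliberately naive: it does not consume close() events, so a descriptor number reused after a close would still carry the older file's path until the next successful open on that pid, which is the kind of edge a production stitcher has to handle.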