Auditd Manager

5 briefs
high advisory

Chroot Execution in Container Context on Linux

Detects suspicious chroot execution within a Linux container context, potentially indicating a container escape attempt by pivoting to an alternate root filesystem.

Elastic Defend +1 container-escape privilege-escalation linux chroot
high advisory

Potential Root Effective Shell from Non-Standard Path via Auditd

This rule identifies process execution events where the effective user is root while the real user is not, the process arguments include the privileged shell flag commonly associated with setuid-capable shells, and the executable path is outside standard system binary directories, indicating potential privilege escalation.

Auditd Manager privilege-escalation linux auditd
high advisory

Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket

This rule detects potential exploitation of CVE-2026-31431, a Copy Fail vulnerability in the Linux kernel, via AF_ALG socket abuse, by correlating non-root AF_ALG-class socket or splice events with a subsequent process execution where the effective user is root but the login user remains non-root, indicating a privilege escalation attempt.

Auditbeat +1 privilege-escalation linux vulnerability cve-2026-31431
medium advisory

Curl or Wget Execution from Container Context

This rule detects the execution of curl or wget from within runc-backed containers on Linux systems monitored by Auditd Manager, indicating potential ingress tool transfer or data exfiltration by attackers who have compromised the container.

Auditd Manager command-and-control execution container auditd linux
medium advisory

Unusual Process Connecting to Docker or Containerd Socket

An unusual process connecting to a container runtime Unix socket like Docker or Containerd can indicate an attacker attempting to bypass Kubernetes security measures for container manipulation.

Auditbeat +4 container privilege-escalation lateral-movement linux