Copy Fail writes to the page cache without touching disk, so inotify, AIDE, and Tripwire are all blind to it. I put together a layered detection approach: auditd rules for AF_ALG socket creation (family 38); an eBPF monitor that correlates the full exploit chain per PID; a page-cache vs. on-disk divergence checker for setuid binaries and /etc/passwd; plus Sigma and YARA rules. Everything is stdlib Python or shell, no exotic dependencies outside bcc for the eBPF piece.
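The divergence checker is the piece that inotify and the integrity scanners cannot replace, so here is one way to build it. This is an added example, not the post author's tooling: it assumes Linux and uses the O_DIRECT approach (a normal read returns whatever the page cache holds, an O_DIRECT read is served from the backing store, so a page patched in cache without being marked dirty hashes differently). O_DIRECT support varies by filesystem; where the kernel refuses it the checker reports "unsupported" instead of silently passing. The sample file in `check_sample()` is constructed for the demo.

```python
"""Page-cache vs. on-disk divergence checker (added example, stdlib only).

Each file is hashed twice: through the page cache (plain read) and with O_DIRECT,
which bypasses the cache and reads blocks from the backing store. A mismatch means
the cached pages no longer match what is on disk.
"""
import errno
import hashlib
import mmap
import os
import stat
import tempfile

CHUNK = 1 << 20  # 1 MiB: a multiple of every common block size, as O_DIRECT requires


def sha256_cached(path):
    """Hash the file exactly as the kernel serves it from the page cache."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def sha256_direct(path):
    """Hash the file with O_DIRECT so the data comes from the backing store.

    O_DIRECT needs a page-aligned buffer and block-aligned lengths; an anonymous mmap
    gives the alignment, and os.readv() can read straight into it.
    """
    flag = getattr(os, "O_DIRECT", None)
    if flag is None:  # not Linux: report as unsupported rather than guessing
        raise OSError(errno.EINVAL, "O_DIRECT unavailable")
    fd = os.open(path, os.O_RDONLY | flag)
    buf = mmap.mmap(-1, CHUNK)
    try:
        h = hashlib.sha256()
        while True:
            n = os.readv(fd, [buf])  # short read at EOF is allowed under O_DIRECT
            if n == 0:
                break
            h.update(buf[:n])
        return h.hexdigest()
    finally:
        buf.close()
        os.close(fd)


def verdict(cached_hash, direct_hash):
    """Pure comparison so the decision logic can be tested in isolation."""
    if direct_hash is None:
        return "unsupported"
    return "consistent" if cached_hash == direct_hash else "divergent"


def check_file(path):
    """Return (status, cached_hash, direct_hash) for one path."""
    cached = sha256_cached(path)
    try:
        direct = sha256_direct(path)
    except OSError as e:
        if e.errno == errno.EINVAL:  # filesystem or platform refuses O_DIRECT
            return (verdict(cached, None), cached, None)
        raise
    return (verdict(cached, direct), cached, direct)


def setuid_binaries(roots=("/usr/bin", "/usr/sbin", "/bin", "/sbin")):
    """Yield regular files with the setuid or setgid bit under the given roots."""
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    yield p


def check_sample():
    """Run the checker on a constructed temp file; a fresh file must never diverge."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"root:x:0:0:root:/root:/bin/bash\n")  # constructed sample content
        path = f.name
    try:
        return check_file(path)[0]
    finally:
        os.unlink(path)


if __name__ == "__main__":
    targets = ["/etc/passwd"] + list(setuid_binaries())
    for target in targets:
        status, cached, direct = check_file(target)
        if status != "consistent":
            print(f"{status:12} {target}  cache={cached[:16]} disk={(direct or '-')[:16]}")
```

Run it as root so every setuid binary is readable, and treat a "divergent" line as a high-priority alert rather than proof on its own: a file legitimately being rewritten between the two reads also produces a mismatch, so re-check before acting. "unsupported" results are worth knowing about too, since those paths need a different check (for example, reading from a separate mount of the same block device).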