Linux Auditd Copy Fail Privilege Escalation

Splunk Security Content

Summary
Detects Linux Copy Fail privilege escalation attempts that leverage CVE-2026-31431. The rule ingests Linux auditd SYSCALL events and looks for activity indicative of the Copy Fail exploitation path, notably AF_ALG socket creation and the splice syscall, which together enable a local, unprivileged user to write a deterministic 4-byte value into the page cache of a readable file.

The detection also checks the process and execution context of each event against a curated list of setuid binaries commonly involved in privilege escalation (chfn, chsh, fusermount3, gpasswd, mount, newgrp, passwd, su, sudo, umount, dbus-daemon-launch-helper, landscape apt-update, ssh-keysign, polkit-agent-helper-1). An event contributes an indicator when its process name (name) matches that list (setuid_binary), when its executable path (exe) matches it (setuid_exec:<binary>), or when it shows AF_ALG socket creation or a splice call (AF_ALG/splice). Indicators are aggregated per user (auid), and the rule fires only once at least three distinct indicators have been observed for the same auid (unique_signals >= 3), so a lone setuid binary execution or a single AF_ALG socket does not alert on its own. The risk score is computed as risk_score_factor = unique_signals * 25. Results include the destination host, process IDs, user IDs, command names, and the observed indicators and binaries. Because each distinct setuid_exec:<binary> value counts as its own indicator, a user who legitimately runs two listed binaries (for example su and sudo) already accumulates three indicators (setuid_binary, setuid_exec:su, setuid_exec:sudo) without any AF_ALG or splice activity; tune the binary list or the threshold for your environment accordingly.

Accurate detection depends on a standard, correctly configured auditd deployment, including the audit rule key names (-k) the search expects, and on CIM normalization of the auditd data; adjust the key names in the search to match those used in your environment. The rule is designed to be complemented by Splunk dashboards and risk analytics. Its metadata maps it to MITRE ATT&CK technique T1068 (Exploitation for Privilege Escalation) and to CVE-2026-31431, and references a true-positive test dataset for validation.
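The signal-counting logic described above, reimplemented in Python over constructed auditd SYSCALL records so the threshold behaviour can be seen end to end. This is an added illustration, not Splunk's search and not code from the Splunk Security Content project. It assumes x86_64 syscall numbers (socket = 41, splice = 275), that AF_ALG (38) appears in the hex a0 argument of the socket call, two audit key names (af_alg_socket, splice_syscall) that stand in for whatever -k values your audit rules use, and an optional node= field for the host. The sample records are constructed, not real captures.

```python
"""Per-auid indicator aggregation for the Copy Fail detection, as an added example."""
import re
from collections import defaultdict
from os.path import basename

# Binaries named in the detection summary. "landscape apt-update" is kept as
# written on the page even though it is not a plain basename.
SETUID_BINARIES = {
    "chfn", "chsh", "fusermount3", "gpasswd", "mount", "newgrp", "passwd",
    "su", "sudo", "umount", "dbus-daemon-launch-helper", "landscape apt-update",
    "ssh-keysign", "polkit-agent-helper-1",
}

# x86_64 syscall numbers; auditd writes syscall= in decimal and a0..a3 in hex.
SYS_SOCKET = 41
SYS_SPLICE = 275
AF_ALG = 38  # shows up as a0=26 in the raw record

# Assumed audit key names (the -k value of the audit rule); adjust to your rules.
AF_ALG_KEY = "af_alg_socket"
SPLICE_KEY = "splice_syscall"

UNIQUE_SIGNAL_THRESHOLD = 3
RISK_PER_SIGNAL = 25

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_syscall_record(line):
    """Parse the key=value fields of one raw auditd record into a dict (quotes stripped)."""
    return {key: value.strip('"') for key, value in _FIELD_RE.findall(line)}


def signals_for(rec):
    """Return the set of indicator strings one SYSCALL record contributes."""
    if rec.get("type") != "SYSCALL":
        return set()
    out = set()
    comm = rec.get("comm", "")
    exe_base = basename(rec.get("exe", ""))
    if comm in SETUID_BINARIES:            # process name matches the list
        out.add("setuid_binary")
    if exe_base in SETUID_BINARIES:        # executable path matches the list
        out.add("setuid_exec:" + exe_base)
    syscall = int(rec.get("syscall", -1))
    key = rec.get("key", "")
    a0 = int(rec.get("a0", "0"), 16)
    af_alg = key == AF_ALG_KEY or (syscall == SYS_SOCKET and a0 == AF_ALG)
    splice = key == SPLICE_KEY or syscall == SYS_SPLICE
    if af_alg or splice:                   # both map to the single AF_ALG/splice indicator
        out.add("AF_ALG/splice")
    return out


def detect(lines):
    """Aggregate indicators per auid; return alerts for users at or over the threshold."""
    per_user = defaultdict(lambda: {"indicators": set(), "pids": set(),
                                    "comms": set(), "host": None})
    for line in lines:
        rec = parse_syscall_record(line)
        sigs = signals_for(rec)
        if not sigs:
            continue
        agg = per_user[rec.get("auid", "unset")]
        agg["indicators"] |= sigs
        agg["pids"].add(rec.get("pid", "?"))
        agg["comms"].add(rec.get("comm", "?"))
        agg["host"] = rec.get("node", agg["host"])  # node= is present only if auditd sets name_format
    alerts = {}
    for auid, agg in per_user.items():
        n = len(agg["indicators"])
        if n >= UNIQUE_SIGNAL_THRESHOLD:
            alerts[auid] = {
                "unique_signals": n,
                "risk_score": n * RISK_PER_SIGNAL,
                "indicators": sorted(agg["indicators"]),
                "pids": sorted(agg["pids"]),
                "comms": sorted(agg["comms"]),
                "host": agg["host"],
            }
    return alerts


# Constructed sample records. auid 1000 shows the full pattern (AF_ALG socket,
# splice, then su); auid 1001 only runs sudo and must stay below the threshold.
SAMPLE_LOG = [
    'node=host1 type=SYSCALL msg=audit(1778000000.101:501): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 items=0 ppid=2000 pid=2001 auid=1000 uid=1000 gid=1000 euid=1000 comm="copyfail" exe="/tmp/copyfail" key="af_alg_socket"',
    'node=host1 type=SYSCALL msg=audit(1778000000.102:502): arch=c000003e syscall=275 success=yes exit=4 a0=3 a1=0 a2=4 a3=0 items=0 ppid=2000 pid=2001 auid=1000 uid=1000 gid=1000 euid=1000 comm="copyfail" exe="/tmp/copyfail" key="splice_syscall"',
    'node=host1 type=SYSCALL msg=audit(1778000000.103:503): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c2a3b4c0 a1=55d1c2a3b500 a2=55d1c2a3b600 a3=0 items=2 ppid=2001 pid=2002 auid=1000 uid=1000 gid=1000 euid=0 comm="su" exe="/usr/bin/su" key="setuid_exec"',
    'node=host1 type=SYSCALL msg=audit(1778000000.104:504): arch=c000003e syscall=59 success=yes exit=0 a0=55e1c2a3b4c0 a1=55e1c2a3b500 a2=55e1c2a3b600 a3=0 items=2 ppid=3000 pid=3001 auid=1001 uid=1001 gid=1001 euid=0 comm="sudo" exe="/usr/bin/sudo" key="setuid_exec"',
]

if __name__ == "__main__":
    for auid, alert in detect(SAMPLE_LOG).items():
        print(auid, alert)
```

Running the block alerts only on auid 1000 (AF_ALG/splice, setuid_binary, setuid_exec:su; risk score 75), while auid 1001 collects just setuid_binary and setuid_exec:sudo and stays silent. Note that the AF_ALG and splice records are both folded into the single AF_ALG/splice indicator, exactly as the summary states, so those two syscalls alone never reach the threshold without a listed setuid binary in the same user's session.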
Categories
  • Endpoint
Data Sources
  • Logon Session
  • Kernel
  • Process
  • File
  • Command
  • Windows Registry
  • Script
  • Image
ATT&CK Techniques
  • T1068
Created: 2026-05-03