Monitor for creation or modification of udev rules files in the rule directories (/etc/udev/rules.d/, /lib/udev/rules.d/, /usr/lib/udev/rules.d/; on merged-/usr distributions /lib/udev is a symlink to /usr/lib/udev, so dedupe paths before alerting). Inspect new or changed rules for RUN+= or IMPORT{program}= keys that invoke binaries or scripts outside the normal udev helper directories, or that live in writable locations such as /tmp, /dev/shm or a user's home. Correlate a rule write with process execution whose parent is systemd-udevd, and with a udevadm control --reload or udevadm trigger invocation shortly after the write, since a new rule only fires once udev reloads and an event matches it. Note that udev kills RUN programs that do not exit when event handling finishes, so a rule used for persistence typically launches something that detaches from systemd-udevd; long-lived or re-parented processes whose ancestry traces back to systemd-udevd are therefore a strong signal on their own.
| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | auditd:SYSCALL | chmod, write, create, open |
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Command Execution (DC0064) | auditd:CONFIG_CHANGE | udev rule reload or trigger command executed |

| Field | Description |
|---|---|
| UdevRulePath | Path to udev rules (may vary by distro or user configuration) |
| SuspiciousRunPattern | Regex or string pattern to flag suspicious command executions in RUN+= |
| TimeWindow | Max interval between rule change and execution to correlate activity |
| ParentProcess | Expected parent of RUN-invoked commands (e.g., systemd-udevd) |
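The following is an added worked example, not part of the original analytic, showing the correlation the text describes run over constructed, simplified audit events: a write to a udev rules directory is parsed for RUN+= / IMPORT{program}= / PROGRAM= keys (PROGRAM= also executes an external binary, so it is included here as a generalization of the text), the program string is checked against a suspicious-command pattern, and any execve whose parent is systemd-udevd within TimeWindow of such a write raises an alert. The directory list, regex, time window, event schema and all sample events and rule contents are assumptions for the example; in production the events come from auditd SYSCALL/EXECVE records.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Tunables corresponding to the analytic's UdevRulePath, SuspiciousRunPattern,
# TimeWindow and ParentProcess fields (values chosen for this example).
UDEV_RULE_DIRS = ("/etc/udev/rules.d/", "/lib/udev/rules.d/", "/usr/lib/udev/rules.d/")
SUSPICIOUS_RUN = re.compile(
    r"(/tmp/|/dev/shm/|/var/tmp/|/home/|\bcurl\b|\bwget\b|\bnc\b|\bbash -c\b|\bsh -c\b|base64)"
)
TIME_WINDOW = 300.0          # seconds between rule write and udevd-spawned execve
UDEV_PARENT = "systemd-udevd"
RELOAD_CMD = re.compile(r"udevadm\s+(trigger|control\s+(--reload|-R))")

# Keys that cause udev to execute an external program. RUN{program}+= and
# RUN+= are the same thing; IMPORT{program}= and PROGRAM= also fork a binary.
EXEC_KEY = re.compile(r'(RUN(?:\{[^}]*\})?|IMPORT\{program\}|PROGRAM)\s*\+?=\s*"([^"]*)"')


@dataclass
class Event:
    """Simplified audit event (constructed schema, not auditd's raw format)."""
    ts: float
    kind: str                # "write" (rule file modified) or "execve"
    path: str                # rule file for writes, executable for execve
    comm: str = ""
    parent_comm: str = ""
    cmdline: str = ""


def suspicious_rule_lines(rule_text: str) -> List[Tuple[str, str, str]]:
    """Return (line, key, program) for program-executing keys whose program
    string matches SUSPICIOUS_RUN. Comment lines are ignored."""
    hits = []
    for line in rule_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        for key, program in EXEC_KEY.findall(line):
            if SUSPICIOUS_RUN.search(program):
                hits.append((line.strip(), key, program))
    return hits


def correlate(events: Iterable[Event], rule_contents: Dict[str, str]) -> List[dict]:
    """Alert on systemd-udevd children that follow a suspicious rule write
    within TIME_WINDOW seconds; record whether a udevadm reload/trigger
    happened in between, which is what makes the new rule fire."""
    alerts, writes, reloads = [], [], []   # writes: (ts, path, hits)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "write" and ev.path.startswith(UDEV_RULE_DIRS):
            hits = suspicious_rule_lines(rule_contents.get(ev.path, ""))
            if hits:
                writes.append((ev.ts, ev.path, hits))
        elif ev.kind == "execve" and RELOAD_CMD.search(ev.cmdline):
            reloads.append(ev.ts)
        elif ev.kind == "execve" and ev.parent_comm == UDEV_PARENT:
            if not SUSPICIOUS_RUN.search(ev.cmdline):
                continue                     # benign udev helper, skip
            for wts, wpath, hits in writes:
                if 0 <= ev.ts - wts <= TIME_WINDOW:
                    alerts.append({
                        "rule_file": wpath,
                        "rule_hits": [h[0] for h in hits],
                        "exec": ev.cmdline,
                        "delta_s": ev.ts - wts,
                        "reload_between": any(wts <= r <= ev.ts for r in reloads),
                    })
    return alerts


# Constructed sample data: one benign packaging write, one malicious rule.
RULE_CONTENTS = {
    "/etc/udev/rules.d/60-keyboard.rules":
        'ACTION=="add", SUBSYSTEM=="input", IMPORT{builtin}="hwdb --subsystem=input"\n',
    "/etc/udev/rules.d/99-backdoor.rules":
        '# looks like a network helper\n'
        'ACTION=="add", SUBSYSTEM=="net", RUN+="/bin/bash -c \'/tmp/.x/payload.sh\'"\n',
}
EVENTS = [
    Event(1000.0, "write", "/etc/udev/rules.d/60-keyboard.rules", comm="dpkg"),
    Event(1010.0, "write", "/etc/udev/rules.d/99-backdoor.rules", comm="vim"),
    Event(1015.0, "execve", "/usr/bin/udevadm", comm="udevadm", parent_comm="bash",
          cmdline="udevadm trigger --subsystem-match=net"),
    Event(1016.0, "execve", "/bin/bash", comm="bash", parent_comm=UDEV_PARENT,
          cmdline="/bin/bash -c /tmp/.x/payload.sh"),
    Event(1016.5, "execve", "/usr/lib/udev/hid2hci", comm="hid2hci", parent_comm=UDEV_PARENT,
          cmdline="/usr/lib/udev/hid2hci --method=dell --devpath=/devices/x"),
    Event(2000.0, "execve", "/bin/sh", comm="sh", parent_comm=UDEV_PARENT,
          cmdline="/bin/sh -c /tmp/other"),   # outside TIME_WINDOW, not correlated
]


def run() -> List[dict]:
    return correlate(EVENTS, RULE_CONTENTS)


if __name__ == "__main__":
    for a in run():
        print(a)
```

The cmdline check deliberately uses the same SuspiciousRunPattern as the rule parser rather than string-matching the RUN value, because udev tokenizes the RUN string before execve and quoting differs between the rule and the EXECVE record. The 2000.0 event shows the TimeWindow caveat: a udevd child running a /tmp script is still worth its own alert, but it is not correlated with this write.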