detection rules: YARA + Falco for the 6 highest-rank modules + playbook

Closes the 'rules in the box' gap — the README has claimed YARA +
Falco coverage but detect_yara and detect_falco were NULL on every
module. This commit lights up both formats for the 6 highest-value
modules (covering 10 of 31 registered modules via family-shared
rules), and the existing operational playbook gains the
format-specific deployment recipes + the cross-format correlation
table.

YARA rules (8 rules, 9 module-headers, 152 lines):
- copy_fail_family — etc_passwd_uid_flip + etc_passwd_root_no_password
  (shared across copy_fail / copy_fail_gcm / dirty_frag_esp /
   dirty_frag_esp6 / dirty_frag_rxrpc)
- dirty_pipe — passwd UID flip pattern, dirty-pipe-specific tag
- dirtydecrypt — 28-byte ELF prefix match on tiny_elf[] + setuid+execve
  shellcode tail, detects the page-cache overlay landing
- fragnesia — 28-byte ELF prefix on shell_elf[] + setuid+setgid+seteuid
  cascade, detects the 192-byte page-cache overlay
- pwnkit — gconv-modules cache file format (small text file with
  module UTF-8// X// /tmp/...)
- pack2theroot — malicious .deb (ar archive + SUID-bash postinst) +
  /tmp/.suid_bash artifact scan

Falco rules (13 rules, 9 module-headers, 219 lines):
- pwnkit — pkexec with empty argv + GCONV_PATH/CHARSET env from non-root
- copy_fail_family — AF_ALG socket from non-root + NETLINK_XFRM from
  unprivileged userns + /etc/passwd modified by non-root
- dirty_pipe — splice() of setuid/credential file by non-root
- dirtydecrypt — AF_RXRPC socket + add_key(rxrpc) by non-root
- fragnesia — TCP_ULP=espintcp from non-root + splice of setuid binary
- pack2theroot — SUID bit set on /tmp/.suid_bash + dpkg invoked by
  packagekitd with /tmp/.pk-*.deb + 2x InstallFiles on same transaction

Wiring: each module's .detect_yara and .detect_falco struct fields
now point at the embedded string. The dispatcher dedups by pointer,
so family-shared rules emit once across the 5 sub-modules.

docs/DETECTION_PLAYBOOK.md augmented (302 -> 456 lines):
- New 'YARA artifact scanning' subsection under SIEM integration
  with scheduled-scan cron pattern + per-rule trigger table
- New 'Falco runtime detection' subsection with deploy + per-rule
  trigger table
- New 'Per-module detection coverage' table — 4-format matrix
- New 'Correlation across formats' section — multi-format incident
  signature per exploit (the 3-of-4 signal pattern)
- New 'Worked example: catching DirtyDecrypt end-to-end' walkthrough
  from Falco page through yara confirmation, recovery, hunt + patch

The existing operational lifecycle / SIEM patterns / FP tuning
content is preserved unchanged — this commit only adds.

Final stats:
- auditd: 109 rule statements across 27 modules
- sigma:  16 sigma rules across 19 modules
- yara:    8 yara rules across 9 module headers (5 family + 4 distinct)
- falco:  13 falco rules across 9 module headers

The remaining 21 modules can gain YARA / Falco coverage incrementally
by populating their detect_yara / detect_falco struct fields.

modules/pwnkit_cve_2021_4034/skeletonkey_modules.c

@@ -384,6 +384,59 @@ static const char pwnkit_auditd[] =
     "-a always,exit -F arch=b64 -S execve -F path=/usr/bin/pkexec -k skeletonkey-pwnkit-execve\n"
     "-a always,exit -F arch=b32 -S execve -F path=/usr/bin/pkexec -k skeletonkey-pwnkit-execve\n";
 
+static const char pwnkit_yara[] =
+    "rule pwnkit_gconv_modules_cache : cve_2021_4034 lpe\n"
+    "{\n"
+    "    meta:\n"
+    "        cve         = \"CVE-2021-4034\"\n"
+    "        description = \"Pwnkit gconv-modules cache: redefines UTF-8 to load an attacker .so via iconv when pkexec is invoked with argc==0.\"\n"
+    "        author      = \"SKELETONKEY\"\n"
+    "        reference   = \"https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt\"\n"
+    "    strings:\n"
+    "        // gconv-modules text format: \"module FROM// TO// SHARED-OBJECT COST\".\n"
+    "        // Published PoCs redefine UTF-8 and point it at a .so dropped in /tmp.\n"
+    "        $line  = /module\\s+UTF-8\\/\\/\\s+\\S+\\/\\/\\s+\\S+\\s+\\d/\n"
+    "        $alias = /alias\\s+\\S+\\s+UTF-8/\n"
+    "        // Hint: PoC workdirs frequently include 'pwnkit' or 'GCONV' in path strings the .so carries.\n"
+    "        $marker_pwn  = \"pwnkit\" nocase\n"
+    "        $marker_gcv  = \"GCONV_PATH\"\n"
+    "    condition:\n"
+    "        // Small text-format file (gconv-modules caches are tiny) with the module redefinition.\n"
+    "        // Pair with -w /tmp -p wa auditd to catch the drop in real time.\n"
+    "        filesize < 4KB and $line and 1 of ($alias, $marker_pwn, $marker_gcv)\n"
+    "}\n";
+
+static const char pwnkit_falco[] =
+    "- rule: Pwnkit-style pkexec invocation (NULL argv)\n"
+    "  desc: |\n"
+    "    pkexec executed without argv (argc == 0). The Qualys PoC for\n"
+    "    CVE-2021-4034 invokes pkexec via execve with NULL argv so the\n"
+    "    out-of-bounds argv read picks up envp as if it were argv[1].\n"
+    "  condition: >\n"
+    "    spawned_process and proc.name = pkexec and\n"
+    "    (proc.cmdline = \"pkexec\" or proc.args = \"\")\n"
+    "  output: >\n"
+    "    Possible Pwnkit (CVE-2021-4034): pkexec spawned with no argv\n"
+    "    (user=%user.name uid=%user.uid pid=%proc.pid ppid=%proc.ppid\n"
+    "     parent=%proc.pname cmdline=\"%proc.cmdline\")\n"
+    "  priority: CRITICAL\n"
+    "  tags: [process, mitre_privilege_escalation, T1068, cve.2021.4034]\n"
+    "\n"
+    "- rule: Pwnkit-style GCONV_PATH injection\n"
+    "  desc: |\n"
+    "    A non-root process sets GCONV_PATH in env before spawning a\n"
+    "    setuid binary. Combined with a controlled .so + gconv-modules\n"
+    "    cache, this is the Qualys exploit shape.\n"
+    "  condition: >\n"
+    "    spawned_process and not user.uid = 0 and\n"
+    "    (proc.env contains \"GCONV_PATH=\" or proc.env contains \"CHARSET=\") and\n"
+    "    proc.name in (pkexec, su, sudo, mount, chsh, passwd)\n"
+    "  output: >\n"
+    "    GCONV_PATH/CHARSET set by non-root before setuid spawn\n"
+    "    (user=%user.name target=%proc.name env=\"%proc.env\")\n"
+    "  priority: WARNING\n"
+    "  tags: [process, env_injection, cve.2021.4034]\n";
+
 static const char pwnkit_sigma[] =
     "title: Possible Pwnkit exploitation (CVE-2021-4034)\n"
     "id: 9e1d4f2c-skeletonkey-pwnkit\n"
@@ -417,8 +470,8 @@ const struct skeletonkey_module pwnkit_module = {
     .cleanup        = pwnkit_cleanup,
     .detect_auditd  = pwnkit_auditd,
     .detect_sigma   = pwnkit_sigma,
-    .detect_yara    = NULL,
-    .detect_falco   = NULL,
+    .detect_yara    = pwnkit_yara,
+    .detect_falco   = pwnkit_falco,
 };
 
 void skeletonkey_register_pwnkit(void)