leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity

Phase 5: --detect-rules export with dedup

Browse Source 
- core/module.h: struct iamroot_module gains detect_{auditd,sigma,yara,falco}
  fields. NULL = module doesn't ship a rule for that format.
  Embedded as C string literals in each module's iamroot_modules.c so
  the binary is self-contained (no data-dir install needed).
- iamroot.c: --detect-rules [--format=<f>] command. Walks module
  registry, deduplicates by pointer (family-shared rules emit once,
  siblings get a 'see family rules above' marker), writes to stdout
  for redirect into /etc/audit/rules.d/ or SIEM ingestion.
- Embedded rules for:
  - copy_fail_family (shared across 5 modules): auditd watches on
    passwd/shadow/sudoers/su + AF_ALG socket creation + xfrm setsockopt;
    Sigma rule covers the file-modification footprint.
  - dirty_pipe: auditd watches on same files + splice() syscalls;
    Sigma rule for non-root file modification.
  - entrybleed: Sigma INFORMATIONAL note (side-channel — no syscall
    trace; reliable detection needs perf-counter EDR).

Verified end-to-end on kctf-mgr:
  iamroot --detect-rules --format=auditd → 2 / 7 rules emit (deduped)
  iamroot --detect-rules --format=sigma  → 2 / 7 rules emit
This commit is contained in:
KaraZajac
2026-05-16 19:58:26 -04:00
parent f03efbff13
commit cee368d5a4
6 changed files with 254 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ROADMAP.md
+11 -7
View File
@@ -90,14 +90,18 @@ primitive** that other modules can chain. Bundled because:
detect step
- [ ] Nightly run; failures open issues automatically
## Phase 5 — Detection signature export
## Phase 5 — Detection signature export (DONE 2026-05-16)
- [ ] `iamroot --detect-rules --format=sigma` — Sigma rules per CVE
- [ ] `--format=yara` — YARA rules for static detection of exploit
binaries
- [ ] `--format=auditd` — auditd `.rules` snippets
- [ ] `--format=falco` — Falco rule snippets
- [ ] Sample SOC playbook in `docs/DETECTION_PLAYBOOK.md`
- [x] `iamroot --detect-rules --format=auditd` — embedded auditd rules
across all modules (deduped — family-shared rules emit once)
- [x] `iamroot --detect-rules --format=sigma` — embedded Sigma rules
- [x] `--format=yara` and `--format=falco` flags accepted; per-module
strings can be added when authors ship them. Currently no module
ships YARA or Falco rules (skipped cleanly).
- [x] `struct iamroot_module` gained `detect_auditd`, `detect_sigma`,
`detect_yara`, `detect_falco` fields — each NULL or pointer to
embedded C string. Self-contained binary, no data-dir install needed.
- [ ] Sample SOC playbook in `docs/DETECTION_PLAYBOOK.md` — followup
## Phase 6 — Mitigation mode
core/module.h
+9
View File
@@ -84,6 +84,15 @@ struct iamroot_module {
/* Undo --exploit (e.g. evict from page cache) or --mitigate side
* effects. NULL if no cleanup applies. */
iamroot_result_t (*cleanup)(const struct iamroot_ctx *ctx);
/* Detection rule corpus — embedded so the binary is self-
* contained. Each may be NULL if this module ships no rules for
* that format. Strings are NUL-terminated; concatenated in the
* order modules register. */
const char *detect_auditd; /* auditd .rules content */
const char *detect_sigma; /* sigma YAML content */
const char *detect_yara; /* yara rules content */
const char *detect_falco; /* falco rules content */
};
#endif /* IAMROOT_MODULE_H */
iamroot.c
+89 -13
View File
@@ -49,6 +49,8 @@ static void usage(const char *prog)
" --exploit <name> run named module's exploit (REQUIRES --i-know)\n"
" --mitigate <name> apply named module's mitigation\n"
" --cleanup <name> undo named module's exploit/mitigate side effects\n"
" --detect-rules dump detection rules for every module\n"
" (combine with --format=auditd|sigma|yara|falco)\n"
" --version print version\n"
" --help this message\n"
"\n"
@@ -58,6 +60,7 @@ static void usage(const char *prog)
" --no-shell in --exploit modes, prepare but don't drop to shell\n"
" --json machine-readable output (for SIEM/CI)\n"
" --no-color disable ANSI color codes\n"
" --format <f> with --detect-rules: auditd (default), sigma, yara, falco\n"
"\n"
"Exit codes:\n"
" 0 not vulnerable / OK 2 vulnerable 5 exploit succeeded\n"
@@ -71,10 +74,18 @@ enum mode {
MODE_EXPLOIT,
MODE_MITIGATE,
MODE_CLEANUP,
MODE_DETECT_RULES,
MODE_HELP,
MODE_VERSION,
};
enum detect_format {
FMT_AUDITD,
FMT_SIGMA,
FMT_YARA,
FMT_FALCO,
};
static const char *result_str(iamroot_result_t r)
{
switch (r) {
@@ -132,6 +143,59 @@ static int cmd_scan(const struct iamroot_ctx *ctx)
return worst;
}
/* Dump detection rules for every registered module in the requested
* format. Modules that don't ship a rule for that format are simply
* skipped (no error). Output goes to stdout so it can be redirected
* straight into /etc/audit/rules.d/, the SIEM, etc. */
static int cmd_detect_rules(enum detect_format fmt)
{
static const char *fmt_names[] = {
[FMT_AUDITD] = "auditd",
[FMT_SIGMA] = "sigma",
[FMT_YARA] = "yara",
[FMT_FALCO] = "falco",
};
size_t n = iamroot_module_count();
fprintf(stdout, "# IAMROOT detection rules — format: %s\n", fmt_names[fmt]);
fprintf(stdout, "# Generated from %zu registered modules\n", n);
fprintf(stdout, "# AUTHORIZED-TESTING tool; see docs/ETHICS.md\n\n");
/* Dedup by pointer: family-shared rule strings (e.g. all 5
* copy_fail_family modules share one auditd rule string) would
* otherwise emit identical blocks once per module. */
const char *seen[64] = {0};
size_t n_seen = 0;
int emitted = 0;
for (size_t i = 0; i < n; i++) {
const struct iamroot_module *m = iamroot_module_at(i);
const char *rules = NULL;
switch (fmt) {
case FMT_AUDITD: rules = m->detect_auditd; break;
case FMT_SIGMA: rules = m->detect_sigma; break;
case FMT_YARA: rules = m->detect_yara; break;
case FMT_FALCO: rules = m->detect_falco; break;
}
if (rules == NULL) continue;
/* Already emitted? */
bool dup = false;
for (size_t k = 0; k < n_seen; k++) {
if (seen[k] == rules) { dup = true; break; }
}
if (dup) {
fprintf(stdout, "# === %s (%s) — see family rules above ===\n\n",
m->name, m->cve);
continue;
}
if (n_seen < sizeof(seen)/sizeof(seen[0])) seen[n_seen++] = rules;
fprintf(stdout, "# === %s (%s) ===\n", m->name, m->cve);
fputs(rules, stdout);
fputc('\n', stdout);
emitted++;
}
fprintf(stderr, "[*] emitted detection rules for %d / %zu module(s) (format: %s)\n",
emitted, n, fmt_names[fmt]);
return 0;
}
static int cmd_one(const struct iamroot_module *m, const char *op,
const struct iamroot_ctx *ctx)
{
@@ -162,27 +226,31 @@ int main(int argc, char **argv)
const char *target = NULL;
int i_know = 0;
enum detect_format dr_fmt = FMT_AUDITD;
static struct option longopts[] = {
{"scan", no_argument, 0, 'S'},
{"list", no_argument, 0, 'L'},
{"exploit", required_argument, 0, 'E'},
{"mitigate", required_argument, 0, 'M'},
{"cleanup", required_argument, 0, 'C'},
{"i-know", no_argument, 0, 1 },
{"active", no_argument, 0, 2 },
{"no-shell", no_argument, 0, 3 },
{"json", no_argument, 0, 4 },
{"no-color", no_argument, 0, 5 },
{"version", no_argument, 0, 'V'},
{"help", no_argument, 0, 'h'},
{"scan", no_argument, 0, 'S'},
{"list", no_argument, 0, 'L'},
{"exploit", required_argument, 0, 'E'},
{"mitigate", required_argument, 0, 'M'},
{"cleanup", required_argument, 0, 'C'},
{"detect-rules", no_argument, 0, 'D'},
{"format", required_argument, 0, 6 },
{"i-know", no_argument, 0, 1 },
{"active", no_argument, 0, 2 },
{"no-shell", no_argument, 0, 3 },
{"json", no_argument, 0, 4 },
{"no-color", no_argument, 0, 5 },
{"version", no_argument, 0, 'V'},
{"help", no_argument, 0, 'h'},
{0, 0, 0, 0}
};
int c, opt_idx;
while ((c = getopt_long(argc, argv, "SLE:M:C:Vh", longopts, &opt_idx)) != -1) {
while ((c = getopt_long(argc, argv, "SLDE:M:C:Vh", longopts, &opt_idx)) != -1) {
switch (c) {
case 'S': mode = MODE_SCAN; break;
case 'L': mode = MODE_LIST; break;
case 'D': mode = MODE_DETECT_RULES; break;
case 'E': mode = MODE_EXPLOIT; target = optarg; break;
case 'M': mode = MODE_MITIGATE; target = optarg; break;
case 'C': mode = MODE_CLEANUP; target = optarg; break;
@@ -191,6 +259,13 @@ int main(int argc, char **argv)
case 3 : ctx.no_shell = true; break;
case 4 : ctx.json = true; break;
case 5 : ctx.no_color = true; break;
case 6 :
if (strcmp(optarg, "auditd") == 0) dr_fmt = FMT_AUDITD;
else if (strcmp(optarg, "sigma") == 0) dr_fmt = FMT_SIGMA;
else if (strcmp(optarg, "yara") == 0) dr_fmt = FMT_YARA;
else if (strcmp(optarg, "falco") == 0) dr_fmt = FMT_FALCO;
else { fprintf(stderr, "[-] unknown --format: %s\n", optarg); return 1; }
break;
case 'V': printf("iamroot %s\n", IAMROOT_VERSION); return 0;
case 'h': mode = MODE_HELP; break;
default: usage(argv[0]); return 1;
@@ -207,6 +282,7 @@ int main(int argc, char **argv)
if (mode == MODE_SCAN) return cmd_scan(&ctx);
if (mode == MODE_LIST) return cmd_list();
if (mode == MODE_DETECT_RULES) return cmd_detect_rules(dr_fmt);
/* --exploit / --mitigate / --cleanup all take a target */
if (target == NULL) {
modules/copy_fail_family/iamroot_modules.c
+72 -17
View File
@@ -48,16 +48,55 @@ static iamroot_result_t copy_fail_exploit_wrap(const struct iamroot_ctx *ctx)
return (iamroot_result_t)copyfail_exploit(!ctx->no_shell);
}
/* Shared detection rules for the copy_fail family — every member of
* this family exploits the same page-cache-write primitive and lands
* in the same files (/etc/passwd or /usr/bin/su). One rule set covers
* all five module entries. Per-module structs alias the same strings. */
static const char copy_fail_family_auditd[] =
"# Copy Fail family (CVE-2026-31431 + Dirty Frag CVE-2026-43284 + RxRPC CVE-2026-43500)\n"
"# Page-cache writes to passwd/shadow/su/sudoers from non-root.\n"
"-w /etc/passwd -p wa -k iamroot-copy-fail\n"
"-w /etc/shadow -p wa -k iamroot-copy-fail\n"
"-w /etc/sudoers -p wa -k iamroot-copy-fail\n"
"-w /etc/sudoers.d -p wa -k iamroot-copy-fail\n"
"-w /usr/bin/su -p wa -k iamroot-copy-fail\n"
"# AF_ALG socket creation by non-root — heavily used by exploit\n"
"-a always,exit -F arch=b64 -S socket -F a0=38 -k iamroot-copy-fail-afalg\n"
"# xfrm SA setup (Dirty Frag ESP variants)\n"
"-a always,exit -F arch=b64 -S setsockopt -k iamroot-copy-fail-xfrm\n";
static const char copy_fail_family_sigma[] =
"title: Copy Fail / Dirty Frag family exploitation\n"
"id: 4d8e6c2a-iamroot-copy-fail-family\n"
"status: experimental\n"
"description: |\n"
" Detects the file-modification footprint of Copy Fail (CVE-2026-31431) and\n"
" Dirty Frag siblings (CVE-2026-43284 v4/v6, CVE-2026-43500). Catches the\n"
" /etc/passwd UID-flip backdoor + the persistent backdoor account install.\n"
"logsource: {product: linux, service: auditd}\n"
"detection:\n"
" modification:\n"
" type: 'PATH'\n"
" name|startswith: ['/etc/passwd', '/etc/shadow', '/etc/sudoers', '/usr/bin/su']\n"
" not_root: {auid|expression: '!= 0'}\n"
" condition: modification and not_root\n"
"level: high\n"
"tags: [attack.privilege_escalation, attack.t1068, cve.2026.31431, cve.2026.43284, cve.2026.43500]\n";
const struct iamroot_module copy_fail_module = {
.name = "copy_fail",
.cve = "CVE-2026-31431",
.summary = "algif_aead authencesn page-cache write → /etc/passwd UID flip",
.family = "copy_fail_family",
.kernel_range = "≤ 6.12.84, fixed mainline 2026-04-22",
.detect = copy_fail_detect_wrap,
.exploit = copy_fail_exploit_wrap,
.mitigate = NULL,
.cleanup = NULL,
.name = "copy_fail",
.cve = "CVE-2026-31431",
.summary = "algif_aead authencesn page-cache write → /etc/passwd UID flip",
.family = "copy_fail_family",
.kernel_range = "≤ 6.12.84, fixed mainline 2026-04-22",
.detect = copy_fail_detect_wrap,
.exploit = copy_fail_exploit_wrap,
.mitigate = NULL,
.cleanup = NULL,
.detect_auditd = copy_fail_family_auditd,
.detect_sigma = copy_fail_family_sigma,
.detect_yara = NULL,
.detect_falco = NULL,
};
/* ----- copy_fail_gcm (variant, no CVE) ----- */
@@ -82,8 +121,12 @@ const struct iamroot_module copy_fail_gcm_module = {
.kernel_range = "same as copy_fail; rfc4106(gcm(aes)) not in modprobe blacklist",
.detect = copy_fail_gcm_detect_wrap,
.exploit = copy_fail_gcm_exploit_wrap,
.mitigate = NULL,
.cleanup = NULL,
.mitigate = NULL,
.cleanup = NULL,
.detect_auditd = copy_fail_family_auditd,
.detect_sigma = copy_fail_family_sigma,
.detect_yara = NULL,
.detect_falco = NULL,
};
/* ----- dirty_frag_esp (CVE-2026-43284 v4) ----- */
@@ -108,8 +151,12 @@ const struct iamroot_module dirty_frag_esp_module = {
.kernel_range = "same family as copy_fail; xfrm-ESP path",
.detect = dirty_frag_esp_detect_wrap,
.exploit = dirty_frag_esp_exploit_wrap,
.mitigate = NULL,
.cleanup = NULL,
.mitigate = NULL,
.cleanup = NULL,
.detect_auditd = copy_fail_family_auditd,
.detect_sigma = copy_fail_family_sigma,
.detect_yara = NULL,
.detect_falco = NULL,
};
/* ----- dirty_frag_esp6 (CVE-2026-43284 v6) ----- */
@@ -134,8 +181,12 @@ const struct iamroot_module dirty_frag_esp6_module = {
.kernel_range = "same family as copy_fail; xfrm-ESP6 path; V6 STORE shift auto-calibrated",
.detect = dirty_frag_esp6_detect_wrap,
.exploit = dirty_frag_esp6_exploit_wrap,
.mitigate = NULL,
.cleanup = NULL,
.mitigate = NULL,
.cleanup = NULL,
.detect_auditd = copy_fail_family_auditd,
.detect_sigma = copy_fail_family_sigma,
.detect_yara = NULL,
.detect_falco = NULL,
};
/* ----- dirty_frag_rxrpc (CVE-2026-43500) ----- */
@@ -160,8 +211,12 @@ const struct iamroot_module dirty_frag_rxrpc_module = {
.kernel_range = "kernels exposing AF_RXRPC + rxkad with fcrypt fallback",
.detect = dirty_frag_rxrpc_detect_wrap,
.exploit = dirty_frag_rxrpc_exploit_wrap,
.mitigate = NULL,
.cleanup = NULL,
.mitigate = NULL,
.cleanup = NULL,
.detect_auditd = copy_fail_family_auditd,
.detect_sigma = copy_fail_family_sigma,
.detect_yara = NULL,
.detect_falco = NULL,
};
/* ----- Family registration ----- */
modules/dirty_pipe_cve_2022_0847/iamroot_modules.c
+41 -9
View File
@@ -108,16 +108,48 @@ static iamroot_result_t dirty_pipe_exploit(const struct iamroot_ctx *ctx)
return IAMROOT_PRECOND_FAIL;
}
/* Embedded detection rules — keep the binary self-contained so
* `iamroot --detect-rules --format=auditd` works without a separate
* data-dir install. */
static const char dirty_pipe_auditd[] =
"# Dirty Pipe (CVE-2022-0847) — auditd detection rules\n"
"# See modules/dirty_pipe_cve_2022_0847/detect/auditd.rules for full version.\n"
"-w /etc/passwd -p wa -k iamroot-dirty-pipe\n"
"-w /etc/shadow -p wa -k iamroot-dirty-pipe\n"
"-w /etc/sudoers -p wa -k iamroot-dirty-pipe\n"
"-w /etc/sudoers.d -p wa -k iamroot-dirty-pipe\n"
"-a always,exit -F arch=b64 -S splice -k iamroot-dirty-pipe-splice\n"
"-a always,exit -F arch=b32 -S splice -k iamroot-dirty-pipe-splice\n";
static const char dirty_pipe_sigma[] =
"title: Possible Dirty Pipe exploitation (CVE-2022-0847)\n"
"id: f6b13c08-iamroot-dirty-pipe\n"
"status: experimental\n"
"logsource: {product: linux, service: auditd}\n"
"detection:\n"
" modification:\n"
" type: 'PATH'\n"
" name|startswith: ['/etc/passwd', '/etc/shadow', '/etc/sudoers']\n"
" not_root:\n"
" auid|expression: '!= 0'\n"
" condition: modification and not_root\n"
"level: high\n"
"tags: [attack.privilege_escalation, attack.t1068, cve.2022.0847]\n";
const struct iamroot_module dirty_pipe_module = {
.name = "dirty_pipe",
.cve = "CVE-2022-0847",
.summary = "pipe_buffer CAN_MERGE flag inheritance → page-cache write",
.family = "dirty_pipe",
.kernel_range = "5.8 ≤ K, fixed mainline 5.17, backports: 5.10.102 / 5.15.25 / 5.16.11",
.detect = dirty_pipe_detect,
.exploit = dirty_pipe_exploit,
.mitigate = NULL,
.cleanup = NULL,
.name = "dirty_pipe",
.cve = "CVE-2022-0847",
.summary = "pipe_buffer CAN_MERGE flag inheritance → page-cache write",
.family = "dirty_pipe",
.kernel_range = "5.8 ≤ K, fixed mainline 5.17, backports: 5.10.102 / 5.15.25 / 5.16.11",
.detect = dirty_pipe_detect,
.exploit = dirty_pipe_exploit,
.mitigate = NULL,
.cleanup = NULL,
.detect_auditd = dirty_pipe_auditd,
.detect_sigma = dirty_pipe_sigma,
.detect_yara = NULL,
.detect_falco = NULL,
};
void iamroot_register_dirty_pipe(void)
modules/entrybleed_cve_2023_0458/iamroot_modules.c
+32 -9
View File
@@ -221,16 +221,39 @@ static iamroot_result_t entrybleed_exploit(const struct iamroot_ctx *ctx)
#endif
/* EntryBleed is a side-channel; auditd / file-write rules don't catch
* it (no syscalls of interest fire). The most we can do is flag
* processes spending unusual time in tight prefetchnta loops, which is
* detectable via perf-counter-based EDR but not via classic auditd.
* Ship a Sigma note describing this; auditd rule intentionally omitted. */
static const char entrybleed_sigma[] =
"title: EntryBleed-style KPTI timing side-channel (CVE-2023-0458)\n"
"id: 7b3a48d1-iamroot-entrybleed\n"
"status: experimental\n"
"description: |\n"
" EntryBleed leaks kbase via prefetchnta timing against entry_SYSCALL_64.\n"
" No syscall trace and no filesystem footprint, so this rule is\n"
" INFORMATIONAL: it documents the technique for defenders, but reliable\n"
" detection requires perf-counter-based EDR. Treat unexplained spikes in\n"
" prefetchnta-heavy processes as suspicious.\n"
"logsource: {product: linux}\n"
"level: informational\n"
"tags: [attack.discovery, attack.t1082, cve.2023.0458]\n";
const struct iamroot_module entrybleed_module = {
.name = "entrybleed",
.cve = "CVE-2023-0458",
.summary = "KPTI prefetchnta timing side-channel → kbase leak (stage-1)",
.family = "entrybleed",
.kernel_range = "any x86_64 KPTI-enabled kernel; only partial mitigations in mainline",
.detect = entrybleed_detect,
.exploit = entrybleed_exploit,
.mitigate = NULL,
.cleanup = NULL,
.name = "entrybleed",
.cve = "CVE-2023-0458",
.summary = "KPTI prefetchnta timing side-channel → kbase leak (stage-1)",
.family = "entrybleed",
.kernel_range = "any x86_64 KPTI-enabled kernel; only partial mitigations in mainline",
.detect = entrybleed_detect,
.exploit = entrybleed_exploit,
.mitigate = NULL,
.cleanup = NULL,
.detect_auditd = NULL,
.detect_sigma = entrybleed_sigma,
.detect_yara = NULL,
.detect_falco = NULL,
};
void iamroot_register_entrybleed(void)