diff --git a/ROADMAP.md b/ROADMAP.md index c61c9bd..559cdb2 100644 --- a/ROADMAP.md +++ b/ROADMAP.md @@ -90,14 +90,18 @@ primitive** that other modules can chain. Bundled because: detect step - [ ] Nightly run; failures open issues automatically -## Phase 5 — Detection signature export +## Phase 5 — Detection signature export (DONE 2026-05-16) -- [ ] `iamroot --detect-rules --format=sigma` — Sigma rules per CVE -- [ ] `--format=yara` — YARA rules for static detection of exploit - binaries -- [ ] `--format=auditd` — auditd `.rules` snippets -- [ ] `--format=falco` — Falco rule snippets -- [ ] Sample SOC playbook in `docs/DETECTION_PLAYBOOK.md` +- [x] `iamroot --detect-rules --format=auditd` — embedded auditd rules + across all modules (deduped — family-shared rules emit once) +- [x] `iamroot --detect-rules --format=sigma` — embedded Sigma rules +- [x] `--format=yara` and `--format=falco` flags accepted; per-module + strings can be added when authors ship them. Currently no module + ships YARA or Falco rules (skipped cleanly). +- [x] `struct iamroot_module` gained `detect_auditd`, `detect_sigma`, + `detect_yara`, `detect_falco` fields — each NULL or pointer to + embedded C string. Self-contained binary, no data-dir install needed. +- [ ] Sample SOC playbook in `docs/DETECTION_PLAYBOOK.md` — followup ## Phase 6 — Mitigation mode diff --git a/core/module.h b/core/module.h index 1c59e12..82523f3 100644 --- a/core/module.h +++ b/core/module.h @@ -84,6 +84,15 @@ struct iamroot_module { /* Undo --exploit (e.g. evict from page cache) or --mitigate side * effects. NULL if no cleanup applies. */ iamroot_result_t (*cleanup)(const struct iamroot_ctx *ctx); + + /* Detection rule corpus — embedded so the binary is self- + * contained. Each may be NULL if this module ships no rules for + * that format. Strings are NUL-terminated; concatenated in the + * order modules register. */ + const char *detect_auditd; /* auditd .rules content */ + const char *detect_sigma; /* sigma YAML content */ + const char *detect_yara; /* yara rules content */ + const char *detect_falco; /* falco rules content */ }; #endif /* IAMROOT_MODULE_H */ diff --git a/iamroot.c b/iamroot.c index 130b843..933d98e 100644 --- a/iamroot.c +++ b/iamroot.c @@ -49,6 +49,8 @@ static void usage(const char *prog) " --exploit run named module's exploit (REQUIRES --i-know)\n" " --mitigate apply named module's mitigation\n" " --cleanup undo named module's exploit/mitigate side effects\n" +" --detect-rules dump detection rules for every module\n" +" (combine with --format=auditd|sigma|yara|falco)\n" " --version print version\n" " --help this message\n" "\n" @@ -58,6 +60,7 @@ static void usage(const char *prog) " --no-shell in --exploit modes, prepare but don't drop to shell\n" " --json machine-readable output (for SIEM/CI)\n" " --no-color disable ANSI color codes\n" +" --format with --detect-rules: auditd (default), sigma, yara, falco\n" "\n" "Exit codes:\n" " 0 not vulnerable / OK 2 vulnerable 5 exploit succeeded\n" @@ -71,10 +74,18 @@ enum mode { MODE_EXPLOIT, MODE_MITIGATE, MODE_CLEANUP, + MODE_DETECT_RULES, MODE_HELP, MODE_VERSION, }; +enum detect_format { + FMT_AUDITD, + FMT_SIGMA, + FMT_YARA, + FMT_FALCO, +}; + static const char *result_str(iamroot_result_t r) { switch (r) { @@ -132,6 +143,59 @@ static int cmd_scan(const struct iamroot_ctx *ctx) return worst; } +/* Dump detection rules for every registered module in the requested + * format. Modules that don't ship a rule for that format are simply + * skipped (no error). Output goes to stdout so it can be redirected + * straight into /etc/audit/rules.d/, the SIEM, etc. */ +static int cmd_detect_rules(enum detect_format fmt) +{ + static const char *fmt_names[] = { + [FMT_AUDITD] = "auditd", + [FMT_SIGMA] = "sigma", + [FMT_YARA] = "yara", + [FMT_FALCO] = "falco", + }; + size_t n = iamroot_module_count(); + fprintf(stdout, "# IAMROOT detection rules — format: %s\n", fmt_names[fmt]); + fprintf(stdout, "# Generated from %zu registered modules\n", n); + fprintf(stdout, "# AUTHORIZED-TESTING tool; see docs/ETHICS.md\n\n"); + /* Dedup by pointer: family-shared rule strings (e.g. all 5 + * copy_fail_family modules share one auditd rule string) would + * otherwise emit identical blocks once per module. */ + const char *seen[64] = {0}; + size_t n_seen = 0; + int emitted = 0; + for (size_t i = 0; i < n; i++) { + const struct iamroot_module *m = iamroot_module_at(i); + const char *rules = NULL; + switch (fmt) { + case FMT_AUDITD: rules = m->detect_auditd; break; + case FMT_SIGMA: rules = m->detect_sigma; break; + case FMT_YARA: rules = m->detect_yara; break; + case FMT_FALCO: rules = m->detect_falco; break; + } + if (rules == NULL) continue; + /* Already emitted? */ + bool dup = false; + for (size_t k = 0; k < n_seen; k++) { + if (seen[k] == rules) { dup = true; break; } + } + if (dup) { + fprintf(stdout, "# === %s (%s) — see family rules above ===\n\n", + m->name, m->cve); + continue; + } + if (n_seen < sizeof(seen)/sizeof(seen[0])) seen[n_seen++] = rules; + fprintf(stdout, "# === %s (%s) ===\n", m->name, m->cve); + fputs(rules, stdout); + fputc('\n', stdout); + emitted++; + } + fprintf(stderr, "[*] emitted detection rules for %d / %zu module(s) (format: %s)\n", + emitted, n, fmt_names[fmt]); + return 0; +} + static int cmd_one(const struct iamroot_module *m, const char *op, const struct iamroot_ctx *ctx) { @@ -162,27 +226,31 @@ int main(int argc, char **argv) const char *target = NULL; int i_know = 0; + enum detect_format dr_fmt = FMT_AUDITD; static struct option longopts[] = { - {"scan", no_argument, 0, 'S'}, - {"list", no_argument, 0, 'L'}, - {"exploit", required_argument, 0, 'E'}, - {"mitigate", required_argument, 0, 'M'}, - {"cleanup", required_argument, 0, 'C'}, - {"i-know", no_argument, 0, 1 }, - {"active", no_argument, 0, 2 }, - {"no-shell", no_argument, 0, 3 }, - {"json", no_argument, 0, 4 }, - {"no-color", no_argument, 0, 5 }, - {"version", no_argument, 0, 'V'}, - {"help", no_argument, 0, 'h'}, + {"scan", no_argument, 0, 'S'}, + {"list", no_argument, 0, 'L'}, + {"exploit", required_argument, 0, 'E'}, + {"mitigate", required_argument, 0, 'M'}, + {"cleanup", required_argument, 0, 'C'}, + {"detect-rules", no_argument, 0, 'D'}, + {"format", required_argument, 0, 6 }, + {"i-know", no_argument, 0, 1 }, + {"active", no_argument, 0, 2 }, + {"no-shell", no_argument, 0, 3 }, + {"json", no_argument, 0, 4 }, + {"no-color", no_argument, 0, 5 }, + {"version", no_argument, 0, 'V'}, + {"help", no_argument, 0, 'h'}, {0, 0, 0, 0} }; int c, opt_idx; - while ((c = getopt_long(argc, argv, "SLE:M:C:Vh", longopts, &opt_idx)) != -1) { + while ((c = getopt_long(argc, argv, "SLDE:M:C:Vh", longopts, &opt_idx)) != -1) { switch (c) { case 'S': mode = MODE_SCAN; break; case 'L': mode = MODE_LIST; break; + case 'D': mode = MODE_DETECT_RULES; break; case 'E': mode = MODE_EXPLOIT; target = optarg; break; case 'M': mode = MODE_MITIGATE; target = optarg; break; case 'C': mode = MODE_CLEANUP; target = optarg; break; @@ -191,6 +259,13 @@ int main(int argc, char **argv) case 3 : ctx.no_shell = true; break; case 4 : ctx.json = true; break; case 5 : ctx.no_color = true; break; + case 6 : + if (strcmp(optarg, "auditd") == 0) dr_fmt = FMT_AUDITD; + else if (strcmp(optarg, "sigma") == 0) dr_fmt = FMT_SIGMA; + else if (strcmp(optarg, "yara") == 0) dr_fmt = FMT_YARA; + else if (strcmp(optarg, "falco") == 0) dr_fmt = FMT_FALCO; + else { fprintf(stderr, "[-] unknown --format: %s\n", optarg); return 1; } + break; case 'V': printf("iamroot %s\n", IAMROOT_VERSION); return 0; case 'h': mode = MODE_HELP; break; default: usage(argv[0]); return 1; @@ -207,6 +282,7 @@ int main(int argc, char **argv) if (mode == MODE_SCAN) return cmd_scan(&ctx); if (mode == MODE_LIST) return cmd_list(); + if (mode == MODE_DETECT_RULES) return cmd_detect_rules(dr_fmt); /* --exploit / --mitigate / --cleanup all take a target */ if (target == NULL) { diff --git a/modules/copy_fail_family/iamroot_modules.c b/modules/copy_fail_family/iamroot_modules.c index 5a11e52..9abf9ab 100644 --- a/modules/copy_fail_family/iamroot_modules.c +++ b/modules/copy_fail_family/iamroot_modules.c @@ -48,16 +48,55 @@ static iamroot_result_t copy_fail_exploit_wrap(const struct iamroot_ctx *ctx) return (iamroot_result_t)copyfail_exploit(!ctx->no_shell); } +/* Shared detection rules for the copy_fail family — every member of + * this family exploits the same page-cache-write primitive and lands + * in the same files (/etc/passwd or /usr/bin/su). One rule set covers + * all five module entries. Per-module structs alias the same strings. */ +static const char copy_fail_family_auditd[] = + "# Copy Fail family (CVE-2026-31431 + Dirty Frag CVE-2026-43284 + RxRPC CVE-2026-43500)\n" + "# Page-cache writes to passwd/shadow/su/sudoers from non-root.\n" + "-w /etc/passwd -p wa -k iamroot-copy-fail\n" + "-w /etc/shadow -p wa -k iamroot-copy-fail\n" + "-w /etc/sudoers -p wa -k iamroot-copy-fail\n" + "-w /etc/sudoers.d -p wa -k iamroot-copy-fail\n" + "-w /usr/bin/su -p wa -k iamroot-copy-fail\n" + "# AF_ALG socket creation by non-root — heavily used by exploit\n" + "-a always,exit -F arch=b64 -S socket -F a0=38 -k iamroot-copy-fail-afalg\n" + "# xfrm SA setup (Dirty Frag ESP variants)\n" + "-a always,exit -F arch=b64 -S setsockopt -k iamroot-copy-fail-xfrm\n"; + +static const char copy_fail_family_sigma[] = + "title: Copy Fail / Dirty Frag family exploitation\n" + "id: 4d8e6c2a-iamroot-copy-fail-family\n" + "status: experimental\n" + "description: |\n" + " Detects the file-modification footprint of Copy Fail (CVE-2026-31431) and\n" + " Dirty Frag siblings (CVE-2026-43284 v4/v6, CVE-2026-43500). Catches the\n" + " /etc/passwd UID-flip backdoor + the persistent backdoor account install.\n" + "logsource: {product: linux, service: auditd}\n" + "detection:\n" + " modification:\n" + " type: 'PATH'\n" + " name|startswith: ['/etc/passwd', '/etc/shadow', '/etc/sudoers', '/usr/bin/su']\n" + " not_root: {auid|expression: '!= 0'}\n" + " condition: modification and not_root\n" + "level: high\n" + "tags: [attack.privilege_escalation, attack.t1068, cve.2026.31431, cve.2026.43284, cve.2026.43500]\n"; + const struct iamroot_module copy_fail_module = { - .name = "copy_fail", - .cve = "CVE-2026-31431", - .summary = "algif_aead authencesn page-cache write → /etc/passwd UID flip", - .family = "copy_fail_family", - .kernel_range = "≤ 6.12.84, fixed mainline 2026-04-22", - .detect = copy_fail_detect_wrap, - .exploit = copy_fail_exploit_wrap, - .mitigate = NULL, - .cleanup = NULL, + .name = "copy_fail", + .cve = "CVE-2026-31431", + .summary = "algif_aead authencesn page-cache write → /etc/passwd UID flip", + .family = "copy_fail_family", + .kernel_range = "≤ 6.12.84, fixed mainline 2026-04-22", + .detect = copy_fail_detect_wrap, + .exploit = copy_fail_exploit_wrap, + .mitigate = NULL, + .cleanup = NULL, + .detect_auditd = copy_fail_family_auditd, + .detect_sigma = copy_fail_family_sigma, + .detect_yara = NULL, + .detect_falco = NULL, }; /* ----- copy_fail_gcm (variant, no CVE) ----- */ @@ -82,8 +121,12 @@ const struct iamroot_module copy_fail_gcm_module = { .kernel_range = "same as copy_fail; rfc4106(gcm(aes)) not in modprobe blacklist", .detect = copy_fail_gcm_detect_wrap, .exploit = copy_fail_gcm_exploit_wrap, - .mitigate = NULL, - .cleanup = NULL, + .mitigate = NULL, + .cleanup = NULL, + .detect_auditd = copy_fail_family_auditd, + .detect_sigma = copy_fail_family_sigma, + .detect_yara = NULL, + .detect_falco = NULL, }; /* ----- dirty_frag_esp (CVE-2026-43284 v4) ----- */ @@ -108,8 +151,12 @@ const struct iamroot_module dirty_frag_esp_module = { .kernel_range = "same family as copy_fail; xfrm-ESP path", .detect = dirty_frag_esp_detect_wrap, .exploit = dirty_frag_esp_exploit_wrap, - .mitigate = NULL, - .cleanup = NULL, + .mitigate = NULL, + .cleanup = NULL, + .detect_auditd = copy_fail_family_auditd, + .detect_sigma = copy_fail_family_sigma, + .detect_yara = NULL, + .detect_falco = NULL, }; /* ----- dirty_frag_esp6 (CVE-2026-43284 v6) ----- */ @@ -134,8 +181,12 @@ const struct iamroot_module dirty_frag_esp6_module = { .kernel_range = "same family as copy_fail; xfrm-ESP6 path; V6 STORE shift auto-calibrated", .detect = dirty_frag_esp6_detect_wrap, .exploit = dirty_frag_esp6_exploit_wrap, - .mitigate = NULL, - .cleanup = NULL, + .mitigate = NULL, + .cleanup = NULL, + .detect_auditd = copy_fail_family_auditd, + .detect_sigma = copy_fail_family_sigma, + .detect_yara = NULL, + .detect_falco = NULL, }; /* ----- dirty_frag_rxrpc (CVE-2026-43500) ----- */ @@ -160,8 +211,12 @@ const struct iamroot_module dirty_frag_rxrpc_module = { .kernel_range = "kernels exposing AF_RXRPC + rxkad with fcrypt fallback", .detect = dirty_frag_rxrpc_detect_wrap, .exploit = dirty_frag_rxrpc_exploit_wrap, - .mitigate = NULL, - .cleanup = NULL, + .mitigate = NULL, + .cleanup = NULL, + .detect_auditd = copy_fail_family_auditd, + .detect_sigma = copy_fail_family_sigma, + .detect_yara = NULL, + .detect_falco = NULL, }; /* ----- Family registration ----- */ diff --git a/modules/dirty_pipe_cve_2022_0847/iamroot_modules.c b/modules/dirty_pipe_cve_2022_0847/iamroot_modules.c index 9961a63..baa95a1 100644 --- a/modules/dirty_pipe_cve_2022_0847/iamroot_modules.c +++ b/modules/dirty_pipe_cve_2022_0847/iamroot_modules.c @@ -108,16 +108,48 @@ static iamroot_result_t dirty_pipe_exploit(const struct iamroot_ctx *ctx) return IAMROOT_PRECOND_FAIL; } +/* Embedded detection rules — keep the binary self-contained so + * `iamroot --detect-rules --format=auditd` works without a separate + * data-dir install. */ +static const char dirty_pipe_auditd[] = + "# Dirty Pipe (CVE-2022-0847) — auditd detection rules\n" + "# See modules/dirty_pipe_cve_2022_0847/detect/auditd.rules for full version.\n" + "-w /etc/passwd -p wa -k iamroot-dirty-pipe\n" + "-w /etc/shadow -p wa -k iamroot-dirty-pipe\n" + "-w /etc/sudoers -p wa -k iamroot-dirty-pipe\n" + "-w /etc/sudoers.d -p wa -k iamroot-dirty-pipe\n" + "-a always,exit -F arch=b64 -S splice -k iamroot-dirty-pipe-splice\n" + "-a always,exit -F arch=b32 -S splice -k iamroot-dirty-pipe-splice\n"; + +static const char dirty_pipe_sigma[] = + "title: Possible Dirty Pipe exploitation (CVE-2022-0847)\n" + "id: f6b13c08-iamroot-dirty-pipe\n" + "status: experimental\n" + "logsource: {product: linux, service: auditd}\n" + "detection:\n" + " modification:\n" + " type: 'PATH'\n" + " name|startswith: ['/etc/passwd', '/etc/shadow', '/etc/sudoers']\n" + " not_root:\n" + " auid|expression: '!= 0'\n" + " condition: modification and not_root\n" + "level: high\n" + "tags: [attack.privilege_escalation, attack.t1068, cve.2022.0847]\n"; + const struct iamroot_module dirty_pipe_module = { - .name = "dirty_pipe", - .cve = "CVE-2022-0847", - .summary = "pipe_buffer CAN_MERGE flag inheritance → page-cache write", - .family = "dirty_pipe", - .kernel_range = "5.8 ≤ K, fixed mainline 5.17, backports: 5.10.102 / 5.15.25 / 5.16.11", - .detect = dirty_pipe_detect, - .exploit = dirty_pipe_exploit, - .mitigate = NULL, - .cleanup = NULL, + .name = "dirty_pipe", + .cve = "CVE-2022-0847", + .summary = "pipe_buffer CAN_MERGE flag inheritance → page-cache write", + .family = "dirty_pipe", + .kernel_range = "5.8 ≤ K, fixed mainline 5.17, backports: 5.10.102 / 5.15.25 / 5.16.11", + .detect = dirty_pipe_detect, + .exploit = dirty_pipe_exploit, + .mitigate = NULL, + .cleanup = NULL, + .detect_auditd = dirty_pipe_auditd, + .detect_sigma = dirty_pipe_sigma, + .detect_yara = NULL, + .detect_falco = NULL, }; void iamroot_register_dirty_pipe(void) diff --git a/modules/entrybleed_cve_2023_0458/iamroot_modules.c b/modules/entrybleed_cve_2023_0458/iamroot_modules.c index 6cba649..db950c8 100644 --- a/modules/entrybleed_cve_2023_0458/iamroot_modules.c +++ b/modules/entrybleed_cve_2023_0458/iamroot_modules.c @@ -221,16 +221,39 @@ static iamroot_result_t entrybleed_exploit(const struct iamroot_ctx *ctx) #endif +/* EntryBleed is a side-channel; auditd / file-write rules don't catch + * it (no syscalls of interest fire). The most we can do is flag + * processes spending unusual time in tight prefetchnta loops, which is + * detectable via perf-counter-based EDR but not via classic auditd. + * Ship a Sigma note describing this; auditd rule intentionally omitted. */ +static const char entrybleed_sigma[] = + "title: EntryBleed-style KPTI timing side-channel (CVE-2023-0458)\n" + "id: 7b3a48d1-iamroot-entrybleed\n" + "status: experimental\n" + "description: |\n" + " EntryBleed leaks kbase via prefetchnta timing against entry_SYSCALL_64.\n" + " No syscall trace and no filesystem footprint, so this rule is\n" + " INFORMATIONAL: it documents the technique for defenders, but reliable\n" + " detection requires perf-counter-based EDR. Treat unexplained spikes in\n" + " prefetchnta-heavy processes as suspicious.\n" + "logsource: {product: linux}\n" + "level: informational\n" + "tags: [attack.discovery, attack.t1082, cve.2023.0458]\n"; + const struct iamroot_module entrybleed_module = { - .name = "entrybleed", - .cve = "CVE-2023-0458", - .summary = "KPTI prefetchnta timing side-channel → kbase leak (stage-1)", - .family = "entrybleed", - .kernel_range = "any x86_64 KPTI-enabled kernel; only partial mitigations in mainline", - .detect = entrybleed_detect, - .exploit = entrybleed_exploit, - .mitigate = NULL, - .cleanup = NULL, + .name = "entrybleed", + .cve = "CVE-2023-0458", + .summary = "KPTI prefetchnta timing side-channel → kbase leak (stage-1)", + .family = "entrybleed", + .kernel_range = "any x86_64 KPTI-enabled kernel; only partial mitigations in mainline", + .detect = entrybleed_detect, + .exploit = entrybleed_exploit, + .mitigate = NULL, + .cleanup = NULL, + .detect_auditd = NULL, + .detect_sigma = entrybleed_sigma, + .detect_yara = NULL, + .detect_falco = NULL, }; void iamroot_register_entrybleed(void)