Phase 5: --detect-rules export with dedup

- core/module.h: struct iamroot_module gains detect_{auditd,sigma,yara,falco}
  fields. NULL = module doesn't ship a rule for that format.
  Embedded as C string literals in each module's iamroot_modules.c so
  the binary is self-contained (no data-dir install needed).
- iamroot.c: --detect-rules [--format=<f>] command. Walks module
  registry, deduplicates by pointer (family-shared rules emit once,
  siblings get a 'see family rules above' marker), writes to stdout
  for redirect into /etc/audit/rules.d/ or SIEM ingestion.
- Embedded rules for:
  - copy_fail_family (shared across 5 modules): auditd watches on
    passwd/shadow/sudoers/su + AF_ALG socket creation + xfrm setsockopt;
    Sigma rule covers the file-modification footprint.
  - dirty_pipe: auditd watches on same files + splice() syscalls;
    Sigma rule for non-root file modification.
  - entrybleed: Sigma INFORMATIONAL note (side-channel — no syscall
    trace; reliable detection needs perf-counter EDR).

Verified end-to-end on kctf-mgr:
  iamroot --detect-rules --format=auditd → 2 / 7 rules emit (deduped)
  iamroot --detect-rules --format=sigma  → 2 / 7 rules emit
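The pointer-based dedup walk the message describes, as an added example rather than the project's own iamroot.c code; the module names, rule bodies and registry below are constructed for illustration, and the family sibling is marked with a comment line so the redirected file stays loadable:

```c
/* Added example (not iamroot's code): export detection rules for one
   format, emitting a family-shared rule body once per distinct pointer. */
#include <stddef.h>
#include <stdio.h>

enum detect_format { DETECT_AUDITD, DETECT_SIGMA };

/* Same shape as the commit describes: NULL = no rule for that format. */
struct iamroot_module {
    const char *name;
    const char *detect_auditd;
    const char *detect_sigma;
};

/* Constructed sample rules; the family shares one string object. */
static const char copy_fail_auditd[] =
    "-w /etc/passwd -p wa -k iamroot_copy_fail\n"
    "-w /etc/shadow -p wa -k iamroot_copy_fail\n";
static const char dirty_pipe_auditd[] =
    "-a always,exit -F arch=b64 -S splice -k iamroot_dirty_pipe\n";

static const struct iamroot_module registry[] = {
    { "copy_fail_a", copy_fail_auditd, NULL },
    { "copy_fail_b", copy_fail_auditd, NULL },   /* sibling: same pointer */
    { "dirty_pipe",  dirty_pipe_auditd, NULL },
    { "entrybleed",  NULL, "title: EntryBleed (informational)\n" },
};
#define NMODULES (sizeof registry / sizeof registry[0])

/* Write rules for format `f` to `out`; returns the number of distinct
   rule bodies emitted (siblings sharing a pointer only get a marker). */
int export_rules(enum detect_format f, FILE *out)
{
    const char *seen[NMODULES];
    int nseen = 0;
    for (size_t i = 0; i < NMODULES; i++) {
        const struct iamroot_module *m = &registry[i];
        const char *r = f == DETECT_AUDITD ? m->detect_auditd : m->detect_sigma;
        if (!r) continue;                      /* module ships no rule here */
        int dup = 0;
        for (int j = 0; j < nseen; j++) if (seen[j] == r) dup = 1;
        if (dup) {                             /* comment keeps the file loadable */
            fprintf(out, "# %s: see family rules above\n", m->name);
            continue;
        }
        seen[nseen++] = r;
        fprintf(out, "# module: %s\n%s", m->name, r);
    }
    return nseen;
}
```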
2026-05-16 19:58:26 -04:00
parent f03efbff13
commit cee368d5a4
6 changed files with 254 additions and 55 deletions
@@ -90,14 +90,18 @@ primitive** that other modules can chain. Bundled because:
detect step
- [ ] Nightly run; failures open issues automatically
## Phase 5 — Detection signature export
## Phase 5 — Detection signature export (DONE 2026-05-16)
- [ ] `iamroot --detect-rules --format=sigma` — Sigma rules per CVE
- [ ] `--format=yara` — YARA rules for static detection of exploit
binaries
- [ ] `--format=auditd` — auditd `.rules` snippets
- [ ] `--format=falco` — Falco rule snippets
- [ ] Sample SOC playbook in `docs/DETECTION_PLAYBOOK.md`
- [x] `iamroot --detect-rules --format=auditd` — embedded auditd rules
across all modules (deduped — family-shared rules emit once)
- [x] `iamroot --detect-rules --format=sigma` — embedded Sigma rules
- [x] `--format=yara` and `--format=falco` flags accepted; per-module
strings can be added when authors ship them. Currently no module
ships YARA or Falco rules (skipped cleanly).
- [x] `struct iamroot_module` gained `detect_auditd`, `detect_sigma`,
`detect_yara`, `detect_falco` fields — each NULL or pointer to
embedded C string. Self-contained binary, no data-dir install needed.
- [ ] Sample SOC playbook in `docs/DETECTION_PLAYBOOK.md` — followup
## Phase 6 — Mitigation mode
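Review bot: the heading change to "Phase 5 — Detection signature export (DONE 2026-05-16)" overstates completion given the checklist under it: the `--format=yara` / `--format=falco` line is ticked while the same line says no module ships YARA or Falco rules, and the SOC playbook line is still open as a followup. Suggest keeping the phase open (or marking it partial) and leaving the yara/falco item unticked with a note that only the flag plumbing landed, so a reader does not take the export as covering all four formats. It would also help to say on the auditd line what "skipped cleanly" and the dedup marker look like in the output (comment line, empty stdout with exit 0, or a stderr warning), since the commit message intends the stream to be redirected straight into /etc/audit/rules.d/, where a non-comment marker or an empty file is easy to miss at load time.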