Phase 5: --detect-rules export with dedup

- core/module.h: struct iamroot_module gains detect_{auditd,sigma,yara,falco}
  fields. NULL = module doesn't ship a rule for that format.
  Embedded as C string literals in each module's iamroot_modules.c so
  the binary is self-contained (no data-dir install needed).
- iamroot.c: --detect-rules [--format=<f>] command. Walks module
  registry, deduplicates by pointer (family-shared rules emit once,
  siblings get a 'see family rules above' marker), writes to stdout
  for redirect into /etc/audit/rules.d/ or SIEM ingestion.
- Embedded rules for:
  - copy_fail_family (shared across 5 modules): auditd watches on
    passwd/shadow/sudoers/su + AF_ALG socket creation + xfrm setsockopt;
    Sigma rule covers the file-modification footprint.
  - dirty_pipe: auditd watches on same files + splice() syscalls;
    Sigma rule for non-root file modification.
  - entrybleed: Sigma INFORMATIONAL note (side-channel — no syscall
    trace; reliable detection needs perf-counter EDR).

Verified end-to-end on kctf-mgr:
  iamroot --detect-rules --format=auditd → 2 / 7 rules emit (deduped)
  iamroot --detect-rules --format=sigma  → 2 / 7 rules emit

modules/copy_fail_family/iamroot_modules.c

@@ -48,16 +48,55 @@ static iamroot_result_t copy_fail_exploit_wrap(const struct iamroot_ctx *ctx)
     return (iamroot_result_t)copyfail_exploit(!ctx->no_shell);
 }
 
+/* Shared detection rules for the copy_fail family — every member of
+ * this family exploits the same page-cache-write primitive and lands
+ * in the same files (/etc/passwd or /usr/bin/su). One rule set covers
+ * all five module entries. Per-module structs alias the same strings. */
+static const char copy_fail_family_auditd[] =
+    "# Copy Fail family (CVE-2026-31431 + Dirty Frag CVE-2026-43284 + RxRPC CVE-2026-43500)\n"
+    "# Page-cache writes to passwd/shadow/su/sudoers from non-root.\n"
+    "-w /etc/passwd     -p wa -k iamroot-copy-fail\n"
+    "-w /etc/shadow     -p wa -k iamroot-copy-fail\n"
+    "-w /etc/sudoers    -p wa -k iamroot-copy-fail\n"
+    "-w /etc/sudoers.d  -p wa -k iamroot-copy-fail\n"
+    "-w /usr/bin/su     -p wa -k iamroot-copy-fail\n"
+    "# AF_ALG socket creation by non-root — heavily used by exploit\n"
+    "-a always,exit -F arch=b64 -S socket -F a0=38 -k iamroot-copy-fail-afalg\n"
+    "# xfrm SA setup (Dirty Frag ESP variants)\n"
+    "-a always,exit -F arch=b64 -S setsockopt -k iamroot-copy-fail-xfrm\n";
+
+static const char copy_fail_family_sigma[] =
+    "title: Copy Fail / Dirty Frag family exploitation\n"
+    "id: 4d8e6c2a-iamroot-copy-fail-family\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects the file-modification footprint of Copy Fail (CVE-2026-31431) and\n"
+    "  Dirty Frag siblings (CVE-2026-43284 v4/v6, CVE-2026-43500). Catches the\n"
+    "  /etc/passwd UID-flip backdoor + the persistent backdoor account install.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  modification:\n"
+    "    type: 'PATH'\n"
+    "    name|startswith: ['/etc/passwd', '/etc/shadow', '/etc/sudoers', '/usr/bin/su']\n"
+    "  not_root: {auid|expression: '!= 0'}\n"
+    "  condition: modification and not_root\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2026.31431, cve.2026.43284, cve.2026.43500]\n";
+
 const struct iamroot_module copy_fail_module = {
-    .name         = "copy_fail",
-    .cve          = "CVE-2026-31431",
-    .summary      = "algif_aead authencesn page-cache write → /etc/passwd UID flip",
-    .family       = "copy_fail_family",
-    .kernel_range = "≤ 6.12.84, fixed mainline 2026-04-22",
-    .detect       = copy_fail_detect_wrap,
-    .exploit      = copy_fail_exploit_wrap,
-    .mitigate     = NULL,
-    .cleanup      = NULL,
+    .name           = "copy_fail",
+    .cve            = "CVE-2026-31431",
+    .summary        = "algif_aead authencesn page-cache write → /etc/passwd UID flip",
+    .family         = "copy_fail_family",
+    .kernel_range   = "≤ 6.12.84, fixed mainline 2026-04-22",
+    .detect         = copy_fail_detect_wrap,
+    .exploit        = copy_fail_exploit_wrap,
+    .mitigate       = NULL,
+    .cleanup        = NULL,
+    .detect_auditd  = copy_fail_family_auditd,
+    .detect_sigma   = copy_fail_family_sigma,
+    .detect_yara    = NULL,
+    .detect_falco   = NULL,
 };
 
 /* ----- copy_fail_gcm (variant, no CVE) ----- */
@@ -82,8 +121,12 @@ const struct iamroot_module copy_fail_gcm_module = {
     .kernel_range = "same as copy_fail; rfc4106(gcm(aes)) not in modprobe blacklist",
     .detect       = copy_fail_gcm_detect_wrap,
     .exploit      = copy_fail_gcm_exploit_wrap,
-    .mitigate     = NULL,
-    .cleanup      = NULL,
+    .mitigate       = NULL,
+    .cleanup        = NULL,
+    .detect_auditd  = copy_fail_family_auditd,
+    .detect_sigma   = copy_fail_family_sigma,
+    .detect_yara    = NULL,
+    .detect_falco   = NULL,
 };
 
 /* ----- dirty_frag_esp (CVE-2026-43284 v4) ----- */
@@ -108,8 +151,12 @@ const struct iamroot_module dirty_frag_esp_module = {
     .kernel_range = "same family as copy_fail; xfrm-ESP path",
     .detect       = dirty_frag_esp_detect_wrap,
     .exploit      = dirty_frag_esp_exploit_wrap,
-    .mitigate     = NULL,
-    .cleanup      = NULL,
+    .mitigate       = NULL,
+    .cleanup        = NULL,
+    .detect_auditd  = copy_fail_family_auditd,
+    .detect_sigma   = copy_fail_family_sigma,
+    .detect_yara    = NULL,
+    .detect_falco   = NULL,
 };
 
 /* ----- dirty_frag_esp6 (CVE-2026-43284 v6) ----- */
@@ -134,8 +181,12 @@ const struct iamroot_module dirty_frag_esp6_module = {
     .kernel_range = "same family as copy_fail; xfrm-ESP6 path; V6 STORE shift auto-calibrated",
     .detect       = dirty_frag_esp6_detect_wrap,
     .exploit      = dirty_frag_esp6_exploit_wrap,
-    .mitigate     = NULL,
-    .cleanup      = NULL,
+    .mitigate       = NULL,
+    .cleanup        = NULL,
+    .detect_auditd  = copy_fail_family_auditd,
+    .detect_sigma   = copy_fail_family_sigma,
+    .detect_yara    = NULL,
+    .detect_falco   = NULL,
 };
 
 /* ----- dirty_frag_rxrpc (CVE-2026-43500) ----- */
@@ -160,8 +211,12 @@ const struct iamroot_module dirty_frag_rxrpc_module = {
     .kernel_range = "kernels exposing AF_RXRPC + rxkad with fcrypt fallback",
     .detect       = dirty_frag_rxrpc_detect_wrap,
     .exploit      = dirty_frag_rxrpc_exploit_wrap,
-    .mitigate     = NULL,
-    .cleanup      = NULL,
+    .mitigate       = NULL,
+    .cleanup        = NULL,
+    .detect_auditd  = copy_fail_family_auditd,
+    .detect_sigma   = copy_fail_family_sigma,
+    .detect_yara    = NULL,
+    .detect_falco   = NULL,
 };
 
 /* ----- Family registration ----- */

modules/dirty_pipe_cve_2022_0847/iamroot_modules.c

@@ -108,16 +108,48 @@ static iamroot_result_t dirty_pipe_exploit(const struct iamroot_ctx *ctx)
     return IAMROOT_PRECOND_FAIL;
 }
 
+/* Embedded detection rules — keep the binary self-contained so
+ * `iamroot --detect-rules --format=auditd` works without a separate
+ * data-dir install. */
+static const char dirty_pipe_auditd[] =
+    "# Dirty Pipe (CVE-2022-0847) — auditd detection rules\n"
+    "# See modules/dirty_pipe_cve_2022_0847/detect/auditd.rules for full version.\n"
+    "-w /etc/passwd    -p wa -k iamroot-dirty-pipe\n"
+    "-w /etc/shadow    -p wa -k iamroot-dirty-pipe\n"
+    "-w /etc/sudoers   -p wa -k iamroot-dirty-pipe\n"
+    "-w /etc/sudoers.d -p wa -k iamroot-dirty-pipe\n"
+    "-a always,exit -F arch=b64 -S splice -k iamroot-dirty-pipe-splice\n"
+    "-a always,exit -F arch=b32 -S splice -k iamroot-dirty-pipe-splice\n";
+
+static const char dirty_pipe_sigma[] =
+    "title: Possible Dirty Pipe exploitation (CVE-2022-0847)\n"
+    "id: f6b13c08-iamroot-dirty-pipe\n"
+    "status: experimental\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  modification:\n"
+    "    type: 'PATH'\n"
+    "    name|startswith: ['/etc/passwd', '/etc/shadow', '/etc/sudoers']\n"
+    "  not_root:\n"
+    "    auid|expression: '!= 0'\n"
+    "  condition: modification and not_root\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2022.0847]\n";
+
 const struct iamroot_module dirty_pipe_module = {
-    .name         = "dirty_pipe",
-    .cve          = "CVE-2022-0847",
-    .summary      = "pipe_buffer CAN_MERGE flag inheritance → page-cache write",
-    .family       = "dirty_pipe",
-    .kernel_range = "5.8 ≤ K, fixed mainline 5.17, backports: 5.10.102 / 5.15.25 / 5.16.11",
-    .detect       = dirty_pipe_detect,
-    .exploit      = dirty_pipe_exploit,
-    .mitigate     = NULL,
-    .cleanup      = NULL,
+    .name           = "dirty_pipe",
+    .cve            = "CVE-2022-0847",
+    .summary        = "pipe_buffer CAN_MERGE flag inheritance → page-cache write",
+    .family         = "dirty_pipe",
+    .kernel_range   = "5.8 ≤ K, fixed mainline 5.17, backports: 5.10.102 / 5.15.25 / 5.16.11",
+    .detect         = dirty_pipe_detect,
+    .exploit        = dirty_pipe_exploit,
+    .mitigate       = NULL,
+    .cleanup        = NULL,
+    .detect_auditd  = dirty_pipe_auditd,
+    .detect_sigma   = dirty_pipe_sigma,
+    .detect_yara    = NULL,
+    .detect_falco   = NULL,
 };
 
 void iamroot_register_dirty_pipe(void)

modules/entrybleed_cve_2023_0458/iamroot_modules.c

@@ -221,16 +221,39 @@ static iamroot_result_t entrybleed_exploit(const struct iamroot_ctx *ctx)
 
 #endif
 
+/* EntryBleed is a side-channel; auditd / file-write rules don't catch
+ * it (no syscalls of interest fire). The most we can do is flag
+ * processes spending unusual time in tight prefetchnta loops, which is
+ * detectable via perf-counter-based EDR but not via classic auditd.
+ * Ship a Sigma note describing this; auditd rule intentionally omitted. */
+static const char entrybleed_sigma[] =
+    "title: EntryBleed-style KPTI timing side-channel (CVE-2023-0458)\n"
+    "id: 7b3a48d1-iamroot-entrybleed\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  EntryBleed leaks kbase via prefetchnta timing against entry_SYSCALL_64.\n"
+    "  No syscall trace and no filesystem footprint, so this rule is\n"
+    "  INFORMATIONAL: it documents the technique for defenders, but reliable\n"
+    "  detection requires perf-counter-based EDR. Treat unexplained spikes in\n"
+    "  prefetchnta-heavy processes as suspicious.\n"
+    "logsource: {product: linux}\n"
+    "level: informational\n"
+    "tags: [attack.discovery, attack.t1082, cve.2023.0458]\n";
+
 const struct iamroot_module entrybleed_module = {
-    .name         = "entrybleed",
-    .cve          = "CVE-2023-0458",
-    .summary      = "KPTI prefetchnta timing side-channel → kbase leak (stage-1)",
-    .family       = "entrybleed",
-    .kernel_range = "any x86_64 KPTI-enabled kernel; only partial mitigations in mainline",
-    .detect       = entrybleed_detect,
-    .exploit      = entrybleed_exploit,
-    .mitigate     = NULL,
-    .cleanup      = NULL,
+    .name           = "entrybleed",
+    .cve            = "CVE-2023-0458",
+    .summary        = "KPTI prefetchnta timing side-channel → kbase leak (stage-1)",
+    .family         = "entrybleed",
+    .kernel_range   = "any x86_64 KPTI-enabled kernel; only partial mitigations in mainline",
+    .detect         = entrybleed_detect,
+    .exploit        = entrybleed_exploit,
+    .mitigate       = NULL,
+    .cleanup        = NULL,
+    .detect_auditd  = NULL,
+    .detect_sigma   = entrybleed_sigma,
+    .detect_yara    = NULL,
+    .detect_falco   = NULL,
 };
 
 void iamroot_register_entrybleed(void)