Phase 5: --detect-rules export with dedup

- core/module.h: struct iamroot_module gains detect_{auditd,sigma,yara,falco}
  fields. NULL = module doesn't ship a rule for that format.
  Embedded as C string literals in each module's iamroot_modules.c so
  the binary is self-contained (no data-dir install needed).
- iamroot.c: --detect-rules [--format=<f>] command. Walks module
  registry, deduplicates by pointer (family-shared rules emit once,
  siblings get a 'see family rules above' marker), writes to stdout
  for redirect into /etc/audit/rules.d/ or SIEM ingestion.
- Embedded rules for:
  - copy_fail_family (shared across 5 modules): auditd watches on
    passwd/shadow/sudoers/su + AF_ALG socket creation + xfrm setsockopt;
    Sigma rule covers the file-modification footprint.
  - dirty_pipe: auditd watches on same files + splice() syscalls;
    Sigma rule for non-root file modification.
  - entrybleed: Sigma INFORMATIONAL note (side-channel — no syscall
    trace; reliable detection needs perf-counter EDR).

Verified end-to-end on kctf-mgr:
  iamroot --detect-rules --format=auditd → 2 / 7 rules emit (deduped)
  iamroot --detect-rules --format=sigma  → 2 / 7 rules emit

modules/entrybleed_cve_2023_0458/iamroot_modules.c

@@ -221,16 +221,39 @@ static iamroot_result_t entrybleed_exploit(const struct iamroot_ctx *ctx)
 
 #endif
 
+/* EntryBleed is a side-channel; auditd / file-write rules don't catch
+ * it (no syscalls of interest fire). The most we can do is flag
+ * processes spending unusual time in tight prefetchnta loops, which is
+ * detectable via perf-counter-based EDR but not via classic auditd.
+ * Ship a Sigma note describing this; auditd rule intentionally omitted. */
+static const char entrybleed_sigma[] =
+    "title: EntryBleed-style KPTI timing side-channel (CVE-2023-0458)\n"
+    "id: 7b3a48d1-iamroot-entrybleed\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  EntryBleed leaks kbase via prefetchnta timing against entry_SYSCALL_64.\n"
+    "  No syscall trace and no filesystem footprint, so this rule is\n"
+    "  INFORMATIONAL: it documents the technique for defenders, but reliable\n"
+    "  detection requires perf-counter-based EDR. Treat unexplained spikes in\n"
+    "  prefetchnta-heavy processes as suspicious.\n"
+    "logsource: {product: linux}\n"
+    "level: informational\n"
+    "tags: [attack.discovery, attack.t1082, cve.2023.0458]\n";
+
 const struct iamroot_module entrybleed_module = {
-    .name         = "entrybleed",
-    .cve          = "CVE-2023-0458",
-    .summary      = "KPTI prefetchnta timing side-channel → kbase leak (stage-1)",
-    .family       = "entrybleed",
-    .kernel_range = "any x86_64 KPTI-enabled kernel; only partial mitigations in mainline",
-    .detect       = entrybleed_detect,
-    .exploit      = entrybleed_exploit,
-    .mitigate     = NULL,
-    .cleanup      = NULL,
+    .name           = "entrybleed",
+    .cve            = "CVE-2023-0458",
+    .summary        = "KPTI prefetchnta timing side-channel → kbase leak (stage-1)",
+    .family         = "entrybleed",
+    .kernel_range   = "any x86_64 KPTI-enabled kernel; only partial mitigations in mainline",
+    .detect         = entrybleed_detect,
+    .exploit        = entrybleed_exploit,
+    .mitigate       = NULL,
+    .cleanup        = NULL,
+    .detect_auditd  = NULL,
+    .detect_sigma   = entrybleed_sigma,
+    .detect_yara    = NULL,
+    .detect_falco   = NULL,
 };
 
 void iamroot_register_entrybleed(void)