Phase 5: --detect-rules export with dedup

- core/module.h: struct iamroot_module gains detect_{auditd,sigma,yara,falco}
  fields. NULL = module doesn't ship a rule for that format.
  Embedded as C string literals in each module's iamroot_modules.c so
  the binary is self-contained (no data-dir install needed).
- iamroot.c: --detect-rules [--format=<f>] command. Walks module
  registry, deduplicates by pointer (family-shared rules emit once,
  siblings get a 'see family rules above' marker), writes to stdout
  for redirect into /etc/audit/rules.d/ or SIEM ingestion.
- Embedded rules for:
  - copy_fail_family (shared across 5 modules): auditd watches on
    passwd/shadow/sudoers/su + AF_ALG socket creation + xfrm setsockopt;
    Sigma rule covers the file-modification footprint.
  - dirty_pipe: auditd watches on same files + splice() syscalls;
    Sigma rule for non-root file modification.
  - entrybleed: Sigma INFORMATIONAL note (side-channel — no syscall
    trace; reliable detection needs perf-counter EDR).

Verified end-to-end on kctf-mgr:
  iamroot --detect-rules --format=auditd → 2 / 7 rules emit (deduped)
  iamroot --detect-rules --format=sigma  → 2 / 7 rules emit

ROADMAP.md

@@ -90,14 +90,18 @@ primitive** that other modules can chain. Bundled because:
       detect step
 - [ ] Nightly run; failures open issues automatically
 
-## Phase 5 — Detection signature export
+## Phase 5 — Detection signature export (DONE 2026-05-16)
 
-- [ ] `iamroot --detect-rules --format=sigma` — Sigma rules per CVE
+- [x] `iamroot --detect-rules --format=auditd` — embedded auditd rules
-- [ ] `--format=yara` — YARA rules for static detection of exploit
+      across all modules (deduped — family-shared rules emit once)
-      binaries
+- [x] `iamroot --detect-rules --format=sigma` — embedded Sigma rules
-- [ ] `--format=auditd` — auditd `.rules` snippets
+- [x] `--format=yara` and `--format=falco` flags accepted; per-module
-- [ ] `--format=falco` — Falco rule snippets
+      strings can be added when authors ship them. Currently no module
-- [ ] Sample SOC playbook in `docs/DETECTION_PLAYBOOK.md`
+      ships YARA or Falco rules (skipped cleanly).
+- [x] `struct iamroot_module` gained `detect_auditd`, `detect_sigma`,
+      `detect_yara`, `detect_falco` fields — each NULL or pointer to
+      embedded C string. Self-contained binary, no data-dir install needed.
+- [ ] Sample SOC playbook in `docs/DETECTION_PLAYBOOK.md` — followup
 
 ## Phase 6 — Mitigation mode
 

core/module.h

@@ -84,6 +84,15 @@ struct iamroot_module {
     /* Undo --exploit (e.g. evict from page cache) or --mitigate side
      * effects. NULL if no cleanup applies. */
     iamroot_result_t (*cleanup)(const struct iamroot_ctx *ctx);
+
+    /* Detection rule corpus — embedded so the binary is self-
+     * contained. Each may be NULL if this module ships no rules for
+     * that format. Strings are NUL-terminated; concatenated in the
+     * order modules register. */
+    const char *detect_auditd;   /* auditd .rules content */
+    const char *detect_sigma;    /* sigma YAML content */
+    const char *detect_yara;     /* yara rules content */
+    const char *detect_falco;    /* falco rules content */
 };
 
 #endif /* IAMROOT_MODULE_H */

iamroot.c

@@ -49,6 +49,8 @@ static void usage(const char *prog)
 "  --exploit <name>      run named module's exploit (REQUIRES --i-know)\n"
 "  --mitigate <name>     apply named module's mitigation\n"
 "  --cleanup <name>      undo named module's exploit/mitigate side effects\n"
+"  --detect-rules        dump detection rules for every module\n"
+"                        (combine with --format=auditd|sigma|yara|falco)\n"
 "  --version             print version\n"
 "  --help                this message\n"
 "\n"
@@ -58,6 +60,7 @@ static void usage(const char *prog)
 "  --no-shell            in --exploit modes, prepare but don't drop to shell\n"
 "  --json                machine-readable output (for SIEM/CI)\n"
 "  --no-color            disable ANSI color codes\n"
+"  --format <f>          with --detect-rules: auditd (default), sigma, yara, falco\n"
 "\n"
 "Exit codes:\n"
 "  0 not vulnerable / OK    2 vulnerable   5 exploit succeeded\n"
@@ -71,10 +74,18 @@ enum mode {
     MODE_EXPLOIT,
     MODE_MITIGATE,
     MODE_CLEANUP,
+    MODE_DETECT_RULES,
     MODE_HELP,
     MODE_VERSION,
 };
 
+enum detect_format {
+    FMT_AUDITD,
+    FMT_SIGMA,
+    FMT_YARA,
+    FMT_FALCO,
+};
+
 static const char *result_str(iamroot_result_t r)
 {
     switch (r) {
@@ -132,6 +143,59 @@ static int cmd_scan(const struct iamroot_ctx *ctx)
     return worst;
 }
 
+/* Dump detection rules for every registered module in the requested
+ * format. Modules that don't ship a rule for that format are simply
+ * skipped (no error). Output goes to stdout so it can be redirected
+ * straight into /etc/audit/rules.d/, the SIEM, etc. */
+static int cmd_detect_rules(enum detect_format fmt)
+{
+    static const char *fmt_names[] = {
+        [FMT_AUDITD] = "auditd",
+        [FMT_SIGMA]  = "sigma",
+        [FMT_YARA]   = "yara",
+        [FMT_FALCO]  = "falco",
+    };
+    size_t n = iamroot_module_count();
+    fprintf(stdout, "# IAMROOT detection rules — format: %s\n", fmt_names[fmt]);
+    fprintf(stdout, "# Generated from %zu registered modules\n", n);
+    fprintf(stdout, "# AUTHORIZED-TESTING tool; see docs/ETHICS.md\n\n");
+    /* Dedup by pointer: family-shared rule strings (e.g. all 5
+     * copy_fail_family modules share one auditd rule string) would
+     * otherwise emit identical blocks once per module. */
+    const char *seen[64] = {0};
+    size_t n_seen = 0;
+    int emitted = 0;
+    for (size_t i = 0; i < n; i++) {
+        const struct iamroot_module *m = iamroot_module_at(i);
+        const char *rules = NULL;
+        switch (fmt) {
+        case FMT_AUDITD: rules = m->detect_auditd; break;
+        case FMT_SIGMA:  rules = m->detect_sigma;  break;
+        case FMT_YARA:   rules = m->detect_yara;   break;
+        case FMT_FALCO:  rules = m->detect_falco;  break;
+        }
+        if (rules == NULL) continue;
+        /* Already emitted? */
+        bool dup = false;
+        for (size_t k = 0; k < n_seen; k++) {
+            if (seen[k] == rules) { dup = true; break; }
+        }
+        if (dup) {
+            fprintf(stdout, "# === %s (%s) — see family rules above ===\n\n",
+                    m->name, m->cve);
+            continue;
+        }
+        if (n_seen < sizeof(seen)/sizeof(seen[0])) seen[n_seen++] = rules;
+        fprintf(stdout, "# === %s (%s) ===\n", m->name, m->cve);
+        fputs(rules, stdout);
+        fputc('\n', stdout);
+        emitted++;
+    }
+    fprintf(stderr, "[*] emitted detection rules for %d / %zu module(s) (format: %s)\n",
+            emitted, n, fmt_names[fmt]);
+    return 0;
+}
+
 static int cmd_one(const struct iamroot_module *m, const char *op,
                    const struct iamroot_ctx *ctx)
 {
@@ -162,12 +226,15 @@ int main(int argc, char **argv)
     const char *target = NULL;
     int i_know = 0;
 
+    enum detect_format dr_fmt = FMT_AUDITD;
     static struct option longopts[] = {
         {"scan",          no_argument,       0, 'S'},
         {"list",          no_argument,       0, 'L'},
         {"exploit",       required_argument, 0, 'E'},
         {"mitigate",      required_argument, 0, 'M'},
         {"cleanup",       required_argument, 0, 'C'},
+        {"detect-rules",  no_argument,       0, 'D'},
+        {"format",        required_argument, 0,  6 },
         {"i-know",        no_argument,       0,  1 },
         {"active",        no_argument,       0,  2 },
         {"no-shell",      no_argument,       0,  3 },
@@ -179,10 +246,11 @@ int main(int argc, char **argv)
     };
 
     int c, opt_idx;
-    while ((c = getopt_long(argc, argv, "SLE:M:C:Vh", longopts, &opt_idx)) != -1) {
+    while ((c = getopt_long(argc, argv, "SLDE:M:C:Vh", longopts, &opt_idx)) != -1) {
         switch (c) {
         case 'S': mode = MODE_SCAN; break;
         case 'L': mode = MODE_LIST; break;
+        case 'D': mode = MODE_DETECT_RULES; break;
         case 'E': mode = MODE_EXPLOIT; target = optarg; break;
         case 'M': mode = MODE_MITIGATE; target = optarg; break;
         case 'C': mode = MODE_CLEANUP; target = optarg; break;
@@ -191,6 +259,13 @@ int main(int argc, char **argv)
         case  3 : ctx.no_shell = true; break;
         case  4 : ctx.json = true; break;
         case  5 : ctx.no_color = true; break;
+        case  6 :
+            if      (strcmp(optarg, "auditd") == 0) dr_fmt = FMT_AUDITD;
+            else if (strcmp(optarg, "sigma")  == 0) dr_fmt = FMT_SIGMA;
+            else if (strcmp(optarg, "yara")   == 0) dr_fmt = FMT_YARA;
+            else if (strcmp(optarg, "falco")  == 0) dr_fmt = FMT_FALCO;
+            else { fprintf(stderr, "[-] unknown --format: %s\n", optarg); return 1; }
+            break;
         case 'V': printf("iamroot %s\n", IAMROOT_VERSION); return 0;
         case 'h': mode = MODE_HELP; break;
         default: usage(argv[0]); return 1;
@@ -207,6 +282,7 @@ int main(int argc, char **argv)
 
     if (mode == MODE_SCAN) return cmd_scan(&ctx);
     if (mode == MODE_LIST) return cmd_list();
+    if (mode == MODE_DETECT_RULES) return cmd_detect_rules(dr_fmt);
 
     /* --exploit / --mitigate / --cleanup all take a target */
     if (target == NULL) {

modules/copy_fail_family/iamroot_modules.c

@@ -48,6 +48,41 @@ static iamroot_result_t copy_fail_exploit_wrap(const struct iamroot_ctx *ctx)
     return (iamroot_result_t)copyfail_exploit(!ctx->no_shell);
 }
 
+/* Shared detection rules for the copy_fail family — every member of
+ * this family exploits the same page-cache-write primitive and lands
+ * in the same files (/etc/passwd or /usr/bin/su). One rule set covers
+ * all five module entries. Per-module structs alias the same strings. */
+static const char copy_fail_family_auditd[] =
+    "# Copy Fail family (CVE-2026-31431 + Dirty Frag CVE-2026-43284 + RxRPC CVE-2026-43500)\n"
+    "# Page-cache writes to passwd/shadow/su/sudoers from non-root.\n"
+    "-w /etc/passwd     -p wa -k iamroot-copy-fail\n"
+    "-w /etc/shadow     -p wa -k iamroot-copy-fail\n"
+    "-w /etc/sudoers    -p wa -k iamroot-copy-fail\n"
+    "-w /etc/sudoers.d  -p wa -k iamroot-copy-fail\n"
+    "-w /usr/bin/su     -p wa -k iamroot-copy-fail\n"
+    "# AF_ALG socket creation by non-root — heavily used by exploit\n"
+    "-a always,exit -F arch=b64 -S socket -F a0=38 -k iamroot-copy-fail-afalg\n"
+    "# xfrm SA setup (Dirty Frag ESP variants)\n"
+    "-a always,exit -F arch=b64 -S setsockopt -k iamroot-copy-fail-xfrm\n";
+
+static const char copy_fail_family_sigma[] =
+    "title: Copy Fail / Dirty Frag family exploitation\n"
+    "id: 4d8e6c2a-iamroot-copy-fail-family\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  Detects the file-modification footprint of Copy Fail (CVE-2026-31431) and\n"
+    "  Dirty Frag siblings (CVE-2026-43284 v4/v6, CVE-2026-43500). Catches the\n"
+    "  /etc/passwd UID-flip backdoor + the persistent backdoor account install.\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  modification:\n"
+    "    type: 'PATH'\n"
+    "    name|startswith: ['/etc/passwd', '/etc/shadow', '/etc/sudoers', '/usr/bin/su']\n"
+    "  not_root: {auid|expression: '!= 0'}\n"
+    "  condition: modification and not_root\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2026.31431, cve.2026.43284, cve.2026.43500]\n";
+
 const struct iamroot_module copy_fail_module = {
     .name           = "copy_fail",
     .cve            = "CVE-2026-31431",
@@ -58,6 +93,10 @@ const struct iamroot_module copy_fail_module = {
     .exploit        = copy_fail_exploit_wrap,
     .mitigate       = NULL,
     .cleanup        = NULL,
+    .detect_auditd  = copy_fail_family_auditd,
+    .detect_sigma   = copy_fail_family_sigma,
+    .detect_yara    = NULL,
+    .detect_falco   = NULL,
 };
 
 /* ----- copy_fail_gcm (variant, no CVE) ----- */
@@ -84,6 +123,10 @@ const struct iamroot_module copy_fail_gcm_module = {
     .exploit      = copy_fail_gcm_exploit_wrap,
     .mitigate       = NULL,
     .cleanup        = NULL,
+    .detect_auditd  = copy_fail_family_auditd,
+    .detect_sigma   = copy_fail_family_sigma,
+    .detect_yara    = NULL,
+    .detect_falco   = NULL,
 };
 
 /* ----- dirty_frag_esp (CVE-2026-43284 v4) ----- */
@@ -110,6 +153,10 @@ const struct iamroot_module dirty_frag_esp_module = {
     .exploit      = dirty_frag_esp_exploit_wrap,
     .mitigate       = NULL,
     .cleanup        = NULL,
+    .detect_auditd  = copy_fail_family_auditd,
+    .detect_sigma   = copy_fail_family_sigma,
+    .detect_yara    = NULL,
+    .detect_falco   = NULL,
 };
 
 /* ----- dirty_frag_esp6 (CVE-2026-43284 v6) ----- */
@@ -136,6 +183,10 @@ const struct iamroot_module dirty_frag_esp6_module = {
     .exploit      = dirty_frag_esp6_exploit_wrap,
     .mitigate       = NULL,
     .cleanup        = NULL,
+    .detect_auditd  = copy_fail_family_auditd,
+    .detect_sigma   = copy_fail_family_sigma,
+    .detect_yara    = NULL,
+    .detect_falco   = NULL,
 };
 
 /* ----- dirty_frag_rxrpc (CVE-2026-43500) ----- */
@@ -162,6 +213,10 @@ const struct iamroot_module dirty_frag_rxrpc_module = {
     .exploit      = dirty_frag_rxrpc_exploit_wrap,
     .mitigate       = NULL,
     .cleanup        = NULL,
+    .detect_auditd  = copy_fail_family_auditd,
+    .detect_sigma   = copy_fail_family_sigma,
+    .detect_yara    = NULL,
+    .detect_falco   = NULL,
 };
 
 /* ----- Family registration ----- */

modules/dirty_pipe_cve_2022_0847/iamroot_modules.c

@@ -108,6 +108,34 @@ static iamroot_result_t dirty_pipe_exploit(const struct iamroot_ctx *ctx)
     return IAMROOT_PRECOND_FAIL;
 }
 
+/* Embedded detection rules — keep the binary self-contained so
+ * `iamroot --detect-rules --format=auditd` works without a separate
+ * data-dir install. */
+static const char dirty_pipe_auditd[] =
+    "# Dirty Pipe (CVE-2022-0847) — auditd detection rules\n"
+    "# See modules/dirty_pipe_cve_2022_0847/detect/auditd.rules for full version.\n"
+    "-w /etc/passwd    -p wa -k iamroot-dirty-pipe\n"
+    "-w /etc/shadow    -p wa -k iamroot-dirty-pipe\n"
+    "-w /etc/sudoers   -p wa -k iamroot-dirty-pipe\n"
+    "-w /etc/sudoers.d -p wa -k iamroot-dirty-pipe\n"
+    "-a always,exit -F arch=b64 -S splice -k iamroot-dirty-pipe-splice\n"
+    "-a always,exit -F arch=b32 -S splice -k iamroot-dirty-pipe-splice\n";
+
+static const char dirty_pipe_sigma[] =
+    "title: Possible Dirty Pipe exploitation (CVE-2022-0847)\n"
+    "id: f6b13c08-iamroot-dirty-pipe\n"
+    "status: experimental\n"
+    "logsource: {product: linux, service: auditd}\n"
+    "detection:\n"
+    "  modification:\n"
+    "    type: 'PATH'\n"
+    "    name|startswith: ['/etc/passwd', '/etc/shadow', '/etc/sudoers']\n"
+    "  not_root:\n"
+    "    auid|expression: '!= 0'\n"
+    "  condition: modification and not_root\n"
+    "level: high\n"
+    "tags: [attack.privilege_escalation, attack.t1068, cve.2022.0847]\n";
+
 const struct iamroot_module dirty_pipe_module = {
     .name           = "dirty_pipe",
     .cve            = "CVE-2022-0847",
@@ -118,6 +146,10 @@ const struct iamroot_module dirty_pipe_module = {
     .exploit        = dirty_pipe_exploit,
     .mitigate       = NULL,
     .cleanup        = NULL,
+    .detect_auditd  = dirty_pipe_auditd,
+    .detect_sigma   = dirty_pipe_sigma,
+    .detect_yara    = NULL,
+    .detect_falco   = NULL,
 };
 
 void iamroot_register_dirty_pipe(void)

modules/entrybleed_cve_2023_0458/iamroot_modules.c

@@ -221,6 +221,25 @@ static iamroot_result_t entrybleed_exploit(const struct iamroot_ctx *ctx)
 
 #endif
 
+/* EntryBleed is a side-channel; auditd / file-write rules don't catch
+ * it (no syscalls of interest fire). The most we can do is flag
+ * processes spending unusual time in tight prefetchnta loops, which is
+ * detectable via perf-counter-based EDR but not via classic auditd.
+ * Ship a Sigma note describing this; auditd rule intentionally omitted. */
+static const char entrybleed_sigma[] =
+    "title: EntryBleed-style KPTI timing side-channel (CVE-2023-0458)\n"
+    "id: 7b3a48d1-iamroot-entrybleed\n"
+    "status: experimental\n"
+    "description: |\n"
+    "  EntryBleed leaks kbase via prefetchnta timing against entry_SYSCALL_64.\n"
+    "  No syscall trace and no filesystem footprint, so this rule is\n"
+    "  INFORMATIONAL: it documents the technique for defenders, but reliable\n"
+    "  detection requires perf-counter-based EDR. Treat unexplained spikes in\n"
+    "  prefetchnta-heavy processes as suspicious.\n"
+    "logsource: {product: linux}\n"
+    "level: informational\n"
+    "tags: [attack.discovery, attack.t1082, cve.2023.0458]\n";
+
 const struct iamroot_module entrybleed_module = {
     .name           = "entrybleed",
     .cve            = "CVE-2023-0458",
@@ -231,6 +250,10 @@ const struct iamroot_module entrybleed_module = {
     .exploit        = entrybleed_exploit,
     .mitigate       = NULL,
     .cleanup        = NULL,
+    .detect_auditd  = NULL,
+    .detect_sigma   = entrybleed_sigma,
+    .detect_yara    = NULL,
+    .detect_falco   = NULL,
 };
 
 void iamroot_register_entrybleed(void)