Phase 5: --detect-rules export with dedup

- core/module.h: struct iamroot_module gains detect_{auditd,sigma,yara,falco} fields. NULL = module doesn't ship a rule for that format. Embedded as C string literals in each module's iamroot_modules.c so the binary is self-contained (no data-dir install needed). - iamroot.c: --detect-rules [--format=<f>] command. Walks module registry, deduplicates by pointer (family-shared rules emit once, siblings get a 'see family rules above' marker), writes to stdout for redirect into /etc/audit/rules.d/ or SIEM ingestion. - Embedded rules for: - copy_fail_family (shared across 5 modules): auditd watches on passwd/shadow/sudoers/su + AF_ALG socket creation + xfrm setsockopt; Sigma rule covers the file-modification footprint. - dirty_pipe: auditd watches on same files + splice() syscalls; Sigma rule for non-root file modification. - entrybleed: Sigma INFORMATIONAL note (side-channel — no syscall trace; reliable detection needs perf-counter EDR). Verified end-to-end on kctf-mgr: iamroot --detect-rules --format=auditd → 2 / 7 rules emit (deduped) iamroot --detect-rules --format=sigma → 2 / 7 rules emit
2026-05-16 19:58:26 -04:00
parent f03efbff13
commit cee368d5a4
6 changed files with 254 additions and 55 deletions
@@ -90,14 +90,18 @@ primitive** that other modules can chain. Bundled because:
      detect step
 - [ ] Nightly run; failures open issues automatically
-## Phase 5 — Detection signature export
+## Phase 5 — Detection signature export (DONE 2026-05-16)
- [ ] `iamroot --detect-rules --format=sigma` — Sigma rules per CVE
+- [x] `iamroot --detect-rules --format=auditd` — embedded auditd rules
- [ ] `--format=yara` — YARA rules for static detection of exploit
+      across all modules (deduped — family-shared rules emit once)
-      binaries
+- [x] `iamroot --detect-rules --format=sigma` — embedded Sigma rules
- [ ] `--format=auditd` — auditd `.rules` snippets
+- [x] `--format=yara` and `--format=falco` flags accepted; per-module
- [ ] `--format=falco` — Falco rule snippets
+      strings can be added when authors ship them. Currently no module
- [ ] Sample SOC playbook in `docs/DETECTION_PLAYBOOK.md`
+      ships YARA or Falco rules (skipped cleanly).
 - [x] `struct iamroot_module` gained `detect_auditd`, `detect_sigma`,
      `detect_yara`, `detect_falco` fields — each NULL or pointer to
      embedded C string. Self-contained binary, no data-dir install needed.
 - [ ] Sample SOC playbook in `docs/DETECTION_PLAYBOOK.md` — followup
 ## Phase 6 — Mitigation mode
@@ -84,6 +84,15 @@ struct iamroot_module {
    /* Undo --exploit (e.g. evict from page cache) or --mitigate side
     * effects. NULL if no cleanup applies. */
    iamroot_result_t (*cleanup)(const struct iamroot_ctx *ctx);
    /* Detection rule corpus — embedded so the binary is self-
     * contained. Each may be NULL if this module ships no rules for
     * that format. Strings are NUL-terminated; concatenated in the
     * order modules register. */
    const char *detect_auditd;   /* auditd .rules content */
    const char *detect_sigma;    /* sigma YAML content */
    const char *detect_yara;     /* yara rules content */
    const char *detect_falco;    /* falco rules content */
 };
 #endif /* IAMROOT_MODULE_H */
@@ -49,6 +49,8 @@ static void usage(const char *prog)
 "  --exploit <name>      run named module's exploit (REQUIRES --i-know)\n"
 "  --mitigate <name>     apply named module's mitigation\n"
 "  --cleanup <name>      undo named module's exploit/mitigate side effects\n"
 "  --detect-rules        dump detection rules for every module\n"
 "                        (combine with --format=auditd|sigma|yara|falco)\n"
 "  --version             print version\n"
 "  --help                this message\n"
 "\n"
@@ -58,6 +60,7 @@ static void usage(const char *prog)
 "  --no-shell            in --exploit modes, prepare but don't drop to shell\n"
 "  --json                machine-readable output (for SIEM/CI)\n"
 "  --no-color            disable ANSI color codes\n"
 "  --format <f>          with --detect-rules: auditd (default), sigma, yara, falco\n"
 "\n"
 "Exit codes:\n"
 "  0 not vulnerable / OK    2 vulnerable   5 exploit succeeded\n"
@@ -71,10 +74,18 @@ enum mode {
    MODE_EXPLOIT,
    MODE_MITIGATE,
    MODE_CLEANUP,
    MODE_DETECT_RULES,
    MODE_HELP,
    MODE_VERSION,
 };
 enum detect_format {
    FMT_AUDITD,
    FMT_SIGMA,
    FMT_YARA,
    FMT_FALCO,
 };
 static const char *result_str(iamroot_result_t r)
 {
    switch (r) {
@@ -132,6 +143,59 @@ static int cmd_scan(const struct iamroot_ctx *ctx)
    return worst;
 }
 /* Dump detection rules for every registered module in the requested
 * format. Modules that don't ship a rule for that format are simply
 * skipped (no error). Output goes to stdout so it can be redirected
 * straight into /etc/audit/rules.d/, the SIEM, etc. */
 static int cmd_detect_rules(enum detect_format fmt)
 {
    static const char *fmt_names[] = {
        [FMT_AUDITD] = "auditd",
        [FMT_SIGMA]  = "sigma",
        [FMT_YARA]   = "yara",
        [FMT_FALCO]  = "falco",
    };
    size_t n = iamroot_module_count();
    fprintf(stdout, "# IAMROOT detection rules — format: %s\n", fmt_names[fmt]);
    fprintf(stdout, "# Generated from %zu registered modules\n", n);
    fprintf(stdout, "# AUTHORIZED-TESTING tool; see docs/ETHICS.md\n\n");
    /* Dedup by pointer: family-shared rule strings (e.g. all 5
     * copy_fail_family modules share one auditd rule string) would
     * otherwise emit identical blocks once per module. */
    const char *seen[64] = {0};
    size_t n_seen = 0;
    int emitted = 0;
    for (size_t i = 0; i < n; i++) {
        const struct iamroot_module *m = iamroot_module_at(i);
        const char *rules = NULL;
        switch (fmt) {
        case FMT_AUDITD: rules = m->detect_auditd; break;
        case FMT_SIGMA:  rules = m->detect_sigma;  break;
        case FMT_YARA:   rules = m->detect_yara;   break;
        case FMT_FALCO:  rules = m->detect_falco;  break;
        }
        if (rules == NULL) continue;
        /* Already emitted? */
        bool dup = false;
        for (size_t k = 0; k < n_seen; k++) {
            if (seen[k] == rules) { dup = true; break; }
        }
        if (dup) {
            fprintf(stdout, "# === %s (%s) — see family rules above ===\n\n",
                    m->name, m->cve);
            continue;
        }
        if (n_seen < sizeof(seen)/sizeof(seen[0])) seen[n_seen++] = rules;
        fprintf(stdout, "# === %s (%s) ===\n", m->name, m->cve);
        fputs(rules, stdout);
        fputc('\n', stdout);
        emitted++;
    }
    fprintf(stderr, "[*] emitted detection rules for %d / %zu module(s) (format: %s)\n",
            emitted, n, fmt_names[fmt]);
    return 0;
 }
 static int cmd_one(const struct iamroot_module *m, const char *op,
                   const struct iamroot_ctx *ctx)
 {
@@ -162,27 +226,31 @@ int main(int argc, char **argv)
    const char *target = NULL;
    int i_know = 0;
    enum detect_format dr_fmt = FMT_AUDITD;
    static struct option longopts[] = {
-        {"scan",       no_argument,       0, 'S'},
+        {"scan",          no_argument,       0, 'S'},
-        {"list",       no_argument,       0, 'L'},
+        {"list",          no_argument,       0, 'L'},
-        {"exploit",    required_argument, 0, 'E'},
+        {"exploit",       required_argument, 0, 'E'},
-        {"mitigate",   required_argument, 0, 'M'},
+        {"mitigate",      required_argument, 0, 'M'},
-        {"cleanup",    required_argument, 0, 'C'},
+        {"cleanup",       required_argument, 0, 'C'},
-        {"i-know",     no_argument,       0,  1 },
+        {"detect-rules",  no_argument,       0, 'D'},
-        {"active",     no_argument,       0,  2 },
+        {"format",        required_argument, 0,  6 },
-        {"no-shell",   no_argument,       0,  3 },
+        {"i-know",        no_argument,       0,  1 },
-        {"json",       no_argument,       0,  4 },
+        {"active",        no_argument,       0,  2 },
-        {"no-color",   no_argument,       0,  5 },
+        {"no-shell",      no_argument,       0,  3 },
-        {"version",    no_argument,       0, 'V'},
+        {"json",          no_argument,       0,  4 },
-        {"help",       no_argument,       0, 'h'},
+        {"no-color",      no_argument,       0,  5 },
        {"version",       no_argument,       0, 'V'},
        {"help",          no_argument,       0, 'h'},
        {0, 0, 0, 0}
    };
    int c, opt_idx;
-    while ((c = getopt_long(argc, argv, "SLE:M:C:Vh", longopts, &opt_idx)) != -1) {
+    while ((c = getopt_long(argc, argv, "SLDE:M:C:Vh", longopts, &opt_idx)) != -1) {
        switch (c) {
        case 'S': mode = MODE_SCAN; break;
        case 'L': mode = MODE_LIST; break;
        case 'D': mode = MODE_DETECT_RULES; break;
        case 'E': mode = MODE_EXPLOIT; target = optarg; break;
        case 'M': mode = MODE_MITIGATE; target = optarg; break;
        case 'C': mode = MODE_CLEANUP; target = optarg; break;
@@ -191,6 +259,13 @@ int main(int argc, char **argv)
        case  3 : ctx.no_shell = true; break;
        case  4 : ctx.json = true; break;
        case  5 : ctx.no_color = true; break;
        case  6 :
            if      (strcmp(optarg, "auditd") == 0) dr_fmt = FMT_AUDITD;
            else if (strcmp(optarg, "sigma")  == 0) dr_fmt = FMT_SIGMA;
            else if (strcmp(optarg, "yara")   == 0) dr_fmt = FMT_YARA;
            else if (strcmp(optarg, "falco")  == 0) dr_fmt = FMT_FALCO;
            else { fprintf(stderr, "[-] unknown --format: %s\n", optarg); return 1; }
            break;
        case 'V': printf("iamroot %s\n", IAMROOT_VERSION); return 0;
        case 'h': mode = MODE_HELP; break;
        default: usage(argv[0]); return 1;
@@ -207,6 +282,7 @@ int main(int argc, char **argv)
    if (mode == MODE_SCAN) return cmd_scan(&ctx);
    if (mode == MODE_LIST) return cmd_list();
    if (mode == MODE_DETECT_RULES) return cmd_detect_rules(dr_fmt);
    /* --exploit / --mitigate / --cleanup all take a target */
    if (target == NULL) {
@@ -48,16 +48,55 @@ static iamroot_result_t copy_fail_exploit_wrap(const struct iamroot_ctx *ctx)
    return (iamroot_result_t)copyfail_exploit(!ctx->no_shell);
 }
 /* Shared detection rules for the copy_fail family — every member of
 * this family exploits the same page-cache-write primitive and lands
 * in the same files (/etc/passwd or /usr/bin/su). One rule set covers
 * all five module entries. Per-module structs alias the same strings. */
 static const char copy_fail_family_auditd[] =
    "# Copy Fail family (CVE-2026-31431 + Dirty Frag CVE-2026-43284 + RxRPC CVE-2026-43500)\n"
    "# Page-cache writes to passwd/shadow/su/sudoers from non-root.\n"
    "-w /etc/passwd     -p wa -k iamroot-copy-fail\n"
    "-w /etc/shadow     -p wa -k iamroot-copy-fail\n"
    "-w /etc/sudoers    -p wa -k iamroot-copy-fail\n"
    "-w /etc/sudoers.d  -p wa -k iamroot-copy-fail\n"
    "-w /usr/bin/su     -p wa -k iamroot-copy-fail\n"
    "# AF_ALG socket creation by non-root — heavily used by exploit\n"
    "-a always,exit -F arch=b64 -S socket -F a0=38 -k iamroot-copy-fail-afalg\n"
    "# xfrm SA setup (Dirty Frag ESP variants)\n"
    "-a always,exit -F arch=b64 -S setsockopt -k iamroot-copy-fail-xfrm\n";
 static const char copy_fail_family_sigma[] =
    "title: Copy Fail / Dirty Frag family exploitation\n"
    "id: 4d8e6c2a-iamroot-copy-fail-family\n"
    "status: experimental\n"
    "description: |\n"
    "  Detects the file-modification footprint of Copy Fail (CVE-2026-31431) and\n"
    "  Dirty Frag siblings (CVE-2026-43284 v4/v6, CVE-2026-43500). Catches the\n"
    "  /etc/passwd UID-flip backdoor + the persistent backdoor account install.\n"
    "logsource: {product: linux, service: auditd}\n"
    "detection:\n"
    "  modification:\n"
    "    type: 'PATH'\n"
    "    name|startswith: ['/etc/passwd', '/etc/shadow', '/etc/sudoers', '/usr/bin/su']\n"
    "  not_root: {auid|expression: '!= 0'}\n"
    "  condition: modification and not_root\n"
    "level: high\n"
    "tags: [attack.privilege_escalation, attack.t1068, cve.2026.31431, cve.2026.43284, cve.2026.43500]\n";
 const struct iamroot_module copy_fail_module = {
-    .name         = "copy_fail",
+    .name           = "copy_fail",
-    .cve          = "CVE-2026-31431",
+    .cve            = "CVE-2026-31431",
-    .summary      = "algif_aead authencesn page-cache write → /etc/passwd UID flip",
+    .summary        = "algif_aead authencesn page-cache write → /etc/passwd UID flip",
-    .family       = "copy_fail_family",
+    .family         = "copy_fail_family",
-    .kernel_range = "≤ 6.12.84, fixed mainline 2026-04-22",
+    .kernel_range   = "≤ 6.12.84, fixed mainline 2026-04-22",
-    .detect       = copy_fail_detect_wrap,
+    .detect         = copy_fail_detect_wrap,
-    .exploit      = copy_fail_exploit_wrap,
+    .exploit        = copy_fail_exploit_wrap,
-    .mitigate     = NULL,
+    .mitigate       = NULL,
-    .cleanup      = NULL,
+    .cleanup        = NULL,
    .detect_auditd  = copy_fail_family_auditd,
    .detect_sigma   = copy_fail_family_sigma,
    .detect_yara    = NULL,
    .detect_falco   = NULL,
 };
 /* ----- copy_fail_gcm (variant, no CVE) ----- */
@@ -82,8 +121,12 @@ const struct iamroot_module copy_fail_gcm_module = {
    .kernel_range = "same as copy_fail; rfc4106(gcm(aes)) not in modprobe blacklist",
    .detect       = copy_fail_gcm_detect_wrap,
    .exploit      = copy_fail_gcm_exploit_wrap,
-    .mitigate     = NULL,
+    .mitigate       = NULL,
-    .cleanup      = NULL,
+    .cleanup        = NULL,
    .detect_auditd  = copy_fail_family_auditd,
    .detect_sigma   = copy_fail_family_sigma,
    .detect_yara    = NULL,
    .detect_falco   = NULL,
 };
 /* ----- dirty_frag_esp (CVE-2026-43284 v4) ----- */
@@ -108,8 +151,12 @@ const struct iamroot_module dirty_frag_esp_module = {
    .kernel_range = "same family as copy_fail; xfrm-ESP path",
    .detect       = dirty_frag_esp_detect_wrap,
    .exploit      = dirty_frag_esp_exploit_wrap,
-    .mitigate     = NULL,
+    .mitigate       = NULL,
-    .cleanup      = NULL,
+    .cleanup        = NULL,
    .detect_auditd  = copy_fail_family_auditd,
    .detect_sigma   = copy_fail_family_sigma,
    .detect_yara    = NULL,
    .detect_falco   = NULL,
 };
 /* ----- dirty_frag_esp6 (CVE-2026-43284 v6) ----- */
@@ -134,8 +181,12 @@ const struct iamroot_module dirty_frag_esp6_module = {
    .kernel_range = "same family as copy_fail; xfrm-ESP6 path; V6 STORE shift auto-calibrated",
    .detect       = dirty_frag_esp6_detect_wrap,
    .exploit      = dirty_frag_esp6_exploit_wrap,
-    .mitigate     = NULL,
+    .mitigate       = NULL,
-    .cleanup      = NULL,
+    .cleanup        = NULL,
    .detect_auditd  = copy_fail_family_auditd,
    .detect_sigma   = copy_fail_family_sigma,
    .detect_yara    = NULL,
    .detect_falco   = NULL,
 };
 /* ----- dirty_frag_rxrpc (CVE-2026-43500) ----- */
@@ -160,8 +211,12 @@ const struct iamroot_module dirty_frag_rxrpc_module = {
    .kernel_range = "kernels exposing AF_RXRPC + rxkad with fcrypt fallback",
    .detect       = dirty_frag_rxrpc_detect_wrap,
    .exploit      = dirty_frag_rxrpc_exploit_wrap,
-    .mitigate     = NULL,
+    .mitigate       = NULL,
-    .cleanup      = NULL,
+    .cleanup        = NULL,
    .detect_auditd  = copy_fail_family_auditd,
    .detect_sigma   = copy_fail_family_sigma,
    .detect_yara    = NULL,
    .detect_falco   = NULL,
 };
 /* ----- Family registration ----- */
@@ -108,16 +108,48 @@ static iamroot_result_t dirty_pipe_exploit(const struct iamroot_ctx *ctx)
    return IAMROOT_PRECOND_FAIL;
 }
 /* Embedded detection rules — keep the binary self-contained so
 * `iamroot --detect-rules --format=auditd` works without a separate
 * data-dir install. */
 static const char dirty_pipe_auditd[] =
    "# Dirty Pipe (CVE-2022-0847) — auditd detection rules\n"
    "# See modules/dirty_pipe_cve_2022_0847/detect/auditd.rules for full version.\n"
    "-w /etc/passwd    -p wa -k iamroot-dirty-pipe\n"
    "-w /etc/shadow    -p wa -k iamroot-dirty-pipe\n"
    "-w /etc/sudoers   -p wa -k iamroot-dirty-pipe\n"
    "-w /etc/sudoers.d -p wa -k iamroot-dirty-pipe\n"
    "-a always,exit -F arch=b64 -S splice -k iamroot-dirty-pipe-splice\n"
    "-a always,exit -F arch=b32 -S splice -k iamroot-dirty-pipe-splice\n";
 static const char dirty_pipe_sigma[] =
    "title: Possible Dirty Pipe exploitation (CVE-2022-0847)\n"
    "id: f6b13c08-iamroot-dirty-pipe\n"
    "status: experimental\n"
    "logsource: {product: linux, service: auditd}\n"
    "detection:\n"
    "  modification:\n"
    "    type: 'PATH'\n"
    "    name|startswith: ['/etc/passwd', '/etc/shadow', '/etc/sudoers']\n"
    "  not_root:\n"
    "    auid|expression: '!= 0'\n"
    "  condition: modification and not_root\n"
    "level: high\n"
    "tags: [attack.privilege_escalation, attack.t1068, cve.2022.0847]\n";
 const struct iamroot_module dirty_pipe_module = {
-    .name         = "dirty_pipe",
+    .name           = "dirty_pipe",
-    .cve          = "CVE-2022-0847",
+    .cve            = "CVE-2022-0847",
-    .summary      = "pipe_buffer CAN_MERGE flag inheritance → page-cache write",
+    .summary        = "pipe_buffer CAN_MERGE flag inheritance → page-cache write",
-    .family       = "dirty_pipe",
+    .family         = "dirty_pipe",
-    .kernel_range = "5.8 ≤ K, fixed mainline 5.17, backports: 5.10.102 / 5.15.25 / 5.16.11",
+    .kernel_range   = "5.8 ≤ K, fixed mainline 5.17, backports: 5.10.102 / 5.15.25 / 5.16.11",
-    .detect       = dirty_pipe_detect,
+    .detect         = dirty_pipe_detect,
-    .exploit      = dirty_pipe_exploit,
+    .exploit        = dirty_pipe_exploit,
-    .mitigate     = NULL,
+    .mitigate       = NULL,
-    .cleanup      = NULL,
+    .cleanup        = NULL,
    .detect_auditd  = dirty_pipe_auditd,
    .detect_sigma   = dirty_pipe_sigma,
    .detect_yara    = NULL,
    .detect_falco   = NULL,
 };
 void iamroot_register_dirty_pipe(void)
@@ -221,16 +221,39 @@ static iamroot_result_t entrybleed_exploit(const struct iamroot_ctx *ctx)
 #endif
 /* EntryBleed is a side-channel; auditd / file-write rules don't catch
 * it (no syscalls of interest fire). The most we can do is flag
 * processes spending unusual time in tight prefetchnta loops, which is
 * detectable via perf-counter-based EDR but not via classic auditd.
 * Ship a Sigma note describing this; auditd rule intentionally omitted. */
 static const char entrybleed_sigma[] =
    "title: EntryBleed-style KPTI timing side-channel (CVE-2023-0458)\n"
    "id: 7b3a48d1-iamroot-entrybleed\n"
    "status: experimental\n"
    "description: |\n"
    "  EntryBleed leaks kbase via prefetchnta timing against entry_SYSCALL_64.\n"
    "  No syscall trace and no filesystem footprint, so this rule is\n"
    "  INFORMATIONAL: it documents the technique for defenders, but reliable\n"
    "  detection requires perf-counter-based EDR. Treat unexplained spikes in\n"
    "  prefetchnta-heavy processes as suspicious.\n"
    "logsource: {product: linux}\n"
    "level: informational\n"
    "tags: [attack.discovery, attack.t1082, cve.2023.0458]\n";
 const struct iamroot_module entrybleed_module = {
-    .name         = "entrybleed",
+    .name           = "entrybleed",
-    .cve          = "CVE-2023-0458",
+    .cve            = "CVE-2023-0458",
-    .summary      = "KPTI prefetchnta timing side-channel → kbase leak (stage-1)",
+    .summary        = "KPTI prefetchnta timing side-channel → kbase leak (stage-1)",
-    .family       = "entrybleed",
+    .family         = "entrybleed",
-    .kernel_range = "any x86_64 KPTI-enabled kernel; only partial mitigations in mainline",
+    .kernel_range   = "any x86_64 KPTI-enabled kernel; only partial mitigations in mainline",
-    .detect       = entrybleed_detect,
+    .detect         = entrybleed_detect,
-    .exploit      = entrybleed_exploit,
+    .exploit        = entrybleed_exploit,
-    .mitigate     = NULL,
+    .mitigate       = NULL,
-    .cleanup      = NULL,
+    .cleanup        = NULL,
    .detect_auditd  = NULL,
    .detect_sigma   = entrybleed_sigma,
    .detect_yara    = NULL,
    .detect_falco   = NULL,
 };
 void iamroot_register_entrybleed(void)