SKELETONKEY

leviathan/SKELETONKEY

Fork 0

Commit Graph

Author	SHA1	Message	Date
leviathan	9593d90385	rename: IAMROOT → SKELETONKEY across the entire project release / build (arm64) (push) Waiting to run Details release / build (x86_64) (push) Waiting to run Details release / release (push) Blocked by required conditions Details Breaking change. Tool name, binary name, function/type names, constant names, env vars, header guards, file paths, and GitHub repo URL all rebrand IAMROOT → SKELETONKEY. Changes: - All "IAMROOT" → "SKELETONKEY" (constants, env vars, enum values, docs, comments) - All "iamroot" → "skeletonkey" (functions, types, paths, CLI) - iamroot.c → skeletonkey.c - modules//iamroot_modules.{c,h} → modules//skeletonkey_modules.{c,h} - tools/iamroot-fleet-scan.sh → tools/skeletonkey-fleet-scan.sh - Binary "iamroot" → "skeletonkey" - GitHub URL KaraZajac/IAMROOT → KaraZajac/SKELETONKEY - .gitignore now expects build output named "skeletonkey" - /tmp/iamroot-* tmpfiles → /tmp/skeletonkey-* - Env vars IAMROOT_MODPROBE_PATH etc. → SKELETONKEY_* New ASCII skeleton-key banner (horizontal key icon + ANSI Shadow SKELETONKEY block letters) replaces the IAMROOT banner in skeletonkey.c and README.md. VERSION: 0.3.1 → 0.4.0 (breaking). Build clean on Debian 6.12.86. `skeletonkey --version` → 0.4.0. All 24 modules still register; no functional code changes — pure rename + banner refresh.	2026-05-16 22:43:49 -04:00
leviathan	1552a3bfcb	Phase 2 (partial): Dirty Pipe DETECT-ONLY module + core/kernel_range - core/kernel_range.{c,h}: branch-aware patched-version comparison. Every future module needs 'is the host kernel in the affected range?'; centralized here. Models stable-branch backports (e.g. 5.10.102, 5.15.25) so a 5.15.20 host correctly reports VULNERABLE while a 5.15.50 host reports OK. - modules/dirty_pipe_cve_2022_0847/ (promoted out of _stubs): - iamroot_modules.{c,h}: dirty_pipe module exposing detect() that parses /proc/version and compares against the four known patched branches (5.10.102, 5.15.25, 5.16.11, 5.17+ inherited). Returns IAMROOT_OK / IAMROOT_VULNERABLE / IAMROOT_TEST_ERROR with stderr hints in human-readable scan mode. - exploit() returns IAMROOT_PRECOND_FAIL with a 'not yet implemented' message; landing the actual exploit needs Phase 1.5 extraction of passwd/su helpers into core/. - detect/auditd.rules: splice() syscall + passwd/shadow file watches - detect/sigma.yml: non-root modification of /etc/passwd\|shadow\|sudoers - iamroot.c main() calls iamroot_register_dirty_pipe() alongside the copy_fail_family registration. - Makefile gains the dirty_pipe family as a separate object set. Verified end-to-end on kctf-mgr (kernel 6.12.86): build clean, 6 modules in --list, --scan correctly reports dirty_pipe as patched, JSON output ingest-ready.	2026-05-16 19:51:47 -04:00

Author

SHA1

Message

Date

leviathan

9593d90385

rename: IAMROOT → SKELETONKEY across the entire project

release / build (arm64) (push) Waiting to run

Details

release / build (x86_64) (push) Waiting to run

Details

release / release (push) Blocked by required conditions

Details

Breaking change. Tool name, binary name, function/type names,
constant names, env vars, header guards, file paths, and GitHub
repo URL all rebrand IAMROOT → SKELETONKEY.

Changes:
  - All "IAMROOT" → "SKELETONKEY" (constants, env vars, enum
    values, docs, comments)
  - All "iamroot" → "skeletonkey" (functions, types, paths, CLI)
  - iamroot.c → skeletonkey.c
  - modules/*/iamroot_modules.{c,h} → modules/*/skeletonkey_modules.{c,h}
  - tools/iamroot-fleet-scan.sh → tools/skeletonkey-fleet-scan.sh
  - Binary "iamroot" → "skeletonkey"
  - GitHub URL KaraZajac/IAMROOT → KaraZajac/SKELETONKEY
  - .gitignore now expects build output named "skeletonkey"
  - /tmp/iamroot-* tmpfiles → /tmp/skeletonkey-*
  - Env vars IAMROOT_MODPROBE_PATH etc. → SKELETONKEY_*

New ASCII skeleton-key banner (horizontal key icon + ANSI Shadow
SKELETONKEY block letters) replaces the IAMROOT banner in
skeletonkey.c and README.md.

VERSION: 0.3.1 → 0.4.0 (breaking).

Build clean on Debian 6.12.86. `skeletonkey --version` → 0.4.0.
All 24 modules still register; no functional code changes — pure
rename + banner refresh.

2026-05-16 22:43:49 -04:00

leviathan

1552a3bfcb

Phase 2 (partial): Dirty Pipe DETECT-ONLY module + core/kernel_range

- core/kernel_range.{c,h}: branch-aware patched-version comparison.
  Every future module needs 'is the host kernel in the affected
  range?'; centralized here. Models stable-branch backports
  (e.g. 5.10.102, 5.15.25) so a 5.15.20 host correctly reports
  VULNERABLE while a 5.15.50 host reports OK.

- modules/dirty_pipe_cve_2022_0847/ (promoted out of _stubs):
  - iamroot_modules.{c,h}: dirty_pipe module exposing detect() that
    parses /proc/version and compares against the four known patched
    branches (5.10.102, 5.15.25, 5.16.11, 5.17+ inherited). Returns
    IAMROOT_OK / IAMROOT_VULNERABLE / IAMROOT_TEST_ERROR with stderr
    hints in human-readable scan mode.
  - exploit() returns IAMROOT_PRECOND_FAIL with a 'not yet
    implemented' message; landing the actual exploit needs Phase 1.5
    extraction of passwd/su helpers into core/.
  - detect/auditd.rules: splice() syscall + passwd/shadow file watches
  - detect/sigma.yml: non-root modification of /etc/passwd|shadow|sudoers

- iamroot.c main() calls iamroot_register_dirty_pipe() alongside
  the copy_fail_family registration.

- Makefile gains the dirty_pipe family as a separate object set.

Verified end-to-end on kctf-mgr (kernel 6.12.86): build clean, 6
modules in --list, --scan correctly reports dirty_pipe as patched,
JSON output ingest-ready.

2026-05-16 19:51:47 -04:00

2 Commits