Phase 5: --detect-rules export with dedup
- core/module.h: struct iamroot_module gains detect_{auditd,sigma,yara,falco}
fields. NULL = module doesn't ship a rule for that format.
Embedded as C string literals in each module's iamroot_modules.c so
the binary is self-contained (no data-dir install needed).
- iamroot.c: --detect-rules [--format=<f>] command. Walks module
registry, deduplicates by pointer (family-shared rules emit once,
siblings get a 'see family rules above' marker), writes to stdout
for redirect into /etc/audit/rules.d/ or SIEM ingestion.
- Embedded rules for:
- copy_fail_family (shared across 5 modules): auditd watches on
passwd/shadow/sudoers/su + AF_ALG socket creation + xfrm setsockopt;
Sigma rule covers the file-modification footprint.
- dirty_pipe: auditd watches on same files + splice() syscalls;
Sigma rule for non-root file modification.
- entrybleed: Sigma INFORMATIONAL note (side-channel — no syscall
trace; reliable detection needs perf-counter EDR).
Verified end-to-end on kctf-mgr:
iamroot --detect-rules --format=auditd → 2 / 7 rules emit (deduped)
iamroot --detect-rules --format=sigma → 2 / 7 rules emit
leviathan
cee368d5a4