Enhance runtime monitoring with three new detectors for FIFO files, hardlinks, and expanded permission controls

[kuzyka]

Add new CS_RT_FIFO_FILE_CREATE, CS_RT_HARDLINK_CREATE detectors, enhance CS_RT_BIN_PERM_RAISE with kprobe support, and update tracing policies for improved threat coverage.

Detector Enhancements:

• CS_RT_BIN_PERM_RAISE (v3): Extended to detect chmod operations via kprobe (security_path_chmod), now monitors execution permission grants on boot, dev, home, media, mnt, run, sys, tmp, and var directories
• CS_RT_HARDLINK_CREATE (new): Detects hardlink creation to sensitive system files via security_path_link kprobe
• CS_RT_FIFO_FILE_CREATE (new): Identifies potential reverse shell establishment via named pipe file or audit policy bypass attempts

Monitoring Policy Updates:

• Renamed process-credentials → permissions: Now tracks both commit_creds() privilege escalation and security_path_chmod() with execute permissions
• Renamed dup → io-streams: Monitors do_dup2() calls (STDIN copying) and FIFO pipe creation via security_path_mknod() for reverse shell detection
• Enhanced file-monitoring.yaml: Updated with new hardlink monitoring and refined file access rules