rule(falco_rules): Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)

[darryk10]

Polkit pkexec Local Privilege Escalation Vulnerability (CVE-2021-4034)

Co-authored-by: javery-sysdig jason.avery@sysdig.com

Signed-off-by: darryk10 stefano.chierici@sysdig.com

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

If contributing rules or changes to rules, please make sure to also uncomment one of the following line:

/kind rule-update

/kind rule-create

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area build

/area engine

/area rules

/area tests

/area proposals

What this PR does / why we need it:
This rule detects an attempt to exploit a privilege escalation vulnerability in Polkit's pkexec. By running specially crafted code, a local user can leverage this flaw to gain root privileges on a compromised system. Reference: https://seclists.org/oss-sec/2022/q1/80
Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

rule(Polkit Local Privilege Escalation Vulnerability): new rule created to detect CVE-2021-4034

[leogr]

/milestone 0.32.0

[poiana]

LGTM label has been added.

Git tree hash: 43f41078cdec781081e9f4c261960312c7f29619

[leogr]

I've found an issue in the output, otherwise SGMT.

I'm also a bit concerned about false positives since this rule triggers just every time pkexec is called without args.

[Kaizhe]

I've found an issue in the output, otherwise SGMT.

I'm also a bit concerned about false positives since this rule triggers just every time pkexec is called without args.

According to the fix, the pkexe will return error if runs without argument. With that said, executing it without argument is a suspicious thing. (of course, people who first time run pkexe may trigger the alert)

[leogr]

/approve

[poiana]

LGTM label has been added.

Git tree hash: 9930421d1be81c2d9611a39c028c2d34a4d05f12

[jasondellaluce]

/approve

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: darryk10, jasondellaluce, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• rules/OWNERS [jasondellaluce,leogr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment