Skip to content

Commit

Permalink
Apply suggestions from code review
Browse files Browse the repository at this point in the history
Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
Signed-off-by: Richard Tweed <RichardoC@users.noreply.github.com>
  • Loading branch information
2 people authored and poiana committed Oct 11, 2023
1 parent af9f206 commit 177db2d
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions rules/falco-incubating_rules.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1256,12 +1256,12 @@

# Detection for possible use of CVE-2023-4911
# Based on https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt
- rule: Program possibly trying to use CVE-2023-4911
- rule: Potential Local Privilege Escalation via Environment Variables Misuse
desc: >
Detect use of GLIBC_TUNABLES environment variable, which could be used for priviledge escalation to root on hosts running vulnerable glibc versions.
condition: >
spawned_process
and proc.env icontains GLIBC_TUNABLES
output: Process run with GLIBC_TUNABLES environment variable which could be attempting priviledge escalation (env=%proc.env evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
priority: NOTICE
tags: [maturity_incubating, host, users, mitre_privilege_escalation, CVE-2023-4911]
tags: [maturity_incubating, host, container, users, mitre_privilege_escalation, TA0111]

0 comments on commit 177db2d

Please sign in to comment.