Apply suggestions from code review

Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com> Signed-off-by: Richard Tweed <RichardoC@users.noreply.github.com>
falcosecurity · Oct 6, 2023 · 62a6155 · 62a6155
1 parent 8974236
commit 62a6155
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/rules/falco-incubating_rules.yaml b/rules/falco-incubating_rules.yaml
@@ -1255,12 +1255,12 @@
 
 # Detection for possible use of CVE-2023-4911
 # Based on https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt
-- rule: Program possibly trying to use CVE-2023-4911
+- rule: Potential Local Privilege Escalation via Environment Variables Misuse
   desc: >
     Detect use of GLIBC_TUNABLES environment variable, which could be used for priviledge escalation to root on hosts running vulnerable glibc versions.
   condition: >
     spawned_process
     and proc.env icontains GLIBC_TUNABLES
   output: Process run with GLIBC_TUNABLES environment variable which could be attempting priviledge escalation (env=%proc.env evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
   priority: NOTICE
-  tags: [maturity_incubating, host, users, mitre_privilege_escalation, CVE-2023-4911]
+  tags: [maturity_incubating, host, container, users, mitre_privilege_escalation, TA0111]