Add detection for attempts to use CVE-2023-4911

rules/falco-incubating_rules.yaml

@@ -1252,3 +1252,22 @@
   output: Adding ssh keys to authorized_keys (file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags)
   priority: WARNING
   tags: [maturity_incubating, host, filesystem, mitre_persistence, T1098.004]
+
+# possible use of CVE-2023-4911
+- macro: glibc_tunables_env
+  condition: (proc.env icontains GLIBC_TUNABLES)
+
+- rule: Potential Local Privilege Escalation via Environment Variables Misuse
+  desc: >
+    Process run with suspect environment variable that could be attempting privilege escalation. One use case is 
+    detecting the use of the GLIBC_TUNABLES environment variable, which could be used for privilege escalation 
+    on systems running vulnerable glibc versions. Only known and carefully profiled processes that legitimately 
+    exhibit this behavior should be excluded from this rule. This rule is expected to trigger on every attempt, 
+    even failed ones.
+  condition: >
+    spawned_process 
+    and glibc_tunables_env
+  enabled: true
+  output: Process run with suspect environment variable which could be attempting privilege escalation (env=%proc.env evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
+  priority: NOTICE
+  tags: [maturity_incubating, host, container, users, mitre_privilege_escalation, TA0004]