Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

event on potential local privillege escalation via env var misuse #153

Merged
merged 3 commits into from
Mar 28, 2024

Conversation

h4l0gen
Copy link
Contributor

@h4l0gen h4l0gen commented Mar 19, 2024

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind documentation

/kind tests

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area commands

/area pkg

/area events

What this PR does / why we need it:
this event triggered rule potential local privillege escalation via environment variable misuse
Which issue(s) this PR fixes:

Fixes #146

Special notes for your reviewer:

@h4l0gen
Copy link
Contributor Author

h4l0gen commented Mar 19, 2024

in creating this malicious event i used one use case which is described in rule description as, detecting the use of the GLIBC_TUNABLES environment variable, which could be used for privilege escalation on systems running vulnerable glibc versions

Copy link
Contributor

@GLVSKiriti GLVSKiriti left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @h4l0gen I think you forgot to add .go for the file name

…tential_local_privillege_escalation_via_env_var_misuse.go

Signed-off-by: Kapil Sharma <[email protected]>
@h4l0gen
Copy link
Contributor Author

h4l0gen commented Mar 20, 2024

oh i just missed it 😅, Thank you @GLVSKiriti ❤️

@h4l0gen
Copy link
Contributor Author

h4l0gen commented Mar 27, 2024

this event triggers related rule in terminal below

Screenshot from 2024-03-27 17-25-08

…ar_misuse.go

Co-authored-by: Federico Di Pierro <[email protected]>
Signed-off-by: Kapil Sharma <[email protected]>
@h4l0gen h4l0gen requested a review from FedeDP March 28, 2024 11:20
@FedeDP
Copy link
Contributor

FedeDP commented Mar 28, 2024

Is it still triggering the rule? (just to be sure 😆 )

@h4l0gen
Copy link
Contributor Author

h4l0gen commented Mar 28, 2024

@FedeDP Yes I checked it. Rule is triggered successfully.
image

@FedeDP
Copy link
Contributor

FedeDP commented Mar 28, 2024

Let me rebase PR again.

no need to :)

Copy link
Contributor

@FedeDP FedeDP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@poiana
Copy link

poiana commented Mar 28, 2024

LGTM label has been added.

Git tree hash: ba89949bfd379e53f7991a591718bafe942e8d8c

@poiana
Copy link

poiana commented Mar 28, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: FedeDP, h4l0gen

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana merged commit 2f37d9a into falcosecurity:main Mar 28, 2024
4 checks passed
@leogr leogr added this to the v0.12.0 milestone Oct 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

adding event on potential local privillege escalation via environmental variables misuse
5 participants