event on potential local privillege escalation via env var misuse #153
Conversation
Signed-off-by: h4l0gen <[email protected]>
|
in creating this malicious event i used one use case which is described in rule description as, detecting the use of the GLIBC_TUNABLES environment variable, which could be used for privilege escalation on systems running vulnerable glibc versions |
There was a problem hiding this comment.
Hey @h4l0gen I think you forgot to add .go for the file name
…tential_local_privillege_escalation_via_env_var_misuse.go Signed-off-by: Kapil Sharma <[email protected]>
|
oh i just missed it 😅, Thank you @GLVSKiriti ❤️ |
|
this event triggers related rule in terminal below
|
events/syscall/potential_local_privillege_escalation_via_env_var_misuse.go
Outdated
Show resolved
Hide resolved
…ar_misuse.go Co-authored-by: Federico Di Pierro <[email protected]> Signed-off-by: Kapil Sharma <[email protected]>
|
Is it still triggering the rule? (just to be sure 😆 ) |
|
@FedeDP Yes I checked it. Rule is triggered successfully. |
no need to :) |
|
LGTM label has been added. Git tree hash: ba89949bfd379e53f7991a591718bafe942e8d8c
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: FedeDP, h4l0gen The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area events
What this PR does / why we need it:
this event triggered rule
potential local privillege escalation via environment variable misuseWhich issue(s) this PR fixes:
Fixes #146
Special notes for your reviewer: