github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-02 17:42:18 +00:00
Code Issues Projects Releases Wiki Activity

Added new rule for CVE-2022-4092

Browse Source 
Signed-off-by: darryk10 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Susini <susinilorenzo1@gmail.com>
This commit is contained in:
Stefano 2022-04-13 12:04:00 +02:00 committed by poiana
parent acbbcf7481
commit 24bd1abc43
1 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
rules/falco_rules.yaml
View File

@ -3165,6 +3165,17 @@
priority: CRITICAL
tags: [process, mitre_privilege_escalation]
# This rule helps detect CVE-2022-4092:
# A privilege escalation container escaping in cgroup
- rule: Linux Cgroup Container Escape Vulnerability (CVE-2022-4092)
desc: "Detect an attempt to exploit a container escape vulnerability in the Linux Kernel (CVE-2022-0492). By running a container with certains capabilities, a privileged user can modify release_agent file and escape from the container"
condition:
open_write and fd.name endswith release_agent and (user.uid=0 or thread.cap_permitted contains CAP_DAC_OVERRIDE) and excessively_capable_container
output:
"Detect cgroup container escaping attempt (CVE-2022-4092) (user=%user.name user_loginuid=%user.loginuid filename=%fd.name %container.info image=%container.image.repository:%container.image.tag cap_permitted=%thread.cap_permitted)"
priority: CRITICAL
tags: [container, mitre_privilege_escalation, mitre_lateral_movement]
# Application rules have moved to application_rules.yaml. Please look
# there if you want to enable them by adding to
# falco_rules.local.yaml.