Added Rule Sudo Potential Privilege Escalation (CVE-2021-3156)

See #1540

Signed-off-by: darryk5 <stefano.chierici@sysdig.com>
Co-authored-by: Lorenzo Fontana <lo@linux.com>

rules/falco_rules.yaml

@@ -3114,7 +3114,17 @@
   output: Container launched with root user privilege (uid=%user.uid container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
   priority: INFO
   tags: [container, process]
+  
+- rule: Sudo Potential Privilege Escalation (CVE-2021-3156)
+  desc: Privilege escalation vulnerability affected sudo. Executing sudo using sudoedit -s or sudoedit -t command from an unprivileged user it's possible to elevate the user privileges to root.
+  condition: spawned_process and user.uid!= 0 and proc.name=sudoedit and (proc.args contains -s or proc.args contains -i) and (proc.args contains "\ " or proc.args endswith \)
+  output: "Detect Sudo Privilege Escalation Exploit (CVE-2021-3156)  (user=%user.name parent=%proc.pname cmdline=%proc.cmdline %container.info)"
+  priority: CRITICAL
+  tags: [filesystem, mitre_privilege_escalation]
 
 # Application rules have moved to application_rules.yaml. Please look
 # there if you want to enable them by adding to
 # falco_rules.local.yaml.
+
+
+