From ae5342c54b2a5698a8ee66d3e53327bbbac07db4 Mon Sep 17 00:00:00 2001
From: Stefano
Date: Mon, 31 Jan 2022 11:01:58 +0100
Subject: [PATCH] Fixed rule condition
Signed-off-by: darryk10
---
 rules/falco_rules.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index b500c9aa..3f199d87 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -3129,9 +3129,9 @@
 - rule: Polkit Local Privilege Escalation Vulnerability (CVE-2021-4034)
   desc: "This rule detects an attempt to exploit a privilege escalation vulnerability in Polkit's pkexec. By running specially crafted code, a local user can leverage this flaw to gain root privileges on a compromised system"
   condition:
-    spawned_process and user.uid != 0 and proc.name=pkexec and proc.args = '' and proc.env icontains 'GCONV_PATH'
+    spawned_process and user.uid != 0 and proc.name=pkexec and proc.args = ''
   output:
-    "Detect Polkit pkexec Local Privilege Escalation Exploit (CVE-2021-4034) (user=%user.loginname uid=%user.loginuid command=%proc.cmdline access_args=%evt.args)"
+    "Detect Polkit pkexec Local Privilege Escalation Exploit (CVE-2021-4034) (user=%user.loginname uid=%user.loginuid command=%proc.cmdline args=%evt.args)"
   priority: CRITICAL
   tags: [process, mitre_privilege_escalation]
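Review bot: Dropping `proc.env icontains 'GCONV_PATH'` from the condition leaves `proc.args = ''` as the only exploit-specific test, and that alone cannot distinguish the empty-argument-list invocation the CVE relies on from a non-root user simply running `pkexec` with no arguments (pkexec prints its usage), so the rule will now fire on benign invocations and `desc` should say so. If the env check was removed because the field is not populated reliably at spawn time, that rationale belongs in the commit message or in a comment above `condition:`, e.g. `# Env-based GCONV_PATH check removed (see commit); match on empty args only and expect usage-invocation noise.`. The hunk header counts nine old and nine new lines but only eight are visible in this collapsed patch, so the trailing context line of the rule entry is outside this view.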