From b268d4d6c331af56d5635b628e699e06c50f9d9f Mon Sep 17 00:00:00 2001
From: Kaizhe Huang
Date: Thu, 3 Jun 2021 22:18:38 -0700
Subject: [PATCH] rule update(Non sudo setuid): check user id as well in case user name info is not available

Signed-off-by: Kaizhe Huang
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 3809a314..97e48432 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -2235,7 +2235,7 @@
   condition: >
     evt.type=setuid and evt.dir=>
     and (known_user_in_container or not container)
-    and not user.name=root
+    and not (user.name=root or user.uid=0)
     and not somebody_becoming_themself
     and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries, nomachine_binaries)
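Review bot: The added `user.uid=0` clause widens only the root exclusion, while the `somebody_becoming_themself` macro on the following context line is referenced by name and, if it matches on `user.name` as well, would still behave differently in the case the commit message describes (user name information unavailable), so that macro is worth checking for the same gap. The `known_user_in_container` macro on the preceding context line may likewise depend on a resolvable user name; if so, the uid fallback only takes effect for non-container events, which would be useful to state in the rule's `desc`. That `desc` sits outside the hunk; if it still describes the exclusion as the "root" user by name, extending it to mention uid 0 would keep it in step with the condition. The enclosing rule definition starts before and ends after this hunk.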