From b9925577ef1e43ad770fa593a91bd3e98c033310 Mon Sep 17 00:00:00 2001
From: schie <77834235+darryk10@users.noreply.github.com>
Date: Wed, 2 Feb 2022 15:59:12 +0100
Subject: [PATCH] Update rules/falco_rules.yaml

Signed-off-by: darryk10 stefano.chierici@sysdig.com
Co-authored-by: Leonardo Grasso
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 3f199d87..d257dc39 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -3131,7 +3131,7 @@
 condition:
 spawned_process and user.uid != 0 and proc.name=pkexec and proc.args = ''
 output:
- "Detect Polkit pkexec Local Privilege Escalation Exploit (CVE-2021-4034) (user=%user.loginname uid=%user.loginuid command=%proc.cmdline args=%evt.args)"
+ "Detect Polkit pkexec Local Privilege Escalation Exploit (CVE-2021-4034) (user=%user.loginname uid=%user.loginuid command=%proc.cmdline args=%proc.args)"
 priority: CRITICAL
 tags: [process, mitre_privilege_escalation]
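Review bot: Because the condition shown as context requires `proc.args = ''`, the `args=%proc.args` field in the new output string will always render empty whenever this rule fires, so it gives an analyst nothing to triage with. Consider replacing it with fields that carry context, for example `parent=%proc.pname pcmdline=%proc.pcmdline container_id=%container.id`. A plain `pkexec` started with no arguments by a non-root user appears to satisfy the same condition, so the parent process is what would help separate a benign invocation from an exploit attempt on a CRITICAL alert. The rule's `rule:` and `desc:` lines are outside the hunk.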