From 3e603188d439e40d40767ec7dde7a7a0303c1647 Mon Sep 17 00:00:00 2001
From: Stefano
Date: Fri, 15 Apr 2022 12:08:28 +0200
Subject: [PATCH] Changed field in thread.cap_effective

Signed-off-by: darryk10
Co-authored-by: Lorenzo Susini
---
 rules/falco_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 938264fd79d..9d312e315d7 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -3169,7 +3169,7 @@
 - rule: Detect release_agent File Container Escapes
   desc: "This rule detect an attempt to exploit a container escape using release_agent file. By running a container with certains capabilities, a privileged user can modify release_agent file and escape from the container"
   condition:
-    open_write and container and fd.name endswith release_agent and (user.uid=0 or thread.cap_permitted contains CAP_DAC_OVERRIDE) and thread.cap_effective contains CAP_SYS_ADMIN
+    open_write and container and fd.name endswith release_agent and (user.uid=0 or thread.cap_effective contains CAP_DAC_OVERRIDE) and thread.cap_effective contains CAP_SYS_ADMIN
   output: "Detect an attempt to exploit a container escape using release_agent file (user=%user.name user_loginuid=%user.loginuid filename=%fd.name %container.info image=%container.image.repository:%container.image.tag cap_effective=%thread.cap_effective)"
   priority: CRITICAL