fix: change CVE-2024-3094 to match liblzma contain instead of endswith

[apsega]

What type of PR is this?

/kind bug
/area rules
/area maturity-incubating

What this PR does / why we need it:

Some of the docs in the wild of how to reproduce XZ vulnerability relies on patching liblzma and having the filename with patch suffix, for example - liblzma.so.5.6.1.patch, thus this Falco rule doesn't pick this up. Changing rule to match contains string resolves the issue.

Some examples of who's using liblzma.so.5.6.1.patch name:

• https://github.com/amlweems/xzbot/tree/main/assets
• https://github.com/r0binak/xzk8s/blob/main/Dockerfile#L11

[poiana]

Welcome @apsega! It looks like this is your first PR to falcosecurity/rules 🎉

[darryk10]

Thanks, it looks good to me!

[poiana]

LGTM label has been added.

Git tree hash: 56a2344a6ca08804aecca91738487a2421b8bc0d

[leogr]

/milestone falco-0.38-rules

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: apsega, darryk10, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [leogr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[github-actions]

Rules files suggestions

falco-incubating_rules.yaml

Comparing 7e46ad5ac85419be3d0ca5a96ce607e89c861565 with latest tag falco-incubating-rules-3.0.1

Minor changes:

• Rule Backdoored library loaded into SSHD (CVE-2024-3094) has been added

Patch changes:

• List falco_privileged_images has some item added or removed