Added an event for default stable rule Detect release_agent File Container Escapes

[GLVSKiriti]

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind documentation

/kind tests

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area commands

/area pkg

/area events

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #193

Special notes for your reviewer:

[GLVSKiriti]

@FedeDP @leogr container with cap_sys_admin capability is required to run this event and user.uid=0 or CAP_DAC_OVERRIDE capability is required as mentioned in the stable rule

And below is the screenshot shows rule is triggering fine on executing echo "hello world" > release_agent

[GLVSKiriti]

For reference followed the steps mentioned in this blog https://sysdig.com/blog/container-escape-capabilities-falco-detection/

[leogr]

cc @Andreagit97 @LucaGuerra

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[leogr]

/remove-lifecycle stale

[poiana]

LGTM label has been added.

Git tree hash: 51c02757cb185b9bd78df9dec116f2e2fb3eb506

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: GLVSKiriti, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [leogr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment