rule update(Non sudo setuid): check user id as well in case user name…

… info is not available Signed-off-by: Kaizhe Huang <khuang@aurora.tech>
falcosecurity · Jun 10, 2021 · b268d4d · b268d4d
1 parent 684a5d8
commit b268d4d
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -2235,7 +2235,7 @@
   condition: >
     evt.type=setuid and evt.dir=>
     and (known_user_in_container or not container)
-    and not user.name=root
+    and not (user.name=root or user.uid=0)
     and not somebody_becoming_themself
     and not proc.name in (known_setuid_binaries, userexec_binaries, mail_binaries, docker_binaries,
                           nomachine_binaries)