Which THREE of the following are capabilities required for a Falco rule to detect privilege escalation via setuid binary execution? (Choose three.)
Common setuid binaries for privilege escalation.
Why this answer
Falco detects privilege escalation by monitoring the 'execve' syscall, the process name (e.g., 'su', 'sudo'), and user ID changes (e.g., 'proc.uid'), so options A, B, and E are the relevant ones. Option C (network) is not directly related to setuid binary execution, and option D (file modification) is not directly about execution.