add group ID in expanded rule ID

pkg/security/secl/rules/fim_others.go

@@ -13,7 +13,7 @@ type expandedRule struct {
 	expr string
 }
 
-func expandFim(baseID, baseExpr string) []expandedRule {
+func expandFim(baseID, groupID, baseExpr string) []expandedRule {
 	return []expandedRule{
 		{
 			id:   baseID,

pkg/security/secl/rules/fim_test.go

@@ -100,7 +100,7 @@ func TestExpandFIM(t *testing.T) {
 
 	for _, entry := range entries {
 		t.Run(entry.id, func(t *testing.T) {
-			actual := expandFim(entry.id, entry.expr)
+			actual := expandFim(entry.id, "", entry.expr)
 			assert.Equal(t, entry.expected, actual)
 		})
 	}

pkg/security/secl/rules/fim_unix.go

@@ -18,7 +18,7 @@ type expandedRule struct {
 	expr string
 }
 
-func expandFim(baseID, baseExpr string) []expandedRule {
+func expandFim(baseID, groupID, baseExpr string) []expandedRule {
 	if !strings.Contains(baseExpr, "fim.write.file.") {
 		return []expandedRule{
 			{
@@ -43,7 +43,7 @@ func expandFim(baseID, baseExpr string) []expandedRule {
 
 		if eventType == "rename" {
 			expr := strings.Replace(baseExpr, "fim.write.file.", "rename.file.destination.", -1)
-			id := fmt.Sprintf("__fim_expanded_%s_%s", "rename_destination", baseID)
+			id := fmt.Sprintf("__fim_expanded_%s_%s_%s", "rename_destination", groupdID, baseID)
 			expandedRules = append(expandedRules, expandedRule{
 				id:   id,
 				expr: expr,

pkg/security/secl/rules/ruleset.go

@@ -317,7 +317,7 @@ func (rs *RuleSet) AddRule(parsingContext *ast.ParsingContext, pRule *PolicyRule
 		tags = append(tags, k+":"+v)
 	}
 
-	expandedRules := expandFim(pRule.Def.ID, pRule.Def.Expression)
+	expandedRules := expandFim(pRule.Def.ID, pRule.Def.GroupID, pRule.Def.Expression)
 
 	categories := make([]model.EventCategory, 0)
 	for _, er := range expandedRules {