From 8809771235501e35512c13e69852d05186e819a6 Mon Sep 17 00:00:00 2001
From: Paul Cacheux
Date: Fri, 20 Dec 2024 14:59:36 +0100
Subject: [PATCH] add group ID in expanded rule ID

---
 pkg/security/secl/rules/fim_others.go | 2 +-
 pkg/security/secl/rules/fim_test.go | 2 +-
 pkg/security/secl/rules/fim_unix.go | 4 ++--
 pkg/security/secl/rules/ruleset.go | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/pkg/security/secl/rules/fim_others.go b/pkg/security/secl/rules/fim_others.go
index 5adf39e1de499a..755767c77f7aaa 100644
--- a/pkg/security/secl/rules/fim_others.go
+++ b/pkg/security/secl/rules/fim_others.go
@@ -13,7 +13,7 @@ type expandedRule struct {
 expr string
 }
-func expandFim(baseID, baseExpr string) []expandedRule {
+func expandFim(baseID, groupID, baseExpr string) []expandedRule {
 return []expandedRule{
 {
 id: baseID,
diff --git a/pkg/security/secl/rules/fim_test.go b/pkg/security/secl/rules/fim_test.go
index 3ecf04983b824e..cd3208153dd906 100644
--- a/pkg/security/secl/rules/fim_test.go
+++ b/pkg/security/secl/rules/fim_test.go
@@ -100,7 +100,7 @@ func TestExpandFIM(t *testing.T) {
 for _, entry := range entries {
 t.Run(entry.id, func(t *testing.T) {
- actual := expandFim(entry.id, entry.expr)
+ actual := expandFim(entry.id, "", entry.expr)
 assert.Equal(t, entry.expected, actual)
 })
 }
diff --git a/pkg/security/secl/rules/fim_unix.go b/pkg/security/secl/rules/fim_unix.go
index 50b835bb727f6e..d84f6d2f393f9f 100644
--- a/pkg/security/secl/rules/fim_unix.go
+++ b/pkg/security/secl/rules/fim_unix.go
@@ -18,7 +18,7 @@ type expandedRule struct {
 expr string
 }
-func expandFim(baseID, baseExpr string) []expandedRule {
+func expandFim(baseID, groupID, baseExpr string) []expandedRule {
 if !strings.Contains(baseExpr, "fim.write.file.") {
 return []expandedRule{
 {
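Review bot: The new `groupID` parameter of this non-unix `expandFim` is accepted but never read; the stub still builds its single entry from `baseID` alone, so expanded IDs on these platforms will not carry the group while the unix build's do. If that asymmetry is intended, make it visible at the signature rather than leaving a silently unused parameter, e.g. `func expandFim(baseID, _, baseExpr string) []expandedRule {` or a one-line comment `// groupID is unused: no expansion happens on this platform, so the rule keeps its own ID.` The rest of the function body is outside the hunk, so I cannot tell whether the parameter is consumed further down.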
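Review bot: Passing `""` for the group in the `expandFim` call means `TestExpandFIM` never exercises the new group segment that the unix implementation now embeds in expanded IDs, so a wrong format string or argument order there would go unnoticed. Give the table a group field and thread it through, `actual := expandFim(entry.id, entry.groupID, entry.expr)`, with at least one entry whose group is non-empty and whose `expected` IDs pin the resulting `__fim_expanded_<kind>_<group>_<id>` layout. The `entries` table and the rest of `TestExpandFIM` are outside the hunk, so the expected values it currently encodes are not visible here.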
@@ -43,7 +43,7 @@ func expandFim(baseID, baseExpr string) []expandedRule {
 if eventType == "rename" {
 expr := strings.Replace(baseExpr, "fim.write.file.", "rename.file.destination.", -1)
- id := fmt.Sprintf("__fim_expanded_%s_%s", "rename_destination", baseID)
+ id := fmt.Sprintf("__fim_expanded_%s_%s_%s", "rename_destination", groupdID, baseID)
 expandedRules = append(expandedRules, expandedRule{
 id: id,
 expr: expr,
diff --git a/pkg/security/secl/rules/ruleset.go b/pkg/security/secl/rules/ruleset.go
index 29f830636d6d22..7a078ea7ba5a79 100644
--- a/pkg/security/secl/rules/ruleset.go
+++ b/pkg/security/secl/rules/ruleset.go
@@ -317,7 +317,7 @@ func (rs *RuleSet) AddRule(parsingContext *ast.ParsingContext, pRule *PolicyRule
 tags = append(tags, k+":"+v)
 }
- expandedRules := expandFim(pRule.Def.ID, pRule.Def.Expression)
+ expandedRules := expandFim(pRule.Def.ID, pRule.Def.GroupID, pRule.Def.Expression)
 categories := make([]model.EventCategory, 0)
 for _, er := range expandedRules {
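Review bot: The added `fmt.Sprintf` line references `groupdID`, but the parameter introduced in the signature hunk above is `groupID`, so `fim_unix.go` will not compile on unix builds and `TestExpandFIM` cannot run there; the line should read `id := fmt.Sprintf("__fim_expanded_%s_%s_%s", "rename_destination", groupID, baseID)`. Separately, an empty group (which is what the updated test passes) yields `__fim_expanded_rename_destination__<baseID>` with a doubled separator, and because `_` is also the joiner, a group and rule ID that themselves contain underscores can compose to the same expanded ID as a different pair; if expanded IDs are used as keys anywhere, consider omitting the segment when `groupID == ""` and documenting the ambiguity. The rename branch is the only one visible; if other event types in this function build IDs the same way they need the same correction, and `expandFim` continues outside the hunk.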