falcosecurity / plugins

Falco plugins registry
Apache License 2.0

General rules clean up #392

Closed mikegcoleman closed 8 months ago

mikegcoleman commented 8 months ago

What type of PR is this?

Uncomment one (or more) `/kind <>` lines:

/kind cleanup

/area plugins

There were some grammatical errors in the rules themselves. Also, some rule output messages were wrong (e.g. it would say "an object was created" when the rule was for deletion). I also separated some rules into two rules - in particular I tried to create "delete" and "modify" rules separately since I think admins would prefer to have more specificity in their output.

Which issue(s) this PR fixes: Fixes #391

Special notes for your reviewer:

poiana commented 8 months ago

Welcome @mikegcoleman! It looks like this is your first PR to falcosecurity/plugins 🎉

leogr commented 8 months ago

Hey @mikegcoleman

It looks like there're some yaml validation issues. Could you take a look at the failing tests and fix them, please?

For example https://github.com/falcosecurity/plugins/actions/runs/7414200888/job/20294145856?pr=392

mikegcoleman commented 8 months ago

@leogr Fixed the formatting issues. Took a note to run the YAML validator before submitting a PR next time :)

github-actions[bot] commented 8 months ago

Rules files suggestions

gcp_auditlog_rules.yaml

Comparing 77d72e0768f297e5a896ecf8678e1abeebfa15a9 with latest tag gcpaudit-0.2.2

Major changes:

Minor changes:

leogr commented 8 months ago

Major changes:

  • Rule GCP IAM serviceAccount key deleted has been removed
  • Rule GCP IAM serviceAccount deleted has been removed
  • Rule GCP IAM serviceAccount modified has been removed
  • Rule GCP backendService deleted has been removed
  • Rule GCP IAM serviceAccount created has been removed
  • Rule GCP IAM serviceAccount key created has been removed
  • Rule GCP IAM principle modified has been removed
  • Rule GCP cloud function updated or deleted has been removed
  • Rule GCP KMS updated or deleted has been removed
  • Rule GCP Pub/Sub Subscriber modified has been removed

Note for releasers: we can just bump the minor since the major is still 0 cc @LucaGuerra @Andreagit97 @jasondellaluce

poiana commented 8 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: leogr, mikegcoleman

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[plugins/gcpaudit/OWNERS](https://github.com/falcosecurity/plugins/blob/master/plugins/gcpaudit/OWNERS)~~ [leogr]

Approvers can indicate their approval by writing `/approve` in a comment

Approvers can cancel approval by writing `/approve cancel` in a comment

poiana commented 8 months ago

LGTM label has been added.

Git tree hash: c1ddb2d29737afa468576f67647a128c16193e90