falcosecurity / rules

Falco rule repository
https://falcosecurity.github.io/rules/
Apache License 2.0

Add filter on event result field in `spawned_process` macro #90

Closed Biagio-Dipalma closed 9 months ago

Biagio-Dipalma commented 1 year ago

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area rules

/area registry

/area build

/area documentation

What this PR does / why we need it: This is a possible improvement of the spawned_process macro: basically I'm adding a filter to consider only the successful spawns, not all of them. This will make the detections more precise and avoid useless events.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:
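As an added illustration (not the PR's own diff, which is not shown on this page), here are the two macros side by side in Falco rule syntax. The first is the `spawned_process` macro as defined in the default `falco_rules.yaml`; the second is an assumed form of the success-only macro this PR describes, keeping only `execve`/`execveat` exit events whose return value is 0. The macro name `spawned_process_success` and the choice of the `evt.rawres` field to express "the result is zero" are assumptions made for this example.

```yaml
# Default macro: matches every execve/execveat exit event, whether the
# syscall succeeded or failed (e.g. ENOENT, EACCES). Rules built on it
# therefore also fire on spawn attempts that never produced a process.
- macro: spawned_process
  condition: (evt.type in (execve, execveat) and evt.dir=<)

# Assumed success-only variant (name and field choice are assumptions,
# not the PR's diff): adds a filter on the event result so that only
# spawns that actually returned 0 are matched. Rules that want fewer,
# more precise alerts can opt in to this macro; rules that deliberately
# want to see failed spawn attempts keep using spawned_process, which is
# why reviewers asked for a separate macro rather than changing the old one.
- macro: spawned_process_success
  condition: (evt.type in (execve, execveat) and evt.dir=< and evt.rawres=0)
```

A rule switched to the second macro no longer alerts on a process that tried to exec a missing or non-executable binary, which removes noise, but it also loses visibility into repeated failed exec attempts, which some detections treat as a signal in their own right.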

poiana commented 1 year ago

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Biagio-Dipalma Once this PR has been reviewed and has the lgtm label, please assign fededp for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

- **[OWNERS](https://github.com/falcosecurity/rules/blob/main/OWNERS)**

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.

poiana commented 1 year ago

Welcome @Biagio-Dipalma! It looks like this is your first PR to falcosecurity/rules 🎉

Kaizhe commented 1 year ago

This is going to impact all the rules using the spawn_process macro, which may cause unexpected results. E.g. some may expect to see the spawned process with errors. I would recommend creating a new macro :)

loresuso commented 1 year ago

Agreed with @Kaizhe, this can be really impactful but I do agree that most of the time we are interested in successful execves. I'd create a new macro too, since we still don't have a way to test each rule and we don't know how these changes will affect them. We can start writing new rules with the new macro, and as soon as we introduce some testing, gradually switch to the new one :)

github-actions[bot] commented 1 year ago

rules/falco_rules.yaml

Comparing 0aeda02b57055f7fb402c9b9878927fd73b14c82 with latest tag falco-rules-1.0.1

No changes detected

Biagio-Dipalma commented 1 year ago

@loresuso / @Kaizhe you're right, I've just added a new macro. TY! :)

loresuso commented 1 year ago

Perfect, can you sign-off your commit? So that we can let this in :) You can squash them and then push just one commit. Moreover, commit messages should follow conventional commits

Kaizhe commented 1 year ago

> @loresuso / @Kaizhe you're right, I've just added a new macro. TY! :)

Thanks for your contribution :) We really need it!

incertum commented 1 year ago

@Kaizhe and @loresuso do we have a status update? Are we ok with having unused macros? Perhaps we could comment it, so it serves as example and inspiration? We have done it that way on other places.

poiana commented 12 months ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana commented 11 months ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

leogr commented 10 months ago

I believe this needs to be rebased to make the more recent CI jobs run on it. /assign @LucaGuerra

poiana commented 9 months ago

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community. /close

poiana commented 9 months ago

@poiana: Closed this PR.

In response to [this](https://github.com/falcosecurity/rules/pull/90#issuecomment-1950240773):

> Rotten issues close after 30d of inactivity.
>
> Reopen the issue with `/reopen`.
>
> Mark the issue as fresh with `/remove-lifecycle rotten`.
>
> Provide feedback via https://github.com/falcosecurity/community.
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.