[CWS] make windows self test run from outside of system-probe (#31128)

DataDog · Nov 26, 2024 · c1ac65c · c1ac65c
1 parent 8cd4352
commit c1ac65c
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 11 deletions.
diff --git a/pkg/security/probe/selftests/create_file_windows.go b/pkg/security/probe/selftests/create_file_windows.go
@@ -9,6 +9,7 @@ package selftests
 import (
 	"fmt"
 	"os"
+	"os/exec"
 	"path/filepath"
 
 	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
@@ -37,7 +38,7 @@ func (o *WindowsCreateFileSelfTest) GetRuleDefinition() *rules.RuleDefinition {
 
 	return &rules.RuleDefinition{
 		ID:         o.ruleID,
-		Expression: fmt.Sprintf(`create.file.name == "%s" && create.file.device_path =~ "%s" && process.pid == %d`, basename, filepath.ToSlash(devicePath), os.Getpid()),
+		Expression: fmt.Sprintf(`create.file.name == "%s" && create.file.device_path =~ "%s"`, basename, filepath.ToSlash(devicePath)),
 		Silent:     true,
 	}
 }
@@ -46,12 +47,21 @@ func (o *WindowsCreateFileSelfTest) GetRuleDefinition() *rules.RuleDefinition {
 func (o *WindowsCreateFileSelfTest) GenerateEvent() error {
 	o.isSuccess = false
 
-	file, err := os.Create(o.filename)
-	if err != nil {
+	cmd := exec.Command(
+		"powershell",
+		"-c",
+		"New-Item",
+		"-Path",
+		o.filename,
+		"-ItemType",
+		"file",
+	)
+	if err := cmd.Run(); err != nil {
 		log.Debugf("error creating file: %v", err)
 		return err
 	}
-	return file.Close()
+
+	return os.Remove(o.filename)
 }
 
 // HandleEvent handles self test events

diff --git a/pkg/security/probe/selftests/open_registry_key_windows.go b/pkg/security/probe/selftests/open_registry_key_windows.go
@@ -10,14 +10,12 @@ package selftests
 
 import (
 	"fmt"
-	"os"
+	"os/exec"
 	"path/filepath"
 
 	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
 	"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
 	"github.com/DataDog/datadog-agent/pkg/util/log"
-
-	"golang.org/x/sys/windows/registry"
 )
 
 // WindowsOpenRegistryKeyTest defines a windows open registry key self test
@@ -33,7 +31,7 @@ func (o *WindowsOpenRegistryKeyTest) GetRuleDefinition() *rules.RuleDefinition {
 
 	return &rules.RuleDefinition{
 		ID:         o.ruleID,
-		Expression: fmt.Sprintf(`open.registry.key_name == "%s" && process.pid == %d`, filepath.Base(o.keyPath), os.Getpid()),
+		Expression: fmt.Sprintf(`open.registry.key_name == "%s"`, filepath.Base(o.keyPath)),
 		Silent:     true,
 	}
 }
@@ -42,12 +40,20 @@ func (o *WindowsOpenRegistryKeyTest) GetRuleDefinition() *rules.RuleDefinition {
 func (o *WindowsOpenRegistryKeyTest) GenerateEvent() error {
 	o.isSuccess = false
 
-	key, err := registry.OpenKey(registry.LOCAL_MACHINE, o.keyPath, registry.READ)
-	if err != nil {
+	path := fmt.Sprintf("Registry::HKEY_LOCAL_MACHINE:\\%s", o.keyPath)
+
+	cmd := exec.Command(
+		"powershell",
+		"-c",
+		"Get-ItemProperty",
+		"-Path",
+		path,
+	)
+	if err := cmd.Run(); err != nil {
 		log.Debugf("error opening registry key: %v", err)
 		return err
 	}
-	defer key.Close()
+
 	return nil
 }