From c1ac65cb14d75ba75c9bdf39431ac8d124092adf Mon Sep 17 00:00:00 2001
From: Paul Cacheux
Date: Tue, 26 Nov 2024 15:05:34 +0100
Subject: [PATCH] [CWS] make windows self test run from outside of system-probe (#31128)

---
 .../probe/selftests/create_file_windows.go | 18 +++++++++++++----
 .../selftests/open_registry_key_windows.go | 20 ++++++++++++-------
 2 files changed, 27 insertions(+), 11 deletions(-)

diff --git a/pkg/security/probe/selftests/create_file_windows.go b/pkg/security/probe/selftests/create_file_windows.go
index eebc878f61b24..806ef251044e5 100644
--- a/pkg/security/probe/selftests/create_file_windows.go
+++ b/pkg/security/probe/selftests/create_file_windows.go
@@ -9,6 +9,7 @@ package selftests
 import (
 	"fmt"
 	"os"
+	"os/exec"
 	"path/filepath"
 
 	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
@@ -37,7 +38,7 @@ func (o *WindowsCreateFileSelfTest) GetRuleDefinition() *rules.RuleDefinition {
 
 	return &rules.RuleDefinition{
 		ID: o.ruleID,
-		Expression: fmt.Sprintf(`create.file.name == "%s" && create.file.device_path =~ "%s" && process.pid == %d`, basename, filepath.ToSlash(devicePath), os.Getpid()),
+		Expression: fmt.Sprintf(`create.file.name == "%s" && create.file.device_path =~ "%s"`, basename, filepath.ToSlash(devicePath)),
 		Silent: true,
 	}
 }
@@ -46,12 +47,21 @@ func (o *WindowsCreateFileSelfTest) GetRuleDefinition() *rules.RuleDefinition {
 func (o *WindowsCreateFileSelfTest) GenerateEvent() error {
 	o.isSuccess = false
 
-	file, err := os.Create(o.filename)
-	if err != nil {
+	cmd := exec.Command(
+		"powershell",
+		"-c",
+		"New-Item",
+		"-Path",
+		o.filename,
+		"-ItemType",
+		"file",
+	)
+	if err := cmd.Run(); err != nil {
 		log.Debugf("error creating file: %v", err)
 		return err
 	}
-	return file.Close()
+
+	return os.Remove(o.filename)
 }
 
 // HandleEvent handles self test events
diff --git a/pkg/security/probe/selftests/open_registry_key_windows.go b/pkg/security/probe/selftests/open_registry_key_windows.go
index f405e0ace0e0f..4767e729d587e 100644
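Review bot: Dropping `process.pid == %d` from the Expression in GetRuleDefinition leaves `create.file.name` and `create.file.device_path` as the only constraints, so any process on the host creating a file of that name on that device now also marks the self test as passed; the same widening is made to `open.registry.key_name` in open_registry_key_windows.go, where a bare key basename is more likely to collide with ordinary activity. If the Windows process event exposes a parent-process field in SECL, tying the rule to the spawning agent process (`… && <parent-pid field> == %d` with `os.Getpid()`) would restore the old precision without depending on the child's pid. Otherwise the expression deserves a comment such as `// no process.pid constraint: the event comes from a spawned powershell, not from this process`, so the next reader does not re-add it. GetRuleDefinition starts before the hunk.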
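Review bot: `o.filename` is handed to `powershell -c` as a bare token, and PowerShell joins everything after `-c` into one command string and re-parses it, so a path containing a space or a PowerShell metacharacter (`;`, `$`, backtick) is not treated as a literal path — at best `New-Item` fails on a temp directory with a space in its name, at worst part of the path is interpreted as code; `path` in open_registry_key_windows.go's GenerateEvent has the same problem. Resolving `powershell` through PATH and letting it load profile scripts also means a process that, if the agent runs as SYSTEM, executes whatever those locations hold. I would build the command as one single-quoted string with embedded quotes doubled, pin the interpreter under `SystemRoot`, pass `-NoProfile -NonInteractive`, and keep the command output for the debug log (this needs a `strings` import added to the first hunk). Note too that `New-Item` without `-Force` errors when the file already exists, whereas the replaced `os.Create` truncated it, so a file left behind by an older build would fail the first run if `o.filename` is stable across runs; the new trailing `os.Remove` only prevents that for subsequent runs.
```go
func (o *WindowsCreateFileSelfTest) GenerateEvent() error {
	o.isSuccess = false

	// -Command re-parses its arguments as PowerShell source, so the path is
	// single-quoted with embedded quotes doubled instead of passed as a bare token.
	script := fmt.Sprintf("New-Item -Path '%s' -ItemType file", strings.ReplaceAll(o.filename, "'", "''"))

	// Pin the interpreter rather than resolving "powershell" through PATH, and
	// skip profile scripts so nothing beyond this one command is executed.
	powershell := filepath.Join(os.Getenv("SystemRoot"), "System32", "WindowsPowerShell", "v1.0", "powershell.exe")
	cmd := exec.Command(powershell, "-NoProfile", "-NonInteractive", "-Command", script)
	if out, err := cmd.CombinedOutput(); err != nil {
		log.Debugf("error creating file: %v (output: %q)", err, out)
		return err
	}
	// … unchanged: return os.Remove(o.filename) …
}
```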
--- a/pkg/security/probe/selftests/open_registry_key_windows.go
+++ b/pkg/security/probe/selftests/open_registry_key_windows.go
@@ -10,14 +10,12 @@ package selftests
 
 import (
 	"fmt"
-	"os"
+	"os/exec"
 	"path/filepath"
 
 	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
 	"github.com/DataDog/datadog-agent/pkg/security/secl/rules"
 	"github.com/DataDog/datadog-agent/pkg/util/log"
-
-	"golang.org/x/sys/windows/registry"
 )
 
 // WindowsOpenRegistryKeyTest defines a windows open registry key self test
@@ -33,7 +31,7 @@ func (o *WindowsOpenRegistryKeyTest) GetRuleDefinition() *rules.RuleDefinition {
 
 	return &rules.RuleDefinition{
 		ID: o.ruleID,
-		Expression: fmt.Sprintf(`open.registry.key_name == "%s" && process.pid == %d`, filepath.Base(o.keyPath), os.Getpid()),
+		Expression: fmt.Sprintf(`open.registry.key_name == "%s"`, filepath.Base(o.keyPath)),
 		Silent: true,
 	}
 }
@@ -42,12 +40,20 @@ func (o *WindowsOpenRegistryKeyTest) GetRuleDefinition() *rules.RuleDefinition {
 func (o *WindowsOpenRegistryKeyTest) GenerateEvent() error {
 	o.isSuccess = false
 
-	key, err := registry.OpenKey(registry.LOCAL_MACHINE, o.keyPath, registry.READ)
-	if err != nil {
+	path := fmt.Sprintf("Registry::HKEY_LOCAL_MACHINE:\\%s", o.keyPath)
+
+	cmd := exec.Command(
+		"powershell",
+		"-c",
+		"Get-ItemProperty",
+		"-Path",
+		path,
+	)
+	if err := cmd.Run(); err != nil {
 		log.Debugf("error opening registry key: %v", err)
 		return err
 	}
-	defer key.Close()
+
 	return nil
 }
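Review bot: The provider path built on the `path :=` line, `Registry::HKEY_LOCAL_MACHINE:\<key>`, mixes the provider-qualified spelling (`Registry::HKEY_LOCAL_MACHINE\...`, no colon after the hive) with the drive spelling (`HKLM:\...`); I have not verified that the colon form resolves, so either confirm it on a Windows host and say so in a comment, or use `fmt.Sprintf("Registry::HKEY_LOCAL_MACHINE\\%s", o.keyPath)`. `Get-ItemProperty` also enumerates the key's values rather than merely opening it for read as the replaced `registry.OpenKey(..., registry.READ)` did, which is fine for a rule on `open.registry.key_name` but worth recording: `// Get-ItemProperty opens the key for read, which is the open event the rule waits for`. Passing `path` as a bare `-c` token has the same quoting and interpreter-pinning concerns raised on create_file_windows.go's GenerateEvent; note that `os` was dropped from this file's imports in the first hunk, so pinning the interpreter via `os.Getenv("SystemRoot")` here would need it back.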