/usr/share/doc/samhain/manual.html/winreg.html is in samhain 4.1.4-2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 | <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>17. Checking the Windows registry</title><link rel="stylesheet" type="text/css" href="docbook.css"><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="The Samhain Host Integrity Monitoring System"><link rel="up" href="file-monitor.html" title="Chapter 5. Configuring samhain, the host integrity monitor"><link rel="prev" href="logmon.html" title="16. Logfile monitoring/analysis"><link rel="next" href="modules.html" title="18. Modules"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><!--#if expr="! ($HTTP_USER_AGENT = /MSIE/)"--><!--#include virtual="/resources/ssi/header.html"--><!--#endif--><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">17. Checking the Windows registry</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="logmon.html">Prev</a> </td><th width="60%" align="center">Chapter 5. Configuring
<span class="application">samhain</span>, the host
integrity monitor</th><td width="20%" align="right"> <a accesskey="n" href="modules.html">Next</a></td></tr></table><hr></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="winreg"></a>17. Checking the Windows registry</h2></div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Warning: 32bit vs. 64bit views"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Warning]" src="stylesheet-images/warning.png"></td><th align="left">32bit vs. 64bit views</th></tr><tr><td align="left" valign="top"><p>On 64bit Windows, the same key name may get mapped to
different keys, depending on whether the lookup is done by
a 32bit or 64bit application. Currently
<span class="application">samhain</span> does not
check the alternate view.</p></td></tr></table></div><p>This option is available with
<span class="application">samhain</span> version
2.8.0 and higher, when compiled on Cygwin/Windows. It enables
<span class="application">samhain</span> to verify
the integrity of individual keys, or complete
trees/hierarchies of keys, in the Windows registry.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note: Be careful what you ask for"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="stylesheet-images/note.png"></td><th align="left">Be careful what you ask for</th></tr><tr><td align="left" valign="top"><p>The Windows registry is huge, i.e. it may contain a
huge amount of keys, for which baseline data will get
stored in the
<span class="application">samhain</span> baseline
database if you desire to monitor all of them. There is the
potential to blow up the size of the baseline database in a
quite spectacular way.</p></td></tr></table></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="idm46231323068976"></a>17.1. Options</h3></div></div></div><p>All options for this module go into the section
<span class="command"><strong>[Registry]</strong></span> .</p><p>
<span class="command"><strong>RegistryCheckActive=
<em class="replaceable"><code>boolean</code></em></strong></span> switches this
module on or off (default: off).</p><p>
<span class="command"><strong>RegistryCheckInterval=
<em class="replaceable"><code>seconds</code></em></strong></span> defines the
interval (in seconds) between consecutive checks. The
default is 300 seconds.</p><p>
<span class="command"><strong>SeverityChange=
<em class="replaceable"><code>severity</code></em></strong></span> defines the
severity for reports on modifications to the
registry.</p><p>
<span class="command"><strong>IgnoreTimestampOnly=
<em class="replaceable"><code>boolean</code></em></strong></span> to ignore
changes where only the (write) timestamp has changed
(default: off).</p><p>
<span class="command"><strong>SingleKey=
<em class="replaceable"><code>key</code></em></strong></span> defines a key to be
monitored (of course it is possible to use this command
multiple times). Valid key names must start with one of:
HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE,
or HKEY_USERS. The Windows path separator ('\') must be
used.</p><p>
<span class="command"><strong>Hierarchy=
<em class="replaceable"><code>key</code></em></strong></span> defines a key
hierarchy in the registry, beginning at the specified key,
to be monitored (of course it is possible to use this
command multiple times). Valid key names must start with
one of: HKEY_CLASSES_ROOT, HKEY_CURRENT_USER,
HKEY_LOCAL_MACHINE, or HKEY_USERS. The Windows path
separator ('\') must be used.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note: Escaping the path separator"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="stylesheet-images/note.png"></td><th align="left">Escaping the path separator</th></tr><tr><td align="left" valign="top"><p>The following two directives (StopAtKey, IgnoreKey)
take a (POSIX) regular expression as argument. This
implies that the path separator must be escaped by
doubling it, i.e. you need to write '\\' instead of '\',
because the '\' is a metacharacter in regular expressions
(see example below).</p></td></tr></table></div><p>
<span class="command"><strong>StopAtKey=
<em class="replaceable"><code>regex</code></em></strong></span> means that the
check of a hierarchy will stop at the specified key, i.e.
nothing below this key will be checked or monitored (but
the key itself where the check stops will).
<span class="emphasis"><em>It is allowed to use a regular expression for the
key.</em></span> Valid key names must start with one of:
HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE,
or HKEY_USERS. The Windows path separator ('\') must be
used.</p><p>
<span class="command"><strong>IgnoreKey=
<em class="replaceable"><code>regex</code></em></strong></span> differs from the
<span class="emphasis"><em>StopAtKey</em></span> option only insofar as the
key where the check stops is
<span class="emphasis"><em>not</em></span> itself checked.</p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="idm46231323051632"></a>17.2. Example configuration</h3></div></div></div><pre class="programlisting">
[Registry]
#
# Switch on the module
#
RegistryCheckActive = yes
# Check every 60 second
#
RegistryCheckInterval = 1
# Check this and everything below
#
Hierarchy = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
# Exclude this and anything below
# IgnoreKey and StopAtKey have a regex as argument, hence
# the path separator '\' must be escaped by doubling it.
#
IgnoreKey = HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
# Check this key
#
SingleKey = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters
</pre></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="logmon.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="file-monitor.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="modules.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">16. Logfile monitoring/analysis </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> 18. Modules</td></tr></table></div><!--#if expr="! ($HTTP_USER_AGENT = /MSIE/)"--><!--#include virtual="/resources/ssi/footer.html"--><!--#endif--></body></html>
|