/usr/share/doc/samhain/manual.html/winreg.html is in samhain 4.1.4-2.

This file is owned by root:root, with mode 0o644.

<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>17. Checking the Windows registry</title><link rel="stylesheet" type="text/css" href="docbook.css"><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="The Samhain Host Integrity Monitoring System"><link rel="up" href="file-monitor.html" title="Chapter 5. Configuring samhain, the host integrity monitor"><link rel="prev" href="logmon.html" title="16. Logfile monitoring/analysis"><link rel="next" href="modules.html" title="18. Modules"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">17. Checking the Windows registry</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="logmon.html">Prev</a> </td><th width="60%" align="center">Chapter 5. Configuring 
    <span class="application">samhain</span>, the host
    integrity monitor</th><td width="20%" align="right"> <a accesskey="n" href="modules.html">Next</a></td></tr></table><hr></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="winreg"></a>17. Checking the Windows registry</h2></div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Warning: 32bit vs. 64bit views"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Warning]" src="stylesheet-images/warning.png"></td><th align="left">32bit vs. 64bit views</th></tr><tr><td align="left" valign="top"><p>On 64bit Windows, the same key name may be mapped to
        different keys depending on whether the lookup is done by a
        32bit or a 64bit application (registry redirection: for a
        32bit application, parts of HKEY_LOCAL_MACHINE\SOFTWARE are
        redirected to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node).
        Currently 
        <span class="application">samhain</span> sees only the
        view that belongs to the samhain binary itself (32bit or
        64bit) and does not check the alternate view. If the other
        view of a key matters and samhain runs as a 64bit
        application, name the redirected location under
        WOW6432Node explicitly.</p></td></tr></table></div><p>This option is available with 
      <span class="application">samhain</span> version
      2.8.0 and higher, when compiled on Cygwin/Windows. It enables
      
      <span class="application">samhain</span> to verify
      the integrity of individual keys, or complete
      trees/hierarchies of keys, in the Windows registry.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note: Be careful what you ask for"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="stylesheet-images/note.png"></td><th align="left">Be careful what you ask for</th></tr><tr><td align="left" valign="top"><p>The Windows registry is large: a hierarchy may
        contain a huge number of keys, and if you choose to monitor
        all of them, baseline data for every one of them is stored
        in the 
        <span class="application">samhain</span> baseline
        database. Monitoring whole hives can therefore inflate the
        baseline database in a quite spectacular way. Prune
        hierarchies with StopAtKey/IgnoreKey, and prefer SingleKey
        for individual keys of interest.</p></td></tr></table></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="idm46231323068976"></a>17.1. Options</h3></div></div></div><p>All options for this module go into the section 
        <span class="command"><strong>[Registry]</strong></span> .</p><p>
        <span class="command"><strong>RegistryCheckActive=
        <em class="replaceable"><code>boolean</code></em></strong></span> switches this
        module on or off (default: off).</p><p>
        <span class="command"><strong>RegistryCheckInterval=
        <em class="replaceable"><code>seconds</code></em></strong></span> defines the
        interval (in seconds) between consecutive checks. The
        default is 300 seconds.</p><p>
        <span class="command"><strong>SeverityChange=
        <em class="replaceable"><code>severity</code></em></strong></span> defines the
        severity for reports on modifications to the
        registry.</p><p>
        <span class="command"><strong>IgnoreTimestampOnly=
        <em class="replaceable"><code>boolean</code></em></strong></span> suppresses
        reports for changes where only the (last write) timestamp of
        a key has changed and nothing else (default: off).</p><p>
        <span class="command"><strong>SingleKey=
        <em class="replaceable"><code>key</code></em></strong></span> defines a single key to be
        monitored; the directive may be used multiple times. Valid
        key names must start with one of HKEY_CLASSES_ROOT,
        HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, or HKEY_USERS, and
        the Windows path separator ('\') must be used.</p><p>
        <span class="command"><strong>Hierarchy=
        <em class="replaceable"><code>key</code></em></strong></span> defines a key
        hierarchy in the registry, beginning at the specified key,
        to be monitored; the directive may be used multiple times.
        The same rules for key names apply: they must start with one
        of HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE,
        or HKEY_USERS, and the Windows path separator ('\') must be
        used.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note: Escaping the path separator"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="stylesheet-images/note.png"></td><th align="left">Escaping the path separator</th></tr><tr><td align="left" valign="top"><p>The following two directives (StopAtKey, IgnoreKey)
          take a (POSIX) regular expression as argument, not a
          literal key name. Because '\' is a metacharacter in
          regular expressions, the path separator must be escaped by
          doubling it, i.e. you need to write '\\' instead of '\'
          (see the example below). SingleKey and Hierarchy take a
          literal key name, so there the separator is written
          once.</p></td></tr></table></div><p>
        <span class="command"><strong>StopAtKey=
        <em class="replaceable"><code>regex</code></em></strong></span> stops the
        check of a hierarchy at the specified key: the key itself is
        still checked, but nothing below it is checked or monitored. 
        <span class="emphasis"><em>It is allowed to use a regular expression for the
        key, so one directive can match several keys.</em></span> Valid key names must start with one of
        HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE,
        or HKEY_USERS, and the Windows path separator ('\') must be
        used (escaped as described above).</p><p>
        <span class="command"><strong>IgnoreKey=
        <em class="replaceable"><code>regex</code></em></strong></span> differs from the 
        <span class="emphasis"><em>StopAtKey</em></span> option only insofar as the
        key where the check stops is 
        <span class="emphasis"><em>not</em></span> itself checked: neither the
        matching key nor anything below it is monitored.</p></div><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="idm46231323051632"></a>17.2. Example configuration</h3></div></div></div><pre class="programlisting">
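</pre><p>The interaction of Hierarchy, StopAtKey and IgnoreKey is easy to
get wrong, so before the configuration fragment itself, here is a small
model of it. This is an added illustration and not samhain's own code:
samhain is written in C and walks the live registry, whereas this Python
script walks a constructed in-memory tree (a handful of keys below
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft) so that the rules can be exercised
on any machine. Python's <code>re</code> module stands in for the POSIX
regex engine; both treat '\' as a metacharacter, which is the point of the
escaping note above. All names in the script (<code>SAMPLE_TREE</code>,
<code>ROOT_KEYS</code>, <code>validate_key</code>, <code>key_matches</code>,
<code>checked_keys</code>) are this example's own, and that a pattern has
to match the whole key name (<code>fullmatch</code>) is an assumption of
the model, not something the manual states.</p>

```python
"""Model of samhain's Hierarchy / StopAtKey / IgnoreKey semantics.

Added illustration, not samhain's own code.  A constructed in-memory tree
stands in for the live Windows registry so the rules can be run anywhere.
"""
import re
from typing import Dict, Iterable, List

# The four hives the manual accepts at the start of a key name.
ROOT_KEYS = ("HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER",
             "HKEY_LOCAL_MACHINE", "HKEY_USERS")

# Constructed sample: key path -> names of its direct subkeys.
# Paths use the Windows separator, as samhain expects.
SAMPLE_TREE: Dict[str, List[str]] = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft": ["Windows", "Windows NT"],
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows": ["CurrentVersion"],
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion": ["Run"],
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": [],
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT": ["CurrentVersion"],
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion": ["Winlogon"],
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": [],
}


def validate_key(key: str) -> str:
    """Reject a Hierarchy/SingleKey argument that does not start with a hive."""
    if not any(key == root or key.startswith(root + "\\") for root in ROOT_KEYS):
        raise ValueError(f"key must start with one of {ROOT_KEYS}: {key!r}")
    return key


def key_matches(pattern: str, key: str) -> bool:
    """Match a StopAtKey/IgnoreKey regex against one key name.

    `pattern` is exactly what would stand in the [Registry] section, so a
    literal separator has to be doubled there.  Whole-name matching is an
    assumption of this model.  An unescaped separator is either a regex
    error or a different metacharacter (backslash-S is "one non-space
    character"); an error is returned as a non-match so the caller sees
    that the pattern never fires.  How samhain itself handles an invalid
    regex is not modelled.
    """
    try:
        return re.fullmatch(pattern, key) is not None
    except re.error:
        return False


def checked_keys(tree: Dict[str, List[str]], hierarchy: str,
                 stop_at: Iterable[str] = (),
                 ignore: Iterable[str] = ()) -> List[str]:
    """Keys a Hierarchy= directive would check, in depth-first order.

    StopAtKey: a matching key is checked itself, nothing below it is.
    IgnoreKey: a matching key is not checked and nothing below it is.
    """
    stops, ignores = list(stop_at), list(ignore)
    checked: List[str] = []

    def visit(key: str) -> None:
        if any(key_matches(p, key) for p in ignores):
            return                      # IgnoreKey: prune, key included
        checked.append(key)
        if any(key_matches(p, key) for p in stops):
            return                      # StopAtKey: key checked, subtree pruned
        for sub in tree.get(key, []):
            visit(key + "\\" + sub)

    visit(validate_key(hierarchy))
    return checked


if __name__ == "__main__":
    # The manual's own example: monitor HKLM\SOFTWARE\Microsoft, but ignore
    # Windows NT\CurrentVersion and everything below it.  Note the doubled
    # separators in the regex and the single ones in the Hierarchy key.
    hierarchy = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft"
    ignore = [r"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"]
    for key in checked_keys(SAMPLE_TREE, hierarchy, ignore=ignore):
        print(key)
```

<p>Run as a script, it lists the five keys of the sample tree that the
manual's example would check: Windows NT\CurrentVersion and its Winlogon
subkey are pruned. With the same pattern under StopAtKey instead,
Windows NT\CurrentVersion itself is checked too and only Winlogon is
pruned. <code>key_matches</code> also shows why the escaping note matters:
the unescaped pattern HKEY_LOCAL_MACHINE\SOFTWARE does not match its own
key name but does match HKEY_LOCAL_MACHINExOFTWARE, because backslash-S
means "one non-space character" rather than the separator.</p><p>The
configuration fragment itself:</p><pre class="programlisting">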
	  [Registry]
	  
	  #
	  # Switch on the module
	  #
	  RegistryCheckActive = yes
	  
	  # Check every 60 seconds (the default is 300)
	  #
	  RegistryCheckInterval = 60
	  
	  # Check this and everything below
	  #
	  Hierarchy = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
	  
	  # Exclude this and anything below
	  # IgnoreKey and StopAtKey have a regex as argument, hence
	  # the path separator '\' must be escaped by doubling it.
	  #
	  IgnoreKey = HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
	  
	  # Check this key
	  #
	  SingleKey = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters
</pre></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="logmon.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="file-monitor.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="modules.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">16. Logfile monitoring/analysis </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> 18. Modules</td></tr></table></div></body></html>