Note: 32bit vs. 64bit views

On 64bit Windows, the same key name may get mapped to different keys, depending on whether the lookup is done by a 32bit or 64bit application. Currently samhain does not check the alternate view.
This option is available with samhain version 2.8.0 and higher, when compiled on Cygwin/Windows. It enables samhain to verify the integrity of individual keys, or complete trees/hierarchies of keys, in the Windows registry.
Note: Be careful what you ask for

The Windows registry is huge, i.e. it may contain a huge number of keys, for each of which baseline data will get stored in the samhain baseline database if you choose to monitor all of them. There is the potential to blow up the size of the baseline database in a quite spectacular way.
All options for this module go into the section [Registry].
RegistryCheckActive=boolean
    switches this module on or off (default: off).

RegistryCheckInterval=seconds
    defines the interval (in seconds) between consecutive checks. The default is 300 seconds.

SeverityChange=severity
    defines the severity for reports on modifications to the registry.

IgnoreTimestampOnly=boolean
    ignore changes where only the (write) timestamp has changed (default: off).

SingleKey=key
    defines a key to be monitored (of course it is possible to use this command multiple times). Valid key names must start with one of: HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, or HKEY_USERS. The Windows path separator ('\') must be used.

Hierarchy=key
    defines a key hierarchy in the registry, beginning at the specified key, to be monitored (of course it is possible to use this command multiple times). Valid key names must start with one of: HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, or HKEY_USERS. The Windows path separator ('\') must be used.
Note: Escaping the path separator

The following two directives (StopAtKey, IgnoreKey) take a (POSIX) regular expression as argument. This implies that the path separator must be escaped by doubling it, i.e. you need to write '\\' instead of '\', because the '\' is a metacharacter in regular expressions (see example below).
StopAtKey=regex
    means that the check of a hierarchy will stop at the specified key, i.e. nothing below this key will be checked or monitored (but the key itself where the check stops will). It is allowed to use a regular expression for the key. Valid key names must start with one of: HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, or HKEY_USERS. The Windows path separator ('\') must be used, doubled to '\\' because the argument is a regular expression.

IgnoreKey=regex
    differs from the StopAtKey option only insofar as the key where the check stops is not itself checked.
    [Registry]
    #
    # Switch on the module
    #
    RegistryCheckActive = yes
    #
    # Check every 60 seconds
    #
    RegistryCheckInterval = 60
    #
    # Check this and everything below
    #
    Hierarchy = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
    #
    # Exclude this and anything below.
    # IgnoreKey and StopAtKey have a regex as argument, hence
    # the path separator '\' must be escaped by doubling it.
    #
    IgnoreKey = HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
    #
    # Check this key
    #
    SingleKey = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters
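As an added example (not samhain's own code), a small Python checker for a [Registry] section written in the syntax described above: it parses the directives, flags key names that do not start with one of the four supported hives or regex arguments in which '\' has not been doubled, and models the difference between IgnoreKey and StopAtKey for a given key path. It assumes that a StopAtKey/IgnoreKey regex has to match the whole key path and uses Python's re module in place of the POSIX regex engine; the sample section is constructed for the example.

```python
import re

SAMPLE_CONFIG = r"""
[Registry]
Hierarchy = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
IgnoreKey = HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
StopAtKey = HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography
SingleKey = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters
"""
HIVES = ("HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE", "HKEY_USERS")
KEY_DIRECTIVES = ("SingleKey", "Hierarchy", "StopAtKey", "IgnoreKey")

def parse_registry_section(text):
    """Yield (directive, value) pairs from [Registry], skipping comments and blanks."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[registry]"
        elif in_section and "=" in line and not line.startswith("#"):
            directive, value = line.split("=", 1)
            yield directive.strip(), value.strip()

def lint_registry_section(text):
    """Warn about key directives with a bad hive prefix or an unescaped '\\' in a regex."""
    warnings = []
    for directive, value in parse_registry_section(text):
        if directive in KEY_DIRECTIVES and not value.startswith(HIVES):
            warnings.append(f"{directive}: '{value}' does not start with a supported hive")
        # A lone '\' in a regex escapes the next char ('\S' = non-whitespace); only '\\' is a separator.
        if directive in ("StopAtKey", "IgnoreKey") and re.search(r"(?<!\\)\\(?!\\)", value):
            warnings.append(f"{directive}: unescaped '\\' in regex, write '\\\\' instead")
    return warnings

def is_monitored(key_path, config_text):
    """Model the page's IgnoreKey/StopAtKey rules (assumes a regex must match the whole key path)."""
    by = {}
    for directive, value in parse_registry_section(config_text):
        by.setdefault(directive, []).append(value)
    in_tree = any(key_path == h or key_path.startswith(h + "\\") for h in by.get("Hierarchy", []))
    if key_path not in by.get("SingleKey", []) and not in_tree:
        return False
    parts = key_path.split("\\")
    for depth in range(1, len(parts) + 1):  # walk from the hive down to the key itself
        ancestor = "\\".join(parts[:depth])
        if any(re.fullmatch(p, ancestor) for p in by.get("IgnoreKey", [])):
            return False  # IgnoreKey: the matching key and everything below it are skipped
        if depth < len(parts) and any(re.fullmatch(p, ancestor) for p in by.get("StopAtKey", [])):
            return False  # StopAtKey: the matching key is checked, nothing below it is
    return True
```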