17. Checking the Windows registry

[Warning] 32bit vs. 64bit views

On 64bit Windows, the same key name may get mapped to different keys, depending on whether the lookup is done by a 32bit or 64bit application. Currently samhain does not check the alternate view.

This option is available with samhain version 2.8.0 and higher, when compiled on Cygwin/Windows. It enables samhain to verify the integrity of individual keys, or complete trees/hierarchies of keys, in the Windows registry.

[Note] Be careful what you ask for

The Windows registry is huge, i.e. it may contain a very large number of keys, and baseline data is stored in the samhain baseline database for every key you choose to monitor. Monitoring all of them can blow up the size of the baseline database in a quite spectacular way.

17.1. Options

All options for this module go into the section [Registry].

RegistryCheckActive= boolean switches this module on or off (default: off).

RegistryCheckInterval= seconds defines the interval (in seconds) between consecutive checks. The default is 300 seconds.

SeverityChange= severity defines the severity for reports on modifications to the registry.

IgnoreTimestampOnly= boolean ignores changes where only the (write) timestamp has changed (default: off).

SingleKey= key defines a key to be monitored (of course it is possible to use this command multiple times). Valid key names must start with one of: HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, or HKEY_USERS. The Windows path separator ('\') must be used.

Hierarchy= key defines a key hierarchy in the registry, beginning at the specified key, to be monitored (of course it is possible to use this command multiple times). Valid key names must start with one of: HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, or HKEY_USERS. The Windows path separator ('\') must be used.

[Note] Escaping the path separator

The following two directives (StopAtKey, IgnoreKey) take a (POSIX) regular expression as argument. This implies that the path separator must be escaped by doubling it, i.e. you need to write '\\' instead of '\', because the '\' is a metacharacter in regular expressions (see example below).

StopAtKey= regex means that the check of a hierarchy will stop at the specified key, i.e. nothing below this key will be checked or monitored (but the key itself where the check stops will). It is allowed to use a regular expression for the key. Valid key names must start with one of: HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, or HKEY_USERS. The Windows path separator ('\') must be used.

IgnoreKey= regex differs from the StopAtKey option only insofar as the key where the check stops is not itself checked.

17.2. Example configuration

	  [Registry]
	  
	  #
	  # Switch on the module
	  #
	  RegistryCheckActive = yes
	  
	  # Check every 60 seconds (the default is 300)
	  #
	  RegistryCheckInterval = 60
	  
	  # Check this and everything below
	  #
	  Hierarchy = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
	  
	  # Exclude this and anything below
	  # IgnoreKey and StopAtKey have a regex as argument, hence
	  # the path separator '\' must be escaped by doubling it.
	  #
	  IgnoreKey = HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
	  
	  # Check this key
	  #
	  SingleKey = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters
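To make the Hierarchy, StopAtKey and IgnoreKey semantics described in the options and the example above concrete, here is an added Python example (not part of samhain or this manual) that parses a small constructed [Registry] section and computes which of a constructed list of key paths would be monitored. It assumes that a StopAtKey/IgnoreKey pattern must match the whole key name, and its escaping check is a heuristic that flags any single backslash in a regex argument.

```python
import re
ROOTS = ("HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE", "HKEY_USERS")

# Constructed [Registry] section: the page's example plus a StopAtKey directive.
CONFIG = r"""[Registry]
Hierarchy = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
# StopAtKey and IgnoreKey take a regex, so the separator is doubled
StopAtKey = HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion
IgnoreKey = HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
SingleKey = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters
"""
# Constructed key paths standing in for a registry walk; nothing is read from a live registry.
SAMPLE_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Vendor",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters",
]

def parse_registry_section(text):
    """Collect option -> [values] from the [Registry] section; directives may repeat."""
    opts, active = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            active = line == "[Registry]"
        elif active and "=" in line and not line.startswith("#"):
            name, value = (s.strip() for s in line.split("=", 1))
            if name in ("Hierarchy", "SingleKey") and value.split("\\")[0] not in ROOTS:
                raise ValueError("key must start with one of " + ", ".join(ROOTS))
            if name in ("StopAtKey", "IgnoreKey") and "\\" in value.replace("\\\\", ""):
                raise ValueError("unescaped '\\' in regex, write '\\\\': " + value)
            opts.setdefault(name, []).append(value)
    return opts

def monitored_keys(opts, keys):
    """Keys the configuration selects; assumes a pattern must match the whole key name."""
    stop, ignore = ([re.compile(p) for p in opts.get(n, [])] for n in ("StopAtKey", "IgnoreKey"))
    hit = lambda pats, k: any(p.fullmatch(k) for p in pats)
    under = lambda k, r: k == r or k.startswith(r + "\\")
    chosen = {k for k in keys if k in opts.get("SingleKey", [])}
    for root in opts.get("Hierarchy", []):
        for key in (k for k in keys if under(k, root) and not hit(ignore, k)):
            parts = key.split("\\")  # proper ancestors of key inside the walked hierarchy
            ancestors = [a for a in ("\\".join(parts[:i]) for i in range(1, len(parts))) if under(a, root)]
            if not any(hit(stop, a) or hit(ignore, a) for a in ancestors):
                chosen.add(key)  # the StopAtKey match itself is still checked, its subkeys are not
    return sorted(chosen)
```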