I just completed adding support for monitoring the Windows registry on ossec. It seems to be fairly stable right now and hopefully a beta version will be available soon (lots of tests will be required).
The configuration will have the following options available: (inside the syscheck area):
<windows_registry>HKEY_LOCAL_MACHINE\SYSTEM</windows_registry> <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft</registry_ignore>
Where the first option is a list (comma separated) of registry entries to monitor and the second is a list of entries to ignore.
A question now for the Windows users out there: which registry entries should we monitor by default?
I was thinking of monitoring everything under HKEY_LOCAL_MACHINE\SYSTEM, HKEY_LOCAL_MACHINE\SECURITY and HKEY_LOCAL_MACHINE\SAM. Is there anything else worth checking too?
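To make the two options concrete, here is an added example (my own illustration, not OSSEC's code) that parses a syscheck fragment using the windows_registry and registry_ignore options described above, populated with the default keys proposed in the question, and decides for a given key path whether it would be monitored. The matching rule is an assumption: entries are treated as case-insensitive path prefixes that cover their subkeys, and an ignore entry wins over a monitored root that contains it. The ignore entry under SYSTEM is a constructed placeholder, not a real key.

```python
"""Added example, not OSSEC's own code: parse the syscheck registry options
and evaluate which key paths end up monitored.

Assumptions (not stated in the post): entries match as case-insensitive
path prefixes covering subkeys, and registry_ignore takes precedence over
windows_registry when both cover the same key.
"""
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment: monitored roots are the defaults proposed
# in the post; the NoisyExampleKey ignore entry is a placeholder.
SYSCHECK_FRAGMENT = """
<syscheck>
  <windows_registry>HKEY_LOCAL_MACHINE\\SYSTEM, HKEY_LOCAL_MACHINE\\SECURITY, HKEY_LOCAL_MACHINE\\SAM</windows_registry>
  <registry_ignore>HKEY_LOCAL_MACHINE\\Software\\Microsoft, HKEY_LOCAL_MACHINE\\SYSTEM\\NoisyExampleKey</registry_ignore>
</syscheck>
"""


def parse_registry_options(xml_text):
    """Return (monitored, ignored) as lists split on the comma separators."""
    root = ET.fromstring(xml_text)

    def split_list(tag):
        node = root.find(tag)
        if node is None or not node.text:
            return []
        return [entry.strip() for entry in node.text.split(",") if entry.strip()]

    return split_list("windows_registry"), split_list("registry_ignore")


def _normalize(path):
    # Registry key names are case-insensitive; a trailing backslash is noise.
    return path.rstrip("\\").lower()


def _is_under(key, prefix):
    """True if key equals prefix or is a subkey of it.

    Requiring the separator after the prefix keeps HKLM\\SYSTEMX from being
    matched by an entry for HKLM\\SYSTEM.
    """
    key, prefix = _normalize(key), _normalize(prefix)
    return key == prefix or key.startswith(prefix + "\\")


def is_monitored(key, monitored, ignored):
    """Decide whether syscheck would watch this key under the assumed rules."""
    if not any(_is_under(key, m) for m in monitored):
        return False
    return not any(_is_under(key, i) for i in ignored)


if __name__ == "__main__":
    monitored, ignored = parse_registry_options(SYSCHECK_FRAGMENT)
    for candidate in (
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services",
        "hkey_local_machine\\sam\\SAM",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\NoisyExampleKey\\Sub",
        "HKEY_LOCAL_MACHINE\\SYSTEMX",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows",
    ):
        print(f"{candidate}: {'monitored' if is_monitored(candidate, monitored, ignored) else 'skipped'}")
```

The separator check in _is_under is the detail worth carrying into any real implementation: a plain prefix comparison would silently treat a sibling key with a longer name as part of a monitored or ignored tree.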
Comments are more than welcome.