REGISTRY_AUDIT
This policy item checks whether the access control list (ACL) on a registry key matches the expected ACL. The check is performed by calling the Win32 function RegGetKeySecurity on a handle to the registry key and comparing the returned security descriptor with the ACL named in the policy file.
Note: This check requires remote registry access to the target Windows system in order to function properly.
Usage
<custom_item>
type: REGISTRY_AUDIT
description: ["description"]
value_type: [value_type]
value_data: [value]
reg_key: ["regkeyname"]
(optional) acl_option: [acl_option]
</custom_item>
The allowed type is:
value_type: REG_ACL
value_data: "ACLname"
reg_key: "RegistryKeyName"
The following predefined hive prefixes can be used at the start of the reg_key field:
HKLM (HKEY_LOCAL_MACHINE)
HKU (HKEY_USERS)
HKCR (HKEY_CLASSES_ROOT)
When using this audit, please note the following:
- The reg_key field must include the full path to the registry key.
- The value_data field is the name of the ACL defined in the policy file.
- The acl_option field can be set to CAN_BE_NULL or CAN_NOT_BE_NULL to force a success or an error, respectively, if the key does not exist.
- The acl_allow and acl_deny fields correspond to "Successful" and "Failed" audit events.
Example
Here is an example .audit file that audits the registry key "HKLM\SOFTWARE\Microsoft" against an access control list named "ACL2", which is defined elsewhere in the policy file and is not shown here:
<custom_item>
type: REGISTRY_AUDIT
description: "Audit for HKLM\SOFTWARE\Microsoft"
value_type: REG_ACL
value_data: "ACL2"
reg_key: "HKLM\SOFTWARE\Microsoft"
</custom_item>
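To see what the check above actually evaluates, the following PowerShell script is an added example (it is not part of the Tenable documentation or of the Nessus audit engine). It reads the key's security descriptor, the same data RegGetKeySecurity returns, and compares the resulting ACEs with an expected ACL, mirroring the value_data comparison and the CAN_BE_NULL / CAN_NOT_BE_NULL behaviour of acl_option described in the notes. The function name Test-RegistryKeyAcl, the parameter names, and the expected ACL contents are assumptions for this example; what "ACL2" defines is not shown on the page, so the expected table is a constructed stand-in.

```powershell
# Added example, not Tenable code. Mirrors a REGISTRY_AUDIT check locally:
# read the key's security descriptor and compare its ACEs to an expected ACL.

function Test-RegistryKeyAcl {
    param(
        [Parameter(Mandatory)] [string]    $RegKey,          # audit-style path, e.g. HKLM\SOFTWARE\Microsoft
        [Parameter(Mandatory)] [hashtable] $ExpectedAllow,   # identity -> expected RegistryRights (Allow ACEs)
        [hashtable] $ExpectedDeny = @{},                     # identity -> expected RegistryRights (Deny ACEs)
        [bool] $KeyMissingIsFailure = $true                  # $true = CAN_NOT_BE_NULL, $false = CAN_BE_NULL
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # Map the predefined hive prefixes from the audit format onto provider-qualified paths,
    # which work for every hive without creating extra PSDrives (HKU: and HKCR: do not exist by default).
    $hiveMap = @{
        'HKLM' = 'HKEY_LOCAL_MACHINE'
        'HKU'  = 'HKEY_USERS'
        'HKCR' = 'HKEY_CLASSES_ROOT'
        'HKCU' = 'HKEY_CURRENT_USER'
    }
    $parts = $RegKey -split '\\', 2
    if (-not $hiveMap.ContainsKey($parts[0])) { throw "Unknown hive prefix '$($parts[0])' in '$RegKey'" }
    $providerPath = 'Registry::' + $hiveMap[$parts[0]]
    if ($parts.Count -gt 1) { $providerPath += '\' + $parts[1] }

    # acl_option semantics: a missing key is a failure under CAN_NOT_BE_NULL, a pass under CAN_BE_NULL.
    if (-not (Test-Path -LiteralPath $providerPath)) {
        $findings.Add('key does not exist')
        $result = if ($KeyMissingIsFailure) { 'FAILED' } else { 'PASSED' }
        return [pscustomobject]@{ Key = $RegKey; Result = $result; Findings = $findings.ToArray() }
    }

    # Get-Acl returns a RegistrySecurity object built from the key's security descriptor.
    $acl = Get-Acl -LiteralPath $providerPath

    # Fold the ACEs per principal so that a key ACE and an inherit-only ACE for the same
    # identity are compared as one effective rights mask.
    $allow = @{}
    $deny  = @{}
    foreach ($rule in $acl.Access) {
        $id     = $rule.IdentityReference.Value
        $bucket = if ($rule.AccessControlType -eq 'Deny') { $deny } else { $allow }
        if ($bucket.ContainsKey($id)) { $bucket[$id] = $bucket[$id] -bor $rule.RegistryRights }
        else                          { $bucket[$id] = $rule.RegistryRights }
    }

    # Compare observed against expected in both directions: extra principals, wrong rights,
    # and missing principals are all findings. Rights expressed as generic access bits
    # (shown numerically) never equal a named RegistryRights value and surface as findings for review.
    foreach ($pair in @(@('Allow', $allow, $ExpectedAllow), @('Deny', $deny, $ExpectedDeny))) {
        $kind, $observed, $expected = $pair
        foreach ($id in $observed.Keys) {
            if (-not $expected.ContainsKey($id)) {
                $findings.Add("unexpected $kind ACE for $id ($($observed[$id]))")
            }
            elseif ($observed[$id] -ne [System.Security.AccessControl.RegistryRights]$expected[$id]) {
                $findings.Add("$kind rights for $id are $($observed[$id]), expected $($expected[$id])")
            }
        }
        foreach ($id in $expected.Keys) {
            if (-not $observed.ContainsKey($id)) { $findings.Add("expected $kind ACE for $id is missing") }
        }
    }

    $result = if ($findings.Count -eq 0) { 'PASSED' } else { 'FAILED' }
    return [pscustomobject]@{ Key = $RegKey; Result = $result; Findings = $findings.ToArray() }
}

# Constructed expected ACL standing in for the "ACL2" definition that the page does not show.
$expectedAcl = @{
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
    'BUILTIN\Administrators' = 'FullControl'
    'BUILTIN\Users'          = 'ReadKey'
    'CREATOR OWNER'          = 'FullControl'
}

# Equivalent of the example audit item with acl_option: CAN_NOT_BE_NULL.
Test-RegistryKeyAcl -RegKey 'HKLM\SOFTWARE\Microsoft' -ExpectedAllow $expectedAcl -KeyMissingIsFailure $true |
    Format-List Key, Result, Findings
```

The script runs against the local registry; to reproduce the remote case the note mentions, run it on the target through Invoke-Command with an account that has remote registry rights. Any Deny ACE not listed in the ExpectedDeny table is reported as a finding, which is the conservative reading of the acl_deny field: a deny entry that the policy did not anticipate is exactly what an ACL audit should surface.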