mirror of
https://github.com/kuhyx/scripts.git
synced 2026-07-04 14:23:08 +02:00
32 lines
979 B
Bash
Executable File
32 lines
979 B
Bash
Executable File
#!/bin/bash
|
||
# Template guard script to enforce canonical /etc/hosts
|
||
# This will be installed into /usr/local/sbin/enforce-hosts.sh by a setup script.
|
||
|
||
set -euo pipefail
|
||
|
||
CANONICAL_SOURCE="/usr/local/share/locked-hosts"
|
||
TARGET="/etc/hosts"
|
||
LOG_FILE="/var/log/hosts-guard.log"
|
||
|
||
log() {
|
||
printf '%s - %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" | tee -a "$LOG_FILE" >&2
|
||
}
|
||
|
||
if [[ ! -f "$CANONICAL_SOURCE" ]]; then
|
||
log "Canonical hosts not found at $CANONICAL_SOURCE; aborting enforcement"
|
||
exit 0
|
||
fi
|
||
|
||
if ! cmp -s "$CANONICAL_SOURCE" "$TARGET"; then
|
||
log "Difference detected – restoring $TARGET from canonical copy"
|
||
cp "$CANONICAL_SOURCE" "$TARGET"
|
||
chmod 644 "$TARGET"
|
||
else
|
||
log "No drift detected (contents identical)"
|
||
fi
|
||
|
||
# Re-apply protective attributes: immutable first, then read-only bind mount handled by separate unit
|
||
chattr -i -a "$TARGET" 2>/dev/null || true
|
||
chattr +i "$TARGET" || log "Failed to set immutable attribute"
|
||
|
||
log "Enforcement complete" |