testsAndMisc/linux_configuration/hosts/guard/README.md

2026-02-20 01:17:53 +01:00
# Hosts Guard Components
This directory contains templates for hardening /etc/hosts against impulsive tampering. The goal is to add friction, NOT to provide absolute security against a determined root user.

Components:

1. enforce-hosts.sh: idempotent script that compares /etc/hosts with the canonical copy at /usr/local/share/locked-hosts, restores it if the two differ, and reapplies the immutable attribute.
2. systemd units (to be installed under /etc/systemd/system):
   - hosts-guard.service (oneshot enforcement)
   - hosts-guard.path (triggers on PathChanged=/etc/hosts)
   - hosts-bind-mount.service (bind mounts /etc/hosts read-only after boot)
3. psychological/ directory: scripts that add a delay and a journaling step before allowing a maintenance/unlock operation.
4. pacman hooks that automatically unlock/re-lock /etc/hosts around package transactions, so pacman never fails because of the read-only bind mount.
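The enforcement logic of component 1, written out as an added example rather than the repository's own enforce-hosts.sh. It follows the description above (compare with the canonical copy, restore on difference, reapply the immutable attribute) and is idempotent; the two optional arguments default to the paths named in this README and exist only so the function can be exercised against throwaway copies. The "apply" entry point at the bottom is an assumed convention, not the project's.

```sh
#!/bin/sh
# Added example, not the repository's enforce-hosts.sh: an idempotent
# enforcement function matching the behaviour described for component 1.
# Arguments default to the paths the README names; they exist so the
# function can be exercised against throwaway copies.
set -u

enforce_hosts() {
    target=${1:-/etc/hosts}
    canonical=${2:-/usr/local/share/locked-hosts}

    # Refuse to act without a canonical copy rather than guess.
    if [ ! -f "$canonical" ]; then
        echo "enforce_hosts: canonical copy $canonical missing, refusing to act" >&2
        return 2
    fi

    # Compare first so that repeated runs are no-ops when nothing changed.
    if cmp -s "$canonical" "$target"; then
        status=unchanged
    else
        # The immutable bit must be dropped before the file can be rewritten.
        # chattr needs root and a supporting filesystem; ignore its failure
        # here and let cp report the real error if the file is still locked.
        chattr -i "$target" 2>/dev/null || true
        cp "$canonical" "$target" || return 1
        status=restored
    fi

    # Reapply the immutable attribute. This is the friction layer, so a
    # failure (unprivileged run, tmpfs, ...) is reported but not fatal.
    if ! chattr +i "$target" 2>/dev/null; then
        echo "enforce_hosts: could not set +i on $target" >&2
    fi

    echo "$status"
    return 0
}

# Act on the live system only when asked explicitly: "sh enforce.sh apply".
if [ "${1:-}" = "apply" ]; then
    enforce_hosts "${2:-}" "${3:-}"
fi
```

The function prints `restored` or `unchanged` so that a wrapper (or the oneshot unit's journal) shows whether the path trigger actually found a modification; a missing canonical copy is a hard error, because restoring from nothing would be worse than leaving a tampered file in place.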
Install Flow (suggested):

1. After generating /etc/hosts via your existing hosts/install.sh, copy it to /usr/local/share/locked-hosts.
2. Install enforce-hosts.sh to /usr/local/sbin/ (chmod 755).
3. Place the units and enable them:

   ```sh
   systemctl daemon-reload
   systemctl enable --now hosts-guard.path
   systemctl enable --now hosts-bind-mount.service
   ```

4. (Optional) Use psychological/unlock-hosts.sh as the ONLY sanctioned way to modify hosts (it removes the protections temporarily, launches an editor after a delay, and re-enforces on close).
5. Make the pacman handling automatic (recommended):

   ```sh
   ./install_pacman_hooks.sh
   ```

   This installs hooks under /etc/pacman.d/hooks that:
   - PreTransaction: temporarily disable the guard and make /etc/hosts writable
   - PostTransaction: re-run enforcement and re-enable the guard (bind mount + path watcher)
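The whole install flow (steps 1 to 5) as one function, added here as an example; it is not the repository's install scripts, unit templates or pacman hooks. Files are laid out under an optional DESTDIR so the layout can be checked on a staging tree, and systemctl is only called for a live install (empty DESTDIR). The unit and hook bodies, the hook file names and the hosts-guard-toggle helper are my assumptions about what such templates contain.

```sh
#!/bin/sh
# Added example, not the repository's install scripts or unit templates: the
# install flow above as one function, laid out under an optional DESTDIR so it
# can be exercised on a staging tree. systemctl runs only for a live install
# (empty DESTDIR). Unit/hook bodies and the hosts-guard-toggle name are my
# assumptions of what such templates contain, not copied from the project.
set -u

install_hosts_guard() {
    destdir=${1:-}                        # "" = live system
    hosts_src=${2:-/etc/hosts}            # output of hosts/install.sh (step 1)
    enforce_src=${3:-./enforce-hosts.sh}  # script to install (step 2)
    units="$destdir/etc/systemd/system"
    hooks="$destdir/etc/pacman.d/hooks"
    mkdir -p "$destdir/usr/local/share" "$destdir/usr/local/sbin" "$units" "$hooks"

    # Step 1: canonical copy; step 2: enforcement script, mode 755.
    cp "$hosts_src" "$destdir/usr/local/share/locked-hosts"
    cp "$enforce_src" "$destdir/usr/local/sbin/enforce-hosts.sh"
    chmod 755 "$destdir/usr/local/sbin/enforce-hosts.sh"

    # Step 3: the path unit fires the oneshot service whenever the file changes;
    # the bind-mount unit mounts the file over itself and remounts it read-only.
    cat > "$units/hosts-guard.service" <<'EOF'
[Service]
Type=oneshot
ExecStart=/usr/local/sbin/enforce-hosts.sh
EOF
    cat > "$units/hosts-guard.path" <<'EOF'
[Path]
PathChanged=/etc/hosts
Unit=hosts-guard.service

[Install]
WantedBy=multi-user.target
EOF
    cat > "$units/hosts-bind-mount.service" <<'EOF'
[Unit]
After=local-fs.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/mount --bind /etc/hosts /etc/hosts
ExecStart=/usr/bin/mount -o remount,bind,ro /etc/hosts
ExecStop=/usr/bin/umount /etc/hosts

[Install]
WantedBy=multi-user.target
EOF

    # Step 5: one helper that pauses or resumes the guard, driven by two
    # pacman hooks (alpm runs hooks in file-name order, hence the prefixes).
    cat > "$destdir/usr/local/sbin/hosts-guard-toggle" <<'EOF'
#!/bin/sh
set -e
case "${1:-}" in
    pause)   systemctl stop hosts-guard.path hosts-bind-mount.service
             chattr -i /etc/hosts ;;
    resume)  /usr/local/sbin/enforce-hosts.sh
             systemctl start hosts-bind-mount.service hosts-guard.path ;;
    *)       echo "usage: $0 pause|resume" >&2; exit 64 ;;
esac
EOF
    chmod 755 "$destdir/usr/local/sbin/hosts-guard-toggle"
    for phase in PreTransaction:00-hosts-guard-pause:pause \
                 PostTransaction:zz-hosts-guard-resume:resume; do
        when=${phase%%:*}; rest=${phase#*:}; name=${rest%%:*}; arg=${rest#*:}
        cat > "$hooks/$name.hook" <<EOF
[Trigger]
Operation = Install
Operation = Upgrade
Operation = Remove
Type = Package
Target = *

[Action]
When = $when
Exec = /usr/local/sbin/hosts-guard-toggle $arg
EOF
    done

    # Enable only on a live install; a staging tree has no systemd to talk to.
    if [ -z "$destdir" ]; then
        systemctl daemon-reload
        systemctl enable --now hosts-guard.path
        systemctl enable --now hosts-bind-mount.service
    else
        echo "staged under $destdir; skipped systemctl"
    fi
}

if [ "${1:-}" = "install" ]; then
    install_hosts_guard "${2:-}" "${3:-}" "${4:-}"
fi
```

Two ordering details matter: the pause branch stops the bind mount before dropping the immutable bit, since a read-only mount would make the chattr pointless, and the resume branch runs enforcement first so that whatever pacman wrote is compared against the canonical copy before the file is locked again; re-mounting a file that a later package hook still wants to edit would reintroduce the failure the hooks exist to avoid.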
Limitations:

- A root user can still disable the units, remount the file read-write, and remove the attributes.
- The purpose is to interrupt habit loops and create intentional friction.