- Add enforce-resolved.sh: validates ReadEtcHosts=yes, prevents DNSOverTLS bypass, removes drop-in overrides, locks drop-in dir - Add resolved-guard.path/service: watches /etc/systemd/resolved.conf and its drop-in directory for tampering - Update pacman hooks to unlock/relock nsswitch.conf and resolved.conf alongside /etc/hosts during package transactions - Extend setup_hosts_guard.sh with --skip-resolved option, resolved canonical snapshot, drop-in directory locking, and enforcement - Add resolved.conf checks to check_and_enable_services.sh: validates ReadEtcHosts, DNSOverTLS, drop-in overrides, immutable attribute, and resolved-guard.path status with auto-fix capability Fixed on live system: ReadEtcHosts was set to 'no' and nsswitch.conf was missing 'files' in the hosts line, completely bypassing /etc/hosts.
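#!/usr/bin/env bash
# pacman-post-relock-hosts.sh - Re-apply all guard protections after pacman
# Re-locks: /etc/hosts, /etc/nsswitch.conf, /etc/systemd/resolved.conf
#
# Runs as a pacman post-transaction hook. The order below matters: the
# enforcement scripts run before the immutable attribute and the read-only
# bind mount are re-applied, since they need to be able to rewrite the
# guarded files. A missing or failing enforcer is not fatal (the remaining
# protections are still restored), but it is no longer silent: the outcome
# is recorded through log_hook so an incomplete relock is visible.
set -euo pipefail

# Source shared functions
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=hosts-guard-common.sh
source "$SCRIPT_DIR/hosts-guard-common.sh"

readonly ENFORCE=/usr/local/sbin/enforce-hosts.sh
readonly ENFORCE_NSSWITCH=/usr/local/sbin/enforce-nsswitch.sh
readonly ENFORCE_RESOLVED=/usr/local/sbin/enforce-resolved.sh

#######################################
# Run one enforcement script, best-effort.
# Skips (and logs) an enforcer that is missing or not executable; runs an
# available one with its output discarded and logs a non-zero exit status
# instead of swallowing it. Never aborts the hook.
# Globals:   none written
# Arguments: $1 - path to the enforcement script
# Outputs:   diagnostics via log_hook only
# Returns:   0 always
#######################################
run_enforcer() {
  local enforcer=$1
  local rc=0
  # ${enforcer##*/} is the basename, kept short for the log line.
  if [[ ! -x "$enforcer" ]]; then
    log_hook "post" "enforce-skipped(${enforcer##*/}: missing or not executable)"
    return 0
  fi
  # Capture the status without tripping set -e; the hook must continue.
  "$enforcer" >/dev/null 2>&1 || rc=$?
  if (( rc != 0 )); then
    log_hook "post" "enforce-failed(${enforcer##*/}: rc=$rc)"
  fi
  return 0
}

log_hook "post" "relocking(start)"

# Collapse any stacked mounts first
collapse_mounts

# Run enforcement scripts if available
run_enforcer "$ENFORCE"
run_enforcer "$ENFORCE_NSSWITCH"
run_enforcer "$ENFORCE_RESOLVED"

# Apply protections (immutable on all guarded files)
apply_immutable
apply_ro_bind_mount

# Start all path watchers
start_path_watcher

log_hook "post" "relocking(done)"

exit 0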