Krzysztof Rudnicki 6ec85106b7 Protect nsswitch.conf and resolved.conf from hosts bypass
- Add enforce-resolved.sh: validates ReadEtcHosts=yes, prevents
  DNSOverTLS bypass, removes drop-in overrides, locks drop-in dir
- Add resolved-guard.path/service: watches /etc/systemd/resolved.conf
  and its drop-in directory for tampering
- Update pacman hooks to unlock/relock nsswitch.conf and resolved.conf
  alongside /etc/hosts during package transactions
- Extend setup_hosts_guard.sh with --skip-resolved option, resolved
  canonical snapshot, drop-in directory locking, and enforcement
- Add resolved.conf checks to check_and_enable_services.sh: validates
  ReadEtcHosts, DNSOverTLS, drop-in overrides, immutable attribute,
  and resolved-guard.path status with auto-fix capability

Fixed on live system: ReadEtcHosts was set to 'no' and nsswitch.conf
was missing 'files' in the hosts line, completely bypassing /etc/hosts.
2026-02-20 23:21:25 +01:00


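#!/usr/bin/env bash
# pacman-post-relock-hosts.sh - Re-apply all guard protections after pacman
# Re-locks: /etc/hosts, /etc/nsswitch.conf, /etc/systemd/resolved.conf
#
# Intended to run as a pacman post-transaction hook, paired with the hook that
# unlocks the same files before the transaction. The order below matters:
# enforcement scripts run first (presumably they need the files writable),
# then the immutable attribute / read-only bind mount are re-applied, then
# the path watchers are started again.
set -euo pipefail

# Source shared functions (log_hook, collapse_mounts, apply_immutable,
# apply_ro_bind_mount, start_path_watcher)
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=hosts-guard-common.sh
source "$SCRIPT_DIR/hosts-guard-common.sh"

readonly ENFORCE=/usr/local/sbin/enforce-hosts.sh
readonly ENFORCE_NSSWITCH=/usr/local/sbin/enforce-nsswitch.sh
readonly ENFORCE_RESOLVED=/usr/local/sbin/enforce-resolved.sh

#######################################
# Run one enforcement script, best-effort.
# A failing enforcer must not abort the hook: under `set -e` that would skip
# apply_immutable/apply_ro_bind_mount and leave the guarded files unlocked.
# The failure is no longer silent, though - it is recorded via log_hook so a
# broken enforcer shows up in the hook log instead of disappearing into
# `|| true`.
# Arguments: $1 - absolute path of the enforcement script
# Outputs:   enforcer stdout/stderr is discarded; failures go to log_hook
# Returns:   always 0
#######################################
run_enforcer() {
  local enforcer=$1
  local rc=0

  # Not installed (or not executable): nothing to enforce for this file.
  [[ -x "$enforcer" ]] || return 0

  "$enforcer" >/dev/null 2>&1 || rc=$?
  if (( rc != 0 )); then
    log_hook "post" "enforce failed: ${enforcer##*/} (rc=$rc)"
  fi
  return 0
}

log_hook "post" "relocking(start)"

# Collapse any stacked mounts first
collapse_mounts

# Run enforcement scripts if available (each one is best-effort, see above)
run_enforcer "$ENFORCE"
run_enforcer "$ENFORCE_NSSWITCH"
run_enforcer "$ENFORCE_RESOLVED"

# Apply protections (immutable on all guarded files)
apply_immutable
apply_ro_bind_mount

# Start all path watchers
start_path_watcher

log_hook "post" "relocking(done)"
exit 0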