mirror of
https://github.com/kuhyx/testsAndMisc.git
synced 2026-07-04 15:03:01 +02:00
- Add enforce-resolved.sh: validates ReadEtcHosts=yes, prevents DNSOverTLS bypass, removes drop-in overrides, locks drop-in dir
- Add resolved-guard.path/service: watches /etc/systemd/resolved.conf and its drop-in directory for tampering
- Update pacman hooks to unlock/relock nsswitch.conf and resolved.conf alongside /etc/hosts during package transactions
- Extend setup_hosts_guard.sh with --skip-resolved option, resolved canonical snapshot, drop-in directory locking, and enforcement
- Add resolved.conf checks to check_and_enable_services.sh: validates ReadEtcHosts, DNSOverTLS, drop-in overrides, immutable attribute, and resolved-guard.path status with auto-fix capability

Fixed on live system: ReadEtcHosts was set to 'no' and nsswitch.conf was missing 'files' in the hosts line, completely bypassing /etc/hosts.
11 lines
246 B
SYSTEMD
[Unit]
Description=Watch /etc/systemd/resolved.conf for tampering (hosts bypass protection)

[Path]
# PathChanged= triggers when the watched file is closed after a write (not on
# every write; that is PathModified=) and, for a directory, when an entry is
# created, removed or renamed in it. Watching the drop-in directory as well
# catches overrides that leave resolved.conf itself untouched.
PathChanged=/etc/systemd/resolved.conf
PathChanged=/etc/systemd/resolved.conf.d
Unit=resolved-guard.service

[Install]
WantedBy=multi-user.target
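The path unit above only fires the guard; the guard's job, per the commit message, is to confirm that resolved still honours /etc/hosts. The following is an added example, not the repository's enforce-resolved.sh or check_and_enable_services.sh: a POSIX shell check that computes the ReadEtcHosts= value systemd-resolved will actually apply after drop-ins are merged (last assignment under [Resolve] wins, absent means the documented default of yes), and that confirms the nsswitch.conf hosts line still names the files module. The sample trees it writes are constructed for the demonstration and are not copies of real system files; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not the repository's own enforce-resolved.sh: work out the
# ReadEtcHosts= value systemd-resolved will actually apply once drop-ins are
# taken into account, and check that the nsswitch.conf "hosts:" line still
# names the "files" module (the NSS module that reads /etc/hosts).

# Trim a config line and remove whitespace around the first '='.
trim_line() {
    printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/[[:space:]]*=[[:space:]]*/=/'
}

# Print the effective ReadEtcHosts= ("yes" or "no") for MAIN plus DROPIN_DIR/*.conf.
# systemd reads the main file first, then drop-ins in lexical order; the last
# assignment inside a [Resolve] section wins. An absent key means the documented
# default, "yes"; an unparsable boolean is logged and ignored, so the previous
# value stands; the same key under another section is ignored entirely.
effective_read_etc_hosts() {
    main_conf="$1"; dropin_dir="$2"; value="yes"
    for f in "$main_conf" "$dropin_dir"/*.conf; do
        [ -f "$f" ] || continue
        in_resolve=0
        while IFS= read -r raw || [ -n "$raw" ]; do
            line=$(trim_line "$raw")
            case "$line" in
                ''|'#'*|';'*) ;;
                '['*']') if [ "$line" = "[Resolve]" ]; then in_resolve=1; else in_resolve=0; fi ;;
                ReadEtcHosts=*)
                    [ "$in_resolve" -eq 1 ] || continue
                    case "$(printf '%s' "${line#ReadEtcHosts=}" | tr 'A-Z' 'a-z')" in
                        1|yes|y|true|t|on)  value="yes" ;;
                        0|no|n|false|f|off) value="no" ;;
                    esac ;;
            esac
        done < "$f"
    done
    printf '%s\n' "$value"
}

# Return 0 when an uncommented "hosts:" line in FILE lists "files" as a service.
nsswitch_hosts_has_files() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*hosts[[:space:]]*:/ {
            sub(/^[[:space:]]*hosts[[:space:]]*:/, ""); sub(/#.*/, "")
            n = split($0, svc, /[[:space:]]+/)
            for (i = 1; i <= n; i++) if (svc[i] == "files") found = 1
        }
        END { exit found ? 0 : 1 }' "$1" 2>/dev/null
}

# One-line verdict for a resolved.conf tree and an nsswitch.conf; returns 0
# only when /etc/hosts is honoured on both paths.
report() {
    reh=$(effective_read_etc_hosts "$1" "$2")
    if nsswitch_hosts_has_files "$3"; then nss="files present"; else nss="files MISSING"; fi
    printf 'ReadEtcHosts=%s, nsswitch hosts line: %s\n' "$reh" "$nss"
    [ "$reh" = "yes" ] && [ "$nss" = "files present" ]
}

# Constructed sample trees, not copies of any real system files. "weak" is one
# way to reach the state the commit describes (hosts bypassed on both paths);
# "fixed" is the enforced state, with a stray key outside [Resolve] as a decoy.
write_samples() {
    root="$1"
    mkdir -p "$root/weak/resolved.conf.d" "$root/fixed/resolved.conf.d"
    printf '[Resolve]\nReadEtcHosts=yes\n' > "$root/weak/resolved.conf"
    printf '[Resolve]\nReadEtcHosts=NO\n' > "$root/weak/resolved.conf.d/99-override.conf"
    printf 'hosts: resolve [!UNAVAIL=return] myhostname\n' > "$root/weak/nsswitch.conf"
    printf '[Resolve]\nReadEtcHosts = yes\n' > "$root/fixed/resolved.conf"
    printf '[Network]\nReadEtcHosts=no\n' > "$root/fixed/resolved.conf.d/10-decoy.conf"
    printf '# constructed\nhosts: mymachines resolve [!UNAVAIL=return] files myhostname dns\n' > "$root/fixed/nsswitch.conf"
}

# Run the check against both constructed trees.
demo_root=$(mktemp -d)
write_samples "$demo_root"
for state in weak fixed; do
    printf '%s: ' "$state"
    report "$demo_root/$state/resolved.conf" "$demo_root/$state/resolved.conf.d" "$demo_root/$state/nsswitch.conf" || true
done
rm -rf "$demo_root"
```

To run it against a live host, call `report /etc/systemd/resolved.conf /etc/systemd/resolved.conf.d /etc/nsswitch.conf` instead of the sample paths; the merge logic is what makes the drop-in case visible, since `grep ReadEtcHosts /etc/systemd/resolved.conf` alone would have reported the weak tree as compliant.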