mirror of
https://github.com/kuhyx/testsAndMisc.git
synced 2026-07-04 15:23:03 +02:00
- Add enforce-resolved.sh: validates ReadEtcHosts=yes, prevents DNSOverTLS bypass, removes drop-in overrides, locks drop-in dir - Add resolved-guard.path/service: watches /etc/systemd/resolved.conf and its drop-in directory for tampering - Update pacman hooks to unlock/relock nsswitch.conf and resolved.conf alongside /etc/hosts during package transactions - Extend setup_hosts_guard.sh with --skip-resolved option, resolved canonical snapshot, drop-in directory locking, and enforcement - Add resolved.conf checks to check_and_enable_services.sh: validates ReadEtcHosts, DNSOverTLS, drop-in overrides, immutable attribute, and resolved-guard.path status with auto-fix capability Fixed on live system: ReadEtcHosts was set to 'no' and nsswitch.conf was missing 'files' in the hosts line, completely bypassing /etc/hosts.
13 lines
249 B
Desktop File
13 lines
249 B
Desktop File
[Unit]
|
|
Description=Enforce canonical /etc/systemd/resolved.conf (prevents hosts bypass)
|
|
After=local-fs.target
|
|
|
|
[Service]
|
|
Type=oneshot
|
|
ExecStart=/usr/local/sbin/enforce-resolved.sh
|
|
Nice=10
|
|
IOSchedulingClass=idle
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|