testsAndMisc/linux_configuration/hosts/guard
Krzysztof Rudnicki 6ec85106b7 Protect nsswitch.conf and resolved.conf from hosts bypass
- Add enforce-resolved.sh: validates ReadEtcHosts=yes, prevents
  DNSOverTLS bypass, removes drop-in overrides, locks drop-in dir
- Add resolved-guard.path/service: watches /etc/systemd/resolved.conf
  and its drop-in directory for tampering
- Update pacman hooks to unlock/relock nsswitch.conf and resolved.conf
  alongside /etc/hosts during package transactions
- Extend setup_hosts_guard.sh with --skip-resolved option, resolved
  canonical snapshot, drop-in directory locking, and enforcement
- Add resolved.conf checks to check_and_enable_services.sh: validates
  ReadEtcHosts, DNSOverTLS, drop-in overrides, immutable attribute,
  and resolved-guard.path status with auto-fix capability

Fixed on live system: ReadEtcHosts was set to 'no' and nsswitch.conf
was missing 'files' in the hosts line, completely bypassing /etc/hosts.
2026-02-20 23:21:25 +01:00
pacman-hooks Protect nsswitch.conf and resolved.conf from hosts bypass 2026-02-20 23:21:25 +01:00
psychological Add 'linux_configuration/' from commit '0762e3d07b90bac9256eb272de10bf9f42878094' 2026-02-06 21:43:26 +01:00
enforce-hosts.sh Add 'linux_configuration/' from commit '0762e3d07b90bac9256eb272de10bf9f42878094' 2026-02-06 21:43:26 +01:00
enforce-nsswitch.sh feat: LeechBlock default config, Chrome repo, nsswitch fixes, extended checker 2026-02-20 20:24:13 +01:00
enforce-resolved.sh Protect nsswitch.conf and resolved.conf from hosts bypass 2026-02-20 23:21:25 +01:00
hosts-bind-mount.service Add 'linux_configuration/' from commit '0762e3d07b90bac9256eb272de10bf9f42878094' 2026-02-06 21:43:26 +01:00
hosts-guard.path Add 'linux_configuration/' from commit '0762e3d07b90bac9256eb272de10bf9f42878094' 2026-02-06 21:43:26 +01:00
hosts-guard.service Add 'linux_configuration/' from commit '0762e3d07b90bac9256eb272de10bf9f42878094' 2026-02-06 21:43:26 +01:00
install_pacman_hooks.sh Add 'linux_configuration/' from commit '0762e3d07b90bac9256eb272de10bf9f42878094' 2026-02-06 21:43:26 +01:00
nsswitch-guard.path Add 'linux_configuration/' from commit '0762e3d07b90bac9256eb272de10bf9f42878094' 2026-02-06 21:43:26 +01:00
nsswitch-guard.service Add 'linux_configuration/' from commit '0762e3d07b90bac9256eb272de10bf9f42878094' 2026-02-06 21:43:26 +01:00
README_FOR_LLM.md feat: great beautiful fixes 2026-02-20 01:17:53 +01:00
README.md feat: great beautiful fixes 2026-02-20 01:17:53 +01:00
resolved-guard.path Protect nsswitch.conf and resolved.conf from hosts bypass 2026-02-20 23:21:25 +01:00
resolved-guard.service Protect nsswitch.conf and resolved.conf from hosts bypass 2026-02-20 23:21:25 +01:00
setup_hosts_guard.sh Protect nsswitch.conf and resolved.conf from hosts bypass 2026-02-20 23:21:25 +01:00

Hosts Guard Components

This directory contains templates for hardening /etc/hosts against impulsive tampering by adding friction. It does NOT provide absolute security against a determined root user.

Components:

  1. enforce-hosts.sh: idempotent script that compares /etc/hosts with the canonical copy at /usr/local/share/locked-hosts, restores it if the two differ, and reapplies the immutable attribute (chattr +i).
  2. systemd units (to be installed under /etc/systemd/system):
    • hosts-guard.service (oneshot enforcement)
    • hosts-guard.path (triggers on PathChanged=/etc/hosts)
    • hosts-bind-mount.service (bind mounts /etc/hosts read-only after boot)
  3. psychological/ directory: scripts that add a delay plus journaling before allowing a maintenance/unlock operation.
  4. pacman hooks that automatically unlock and re-lock /etc/hosts (and, since the latest commit, /etc/nsswitch.conf and /etc/systemd/resolved.conf) around package transactions, so pacman never fails due to the read-only bind mount.
  5. nsswitch-guard.* and resolved-guard.* units with enforce-nsswitch.sh and enforce-resolved.sh: the same watch-and-restore pattern applied to /etc/nsswitch.conf and to /etc/systemd/resolved.conf plus its drop-in directory. A locked /etc/hosts is only consulted if the hosts line in nsswitch.conf lists 'files' and systemd-resolved keeps ReadEtcHosts=yes; enforce-resolved.sh validates that, removes drop-in overrides and locks the drop-in directory. setup_hosts_guard.sh installs all of the above (--skip-resolved leaves the resolved parts out).

Install Flow (suggested):

  1. After generating /etc/hosts via your existing hosts/install.sh, copy it to /usr/local/share/locked-hosts.
  2. Install enforce-hosts.sh to /usr/local/sbin/ (chmod 755).
  3. Place the units under /etc/systemd/system and enable them:
     systemctl daemon-reload
     systemctl enable --now hosts-guard.path
     systemctl enable --now hosts-bind-mount.service
  4. (Optional) Use psychological/unlock-hosts.sh as the ONLY sanctioned way to modify hosts (it removes protections temporarily, launches an editor after a delay, and re-enforces on close).
  5. Make pacman automatic (recommended): ./install_pacman_hooks.sh
     This installs hooks under /etc/pacman.d/hooks that:
    • PreTransaction: temporarily disable guard and make /etc/hosts writable
    • PostTransaction: re-run enforcement and re-enable guard (bind mount + path watcher)

Limitations:

  • A root user can still disable the units, remount /etc/hosts read-write and remove the immutable attribute.
  • The lock only matters if the resolver actually consults /etc/hosts: the hosts line in /etc/nsswitch.conf must contain 'files', and systemd-resolved must keep ReadEtcHosts=yes (the default, but a drop-in under /etc/systemd/resolved.conf.d overrides resolved.conf). Both were found broken on the live system, which is what the nsswitch and resolved guards address.
  • The purpose is to interrupt habit loops and create intentional friction, not to stop an attacker.
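The two bypasses described in the Limitations can be detected without any of the guard units, and the check is worth running before trusting a locked /etc/hosts. The POSIX sh below is an added example, not the repository's enforce-nsswitch.sh or enforce-resolved.sh: it takes the files to inspect as arguments so it can be run against constructed copies, models only the /etc drop-in directory (systemd also reads /run and /usr/lib drop-ins), and its status words and function names are its own. Beyond the page's two cases it also flags 'dns' ordered before 'files', which bypasses blocklist entries for any name that exists in DNS.

```shell
#!/bin/sh
# Added example, not the repository's enforce-nsswitch.sh / enforce-resolved.sh:
# detect the nsswitch.conf and resolved.conf configurations under which a
# locked /etc/hosts is never consulted. All paths are arguments.
set -e

# nsswitch_hosts_status NSSWITCH_FILE
# Reads the first non-comment "hosts:" line and prints one of:
#   files-first    'files' precedes 'resolve' and 'dns': glibc reads /etc/hosts
#   after-resolve  'resolve' precedes 'files': with the usual
#                  "resolve [!UNAVAIL=return]" glibc never reaches 'files'
#                  while systemd-resolved runs, so /etc/hosts only counts
#                  through resolved's own ReadEtcHosts=yes
#   after-dns      'dns' precedes 'files': DNS answers win for names that
#                  exist in DNS, which defeats blocklist entries
#   absent         no 'files' source, no hosts: line, or no such file
nsswitch_hosts_status() {
  [ -f "$1" ] || { echo absent; return 0; }
  awk '
    /^[ \t]*#/ { next }
    /^[ \t]*hosts[ \t]*:/ {
      line = $0; sub(/^[ \t]*hosts[ \t]*:/, "", line)
      n = split(line, tok, /[ \t]+/)
      fi = ri = di = pos = inact = 0
      for (i = 1; i <= n; i++) {
        if (tok[i] == "") continue
        if (tok[i] ~ /^\[/) inact = 1            # skip "[STATUS=action ...]" groups
        if (inact) { if (tok[i] ~ /\]$/) inact = 0; continue }
        pos++
        if (tok[i] == "files"   && !fi) fi = pos
        if (tok[i] == "resolve" && !ri) ri = pos
        if (tok[i] == "dns"     && !di) di = pos
      }
      if (!fi)                print "absent"
      else if (ri && ri < fi) print "after-resolve"
      else if (di && di < fi) print "after-dns"
      else                    print "files-first"
      found = 1; exit
    }
    END { if (!found) print "absent" }
  ' "$1"
}

# resolved_read_etc_hosts RESOLVED_CONF DROPIN_DIR
# Prints "<yes|no|unknown> <source>" for the effective ReadEtcHosts value.
# systemd reads the main file first, then DROPIN_DIR/*.conf in lexicographic
# order; a later assignment in a [Resolve] section overrides an earlier one,
# and the compiled-in default is yes. Only the /etc directory is modelled.
resolved_read_etc_hosts() {
  main=$1
  dropin=$2
  set --
  for f in "$main" "$dropin"/*.conf; do
    [ -f "$f" ] && set -- "$@" "$f"
  done
  [ "$#" -gt 0 ] || { echo "yes default"; return 0; }
  awk '
    FNR == 1 { sec = "" }
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
    sec == "Resolve" && /^[ \t]*ReadEtcHosts[ \t]*=/ {
      v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
      if (v == "") v = "(empty)"
      last = tolower(v); src = FILENAME
    }
    END {
      if (last == "")                       print "yes default"
      else if (last ~ /^(yes|true|1|on)$/)  print "yes " src
      else if (last ~ /^(no|false|0|off)$/) print "no " src
      else                                  print "unknown " src
    }
  ' "$@"
}

# hosts_bypass_report NSSWITCH_FILE RESOLVED_CONF DROPIN_DIR
# Prints "ok", or a "BYPASS: ..." line and returns 1, for the combination.
hosts_bypass_report() {
  nss=$(nsswitch_hosts_status "$1")
  reh=$(resolved_read_etc_hosts "$2" "$3")
  case "$nss" in
    files-first) echo ok ;;
    after-resolve)
      case "$reh" in
        yes*) echo ok ;;
        *) echo "BYPASS: resolve precedes files and ReadEtcHosts is ${reh%% *} (set in ${reh#* })"; return 1 ;;
      esac ;;
    after-dns) echo "BYPASS: dns precedes files in the nsswitch hosts line"; return 1 ;;
    *)         echo "BYPASS: no 'files' source in the nsswitch hosts line"; return 1 ;;
  esac
}
```

On a real host the call is `hosts_bypass_report /etc/nsswitch.conf /etc/systemd/resolved.conf /etc/systemd/resolved.conf.d`; the source printed for a "no" value is the file a guard would have to remove or rewrite, which is exactly the drop-in override case the resolved guard exists for.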