V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

includes/target/etc/default/ciss-xdg-profile

@@ -0,0 +1,19 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Default toggles for ciss-xdg-profile
+# 1 = enable, 0 = disable
+
+ENABLE_XDG_BASH_HISTORY=1
+ENABLE_XDG_LESS_HISTORY=1
+ENABLE_XDG_ZSH_HISTORY=1
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

includes/target/etc/profile.d/ciss-xdg.sh

@@ -0,0 +1,63 @@
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# shellcheck shell=sh
+
+# This file is sourced by login shells via '/etc/profile'. Keep POSIX sh compatible.
+
+### XDG variables (do not override if already set).
+export XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
+export XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
+export XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
+export XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
+export XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
+export XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
+
+### XDG_RUNTIME_DIR is provided by systemd-logind; do not set a persistent path.
+# shellcheck disable=SC2312
+if [ -z "${XDG_RUNTIME_DIR:-}" ] && [ -d "/run/user/$(id -u)" ]; then
+  # shellcheck disable=SC2155
+  export XDG_RUNTIME_DIR="/run/user/$(id -u)"
+fi
+
+### Create canonical directories idempotently with 0700.
+_xdg_umask="$(umask)"
+umask 077
+[ -d "${XDG_CONFIG_HOME}"     ] || install -d -m 0700 -- "${XDG_CONFIG_HOME}"
+[ -d "${XDG_DATA_HOME}"       ] || install -d -m 0700 -- "${XDG_DATA_HOME}"
+[ -d "${XDG_CACHE_HOME}"      ] || install -d -m 0700 -- "${XDG_CACHE_HOME}"
+[ -d "${XDG_STATE_HOME}"      ] || install -d -m 0700 -- "${XDG_STATE_HOME}"
+umask "${_xdg_umask}"
+unset _xdg_umask
+
+### Optional migrations (controlled via /'etc/default/ciss-xdg-profile').
+[ -f /etc/default/ciss-xdg-profile ] && . /etc/default/ciss-xdg-profile
+
+### Bash history -> XDG_STATE_HOME (only if running bash).
+if [ "${ENABLE_XDG_BASH_HISTORY:-1}" = "1" ] && [ -n "${BASH_VERSION:-}" ]; then
+  [ -d "${XDG_STATE_HOME}/bash" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/bash"
+  export HISTFILE="${XDG_STATE_HOME}/bash/history"
+fi
+
+### Zsh history -> XDG_STATE_HOME (best-effort; zsh might not read /etc/profile)
+if [ "${ENABLE_XDG_ZSH_HISTORY:-1}" = "1" ] && [ -n "${ZSH_VERSION:-}" ]; then
+  [ -d "${XDG_STATE_HOME}/zsh" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/zsh"
+  export HISTFILE="${XDG_STATE_HOME}/zsh/history"
+fi
+
+### Less history -> XDG_STATE_HOME
+if [ "${ENABLE_XDG_LESS_HISTORY:-1}" = "1" ]; then
+  [ -d "${XDG_STATE_HOME}/less" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/less"
+  export LESSHISTFILE="${XDG_STATE_HOME}/less/history"
+fi
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/etc/skel/.cache/.keep

@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu

includes/target/etc/skel/.ciss.bashrc

@@ -11,6 +11,9 @@
 
 [[ $- != *i* ]] && return
 
+### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
+set +o errexit +o nounset +o pipefail
+
 # shellcheck disable=SC2312
 if [[ "$(id -u)" -eq 0 ]]; then
   umask 0022
@@ -27,9 +30,6 @@ trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' EXIT
 . "${HOME}/.ciss/scan_libwrap"
 . "${HOME}/.ciss/shortcuts"
 
-### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
-set +o errexit +o nounset +o pipefail
-
 ### Preferred editor for local and remote sessions.
 export EDITOR="nano"
 
@@ -40,7 +40,7 @@ export HISTCONTROL='ignoreboth:erasedups'
 
 # The name of the file in which command history is saved. The default value is ~/.bash_history. If unset, the command history
 # is not saved when a shell exits.
-export HISTFILE=~/.bash_history
+export HISTFILE="${XDG_STATE_HOME}/bash/history"
 
 # The maximum number of lines contained in the history file.
 export HISTFILESIZE="16384"

includes/target/etc/skel/.ciss.zshrc

@@ -152,7 +152,7 @@ export EDITOR="nano"
 
 ### History
 # The name of the file in which command history is saved.
-export HISTFILE="${HOME}/.zsh_history"
+export HISTFILE="${XDG_STATE_HOME}/zsh/history"
 # The maximum number of lines contained in the history file.
 export HISTSIZE=16384
 # The number of commands to remember in the command history.

includes/target/etc/skel/.ciss/alias

@@ -10,9 +10,6 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-########################################################################################### Alpha
-alias genkeyfile='haveged -n 1048576 >| /tmp/secure_keyfile_$(date +%s)'
-
 ########################################################################################### Bash
 alias clear="printf '\033c'"
 alias c='clear'
@@ -225,12 +222,12 @@ swget() {
 }
 
 #######################################
-# Wrapper for loading CISS.2025 hardened Kernel Parameters.
+# Wrapper for loading CISS hardened Kernel Parameters.
 # Arguments:
 #   None
 #######################################
 sysp() {
-  sysctl -p /etc/sysctl.d/99_local.hardened
+  sysctl -p /etc/sysctl.d/9999_ciss_debian_installer.hardened
   # sleep 1
   # shellcheck disable=SC2312
   sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log

includes/target/etc/skel/.config/.keep

@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu

includes/target/etc/skel/.local/.keep

@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu

includes/target/etc/skel/.local/share/.keep

@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu

includes/target/etc/skel/.local/state/.keep

@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu

includes/target/etc/skel/.local/state/bash/.keep

@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu

includes/target/etc/skel/.local/state/less/.keep

@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu

includes/target/etc/skel/.local/state/zsh/.keep

@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu

includes/target/etc/skel/.physnet.bashrc

@@ -0,0 +1,127 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+[[ $- != *i* ]] && return
+
+### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
+set +o errexit +o nounset +o pipefail
+
+# shellcheck disable=SC2312
+if [[ "$(id -u)" -eq 0 ]]; then
+  umask 0022
+  PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+else
+  umask 0077
+  PATH="/usr/local/bin:/usr/bin:/bin"
+fi
+export PATH
+
+trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' EXIT
+. "${HOME}/.ciss/alias"
+. "${HOME}/.ciss/f2bchk"
+. "${HOME}/.ciss/scan_libwrap"
+. "${HOME}/.ciss/shortcuts"
+
+### Preferred editor for local and remote sessions.
+export EDITOR="nano"
+
+### History-Settings
+# -'ignoreboth' Do not put duplicate lines or lines starting with space in the history.
+# -'erasedups' Causes all previous lines matching the current line to be removed from the history before that line is saved.
+export HISTCONTROL='ignoreboth:erasedups'
+
+# The name of the file in which command history is saved. The default value is ~/.bash_history. If unset, the command history
+# is not saved when a shell exits.
+export HISTFILE="${XDG_STATE_HOME}/bash/history"
+
+# The maximum number of lines contained in the history file.
+export HISTFILESIZE="16384"
+
+# The number of commands to remember in the command history. If the value is 0, commands are not saved in the history list.
+# Numeric values less than zero result in every command being saved on the history list (there is no limit).
+export HISTSIZE="16384"
+
+# If this variable is set, time stamps are written to the history file, so they may be preserved across shell sessions.
+export HISTTIMEFORMAT='%F %T %z  '
+
+# Optional, cautious filters (avoids trivial leaks, but not foolproof). Caution: HISTIGNORE is coarse-grained, don't overdo it.
+export HISTIGNORE='*PASS*:*pass*:*secret*:*token*:*API_KEY*:*'
+
+# With only histappend, entries can be lost or merge with each other in the event of a crash or multiple sessions.
+# "-a": Appends new entries from RAM to the file.
+# "-c": Then empties only the RAM buffer. Not used here for performance reasons.
+# "-r": Loads the file back into RAM.
+__ciss_hist_pc__='history -a; history -n'
+if [[ ${PROMPT_COMMAND-} != *"history -a; history -n"* ]]; then
+  PROMPT_COMMAND="${PROMPT_COMMAND:+${PROMPT_COMMAND}; }${__ciss_hist_pc__}"
+fi
+unset __ciss_hist_pc__
+export PROMPT_COMMAND
+
+# Check the window size after each command and, if necessary, update the values of "LINES" and "COLUMNS".
+shopt -s checkwinsize
+
+# Append to the history file, don't overwrite it.
+shopt -s histappend
+
+# If set, the pattern "**" used in a pathname expansion context will match all files and zero or more directories and subdirectories.
+shopt -s globstar
+
+# Multi-line entries (line breaks using \ or via PS2) are stored in the history as a single entry.
+shopt -s cmdhist
+
+# Works in addition to cmdhist: Multi-line commands are stored in the history with real newlines, i.e., in their original format.
+shopt -s lithist
+
+# Check History permissions.
+[[ -f "${HISTFILE}" ]] && chmod 0600 "${HISTFILE}"
+
+### Define colors for bash prompt.
+export CRED='\033[1;91m'
+export CGRE='\033[1;92m'
+export CYEL='\033[1;93m'
+export CBLU='\033[1;94m'
+export CMAG='\033[1;95m'
+export CCYA='\033[1;96m'
+export CWHI='\033[1;97m'
+export CRES='\033[0m'
+export NL='\n'
+
+### Define color prompt incl. 'Exit Code' feedback.
+export PS1="\
+\[\033[1;91m\]\d\[\033[0m\]|\
+\[\033[1;91m\]\u\[\033[0m\]@\
+\[\033[1;95m\]\h\[\033[0m\]:\
+\[\033[1;96m\]\w\[\033[0m\]/>>\
+\$(if [[ \$? -eq 0 ]]; then \
+    echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
+  else \
+    echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
+  fi)\
+\$(if [[ \$(id -u) -eq 0 ]]; then echo -e \" \[\033[1;91m\]#\[\033[0m\] \"; else echo -e \" \[\033[1;92m\]\\\$\[\033[0m\] \"; fi)"
+
+### Overwrite Protection.
+set -o noclobber
+alias cp='cp -iv'
+alias mv='mv -iv'
+alias rm='rm -iv'
+
+printf "\n"
+printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
+printf "%b✅ Welcome back %b" "${CGRE}" "${CRES}"
+printf "%b'%s'%b" "${CMAG}" "${USER}" "${CRES}"
+printf "%b! Type%b" "${CGRE}" "${CRES}"
+printf "%b 'celp'%b" "${CMAG}" "${CRES}"
+printf "%b for shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
+printf "\n"
+printf "\n"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/etc/skel/.physnet.zshrc

@@ -0,0 +1,200 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+[[ -o interactive ]] || return
+
+# shellcheck disable=SC2312
+if [[ "$(id -u)" -eq 0 ]]; then
+  umask 0022
+  # If you come from bash, you might have to change your $PATH.
+  PATH="${HOME}/bin:${HOME}/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+else
+  umask 0077
+  # If you come from bash, you might have to change your $PATH.
+  PATH="${HOME}/bin:${HOME}/.local/bin:/usr/local/bin:/usr/bin:/bin"
+fi
+export PATH
+
+### Path to your Oh My Zsh installation.
+export ZSH="${HOME}/.oh-my-zsh"
+
+# Set the name of the theme to load --- if set to "random", it will load a random theme each time Oh My Zsh is loaded, in which
+# case, to know what specific theme was loaded, run: echo $RANDOM_THEME. See https://github.com/ohmyzsh/ohmyzsh/wiki/Themes
+export ZSH_THEME="robbyrussell"
+
+# Set the list of themes to pick from when loading at random Setting this variable when ZSH_THEME=random will cause zsh to load
+# a theme from this variable instead of looking in $ZSH/themes/. If set to an empty array, this variable will have no effect.
+# ZSH_THEME_RANDOM_CANDIDATES=( "robbyrussell" "agnoster" )
+
+# Uncomment the following line to use case-sensitive completion.
+# CASE_SENSITIVE="true"
+
+# Uncomment the following line to use hyphen-insensitive completion. Case-sensitive completion must be off. _ and - will be
+# interchangeable.
+# HYPHEN_INSENSITIVE="true"
+
+# Uncomment one of the following lines to change the auto-update behavior
+# zstyle ':omz:update' mode disabled  # disable automatic updates
+# zstyle ':omz:update' mode auto      # update automatically without asking
+# zstyle ':omz:update' mode reminder  # just remind me to update when it's time
+
+# Uncomment the following line to change how often to auto-update (in days).
+# zstyle ':omz:update' frequency 13
+
+# Uncomment the following line if pasting URLs and other text is messed up.
+# DISABLE_MAGIC_FUNCTIONS="true"
+
+# Uncomment the following line to disable colors in ls.
+# DISABLE_LS_COLORS="true"
+
+# Uncomment the following line to disable auto-setting terminal title.
+# DISABLE_AUTO_TITLE="true"
+
+# Uncomment the following line to enable command autocorrection.
+# ENABLE_CORRECTION="true"
+
+# Uncomment the following line to display red dots whilst waiting for completion. You can also set it to another string to have
+# that is shown instead of the default red dots.
+# e.g., COMPLETION_WAITING_DOTS="%F{yellow}waiting...%f"
+# Caution: this setting can cause issues with multiline prompts in zsh < 5.7.1 (see #5765)
+# COMPLETION_WAITING_DOTS="true"
+
+# Uncomment the following line if you want to disable marking untracked files under VCS as dirty. This makes repository status
+# check for large repositories much, much faster.
+# DISABLE_UNTRACKED_FILES_DIRTY="true"
+
+# Uncomment the following line if you want to change the command execution time stamp shown in the history command output.
+# You can set one of the optional three formats:
+# "mm/dd/yyyy"|"dd.mm.yyyy"|"yyyy-mm-dd"
+# or set a custom format using the strftime function format specifications, see 'man strftime' for details.
+export HIST_STAMPS="yyyy-mm-dd"
+
+# Would you like to use another custom folder than $ZSH/custom?
+# ZSH_CUSTOM=/path/to/new-custom-folder
+
+# Which plugins would you like to load?
+# Standard plugins can be found in $ZSH/plugins/
+# Custom plugins may be added to $ZSH_CUSTOM/plugins/
+# Example format: plugins=(rails git textmate ruby lighthouse)
+# Add wisely, as too many plugins slow down shell startup.
+export plugins=(git zsh-syntax-highlighting zsh-autosuggestions)
+
+source ${ZSH}/oh-my-zsh.sh
+
+# User configuration
+
+# export MANPATH="/usr/local/man:{$MANPATH}"
+
+# You may need to manually set your language environment
+# export LANG=en_US.UTF-8
+
+# Preferred editor for local and remote sessions
+# if [[ -n $SSH_CONNECTION ]]; then
+#   export EDITOR='vim'
+# else
+#   export EDITOR='nvim'
+# fi
+
+# Compilation flags
+# export ARCHFLAGS="-arch $(uname -m)"
+
+# Set personal aliases, overriding those provided by Oh My Zsh libs,
+# plugins, and themes. Aliases can be placed here, though Oh My Zsh
+# users are encouraged to define aliases within a top-level file in
+# the $ZSH_CUSTOM folder, with .zsh extension. Examples:
+# - $ZSH_CUSTOM/aliases.zsh
+# - $ZSH_CUSTOM/macos.zsh
+# For a full list of active aliases, run `alias`.
+#
+# Example aliases
+# alias zshconfig="mate ~/.zshrc"
+# alias ohmyzsh="mate ~/.oh-my-zsh"
+
+### Added by CISS.debian.installer ###
+trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' EXIT
+. "${HOME}/.ciss/alias"
+. "${HOME}/.ciss/f2bchk"
+. "${HOME}/.ciss/shortcuts"
+. "${HOME}/.ciss/scan_libwrap"
+. /usr/share/doc/fzf/examples/key-bindings.zsh
+. /usr/share/doc/fzf/examples/completion.zsh
+
+### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
+set +o errexit +o nounset +o pipefail
+
+### Define colors for bash prompt
+export CRED='\033[1;91m'
+export CGRE='\033[1;92m'
+export CYEL='\033[1;93m'
+export CBLU='\033[1;94m'
+export CMAG='\033[1;95m'
+export CCYA='\033[1;96m'
+export CWHI='\033[1;97m'
+export CRES='\033[0m'
+export NL='\n'
+
+### Overwrite Protection
+set -o noclobber
+alias cp="cp -iv"
+alias mv='mv -iv'
+alias rm='rm -iv'
+
+### Preferred editor for local and remote sessions
+export EDITOR="nano"
+
+### History
+# The name of the file in which command history is saved.
+export HISTFILE="${XDG_STATE_HOME}/zsh/history"
+# The maximum number of lines contained in the history file.
+export HISTSIZE=16384
+# The number of commands to remember in the command history.
+export SAVEHIST=16384
+# Timestamp in the file: epoch:duration;command.
+setopt EXTENDED_HISTORY
+# Append, do not overwrite.
+setopt APPEND_HISTORY
+# Append lines immediately to the file.
+setopt INC_APPEND_HISTORY
+# Reload new lines from other sessions.
+setopt SHARE_HISTORY
+# Leading space do not log.
+setopt HIST_IGNORE_SPACE
+# When writing out the history file, older commands that duplicate newer ones are omitted.
+setopt HIST_SAVE_NO_DUPS
+# Remove superfluous blanks from each command line being added to the history list.
+setopt HIST_REDUCE_BLANKS
+
+# Check History permissions.
+[[ -f "${HISTFILE}" ]] && chmod 0600 "${HISTFILE}"
+
+### Define Users
+if [ "${UID}" -eq 0 ]; then
+  export USER_COLOR="%F{001}"
+else
+  export USER_COLOR="%F{002}"
+fi
+
+### CISS.debian.installer Prompt
+PROMPT='${USER_COLOR}%D%f|${USER_COLOR}%n%f@%F{005}%M%f:%F{006}%d%f/>>%(?.%F{002}%?.%F{001}%?)%f|~%#> '
+RPROMPT='%h|[${USER_COLOR}%*%f]'
+
+### Welcome message after login.
+printf "\n"
+printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
+printf "%b✅ Welcome back %b" "${CGRE}" "${CRES}"
+printf "%b'%b'%b" "${CMAG}" "${USER}" "${CRES}"
+printf "%b! Type%b" "${CGRE}" "${CRES}"
+printf "%b 'celp'%b" "${CMAG}" "${CRES}"
+printf "%b for shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
+printf "\n"
+printf "\n"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/etc/ssh/sshd_config

@@ -10,7 +10,8 @@
 # SPDX-Security-Contact: security@coresecret.eu
 
 ### https://www.ssh-audit.com/
-### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
+### ssh -Q cipher | cipher-auth | compression
+### ssh -Q kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
 
 Include                      /etc/ssh/sshd_config.d/*.conf
 

includes/target/root/.ciss.bashrc

@@ -0,0 +1,127 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+[[ $- != *i* ]] && return
+
+### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
+set +o errexit +o nounset +o pipefail
+
+# shellcheck disable=SC2312
+if [[ "$(id -u)" -eq 0 ]]; then
+  umask 0022
+  PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+else
+  umask 0077
+  PATH="/usr/local/bin:/usr/bin:/bin"
+fi
+export PATH
+
+trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' EXIT
+. "${HOME}/.ciss/alias"
+. "${HOME}/.ciss/f2bchk"
+. "${HOME}/.ciss/scan_libwrap"
+. "${HOME}/.ciss/shortcuts"
+
+### Preferred editor for local and remote sessions.
+export EDITOR="nano"
+
+### History-Settings
+# -'ignoreboth' Do not put duplicate lines or lines starting with space in the history.
+# -'erasedups' Causes all previous lines matching the current line to be removed from the history before that line is saved.
+export HISTCONTROL='ignoreboth:erasedups'
+
+# The name of the file in which command history is saved. The default value is ~/.bash_history. If unset, the command history
+# is not saved when a shell exits.
+export HISTFILE="${XDG_STATE_HOME}/bash/history"
+
+# The maximum number of lines contained in the history file.
+export HISTFILESIZE="16384"
+
+# The number of commands to remember in the command history. If the value is 0, commands are not saved in the history list.
+# Numeric values less than zero result in every command being saved on the history list (there is no limit).
+export HISTSIZE="16384"
+
+# If this variable is set, time stamps are written to the history file, so they may be preserved across shell sessions.
+export HISTTIMEFORMAT='%F %T %z  '
+
+# Optional, cautious filters (avoids trivial leaks, but not foolproof). Caution: HISTIGNORE is coarse-grained, don't overdo it.
+export HISTIGNORE='*PASS*:*pass*:*secret*:*token*:*API_KEY*:*'
+
+# With only histappend, entries can be lost or merge with each other in the event of a crash or multiple sessions.
+# "-a": Appends new entries from RAM to the file.
+# "-c": Then empties only the RAM buffer. Not used here for performance reasons.
+# "-r": Loads the file back into RAM.
+__ciss_hist_pc__='history -a; history -n'
+if [[ ${PROMPT_COMMAND-} != *"history -a; history -n"* ]]; then
+  PROMPT_COMMAND="${PROMPT_COMMAND:+${PROMPT_COMMAND}; }${__ciss_hist_pc__}"
+fi
+unset __ciss_hist_pc__
+export PROMPT_COMMAND
+
+# Check the window size after each command and, if necessary, update the values of "LINES" and "COLUMNS".
+shopt -s checkwinsize
+
+# Append to the history file, don't overwrite it.
+shopt -s histappend
+
+# If set, the pattern "**" used in a pathname expansion context will match all files and zero or more directories and subdirectories.
+shopt -s globstar
+
+# Multi-line entries (line breaks using \ or via PS2) are stored in the history as a single entry.
+shopt -s cmdhist
+
+# Works in addition to cmdhist: Multi-line commands are stored in the history with real newlines, i.e., in their original format.
+shopt -s lithist
+
+# Check History permissions.
+[[ -f "${HISTFILE}" ]] && chmod 0600 "${HISTFILE}"
+
+### Define colors for bash prompt.
+export CRED='\033[1;91m'
+export CGRE='\033[1;92m'
+export CYEL='\033[1;93m'
+export CBLU='\033[1;94m'
+export CMAG='\033[1;95m'
+export CCYA='\033[1;96m'
+export CWHI='\033[1;97m'
+export CRES='\033[0m'
+export NL='\n'
+
+### Define color prompt incl. 'Exit Code' feedback.
+export PS1="\
+\[\033[1;91m\]\d\[\033[0m\]|\
+\[\033[1;91m\]\u\[\033[0m\]@\
+\[\033[1;95m\]\h\[\033[0m\]:\
+\[\033[1;96m\]\w\[\033[0m\]/>>\
+\$(if [[ \$? -eq 0 ]]; then \
+    echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
+  else \
+    echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
+  fi)\
+\$(if [[ \$(id -u) -eq 0 ]]; then echo -e \" \[\033[1;91m\]#\[\033[0m\] \"; else echo -e \" \[\033[1;92m\]\\\$\[\033[0m\] \"; fi)"
+
+### Overwrite Protection.
+set -o noclobber
+alias cp='cp -iv'
+alias mv='mv -iv'
+alias rm='rm -iv'
+
+printf "\n"
+printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
+printf "%b✅ Welcome back %b" "${CGRE}" "${CRES}"
+printf "%b'%s'%b" "${CMAG}" "${USER}" "${CRES}"
+printf "%b! Type%b" "${CGRE}" "${CRES}"
+printf "%b 'celp'%b" "${CMAG}" "${CRES}"
+printf "%b for shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
+printf "\n"
+printf "\n"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/root/.ciss.zshrc

@@ -0,0 +1,200 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+[[ -o interactive ]] || return
+
+# shellcheck disable=SC2312
+if [[ "$(id -u)" -eq 0 ]]; then
+  umask 0022
+  # If you come from bash, you might have to change your $PATH.
+  PATH="${HOME}/bin:${HOME}/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+else
+  umask 0077
+  # If you come from bash, you might have to change your $PATH.
+  PATH="${HOME}/bin:${HOME}/.local/bin:/usr/local/bin:/usr/bin:/bin"
+fi
+export PATH
+
+### Path to your Oh My Zsh installation.
+export ZSH="${HOME}/.oh-my-zsh"
+
+# Set the name of the theme to load --- if set to "random", it will load a random theme each time Oh My Zsh is loaded, in which
+# case, to know what specific theme was loaded, run: echo $RANDOM_THEME. See https://github.com/ohmyzsh/ohmyzsh/wiki/Themes
+export ZSH_THEME="robbyrussell"
+
+# Set the list of themes to pick from when loading at random Setting this variable when ZSH_THEME=random will cause zsh to load
+# a theme from this variable instead of looking in $ZSH/themes/. If set to an empty array, this variable will have no effect.
+# ZSH_THEME_RANDOM_CANDIDATES=( "robbyrussell" "agnoster" )
+
+# Uncomment the following line to use case-sensitive completion.
+# CASE_SENSITIVE="true"
+
+# Uncomment the following line to use hyphen-insensitive completion. Case-sensitive completion must be off. _ and - will be
+# interchangeable.
+# HYPHEN_INSENSITIVE="true"
+
+# Uncomment one of the following lines to change the auto-update behavior
+# zstyle ':omz:update' mode disabled  # disable automatic updates
+# zstyle ':omz:update' mode auto      # update automatically without asking
+# zstyle ':omz:update' mode reminder  # just remind me to update when it's time
+
+# Uncomment the following line to change how often to auto-update (in days).
+# zstyle ':omz:update' frequency 13
+
+# Uncomment the following line if pasting URLs and other text is messed up.
+# DISABLE_MAGIC_FUNCTIONS="true"
+
+# Uncomment the following line to disable colors in ls.
+# DISABLE_LS_COLORS="true"
+
+# Uncomment the following line to disable auto-setting terminal title.
+# DISABLE_AUTO_TITLE="true"
+
+# Uncomment the following line to enable command autocorrection.
+# ENABLE_CORRECTION="true"
+
+# Uncomment the following line to display red dots whilst waiting for completion. You can also set it to another string to have
+# that is shown instead of the default red dots.
+# e.g., COMPLETION_WAITING_DOTS="%F{yellow}waiting...%f"
+# Caution: this setting can cause issues with multiline prompts in zsh < 5.7.1 (see #5765)
+# COMPLETION_WAITING_DOTS="true"
+
+# Uncomment the following line if you want to disable marking untracked files under VCS as dirty. This makes repository status
+# check for large repositories much, much faster.
+# DISABLE_UNTRACKED_FILES_DIRTY="true"
+
+# Uncomment the following line if you want to change the command execution time stamp shown in the history command output.
+# You can set one of the optional three formats:
+# "mm/dd/yyyy"|"dd.mm.yyyy"|"yyyy-mm-dd"
+# or set a custom format using the strftime function format specifications, see 'man strftime' for details.
+export HIST_STAMPS="yyyy-mm-dd"
+
+# Would you like to use another custom folder than $ZSH/custom?
+# ZSH_CUSTOM=/path/to/new-custom-folder
+
+# Which plugins would you like to load?
+# Standard plugins can be found in $ZSH/plugins/
+# Custom plugins may be added to $ZSH_CUSTOM/plugins/
+# Example format: plugins=(rails git textmate ruby lighthouse)
+# Add wisely, as too many plugins slow down shell startup.
+export plugins=(git zsh-syntax-highlighting zsh-autosuggestions)
+
+source ${ZSH}/oh-my-zsh.sh
+
+# User configuration
+
+# export MANPATH="/usr/local/man:{$MANPATH}"
+
+# You may need to manually set your language environment
+# export LANG=en_US.UTF-8
+
+# Preferred editor for local and remote sessions
+# if [[ -n $SSH_CONNECTION ]]; then
+#   export EDITOR='vim'
+# else
+#   export EDITOR='nvim'
+# fi
+
+# Compilation flags
+# export ARCHFLAGS="-arch $(uname -m)"
+
+# Set personal aliases, overriding those provided by Oh My Zsh libs,
+# plugins, and themes. Aliases can be placed here, though Oh My Zsh
+# users are encouraged to define aliases within a top-level file in
+# the $ZSH_CUSTOM folder, with .zsh extension. Examples:
+# - $ZSH_CUSTOM/aliases.zsh
+# - $ZSH_CUSTOM/macos.zsh
+# For a full list of active aliases, run `alias`.
+#
+# Example aliases
+# alias zshconfig="mate ~/.zshrc"
+# alias ohmyzsh="mate ~/.oh-my-zsh"
+
+### Added by CISS.debian.installer ###
+trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' EXIT
+. "${HOME}/.ciss/alias"
+. "${HOME}/.ciss/f2bchk"
+. "${HOME}/.ciss/shortcuts"
+. "${HOME}/.ciss/scan_libwrap"
+. /usr/share/doc/fzf/examples/key-bindings.zsh
+. /usr/share/doc/fzf/examples/completion.zsh
+
+### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
+set +o errexit +o nounset +o pipefail
+
+### Define colors for bash prompt
+export CRED='\033[1;91m'
+export CGRE='\033[1;92m'
+export CYEL='\033[1;93m'
+export CBLU='\033[1;94m'
+export CMAG='\033[1;95m'
+export CCYA='\033[1;96m'
+export CWHI='\033[1;97m'
+export CRES='\033[0m'
+export NL='\n'
+
+### Overwrite Protection
+set -o noclobber
+alias cp="cp -iv"
+alias mv='mv -iv'
+alias rm='rm -iv'
+
+### Preferred editor for local and remote sessions
+export EDITOR="nano"
+
+### History
+# The name of the file in which command history is saved.
+export HISTFILE="${XDG_STATE_HOME}/zsh/history"
+# The maximum number of lines contained in the history file.
+export HISTSIZE=16384
+# The number of commands to remember in the command history.
+export SAVEHIST=16384
+# Timestamp in the file: epoch:duration;command.
+setopt EXTENDED_HISTORY
+# Append, do not overwrite.
+setopt APPEND_HISTORY
+# Append lines immediately to the file.
+setopt INC_APPEND_HISTORY
+# Reload new lines from other sessions.
+setopt SHARE_HISTORY
+# Leading space do not log.
+setopt HIST_IGNORE_SPACE
+# When writing out the history file, older commands that duplicate newer ones are omitted.
+setopt HIST_SAVE_NO_DUPS
+# Remove superfluous blanks from each command line being added to the history list.
+setopt HIST_REDUCE_BLANKS
+
+# Check History permissions.
+[[ -f "${HISTFILE}" ]] && chmod 0600 "${HISTFILE}"
+
+### Define Users
+if [ "${UID}" -eq 0 ]; then
+  export USER_COLOR="%F{001}"
+else
+  export USER_COLOR="%F{002}"
+fi
+
+### CISS.debian.installer Prompt
+PROMPT='${USER_COLOR}%D%f|${USER_COLOR}%n%f@%F{005}%M%f:%F{006}%d%f/>>%(?.%F{002}%?.%F{001}%?)%f|~%#> '
+RPROMPT='%h|[${USER_COLOR}%*%f]'
+
+### Welcome message after login.
+printf "\n"
+printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
+printf "%b✅ Welcome back %b" "${CGRE}" "${CRES}"
+printf "%b'%b'%b" "${CMAG}" "${USER}" "${CRES}"
+printf "%b! Type%b" "${CGRE}" "${CRES}"
+printf "%b 'celp'%b" "${CMAG}" "${CRES}"
+printf "%b for shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
+printf "\n"
+printf "\n"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/root/.ciss/alias

@@ -10,9 +10,6 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-########################################################################################### Alpha
-alias genkeyfile='haveged -n 1048576 >| /tmp/secure_keyfile_$(date +%s)'
-
 ########################################################################################### Bash
 alias clear="printf '\033c'"
 alias c='clear'
@@ -115,7 +112,7 @@ genpasswd() {
         ;;
       '' | *[!0-9]*) ;;
       *)
-         length="$1"
+        length="$1"
         ;;
     esac
     shift
@@ -177,11 +174,11 @@ scurl() {
   declare url="$1"
   declare output_path="$2"
   if ! curl --doh-url "https://dns01.eddns.eu/dns-query" \
-            --doh-cert-status \
-            --tlsv1.3 \
-            -sSf \
-            -o "${output_path}" \
-            "${url}"
+    --doh-cert-status \
+    --tlsv1.3 \
+    -sSf \
+    -o "${output_path}" \
+    "${url}"
   then
     printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
     return 2
@@ -212,11 +209,11 @@ swget() {
   declare output_path="$2"
   mkdir -p "$(dirname "${output_path}")"
   if ! wget --show-progress \
-            --no-clobber \
-            --https-only \
-            --secure-protocol=TLSv1_3 \
-            -qO "${output_path}" \
-            "${url}"
+    --no-clobber \
+    --https-only \
+    --secure-protocol=TLSv1_3 \
+    -qO "${output_path}" \
+    "${url}"
   then
     printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
     return 2
@@ -225,12 +222,12 @@ swget() {
 }
 
 #######################################
-# Wrapper for loading CISS.2025 hardened Kernel Parameters.
+# Wrapper for loading CISS hardened Kernel Parameters.
 # Arguments:
 #   None
 #######################################
 sysp() {
-  sysctl -p /etc/sysctl.d/99_local.hardened
+  sysctl -p /etc/sysctl.d/9999_ciss_debian_installer.hardened
   # sleep 1
   # shellcheck disable=SC2312
   sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log

includes/target/root/.ciss/check_chrony.sh

@@ -0,0 +1,142 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+set -Ceuo pipefail
+
+#######################################
+# Minimal leap-second probe for Debian/chrony systems.
+# - Prints kernel leap flags & TAI offset (delta AT).
+# - Reads tzdata's leap-seconds list (authoritative TAI-UTC).
+# - Shows chrony tracking summary (incl. leap status).
+# - Demonstrates 23:59:60 rendering via TZ=right/UTC.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+main() {
+  ### 1) System TZ and tzdata source.
+  printf "System TZ link: [%s]\n\n" "$(readlink -f /etc/localtime || true)"
+
+  if [[ -f /usr/share/zoneinfo/leap-seconds.list ]]; then
+
+    declare tz_leap_line tz_tai tz_ntp ts_human
+
+    tz_leap_line="$(awk '($1 !~ /^#/) {L=$0} END{print L}' /usr/share/zoneinfo/leap-seconds.list)"
+    tz_ntp="$(awk '{print $1}' <<<"${tz_leap_line}")"
+    tz_tai="$(awk '{print $2}' <<<"${tz_leap_line}")"
+    ts_human="$(awk -F'#' '{gsub(/^[[:space:]]+/, "", $2); print $2}' <<<"${tz_leap_line}")"
+
+    printf "tzdata delta AT (TAI-UTC): %s s [last change at: %s; NTP ts: %s]\n\n" "${tz_tai:-?}" "${ts_human:-?}" "${tz_ntp:-?}"
+
+  else
+
+    printf "tzdata leap-seconds.list not found.\n"
+
+  fi
+
+  ### 2) Kernel view (requires adjtimex).
+  if command -v adjtimex >/dev/null 2>&1; then
+
+    printf "Kernel time status (adjtimex -p):\n"
+    adjtimex -p | sed 's/^/  /'
+    declare k_tai
+    k_tai="$(adjtimex -p | awk '/^tai:/ {print $2}')"
+
+    if [[ -n "${k_tai:-}" ]]; then
+
+      printf "Kernel-exported delta AT [tai]: %s s\n" "${k_tai}"
+
+    fi
+
+  else
+
+    printf "Package: 'adjtimex' not found. Install 'adjtimex' for kernel leap/TAI details.\n\n"
+
+  fi
+
+  ### 3) Chrony summary.
+  if command -v chronyc >/dev/null 2>&1; then
+
+    printf "\n"
+    printf "chronyc tracking:\n"
+    chronyc -n tracking | sed 's/^/  /'
+
+  else
+
+    printf "Package: 'chronyc' not found. Skipping chrony status.\n\n"
+
+  fi
+
+  ### 4) right/UTC demonstration of 23:59:60 (uses 2016-12-31 leap).
+  if [[ -f /usr/share/zoneinfo/right/UTC ]]; then
+
+    printf "\n"
+    printf "right/UTC leap rendering check (expect 23:59:60):\n\n"
+    TZ=right/UTC date -ud '2017-01-01 00:00:00 -1 second' || true
+
+  else
+
+    printf "\n"
+    printf "File: 'tzdata right/UTC' zone not installed; skipping 23:59:60 demo.\n\n"
+
+  fi
+
+  printf "\n"
+  printf "Hint:\n"
+
+  printf "  - delta AT (TAI-UTC) should match tzdata and kernel (chrony sets kernel TAI if leapsectz/leapseclist is used).\n"
+  printf "  - For monotonic intervals, apps must use CLOCK_MONOTONIC, not CLOCK_REALTIME.\n"
+
+  return 0
+}
+
+### Build right/UTC from tzdata leap table if missing.
+if [[ ! -e /usr/share/zoneinfo/right/UTC ]]; then
+
+  install -d -m 0755 /usr/share/zoneinfo/right
+
+  ### Minimal zic source for a fixed UTC zone.
+  declare -r tmp_src="/tmp/UTC.src"
+  printf 'Zone UTC  0  -  UTC\n' > "${tmp_src}"
+
+  ### Prefer the zic-format leapseconds file.
+  declare leap_zic="/usr/share/zoneinfo/leapseconds"
+
+  if [[ -s "${leap_zic}" ]]; then
+
+    zic -d /usr/share/zoneinfo/right -L "${leap_zic}" "${tmp_src}"
+
+  else
+
+    echo "WARNING: ${leap_zic} not found; building right/UTC without leap info." >&2
+    zic -d /usr/share/zoneinfo/right -L /dev/null "${tmp_src}"
+
+  fi
+
+  rm -f "${tmp_src}"
+
+fi
+
+if [[ -e /usr/share/zoneinfo/right/UTC ]]; then
+
+  ### Expect to see 'Sat Dec 31 23:59:60 UTC 2016' rendered in right/UTC
+  TZ=right/UTC date -ud '2017-01-01 00:00:00 -1 second' || true
+
+fi
+
+main "$@"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/root/.ciss/theme_eza_ciss.yml

@@ -0,0 +1,125 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+%YAML 1.2
+---
+
+colourful: true
+
+filekinds:
+  normal: {foreground: Default}
+  directory: {foreground: Purple, is_bold: true}
+  symlink: {foreground: Cyan}
+  pipe: {foreground: Yellow}
+  block_device: {foreground: Yellow, is_bold: true}
+  char_device: {foreground: Yellow, is_bold: true}
+  socket: {foreground: Red, is_bold: true}
+  special: {foreground: Yellow}
+  executable: {foreground: Green, is_bold: true}
+  mount_point: {foreground: Purple, is_bold: true, is_underlined: true}
+
+perms:
+  user_read: {foreground: Yellow, is_bold: true}
+  user_write: {foreground: Red, is_bold: true}
+  user_execute_file: {foreground: Green, is_bold: true, is_underlined: true}
+  user_execute_other: {foreground: Green, is_bold: true}
+  group_read: {foreground: Yellow}
+  group_write: {foreground: Red}
+  group_execute: {foreground: Green}
+  other_read: {foreground: Yellow}
+  other_write: {foreground: Red}
+  other_execute: {foreground: Green}
+  special_user_file: {foreground: Purple}
+  special_other: {foreground: Purple}
+  attribute: {foreground: Default}
+
+size:
+  major: {foreground: Green, is_bold: true}
+  minor: {foreground: Green}
+  number_byte: {foreground: Green, is_bold: true}
+  number_kilo: {foreground: Green, is_bold: true}
+  number_mega: {foreground: Green, is_bold: true}
+  number_giga: {foreground: Green, is_bold: true}
+  number_huge: {foreground: Green, is_bold: true}
+  unit_byte: {foreground: Green}
+  unit_kilo: {foreground: Green}
+  unit_mega: {foreground: Green}
+  unit_giga: {foreground: Green}
+  unit_huge: {foreground: Green}
+
+users:
+  user_you: {foreground: Yellow, is_bold: true}
+  user_root: {foreground: Default}
+  user_other: {foreground: Default}
+  group_yours: {foreground: Yellow, is_bold: true}
+  group_other: {foreground: Default}
+  group_root: {foreground: Default}
+
+links:
+  normal: {foreground: Red, is_bold: true}
+  multi_link_file: {foreground: Red, background: Yellow}
+
+git:
+  new: {foreground: Green}
+  modified: {foreground: Blue}
+  deleted: {foreground: Red}
+  renamed: {foreground: Yellow}
+  typechange: {foreground: Purple}
+  ignored: {foreground: Default, is_dimmed: true}
+  conflicted: {foreground: Red}
+
+git_repo:
+  branch_main: {foreground: Green}
+  branch_other: {foreground: Yellow}
+  git_clean: {foreground: Green}
+  git_dirty: {foreground: Yellow}
+
+security_context:
+  colon: {foreground: Default, is_dimmed: true}
+  user: {foreground: Blue}
+  role: {foreground: Green}
+  typ: {foreground: Yellow}
+  range: {foreground: Cyan}
+
+file_type:
+  image: {foreground: Purple}
+  video: {foreground: Purple, is_bold: true}
+  music: {foreground: Cyan}
+  lossless: {foreground: Cyan, is_bold: true}
+  crypto: {foreground: Green, is_bold: true}
+  document: {foreground: Green}
+  compressed: {foreground: Red}
+  temp: {foreground: White}
+  compiled: {foreground: Yellow}
+  build: {foreground: Yellow, is_bold: true, is_underlined: true}
+  source: {foreground: Yellow, is_bold: true}
+
+punctuation: {foreground: DarkGray, is_bold: true}
+date: {foreground: Cyan}
+inode: {foreground: Purple}
+blocks: {foreground: Cyan}
+header: {foreground: White, is_bold: true, is_underlined: true}
+octal: {foreground: Purple}
+flags: {foreground: Default}
+
+symlink_path: {foreground: Cyan}
+control_char: {foreground: Red}
+broken_symlink: {foreground: Red}
+broken_path_overlay: {foreground: Default, is_underlined: true}
+
+filenames:
+# Custom filename-based overrides
+# Cargo.toml: {icon: {glyph: 🦀}}
+
+extensions:
+# Custom extension-based overrides
+# rs: {filename: {foreground: Red}, icon: {glyph: 🦀}}
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

includes/target/root/.physnet.bashrc

@@ -0,0 +1,127 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+[[ $- != *i* ]] && return
+
+### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
+set +o errexit +o nounset +o pipefail
+
+# shellcheck disable=SC2312
+if [[ "$(id -u)" -eq 0 ]]; then
+  umask 0022
+  PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+else
+  umask 0077
+  PATH="/usr/local/bin:/usr/bin:/bin"
+fi
+export PATH
+
+trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' EXIT
+. "${HOME}/.ciss/alias"
+. "${HOME}/.ciss/f2bchk"
+. "${HOME}/.ciss/scan_libwrap"
+. "${HOME}/.ciss/shortcuts"
+
+### Preferred editor for local and remote sessions.
+export EDITOR="nano"
+
+### History-Settings
+# -'ignoreboth' Do not put duplicate lines or lines starting with space in the history.
+# -'erasedups' Causes all previous lines matching the current line to be removed from the history before that line is saved.
+export HISTCONTROL='ignoreboth:erasedups'
+
+# The name of the file in which command history is saved. The default value is ~/.bash_history. If unset, the command history
+# is not saved when a shell exits.
+export HISTFILE="${XDG_STATE_HOME}/bash/history"
+
+# The maximum number of lines contained in the history file.
+export HISTFILESIZE="16384"
+
+# The number of commands to remember in the command history. If the value is 0, commands are not saved in the history list.
+# Numeric values less than zero result in every command being saved on the history list (there is no limit).
+export HISTSIZE="16384"
+
+# If this variable is set, time stamps are written to the history file, so they may be preserved across shell sessions.
+export HISTTIMEFORMAT='%F %T %z  '
+
+# Optional, cautious filters (avoids trivial leaks, but not foolproof). Caution: HISTIGNORE is coarse-grained, don't overdo it.
+export HISTIGNORE='*PASS*:*pass*:*secret*:*token*:*API_KEY*:*'
+
+# With only histappend, entries can be lost or merge with each other in the event of a crash or multiple sessions.
+# "-a": Appends new entries from RAM to the file.
+# "-c": Then empties only the RAM buffer. Not used here for performance reasons.
+# "-r": Loads the file back into RAM.
+__ciss_hist_pc__='history -a; history -n'
+if [[ ${PROMPT_COMMAND-} != *"history -a; history -n"* ]]; then
+  PROMPT_COMMAND="${PROMPT_COMMAND:+${PROMPT_COMMAND}; }${__ciss_hist_pc__}"
+fi
+unset __ciss_hist_pc__
+export PROMPT_COMMAND
+
+# Check the window size after each command and, if necessary, update the values of "LINES" and "COLUMNS".
+shopt -s checkwinsize
+
+# Append to the history file, don't overwrite it.
+shopt -s histappend
+
+# If set, the pattern "**" used in a pathname expansion context will match all files and zero or more directories and subdirectories.
+shopt -s globstar
+
+# Multi-line entries (line breaks using \ or via PS2) are stored in the history as a single entry.
+shopt -s cmdhist
+
+# Works in addition to cmdhist: Multi-line commands are stored in the history with real newlines, i.e., in their original format.
+shopt -s lithist
+
+# Check History permissions.
+[[ -f "${HISTFILE}" ]] && chmod 0600 "${HISTFILE}"
+
+### Define colors for bash prompt.
+export CRED='\033[1;91m'
+export CGRE='\033[1;92m'
+export CYEL='\033[1;93m'
+export CBLU='\033[1;94m'
+export CMAG='\033[1;95m'
+export CCYA='\033[1;96m'
+export CWHI='\033[1;97m'
+export CRES='\033[0m'
+export NL='\n'
+
+### Define color prompt incl. 'Exit Code' feedback.
+export PS1="\
+\[\033[1;91m\]\d\[\033[0m\]|\
+\[\033[1;91m\]\u\[\033[0m\]@\
+\[\033[1;95m\]\h\[\033[0m\]:\
+\[\033[1;96m\]\w\[\033[0m\]/>>\
+\$(if [[ \$? -eq 0 ]]; then \
+    echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
+  else \
+    echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
+  fi)\
+\$(if [[ \$(id -u) -eq 0 ]]; then echo -e \" \[\033[1;91m\]#\[\033[0m\] \"; else echo -e \" \[\033[1;92m\]\\\$\[\033[0m\] \"; fi)"
+
+### Overwrite Protection.
+set -o noclobber
+alias cp='cp -iv'
+alias mv='mv -iv'
+alias rm='rm -iv'
+
+printf "\n"
+printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
+printf "%b✅ Welcome back %b" "${CGRE}" "${CRES}"
+printf "%b'%s'%b" "${CMAG}" "${USER}" "${CRES}"
+printf "%b! Type%b" "${CGRE}" "${CRES}"
+printf "%b 'celp'%b" "${CMAG}" "${CRES}"
+printf "%b for shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
+printf "\n"
+printf "\n"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/root/.physnet.zshrc

@@ -0,0 +1,200 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+[[ -o interactive ]] || return
+
+# shellcheck disable=SC2312
+if [[ "$(id -u)" -eq 0 ]]; then
+  umask 0022
+  # If you come from bash, you might have to change your $PATH.
+  PATH="${HOME}/bin:${HOME}/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+else
+  umask 0077
+  # If you come from bash, you might have to change your $PATH.
+  PATH="${HOME}/bin:${HOME}/.local/bin:/usr/local/bin:/usr/bin:/bin"
+fi
+export PATH
+
+### Path to your Oh My Zsh installation.
+export ZSH="${HOME}/.oh-my-zsh"
+
+# Set the name of the theme to load --- if set to "random", it will load a random theme each time Oh My Zsh is loaded, in which
+# case, to know what specific theme was loaded, run: echo $RANDOM_THEME. See https://github.com/ohmyzsh/ohmyzsh/wiki/Themes
+export ZSH_THEME="robbyrussell"
+
+# Set the list of themes to pick from when loading at random Setting this variable when ZSH_THEME=random will cause zsh to load
+# a theme from this variable instead of looking in $ZSH/themes/. If set to an empty array, this variable will have no effect.
+# ZSH_THEME_RANDOM_CANDIDATES=( "robbyrussell" "agnoster" )
+
+# Uncomment the following line to use case-sensitive completion.
+# CASE_SENSITIVE="true"
+
+# Uncomment the following line to use hyphen-insensitive completion. Case-sensitive completion must be off. _ and - will be
+# interchangeable.
+# HYPHEN_INSENSITIVE="true"
+
+# Uncomment one of the following lines to change the auto-update behavior
+# zstyle ':omz:update' mode disabled  # disable automatic updates
+# zstyle ':omz:update' mode auto      # update automatically without asking
+# zstyle ':omz:update' mode reminder  # just remind me to update when it's time
+
+# Uncomment the following line to change how often to auto-update (in days).
+# zstyle ':omz:update' frequency 13
+
+# Uncomment the following line if pasting URLs and other text is messed up.
+# DISABLE_MAGIC_FUNCTIONS="true"
+
+# Uncomment the following line to disable colors in ls.
+# DISABLE_LS_COLORS="true"
+
+# Uncomment the following line to disable auto-setting terminal title.
+# DISABLE_AUTO_TITLE="true"
+
+# Uncomment the following line to enable command autocorrection.
+# ENABLE_CORRECTION="true"
+
+# Uncomment the following line to display red dots whilst waiting for completion. You can also set it to another string to have
+# that is shown instead of the default red dots.
+# e.g., COMPLETION_WAITING_DOTS="%F{yellow}waiting...%f"
+# Caution: this setting can cause issues with multiline prompts in zsh < 5.7.1 (see #5765)
+# COMPLETION_WAITING_DOTS="true"
+
+# Uncomment the following line if you want to disable marking untracked files under VCS as dirty. This makes repository status
+# check for large repositories much, much faster.
+# DISABLE_UNTRACKED_FILES_DIRTY="true"
+
+# Uncomment the following line if you want to change the command execution time stamp shown in the history command output.
+# You can set one of the optional three formats:
+# "mm/dd/yyyy"|"dd.mm.yyyy"|"yyyy-mm-dd"
+# or set a custom format using the strftime function format specifications, see 'man strftime' for details.
+export HIST_STAMPS="yyyy-mm-dd"
+
+# Would you like to use another custom folder than $ZSH/custom?
+# ZSH_CUSTOM=/path/to/new-custom-folder
+
+# Which plugins would you like to load?
+# Standard plugins can be found in $ZSH/plugins/
+# Custom plugins may be added to $ZSH_CUSTOM/plugins/
+# Example format: plugins=(rails git textmate ruby lighthouse)
+# Add wisely, as too many plugins slow down shell startup.
+export plugins=(git zsh-syntax-highlighting zsh-autosuggestions)
+
+source ${ZSH}/oh-my-zsh.sh
+
+# User configuration
+
+# export MANPATH="/usr/local/man:{$MANPATH}"
+
+# You may need to manually set your language environment
+# export LANG=en_US.UTF-8
+
+# Preferred editor for local and remote sessions
+# if [[ -n $SSH_CONNECTION ]]; then
+#   export EDITOR='vim'
+# else
+#   export EDITOR='nvim'
+# fi
+
+# Compilation flags
+# export ARCHFLAGS="-arch $(uname -m)"
+
+# Set personal aliases, overriding those provided by Oh My Zsh libs,
+# plugins, and themes. Aliases can be placed here, though Oh My Zsh
+# users are encouraged to define aliases within a top-level file in
+# the $ZSH_CUSTOM folder, with .zsh extension. Examples:
+# - $ZSH_CUSTOM/aliases.zsh
+# - $ZSH_CUSTOM/macos.zsh
+# For a full list of active aliases, run `alias`.
+#
+# Example aliases
+# alias zshconfig="mate ~/.zshrc"
+# alias ohmyzsh="mate ~/.oh-my-zsh"
+
+### Added by CISS.debian.installer ###
+trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' EXIT
+. "${HOME}/.ciss/alias"
+. "${HOME}/.ciss/f2bchk"
+. "${HOME}/.ciss/shortcuts"
+. "${HOME}/.ciss/scan_libwrap"
+. /usr/share/doc/fzf/examples/key-bindings.zsh
+. /usr/share/doc/fzf/examples/completion.zsh
+
+### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
+set +o errexit +o nounset +o pipefail
+
+### Define colors for bash prompt
+export CRED='\033[1;91m'
+export CGRE='\033[1;92m'
+export CYEL='\033[1;93m'
+export CBLU='\033[1;94m'
+export CMAG='\033[1;95m'
+export CCYA='\033[1;96m'
+export CWHI='\033[1;97m'
+export CRES='\033[0m'
+export NL='\n'
+
+### Overwrite Protection
+set -o noclobber
+alias cp="cp -iv"
+alias mv='mv -iv'
+alias rm='rm -iv'
+
+### Preferred editor for local and remote sessions
+export EDITOR="nano"
+
+### History
+# The name of the file in which command history is saved.
+export HISTFILE="${XDG_STATE_HOME}/zsh/history"
+# The maximum number of lines contained in the history file.
+export HISTSIZE=16384
+# The number of commands to remember in the command history.
+export SAVEHIST=16384
+# Timestamp in the file: epoch:duration;command.
+setopt EXTENDED_HISTORY
+# Append, do not overwrite.
+setopt APPEND_HISTORY
+# Append lines immediately to the file.
+setopt INC_APPEND_HISTORY
+# Reload new lines from other sessions.
+setopt SHARE_HISTORY
+# Leading space do not log.
+setopt HIST_IGNORE_SPACE
+# When writing out the history file, older commands that duplicate newer ones are omitted.
+setopt HIST_SAVE_NO_DUPS
+# Remove superfluous blanks from each command line being added to the history list.
+setopt HIST_REDUCE_BLANKS
+
+# Check History permissions.
+[[ -f "${HISTFILE}" ]] && chmod 0600 "${HISTFILE}"
+
+### Define Users
+if [ "${UID}" -eq 0 ]; then
+  export USER_COLOR="%F{001}"
+else
+  export USER_COLOR="%F{002}"
+fi
+
+### CISS.debian.installer Prompt
+PROMPT='${USER_COLOR}%D%f|${USER_COLOR}%n%f@%F{005}%M%f:%F{006}%d%f/>>%(?.%F{002}%?.%F{001}%?)%f|~%#> '
+RPROMPT='%h|[${USER_COLOR}%*%f]'
+
+### Welcome message after login.
+printf "\n"
+printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
+printf "%b✅ Welcome back %b" "${CGRE}" "${CRES}"
+printf "%b'%b'%b" "${CMAG}" "${USER}" "${CRES}"
+printf "%b! Type%b" "${CGRE}" "${CRES}"
+printf "%b 'celp'%b" "${CMAG}" "${CRES}"
+printf "%b for shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
+printf "\n"
+printf "\n"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/root/ciss_xdg_tmp.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+### XDG variables (do not override if already set).
+
+set -a
+
+# shellcheck disable=SC2034
+XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
+# shellcheck disable=SC2034
+XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
+# shellcheck disable=SC2034
+XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
+# shellcheck disable=SC2034
+XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
+# shellcheck disable=SC2034
+XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
+# shellcheck disable=SC2034
+XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
+
+### Optional migrations (controlled via /etc/default/ciss-xdg-profile).
+[[ -f /etc/default/ciss-xdg-profile ]] && . /etc/default/ciss-xdg-profile
+
+### Bash history -> XDG_STATE_HOME (only if running bash).
+if [[ "${ENABLE_XDG_BASH_HISTORY:-1}" = "1" ]] && [[ -n "${BASH_VERSION:-}" ]]; then
+  HISTFILE="${XDG_STATE_HOME}/bash/history"
+fi
+
+set +a
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh