V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.preseed/preseed.yaml

@@ -621,8 +621,8 @@ software:
   # gawk
   # gdisk
   # gnupg
-  # haveged
   # initramfs-tools
+  # jitterentropy-rngd
   # jq
   # kbd
   # keyutils
@@ -803,13 +803,13 @@ software:
 # USA         : time-a-g.nist.gov time-c-b.nist.gov utcnist3.colorado.edu
 ntp:
   server:
-    #- "ntp.ripe.net"
+    #- "ntp.ripe.net"          # Time out as of 2025-10-16
     - "ptbtime3.ptb.de"
     - "ptbtime2.ptb.de"
     - "ptbtime1.ptb.de"
-    #- "ntp13.metas.ch"
-    #- "time-c-b.nist.gov"
-    #- "sth1.ntp.se"
+    #- "ntp13.metas.ch"        # Time out as of 2025-10-16
+    #- "time-c-b.nist.gov"     # Time out as of 2025-10-16
+    #- "sth1.ntp.se"           # Time out as of 2025-10-16
     - "ntp0.fau.de"
   timezone: "Europe/Lisbon"    # Any valid setting for $TZ; see the contents of '/usr/share/zoneinfo' for valid values.
   utc: true                    # Controls whether the hardware clock is set to UTC.

ciss_debian_installer.sh

@@ -243,6 +243,9 @@ check_debootstrap
 info_echo "4010_prepare_mounts.sh [${TARGET}]"
 prepare_mounts
 
+info_echo "4011_prepare_xdg_root.sh [${TARGET}]"
+prepare_xdg_root
+
 info_echo "4015_check_usr_merge.sh [${TARGET}]"
 check_usr_merge
 
@@ -379,8 +382,8 @@ hardening_fail2ban
 info_echo "4430_hardening_files.sh [${TARGET}]"
 hardening_files
 
-info_echo "4440_hardening_haveged.sh [${TARGET}]"
-hardening_haveged
+info_echo "4442_hardening_jitterentropy.sh [${TARGET}]"
+hardening_jitterentropy
 
 info_echo "4450_hardening_memory.sh [${TARGET}]"
 hardening_memory
@@ -411,6 +414,9 @@ accounts_hardening
 info_echo "4520_accounts_setup.sh [${TARGET}]"
 accounts_setup
 
+info_echo "4530_accounts_timings.sh [${TARGET}]"
+update_shadow
+
 
 ### CDI_4600
 info_echo "4600_installation_packages.sh [${TARGET}]"

func/cdi_4000_debootstrap/4010_prepare_mounts.sh

@@ -64,7 +64,6 @@ prepare_mounts() {
 
   done
 
-
   for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
 
     IFS=" " read -r var_fs var_src var_opts <<< "${HMP_SPECIAL_MOUNTS[${var_path}]}"
@@ -87,7 +86,6 @@ prepare_mounts() {
 
   done
 
-
   if [[ "${VAR_NEED_RUN_IN_TARGET:-false}" == "true" ]]; then
 
     mkdir -p "${var_target}/run"
@@ -103,7 +101,6 @@ prepare_mounts() {
 
   fi
 
-
   if ! chroot_exec "${var_target}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
 
     do_log "emergency" "file_only" "4010() Command: [chroot_exec ${var_target} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
@@ -115,8 +112,6 @@ prepare_mounts() {
 
   mkdir -p "${var_target}/media/cdrom0"
 
-  # shellcheck disable=SC2034
-
   if   [[ "${VAR_RUN_RECOVERY}" == "false" ]]; then
 
     declare -gx VAR_CHROOT_ACTIVATED="system"

func/cdi_4000_debootstrap/4011_prepare_xdg_root.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Prepare '/root' for XDG framework.
+# Globals:
+#   RECOVERY
+#   TARGET
+#   VAR_RUN_RECOVERY
+#   VAR_SETUP_PATH
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+prepare_xdg_root() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
+
+  install -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/profile.d/ciss-xdg.sh" "${var_target}/etc/profile.d/"
+  install -m 0444 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/default/ciss-xdg-profile" "${var_target}/etc/default/"
+  install -m 0400 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/root/ciss_xdg_tmp.sh" "${var_target}/etc/root/"
+
+  # shellcheck disable=SC2016
+  chroot_script "${var_target}" '
+    install -d -m 0755 /etc/xdg
+
+    ### Create canonical directories.
+    _xdg_umask="$(umask)"
+    umask 0077
+    [[ -d "${XDG_CONFIG_HOME}"     ]] || install -d -m 0700 -- "${XDG_CONFIG_HOME}"
+    [[ -d "${XDG_DATA_HOME}"       ]] || install -d -m 0700 -- "${XDG_DATA_HOME}"
+    [[ -d "${XDG_CACHE_HOME}"      ]] || install -d -m 0700 -- "${XDG_CACHE_HOME}"
+    [[ -d "${XDG_STATE_HOME}"      ]] || install -d -m 0700 -- "${XDG_STATE_HOME}"
+    [[ -d "${XDG_STATE_HOME}/bash" ]] || install -d -m 0700 -- "${XDG_STATE_HOME}/bash"
+    [[ -d "${XDG_STATE_HOME}/less" ]] || install -d -m 0700 -- "${XDG_STATE_HOME}/less"
+    umask "$_xdg_umask"
+    unset _xdg_umask
+    '
+
+  guard_dir && return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f prepare_xdg_root
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4100_base/4110_update_sources.sh

@@ -40,6 +40,7 @@ update_sources() {
   ### Update generated sources.
   # shellcheck disable=SC2312
   chroot_script "${var_target}" "
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
     apt-get update 2>&1 | tee -a ${var_logfile}
   "
   do_log "info" "file_only" "4110() Sources lists: updated successfully."
@@ -50,6 +51,7 @@ update_sources() {
 
     chroot_script "${var_target}" "
       export INITRD=No
+      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
       apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
     "
     do_log "info" "file_only" "4110() The update policy was set at installation time to: '${apt_updates_policy}'."
@@ -58,6 +60,7 @@ update_sources() {
 
     chroot_script "${var_target}" "
       export INITRD=No
+      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
       apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
     "
 

func/cdi_4100_base/4120_installation_kernel.sh

@@ -36,6 +36,7 @@ installation_kernel() {
 
     chroot_script "${TARGET}" "
       export INITRD=No
+      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
       apt-get install -y --no-install-recommends --no-install-suggests ${VAR_KERNEL} initramfs-tools 2>&1 | tee -a ${var_logfile}
     "
 
@@ -47,6 +48,7 @@ installation_kernel() {
 
     chroot_script "${TARGET}" "
       export INITRD=No
+      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
       apt-get install -y --no-install-recommends --no-install-suggests ${image} initramfs-tools 2>&1 | tee -a ${var_logfile}
     "
 
@@ -55,7 +57,6 @@ installation_kernel() {
     guard_dir && return 0
 
   fi
-
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034

func/cdi_4100_base/4130_installation_toolset.sh

@@ -49,8 +49,8 @@ installation_toolset() {
     [awk]="gawk"
     [gdisk]="gdisk"
     [gnupg]="gnupg"
-    [haveged]="haveged"
     [update-initramfs]="initramfs-tools"
+    [jitterentropy-rngd]="jitterentropy-rngd"
     [jq]="jq"
     [loadkeys]="kbd"
     [setfont]="kbd"
@@ -96,6 +96,7 @@ installation_toolset() {
 
     chroot_script "${TARGET}" "
       export INITRD=No
+      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
       apt-get install -y --no-install-recommends --no-install-suggests ${ary_unique_pkgs[*]} 2>&1 | tee -a ${var_logfile}
     "
 

func/cdi_4100_base/4131_installation_systemd.sh

@@ -35,6 +35,7 @@ installation_systemd() {
 
     chroot_script "${TARGET}" "
       export INITRD=No
+      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
       apt-get install -y --no-install-recommends --no-install-suggests systemd systemd-sysv dbus 2>&1 | tee -a ${var_logfile}
     "
 

func/cdi_4100_base/4132_installation_machineid.sh

@@ -35,4 +35,7 @@ installation_machineid() {
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f installation_machineid
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4100_base/4133_installation_masking.sh

@@ -28,7 +28,7 @@ installation_masking() {
   do_log "info" "file_only" "4133() Masked: [ctrl-alt-del.target sleep.target suspend.target hibernate.target hybrid-sleep.target]"
 
   chroot_script "${TARGET}" "
-      systemctl mask plymouth-start.service plymouth-quit.service plymouth-quit-wait.service plymouth-read-write.service
+    systemctl mask plymouth-start.service plymouth-quit.service plymouth-quit-wait.service plymouth-read-write.service
   "
   do_log "info" "file_only" "4133() Masked: [plymouth-start.service plymouth-quit.service plymouth-quit-wait.service plymouth-read-write.service]"
 

func/cdi_4100_base/4140_installation_microcode.sh

@@ -56,6 +56,7 @@ installation_microcode() {
 
       chroot_script "${TARGET}" "
         export INITRD=No
+        [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
         apt-get install -y --no-install-recommends --no-install-suggests ${var_microcode_pkgs} 2>&1 | tee -a ${var_logfile}
       "
 
@@ -63,6 +64,7 @@ installation_microcode() {
 
       chroot_script "${TARGET}" "
         export INITRD=No
+        [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
         apt-get install -y --no-install-recommends --no-install-suggests --only-upgrade ${var_microcode_pkgs} 2>&1 | tee -a ${var_logfile}
       "
 

func/cdi_4100_base/4145_installation_firmware.sh

@@ -294,6 +294,7 @@ installation_firmware() {
 
   chroot_script "${TARGET}" "
     export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
     apt-get install -y --no-install-recommends --no-install-suggests ${ary_pkgs_resolved[*]} 2>&1 | tee -a ${var_logfile}
   "
 

func/cdi_4100_base/4150_installation_chrony.sh

@@ -49,6 +49,7 @@ installation_chrony() {
 
   chroot_script "${TARGET}" "
     export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
     apt-get install -y --no-install-recommends --no-install-suggests chrony 2>&1 | tee -a ${var_logfile}
   "
 
@@ -78,4 +79,7 @@ installation_chrony() {
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f installation_chrony
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4100_base/4160_installation_eza.sh

@@ -49,6 +49,7 @@ EOF
 
   chroot_script "${TARGET}" "
     export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
     apt-get update
     apt-get install -y --no-install-recommends --no-install-suggests eza 2>&1 | tee -a ${var_logfile}
   "

func/cdi_4100_base/4170_installation_lynis.sh

@@ -49,6 +49,7 @@ EOF
 
   chroot_script "${TARGET}" "
     export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
     apt-get update
     apt-get install -y --no-install-recommends --no-install-suggests lynis 2>&1 | tee -a ${var_logfile}
   "

func/cdi_4200_boot/4220_installation_cryptsetup.sh

@@ -32,6 +32,7 @@ installation_cryptsetup() {
 
   chroot_script "${TARGET}" "
     export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
     apt-get install -y --no-install-recommends --no-install-suggests cryptsetup cryptsetup-initramfs 2>&1 | tee -a ${var_logfile}
   "
 

func/cdi_4200_boot/4230_installation_grub.sh

@@ -78,6 +78,7 @@ installation_grub() {
         amd64)
           chroot_script "${TARGET}" "
             export INITRD=No
+            [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
             apt-get install -y --no-install-recommends grub2-common grub-efi-amd64 grub-efi-amd64-bin 2>&1 | tee -a ${var_logfile}
           "
           ;;
@@ -85,6 +86,7 @@ installation_grub() {
         arm64)
           chroot_script "${TARGET}" "
             export INITRD=No
+            [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
             apt-get install -y --no-install-recommends grub2-common grub-efi-arm64 grub-efi-arm64-bin 2>&1 | tee -a ${var_logfile}
           "
           ;;
@@ -99,6 +101,7 @@ installation_grub() {
 
       chroot_script "${TARGET}" "
         export INITRD=No
+        [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
         apt-get install -y --no-install-recommends grub2-common grub-pc grub-pc-bin 2>&1 | tee -a ${var_logfile}
       "
 

func/cdi_4200_boot/4240_update_grub_password.sh

@@ -50,6 +50,9 @@ update_grub_password() {
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f update_grub_password
 
 #######################################
 # Generate PBKDF2 password hash for GRUB.
@@ -79,4 +82,7 @@ EOF
 
  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f generate_grub_password_pbkdf2
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4300_network/4300_installation_network.sh

@@ -45,16 +45,19 @@ installation_network() {
 
   chroot_script "${TARGET}" "
     export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
     apt-get purge -y dhcpcd isc-dhcp-client 2>&1 | tee -a ${var_logfile}
   "
 
   chroot_script "${TARGET}" "
     export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
     apt-get install -y --no-install-suggests dhcpcd-base ifupdown 2>&1 | tee -a ${var_logfile}
   "
 
   chroot_script "${TARGET}" "
     export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
     systemctl disable systemd-networkd NetworkManager 2>/dev/null | tee -a ${var_logfile} || true
   "
 

func/cdi_4300_network/4305_installation_netsec.sh

@@ -29,6 +29,7 @@ installation_netsec() {
 
   chroot_script "${TARGET}" "
     export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
     apt-get install -y --no-install-suggests fail2ban ufw 2>&1 | tee -a ${var_logfile}
   "
 

func/cdi_4300_network/4311_dropbear_initramfs.sh

@@ -37,21 +37,25 @@ dropbear_initramfs() {
 
   chroot_script "${var_target}" "
     export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
     apt-get install -y --no-install-recommends --no-install-suggests dropbear-initramfs dropbear-bin 2>&1 | tee -a ${var_logfile}
   "
 
   chroot_script "${var_target}" "
     export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
     apt-get purge -y dropbear dropbear-run || true
   "
 
   chroot_script "${var_target}" "
     export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
     apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a ${var_logfile}
   "
 
   chroot_script "${var_target}" "
     export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
     apt-mark hold dropbear dropbear-initramfs 2>&1 | tee -a ${var_logfile}
   "
 

func/cdi_4300_network/4330_installation_ssh.sh

@@ -38,13 +38,20 @@ installation_ssh() {
   ### Declare Arrays, HashMaps, and Variables.
   declare -a ary_user=()
   declare -i i=0
+  declare -r  var_logfile="/root/.ciss/cdi/log/4330_installation_ssh.log"
   declare    var_auth="" var_name="" var_ca="" var_pub=""
   declare    var_target="${TARGET}"
 
   ### Check for TARGET / RECOVERY.
   [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
 
-  chroot_exec "${var_target}" apt-get install -y --no-install-recommends --no-install-suggests ssh
+  chroot_logger "${var_target}${var_logfile}"
+
+  chroot_script "${var_target}" "
+    export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+    apt-get install -y --no-install-recommends --no-install-suggests ssh 2>&1 | tee -a ${var_logfile}
+  "
 
   mkdir -p "${var_target}/etc/systemd/system/ssh.service.d"
 

func/cdi_4400_hardening/4400_kernel_modules.sh

@@ -49,6 +49,9 @@ EOF
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f kernel_modules
 
 #######################################
 # Blacklist some kind of potential hazardous modules via '/etc/modprobe.d/0000_ciss_debian_installer.conf'.
@@ -70,4 +73,7 @@ kernel_modprobe() {
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f kernel_modprobe
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4410_kernel_sysctl.sh

@@ -13,7 +13,7 @@
 guard_sourcing
 
 #######################################
-# Install Kernel Hardening-Presets '/etc/sysctl.d/99_local.hardened'.
+# Install Kernel Hardening-Presets '/etc/sysctl.d/9999_ciss_debian_installer.hardened'.
 # Globals:
 #   TARGET
 #   VAR_SETUP_PATH
@@ -23,13 +23,16 @@ guard_sourcing
 #   0: on success
 #######################################
 kernel_sysctl() {
-  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/sysctl.d/99_local.hardened" \
-    "${TARGET}/etc/sysctl.d/99_local.hardened"
+  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/sysctl.d/9999_ciss_debian_installer.hardened" \
+    "${TARGET}/etc/sysctl.d/9999_ciss_debian_installer.hardened"
 
-  insert_comments "${TARGET}/etc/sysctl.d/99_local.hardened"
+  insert_comments "${TARGET}/etc/sysctl.d/9999_ciss_debian_installer.hardened"
 
-  do_log "info" "file_only" "4410() Installed: '/etc/sysctl.d/99_local.hardened'."
+  do_log "info" "file_only" "4410() Installed: '/etc/sysctl.d/9999_ciss_debian_installer.hardened'."
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f kernel_sysctl
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4440_hardening_haveged.sh

@@ -38,4 +38,7 @@ EOF
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f hardening_haveged
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4442_hardening_jitterentropy.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Hardening hardening_jitterentropy.
+# Globals:
+#   TARGET
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+hardening_jitterentropy() {
+  declare    var_target="${TARGET}"
+
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
+
+  mkdir -p "${var_target}/etc/systemd/system/jitterentropy-rngd.service.d"
+
+  cat << EOF >> "${var_target}/etc/systemd/system/jitterentropy-rngd.service.d/override.conf"
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/jitterentropy-rngd --sp800-90b --osr=7
+EOF
+
+  guard_dir && return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f hardening_jitterentropy
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4445_hardening_logrotate.sh

@@ -73,4 +73,7 @@ EOF
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f hardening_logrotate
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4450_hardening_memory.sh

@@ -102,6 +102,9 @@ EOF
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f hardening_memory
 
 #######################################
 # Ensure 'pam_limits.so' is activated in:
@@ -158,4 +161,7 @@ guard_pam_limits() {
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f guard_pam_limits
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4460_hardening_openssl.sh

@@ -32,4 +32,7 @@ hardening_openssl() {
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f hardening_openssl
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4470_hardening_ufw.sh

@@ -97,4 +97,7 @@ hardening_ufw() {
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f hardening_ufw
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4400_hardening/4480_hardening_usb.sh

@@ -30,6 +30,7 @@ hardening_usb() {
   ### Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm
   chroot_script "${TARGET}" "
     export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
     apt-get install -y --no-install-recommends --no-install-suggests usbguard 2>&1 | tee -a ${var_logfile}
 
     touch /tmp/rules.conf

func/cdi_4400_hardening/4490_hardening_virus.sh

@@ -29,6 +29,7 @@ hardening_virus() {
 
   chroot_script "${TARGET}" "
     export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
     apt-get install -y --no-install-recommends --no-install-suggests rkhunter 2>&1 | tee -a ${var_logfile}
   "
 

func/cdi_4500_user/4500_accounts_preparation.sh

@@ -36,6 +36,7 @@ accounts_preparation() {
 
   chroot_script "${var_target}" "
     export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
     apt-get install -y --no-install-recommends --no-install-suggests bash-completion fzf 2>&1 | tee -a ${var_logfile}
   "
 

func/cdi_4500_user/4501_accounts_preparation_ciss.sh

@@ -31,8 +31,8 @@ accounts_preparation_ciss() {
   ### Check for TARGET / RECOVERY.
   [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
 
-  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${var_target}/etc/skel/.bashrc"
-  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${var_target}/etc/skel/.zshrc"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss.bashrc" "${var_target}/etc/skel/.bashrc"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss.zshrc" "${var_target}/etc/skel/.zshrc"
   install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/theme_eza_ciss.yml" "${var_target}/etc/skel/.ciss/"
   install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/alias" "${var_target}/etc/skel/.ciss/"
   install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/check_chrony.sh" "${var_target}/etc/skel/.ciss/"
@@ -50,9 +50,6 @@ accounts_preparation_ciss() {
   insert_comments "${var_target}/etc/skel/.ciss/scan_libwrap"
   insert_comments "${var_target}/etc/skel/.ciss/shortcuts"
 
-  ### In order to be able to copy/paste from vim, one needs to create a '.vimrc' in every home directory with the following content:
-  echo 'set clipboard=unnamed' >| "${var_target}/etc/skel/.vimrc"
-  chmod 0600 "${var_target}/etc/skel/.vimrc"
   guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.

func/cdi_4500_user/4502_accounts_preparation_physnet.sh

@@ -30,6 +30,25 @@ accounts_preparation_physnet() {
   ### Check for TARGET / RECOVERY.
   [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
 
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.physnet.bashrc" "${var_target}/etc/skel/.bashrc"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.physnet.zshrc" "${var_target}/etc/skel/.zshrc"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/theme_eza_ciss.yml" "${var_target}/etc/skel/.ciss/"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/alias" "${var_target}/etc/skel/.ciss/"
+  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/check_chrony.sh" "${var_target}/etc/skel/.ciss/"
+  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/clean_logout.sh" "${var_target}/etc/skel/.ciss/"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/f2bchk" "${var_target}/etc/skel/.ciss/"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/scan_libwrap" "${var_target}/etc/skel/.ciss/"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/shortcuts" "${var_target}/etc/skel/.ciss/"
+
+  insert_comments "${var_target}/etc/skel/.bashrc"
+  insert_comments "${var_target}/etc/skel/.zshrc"
+  insert_comments "${var_target}/etc/skel/.ciss/alias"
+  insert_comments "${var_target}/etc/skel/.ciss/check_chrony.sh"
+  insert_comments "${var_target}/etc/skel/.ciss/clean_logout.sh"
+  insert_comments "${var_target}/etc/skel/.ciss/f2bchk"
+  insert_comments "${var_target}/etc/skel/.ciss/scan_libwrap"
+  insert_comments "${var_target}/etc/skel/.ciss/shortcuts"
+
   guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.

func/cdi_4500_user/4510_accounts_hardening.sh

@@ -39,13 +39,14 @@ accounts_hardening() {
   ary_security_pkgs=( "libpam-google-authenticator" "wamerican" "wbritish" "wfrench" "wngerman" )
   chroot_script "${var_target}" "
     export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
     apt-get install -y --no-install-recommends --no-install-suggests ${ary_security_pkgs[*]} 2>&1 | tee -a ${var_logfile}
   "
 
   ### Preparing 2fa hardening.
   install -d -m 0755 -o root -g root "${var_target}/etc/ciss"
   touch "${var_target}/etc/ciss/2fa.users"
-  chmod 0640 "${var_target}/etc/ciss/2fa.users"
+  chmod 0600 "${var_target}/etc/ciss/2fa.users"
 
   ### Keep 'tty1' active, disable the rest.
   # shellcheck disable=SC2016

func/cdi_4500_user/4520_accounts_setup.sh

@@ -12,12 +12,6 @@
 
 guard_sourcing
 
-# TODO: sudo TOTP deactivation
-# TODO: PAM Module
-# TODO: Check Password activation
-# TODO: Check expiration and other dates
-# TODO: Logic
-
 #######################################
 # Updating user accounts.
 # Globals:
@@ -59,6 +53,12 @@ accounts_setup() {
 
   chroot_logger "${var_target}${var_logfile}"
 
+  ### Update pam modules for 2fa.
+  write_pam_login "${var_target}"
+  write_pam_sshd  "${var_target}"
+  write_pam_su    "${var_target}"
+  write_pam_sudo  "${var_target}"
+
   ### Prepare the '2fa'-seed variable.
   read_totp_seed
   do_log "debug" "file_only" "4520() Command: [read_totp_seed]"
@@ -66,56 +66,17 @@ accounts_setup() {
   ### 0) The 'root' account is generated via debootstrap by default.
 
   ### 1) Prepare the 'root' account.
-  install -d -m 0700 -o root -g root "${var_target}/root/.ssh"
-  install -m 0600 -o root -g root /dev/null "${var_target}/root/.ssh/authorized_keys"
-  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${var_target}/root/"
-  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/theme_eza_ciss.yml" "${var_target}/root/.ciss/"
-  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/alias" "${var_target}/root/.ciss/"
-  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/check_chrony.sh" "${var_target}/root/.ciss/"
-  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/clean_logout.sh" "${var_target}/root/.ciss/"
-  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/f2bchk" "${var_target}/root/.ciss/"
-  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/scan_libwrap" "${var_target}/root/.ciss/"
-  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/shortcuts" "${var_target}/root/.ciss/"
+  case "${VAR_USER_ROOT_SPECIFIC}" in
 
-  if [[ "${user_root_shell}" == "/bin/zsh" ]]; then
+    "ciss"   ) accounts_setup_ciss_root ;;
 
-    if [[ -x "${var_target}${user_root_shell}" ]]; then
+    "physnet") accounts_setup_physnet_root ;;
 
-      case "${VAR_USER_ROOT_SPECIFIC,,}" in
+    "none"   ) do_log "info" "file_only" "4520() Account preparation [none] selected." ;;
 
-        "ciss")
-          zsh_omz_installer "root" "${var_target}"
-          mv "${var_target}/root/.zshrc" "${var_target}/root/.zshrc.bak"
-          install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${var_target}/root/"
-          ;;
+    *        ) do_log "warn" "file_only" "4520() Account preparation nothing selected. Keeping defaults." ;;
 
-        "physnet")
-          :
-          ;;
-
-        "none"|*)
-          :
-          ;;
-
-      esac
-
-      chroot_exec "${var_target}" chsh -s "${user_root_shell}" root
-      do_log "info" "file_only" "4520() Shell: '${user_root_shell}' used for: 'root'."
-
-    else
-
-      chroot_exec "${var_target}" chsh -s /bin/bash root
-      do_log "info" "file_only" "4520() Shell: '${user_root_shell}' not found for: 'root'. Using '/bin/bash' instead."
-
-    fi
-
-  fi
-
-  ### To be able to copy/paste from vim, one needs to create a '.vimrc' with the following content:
-  echo 'set clipboard=unnamed' >| "${var_target}/root/.vimrc"
-  chmod 0600 "${var_target}/root/.vimrc"
-
-  do_log "info" "file_only" "4520() Skeleton: 'root' successfully generated."
+  esac
 
   ### 2) Check SSH access capabilities.
   case "${user_root_authentication_access_ssh,,}" in
@@ -126,6 +87,7 @@ accounts_setup() {
       ;;
 
     true)
+      ### SSH Public Key per default, only.
       sed -i -E "s|^[[:space:]]*PermitRootLogin[[:space:]]+.*$|$(printf '%-29s%s' 'PermitRootLogin' 'prohibit-password')|" "${var_target}/etc/ssh/sshd_config"
       do_log "info" "file_only" "4520() User: 'root' SSH access: [PermitRootLogin prohibit-password]"
       ;;
@@ -141,54 +103,26 @@ accounts_setup() {
   case "${user_root_authentication_access_tty,,}" in
 
     false)
-      ### 3) A) 1) Ensure the 'pam_access' line is not activated in '/etc/pam.d/login' and '/etc/pam.d/sshd' in parallel.
-      pam_access_sync_login_sshd
-
-      ### 3) A) 2) Ensure 'pam_securetty' in the auth phase; requisite causes immediate fail for disallowed ttys.
-      chroot_stdin "${var_target}" "__payload__" <<'EOF'
-export LC_ALL=C
-if ! grep -Eq '^[[:space:]]*auth[[:space:]]+requisite[[:space:]]+pam_securetty[.]so([[:space:]]|$)' /etc/pam.d/login; then
-  tmp="$(mktemp /etc/pam.d/login.XXXXXX)"
-  awk '
-    BEGIN { ins=0 }
-    {
-      if (!ins && $0 ~ /^[[:space:]]*auth[[:space:]]+.*pam_unix[.]so/) {
-        print "auth  requisite  pam_securetty.so"
-        ins=1
-      }
-      print
-    }
-    END {
-      if (!ins) print "auth  requisite  pam_securetty.so"
-    }
-  ' /etc/pam.d/login >| "${tmp}"
-
-  test -s "${tmp}"
-  mv -f "${tmp}" /etc/pam.d/login
-  rm -f -- "${tmp}"
-fi
-:
-EOF
-
-      ### 3) A) 3) Disallow all local access for root in '/etc/security/access.conf'.
+      ### Disallow all local access for root in '/etc/security/access.conf'.
       printf -- '-: root:ALL\n' >> "${var_target}/etc/security/access.conf"
+      do_log "info" "file_only" "4520() User: 'root' [disallow all local access in '/etc/security/access.conf']"
 
-      ### 3) A) 4) Empty "/etc/securetty".
+      ### Empty "/etc/securetty".
       cat << 'EOF' >| "${var_target}/etc/securetty"
 EOF
-
-      do_log "info" "file_only" "4520() User: 'root' tty access: [false]"
+      do_log "info" "file_only" "4520() User: 'root' [empty '/etc/securetty']"
       ;;
 
     true)
-      ### 3) B) 1) Allow local access for 'root' only on 'tty1' in '/etc/security/access.conf'.
+      ### Allow local access for 'root' only on 'tty1' in '/etc/security/access.conf'.
       printf -- "+: root:tty1 \n" >> "${var_target}/etc/security/access.conf"
+      do_log "info" "file_only" "4520() User: 'root' [allow local access on tty1 in '/etc/security/access.conf']"
 
-      ### 3) B) 2) Allow local access for 'root' only on 'tty1' in '/etc/securetty'.
+      ### Allow local access for 'root' only on 'tty1' in '/etc/securetty'.
       cat << 'EOF' >| "${var_target}/etc/securetty"
 tty1
 EOF
-      do_log "info" "file_only" "4520() User: 'root' tty access: [true]"
+      do_log "info" "file_only" "4520() User: 'root' [tty1 in '/etc/securetty']."
       ;;
 
     *)
@@ -199,6 +133,8 @@ EOF
   esac
 
   ### 4) Check the password policy for the 'root' account.
+  chroot_script "${var_target}" "printf '%s:%s\n' 'root' '${user_root_password}' | /usr/sbin/chpasswd -e"
+
   case "${user_root_authentication_password,,}" in
 
     false)
@@ -207,8 +143,7 @@ EOF
       ;;
 
     true)
-      chroot_script "${var_target}" "printf '%s:%s\n' 'root' '${var_password}' | /usr/sbin/chpasswd -e"
-      #chroot_script "${var_target}" "/usr/sbin/usermod -p '${user_root_password}' root"
+      chroot_script "${var_target}" "passwd -u root"
       do_log "info" "file_only" "4520() User: 'root' password access: [true]"
       ;;
 
@@ -227,17 +162,16 @@ EOF
 
   fi
 
-  ### 6) Update the 'root' 'totp'-policy and write the '.google_authenticator'-file.
+  ### 6) Update the 'root' 'totp'-policy-user file and write the '.google_authenticator'-file.
   if [[ "${user_root_authentication_2fa_ssh}" == "true" || "${user_root_authentication_2fa_tty}" == "true" ]]; then
 
     write_google_authenticator_file "root" "0" "0" "${var_target}"
+    printf '%s\n' "root" >> "${var_target}/etc/ciss/2fa.users"
 
   fi
 
-
   if [[ "${user_root_authentication_2fa_ssh}" == "true" ]]; then
 
-    pam_access_totp_enable "root" "sshd" "${var_target}"
     var_ssh_totp_update="true"
     cat << EOF >> "${var_target}/etc/ssh/sshd_config"
 Match User root
@@ -246,8 +180,6 @@ Match User root
 EOF
   fi
 
-  [[ "${user_root_authentication_2fa_tty}" == "true" ]] && pam_access_totp_enable "root" "login" "${var_target}"
-
   ### 7) Install eza themes.
   eza_installer "root" "${var_target}"
 
@@ -844,172 +776,6 @@ EOF
 # shellcheck disable=SC2034
 readonly -f hardening_sudo
 
-#######################################
-# Ensure the 'pam_access' line is not activated in '/etc/pam.d/login' and '/etc/pam.d/sshd' in parallel.
-# MUST be executed inside chroot.
-# Globals:
-#   None
-# Arguments:
-#   None
-# Returns:
-#   0: on success
-#######################################
-pam_access_sync_login_sshd() {
-  ### Declare Arrays, HashMaps, and Variables.
-  declare     var_file_login="/etc/pam.d/login"
-  declare     var_file_sshd="/etc/pam.d/sshd"
-
-  ### Guard: The file must exist, no-op otherwise.
-  if [[ ! -f "${var_target}${var_file_login}" ]]; then
-    return 0
-  fi
-
-  ### 1) If the 'pam_access' line is commented in '/etc/pam.d/login', uncomment exactly one occurrence.
-  chroot_stdin "${var_target}" "__payload__" <<'EOF'
-tmp="$(mktemp /etc/pam.d/login.XXXXXX)"
-export LC_ALL=C
-awk '
-BEGIN { done=0 }
-{
-  if (!done) {
-    line=$0
-    sub(/^[[:space:]]*#+[[:space:]]*/, "", line)
-    if (line ~ /^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access[.]so([[:space:]]|$)/) {
-      print line; done=1; next
-    }
-  }
-  print
-}
-' /etc/pam.d/login >| "${tmp}"
-test -s "${tmp}"
-mv -f "${tmp}" /etc/pam.d/login
-rm -f "${tmp}" || :
-:
-EOF
-
-  ### 2) If '/etc/pam.d/login' now has an active pam_access line, ensure '/etc/pam.d/sshd' pam_access line(s) are commented out.
-  ###    No-op if '/etc/pam.d/sshd' is absent.
-  [[ -f "${var_target}${var_file_sshd}" ]] || return 0
-
-  chroot_stdin "${var_target}" "__payload__" <<'EOF'
-export LC_ALL=C
-if grep -Eq '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access[.]so([[:space:]]|$)' /etc/pam.d/login; then
-  tmp="$(mktemp /etc/pam.d/sshd.XXXXXX)"
-  awk '
-    /^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access[.]so([[:space:]]|$)/ { print "# " $0; next }
-    { print }
-  ' /etc/pam.d/sshd >| "${tmp}"
-  test -s "${tmp}"
-  mv -f "${tmp}" /etc/pam.d/sshd
-  rm -f "${tmp}" || :
-fi
-:
-EOF
-
-  return 0
-}
-### Prevents accidental 'unset -f'.
-# shellcheck disable=SC2034
-readonly -f pam_access_sync_login_sshd
-
-#######################################
-# Enable per-user TOTP in a given PAM service (login, sshd, su, sudo).
-# Globals:
-#   None
-# Arguments:
-#   1: username
-#   2: pam_module
-#   3: target
-# Returns:
-#   0: on success
-#######################################
-pam_access_totp_enable() {
-  ### Declare Arrays, HashMaps, and Variables.
-  declare -r  var_user="${1}" var_module="${2}" var_target="${3}"
-  declare -r  var_pam_file="/etc/pam.d/${var_module}"
-  declare -r  var_users_file="${var_target}/etc/ciss/2fa.users"
-  declare -r  var_allowlist="/etc/ciss/2fa.users"
-
-  ### Basic sanitation; module must be a safe 'pam.d' filename.
-  [[ -n "${var_user:-}" && -n "${var_module:-}" ]] || return 0
-  [[ "${var_module}" =~ ^[A-Za-z0-9._+-]+$ ]] || return 0
-  [[ -f "${var_target}${var_pam_file}" ]] || return 0
-
-  ### 0) Ensure the allowlist file contains the user (deduplicated).
-  if ! grep -Fxq "${var_user}" "${var_users_file}"; then
-    printf '%s\n' "${var_user}" >> "${var_users_file}"
-  fi
-
-  ### 1) Ensure a single CISS TOTP framework block is present in the PAM file.
-  ###    The block gates GA by pam_listfile over '/etc/ciss/2fa.users'.
-  ###    We place it right after pam_unix.so or @include common-auth; fallback: append.
-  chroot_stdin "${var_target}" "__payload__" -- "${var_pam_file}" "${var_allowlist}" <<'EOF'
-export LC_ALL=C
-pam="$1"
-allowlist="$2"
-tmp="$(mktemp "${pam}.XXXXXX")"
-
-awk -v MARK_S="# CISS TOTP START" -v MARK_E="# CISS TOTP END" -v allowlist="${allowlist}" '
-  BEGIN { ins=0 }
-  {
-    print
-    if (!ins && ($0 ~ /^[[:space:]]*auth[[:space:]]+.*pam_unix[.]so/ \
-                 || $0 ~ /^[[:space:]]*@include[[:space:]]+common-auth/)) {
-      print MARK_S
-      ### Only users in allowlist must pass GA:
-      ### pam_listfile sense=deny succeeds for non-listed > skip next line (GA)
-      print "auth  [success=1 default=ignore] pam_listfile.so item=user sense=deny file=" allowlist " onerr=ignore"
-      print "auth  required  pam_google_authenticator.so"
-      print MARK_E
-      ins=1
-    }
-  }
-  END {
-    if (!ins) {
-      print MARK_S
-      print "auth  [success=1 default=ignore] pam_listfile.so item=user sense=deny file=" allowlist " onerr=ignore"
-      print "auth  required  pam_google_authenticator.so"
-      print MARK_E
-    }
-  }
-' "${pam}" >| "${tmp}"
-
-test -s "${tmp}"
-mv -f "${tmp}" "${pam}"
-rm -f -- "${tmp}" || :
-:
-EOF
-
-  ### 2) Comment out any other active GA lines to avoid double prompts.
-  chroot_stdin "${var_target}" "__payload__" -- "${var_pam_file}" <<'EOF'
-export LC_ALL=C
-pam="$1"
-tmp="$(mktemp "${pam}.XXXXXX")"
-awk '
-  BEGIN { in_ciss=0 }
-  /^# CISS TOTP START$/ { in_ciss=1; print; next }
-  /^# CISS TOTP END$/   { in_ciss=0; print; next }
-  {
-    if (!in_ciss && $0 ~ /^[[:space:]]*auth[[:space:]]+.*pam_google_authenticator[.]so/ && $0 !~ /^[[:space:]]*#/) {
-      print "# " $0
-    } else {
-      print
-    }
-  }
-' "${pam}" >| "${tmp}"
-
-test -s "${tmp}"
-mv -f "${tmp}" "${pam}"
-rm -f -- "${tmp}" || :
-:
-EOF
-
-  return 0
-}
-### Prevents accidental 'unset -f'.
-# shellcheck disable=SC2034
-readonly -f pam_access_totp_enable
-
 #######################################
 # Reads a 256-bit seed from '${DIR_CNF}/mfa_master.txt' (64 hex chars) into VAR_TEMP_PLAIN_MFA_SEED.
 # Globals:
@@ -1113,6 +879,379 @@ write_google_authenticator_file() {
 # shellcheck disable=SC2034
 readonly -f write_google_authenticator_file
 
+#######################################
+# Writes CISS Header for '/etc/pam.d/login'.
+# Globals:
+#   None
+# Arguments:
+#   1: TARGET
+# Returns:
+#   0: on success
+#######################################
+write_pam_login() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_target="$1"
+
+  mv "${var_target}/etc/pam.d/login" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/login"
+
+  insert_header   "${var_target}/etc/pam.d/login"
+  insert_comments "${var_target}/etc/pam.d/login"
+  cat << EOF >>   "${var_target}/etc/pam.d/login"
+#
+# The PAM configuration file for the Shadow 'login' service
+#
+
+# --- AUTH phase ---------------------------------------------------------------------------------------------------------------
+
+# Root only on secure ttys listed in '/etc/securetty' (fail fast, no prompts).
+auth     requisite  pam_securetty.so
+
+# Enforce a minimal delay in case of failure (in microseconds). (Replaces the 'FAIL_DELAY' setting from login.defs).
+# Note that other modules may require another minimal delay. (For example, to disable any delay, you should add the 'nodelay'
+# option to pam_unix).
+auth     optional   pam_faildelay.so delay=3200000
+
+# Outputs an issue file prior to each login prompt (Replaces the ISSUE_FILE option from login.defs). Uncomment for use.
+#auth    required   pam_issue.so issue=/etc/issue
+
+# Disallows other than root logins when /etc/nologin exists. (Replaces the 'NOLOGINS_FILE' option from login.defs).
+auth     requisite  pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any lingering context has been cleared. Without this it is
+# possible that a module could execute code in the wrong domain. When the module is present, "required" would be sufficient
+# (When SELinux is disabled, this returns success.)
+session             [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Sets the loginuid process attribute
+session  required   pam_loginuid.so
+
+# Prints the message of the day upon successful login. (Replaces the 'MOTD_FILE' option in login.defs). This includes a
+# dynamically generated part from /run/motd.dynamic, and a static (admin-editable) part from /etc/motd.
+session  optional   pam_motd.so motd=/run/motd.dynamic
+session  optional   pam_motd.so noupdate
+
+# SELinux needs to intervene at login time to ensure that the process starts in the proper default security context. Only
+# sessions which are intended to run in the user's context should be run after this. The module pam_selinux.so changes the
+# SELinux context of the used TTY and configures SELinux in order to transition to the user context with the next execve()
+# call.
+session             [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux is disabled, this returns success.)
+
+# This module parses environment configuration file(s) and also allows you to use an extended config file
+# /etc/security/pam_env.conf. Parsing /etc/environment needs "readenv=1"
+session  required   pam_env.so readenv=1
+# Locale variables can also be set in /etc/default/locale reading this file *in addition to /etc/environment* does not hurt.
+session  required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth
+
+
+# ===== CISS 2FA block  ========
+
+# If user is NOT listed -> succeed and SKIP next two lines (no TOTP prompt).
+auth                [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa.users onerr=ignore
+
+# For listed users: enforce that the secret file exists, else deny without prompting.
+# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
+# No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
+auth     required   pam_echo.so file=/etc/ciss/pam_login_totp.prompt
+auth     required   pam_google_authenticator.so disallow-reuse
+
+# ===== CISS 2FA block end =====
+
+
+# This allows certain extra groups to be granted to a user based on things like time of day, tty, service, and user. Please
+# edit /etc/security/group.conf to fit your needs (Replaces the 'CONSOLE_GROUPS' option in login.defs).
+auth     optional   pam_group.so
+
+
+
+# Uncomment and edit /etc/security/time.conf if you need to set time restraint on logins. (Replaces the 'PORTTIME_CHECKS_ENAB'
+# option from login.defs as well as /etc/porttime).
+#account requisite  pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set access limits. (Replaces /etc/login.access file).
+#account required   pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
+session  required   pam_limits.so
+
+# Prints the status of the user's mailbox upon successful login (Replaces the 'MAIL_CHECK_ENAB' option from login.defs).
+# This also defines the MAIL environment variable. However, userdel also needs MAIL_DIR and MAIL_FILE variables in
+# /etc/login.defs to make sure that removing a user also removes the user's mail spool file. See comments in /etc/login.defs.
+session  optional   pam_mail.so standard
+
+# Create a new session keyring.
+session  optional   pam_keyinit.so force revoke
+
+# Console-only access control for this service (do NOT also enable in common-account).
+account  requisite  pam_access.so
+
+# Standard Un*x account and session
+@include common-account
+@include common-session
+@include common-password
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+  do_log "info" "file_only" "4520() Written: [/etc/pam.d/login]."
+
+  cat << 'EOF' >| "${var_target}/etc/ciss/pam_login_totp.prompt"
+Please enter your 6-digit TOTP or 8-digit Backup code:
+EOF
+  chmod 0444 "${var_target}/etc/ciss/pam_login_totp.prompt"
+  do_log "info" "file_only" "4520() Written: [/etc/ciss/pam_login_totp.prompt]."
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f write_pam_login
+
+#######################################
+# Writes CISS Header for '/etc/pam.d/sshd'.
+# Globals:
+#   None
+# Arguments:
+#   1: TARGET
+# Returns:
+#   0: on success
+#######################################
+write_pam_sshd() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_target="$1"
+
+  mv "${var_target}/etc/pam.d/sshd" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/sshd"
+
+  insert_header   "${var_target}/etc/pam.d/sshd"
+  insert_comments "${var_target}/etc/pam.d/sshd"
+  cat << EOF >>   "${var_target}/etc/pam.d/sshd"
+#
+# PAM configuration for the Secure Shell service
+#
+
+# ===== CISS 2FA block  ========
+
+# If user is NOT listed -> succeed and SKIP next two lines (silent Keyboard-Interactive (KI) success).
+auth                [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa.users onerr=ignore
+
+# For listed users: enforce that the secret file exists, else deny without prompting.
+# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
+# No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
+auth     required   pam_echo.so file=/etc/ciss/pam_ssh_totp.prompt
+auth     required   pam_google_authenticator.so disallow-reuse
+
+# For non-2FA users KI must be a silent success to satisfy AuthenticationMethods.
+auth     sufficient pam_permit.so
+
+# ===== CISS 2FA block end =====
+
+
+# Keep the rest as shipped by Debian. It will be short-circuited by pam_permit for KI and never reached for 2FA users after
+# successful GA.
+
+# Standard Un*x authentication.
+@include common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account  required   pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex access limits that are hard to express in sshd_config.
+#account required   pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# SELinux needs to be the first session rule. This ensures that any lingering context has been cleared. Without this it is
+# possible that a module could execute code in the wrong domain.
+session             [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Set the loginuid process attribute.
+session  required   pam_loginuid.so
+
+# Create a new session keyring.
+session  optional   pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login. This includes a dynamically generated part from /run/motd.dynamic and a
+# static (admin-editable) part from /etc/motd.
+session  optional   pam_motd.so motd=/run/motd.dynamic
+session  optional   pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login.
+session  optional   pam_mail.so standard noenv
+
+# Set up user limits from /etc/security/limits.conf.
+session  required   pam_limits.so
+
+# Read environment variables from /etc/environment and /etc/security/pam_env.conf.
+session  required   pam_env.so
+
+# In Debian 4.0 (etch), locale-related environment variables were moved to /etc/default/locale, so read that as well.
+session  required   pam_env.so envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts in the proper default security context. Only
+# sessions which are intended to run in the user's context should be run after this.
+session             [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+
+# Standard Un*x password updating.
+@include common-password
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+  do_log "info" "file_only" "4520() Written: [/etc/pam.d/sshd]."
+
+  cat << 'EOF' >| "${var_target}/etc/ciss/pam_ssh_totp.prompt"
+Please enter your 6-digit TOTP or 8-digit Backup code:
+EOF
+  chmod 0444 "${var_target}/etc/ciss/pam_ssh_totp.prompt"
+  do_log "info" "file_only" "4520() Written: [/etc/ciss/pam_ssh_totp.prompt]."
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f write_pam_sshd
+
+#######################################
+# Writes CISS Header for '/etc/pam.d/su'.
+# Globals:
+#   None
+# Arguments:
+#   1: TARGET
+# Returns:
+#   0: on success
+#######################################
+write_pam_sudo() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_target="$1"
+
+  mv "${var_target}/etc/pam.d/su" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/su"
+
+  insert_header   "${var_target}/etc/pam.d/su"
+  insert_comments "${var_target}/etc/pam.d/su"
+  cat << EOF >>   "${var_target}/etc/pam.d/su"
+#
+# PAM configuration for the su service
+#
+
+# If caller is already root, allow quickly without further auth:
+auth     sufficient pam_rootok.so
+
+# Reuse a recent successful su-auth within the TTL:
+auth     sufficient pam_timestamp.so
+
+# Standard password for the target account (root or other):
+@include common-auth
+
+
+# ===== CISS 2FA block  ========
+
+# If user is NOT listed -> succeed and SKIP next two lines (no TOTP prompt).
+auth                [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa.users onerr=ignore
+
+# For listed users: enforce that the secret file exists, else deny without prompting.
+# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
+# No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
+auth     required   pam_echo.so file=/etc/ciss/pam_su_totp.prompt
+auth     required   pam_google_authenticator.so disallow-reuse
+
+# ===== CISS 2FA block end =====
+
+
+@include common-account
+@include common-session
+# Keep a ticket to avoid re-prompts during this shell session:
+session  optional     pam_timestamp.so
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+  do_log "info" "file_only" "4520() Written: [/etc/pam.d/su]."
+
+  cat << 'EOF' >| "${var_target}/etc/ciss/pam_su_totp.prompt"
+Please enter the 6-digit TOTP or 8-digit Backup code of the target user:
+EOF
+  chmod 0444 "${var_target}/etc/ciss/pam_su_totp.prompt"
+  do_log "info" "file_only" "4520() Written: [/etc/ciss/pam_su_totp.prompt]."
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f write_pam_su
+
+#######################################
+# Writes CISS Header for '/etc/pam.d/sudo'.
+# Globals:
+#   None
+# Arguments:
+#   1: TARGET
+# Returns:
+#   0: on success
+#######################################
+write_pam_sudo() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_target="$1"
+
+  mv "${var_target}/etc/pam.d/sudo" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/sudo"
+
+  insert_header   "${var_target}/etc/pam.d/sudo"
+  insert_comments "${var_target}/etc/pam.d/sudo"
+  cat << EOF >>   "${var_target}/etc/pam.d/sudo"
+#
+# PAM configuration for the sudo service
+#
+
+# Reuse a recent successful auth to avoid re-prompting within the TTL.
+auth     sufficient pam_timestamp.so
+
+# Standard UNIX password:
+@include common-auth
+
+
+# ===== CISS 2FA block  ========
+
+# If user is NOT listed -> succeed and SKIP next two lines (no TOTP prompt).
+auth                [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa.users onerr=ignore
+
+# For listed users: enforce that the secret file exists, else deny without prompting.
+# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
+# No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
+auth     required   pam_echo.so file=/etc/ciss/pam_sudo_totp.prompt
+auth     required   pam_google_authenticator.so disallow-reuse
+
+# ===== CISS 2FA block end =====
+
+
+# Accounts, sessions:
+@include common-account
+@include common-session-noninteractive
+
+# Maintain a pam_timestamp ticket on successful sudo to suppress re-prompts.
+session  optional   pam_timestamp.so
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+  do_log "info" "file_only" "4520() Written: [/etc/pam.d/sudo]."
+
+  cat << 'EOF' >| "${var_target}/etc/ciss/pam_sudo_totp.prompt"
+Please enter your 6-digit TOTP or 8-digit Backup code:
+EOF
+  chmod 0444 "${var_target}/etc/ciss/pam_sudo_totp.prompt"
+  do_log "info" "file_only" "4520() Written: [/etc/ciss/pam_sudo_totp.prompt]."
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f write_pam_sudo
+
 #######################################
 # Use the official ohmyzsh-installer but force non-interactive behavior; do not run zsh; do not chsh.
 # Globals:
@@ -1240,228 +1379,4 @@ EOF
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f zsh_omz_installer
-
-
-
-#######################################
-# Writes CISS Header for '/etc/pam.d/login'.
-# Globals:
-#   None
-# Arguments:
-#   1: TARGET
-# Returns:
-#   0: on success
-#######################################
-write_pam_login() {
-  ### Declare Arrays, HashMaps, and Variables.
-  declare -r  var_target="$1"
-
-  mv "${var_target}/etc/pam.d/sshd" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/login"
-
-  insert_header   "${var_target}/etc/pam.d/login"
-  insert_comments "${var_target}/etc/pam.d/login"
-  cat << EOF >>   "${var_target}/etc/pam.d/login"
-#
-# The PAM configuration file for the Shadow 'login' service
-#
-
-# Enforce a minimal delay in case of failure (in microseconds). (Replaces the 'FAIL_DELAY' setting from login.defs).
-# Note that other modules may require another minimal delay. (For example, to disable any delay, you should add the 'nodelay'
-# option to pam_unix).
-auth    optional    pam_faildelay.so    delay=3000000
-
-# Outputs an issue file prior to each login prompt (Replaces the ISSUE_FILE option from login.defs). Uncomment for use.
-# auth    required    pam_issue.so issue=/etc/issue
-
-# Disallows other than root logins when /etc/nologin exists. (Replaces the 'NOLOGINS_FILE' option from login.defs).
-auth    requisite    pam_nologin.so
-
-# SELinux needs to be the first session rule. This ensures that any lingering context has been cleared. Without this it is
-# possible that a module could execute code in the wrong domain. When the module is present, "required" would be sufficient
-# (When SELinux is disabled, this returns success.)
-session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
-
-# Sets the loginuid process attribute
-session    required    pam_loginuid.so
-
-# Prints the message of the day upon successful login. (Replaces the 'MOTD_FILE' option in login.defs). This includes a
-# dynamically generated part from /run/motd.dynamic, and a static (admin-editable) part from /etc/motd.
-session    optional    pam_motd.so motd=/run/motd.dynamic
-session    optional    pam_motd.so noupdate
-
-# SELinux needs to intervene at login time to ensure that the process starts in the proper default security context. Only
-# sessions which are intended to run in the user's context should be run after this. The module pam_selinux.so changes the
-# SELinux context of the used TTY and configures SELinux in order to transition to the user context with the next execve()
-# call.
-session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-# When the module is present, "required" would be sufficient (When SELinux is disabled, this returns success.)
-
-# This module parses environment configuration file(s) and also allows you to use an extended config file
-# /etc/security/pam_env.conf. Parsing /etc/environment needs "readenv=1"
-session    required    pam_env.so readenv=1
-# Locale variables can also be set in /etc/default/locale reading this file *in addition to /etc/environment* does not hurt.
-session    required    pam_env.so readenv=1 envfile=/etc/default/locale
-
-# Standard Un*x authentication.
-@include common-auth
-
-# ===== CISS 2FA block  =====
-
-# If user is NOT listed -> succeed and SKIP next two lines (no TOTP prompt).
-auth  [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa onerr=ignore
-
-# Listed users: show a clear hint and then require GA. No 'nullok': missing secret -> fail.
-auth  required                    pam_echo.so file=/etc/ciss/login_totp.prompt
-auth  required                    pam_google_authenticator.so
-
-# ===== CISS 2FA block end =====
-
-# This allows certain extra groups to be granted to a user based on things like time of day, tty, service, and user. Please
-# edit /etc/security/group.conf to fit your needs (Replaces the 'CONSOLE_GROUPS' option in login.defs).
-auth    optional    pam_group.so
-
-# Uncomment and edit /etc/security/time.conf if you need to set time restraint on logins. (Replaces the 'PORTTIME_CHECKS_ENAB'
-# option from login.defs as well as /etc/porttime).
-# account    requisite    am_time.so
-
-# Uncomment and edit /etc/security/access.conf if you need to set access limits. (Replaces /etc/login.access file).
-# account    required    pam_access.so
-
-# Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
-session    required    pam_limits.so
-
-# Prints the status of the user's mailbox upon successful login (Replaces the 'MAIL_CHECK_ENAB' option from login.defs).
-# This also defines the MAIL environment variable. However, userdel also needs MAIL_DIR and MAIL_FILE variables in
-# /etc/login.defs to make sure that removing a user also removes the user's mail spool file. See comments in /etc/login.defs.
-session     optional    pam_mail.so standard
-
-# Create a new session keyring.
-session    optional    pam_keyinit.so force revoke
-
-# Standard Un*x account and session
-@include common-account
-@include common-session
-@include common-password
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
-EOF
-  do_log "info" "file_only" "4520() Written: [/etc/pam.d/login]."
-
-  cat << 'EOF' >| "${var_target}/etc/ciss/login_totp.prompt"
-After your UNIX password, please enter your 6-digit TOTP code.
-EOF
-  chmod 0444 "${var_target}/etc/ciss/login_totp.prompt"
-  do_log "info" "file_only" "4520() Written: [/etc/ciss/login_totp.prompt]."
-
-  return 0
-}
-### Prevents accidental 'unset -f'.
-# shellcheck disable=SC2034
-readonly -f write_pam_login
-
-#######################################
-# Writes CISS Header for '/etc/pam.d/sshd'.
-# Globals:
-#   None
-# Arguments:
-#   1: TARGET
-# Returns:
-#   0: on success
-#######################################
-write_pam_sshd() {
-  ### Declare Arrays, HashMaps, and Variables.
-  declare -r  var_target="$1"
-
-  mv "${var_target}/etc/pam.d/sshd" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/sshd"
-
-  insert_header   "${var_target}/etc/pam.d/sshd"
-  insert_comments "${var_target}/etc/pam.d/sshd"
-  cat << EOF >>   "${var_target}/etc/pam.d/sshd"
-#
-# PAM configuration for the Secure Shell service
-#
-
-# ===== CISS 2FA block  =====
-
-# If user is NOT listed -> succeed and SKIP next two lines (silent Keyboard-Interactive (KI) success).
-auth  [success=2 default=ignore]  pam_listfile.so item=user sense=deny file=/etc/ciss/2fa onerr=ignore
-
-# For listed users: enforce that the secret file exists, else deny without prompting.
-# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
-auth  required                    pam_echo.so file=/etc/ciss/ssh_totp.prompt
-auth  required                    pam_google_authenticator.so
-                                  # No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
-
-# For non-2FA users KI must be a silent success to satisfy AuthenticationMethods.
-auth  sufficient                  pam_permit.so
-# ===== CISS 2FA block end =====
-
-# Keep the rest as shipped by Debian. It will be short-circuited by pam_permit for KI and never reached for 2FA users after
-# successful GA.
-
-# Standard Un*x authentication.
-@include    common-auth
-
-# Disallow non-root logins when /etc/nologin exists.
-account    required    pam_nologin.so
-
-# Uncomment and edit /etc/security/access.conf if you need to set complex access limits that are hard to express in sshd_config.
-# account    required    pam_access.so
-
-# Standard Un*x authorization.
-@include common-account
-
-# SELinux needs to be the first session rule.  This ensures that any lingering context has been cleared. Without this it is
-# possible that a module could execute code in the wrong domain.
-session [success=ok ignore=ignore module_unknown=ignore default=bad]    pam_selinux.so close
-
-# Set the loginuid process attribute.
-session    required    pam_loginuid.so
-
-# Create a new session keyring.
-session    optional    pam_keyinit.so force revoke
-
-# Standard Un*x session setup and teardown.
-@include    common-session
-
-# Print the message of the day upon successful login. This includes a dynamically generated part from /run/motd.dynamic and a
-# static (admin-editable) part from /etc/motd.
-session    optional    pam_motd.so    motd=/run/motd.dynamic
-session    optional    pam_motd.so    noupdate
-
-# Print the status of the user's mailbox upon successful login.
-session    optional    pam_mail.so    standard noenv # [1]
-
-# Set up user limits from /etc/security/limits.conf.
-session    required    pam_limits.so
-
-# Read environment variables from /etc/environment and /etc/security/pam_env.conf.
-session    required    pam_env.so # [1]
-
-# In Debian 4.0 (etch), locale-related environment variables were moved to /etc/default/locale, so read that as well.
-session    required    pam_env.so envfile=/etc/default/locale
-
-# SELinux needs to intervene at login time to ensure that the process starts in the proper default security context. Only
-# sessions which are intended to run in the user's context should be run after this.
-session [success=ok ignore=ignore module_unknown=ignore default=bad]    pam_selinux.so open
-
-# Standard Un*x password updating.
-@include common-password
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
-EOF
-
-  do_log "info" "file_only" "4520() Written: [/etc/pam.d/sshd]."
-
-  cat << 'EOF' >| "${var_target}/etc/ciss/ssh_totp.prompt"
-Please enter your 6-digit TOTP code for %u@%H.
-EOF
-  chmod 0444 "${var_target}/etc/ciss/ssh_totp.prompt"
-  do_log "info" "file_only" "4520() Written: [/etc/ciss/ssh_totp.prompt]."
-
-  return 0
-}
-### Prevents accidental 'unset -f'.
-# shellcheck disable=SC2034
-readonly -f write_pam_sshd
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4500_user/4521_accounts_setup_ciss.sh

@@ -23,16 +23,60 @@ guard_sourcing
 # Returns:
 #   0: on success
 #######################################
-accounts_setup_ciss() {
+accounts_setup_ciss_root() {
   ### Declare Arrays, HashMaps, and Variables.
   declare     var_target="${TARGET}"
 
   ### Check for TARGET / RECOVERY.
   [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
 
+  install -d -m 0700 -o root -g root "${var_target}/root/.ssh"
+  install -m 0600 -o root -g root /dev/null "${var_target}/root/.ssh/authorized_keys"
+
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss.bashrc" "${var_target}/root/.bashrc"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/theme_eza_ciss.yml" "${var_target}/root/.ciss/"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/alias" "${var_target}/root/.ciss/"
+  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/check_chrony.sh" "${var_target}/root/.ciss/"
+  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/clean_logout.sh" "${var_target}/root/.ciss/"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/f2bchk" "${var_target}/root/.ciss/"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/scan_libwrap" "${var_target}/root/.ciss/"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/shortcuts" "${var_target}/root/.ciss/"
+
+  insert_comments "${var_target}/root/.bashrc"
+  insert_comments "${var_target}/root/.ciss/alias"
+  insert_comments "${var_target}/root/.ciss/check_chrony.sh"
+  insert_comments "${var_target}/root/.ciss/clean_logout.sh"
+  insert_comments "${var_target}/root/.ciss/f2bchk"
+  insert_comments "${var_target}/root/.ciss/scan_libwrap"
+  insert_comments "${var_target}/root/.ciss/shortcuts"
+
+  if [[ "${user_root_shell}" == "/bin/zsh" ]]; then
+
+    if [[ -x "${var_target}${user_root_shell}" ]]; then
+
+      zsh_omz_installer "root" "${var_target}"
+      mkdir -p "${var_target}/root/.ciss/cdi/backup/root"
+      mv "${var_target}/root/.zshrc" "${var_target}/root/.ciss/cdi/backup/root/.zshrc.bak"
+      install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss.zshrc" "${var_target}/root/.zshrc"
+      insert_comments "${var_target}/root/.zshrc"
+
+      chroot_exec "${var_target}" chsh -s "${user_root_shell}" root
+      do_log "info" "file_only" "4520() Shell: '${user_root_shell}' used for: 'root'."
+
+    else
+
+      chroot_exec "${var_target}" chsh -s /bin/bash root
+      do_log "info" "file_only" "4520() Shell: '${user_root_shell}' not found for: 'root'. Using '/bin/bash' instead."
+
+    fi
+
+  fi
+
+  do_log "info" "file_only" "4520() Skeleton: 'root' successfully generated."
+
   guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
-readonly -f accounts_setup_ciss
+readonly -f accounts_setup_ciss_root
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4500_user/4522_accounts_setup_physnet.sh

@@ -23,13 +23,58 @@ guard_sourcing
 # Returns:
 #   0: on success
 #######################################
-accounts_setup_physnet() {
+accounts_setup_physnet_root() {
   ### Declare Arrays, HashMaps, and Variables.
   declare     var_target="${TARGET}"
 
   ### Check for TARGET / RECOVERY.
   [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
 
+
+  install -d -m 0700 -o root -g root "${var_target}/root/.ssh"
+  install -m 0600 -o root -g root /dev/null "${var_target}/root/.ssh/authorized_keys"
+
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.physnet.bashrc" "${var_target}/root/.bashrc"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/theme_eza_ciss.yml" "${var_target}/root/.ciss/"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/alias" "${var_target}/root/.ciss/"
+  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/check_chrony.sh" "${var_target}/root/.ciss/"
+  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/clean_logout.sh" "${var_target}/root/.ciss/"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/f2bchk" "${var_target}/root/.ciss/"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/scan_libwrap" "${var_target}/root/.ciss/"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/shortcuts" "${var_target}/root/.ciss/"
+
+  insert_comments "${var_target}/root/.bashrc"
+  insert_comments "${var_target}/root/.ciss/alias"
+  insert_comments "${var_target}/root/.ciss/check_chrony.sh"
+  insert_comments "${var_target}/root/.ciss/clean_logout.sh"
+  insert_comments "${var_target}/root/.ciss/f2bchk"
+  insert_comments "${var_target}/root/.ciss/scan_libwrap"
+  insert_comments "${var_target}/root/.ciss/shortcuts"
+
+  if [[ "${user_root_shell}" == "/bin/zsh" ]]; then
+
+    if [[ -x "${var_target}${user_root_shell}" ]]; then
+
+      zsh_omz_installer "root" "${var_target}"
+      mkdir -p "${var_target}/root/.ciss/cdi/backup/root"
+      mv "${var_target}/root/.zshrc" "${var_target}/root/.ciss/cdi/backup/root/.zshrc.bak"
+      install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.physnet.zshrc" "${var_target}/root/.zshrc"
+      insert_comments "${var_target}/root/.zshrc"
+
+      chroot_exec "${var_target}" chsh -s "${user_root_shell}" root
+      do_log "info" "file_only" "4520() Shell: '${user_root_shell}' used for: 'root'."
+
+    else
+
+      chroot_exec "${var_target}" chsh -s /bin/bash root
+      do_log "info" "file_only" "4520() Shell: '${user_root_shell}' not found for: 'root'. Using '/bin/bash' instead."
+
+    fi
+
+  fi
+
+  do_log "info" "file_only" "4520() Skeleton: 'root' successfully generated."
+
   guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.

func/cdi_4500_user/4530_accounts_timings.sh

@@ -15,7 +15,7 @@ guard_sourcing
 #######################################
 # Iterates all '/etc/shadow' entries and sets:
 #   4=min age=0, 5=max age=16384, 6=warn=128, 7=inactive=42, 8=expire=17.09.2102
-#   Safe: creates a timestamped backup and (if available) locks /etc/.pwd.lock.
+#   Safe: creates a timestamped backup and (if available) locks '/etc/.pwd.lock'.
 # Globals:
 #   RECOVERY
 #   TARGET
@@ -28,6 +28,7 @@ guard_sourcing
 update_shadow() {
   ### Declare Arrays, HashMaps, and Variables.
   declare     var_target="${TARGET}"
+
   ### Check for TARGET / RECOVERY.
   [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
 
@@ -66,12 +67,12 @@ update_shadow() {
   ### Rewrite fields 4..8 for every line
   ### Preserve fields 1..3 and 9, keep password hashes untouched.
   ### Pad to 9 fields if shorter; keep empty lines intact (rare but safe).
-  awk -v FS=":" -v OFS=":" -v exp="${var_exp_ds}" '
-    NF==0 { print; next }                     # preserve blank lines verbatim
+  awk -v FS=":" -v OFS=":" -v v_exp="${var_exp_ds}" '
+    NF==0 { print; next }                      # preserve blank lines verbatim
     {
       # pad missing trailing fields to 9
       for (i=NF+1; i<=9; i++) $i="";
-      $4=0; $5=16384; $6=128; $7=42; $8=exp;  # set required fields
+      $4=0; $5=16384; $6=128; $7=42; $8=v_exp; # set required fields
       print
     }
   ' "${var_backup}" >| "${var_temp}"

func/cdi_4600_packages/4600_installation_packages.sh

@@ -31,6 +31,7 @@ installation_packages() {
   if [[ "${VAR_APT_FULL_UPGRADE}" == "true" ]]; then
     chroot_script "${TARGET}" "
       export INITRD=No
+      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
       apt-get update  -qq 2>&1 | tee -a ${var_logfile}
       apt-get upgrade -y  2>&1 | tee -a ${var_logfile}
     "
@@ -38,11 +39,13 @@ installation_packages() {
 
   chroot_script "${TARGET}" "
     export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
     apt-get install -y --no-install-recommends --no-install-suggests ${ARY_PACKAGES[*]} 2>&1 | tee -a ${var_logfile}
   "
 
   chroot_script "${TARGET}" "
     export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
     apt-get autoclean  -y 2>&1 | tee -a ${var_logfile}
     apt-get autopurge  -y 2>&1 | tee -a ${var_logfile}
     apt-get autoremove -y 2>&1 | tee -a ${var_logfile}

func/cdi_4600_packages/4610_installation_security.sh

@@ -38,6 +38,7 @@ installation_security() {
 
   chroot_script "${TARGET}" "
     export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
     apt-get install -y --no-install-recommends --no-install-suggests ${ary_fw[*]} 2>&1 | tee -a ${var_logfile}
 
     if [[ ${VAR_SEC_FW} == apparmor ]]; then

func/cdi_4600_packages/4620_installation_verification.sh

@@ -33,6 +33,7 @@ install_verification() {
 
   chroot_script "${TARGET}" "
     export INITRD=No
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
     apt-get install -y --no-install-recommends --no-install-suggests auditd 2>&1 | tee -a ${var_logfile}
   "
 

func/cdi_4600_packages/4630_auditing_packages.sh

@@ -99,4 +99,7 @@ auditing_packages() {
 
   guard_dir && return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f auditing_packages
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_4900_xtended/4900_final_command.sh

@@ -13,12 +13,10 @@
 guard_sourcing
 
 #######################################
-# Exiting chroot of the target system.
+# Finalize the chroot system before exiting.
 # Globals:
 #   RECOVERY
 #   TARGET
-#   VAR_CHROOT_ACTIVATED
-#   VAR_NEED_RUN_IN_TARGET
 #   VAR_RUN_RECOVERY
 # Arguments:
 #   None
@@ -39,6 +37,9 @@ final_commands() {
     updatedb | tee -a ${var_logfile}
   "
 
+  rm -f "${var_target}/etc/root/ciss_xdg_tmp.sh"
+
+
   guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.

includes/target/etc/default/ciss-xdg-profile

@@ -0,0 +1,19 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Default toggles for ciss-xdg-profile
+# 1 = enable, 0 = disable
+
+ENABLE_XDG_BASH_HISTORY=1
+ENABLE_XDG_LESS_HISTORY=1
+ENABLE_XDG_ZSH_HISTORY=1
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

includes/target/etc/profile.d/ciss-xdg.sh

@@ -0,0 +1,63 @@
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# shellcheck shell=sh
+
+# This file is sourced by login shells via '/etc/profile'. Keep POSIX sh compatible.
+
+### XDG variables (do not override if already set).
+export XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
+export XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
+export XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
+export XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
+export XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
+export XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
+
+### XDG_RUNTIME_DIR is provided by systemd-logind; do not set a persistent path.
+# shellcheck disable=SC2312
+if [ -z "${XDG_RUNTIME_DIR:-}" ] && [ -d "/run/user/$(id -u)" ]; then
+  # shellcheck disable=SC2155
+  export XDG_RUNTIME_DIR="/run/user/$(id -u)"
+fi
+
+### Create canonical directories idempotently with 0700.
+_xdg_umask="$(umask)"
+umask 077
+[ -d "${XDG_CONFIG_HOME}"     ] || install -d -m 0700 -- "${XDG_CONFIG_HOME}"
+[ -d "${XDG_DATA_HOME}"       ] || install -d -m 0700 -- "${XDG_DATA_HOME}"
+[ -d "${XDG_CACHE_HOME}"      ] || install -d -m 0700 -- "${XDG_CACHE_HOME}"
+[ -d "${XDG_STATE_HOME}"      ] || install -d -m 0700 -- "${XDG_STATE_HOME}"
+umask "${_xdg_umask}"
+unset _xdg_umask
+
+### Optional migrations (controlled via /'etc/default/ciss-xdg-profile').
+[ -f /etc/default/ciss-xdg-profile ] && . /etc/default/ciss-xdg-profile
+
+### Bash history -> XDG_STATE_HOME (only if running bash).
+if [ "${ENABLE_XDG_BASH_HISTORY:-1}" = "1" ] && [ -n "${BASH_VERSION:-}" ]; then
+  [ -d "${XDG_STATE_HOME}/bash" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/bash"
+  export HISTFILE="${XDG_STATE_HOME}/bash/history"
+fi
+
+### Zsh history -> XDG_STATE_HOME (best-effort; zsh might not read /etc/profile)
+if [ "${ENABLE_XDG_ZSH_HISTORY:-1}" = "1" ] && [ -n "${ZSH_VERSION:-}" ]; then
+  [ -d "${XDG_STATE_HOME}/zsh" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/zsh"
+  export HISTFILE="${XDG_STATE_HOME}/zsh/history"
+fi
+
+### Less history -> XDG_STATE_HOME
+if [ "${ENABLE_XDG_LESS_HISTORY:-1}" = "1" ]; then
+  [ -d "${XDG_STATE_HOME}/less" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/less"
+  export LESSHISTFILE="${XDG_STATE_HOME}/less/history"
+fi
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/etc/skel/.cache/.keep

@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu

includes/target/etc/skel/.ciss.bashrc

@@ -11,6 +11,9 @@
 
 [[ $- != *i* ]] && return
 
+### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
+set +o errexit +o nounset +o pipefail
+
 # shellcheck disable=SC2312
 if [[ "$(id -u)" -eq 0 ]]; then
   umask 0022
@@ -27,9 +30,6 @@ trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' EXIT
 . "${HOME}/.ciss/scan_libwrap"
 . "${HOME}/.ciss/shortcuts"
 
-### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
-set +o errexit +o nounset +o pipefail
-
 ### Preferred editor for local and remote sessions.
 export EDITOR="nano"
 
@@ -40,7 +40,7 @@ export HISTCONTROL='ignoreboth:erasedups'
 
 # The name of the file in which command history is saved. The default value is ~/.bash_history. If unset, the command history
 # is not saved when a shell exits.
-export HISTFILE=~/.bash_history
+export HISTFILE="${XDG_STATE_HOME}/bash/history"
 
 # The maximum number of lines contained in the history file.
 export HISTFILESIZE="16384"

includes/target/etc/skel/.ciss.zshrc

@@ -152,7 +152,7 @@ export EDITOR="nano"
 
 ### History
 # The name of the file in which command history is saved.
-export HISTFILE="${HOME}/.zsh_history"
+export HISTFILE="${XDG_STATE_HOME}/zsh/history"
 # The maximum number of lines contained in the history file.
 export HISTSIZE=16384
 # The number of commands to remember in the command history.

includes/target/etc/skel/.ciss/alias

@@ -10,9 +10,6 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-########################################################################################### Alpha
-alias genkeyfile='haveged -n 1048576 >| /tmp/secure_keyfile_$(date +%s)'
-
 ########################################################################################### Bash
 alias clear="printf '\033c'"
 alias c='clear'
@@ -225,12 +222,12 @@ swget() {
 }
 
 #######################################
-# Wrapper for loading CISS.2025 hardened Kernel Parameters.
+# Wrapper for loading CISS hardened Kernel Parameters.
 # Arguments:
 #   None
 #######################################
 sysp() {
-  sysctl -p /etc/sysctl.d/99_local.hardened
+  sysctl -p /etc/sysctl.d/9999_ciss_debian_installer.hardened
   # sleep 1
   # shellcheck disable=SC2312
   sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log

includes/target/etc/skel/.config/.keep

@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu

includes/target/etc/skel/.local/.keep

@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu

includes/target/etc/skel/.local/share/.keep

@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu

includes/target/etc/skel/.local/state/.keep

@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu

includes/target/etc/skel/.local/state/bash/.keep

@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu

includes/target/etc/skel/.local/state/less/.keep

@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu

includes/target/etc/skel/.local/state/zsh/.keep

@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu

includes/target/etc/skel/.physnet.bashrc

@@ -0,0 +1,127 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+[[ $- != *i* ]] && return
+
+### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
+set +o errexit +o nounset +o pipefail
+
+# shellcheck disable=SC2312
+if [[ "$(id -u)" -eq 0 ]]; then
+  umask 0022
+  PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+else
+  umask 0077
+  PATH="/usr/local/bin:/usr/bin:/bin"
+fi
+export PATH
+
+trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' EXIT
+. "${HOME}/.ciss/alias"
+. "${HOME}/.ciss/f2bchk"
+. "${HOME}/.ciss/scan_libwrap"
+. "${HOME}/.ciss/shortcuts"
+
+### Preferred editor for local and remote sessions.
+export EDITOR="nano"
+
+### History-Settings
+# -'ignoreboth' Do not put duplicate lines or lines starting with space in the history.
+# -'erasedups' Causes all previous lines matching the current line to be removed from the history before that line is saved.
+export HISTCONTROL='ignoreboth:erasedups'
+
+# The name of the file in which command history is saved. The default value is ~/.bash_history. If unset, the command history
+# is not saved when a shell exits.
+export HISTFILE="${XDG_STATE_HOME}/bash/history"
+
+# The maximum number of lines contained in the history file.
+export HISTFILESIZE="16384"
+
+# The number of commands to remember in the command history. If the value is 0, commands are not saved in the history list.
+# Numeric values less than zero result in every command being saved on the history list (there is no limit).
+export HISTSIZE="16384"
+
+# If this variable is set, time stamps are written to the history file, so they may be preserved across shell sessions.
+export HISTTIMEFORMAT='%F %T %z  '
+
+# Optional, cautious filters (avoids trivial leaks, but not foolproof). Caution: HISTIGNORE is coarse-grained, don't overdo it.
+export HISTIGNORE='*PASS*:*pass*:*secret*:*token*:*API_KEY*:*'
+
+# With only histappend, entries can be lost or merge with each other in the event of a crash or multiple sessions.
+# "-a": Appends new entries from RAM to the file.
+# "-c": Then empties only the RAM buffer. Not used here for performance reasons.
+# "-r": Loads the file back into RAM.
+__ciss_hist_pc__='history -a; history -n'
+if [[ ${PROMPT_COMMAND-} != *"history -a; history -n"* ]]; then
+  PROMPT_COMMAND="${PROMPT_COMMAND:+${PROMPT_COMMAND}; }${__ciss_hist_pc__}"
+fi
+unset __ciss_hist_pc__
+export PROMPT_COMMAND
+
+# Check the window size after each command and, if necessary, update the values of "LINES" and "COLUMNS".
+shopt -s checkwinsize
+
+# Append to the history file, don't overwrite it.
+shopt -s histappend
+
+# If set, the pattern "**" used in a pathname expansion context will match all files and zero or more directories and subdirectories.
+shopt -s globstar
+
+# Multi-line entries (line breaks using \ or via PS2) are stored in the history as a single entry.
+shopt -s cmdhist
+
+# Works in addition to cmdhist: Multi-line commands are stored in the history with real newlines, i.e., in their original format.
+shopt -s lithist
+
+# Check History permissions.
+[[ -f "${HISTFILE}" ]] && chmod 0600 "${HISTFILE}"
+
+### Define colors for bash prompt.
+export CRED='\033[1;91m'
+export CGRE='\033[1;92m'
+export CYEL='\033[1;93m'
+export CBLU='\033[1;94m'
+export CMAG='\033[1;95m'
+export CCYA='\033[1;96m'
+export CWHI='\033[1;97m'
+export CRES='\033[0m'
+export NL='\n'
+
+### Define color prompt incl. 'Exit Code' feedback.
+export PS1="\
+\[\033[1;91m\]\d\[\033[0m\]|\
+\[\033[1;91m\]\u\[\033[0m\]@\
+\[\033[1;95m\]\h\[\033[0m\]:\
+\[\033[1;96m\]\w\[\033[0m\]/>>\
+\$(if [[ \$? -eq 0 ]]; then \
+    echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
+  else \
+    echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
+  fi)\
+\$(if [[ \$(id -u) -eq 0 ]]; then echo -e \" \[\033[1;91m\]#\[\033[0m\] \"; else echo -e \" \[\033[1;92m\]\\\$\[\033[0m\] \"; fi)"
+
+### Overwrite Protection.
+set -o noclobber
+alias cp='cp -iv'
+alias mv='mv -iv'
+alias rm='rm -iv'
+
+printf "\n"
+printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
+printf "%b✅ Welcome back %b" "${CGRE}" "${CRES}"
+printf "%b'%s'%b" "${CMAG}" "${USER}" "${CRES}"
+printf "%b! Type%b" "${CGRE}" "${CRES}"
+printf "%b 'celp'%b" "${CMAG}" "${CRES}"
+printf "%b for shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
+printf "\n"
+printf "\n"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/etc/skel/.physnet.zshrc

@@ -0,0 +1,200 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+[[ -o interactive ]] || return
+
+# shellcheck disable=SC2312
+if [[ "$(id -u)" -eq 0 ]]; then
+  umask 0022
+  # If you come from bash, you might have to change your $PATH.
+  PATH="${HOME}/bin:${HOME}/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+else
+  umask 0077
+  # If you come from bash, you might have to change your $PATH.
+  PATH="${HOME}/bin:${HOME}/.local/bin:/usr/local/bin:/usr/bin:/bin"
+fi
+export PATH
+
+### Path to your Oh My Zsh installation.
+export ZSH="${HOME}/.oh-my-zsh"
+
+# Set the name of the theme to load --- if set to "random", it will load a random theme each time Oh My Zsh is loaded, in which
+# case, to know what specific theme was loaded, run: echo $RANDOM_THEME. See https://github.com/ohmyzsh/ohmyzsh/wiki/Themes
+export ZSH_THEME="robbyrussell"
+
+# Set the list of themes to pick from when loading at random Setting this variable when ZSH_THEME=random will cause zsh to load
+# a theme from this variable instead of looking in $ZSH/themes/. If set to an empty array, this variable will have no effect.
+# ZSH_THEME_RANDOM_CANDIDATES=( "robbyrussell" "agnoster" )
+
+# Uncomment the following line to use case-sensitive completion.
+# CASE_SENSITIVE="true"
+
+# Uncomment the following line to use hyphen-insensitive completion. Case-sensitive completion must be off. _ and - will be
+# interchangeable.
+# HYPHEN_INSENSITIVE="true"
+
+# Uncomment one of the following lines to change the auto-update behavior
+# zstyle ':omz:update' mode disabled  # disable automatic updates
+# zstyle ':omz:update' mode auto      # update automatically without asking
+# zstyle ':omz:update' mode reminder  # just remind me to update when it's time
+
+# Uncomment the following line to change how often to auto-update (in days).
+# zstyle ':omz:update' frequency 13
+
+# Uncomment the following line if pasting URLs and other text is messed up.
+# DISABLE_MAGIC_FUNCTIONS="true"
+
+# Uncomment the following line to disable colors in ls.
+# DISABLE_LS_COLORS="true"
+
+# Uncomment the following line to disable auto-setting terminal title.
+# DISABLE_AUTO_TITLE="true"
+
+# Uncomment the following line to enable command autocorrection.
+# ENABLE_CORRECTION="true"
+
+# Uncomment the following line to display red dots whilst waiting for completion. You can also set it to another string to have
+# that is shown instead of the default red dots.
+# e.g., COMPLETION_WAITING_DOTS="%F{yellow}waiting...%f"
+# Caution: this setting can cause issues with multiline prompts in zsh < 5.7.1 (see #5765)
+# COMPLETION_WAITING_DOTS="true"
+
+# Uncomment the following line if you want to disable marking untracked files under VCS as dirty. This makes repository status
+# check for large repositories much, much faster.
+# DISABLE_UNTRACKED_FILES_DIRTY="true"
+
+# Uncomment the following line if you want to change the command execution time stamp shown in the history command output.
+# You can set one of the optional three formats:
+# "mm/dd/yyyy"|"dd.mm.yyyy"|"yyyy-mm-dd"
+# or set a custom format using the strftime function format specifications, see 'man strftime' for details.
+export HIST_STAMPS="yyyy-mm-dd"
+
+# Would you like to use another custom folder than $ZSH/custom?
+# ZSH_CUSTOM=/path/to/new-custom-folder
+
+# Which plugins would you like to load?
+# Standard plugins can be found in $ZSH/plugins/
+# Custom plugins may be added to $ZSH_CUSTOM/plugins/
+# Example format: plugins=(rails git textmate ruby lighthouse)
+# Add wisely, as too many plugins slow down shell startup.
+export plugins=(git zsh-syntax-highlighting zsh-autosuggestions)
+
+source ${ZSH}/oh-my-zsh.sh
+
+# User configuration
+
+# export MANPATH="/usr/local/man:{$MANPATH}"
+
+# You may need to manually set your language environment
+# export LANG=en_US.UTF-8
+
+# Preferred editor for local and remote sessions
+# if [[ -n $SSH_CONNECTION ]]; then
+#   export EDITOR='vim'
+# else
+#   export EDITOR='nvim'
+# fi
+
+# Compilation flags
+# export ARCHFLAGS="-arch $(uname -m)"
+
+# Set personal aliases, overriding those provided by Oh My Zsh libs,
+# plugins, and themes. Aliases can be placed here, though Oh My Zsh
+# users are encouraged to define aliases within a top-level file in
+# the $ZSH_CUSTOM folder, with .zsh extension. Examples:
+# - $ZSH_CUSTOM/aliases.zsh
+# - $ZSH_CUSTOM/macos.zsh
+# For a full list of active aliases, run `alias`.
+#
+# Example aliases
+# alias zshconfig="mate ~/.zshrc"
+# alias ohmyzsh="mate ~/.oh-my-zsh"
+
+### Added by CISS.debian.installer ###
+trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' EXIT
+. "${HOME}/.ciss/alias"
+. "${HOME}/.ciss/f2bchk"
+. "${HOME}/.ciss/shortcuts"
+. "${HOME}/.ciss/scan_libwrap"
+. /usr/share/doc/fzf/examples/key-bindings.zsh
+. /usr/share/doc/fzf/examples/completion.zsh
+
+### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
+set +o errexit +o nounset +o pipefail
+
+### Define colors for bash prompt
+export CRED='\033[1;91m'
+export CGRE='\033[1;92m'
+export CYEL='\033[1;93m'
+export CBLU='\033[1;94m'
+export CMAG='\033[1;95m'
+export CCYA='\033[1;96m'
+export CWHI='\033[1;97m'
+export CRES='\033[0m'
+export NL='\n'
+
+### Overwrite Protection
+set -o noclobber
+alias cp="cp -iv"
+alias mv='mv -iv'
+alias rm='rm -iv'
+
+### Preferred editor for local and remote sessions
+export EDITOR="nano"
+
+### History
+# The name of the file in which command history is saved.
+export HISTFILE="${XDG_STATE_HOME}/zsh/history"
+# The maximum number of lines contained in the history file.
+export HISTSIZE=16384
+# The number of commands to remember in the command history.
+export SAVEHIST=16384
+# Timestamp in the file: epoch:duration;command.
+setopt EXTENDED_HISTORY
+# Append, do not overwrite.
+setopt APPEND_HISTORY
+# Append lines immediately to the file.
+setopt INC_APPEND_HISTORY
+# Reload new lines from other sessions.
+setopt SHARE_HISTORY
+# Leading space do not log.
+setopt HIST_IGNORE_SPACE
+# When writing out the history file, older commands that duplicate newer ones are omitted.
+setopt HIST_SAVE_NO_DUPS
+# Remove superfluous blanks from each command line being added to the history list.
+setopt HIST_REDUCE_BLANKS
+
+# Check History permissions.
+[[ -f "${HISTFILE}" ]] && chmod 0600 "${HISTFILE}"
+
+### Define Users
+if [ "${UID}" -eq 0 ]; then
+  export USER_COLOR="%F{001}"
+else
+  export USER_COLOR="%F{002}"
+fi
+
+### CISS.debian.installer Prompt
+PROMPT='${USER_COLOR}%D%f|${USER_COLOR}%n%f@%F{005}%M%f:%F{006}%d%f/>>%(?.%F{002}%?.%F{001}%?)%f|~%#> '
+RPROMPT='%h|[${USER_COLOR}%*%f]'
+
+### Welcome message after login.
+printf "\n"
+printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
+printf "%b✅ Welcome back %b" "${CGRE}" "${CRES}"
+printf "%b'%b'%b" "${CMAG}" "${USER}" "${CRES}"
+printf "%b! Type%b" "${CGRE}" "${CRES}"
+printf "%b 'celp'%b" "${CMAG}" "${CRES}"
+printf "%b for shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
+printf "\n"
+printf "\n"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/etc/ssh/sshd_config

@@ -10,7 +10,8 @@
 # SPDX-Security-Contact: security@coresecret.eu
 
 ### https://www.ssh-audit.com/
-### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
+### ssh -Q cipher | cipher-auth | compression
+### ssh -Q kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
 
 Include                      /etc/ssh/sshd_config.d/*.conf
 

includes/target/root/.ciss.bashrc

@@ -0,0 +1,127 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+[[ $- != *i* ]] && return
+
+### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
+set +o errexit +o nounset +o pipefail
+
+# shellcheck disable=SC2312
+if [[ "$(id -u)" -eq 0 ]]; then
+  umask 0022
+  PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+else
+  umask 0077
+  PATH="/usr/local/bin:/usr/bin:/bin"
+fi
+export PATH
+
+trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' EXIT
+. "${HOME}/.ciss/alias"
+. "${HOME}/.ciss/f2bchk"
+. "${HOME}/.ciss/scan_libwrap"
+. "${HOME}/.ciss/shortcuts"
+
+### Preferred editor for local and remote sessions.
+export EDITOR="nano"
+
+### History-Settings
+# -'ignoreboth' Do not put duplicate lines or lines starting with space in the history.
+# -'erasedups' Causes all previous lines matching the current line to be removed from the history before that line is saved.
+export HISTCONTROL='ignoreboth:erasedups'
+
+# The name of the file in which command history is saved. The default value is ~/.bash_history. If unset, the command history
+# is not saved when a shell exits.
+export HISTFILE="${XDG_STATE_HOME}/bash/history"
+
+# The maximum number of lines contained in the history file.
+export HISTFILESIZE="16384"
+
+# The number of commands to remember in the command history. If the value is 0, commands are not saved in the history list.
+# Numeric values less than zero result in every command being saved on the history list (there is no limit).
+export HISTSIZE="16384"
+
+# If this variable is set, time stamps are written to the history file, so they may be preserved across shell sessions.
+export HISTTIMEFORMAT='%F %T %z  '
+
+# Optional, cautious filters (avoids trivial leaks, but not foolproof). Caution: HISTIGNORE is coarse-grained, don't overdo it.
+export HISTIGNORE='*PASS*:*pass*:*secret*:*token*:*API_KEY*:*'
+
+# With only histappend, entries can be lost or merge with each other in the event of a crash or multiple sessions.
+# "-a": Appends new entries from RAM to the file.
+# "-c": Then empties only the RAM buffer. Not used here for performance reasons.
+# "-r": Loads the file back into RAM.
+__ciss_hist_pc__='history -a; history -n'
+if [[ ${PROMPT_COMMAND-} != *"history -a; history -n"* ]]; then
+  PROMPT_COMMAND="${PROMPT_COMMAND:+${PROMPT_COMMAND}; }${__ciss_hist_pc__}"
+fi
+unset __ciss_hist_pc__
+export PROMPT_COMMAND
+
+# Check the window size after each command and, if necessary, update the values of "LINES" and "COLUMNS".
+shopt -s checkwinsize
+
+# Append to the history file, don't overwrite it.
+shopt -s histappend
+
+# If set, the pattern "**" used in a pathname expansion context will match all files and zero or more directories and subdirectories.
+shopt -s globstar
+
+# Multi-line entries (line breaks using \ or via PS2) are stored in the history as a single entry.
+shopt -s cmdhist
+
+# Works in addition to cmdhist: Multi-line commands are stored in the history with real newlines, i.e., in their original format.
+shopt -s lithist
+
+# Check History permissions.
+[[ -f "${HISTFILE}" ]] && chmod 0600 "${HISTFILE}"
+
+### Define colors for bash prompt.
+export CRED='\033[1;91m'
+export CGRE='\033[1;92m'
+export CYEL='\033[1;93m'
+export CBLU='\033[1;94m'
+export CMAG='\033[1;95m'
+export CCYA='\033[1;96m'
+export CWHI='\033[1;97m'
+export CRES='\033[0m'
+export NL='\n'
+
+### Define color prompt incl. 'Exit Code' feedback.
+export PS1="\
+\[\033[1;91m\]\d\[\033[0m\]|\
+\[\033[1;91m\]\u\[\033[0m\]@\
+\[\033[1;95m\]\h\[\033[0m\]:\
+\[\033[1;96m\]\w\[\033[0m\]/>>\
+\$(if [[ \$? -eq 0 ]]; then \
+    echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
+  else \
+    echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
+  fi)\
+\$(if [[ \$(id -u) -eq 0 ]]; then echo -e \" \[\033[1;91m\]#\[\033[0m\] \"; else echo -e \" \[\033[1;92m\]\\\$\[\033[0m\] \"; fi)"
+
+### Overwrite Protection.
+set -o noclobber
+alias cp='cp -iv'
+alias mv='mv -iv'
+alias rm='rm -iv'
+
+printf "\n"
+printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
+printf "%b✅ Welcome back %b" "${CGRE}" "${CRES}"
+printf "%b'%s'%b" "${CMAG}" "${USER}" "${CRES}"
+printf "%b! Type%b" "${CGRE}" "${CRES}"
+printf "%b 'celp'%b" "${CMAG}" "${CRES}"
+printf "%b for shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
+printf "\n"
+printf "\n"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/root/.ciss.zshrc

@@ -0,0 +1,200 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+[[ -o interactive ]] || return
+
+# shellcheck disable=SC2312
+if [[ "$(id -u)" -eq 0 ]]; then
+  umask 0022
+  # If you come from bash, you might have to change your $PATH.
+  PATH="${HOME}/bin:${HOME}/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+else
+  umask 0077
+  # If you come from bash, you might have to change your $PATH.
+  PATH="${HOME}/bin:${HOME}/.local/bin:/usr/local/bin:/usr/bin:/bin"
+fi
+export PATH
+
+### Path to your Oh My Zsh installation.
+export ZSH="${HOME}/.oh-my-zsh"
+
+# Set the name of the theme to load --- if set to "random", it will load a random theme each time Oh My Zsh is loaded, in which
+# case, to know what specific theme was loaded, run: echo $RANDOM_THEME. See https://github.com/ohmyzsh/ohmyzsh/wiki/Themes
+export ZSH_THEME="robbyrussell"
+
+# Set the list of themes to pick from when loading at random Setting this variable when ZSH_THEME=random will cause zsh to load
+# a theme from this variable instead of looking in $ZSH/themes/. If set to an empty array, this variable will have no effect.
+# ZSH_THEME_RANDOM_CANDIDATES=( "robbyrussell" "agnoster" )
+
+# Uncomment the following line to use case-sensitive completion.
+# CASE_SENSITIVE="true"
+
+# Uncomment the following line to use hyphen-insensitive completion. Case-sensitive completion must be off. _ and - will be
+# interchangeable.
+# HYPHEN_INSENSITIVE="true"
+
+# Uncomment one of the following lines to change the auto-update behavior
+# zstyle ':omz:update' mode disabled  # disable automatic updates
+# zstyle ':omz:update' mode auto      # update automatically without asking
+# zstyle ':omz:update' mode reminder  # just remind me to update when it's time
+
+# Uncomment the following line to change how often to auto-update (in days).
+# zstyle ':omz:update' frequency 13
+
+# Uncomment the following line if pasting URLs and other text is messed up.
+# DISABLE_MAGIC_FUNCTIONS="true"
+
+# Uncomment the following line to disable colors in ls.
+# DISABLE_LS_COLORS="true"
+
+# Uncomment the following line to disable auto-setting terminal title.
+# DISABLE_AUTO_TITLE="true"
+
+# Uncomment the following line to enable command autocorrection.
+# ENABLE_CORRECTION="true"
+
+# Uncomment the following line to display red dots whilst waiting for completion. You can also set it to another string to have
+# that is shown instead of the default red dots.
+# e.g., COMPLETION_WAITING_DOTS="%F{yellow}waiting...%f"
+# Caution: this setting can cause issues with multiline prompts in zsh < 5.7.1 (see #5765)
+# COMPLETION_WAITING_DOTS="true"
+
+# Uncomment the following line if you want to disable marking untracked files under VCS as dirty. This makes repository status
+# check for large repositories much, much faster.
+# DISABLE_UNTRACKED_FILES_DIRTY="true"
+
+# Uncomment the following line if you want to change the command execution time stamp shown in the history command output.
+# You can set one of the optional three formats:
+# "mm/dd/yyyy"|"dd.mm.yyyy"|"yyyy-mm-dd"
+# or set a custom format using the strftime function format specifications, see 'man strftime' for details.
+export HIST_STAMPS="yyyy-mm-dd"
+
+# Would you like to use another custom folder than $ZSH/custom?
+# ZSH_CUSTOM=/path/to/new-custom-folder
+
+# Which plugins would you like to load?
+# Standard plugins can be found in $ZSH/plugins/
+# Custom plugins may be added to $ZSH_CUSTOM/plugins/
+# Example format: plugins=(rails git textmate ruby lighthouse)
+# Add wisely, as too many plugins slow down shell startup.
+export plugins=(git zsh-syntax-highlighting zsh-autosuggestions)
+
+source ${ZSH}/oh-my-zsh.sh
+
+# User configuration
+
+# export MANPATH="/usr/local/man:{$MANPATH}"
+
+# You may need to manually set your language environment
+# export LANG=en_US.UTF-8
+
+# Preferred editor for local and remote sessions
+# if [[ -n $SSH_CONNECTION ]]; then
+#   export EDITOR='vim'
+# else
+#   export EDITOR='nvim'
+# fi
+
+# Compilation flags
+# export ARCHFLAGS="-arch $(uname -m)"
+
+# Set personal aliases, overriding those provided by Oh My Zsh libs,
+# plugins, and themes. Aliases can be placed here, though Oh My Zsh
+# users are encouraged to define aliases within a top-level file in
+# the $ZSH_CUSTOM folder, with .zsh extension. Examples:
+# - $ZSH_CUSTOM/aliases.zsh
+# - $ZSH_CUSTOM/macos.zsh
+# For a full list of active aliases, run `alias`.
+#
+# Example aliases
+# alias zshconfig="mate ~/.zshrc"
+# alias ohmyzsh="mate ~/.oh-my-zsh"
+
+### Added by CISS.debian.installer ###
+trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' EXIT
+. "${HOME}/.ciss/alias"
+. "${HOME}/.ciss/f2bchk"
+. "${HOME}/.ciss/shortcuts"
+. "${HOME}/.ciss/scan_libwrap"
+. /usr/share/doc/fzf/examples/key-bindings.zsh
+. /usr/share/doc/fzf/examples/completion.zsh
+
+### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
+set +o errexit +o nounset +o pipefail
+
+### Define colors for bash prompt
+export CRED='\033[1;91m'
+export CGRE='\033[1;92m'
+export CYEL='\033[1;93m'
+export CBLU='\033[1;94m'
+export CMAG='\033[1;95m'
+export CCYA='\033[1;96m'
+export CWHI='\033[1;97m'
+export CRES='\033[0m'
+export NL='\n'
+
+### Overwrite Protection
+set -o noclobber
+alias cp="cp -iv"
+alias mv='mv -iv'
+alias rm='rm -iv'
+
+### Preferred editor for local and remote sessions
+export EDITOR="nano"
+
+### History
+# The name of the file in which command history is saved.
+export HISTFILE="${XDG_STATE_HOME}/zsh/history"
+# The maximum number of lines contained in the history file.
+export HISTSIZE=16384
+# The number of commands to remember in the command history.
+export SAVEHIST=16384
+# Timestamp in the file: epoch:duration;command.
+setopt EXTENDED_HISTORY
+# Append, do not overwrite.
+setopt APPEND_HISTORY
+# Append lines immediately to the file.
+setopt INC_APPEND_HISTORY
+# Reload new lines from other sessions.
+setopt SHARE_HISTORY
+# Leading space do not log.
+setopt HIST_IGNORE_SPACE
+# When writing out the history file, older commands that duplicate newer ones are omitted.
+setopt HIST_SAVE_NO_DUPS
+# Remove superfluous blanks from each command line being added to the history list.
+setopt HIST_REDUCE_BLANKS
+
+# Check History permissions.
+[[ -f "${HISTFILE}" ]] && chmod 0600 "${HISTFILE}"
+
+### Define Users
+if [ "${UID}" -eq 0 ]; then
+  export USER_COLOR="%F{001}"
+else
+  export USER_COLOR="%F{002}"
+fi
+
+### CISS.debian.installer Prompt
+PROMPT='${USER_COLOR}%D%f|${USER_COLOR}%n%f@%F{005}%M%f:%F{006}%d%f/>>%(?.%F{002}%?.%F{001}%?)%f|~%#> '
+RPROMPT='%h|[${USER_COLOR}%*%f]'
+
+### Welcome message after login.
+printf "\n"
+printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
+printf "%b✅ Welcome back %b" "${CGRE}" "${CRES}"
+printf "%b'%b'%b" "${CMAG}" "${USER}" "${CRES}"
+printf "%b! Type%b" "${CGRE}" "${CRES}"
+printf "%b 'celp'%b" "${CMAG}" "${CRES}"
+printf "%b for shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
+printf "\n"
+printf "\n"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/root/.ciss/alias

@@ -10,9 +10,6 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-########################################################################################### Alpha
-alias genkeyfile='haveged -n 1048576 >| /tmp/secure_keyfile_$(date +%s)'
-
 ########################################################################################### Bash
 alias clear="printf '\033c'"
 alias c='clear'
@@ -115,7 +112,7 @@ genpasswd() {
         ;;
       '' | *[!0-9]*) ;;
       *)
-         length="$1"
+        length="$1"
         ;;
     esac
     shift
@@ -177,11 +174,11 @@ scurl() {
   declare url="$1"
   declare output_path="$2"
   if ! curl --doh-url "https://dns01.eddns.eu/dns-query" \
-            --doh-cert-status \
-            --tlsv1.3 \
-            -sSf \
-            -o "${output_path}" \
-            "${url}"
+    --doh-cert-status \
+    --tlsv1.3 \
+    -sSf \
+    -o "${output_path}" \
+    "${url}"
   then
     printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
     return 2
@@ -212,11 +209,11 @@ swget() {
   declare output_path="$2"
   mkdir -p "$(dirname "${output_path}")"
   if ! wget --show-progress \
-            --no-clobber \
-            --https-only \
-            --secure-protocol=TLSv1_3 \
-            -qO "${output_path}" \
-            "${url}"
+    --no-clobber \
+    --https-only \
+    --secure-protocol=TLSv1_3 \
+    -qO "${output_path}" \
+    "${url}"
   then
     printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
     return 2
@@ -225,12 +222,12 @@ swget() {
 }
 
 #######################################
-# Wrapper for loading CISS.2025 hardened Kernel Parameters.
+# Wrapper for loading CISS hardened Kernel Parameters.
 # Arguments:
 #   None
 #######################################
 sysp() {
-  sysctl -p /etc/sysctl.d/99_local.hardened
+  sysctl -p /etc/sysctl.d/9999_ciss_debian_installer.hardened
   # sleep 1
   # shellcheck disable=SC2312
   sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log

includes/target/root/.ciss/check_chrony.sh

@@ -0,0 +1,142 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+set -Ceuo pipefail
+
+#######################################
+# Minimal leap-second probe for Debian/chrony systems.
+# - Prints kernel leap flags & TAI offset (delta AT).
+# - Reads tzdata's leap-seconds list (authoritative TAI-UTC).
+# - Shows chrony tracking summary (incl. leap status).
+# - Demonstrates 23:59:60 rendering via TZ=right/UTC.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+main() {
+  ### 1) System TZ and tzdata source.
+  printf "System TZ link: [%s]\n\n" "$(readlink -f /etc/localtime || true)"
+
+  if [[ -f /usr/share/zoneinfo/leap-seconds.list ]]; then
+
+    declare tz_leap_line tz_tai tz_ntp ts_human
+
+    tz_leap_line="$(awk '($1 !~ /^#/) {L=$0} END{print L}' /usr/share/zoneinfo/leap-seconds.list)"
+    tz_ntp="$(awk '{print $1}' <<<"${tz_leap_line}")"
+    tz_tai="$(awk '{print $2}' <<<"${tz_leap_line}")"
+    ts_human="$(awk -F'#' '{gsub(/^[[:space:]]+/, "", $2); print $2}' <<<"${tz_leap_line}")"
+
+    printf "tzdata delta AT (TAI-UTC): %s s [last change at: %s; NTP ts: %s]\n\n" "${tz_tai:-?}" "${ts_human:-?}" "${tz_ntp:-?}"
+
+  else
+
+    printf "tzdata leap-seconds.list not found.\n"
+
+  fi
+
+  ### 2) Kernel view (requires adjtimex).
+  if command -v adjtimex >/dev/null 2>&1; then
+
+    printf "Kernel time status (adjtimex -p):\n"
+    adjtimex -p | sed 's/^/  /'
+    declare k_tai
+    k_tai="$(adjtimex -p | awk '/^tai:/ {print $2}')"
+
+    if [[ -n "${k_tai:-}" ]]; then
+
+      printf "Kernel-exported delta AT [tai]: %s s\n" "${k_tai}"
+
+    fi
+
+  else
+
+    printf "Package: 'adjtimex' not found. Install 'adjtimex' for kernel leap/TAI details.\n\n"
+
+  fi
+
+  ### 3) Chrony summary.
+  if command -v chronyc >/dev/null 2>&1; then
+
+    printf "\n"
+    printf "chronyc tracking:\n"
+    chronyc -n tracking | sed 's/^/  /'
+
+  else
+
+    printf "Package: 'chronyc' not found. Skipping chrony status.\n\n"
+
+  fi
+
+  ### 4) right/UTC demonstration of 23:59:60 (uses 2016-12-31 leap).
+  if [[ -f /usr/share/zoneinfo/right/UTC ]]; then
+
+    printf "\n"
+    printf "right/UTC leap rendering check (expect 23:59:60):\n\n"
+    TZ=right/UTC date -ud '2017-01-01 00:00:00 -1 second' || true
+
+  else
+
+    printf "\n"
+    printf "File: 'tzdata right/UTC' zone not installed; skipping 23:59:60 demo.\n\n"
+
+  fi
+
+  printf "\n"
+  printf "Hint:\n"
+
+  printf "  - delta AT (TAI-UTC) should match tzdata and kernel (chrony sets kernel TAI if leapsectz/leapseclist is used).\n"
+  printf "  - For monotonic intervals, apps must use CLOCK_MONOTONIC, not CLOCK_REALTIME.\n"
+
+  return 0
+}
+
+### Build right/UTC from tzdata leap table if missing.
+if [[ ! -e /usr/share/zoneinfo/right/UTC ]]; then
+
+  install -d -m 0755 /usr/share/zoneinfo/right
+
+  ### Minimal zic source for a fixed UTC zone.
+  declare -r tmp_src="/tmp/UTC.src"
+  printf 'Zone UTC  0  -  UTC\n' > "${tmp_src}"
+
+  ### Prefer the zic-format leapseconds file.
+  declare leap_zic="/usr/share/zoneinfo/leapseconds"
+
+  if [[ -s "${leap_zic}" ]]; then
+
+    zic -d /usr/share/zoneinfo/right -L "${leap_zic}" "${tmp_src}"
+
+  else
+
+    echo "WARNING: ${leap_zic} not found; building right/UTC without leap info." >&2
+    zic -d /usr/share/zoneinfo/right -L /dev/null "${tmp_src}"
+
+  fi
+
+  rm -f "${tmp_src}"
+
+fi
+
+if [[ -e /usr/share/zoneinfo/right/UTC ]]; then
+
+  ### Expect to see 'Sat Dec 31 23:59:60 UTC 2016' rendered in right/UTC
+  TZ=right/UTC date -ud '2017-01-01 00:00:00 -1 second' || true
+
+fi
+
+main "$@"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/root/.ciss/theme_eza_ciss.yml

@@ -0,0 +1,125 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+%YAML 1.2
+---
+
+colourful: true
+
+filekinds:
+  normal: {foreground: Default}
+  directory: {foreground: Purple, is_bold: true}
+  symlink: {foreground: Cyan}
+  pipe: {foreground: Yellow}
+  block_device: {foreground: Yellow, is_bold: true}
+  char_device: {foreground: Yellow, is_bold: true}
+  socket: {foreground: Red, is_bold: true}
+  special: {foreground: Yellow}
+  executable: {foreground: Green, is_bold: true}
+  mount_point: {foreground: Purple, is_bold: true, is_underlined: true}
+
+perms:
+  user_read: {foreground: Yellow, is_bold: true}
+  user_write: {foreground: Red, is_bold: true}
+  user_execute_file: {foreground: Green, is_bold: true, is_underlined: true}
+  user_execute_other: {foreground: Green, is_bold: true}
+  group_read: {foreground: Yellow}
+  group_write: {foreground: Red}
+  group_execute: {foreground: Green}
+  other_read: {foreground: Yellow}
+  other_write: {foreground: Red}
+  other_execute: {foreground: Green}
+  special_user_file: {foreground: Purple}
+  special_other: {foreground: Purple}
+  attribute: {foreground: Default}
+
+size:
+  major: {foreground: Green, is_bold: true}
+  minor: {foreground: Green}
+  number_byte: {foreground: Green, is_bold: true}
+  number_kilo: {foreground: Green, is_bold: true}
+  number_mega: {foreground: Green, is_bold: true}
+  number_giga: {foreground: Green, is_bold: true}
+  number_huge: {foreground: Green, is_bold: true}
+  unit_byte: {foreground: Green}
+  unit_kilo: {foreground: Green}
+  unit_mega: {foreground: Green}
+  unit_giga: {foreground: Green}
+  unit_huge: {foreground: Green}
+
+users:
+  user_you: {foreground: Yellow, is_bold: true}
+  user_root: {foreground: Default}
+  user_other: {foreground: Default}
+  group_yours: {foreground: Yellow, is_bold: true}
+  group_other: {foreground: Default}
+  group_root: {foreground: Default}
+
+links:
+  normal: {foreground: Red, is_bold: true}
+  multi_link_file: {foreground: Red, background: Yellow}
+
+git:
+  new: {foreground: Green}
+  modified: {foreground: Blue}
+  deleted: {foreground: Red}
+  renamed: {foreground: Yellow}
+  typechange: {foreground: Purple}
+  ignored: {foreground: Default, is_dimmed: true}
+  conflicted: {foreground: Red}
+
+git_repo:
+  branch_main: {foreground: Green}
+  branch_other: {foreground: Yellow}
+  git_clean: {foreground: Green}
+  git_dirty: {foreground: Yellow}
+
+security_context:
+  colon: {foreground: Default, is_dimmed: true}
+  user: {foreground: Blue}
+  role: {foreground: Green}
+  typ: {foreground: Yellow}
+  range: {foreground: Cyan}
+
+file_type:
+  image: {foreground: Purple}
+  video: {foreground: Purple, is_bold: true}
+  music: {foreground: Cyan}
+  lossless: {foreground: Cyan, is_bold: true}
+  crypto: {foreground: Green, is_bold: true}
+  document: {foreground: Green}
+  compressed: {foreground: Red}
+  temp: {foreground: White}
+  compiled: {foreground: Yellow}
+  build: {foreground: Yellow, is_bold: true, is_underlined: true}
+  source: {foreground: Yellow, is_bold: true}
+
+punctuation: {foreground: DarkGray, is_bold: true}
+date: {foreground: Cyan}
+inode: {foreground: Purple}
+blocks: {foreground: Cyan}
+header: {foreground: White, is_bold: true, is_underlined: true}
+octal: {foreground: Purple}
+flags: {foreground: Default}
+
+symlink_path: {foreground: Cyan}
+control_char: {foreground: Red}
+broken_symlink: {foreground: Red}
+broken_path_overlay: {foreground: Default, is_underlined: true}
+
+filenames:
+# Custom filename-based overrides
+# Cargo.toml: {icon: {glyph: 🦀}}
+
+extensions:
+# Custom extension-based overrides
+# rs: {filename: {foreground: Red}, icon: {glyph: 🦀}}
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

includes/target/root/.physnet.bashrc

@@ -0,0 +1,127 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+[[ $- != *i* ]] && return
+
+### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
+set +o errexit +o nounset +o pipefail
+
+# shellcheck disable=SC2312
+if [[ "$(id -u)" -eq 0 ]]; then
+  umask 0022
+  PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+else
+  umask 0077
+  PATH="/usr/local/bin:/usr/bin:/bin"
+fi
+export PATH
+
+trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' EXIT
+. "${HOME}/.ciss/alias"
+. "${HOME}/.ciss/f2bchk"
+. "${HOME}/.ciss/scan_libwrap"
+. "${HOME}/.ciss/shortcuts"
+
+### Preferred editor for local and remote sessions.
+export EDITOR="nano"
+
+### History-Settings
+# -'ignoreboth' Do not put duplicate lines or lines starting with space in the history.
+# -'erasedups' Causes all previous lines matching the current line to be removed from the history before that line is saved.
+export HISTCONTROL='ignoreboth:erasedups'
+
+# The name of the file in which command history is saved. The default value is ~/.bash_history. If unset, the command history
+# is not saved when a shell exits.
+export HISTFILE="${XDG_STATE_HOME}/bash/history"
+
+# The maximum number of lines contained in the history file.
+export HISTFILESIZE="16384"
+
+# The number of commands to remember in the command history. If the value is 0, commands are not saved in the history list.
+# Numeric values less than zero result in every command being saved on the history list (there is no limit).
+export HISTSIZE="16384"
+
+# If this variable is set, time stamps are written to the history file, so they may be preserved across shell sessions.
+export HISTTIMEFORMAT='%F %T %z  '
+
+# Optional, cautious filters (avoids trivial leaks, but not foolproof). Caution: HISTIGNORE is coarse-grained, don't overdo it.
+export HISTIGNORE='*PASS*:*pass*:*secret*:*token*:*API_KEY*:*'
+
+# With only histappend, entries can be lost or merge with each other in the event of a crash or multiple sessions.
+# "-a": Appends new entries from RAM to the file.
+# "-c": Then empties only the RAM buffer. Not used here for performance reasons.
+# "-r": Loads the file back into RAM.
+__ciss_hist_pc__='history -a; history -n'
+if [[ ${PROMPT_COMMAND-} != *"history -a; history -n"* ]]; then
+  PROMPT_COMMAND="${PROMPT_COMMAND:+${PROMPT_COMMAND}; }${__ciss_hist_pc__}"
+fi
+unset __ciss_hist_pc__
+export PROMPT_COMMAND
+
+# Check the window size after each command and, if necessary, update the values of "LINES" and "COLUMNS".
+shopt -s checkwinsize
+
+# Append to the history file, don't overwrite it.
+shopt -s histappend
+
+# If set, the pattern "**" used in a pathname expansion context will match all files and zero or more directories and subdirectories.
+shopt -s globstar
+
+# Multi-line entries (line breaks using \ or via PS2) are stored in the history as a single entry.
+shopt -s cmdhist
+
+# Works in addition to cmdhist: Multi-line commands are stored in the history with real newlines, i.e., in their original format.
+shopt -s lithist
+
+# Check History permissions.
+[[ -f "${HISTFILE}" ]] && chmod 0600 "${HISTFILE}"
+
+### Define colors for bash prompt.
+export CRED='\033[1;91m'
+export CGRE='\033[1;92m'
+export CYEL='\033[1;93m'
+export CBLU='\033[1;94m'
+export CMAG='\033[1;95m'
+export CCYA='\033[1;96m'
+export CWHI='\033[1;97m'
+export CRES='\033[0m'
+export NL='\n'
+
+### Define color prompt incl. 'Exit Code' feedback.
+export PS1="\
+\[\033[1;91m\]\d\[\033[0m\]|\
+\[\033[1;91m\]\u\[\033[0m\]@\
+\[\033[1;95m\]\h\[\033[0m\]:\
+\[\033[1;96m\]\w\[\033[0m\]/>>\
+\$(if [[ \$? -eq 0 ]]; then \
+    echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
+  else \
+    echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
+  fi)\
+\$(if [[ \$(id -u) -eq 0 ]]; then echo -e \" \[\033[1;91m\]#\[\033[0m\] \"; else echo -e \" \[\033[1;92m\]\\\$\[\033[0m\] \"; fi)"
+
+### Overwrite Protection.
+set -o noclobber
+alias cp='cp -iv'
+alias mv='mv -iv'
+alias rm='rm -iv'
+
+printf "\n"
+printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
+printf "%b✅ Welcome back %b" "${CGRE}" "${CRES}"
+printf "%b'%s'%b" "${CMAG}" "${USER}" "${CRES}"
+printf "%b! Type%b" "${CGRE}" "${CRES}"
+printf "%b 'celp'%b" "${CMAG}" "${CRES}"
+printf "%b for shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
+printf "\n"
+printf "\n"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/root/.physnet.zshrc

@@ -0,0 +1,200 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+[[ -o interactive ]] || return
+
+# shellcheck disable=SC2312
+if [[ "$(id -u)" -eq 0 ]]; then
+  umask 0022
+  # If you come from bash, you might have to change your $PATH.
+  PATH="${HOME}/bin:${HOME}/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+else
+  umask 0077
+  # If you come from bash, you might have to change your $PATH.
+  PATH="${HOME}/bin:${HOME}/.local/bin:/usr/local/bin:/usr/bin:/bin"
+fi
+export PATH
+
+### Path to your Oh My Zsh installation.
+export ZSH="${HOME}/.oh-my-zsh"
+
+# Set the name of the theme to load --- if set to "random", it will load a random theme each time Oh My Zsh is loaded, in which
+# case, to know what specific theme was loaded, run: echo $RANDOM_THEME. See https://github.com/ohmyzsh/ohmyzsh/wiki/Themes
+export ZSH_THEME="robbyrussell"
+
+# Set the list of themes to pick from when loading at random Setting this variable when ZSH_THEME=random will cause zsh to load
+# a theme from this variable instead of looking in $ZSH/themes/. If set to an empty array, this variable will have no effect.
+# ZSH_THEME_RANDOM_CANDIDATES=( "robbyrussell" "agnoster" )
+
+# Uncomment the following line to use case-sensitive completion.
+# CASE_SENSITIVE="true"
+
+# Uncomment the following line to use hyphen-insensitive completion. Case-sensitive completion must be off. _ and - will be
+# interchangeable.
+# HYPHEN_INSENSITIVE="true"
+
+# Uncomment one of the following lines to change the auto-update behavior
+# zstyle ':omz:update' mode disabled  # disable automatic updates
+# zstyle ':omz:update' mode auto      # update automatically without asking
+# zstyle ':omz:update' mode reminder  # just remind me to update when it's time
+
+# Uncomment the following line to change how often to auto-update (in days).
+# zstyle ':omz:update' frequency 13
+
+# Uncomment the following line if pasting URLs and other text is messed up.
+# DISABLE_MAGIC_FUNCTIONS="true"
+
+# Uncomment the following line to disable colors in ls.
+# DISABLE_LS_COLORS="true"
+
+# Uncomment the following line to disable auto-setting terminal title.
+# DISABLE_AUTO_TITLE="true"
+
+# Uncomment the following line to enable command autocorrection.
+# ENABLE_CORRECTION="true"
+
+# Uncomment the following line to display red dots whilst waiting for completion. You can also set it to another string to have
+# that is shown instead of the default red dots.
+# e.g., COMPLETION_WAITING_DOTS="%F{yellow}waiting...%f"
+# Caution: this setting can cause issues with multiline prompts in zsh < 5.7.1 (see #5765)
+# COMPLETION_WAITING_DOTS="true"
+
+# Uncomment the following line if you want to disable marking untracked files under VCS as dirty. This makes repository status
+# check for large repositories much, much faster.
+# DISABLE_UNTRACKED_FILES_DIRTY="true"
+
+# Uncomment the following line if you want to change the command execution time stamp shown in the history command output.
+# You can set one of the optional three formats:
+# "mm/dd/yyyy"|"dd.mm.yyyy"|"yyyy-mm-dd"
+# or set a custom format using the strftime function format specifications, see 'man strftime' for details.
+export HIST_STAMPS="yyyy-mm-dd"
+
+# Would you like to use another custom folder than $ZSH/custom?
+# ZSH_CUSTOM=/path/to/new-custom-folder
+
+# Which plugins would you like to load?
+# Standard plugins can be found in $ZSH/plugins/
+# Custom plugins may be added to $ZSH_CUSTOM/plugins/
+# Example format: plugins=(rails git textmate ruby lighthouse)
+# Add wisely, as too many plugins slow down shell startup.
+export plugins=(git zsh-syntax-highlighting zsh-autosuggestions)
+
+source ${ZSH}/oh-my-zsh.sh
+
+# User configuration
+
+# export MANPATH="/usr/local/man:{$MANPATH}"
+
+# You may need to manually set your language environment
+# export LANG=en_US.UTF-8
+
+# Preferred editor for local and remote sessions
+# if [[ -n $SSH_CONNECTION ]]; then
+#   export EDITOR='vim'
+# else
+#   export EDITOR='nvim'
+# fi
+
+# Compilation flags
+# export ARCHFLAGS="-arch $(uname -m)"
+
+# Set personal aliases, overriding those provided by Oh My Zsh libs,
+# plugins, and themes. Aliases can be placed here, though Oh My Zsh
+# users are encouraged to define aliases within a top-level file in
+# the $ZSH_CUSTOM folder, with .zsh extension. Examples:
+# - $ZSH_CUSTOM/aliases.zsh
+# - $ZSH_CUSTOM/macos.zsh
+# For a full list of active aliases, run `alias`.
+#
+# Example aliases
+# alias zshconfig="mate ~/.zshrc"
+# alias ohmyzsh="mate ~/.oh-my-zsh"
+
+### Added by CISS.debian.installer ###
+trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' EXIT
+. "${HOME}/.ciss/alias"
+. "${HOME}/.ciss/f2bchk"
+. "${HOME}/.ciss/shortcuts"
+. "${HOME}/.ciss/scan_libwrap"
+. /usr/share/doc/fzf/examples/key-bindings.zsh
+. /usr/share/doc/fzf/examples/completion.zsh
+
+### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
+set +o errexit +o nounset +o pipefail
+
+### Define colors for bash prompt
+export CRED='\033[1;91m'
+export CGRE='\033[1;92m'
+export CYEL='\033[1;93m'
+export CBLU='\033[1;94m'
+export CMAG='\033[1;95m'
+export CCYA='\033[1;96m'
+export CWHI='\033[1;97m'
+export CRES='\033[0m'
+export NL='\n'
+
+### Overwrite Protection
+set -o noclobber
+alias cp="cp -iv"
+alias mv='mv -iv'
+alias rm='rm -iv'
+
+### Preferred editor for local and remote sessions
+export EDITOR="nano"
+
+### History
+# The name of the file in which command history is saved.
+export HISTFILE="${XDG_STATE_HOME}/zsh/history"
+# The maximum number of lines contained in the history file.
+export HISTSIZE=16384
+# The number of commands to remember in the command history.
+export SAVEHIST=16384
+# Timestamp in the file: epoch:duration;command.
+setopt EXTENDED_HISTORY
+# Append, do not overwrite.
+setopt APPEND_HISTORY
+# Append lines immediately to the file.
+setopt INC_APPEND_HISTORY
+# Reload new lines from other sessions.
+setopt SHARE_HISTORY
+# Leading space do not log.
+setopt HIST_IGNORE_SPACE
+# When writing out the history file, older commands that duplicate newer ones are omitted.
+setopt HIST_SAVE_NO_DUPS
+# Remove superfluous blanks from each command line being added to the history list.
+setopt HIST_REDUCE_BLANKS
+
+# Check History permissions.
+[[ -f "${HISTFILE}" ]] && chmod 0600 "${HISTFILE}"
+
+### Define Users
+if [ "${UID}" -eq 0 ]; then
+  export USER_COLOR="%F{001}"
+else
+  export USER_COLOR="%F{002}"
+fi
+
+### CISS.debian.installer Prompt
+PROMPT='${USER_COLOR}%D%f|${USER_COLOR}%n%f@%F{005}%M%f:%F{006}%d%f/>>%(?.%F{002}%?.%F{001}%?)%f|~%#> '
+RPROMPT='%h|[${USER_COLOR}%*%f]'
+
+### Welcome message after login.
+printf "\n"
+printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
+printf "%b✅ Welcome back %b" "${CGRE}" "${CRES}"
+printf "%b'%b'%b" "${CMAG}" "${USER}" "${CRES}"
+printf "%b! Type%b" "${CGRE}" "${CRES}"
+printf "%b 'celp'%b" "${CMAG}" "${CRES}"
+printf "%b for shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
+printf "\n"
+printf "\n"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/root/ciss_xdg_tmp.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+### XDG variables (do not override if already set).
+
+set -a
+
+# shellcheck disable=SC2034
+XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
+# shellcheck disable=SC2034
+XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
+# shellcheck disable=SC2034
+XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
+# shellcheck disable=SC2034
+XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
+# shellcheck disable=SC2034
+XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
+# shellcheck disable=SC2034
+XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
+
+### Optional migrations (controlled via /etc/default/ciss-xdg-profile).
+[[ -f /etc/default/ciss-xdg-profile ]] && . /etc/default/ciss-xdg-profile
+
+### Bash history -> XDG_STATE_HOME (only if running bash).
+if [[ "${ENABLE_XDG_BASH_HISTORY:-1}" = "1" ]] && [[ -n "${BASH_VERSION:-}" ]]; then
+  HISTFILE="${XDG_STATE_HOME}/bash/history"
+fi
+
+set +a
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

meta_loader_func.sh

@@ -42,6 +42,7 @@ source_guard "./func/cdi_3200_partitioning/3295_get_label.sh"
 source_guard "./func/cdi_4000_debootstrap/4000_debootstrap.sh"
 source_guard "./func/cdi_4000_debootstrap/4005_debootstrap_checks.sh"
 source_guard "./func/cdi_4000_debootstrap/4010_prepare_mounts.sh"
+source_guard "./func/cdi_4000_debootstrap/4011_prepare_xdg_root.sh"
 source_guard "./func/cdi_4000_debootstrap/4015_check_usr_merge.sh"
 source_guard "./func/cdi_4000_debootstrap/4020_remove_x509.sh"
 source_guard "./func/cdi_4000_debootstrap/4030_setup_hostname.sh"
@@ -89,6 +90,7 @@ source_guard "./func/cdi_4400_hardening/4410_kernel_sysctl.sh"
 source_guard "./func/cdi_4400_hardening/4420_hardening_fail2ban.sh"
 source_guard "./func/cdi_4400_hardening/4430_hardening_files.sh"
 source_guard "./func/cdi_4400_hardening/4440_hardening_haveged.sh"
+source_guard "./func/cdi_4400_hardening/4442_hardening_jitterentropy.sh"
 source_guard "./func/cdi_4400_hardening/4445_hardening_logrotate.sh"
 source_guard "./func/cdi_4400_hardening/4450_hardening_memory.sh"
 source_guard "./func/cdi_4400_hardening/4460_hardening_openssl.sh"