V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-17 06:42:14 +01:00
parent bedd0d3fa5
commit 7d599e8463
71 changed files with 2203 additions and 548 deletions
--- a/.preseed/preseed.yaml
+++ b/.preseed/preseed.yaml
@@ -621,8 +621,8 @@ software:
  # gawk
  # gdisk
  # gnupg
  # haveged
  # initramfs-tools
  # jitterentropy-rngd
  # jq
  # kbd
  # keyutils
@@ -803,13 +803,13 @@ software:
 # USA         : time-a-g.nist.gov time-c-b.nist.gov utcnist3.colorado.edu
 ntp:
  server:
-    #- "ntp.ripe.net"
+    #- "ntp.ripe.net"          # Time out as of 2025-10-16
    - "ptbtime3.ptb.de"
    - "ptbtime2.ptb.de"
    - "ptbtime1.ptb.de"
-    #- "ntp13.metas.ch"
+    #- "ntp13.metas.ch"        # Time out as of 2025-10-16
-    #- "time-c-b.nist.gov"
+    #- "time-c-b.nist.gov"     # Time out as of 2025-10-16
-    #- "sth1.ntp.se"
+    #- "sth1.ntp.se"           # Time out as of 2025-10-16
    - "ntp0.fau.de"
  timezone: "Europe/Lisbon"    # Any valid setting for $TZ; see the contents of '/usr/share/zoneinfo' for valid values.
  utc: true                    # Controls whether the hardware clock is set to UTC.
--- a/ciss_debian_installer.sh
+++ b/ciss_debian_installer.sh
@@ -243,6 +243,9 @@ check_debootstrap
 info_echo "4010_prepare_mounts.sh [${TARGET}]"
 prepare_mounts
 info_echo "4011_prepare_xdg_root.sh [${TARGET}]"
 prepare_xdg_root
 info_echo "4015_check_usr_merge.sh [${TARGET}]"
 check_usr_merge
@@ -379,8 +382,8 @@ hardening_fail2ban
 info_echo "4430_hardening_files.sh [${TARGET}]"
 hardening_files
-info_echo "4440_hardening_haveged.sh [${TARGET}]"
+info_echo "4442_hardening_jitterentropy.sh [${TARGET}]"
-hardening_haveged
+hardening_jitterentropy
 info_echo "4450_hardening_memory.sh [${TARGET}]"
 hardening_memory
@@ -411,6 +414,9 @@ accounts_hardening
 info_echo "4520_accounts_setup.sh [${TARGET}]"
 accounts_setup
 info_echo "4530_accounts_timings.sh [${TARGET}]"
 update_shadow
 ### CDI_4600
 info_echo "4600_installation_packages.sh [${TARGET}]"
--- a/func/cdi_4000_debootstrap/4010_prepare_mounts.sh
+++ b/func/cdi_4000_debootstrap/4010_prepare_mounts.sh
@@ -64,7 +64,6 @@ prepare_mounts() {
  done
  for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
    IFS=" " read -r var_fs var_src var_opts <<< "${HMP_SPECIAL_MOUNTS[${var_path}]}"
@@ -87,7 +86,6 @@ prepare_mounts() {
  done
  if [[ "${VAR_NEED_RUN_IN_TARGET:-false}" == "true" ]]; then
    mkdir -p "${var_target}/run"
@@ -103,7 +101,6 @@ prepare_mounts() {
  fi
  if ! chroot_exec "${var_target}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
    do_log "emergency" "file_only" "4010() Command: [chroot_exec ${var_target} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
@@ -115,8 +112,6 @@ prepare_mounts() {
  mkdir -p "${var_target}/media/cdrom0"
  # shellcheck disable=SC2034
  if   [[ "${VAR_RUN_RECOVERY}" == "false" ]]; then
    declare -gx VAR_CHROOT_ACTIVATED="system"
--- a/func/cdi_4000_debootstrap/4011_prepare_xdg_root.sh
+++ b/func/cdi_4000_debootstrap/4011_prepare_xdg_root.sh
@@ -0,0 +1,60 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Prepare '/root' for XDG framework.
 # Globals:
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
 #   VAR_SETUP_PATH
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 prepare_xdg_root() {
  ### Declare Arrays, HashMaps, and Variables.
  declare     var_target="${TARGET}"
  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
  install -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/profile.d/ciss-xdg.sh" "${var_target}/etc/profile.d/"
  install -m 0444 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/default/ciss-xdg-profile" "${var_target}/etc/default/"
  install -m 0400 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/root/ciss_xdg_tmp.sh" "${var_target}/etc/root/"
  # shellcheck disable=SC2016
  chroot_script "${var_target}" '
    install -d -m 0755 /etc/xdg
    ### Create canonical directories.
    _xdg_umask="$(umask)"
    umask 0077
    [[ -d "${XDG_CONFIG_HOME}"     ]] || install -d -m 0700 -- "${XDG_CONFIG_HOME}"
    [[ -d "${XDG_DATA_HOME}"       ]] || install -d -m 0700 -- "${XDG_DATA_HOME}"
    [[ -d "${XDG_CACHE_HOME}"      ]] || install -d -m 0700 -- "${XDG_CACHE_HOME}"
    [[ -d "${XDG_STATE_HOME}"      ]] || install -d -m 0700 -- "${XDG_STATE_HOME}"
    [[ -d "${XDG_STATE_HOME}/bash" ]] || install -d -m 0700 -- "${XDG_STATE_HOME}/bash"
    [[ -d "${XDG_STATE_HOME}/less" ]] || install -d -m 0700 -- "${XDG_STATE_HOME}/less"
    umask "$_xdg_umask"
    unset _xdg_umask
    '
  guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f prepare_xdg_root
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4100_base/4110_update_sources.sh
+++ b/func/cdi_4100_base/4110_update_sources.sh
@@ -40,6 +40,7 @@ update_sources() {
  ### Update generated sources.
  # shellcheck disable=SC2312
  chroot_script "${var_target}" "
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get update 2>&1 | tee -a ${var_logfile}
  "
  do_log "info" "file_only" "4110() Sources lists: updated successfully."
@@ -50,6 +51,7 @@ update_sources() {
    chroot_script "${var_target}" "
      export INITRD=No
      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
      apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
    "
    do_log "info" "file_only" "4110() The update policy was set at installation time to: '${apt_updates_policy}'."
@@ -58,6 +60,7 @@ update_sources() {
    chroot_script "${var_target}" "
      export INITRD=No
      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
      apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
    "
--- a/func/cdi_4100_base/4120_installation_kernel.sh
+++ b/func/cdi_4100_base/4120_installation_kernel.sh
@@ -36,6 +36,7 @@ installation_kernel() {
    chroot_script "${TARGET}" "
      export INITRD=No
      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
      apt-get install -y --no-install-recommends --no-install-suggests ${VAR_KERNEL} initramfs-tools 2>&1 | tee -a ${var_logfile}
    "
@@ -47,6 +48,7 @@ installation_kernel() {
    chroot_script "${TARGET}" "
      export INITRD=No
      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
      apt-get install -y --no-install-recommends --no-install-suggests ${image} initramfs-tools 2>&1 | tee -a ${var_logfile}
    "
@@ -55,7 +57,6 @@ installation_kernel() {
    guard_dir && return 0
  fi
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4100_base/4130_installation_toolset.sh
+++ b/func/cdi_4100_base/4130_installation_toolset.sh
@@ -49,8 +49,8 @@ installation_toolset() {
    [awk]="gawk"
    [gdisk]="gdisk"
    [gnupg]="gnupg"
    [haveged]="haveged"
    [update-initramfs]="initramfs-tools"
    [jitterentropy-rngd]="jitterentropy-rngd"
    [jq]="jq"
    [loadkeys]="kbd"
    [setfont]="kbd"
@@ -96,6 +96,7 @@ installation_toolset() {
    chroot_script "${TARGET}" "
      export INITRD=No
      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
      apt-get install -y --no-install-recommends --no-install-suggests ${ary_unique_pkgs[*]} 2>&1 | tee -a ${var_logfile}
    "
--- a/func/cdi_4100_base/4131_installation_systemd.sh
+++ b/func/cdi_4100_base/4131_installation_systemd.sh
@@ -35,6 +35,7 @@ installation_systemd() {
    chroot_script "${TARGET}" "
      export INITRD=No
      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
      apt-get install -y --no-install-recommends --no-install-suggests systemd systemd-sysv dbus 2>&1 | tee -a ${var_logfile}
    "
--- a/func/cdi_4100_base/4132_installation_machineid.sh
+++ b/func/cdi_4100_base/4132_installation_machineid.sh
@@ -35,4 +35,7 @@ installation_machineid() {
  guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f installation_machineid
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4100_base/4140_installation_microcode.sh
+++ b/func/cdi_4100_base/4140_installation_microcode.sh
@@ -56,6 +56,7 @@ installation_microcode() {
      chroot_script "${TARGET}" "
        export INITRD=No
        [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
        apt-get install -y --no-install-recommends --no-install-suggests ${var_microcode_pkgs} 2>&1 | tee -a ${var_logfile}
      "
@@ -63,6 +64,7 @@ installation_microcode() {
      chroot_script "${TARGET}" "
        export INITRD=No
        [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
        apt-get install -y --no-install-recommends --no-install-suggests --only-upgrade ${var_microcode_pkgs} 2>&1 | tee -a ${var_logfile}
      "
--- a/func/cdi_4100_base/4145_installation_firmware.sh
+++ b/func/cdi_4100_base/4145_installation_firmware.sh
@@ -294,6 +294,7 @@ installation_firmware() {
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests ${ary_pkgs_resolved[*]} 2>&1 | tee -a ${var_logfile}
  "
--- a/func/cdi_4100_base/4150_installation_chrony.sh
+++ b/func/cdi_4100_base/4150_installation_chrony.sh
@@ -49,6 +49,7 @@ installation_chrony() {
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests chrony 2>&1 | tee -a ${var_logfile}
  "
@@ -78,4 +79,7 @@ installation_chrony() {
  guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f installation_chrony
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4100_base/4160_installation_eza.sh
+++ b/func/cdi_4100_base/4160_installation_eza.sh
@@ -49,6 +49,7 @@ EOF
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get update
    apt-get install -y --no-install-recommends --no-install-suggests eza 2>&1 | tee -a ${var_logfile}
  "
--- a/func/cdi_4100_base/4170_installation_lynis.sh
+++ b/func/cdi_4100_base/4170_installation_lynis.sh
@@ -49,6 +49,7 @@ EOF
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get update
    apt-get install -y --no-install-recommends --no-install-suggests lynis 2>&1 | tee -a ${var_logfile}
  "
--- a/func/cdi_4200_boot/4220_installation_cryptsetup.sh
+++ b/func/cdi_4200_boot/4220_installation_cryptsetup.sh
@@ -32,6 +32,7 @@ installation_cryptsetup() {
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests cryptsetup cryptsetup-initramfs 2>&1 | tee -a ${var_logfile}
  "
--- a/func/cdi_4200_boot/4230_installation_grub.sh
+++ b/func/cdi_4200_boot/4230_installation_grub.sh
@@ -78,6 +78,7 @@ installation_grub() {
        amd64)
          chroot_script "${TARGET}" "
            export INITRD=No
            [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
            apt-get install -y --no-install-recommends grub2-common grub-efi-amd64 grub-efi-amd64-bin 2>&1 | tee -a ${var_logfile}
          "
          ;;
@@ -85,6 +86,7 @@ installation_grub() {
        arm64)
          chroot_script "${TARGET}" "
            export INITRD=No
            [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
            apt-get install -y --no-install-recommends grub2-common grub-efi-arm64 grub-efi-arm64-bin 2>&1 | tee -a ${var_logfile}
          "
          ;;
@@ -99,6 +101,7 @@ installation_grub() {
      chroot_script "${TARGET}" "
        export INITRD=No
        [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
        apt-get install -y --no-install-recommends grub2-common grub-pc grub-pc-bin 2>&1 | tee -a ${var_logfile}
      "
--- a/func/cdi_4200_boot/4240_update_grub_password.sh
+++ b/func/cdi_4200_boot/4240_update_grub_password.sh
@@ -50,6 +50,9 @@ update_grub_password() {
  guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f update_grub_password
 #######################################
 # Generate PBKDF2 password hash for GRUB.
@@ -79,4 +82,7 @@ EOF
 return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f generate_grub_password_pbkdf2
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4300_network/4300_installation_network.sh
+++ b/func/cdi_4300_network/4300_installation_network.sh
@@ -45,16 +45,19 @@ installation_network() {
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get purge -y dhcpcd isc-dhcp-client 2>&1 | tee -a ${var_logfile}
  "
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-suggests dhcpcd-base ifupdown 2>&1 | tee -a ${var_logfile}
  "
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    systemctl disable systemd-networkd NetworkManager 2>/dev/null | tee -a ${var_logfile} || true
  "
--- a/func/cdi_4300_network/4305_installation_netsec.sh
+++ b/func/cdi_4300_network/4305_installation_netsec.sh
@@ -29,6 +29,7 @@ installation_netsec() {
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-suggests fail2ban ufw 2>&1 | tee -a ${var_logfile}
  "
--- a/func/cdi_4300_network/4311_dropbear_initramfs.sh
+++ b/func/cdi_4300_network/4311_dropbear_initramfs.sh
@@ -37,21 +37,25 @@ dropbear_initramfs() {
  chroot_script "${var_target}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests dropbear-initramfs dropbear-bin 2>&1 | tee -a ${var_logfile}
  "
  chroot_script "${var_target}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get purge -y dropbear dropbear-run || true
  "
  chroot_script "${var_target}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a ${var_logfile}
  "
  chroot_script "${var_target}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-mark hold dropbear dropbear-initramfs 2>&1 | tee -a ${var_logfile}
  "
--- a/func/cdi_4300_network/4330_installation_ssh.sh
+++ b/func/cdi_4300_network/4330_installation_ssh.sh
@@ -38,13 +38,20 @@ installation_ssh() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -a ary_user=()
  declare -i i=0
  declare -r  var_logfile="/root/.ciss/cdi/log/4330_installation_ssh.log"
  declare    var_auth="" var_name="" var_ca="" var_pub=""
  declare    var_target="${TARGET}"
  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
-  chroot_exec "${var_target}" apt-get install -y --no-install-recommends --no-install-suggests ssh
+  chroot_logger "${var_target}${var_logfile}"
  chroot_script "${var_target}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests ssh 2>&1 | tee -a ${var_logfile}
  "
  mkdir -p "${var_target}/etc/systemd/system/ssh.service.d"
--- a/func/cdi_4400_hardening/4400_kernel_modules.sh
+++ b/func/cdi_4400_hardening/4400_kernel_modules.sh
@@ -49,6 +49,9 @@ EOF
  guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f kernel_modules
 #######################################
 # Blacklist some kind of potential hazardous modules via '/etc/modprobe.d/0000_ciss_debian_installer.conf'.
@@ -70,4 +73,7 @@ kernel_modprobe() {
  guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f kernel_modprobe
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4400_hardening/4410_kernel_sysctl.sh
+++ b/func/cdi_4400_hardening/4410_kernel_sysctl.sh
@@ -13,7 +13,7 @@
 guard_sourcing
 #######################################
-# Install Kernel Hardening-Presets '/etc/sysctl.d/99_local.hardened'.
+# Install Kernel Hardening-Presets '/etc/sysctl.d/9999_ciss_debian_installer.hardened'.
 # Globals:
 #   TARGET
 #   VAR_SETUP_PATH
@@ -23,13 +23,16 @@ guard_sourcing
 #   0: on success
 #######################################
 kernel_sysctl() {
-  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/sysctl.d/99_local.hardened" \
+  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/sysctl.d/9999_ciss_debian_installer.hardened" \
-    "${TARGET}/etc/sysctl.d/99_local.hardened"
+    "${TARGET}/etc/sysctl.d/9999_ciss_debian_installer.hardened"
-  insert_comments "${TARGET}/etc/sysctl.d/99_local.hardened"
+  insert_comments "${TARGET}/etc/sysctl.d/9999_ciss_debian_installer.hardened"
-  do_log "info" "file_only" "4410() Installed: '/etc/sysctl.d/99_local.hardened'."
+  do_log "info" "file_only" "4410() Installed: '/etc/sysctl.d/9999_ciss_debian_installer.hardened'."
  guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f kernel_sysctl
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4400_hardening/4440_hardening_haveged.sh
+++ b/func/cdi_4400_hardening/4440_hardening_haveged.sh
@@ -38,4 +38,7 @@ EOF
  guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f hardening_haveged
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4400_hardening/4442_hardening_jitterentropy.sh
+++ b/func/cdi_4400_hardening/4442_hardening_jitterentropy.sh
@@ -0,0 +1,43 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Hardening hardening_jitterentropy.
 # Globals:
 #   TARGET
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 hardening_jitterentropy() {
  declare    var_target="${TARGET}"
  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
  mkdir -p "${var_target}/etc/systemd/system/jitterentropy-rngd.service.d"
  cat << EOF >> "${var_target}/etc/systemd/system/jitterentropy-rngd.service.d/override.conf"
 [Service]
 ExecStart=
 ExecStart=/usr/sbin/jitterentropy-rngd --sp800-90b --osr=7
 EOF
  guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f hardening_jitterentropy
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4400_hardening/4445_hardening_logrotate.sh
+++ b/func/cdi_4400_hardening/4445_hardening_logrotate.sh
@@ -73,4 +73,7 @@ EOF
  guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f hardening_logrotate
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4400_hardening/4450_hardening_memory.sh
+++ b/func/cdi_4400_hardening/4450_hardening_memory.sh
@@ -102,6 +102,9 @@ EOF
  guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f hardening_memory
 #######################################
 # Ensure 'pam_limits.so' is activated in:
@@ -158,4 +161,7 @@ guard_pam_limits() {
  guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f guard_pam_limits
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4400_hardening/4460_hardening_openssl.sh
+++ b/func/cdi_4400_hardening/4460_hardening_openssl.sh
@@ -32,4 +32,7 @@ hardening_openssl() {
  guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f hardening_openssl
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4400_hardening/4470_hardening_ufw.sh
+++ b/func/cdi_4400_hardening/4470_hardening_ufw.sh
@@ -97,4 +97,7 @@ hardening_ufw() {
  guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f hardening_ufw
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4400_hardening/4480_hardening_usb.sh
+++ b/func/cdi_4400_hardening/4480_hardening_usb.sh
@@ -30,6 +30,7 @@ hardening_usb() {
  ### Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests usbguard 2>&1 | tee -a ${var_logfile}
    touch /tmp/rules.conf
--- a/func/cdi_4400_hardening/4490_hardening_virus.sh
+++ b/func/cdi_4400_hardening/4490_hardening_virus.sh
@@ -29,6 +29,7 @@ hardening_virus() {
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests rkhunter 2>&1 | tee -a ${var_logfile}
  "
--- a/func/cdi_4500_user/4500_accounts_preparation.sh
+++ b/func/cdi_4500_user/4500_accounts_preparation.sh
@@ -36,6 +36,7 @@ accounts_preparation() {
  chroot_script "${var_target}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests bash-completion fzf 2>&1 | tee -a ${var_logfile}
  "
--- a/func/cdi_4500_user/4501_accounts_preparation_ciss.sh
+++ b/func/cdi_4500_user/4501_accounts_preparation_ciss.sh
@@ -31,8 +31,8 @@ accounts_preparation_ciss() {
  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
-  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${var_target}/etc/skel/.bashrc"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss.bashrc" "${var_target}/etc/skel/.bashrc"
-  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${var_target}/etc/skel/.zshrc"
+  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss.zshrc" "${var_target}/etc/skel/.zshrc"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/theme_eza_ciss.yml" "${var_target}/etc/skel/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/alias" "${var_target}/etc/skel/.ciss/"
  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/check_chrony.sh" "${var_target}/etc/skel/.ciss/"
@@ -50,9 +50,6 @@ accounts_preparation_ciss() {
  insert_comments "${var_target}/etc/skel/.ciss/scan_libwrap"
  insert_comments "${var_target}/etc/skel/.ciss/shortcuts"
  ### In order to be able to copy/paste from vim, one needs to create a '.vimrc' in every home directory with the following content:
  echo 'set clipboard=unnamed' >| "${var_target}/etc/skel/.vimrc"
  chmod 0600 "${var_target}/etc/skel/.vimrc"
  guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
--- a/func/cdi_4500_user/4502_accounts_preparation_physnet.sh
+++ b/func/cdi_4500_user/4502_accounts_preparation_physnet.sh
@@ -30,6 +30,25 @@ accounts_preparation_physnet() {
  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.physnet.bashrc" "${var_target}/etc/skel/.bashrc"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.physnet.zshrc" "${var_target}/etc/skel/.zshrc"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/theme_eza_ciss.yml" "${var_target}/etc/skel/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/alias" "${var_target}/etc/skel/.ciss/"
  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/check_chrony.sh" "${var_target}/etc/skel/.ciss/"
  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/clean_logout.sh" "${var_target}/etc/skel/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/f2bchk" "${var_target}/etc/skel/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/scan_libwrap" "${var_target}/etc/skel/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/shortcuts" "${var_target}/etc/skel/.ciss/"
  insert_comments "${var_target}/etc/skel/.bashrc"
  insert_comments "${var_target}/etc/skel/.zshrc"
  insert_comments "${var_target}/etc/skel/.ciss/alias"
  insert_comments "${var_target}/etc/skel/.ciss/check_chrony.sh"
  insert_comments "${var_target}/etc/skel/.ciss/clean_logout.sh"
  insert_comments "${var_target}/etc/skel/.ciss/f2bchk"
  insert_comments "${var_target}/etc/skel/.ciss/scan_libwrap"
  insert_comments "${var_target}/etc/skel/.ciss/shortcuts"
  guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
--- a/func/cdi_4500_user/4510_accounts_hardening.sh
+++ b/func/cdi_4500_user/4510_accounts_hardening.sh
@@ -39,13 +39,14 @@ accounts_hardening() {
  ary_security_pkgs=( "libpam-google-authenticator" "wamerican" "wbritish" "wfrench" "wngerman" )
  chroot_script "${var_target}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests ${ary_security_pkgs[*]} 2>&1 | tee -a ${var_logfile}
  "
  ### Preparing 2fa hardening.
  install -d -m 0755 -o root -g root "${var_target}/etc/ciss"
  touch "${var_target}/etc/ciss/2fa.users"
-  chmod 0640 "${var_target}/etc/ciss/2fa.users"
+  chmod 0600 "${var_target}/etc/ciss/2fa.users"
  ### Keep 'tty1' active, disable the rest.
  # shellcheck disable=SC2016
--- a/func/cdi_4500_user/4520_accounts_setup.sh
+++ b/func/cdi_4500_user/4520_accounts_setup.sh
@@ -12,12 +12,6 @@
 guard_sourcing
 # TODO: sudo TOTP deactivation
 # TODO: PAM Module
 # TODO: Check Password activation
 # TODO: Check expiration and other dates
 # TODO: Logic
 #######################################
 # Updating user accounts.
 # Globals:
@@ -59,6 +53,12 @@ accounts_setup() {
  chroot_logger "${var_target}${var_logfile}"
  ### Update pam modules for 2fa.
  write_pam_login "${var_target}"
  write_pam_sshd  "${var_target}"
  write_pam_su    "${var_target}"
  write_pam_sudo  "${var_target}"
  ### Prepare the '2fa'-seed variable.
  read_totp_seed
  do_log "debug" "file_only" "4520() Command: [read_totp_seed]"
@@ -66,57 +66,18 @@ accounts_setup() {
  ### 0) The 'root' account is generated via debootstrap by default.
  ### 1) Prepare the 'root' account.
-  install -d -m 0700 -o root -g root "${var_target}/root/.ssh"
+  case "${VAR_USER_ROOT_SPECIFIC}" in
  install -m 0600 -o root -g root /dev/null "${var_target}/root/.ssh/authorized_keys"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${var_target}/root/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/theme_eza_ciss.yml" "${var_target}/root/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/alias" "${var_target}/root/.ciss/"
  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/check_chrony.sh" "${var_target}/root/.ciss/"
  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/clean_logout.sh" "${var_target}/root/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/f2bchk" "${var_target}/root/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/scan_libwrap" "${var_target}/root/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/shortcuts" "${var_target}/root/.ciss/"
-  if [[ "${user_root_shell}" == "/bin/zsh" ]]; then
+    "ciss"   ) accounts_setup_ciss_root ;;
-    if [[ -x "${var_target}${user_root_shell}" ]]; then
+    "physnet") accounts_setup_physnet_root ;;
-      case "${VAR_USER_ROOT_SPECIFIC,,}" in
+    "none"   ) do_log "info" "file_only" "4520() Account preparation [none] selected." ;;
-        "ciss")
+    *        ) do_log "warn" "file_only" "4520() Account preparation nothing selected. Keeping defaults." ;;
          zsh_omz_installer "root" "${var_target}"
          mv "${var_target}/root/.zshrc" "${var_target}/root/.zshrc.bak"
          install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${var_target}/root/"
          ;;
        "physnet")
          :
          ;;
        "none"|*)
          :
          ;;
  esac
      chroot_exec "${var_target}" chsh -s "${user_root_shell}" root
      do_log "info" "file_only" "4520() Shell: '${user_root_shell}' used for: 'root'."
    else
      chroot_exec "${var_target}" chsh -s /bin/bash root
      do_log "info" "file_only" "4520() Shell: '${user_root_shell}' not found for: 'root'. Using '/bin/bash' instead."
    fi
  fi
  ### To be able to copy/paste from vim, one needs to create a '.vimrc' with the following content:
  echo 'set clipboard=unnamed' >| "${var_target}/root/.vimrc"
  chmod 0600 "${var_target}/root/.vimrc"
  do_log "info" "file_only" "4520() Skeleton: 'root' successfully generated."
  ### 2) Check SSH access capabilities.
  case "${user_root_authentication_access_ssh,,}" in
@@ -126,6 +87,7 @@ accounts_setup() {
      ;;
    true)
      ### SSH Public Key per default, only.
      sed -i -E "s|^[[:space:]]*PermitRootLogin[[:space:]]+.*$|$(printf '%-29s%s' 'PermitRootLogin' 'prohibit-password')|" "${var_target}/etc/ssh/sshd_config"
      do_log "info" "file_only" "4520() User: 'root' SSH access: [PermitRootLogin prohibit-password]"
      ;;
@@ -141,54 +103,26 @@ accounts_setup() {
  case "${user_root_authentication_access_tty,,}" in
    false)
-      ### 3) A) 1) Ensure the 'pam_access' line is not activated in '/etc/pam.d/login' and '/etc/pam.d/sshd' in parallel.
+      ### Disallow all local access for root in '/etc/security/access.conf'.
      pam_access_sync_login_sshd
      ### 3) A) 2) Ensure 'pam_securetty' in the auth phase; requisite causes immediate fail for disallowed ttys.
      chroot_stdin "${var_target}" "__payload__" <<'EOF'
 export LC_ALL=C
 if ! grep -Eq '^[[:space:]]*auth[[:space:]]+requisite[[:space:]]+pam_securetty[.]so([[:space:]]|$)' /etc/pam.d/login; then
  tmp="$(mktemp /etc/pam.d/login.XXXXXX)"
  awk '
    BEGIN { ins=0 }
    {
      if (!ins && $0 ~ /^[[:space:]]*auth[[:space:]]+.*pam_unix[.]so/) {
        print "auth  requisite  pam_securetty.so"
        ins=1
      }
      print
    }
    END {
      if (!ins) print "auth  requisite  pam_securetty.so"
    }
  ' /etc/pam.d/login >| "${tmp}"
  test -s "${tmp}"
  mv -f "${tmp}" /etc/pam.d/login
  rm -f -- "${tmp}"
 fi
 :
 EOF
      ### 3) A) 3) Disallow all local access for root in '/etc/security/access.conf'.
      printf -- '-: root:ALL\n' >> "${var_target}/etc/security/access.conf"
      do_log "info" "file_only" "4520() User: 'root' [disallow all local access in '/etc/security/access.conf']"
-      ### 3) A) 4) Empty "/etc/securetty".
+      ### Empty "/etc/securetty".
      cat << 'EOF' >| "${var_target}/etc/securetty"
 EOF
-
+      do_log "info" "file_only" "4520() User: 'root' [empty '/etc/securetty']"
      do_log "info" "file_only" "4520() User: 'root' tty access: [false]"
      ;;
    true)
-      ### 3) B) 1) Allow local access for 'root' only on 'tty1' in '/etc/security/access.conf'.
+      ### Allow local access for 'root' only on 'tty1' in '/etc/security/access.conf'.
      printf -- "+: root:tty1 \n" >> "${var_target}/etc/security/access.conf"
      do_log "info" "file_only" "4520() User: 'root' [allow local access on tty1 in '/etc/security/access.conf']"
-      ### 3) B) 2) Allow local access for 'root' only on 'tty1' in '/etc/securetty'.
+      ### Allow local access for 'root' only on 'tty1' in '/etc/securetty'.
      cat << 'EOF' >| "${var_target}/etc/securetty"
 tty1
 EOF
-      do_log "info" "file_only" "4520() User: 'root' tty access: [true]"
+      do_log "info" "file_only" "4520() User: 'root' [tty1 in '/etc/securetty']."
      ;;
    *)
@@ -199,6 +133,8 @@ EOF
  esac
  ### 4) Check the password policy for the 'root' account.
  chroot_script "${var_target}" "printf '%s:%s\n' 'root' '${user_root_password}' | /usr/sbin/chpasswd -e"
  case "${user_root_authentication_password,,}" in
    false)
@@ -207,8 +143,7 @@ EOF
      ;;
    true)
-      chroot_script "${var_target}" "printf '%s:%s\n' 'root' '${var_password}' | /usr/sbin/chpasswd -e"
+      chroot_script "${var_target}" "passwd -u root"
      #chroot_script "${var_target}" "/usr/sbin/usermod -p '${user_root_password}' root"
      do_log "info" "file_only" "4520() User: 'root' password access: [true]"
      ;;
@@ -227,17 +162,16 @@ EOF
  fi
-  ### 6) Update the 'root' 'totp'-policy and write the '.google_authenticator'-file.
+  ### 6) Update the 'root' 'totp'-policy-user file and write the '.google_authenticator'-file.
  if [[ "${user_root_authentication_2fa_ssh}" == "true" || "${user_root_authentication_2fa_tty}" == "true" ]]; then
    write_google_authenticator_file "root" "0" "0" "${var_target}"
    printf '%s\n' "root" >> "${var_target}/etc/ciss/2fa.users"
  fi
  if [[ "${user_root_authentication_2fa_ssh}" == "true" ]]; then
    pam_access_totp_enable "root" "sshd" "${var_target}"
    var_ssh_totp_update="true"
    cat << EOF >> "${var_target}/etc/ssh/sshd_config"
 Match User root
@@ -246,8 +180,6 @@ Match User root
 EOF
  fi
  [[ "${user_root_authentication_2fa_tty}" == "true" ]] && pam_access_totp_enable "root" "login" "${var_target}"
  ### 7) Install eza themes.
  eza_installer "root" "${var_target}"
@@ -844,172 +776,6 @@ EOF
 # shellcheck disable=SC2034
 readonly -f hardening_sudo
 #######################################
 # Ensure the 'pam_access' line is not activated in '/etc/pam.d/login' and '/etc/pam.d/sshd' in parallel.
 # MUST be executed inside chroot.
 # Globals:
 #   None
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 pam_access_sync_login_sshd() {
  ### Declare Arrays, HashMaps, and Variables.
  declare     var_file_login="/etc/pam.d/login"
  declare     var_file_sshd="/etc/pam.d/sshd"
  ### Guard: The file must exist, no-op otherwise.
  if [[ ! -f "${var_target}${var_file_login}" ]]; then
    return 0
  fi
  ### 1) If the 'pam_access' line is commented in '/etc/pam.d/login', uncomment exactly one occurrence.
  chroot_stdin "${var_target}" "__payload__" <<'EOF'
 tmp="$(mktemp /etc/pam.d/login.XXXXXX)"
 export LC_ALL=C
 awk '
 BEGIN { done=0 }
 {
  if (!done) {
    line=$0
    sub(/^[[:space:]]*#+[[:space:]]*/, "", line)
    if (line ~ /^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access[.]so([[:space:]]|$)/) {
      print line; done=1; next
    }
  }
  print
 }
 ' /etc/pam.d/login >| "${tmp}"
 test -s "${tmp}"
 mv -f "${tmp}" /etc/pam.d/login
 rm -f "${tmp}" || :
 :
 EOF
  ### 2) If '/etc/pam.d/login' now has an active pam_access line, ensure '/etc/pam.d/sshd' pam_access line(s) are commented out.
  ###    No-op if '/etc/pam.d/sshd' is absent.
  [[ -f "${var_target}${var_file_sshd}" ]] || return 0
  chroot_stdin "${var_target}" "__payload__" <<'EOF'
 export LC_ALL=C
 if grep -Eq '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access[.]so([[:space:]]|$)' /etc/pam.d/login; then
  tmp="$(mktemp /etc/pam.d/sshd.XXXXXX)"
  awk '
    /^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access[.]so([[:space:]]|$)/ { print "# " $0; next }
    { print }
  ' /etc/pam.d/sshd >| "${tmp}"
  test -s "${tmp}"
  mv -f "${tmp}" /etc/pam.d/sshd
  rm -f "${tmp}" || :
 fi
 :
 EOF
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f pam_access_sync_login_sshd
 #######################################
 # Enable per-user TOTP in a given PAM service (login, sshd, su, sudo).
 # Globals:
 #   None
 # Arguments:
 #   1: username
 #   2: pam_module
 #   3: target
 # Returns:
 #   0: on success
 #######################################
 pam_access_totp_enable() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_user="${1}" var_module="${2}" var_target="${3}"
  declare -r  var_pam_file="/etc/pam.d/${var_module}"
  declare -r  var_users_file="${var_target}/etc/ciss/2fa.users"
  declare -r  var_allowlist="/etc/ciss/2fa.users"
  ### Basic sanitation; module must be a safe 'pam.d' filename.
  [[ -n "${var_user:-}" && -n "${var_module:-}" ]] || return 0
  [[ "${var_module}" =~ ^[A-Za-z0-9._+-]+$ ]] || return 0
  [[ -f "${var_target}${var_pam_file}" ]] || return 0
  ### 0) Ensure the allowlist file contains the user (deduplicated).
  if ! grep -Fxq "${var_user}" "${var_users_file}"; then
    printf '%s\n' "${var_user}" >> "${var_users_file}"
  fi
  ### 1) Ensure a single CISS TOTP framework block is present in the PAM file.
  ###    The block gates GA by pam_listfile over '/etc/ciss/2fa.users'.
  ###    We place it right after pam_unix.so or @include common-auth; fallback: append.
  chroot_stdin "${var_target}" "__payload__" -- "${var_pam_file}" "${var_allowlist}" <<'EOF'
 export LC_ALL=C
 pam="$1"
 allowlist="$2"
 tmp="$(mktemp "${pam}.XXXXXX")"
 awk -v MARK_S="# CISS TOTP START" -v MARK_E="# CISS TOTP END" -v allowlist="${allowlist}" '
  BEGIN { ins=0 }
  {
    print
    if (!ins && ($0 ~ /^[[:space:]]*auth[[:space:]]+.*pam_unix[.]so/ \
                 || $0 ~ /^[[:space:]]*@include[[:space:]]+common-auth/)) {
      print MARK_S
      ### Only users in allowlist must pass GA:
      ### pam_listfile sense=deny succeeds for non-listed > skip next line (GA)
      print "auth  [success=1 default=ignore] pam_listfile.so item=user sense=deny file=" allowlist " onerr=ignore"
      print "auth  required  pam_google_authenticator.so"
      print MARK_E
      ins=1
    }
  }
  END {
    if (!ins) {
      print MARK_S
      print "auth  [success=1 default=ignore] pam_listfile.so item=user sense=deny file=" allowlist " onerr=ignore"
      print "auth  required  pam_google_authenticator.so"
      print MARK_E
    }
  }
 ' "${pam}" >| "${tmp}"
 test -s "${tmp}"
 mv -f "${tmp}" "${pam}"
 rm -f -- "${tmp}" || :
 :
 EOF
  ### 2) Comment out any other active GA lines to avoid double prompts.
  chroot_stdin "${var_target}" "__payload__" -- "${var_pam_file}" <<'EOF'
 export LC_ALL=C
 pam="$1"
 tmp="$(mktemp "${pam}.XXXXXX")"
 awk '
  BEGIN { in_ciss=0 }
  /^# CISS TOTP START$/ { in_ciss=1; print; next }
  /^# CISS TOTP END$/   { in_ciss=0; print; next }
  {
    if (!in_ciss && $0 ~ /^[[:space:]]*auth[[:space:]]+.*pam_google_authenticator[.]so/ && $0 !~ /^[[:space:]]*#/) {
      print "# " $0
    } else {
      print
    }
  }
 ' "${pam}" >| "${tmp}"
 test -s "${tmp}"
 mv -f "${tmp}" "${pam}"
 rm -f -- "${tmp}" || :
 :
 EOF
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f pam_access_totp_enable
 #######################################
 # Reads a 256-bit seed from '${DIR_CNF}/mfa_master.txt' (64 hex chars) into VAR_TEMP_PLAIN_MFA_SEED.
 # Globals:
@@ -1113,6 +879,379 @@ write_google_authenticator_file() {
 # shellcheck disable=SC2034
 readonly -f write_google_authenticator_file
 #######################################
 # Writes CISS Header for '/etc/pam.d/login'.
 # Globals:
 #   None
 # Arguments:
 #   1: TARGET
 # Returns:
 #   0: on success
 #######################################
 write_pam_login() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_target="$1"
  mv "${var_target}/etc/pam.d/login" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/login"
  insert_header   "${var_target}/etc/pam.d/login"
  insert_comments "${var_target}/etc/pam.d/login"
  cat << EOF >>   "${var_target}/etc/pam.d/login"
 #
 # The PAM configuration file for the Shadow 'login' service
 #
 # --- AUTH phase ---------------------------------------------------------------------------------------------------------------
 # Root only on secure ttys listed in '/etc/securetty' (fail fast, no prompts).
 auth     requisite  pam_securetty.so
 # Enforce a minimal delay in case of failure (in microseconds). (Replaces the 'FAIL_DELAY' setting from login.defs).
 # Note that other modules may require another minimal delay. (For example, to disable any delay, you should add the 'nodelay'
 # option to pam_unix).
 auth     optional   pam_faildelay.so delay=3200000
 # Outputs an issue file prior to each login prompt (Replaces the ISSUE_FILE option from login.defs). Uncomment for use.
 #auth    required   pam_issue.so issue=/etc/issue
 # Disallows other than root logins when /etc/nologin exists. (Replaces the 'NOLOGINS_FILE' option from login.defs).
 auth     requisite  pam_nologin.so
 # SELinux needs to be the first session rule. This ensures that any lingering context has been cleared. Without this it is
 # possible that a module could execute code in the wrong domain. When the module is present, "required" would be sufficient
 # (When SELinux is disabled, this returns success.)
 session             [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
 # Sets the loginuid process attribute
 session  required   pam_loginuid.so
 # Prints the message of the day upon successful login. (Replaces the 'MOTD_FILE' option in login.defs). This includes a
 # dynamically generated part from /run/motd.dynamic, and a static (admin-editable) part from /etc/motd.
 session  optional   pam_motd.so motd=/run/motd.dynamic
 session  optional   pam_motd.so noupdate
 # SELinux needs to intervene at login time to ensure that the process starts in the proper default security context. Only
 # sessions which are intended to run in the user's context should be run after this. The module pam_selinux.so changes the
 # SELinux context of the used TTY and configures SELinux in order to transition to the user context with the next execve()
 # call.
 session             [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
 # When the module is present, "required" would be sufficient (When SELinux is disabled, this returns success.)
 # This module parses environment configuration file(s) and also allows you to use an extended config file
 # /etc/security/pam_env.conf. Parsing /etc/environment needs "readenv=1"
 session  required   pam_env.so readenv=1
 # Locale variables can also be set in /etc/default/locale reading this file *in addition to /etc/environment* does not hurt.
 session  required   pam_env.so readenv=1 envfile=/etc/default/locale
 # Standard Un*x authentication.
@include common-auth
 # ===== CISS 2FA block  ========
 # If user is NOT listed -> succeed and SKIP next two lines (no TOTP prompt).
 auth                [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa.users onerr=ignore
 # For listed users: enforce that the secret file exists, else deny without prompting.
 # pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
 # No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
 auth     required   pam_echo.so file=/etc/ciss/pam_login_totp.prompt
 auth     required   pam_google_authenticator.so disallow-reuse
 # ===== CISS 2FA block end =====
 # This allows certain extra groups to be granted to a user based on things like time of day, tty, service, and user. Please
 # edit /etc/security/group.conf to fit your needs (Replaces the 'CONSOLE_GROUPS' option in login.defs).
 auth     optional   pam_group.so
 # Uncomment and edit /etc/security/time.conf if you need to set time restraint on logins. (Replaces the 'PORTTIME_CHECKS_ENAB'
 # option from login.defs as well as /etc/porttime).
 #account requisite  pam_time.so
 # Uncomment and edit /etc/security/access.conf if you need to set access limits. (Replaces /etc/login.access file).
 #account required   pam_access.so
 # Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
 session  required   pam_limits.so
 # Prints the status of the user's mailbox upon successful login (Replaces the 'MAIL_CHECK_ENAB' option from login.defs).
 # This also defines the MAIL environment variable. However, userdel also needs MAIL_DIR and MAIL_FILE variables in
 # /etc/login.defs to make sure that removing a user also removes the user's mail spool file. See comments in /etc/login.defs.
 session  optional   pam_mail.so standard
 # Create a new session keyring.
 session  optional   pam_keyinit.so force revoke
 # Console-only access control for this service (do NOT also enable in common-account).
 account  requisite  pam_access.so
 # Standard Un*x account and session
@include common-account
@include common-session
@include common-password
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
  do_log "info" "file_only" "4520() Written: [/etc/pam.d/login]."
  cat << 'EOF' >| "${var_target}/etc/ciss/pam_login_totp.prompt"
 Please enter your 6-digit TOTP or 8-digit Backup code:
 EOF
  chmod 0444 "${var_target}/etc/ciss/pam_login_totp.prompt"
  do_log "info" "file_only" "4520() Written: [/etc/ciss/pam_login_totp.prompt]."
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f write_pam_login
 #######################################
 # Writes CISS Header for '/etc/pam.d/sshd'.
 # Globals:
 #   None
 # Arguments:
 #   1: TARGET
 # Returns:
 #   0: on success
 #######################################
 write_pam_sshd() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_target="$1"
  mv "${var_target}/etc/pam.d/sshd" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/sshd"
  insert_header   "${var_target}/etc/pam.d/sshd"
  insert_comments "${var_target}/etc/pam.d/sshd"
  cat << EOF >>   "${var_target}/etc/pam.d/sshd"
 #
 # PAM configuration for the Secure Shell service
 #
 # ===== CISS 2FA block  ========
 # If user is NOT listed -> succeed and SKIP next two lines (silent Keyboard-Interactive (KI) success).
 auth                [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa.users onerr=ignore
 # For listed users: enforce that the secret file exists, else deny without prompting.
 # pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
 # No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
 auth     required   pam_echo.so file=/etc/ciss/pam_ssh_totp.prompt
 auth     required   pam_google_authenticator.so disallow-reuse
 # For non-2FA users KI must be a silent success to satisfy AuthenticationMethods.
 auth     sufficient pam_permit.so
 # ===== CISS 2FA block end =====
 # Keep the rest as shipped by Debian. It will be short-circuited by pam_permit for KI and never reached for 2FA users after
 # successful GA.
 # Standard Un*x authentication.
@include common-auth
 # Disallow non-root logins when /etc/nologin exists.
 account  required   pam_nologin.so
 # Uncomment and edit /etc/security/access.conf if you need to set complex access limits that are hard to express in sshd_config.
 #account required   pam_access.so
 # Standard Un*x authorization.
@include common-account
 # SELinux needs to be the first session rule. This ensures that any lingering context has been cleared. Without this it is
 # possible that a module could execute code in the wrong domain.
 session             [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
 # Set the loginuid process attribute.
 session  required   pam_loginuid.so
 # Create a new session keyring.
 session  optional   pam_keyinit.so force revoke
 # Standard Un*x session setup and teardown.
@include common-session
 # Print the message of the day upon successful login. This includes a dynamically generated part from /run/motd.dynamic and a
 # static (admin-editable) part from /etc/motd.
 session  optional   pam_motd.so motd=/run/motd.dynamic
 session  optional   pam_motd.so noupdate
 # Print the status of the user's mailbox upon successful login.
 session  optional   pam_mail.so standard noenv
 # Set up user limits from /etc/security/limits.conf.
 session  required   pam_limits.so
 # Read environment variables from /etc/environment and /etc/security/pam_env.conf.
 session  required   pam_env.so
 # In Debian 4.0 (etch), locale-related environment variables were moved to /etc/default/locale, so read that as well.
 session  required   pam_env.so envfile=/etc/default/locale
 # SELinux needs to intervene at login time to ensure that the process starts in the proper default security context. Only
 # sessions which are intended to run in the user's context should be run after this.
 session             [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
 # Standard Un*x password updating.
@include common-password
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
  do_log "info" "file_only" "4520() Written: [/etc/pam.d/sshd]."
  cat << 'EOF' >| "${var_target}/etc/ciss/pam_ssh_totp.prompt"
 Please enter your 6-digit TOTP or 8-digit Backup code:
 EOF
  chmod 0444 "${var_target}/etc/ciss/pam_ssh_totp.prompt"
  do_log "info" "file_only" "4520() Written: [/etc/ciss/pam_ssh_totp.prompt]."
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f write_pam_sshd
 #######################################
 # Writes CISS Header for '/etc/pam.d/su'.
 # Globals:
 #   None
 # Arguments:
 #   1: TARGET
 # Returns:
 #   0: on success
 #######################################
 write_pam_sudo() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_target="$1"
  mv "${var_target}/etc/pam.d/su" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/su"
  insert_header   "${var_target}/etc/pam.d/su"
  insert_comments "${var_target}/etc/pam.d/su"
  cat << EOF >>   "${var_target}/etc/pam.d/su"
 #
 # PAM configuration for the su service
 #
 # If caller is already root, allow quickly without further auth:
 auth     sufficient pam_rootok.so
 # Reuse a recent successful su-auth within the TTL:
 auth     sufficient pam_timestamp.so
 # Standard password for the target account (root or other):
@include common-auth
 # ===== CISS 2FA block  ========
 # If user is NOT listed -> succeed and SKIP next two lines (no TOTP prompt).
 auth                [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa.users onerr=ignore
 # For listed users: enforce that the secret file exists, else deny without prompting.
 # pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
 # No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
 auth     required   pam_echo.so file=/etc/ciss/pam_su_totp.prompt
 auth     required   pam_google_authenticator.so disallow-reuse
 # ===== CISS 2FA block end =====
@include common-account
@include common-session
 # Keep a ticket to avoid re-prompts during this shell session:
 session  optional     pam_timestamp.so
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
  do_log "info" "file_only" "4520() Written: [/etc/pam.d/su]."
  cat << 'EOF' >| "${var_target}/etc/ciss/pam_su_totp.prompt"
 Please enter the 6-digit TOTP or 8-digit Backup code of the target user:
 EOF
  chmod 0444 "${var_target}/etc/ciss/pam_su_totp.prompt"
  do_log "info" "file_only" "4520() Written: [/etc/ciss/pam_su_totp.prompt]."
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f write_pam_su
 #######################################
 # Writes CISS Header for '/etc/pam.d/sudo'.
 # Globals:
 #   None
 # Arguments:
 #   1: TARGET
 # Returns:
 #   0: on success
 #######################################
 write_pam_sudo() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_target="$1"
  mv "${var_target}/etc/pam.d/sudo" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/sudo"
  insert_header   "${var_target}/etc/pam.d/sudo"
  insert_comments "${var_target}/etc/pam.d/sudo"
  cat << EOF >>   "${var_target}/etc/pam.d/sudo"
 #
 # PAM configuration for the sudo service
 #
 # Reuse a recent successful auth to avoid re-prompting within the TTL.
 auth     sufficient pam_timestamp.so
 # Standard UNIX password:
@include common-auth
 # ===== CISS 2FA block  ========
 # If user is NOT listed -> succeed and SKIP next two lines (no TOTP prompt).
 auth                [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa.users onerr=ignore
 # For listed users: enforce that the secret file exists, else deny without prompting.
 # pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
 # No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
 auth     required   pam_echo.so file=/etc/ciss/pam_sudo_totp.prompt
 auth     required   pam_google_authenticator.so disallow-reuse
 # ===== CISS 2FA block end =====
 # Accounts, sessions:
@include common-account
@include common-session-noninteractive
 # Maintain a pam_timestamp ticket on successful sudo to suppress re-prompts.
 session  optional   pam_timestamp.so
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
  do_log "info" "file_only" "4520() Written: [/etc/pam.d/sudo]."
  cat << 'EOF' >| "${var_target}/etc/ciss/pam_sudo_totp.prompt"
 Please enter your 6-digit TOTP or 8-digit Backup code:
 EOF
  chmod 0444 "${var_target}/etc/ciss/pam_sudo_totp.prompt"
  do_log "info" "file_only" "4520() Written: [/etc/ciss/pam_sudo_totp.prompt]."
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f write_pam_sudo
 #######################################
 # Use the official ohmyzsh-installer but force non-interactive behavior; do not run zsh; do not chsh.
 # Globals:
@@ -1240,228 +1379,4 @@ EOF
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f zsh_omz_installer
 #######################################
 # Writes CISS Header for '/etc/pam.d/login'.
 # Globals:
 #   None
 # Arguments:
 #   1: TARGET
 # Returns:
 #   0: on success
 #######################################
 write_pam_login() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_target="$1"
  mv "${var_target}/etc/pam.d/sshd" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/login"
  insert_header   "${var_target}/etc/pam.d/login"
  insert_comments "${var_target}/etc/pam.d/login"
  cat << EOF >>   "${var_target}/etc/pam.d/login"
 #
 # The PAM configuration file for the Shadow 'login' service
 #
 # Enforce a minimal delay in case of failure (in microseconds). (Replaces the 'FAIL_DELAY' setting from login.defs).
 # Note that other modules may require another minimal delay. (For example, to disable any delay, you should add the 'nodelay'
 # option to pam_unix).
 auth    optional    pam_faildelay.so    delay=3000000
 # Outputs an issue file prior to each login prompt (Replaces the ISSUE_FILE option from login.defs). Uncomment for use.
 # auth    required    pam_issue.so issue=/etc/issue
 # Disallows other than root logins when /etc/nologin exists. (Replaces the 'NOLOGINS_FILE' option from login.defs).
 auth    requisite    pam_nologin.so
 # SELinux needs to be the first session rule. This ensures that any lingering context has been cleared. Without this it is
 # possible that a module could execute code in the wrong domain. When the module is present, "required" would be sufficient
 # (When SELinux is disabled, this returns success.)
 session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
 # Sets the loginuid process attribute
 session    required    pam_loginuid.so
 # Prints the message of the day upon successful login. (Replaces the 'MOTD_FILE' option in login.defs). This includes a
 # dynamically generated part from /run/motd.dynamic, and a static (admin-editable) part from /etc/motd.
 session    optional    pam_motd.so motd=/run/motd.dynamic
 session    optional    pam_motd.so noupdate
 # SELinux needs to intervene at login time to ensure that the process starts in the proper default security context. Only
 # sessions which are intended to run in the user's context should be run after this. The module pam_selinux.so changes the
 # SELinux context of the used TTY and configures SELinux in order to transition to the user context with the next execve()
 # call.
 session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
 # When the module is present, "required" would be sufficient (When SELinux is disabled, this returns success.)
 # This module parses environment configuration file(s) and also allows you to use an extended config file
 # /etc/security/pam_env.conf. Parsing /etc/environment needs "readenv=1"
 session    required    pam_env.so readenv=1
 # Locale variables can also be set in /etc/default/locale reading this file *in addition to /etc/environment* does not hurt.
 session    required    pam_env.so readenv=1 envfile=/etc/default/locale
 # Standard Un*x authentication.
@include common-auth
 # ===== CISS 2FA block  =====
 # If user is NOT listed -> succeed and SKIP next two lines (no TOTP prompt).
 auth  [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa onerr=ignore
 # Listed users: show a clear hint and then require GA. No 'nullok': missing secret -> fail.
 auth  required                    pam_echo.so file=/etc/ciss/login_totp.prompt
 auth  required                    pam_google_authenticator.so
 # ===== CISS 2FA block end =====
 # This allows certain extra groups to be granted to a user based on things like time of day, tty, service, and user. Please
 # edit /etc/security/group.conf to fit your needs (Replaces the 'CONSOLE_GROUPS' option in login.defs).
 auth    optional    pam_group.so
 # Uncomment and edit /etc/security/time.conf if you need to set time restraint on logins. (Replaces the 'PORTTIME_CHECKS_ENAB'
 # option from login.defs as well as /etc/porttime).
 # account    requisite    am_time.so
 # Uncomment and edit /etc/security/access.conf if you need to set access limits. (Replaces /etc/login.access file).
 # account    required    pam_access.so
 # Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
 session    required    pam_limits.so
 # Prints the status of the user's mailbox upon successful login (Replaces the 'MAIL_CHECK_ENAB' option from login.defs).
 # This also defines the MAIL environment variable. However, userdel also needs MAIL_DIR and MAIL_FILE variables in
 # /etc/login.defs to make sure that removing a user also removes the user's mail spool file. See comments in /etc/login.defs.
 session     optional    pam_mail.so standard
 # Create a new session keyring.
 session    optional    pam_keyinit.so force revoke
 # Standard Un*x account and session
@include common-account
@include common-session
@include common-password
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
  do_log "info" "file_only" "4520() Written: [/etc/pam.d/login]."
  cat << 'EOF' >| "${var_target}/etc/ciss/login_totp.prompt"
 After your UNIX password, please enter your 6-digit TOTP code.
 EOF
  chmod 0444 "${var_target}/etc/ciss/login_totp.prompt"
  do_log "info" "file_only" "4520() Written: [/etc/ciss/login_totp.prompt]."
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f write_pam_login
 #######################################
 # Writes CISS Header for '/etc/pam.d/sshd'.
 # Globals:
 #   None
 # Arguments:
 #   1: TARGET
 # Returns:
 #   0: on success
 #######################################
 write_pam_sshd() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_target="$1"
  mv "${var_target}/etc/pam.d/sshd" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/sshd"
  insert_header   "${var_target}/etc/pam.d/sshd"
  insert_comments "${var_target}/etc/pam.d/sshd"
  cat << EOF >>   "${var_target}/etc/pam.d/sshd"
 #
 # PAM configuration for the Secure Shell service
 #
 # ===== CISS 2FA block  =====
 # If user is NOT listed -> succeed and SKIP next two lines (silent Keyboard-Interactive (KI) success).
 auth  [success=2 default=ignore]  pam_listfile.so item=user sense=deny file=/etc/ciss/2fa onerr=ignore
 # For listed users: enforce that the secret file exists, else deny without prompting.
 # pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
 auth  required                    pam_echo.so file=/etc/ciss/ssh_totp.prompt
 auth  required                    pam_google_authenticator.so
                                  # No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
 # For non-2FA users KI must be a silent success to satisfy AuthenticationMethods.
 auth  sufficient                  pam_permit.so
 # ===== CISS 2FA block end =====
 # Keep the rest as shipped by Debian. It will be short-circuited by pam_permit for KI and never reached for 2FA users after
 # successful GA.
 # Standard Un*x authentication.
@include    common-auth
 # Disallow non-root logins when /etc/nologin exists.
 account    required    pam_nologin.so
 # Uncomment and edit /etc/security/access.conf if you need to set complex access limits that are hard to express in sshd_config.
 # account    required    pam_access.so
 # Standard Un*x authorization.
@include common-account
 # SELinux needs to be the first session rule.  This ensures that any lingering context has been cleared. Without this it is
 # possible that a module could execute code in the wrong domain.
 session [success=ok ignore=ignore module_unknown=ignore default=bad]    pam_selinux.so close
 # Set the loginuid process attribute.
 session    required    pam_loginuid.so
 # Create a new session keyring.
 session    optional    pam_keyinit.so force revoke
 # Standard Un*x session setup and teardown.
@include    common-session
 # Print the message of the day upon successful login. This includes a dynamically generated part from /run/motd.dynamic and a
 # static (admin-editable) part from /etc/motd.
 session    optional    pam_motd.so    motd=/run/motd.dynamic
 session    optional    pam_motd.so    noupdate
 # Print the status of the user's mailbox upon successful login.
 session    optional    pam_mail.so    standard noenv # [1]
 # Set up user limits from /etc/security/limits.conf.
 session    required    pam_limits.so
 # Read environment variables from /etc/environment and /etc/security/pam_env.conf.
 session    required    pam_env.so # [1]
 # In Debian 4.0 (etch), locale-related environment variables were moved to /etc/default/locale, so read that as well.
 session    required    pam_env.so envfile=/etc/default/locale
 # SELinux needs to intervene at login time to ensure that the process starts in the proper default security context. Only
 # sessions which are intended to run in the user's context should be run after this.
 session [success=ok ignore=ignore module_unknown=ignore default=bad]    pam_selinux.so open
 # Standard Un*x password updating.
@include common-password
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
  do_log "info" "file_only" "4520() Written: [/etc/pam.d/sshd]."
  cat << 'EOF' >| "${var_target}/etc/ciss/ssh_totp.prompt"
 Please enter your 6-digit TOTP code for %u@%H.
 EOF
  chmod 0444 "${var_target}/etc/ciss/ssh_totp.prompt"
  do_log "info" "file_only" "4520() Written: [/etc/ciss/ssh_totp.prompt]."
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f write_pam_sshd
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4500_user/4521_accounts_setup_ciss.sh
+++ b/func/cdi_4500_user/4521_accounts_setup_ciss.sh
@@ -23,16 +23,60 @@ guard_sourcing
 # Returns:
 #   0: on success
 #######################################
-accounts_setup_ciss() {
+accounts_setup_ciss_root() {
  ### Declare Arrays, HashMaps, and Variables.
  declare     var_target="${TARGET}"
  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
  install -d -m 0700 -o root -g root "${var_target}/root/.ssh"
  install -m 0600 -o root -g root /dev/null "${var_target}/root/.ssh/authorized_keys"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss.bashrc" "${var_target}/root/.bashrc"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/theme_eza_ciss.yml" "${var_target}/root/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/alias" "${var_target}/root/.ciss/"
  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/check_chrony.sh" "${var_target}/root/.ciss/"
  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/clean_logout.sh" "${var_target}/root/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/f2bchk" "${var_target}/root/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/scan_libwrap" "${var_target}/root/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/shortcuts" "${var_target}/root/.ciss/"
  insert_comments "${var_target}/root/.bashrc"
  insert_comments "${var_target}/root/.ciss/alias"
  insert_comments "${var_target}/root/.ciss/check_chrony.sh"
  insert_comments "${var_target}/root/.ciss/clean_logout.sh"
  insert_comments "${var_target}/root/.ciss/f2bchk"
  insert_comments "${var_target}/root/.ciss/scan_libwrap"
  insert_comments "${var_target}/root/.ciss/shortcuts"
  if [[ "${user_root_shell}" == "/bin/zsh" ]]; then
    if [[ -x "${var_target}${user_root_shell}" ]]; then
      zsh_omz_installer "root" "${var_target}"
      mkdir -p "${var_target}/root/.ciss/cdi/backup/root"
      mv "${var_target}/root/.zshrc" "${var_target}/root/.ciss/cdi/backup/root/.zshrc.bak"
      install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss.zshrc" "${var_target}/root/.zshrc"
      insert_comments "${var_target}/root/.zshrc"
      chroot_exec "${var_target}" chsh -s "${user_root_shell}" root
      do_log "info" "file_only" "4520() Shell: '${user_root_shell}' used for: 'root'."
    else
      chroot_exec "${var_target}" chsh -s /bin/bash root
      do_log "info" "file_only" "4520() Shell: '${user_root_shell}' not found for: 'root'. Using '/bin/bash' instead."
    fi
  fi
  do_log "info" "file_only" "4520() Skeleton: 'root' successfully generated."
  guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
-readonly -f accounts_setup_ciss
+readonly -f accounts_setup_ciss_root
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4500_user/4522_accounts_setup_physnet.sh
+++ b/func/cdi_4500_user/4522_accounts_setup_physnet.sh
@@ -23,13 +23,58 @@ guard_sourcing
 # Returns:
 #   0: on success
 #######################################
-accounts_setup_physnet() {
+accounts_setup_physnet_root() {
  ### Declare Arrays, HashMaps, and Variables.
  declare     var_target="${TARGET}"
  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
  install -d -m 0700 -o root -g root "${var_target}/root/.ssh"
  install -m 0600 -o root -g root /dev/null "${var_target}/root/.ssh/authorized_keys"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.physnet.bashrc" "${var_target}/root/.bashrc"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/theme_eza_ciss.yml" "${var_target}/root/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/alias" "${var_target}/root/.ciss/"
  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/check_chrony.sh" "${var_target}/root/.ciss/"
  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/clean_logout.sh" "${var_target}/root/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/f2bchk" "${var_target}/root/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/scan_libwrap" "${var_target}/root/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/shortcuts" "${var_target}/root/.ciss/"
  insert_comments "${var_target}/root/.bashrc"
  insert_comments "${var_target}/root/.ciss/alias"
  insert_comments "${var_target}/root/.ciss/check_chrony.sh"
  insert_comments "${var_target}/root/.ciss/clean_logout.sh"
  insert_comments "${var_target}/root/.ciss/f2bchk"
  insert_comments "${var_target}/root/.ciss/scan_libwrap"
  insert_comments "${var_target}/root/.ciss/shortcuts"
  if [[ "${user_root_shell}" == "/bin/zsh" ]]; then
    if [[ -x "${var_target}${user_root_shell}" ]]; then
      zsh_omz_installer "root" "${var_target}"
      mkdir -p "${var_target}/root/.ciss/cdi/backup/root"
      mv "${var_target}/root/.zshrc" "${var_target}/root/.ciss/cdi/backup/root/.zshrc.bak"
      install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.physnet.zshrc" "${var_target}/root/.zshrc"
      insert_comments "${var_target}/root/.zshrc"
      chroot_exec "${var_target}" chsh -s "${user_root_shell}" root
      do_log "info" "file_only" "4520() Shell: '${user_root_shell}' used for: 'root'."
    else
      chroot_exec "${var_target}" chsh -s /bin/bash root
      do_log "info" "file_only" "4520() Shell: '${user_root_shell}' not found for: 'root'. Using '/bin/bash' instead."
    fi
  fi
  do_log "info" "file_only" "4520() Skeleton: 'root' successfully generated."
  guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
--- a/func/cdi_4500_user/4530_accounts_timings.sh
+++ b/func/cdi_4500_user/4530_accounts_timings.sh
@@ -15,7 +15,7 @@ guard_sourcing
 #######################################
 # Iterates all '/etc/shadow' entries and sets:
 #   4=min age=0, 5=max age=16384, 6=warn=128, 7=inactive=42, 8=expire=17.09.2102
-#   Safe: creates a timestamped backup and (if available) locks /etc/.pwd.lock.
+#   Safe: creates a timestamped backup and (if available) locks '/etc/.pwd.lock'.
 # Globals:
 #   RECOVERY
 #   TARGET
@@ -28,6 +28,7 @@ guard_sourcing
 update_shadow() {
  ### Declare Arrays, HashMaps, and Variables.
  declare     var_target="${TARGET}"
  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
@@ -66,12 +67,12 @@ update_shadow() {
  ### Rewrite fields 4..8 for every line
  ### Preserve fields 1..3 and 9, keep password hashes untouched.
  ### Pad to 9 fields if shorter; keep empty lines intact (rare but safe).
-  awk -v FS=":" -v OFS=":" -v exp="${var_exp_ds}" '
+  awk -v FS=":" -v OFS=":" -v v_exp="${var_exp_ds}" '
    NF==0 { print; next }                      # preserve blank lines verbatim
    {
      # pad missing trailing fields to 9
      for (i=NF+1; i<=9; i++) $i="";
-      $4=0; $5=16384; $6=128; $7=42; $8=exp;  # set required fields
+      $4=0; $5=16384; $6=128; $7=42; $8=v_exp; # set required fields
      print
    }
  ' "${var_backup}" >| "${var_temp}"
--- a/func/cdi_4600_packages/4600_installation_packages.sh
+++ b/func/cdi_4600_packages/4600_installation_packages.sh
@@ -31,6 +31,7 @@ installation_packages() {
  if [[ "${VAR_APT_FULL_UPGRADE}" == "true" ]]; then
    chroot_script "${TARGET}" "
      export INITRD=No
      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
      apt-get update  -qq 2>&1 | tee -a ${var_logfile}
      apt-get upgrade -y  2>&1 | tee -a ${var_logfile}
    "
@@ -38,11 +39,13 @@ installation_packages() {
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests ${ARY_PACKAGES[*]} 2>&1 | tee -a ${var_logfile}
  "
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get autoclean  -y 2>&1 | tee -a ${var_logfile}
    apt-get autopurge  -y 2>&1 | tee -a ${var_logfile}
    apt-get autoremove -y 2>&1 | tee -a ${var_logfile}
--- a/func/cdi_4600_packages/4610_installation_security.sh
+++ b/func/cdi_4600_packages/4610_installation_security.sh
@@ -38,6 +38,7 @@ installation_security() {
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests ${ary_fw[*]} 2>&1 | tee -a ${var_logfile}
    if [[ ${VAR_SEC_FW} == apparmor ]]; then
--- a/func/cdi_4600_packages/4620_installation_verification.sh
+++ b/func/cdi_4600_packages/4620_installation_verification.sh
@@ -33,6 +33,7 @@ install_verification() {
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests auditd 2>&1 | tee -a ${var_logfile}
  "
--- a/func/cdi_4600_packages/4630_auditing_packages.sh
+++ b/func/cdi_4600_packages/4630_auditing_packages.sh
@@ -99,4 +99,7 @@ auditing_packages() {
  guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f auditing_packages
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4900_xtended/4900_final_command.sh
+++ b/func/cdi_4900_xtended/4900_final_command.sh
@@ -13,12 +13,10 @@
 guard_sourcing
 #######################################
-# Exiting chroot of the target system.
+# Finalize the chroot system before exiting.
 # Globals:
 #   RECOVERY
 #   TARGET
 #   VAR_CHROOT_ACTIVATED
 #   VAR_NEED_RUN_IN_TARGET
 #   VAR_RUN_RECOVERY
 # Arguments:
 #   None
@@ -39,6 +37,9 @@ final_commands() {
    updatedb | tee -a ${var_logfile}
  "
  rm -f "${var_target}/etc/root/ciss_xdg_tmp.sh"
  guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
--- a/includes/target/etc/default/ciss-xdg-profile
+++ b/includes/target/etc/default/ciss-xdg-profile
@@ -0,0 +1,19 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 # Default toggles for ciss-xdg-profile
 # 1 = enable, 0 = disable
 ENABLE_XDG_BASH_HISTORY=1
 ENABLE_XDG_LESS_HISTORY=1
 ENABLE_XDG_ZSH_HISTORY=1
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/includes/target/etc/profile.d/ciss-xdg.sh
+++ b/includes/target/etc/profile.d/ciss-xdg.sh
@@ -0,0 +1,63 @@
 #!/bin/sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 # shellcheck shell=sh
 # This file is sourced by login shells via '/etc/profile'. Keep POSIX sh compatible.
 ### XDG variables (do not override if already set).
 export XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
 export XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
 export XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
 export XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
 export XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
 export XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
 ### XDG_RUNTIME_DIR is provided by systemd-logind; do not set a persistent path.
 # shellcheck disable=SC2312
 if [ -z "${XDG_RUNTIME_DIR:-}" ] && [ -d "/run/user/$(id -u)" ]; then
  # shellcheck disable=SC2155
  export XDG_RUNTIME_DIR="/run/user/$(id -u)"
 fi
 ### Create canonical directories idempotently with 0700.
 _xdg_umask="$(umask)"
 umask 077
 [ -d "${XDG_CONFIG_HOME}"     ] || install -d -m 0700 -- "${XDG_CONFIG_HOME}"
 [ -d "${XDG_DATA_HOME}"       ] || install -d -m 0700 -- "${XDG_DATA_HOME}"
 [ -d "${XDG_CACHE_HOME}"      ] || install -d -m 0700 -- "${XDG_CACHE_HOME}"
 [ -d "${XDG_STATE_HOME}"      ] || install -d -m 0700 -- "${XDG_STATE_HOME}"
 umask "${_xdg_umask}"
 unset _xdg_umask
 ### Optional migrations (controlled via /'etc/default/ciss-xdg-profile').
 [ -f /etc/default/ciss-xdg-profile ] && . /etc/default/ciss-xdg-profile
 ### Bash history -> XDG_STATE_HOME (only if running bash).
 if [ "${ENABLE_XDG_BASH_HISTORY:-1}" = "1" ] && [ -n "${BASH_VERSION:-}" ]; then
  [ -d "${XDG_STATE_HOME}/bash" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/bash"
  export HISTFILE="${XDG_STATE_HOME}/bash/history"
 fi
 ### Zsh history -> XDG_STATE_HOME (best-effort; zsh might not read /etc/profile)
 if [ "${ENABLE_XDG_ZSH_HISTORY:-1}" = "1" ] && [ -n "${ZSH_VERSION:-}" ]; then
  [ -d "${XDG_STATE_HOME}/zsh" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/zsh"
  export HISTFILE="${XDG_STATE_HOME}/zsh/history"
 fi
 ### Less history -> XDG_STATE_HOME
 if [ "${ENABLE_XDG_LESS_HISTORY:-1}" = "1" ]; then
  [ -d "${XDG_STATE_HOME}/less" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/less"
  export LESSHISTFILE="${XDG_STATE_HOME}/less/history"
 fi
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/includes/target/etc/skel/.cache/.keep
+++ b/includes/target/etc/skel/.cache/.keep
@@ -0,0 +1,10 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
--- a/includes/target/etc/skel/.ciss.bashrc
+++ b/includes/target/etc/skel/.ciss.bashrc
@@ -11,6 +11,9 @@
 [[ $- != *i* ]] && return
 ### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
 set +o errexit +o nounset +o pipefail
 # shellcheck disable=SC2312
 if [[ "$(id -u)" -eq 0 ]]; then
  umask 0022
@@ -27,9 +30,6 @@ trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' EXIT
 . "${HOME}/.ciss/scan_libwrap"
 . "${HOME}/.ciss/shortcuts"
 ### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
 set +o errexit +o nounset +o pipefail
 ### Preferred editor for local and remote sessions.
 export EDITOR="nano"
@@ -40,7 +40,7 @@ export HISTCONTROL='ignoreboth:erasedups'
 # The name of the file in which command history is saved. The default value is ~/.bash_history. If unset, the command history
 # is not saved when a shell exits.
-export HISTFILE=~/.bash_history
+export HISTFILE="${XDG_STATE_HOME}/bash/history"
 # The maximum number of lines contained in the history file.
 export HISTFILESIZE="16384"
--- a/includes/target/etc/skel/.ciss.zshrc
+++ b/includes/target/etc/skel/.ciss.zshrc
@@ -152,7 +152,7 @@ export EDITOR="nano"
 ### History
 # The name of the file in which command history is saved.
-export HISTFILE="${HOME}/.zsh_history"
+export HISTFILE="${XDG_STATE_HOME}/zsh/history"
 # The maximum number of lines contained in the history file.
 export HISTSIZE=16384
 # The number of commands to remember in the command history.
--- a/includes/target/etc/skel/.ciss/alias
+++ b/includes/target/etc/skel/.ciss/alias
@@ -10,9 +10,6 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 ########################################################################################### Alpha
 alias genkeyfile='haveged -n 1048576 >| /tmp/secure_keyfile_$(date +%s)'
 ########################################################################################### Bash
 alias clear="printf '\033c'"
 alias c='clear'
@@ -225,12 +222,12 @@ swget() {
 }
 #######################################
-# Wrapper for loading CISS.2025 hardened Kernel Parameters.
+# Wrapper for loading CISS hardened Kernel Parameters.
 # Arguments:
 #   None
 #######################################
 sysp() {
-  sysctl -p /etc/sysctl.d/99_local.hardened
+  sysctl -p /etc/sysctl.d/9999_ciss_debian_installer.hardened
  # sleep 1
  # shellcheck disable=SC2312
  sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
--- a/includes/target/etc/skel/.config/.keep
+++ b/includes/target/etc/skel/.config/.keep
@@ -0,0 +1,10 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
--- a/includes/target/etc/skel/.local/.keep
+++ b/includes/target/etc/skel/.local/.keep
@@ -0,0 +1,10 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
--- a/includes/target/etc/skel/.local/share/.keep
+++ b/includes/target/etc/skel/.local/share/.keep
@@ -0,0 +1,10 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
--- a/includes/target/etc/skel/.local/state/.keep
+++ b/includes/target/etc/skel/.local/state/.keep
@@ -0,0 +1,10 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
--- a/includes/target/etc/skel/.local/state/bash/.keep
+++ b/includes/target/etc/skel/.local/state/bash/.keep
@@ -0,0 +1,10 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
--- a/includes/target/etc/skel/.local/state/less/.keep
+++ b/includes/target/etc/skel/.local/state/less/.keep
@@ -0,0 +1,10 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
--- a/includes/target/etc/skel/.local/state/zsh/.keep
+++ b/includes/target/etc/skel/.local/state/zsh/.keep
@@ -0,0 +1,10 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
--- a/includes/target/etc/skel/.physnet.bashrc
+++ b/includes/target/etc/skel/.physnet.bashrc
@@ -0,0 +1,127 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 [[ $- != *i* ]] && return
 ### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
 set +o errexit +o nounset +o pipefail
 # shellcheck disable=SC2312
 if [[ "$(id -u)" -eq 0 ]]; then
  umask 0022
  PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 else
  umask 0077
  PATH="/usr/local/bin:/usr/bin:/bin"
 fi
 export PATH
 trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' EXIT
 . "${HOME}/.ciss/alias"
 . "${HOME}/.ciss/f2bchk"
 . "${HOME}/.ciss/scan_libwrap"
 . "${HOME}/.ciss/shortcuts"
 ### Preferred editor for local and remote sessions.
 export EDITOR="nano"
 ### History-Settings
 # -'ignoreboth' Do not put duplicate lines or lines starting with space in the history.
 # -'erasedups' Causes all previous lines matching the current line to be removed from the history before that line is saved.
 export HISTCONTROL='ignoreboth:erasedups'
 # The name of the file in which command history is saved. The default value is ~/.bash_history. If unset, the command history
 # is not saved when a shell exits.
 export HISTFILE="${XDG_STATE_HOME}/bash/history"
 # The maximum number of lines contained in the history file.
 export HISTFILESIZE="16384"
 # The number of commands to remember in the command history. If the value is 0, commands are not saved in the history list.
 # Numeric values less than zero result in every command being saved on the history list (there is no limit).
 export HISTSIZE="16384"
 # If this variable is set, time stamps are written to the history file, so they may be preserved across shell sessions.
 export HISTTIMEFORMAT='%F %T %z  '
 # Optional, cautious filters (avoids trivial leaks, but not foolproof). Caution: HISTIGNORE is coarse-grained, don't overdo it.
 export HISTIGNORE='*PASS*:*pass*:*secret*:*token*:*API_KEY*:*'
 # With only histappend, entries can be lost or merge with each other in the event of a crash or multiple sessions.
 # "-a": Appends new entries from RAM to the file.
 # "-c": Then empties only the RAM buffer. Not used here for performance reasons.
 # "-r": Loads the file back into RAM.
 __ciss_hist_pc__='history -a; history -n'
 if [[ ${PROMPT_COMMAND-} != *"history -a; history -n"* ]]; then
  PROMPT_COMMAND="${PROMPT_COMMAND:+${PROMPT_COMMAND}; }${__ciss_hist_pc__}"
 fi
 unset __ciss_hist_pc__
 export PROMPT_COMMAND
 # Check the window size after each command and, if necessary, update the values of "LINES" and "COLUMNS".
 shopt -s checkwinsize
 # Append to the history file, don't overwrite it.
 shopt -s histappend
 # If set, the pattern "**" used in a pathname expansion context will match all files and zero or more directories and subdirectories.
 shopt -s globstar
 # Multi-line entries (line breaks using \ or via PS2) are stored in the history as a single entry.
 shopt -s cmdhist
 # Works in addition to cmdhist: Multi-line commands are stored in the history with real newlines, i.e., in their original format.
 shopt -s lithist
 # Check History permissions.
 [[ -f "${HISTFILE}" ]] && chmod 0600 "${HISTFILE}"
 ### Define colors for bash prompt.
 export CRED='\033[1;91m'
 export CGRE='\033[1;92m'
 export CYEL='\033[1;93m'
 export CBLU='\033[1;94m'
 export CMAG='\033[1;95m'
 export CCYA='\033[1;96m'
 export CWHI='\033[1;97m'
 export CRES='\033[0m'
 export NL='\n'
 ### Define color prompt incl. 'Exit Code' feedback.
 export PS1="\
 \[\033[1;91m\]\d\[\033[0m\]|\
 \[\033[1;91m\]\u\[\033[0m\]@\
 \[\033[1;95m\]\h\[\033[0m\]:\
 \[\033[1;96m\]\w\[\033[0m\]/>>\
 \$(if [[ \$? -eq 0 ]]; then \
    echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
  else \
    echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
  fi)\
 \$(if [[ \$(id -u) -eq 0 ]]; then echo -e \" \[\033[1;91m\]#\[\033[0m\] \"; else echo -e \" \[\033[1;92m\]\\\$\[\033[0m\] \"; fi)"
 ### Overwrite Protection.
 set -o noclobber
 alias cp='cp -iv'
 alias mv='mv -iv'
 alias rm='rm -iv'
 printf "\n"
 printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
 printf "%b✅ Welcome back %b" "${CGRE}" "${CRES}"
 printf "%b'%s'%b" "${CMAG}" "${USER}" "${CRES}"
 printf "%b! Type%b" "${CGRE}" "${CRES}"
 printf "%b 'celp'%b" "${CMAG}" "${CRES}"
 printf "%b for shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
 printf "\n"
 printf "\n"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/includes/target/etc/skel/.physnet.zshrc
+++ b/includes/target/etc/skel/.physnet.zshrc
@@ -0,0 +1,200 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 [[ -o interactive ]] || return
 # shellcheck disable=SC2312
 if [[ "$(id -u)" -eq 0 ]]; then
  umask 0022
  # If you come from bash, you might have to change your $PATH.
  PATH="${HOME}/bin:${HOME}/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 else
  umask 0077
  # If you come from bash, you might have to change your $PATH.
  PATH="${HOME}/bin:${HOME}/.local/bin:/usr/local/bin:/usr/bin:/bin"
 fi
 export PATH
 ### Path to your Oh My Zsh installation.
 export ZSH="${HOME}/.oh-my-zsh"
 # Set the name of the theme to load --- if set to "random", it will load a random theme each time Oh My Zsh is loaded, in which
 # case, to know what specific theme was loaded, run: echo $RANDOM_THEME. See https://github.com/ohmyzsh/ohmyzsh/wiki/Themes
 export ZSH_THEME="robbyrussell"
 # Set the list of themes to pick from when loading at random Setting this variable when ZSH_THEME=random will cause zsh to load
 # a theme from this variable instead of looking in $ZSH/themes/. If set to an empty array, this variable will have no effect.
 # ZSH_THEME_RANDOM_CANDIDATES=( "robbyrussell" "agnoster" )
 # Uncomment the following line to use case-sensitive completion.
 # CASE_SENSITIVE="true"
 # Uncomment the following line to use hyphen-insensitive completion. Case-sensitive completion must be off. _ and - will be
 # interchangeable.
 # HYPHEN_INSENSITIVE="true"
 # Uncomment one of the following lines to change the auto-update behavior
 # zstyle ':omz:update' mode disabled  # disable automatic updates
 # zstyle ':omz:update' mode auto      # update automatically without asking
 # zstyle ':omz:update' mode reminder  # just remind me to update when it's time
 # Uncomment the following line to change how often to auto-update (in days).
 # zstyle ':omz:update' frequency 13
 # Uncomment the following line if pasting URLs and other text is messed up.
 # DISABLE_MAGIC_FUNCTIONS="true"
 # Uncomment the following line to disable colors in ls.
 # DISABLE_LS_COLORS="true"
 # Uncomment the following line to disable auto-setting terminal title.
 # DISABLE_AUTO_TITLE="true"
 # Uncomment the following line to enable command autocorrection.
 # ENABLE_CORRECTION="true"
 # Uncomment the following line to display red dots whilst waiting for completion. You can also set it to another string to have
 # that is shown instead of the default red dots.
 # e.g., COMPLETION_WAITING_DOTS="%F{yellow}waiting...%f"
 # Caution: this setting can cause issues with multiline prompts in zsh < 5.7.1 (see #5765)
 # COMPLETION_WAITING_DOTS="true"
 # Uncomment the following line if you want to disable marking untracked files under VCS as dirty. This makes repository status
 # check for large repositories much, much faster.
 # DISABLE_UNTRACKED_FILES_DIRTY="true"
 # Uncomment the following line if you want to change the command execution time stamp shown in the history command output.
 # You can set one of the optional three formats:
 # "mm/dd/yyyy"|"dd.mm.yyyy"|"yyyy-mm-dd"
 # or set a custom format using the strftime function format specifications, see 'man strftime' for details.
 export HIST_STAMPS="yyyy-mm-dd"
 # Would you like to use another custom folder than $ZSH/custom?
 # ZSH_CUSTOM=/path/to/new-custom-folder
 # Which plugins would you like to load?
 # Standard plugins can be found in $ZSH/plugins/
 # Custom plugins may be added to $ZSH_CUSTOM/plugins/
 # Example format: plugins=(rails git textmate ruby lighthouse)
 # Add wisely, as too many plugins slow down shell startup.
 export plugins=(git zsh-syntax-highlighting zsh-autosuggestions)
 source ${ZSH}/oh-my-zsh.sh
 # User configuration
 # export MANPATH="/usr/local/man:{$MANPATH}"
 # You may need to manually set your language environment
 # export LANG=en_US.UTF-8
 # Preferred editor for local and remote sessions
 # if [[ -n $SSH_CONNECTION ]]; then
 #   export EDITOR='vim'
 # else
 #   export EDITOR='nvim'
 # fi
 # Compilation flags
 # export ARCHFLAGS="-arch $(uname -m)"
 # Set personal aliases, overriding those provided by Oh My Zsh libs,
 # plugins, and themes. Aliases can be placed here, though Oh My Zsh
 # users are encouraged to define aliases within a top-level file in
 # the $ZSH_CUSTOM folder, with .zsh extension. Examples:
 # - $ZSH_CUSTOM/aliases.zsh
 # - $ZSH_CUSTOM/macos.zsh
 # For a full list of active aliases, run `alias`.
 #
 # Example aliases
 # alias zshconfig="mate ~/.zshrc"
 # alias ohmyzsh="mate ~/.oh-my-zsh"
 ### Added by CISS.debian.installer ###
 trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' EXIT
 . "${HOME}/.ciss/alias"
 . "${HOME}/.ciss/f2bchk"
 . "${HOME}/.ciss/shortcuts"
 . "${HOME}/.ciss/scan_libwrap"
 . /usr/share/doc/fzf/examples/key-bindings.zsh
 . /usr/share/doc/fzf/examples/completion.zsh
 ### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
 set +o errexit +o nounset +o pipefail
 ### Define colors for bash prompt
 export CRED='\033[1;91m'
 export CGRE='\033[1;92m'
 export CYEL='\033[1;93m'
 export CBLU='\033[1;94m'
 export CMAG='\033[1;95m'
 export CCYA='\033[1;96m'
 export CWHI='\033[1;97m'
 export CRES='\033[0m'
 export NL='\n'
 ### Overwrite Protection
 set -o noclobber
 alias cp="cp -iv"
 alias mv='mv -iv'
 alias rm='rm -iv'
 ### Preferred editor for local and remote sessions
 export EDITOR="nano"
 ### History
 # The name of the file in which command history is saved.
 export HISTFILE="${XDG_STATE_HOME}/zsh/history"
 # The maximum number of lines contained in the history file.
 export HISTSIZE=16384
 # The number of commands to remember in the command history.
 export SAVEHIST=16384
 # Timestamp in the file: epoch:duration;command.
 setopt EXTENDED_HISTORY
 # Append, do not overwrite.
 setopt APPEND_HISTORY
 # Append lines immediately to the file.
 setopt INC_APPEND_HISTORY
 # Reload new lines from other sessions.
 setopt SHARE_HISTORY
 # Leading space do not log.
 setopt HIST_IGNORE_SPACE
 # When writing out the history file, older commands that duplicate newer ones are omitted.
 setopt HIST_SAVE_NO_DUPS
 # Remove superfluous blanks from each command line being added to the history list.
 setopt HIST_REDUCE_BLANKS
 # Check History permissions.
 [[ -f "${HISTFILE}" ]] && chmod 0600 "${HISTFILE}"
 ### Define Users
 if [ "${UID}" -eq 0 ]; then
  export USER_COLOR="%F{001}"
 else
  export USER_COLOR="%F{002}"
 fi
 ### CISS.debian.installer Prompt
 PROMPT='${USER_COLOR}%D%f|${USER_COLOR}%n%f@%F{005}%M%f:%F{006}%d%f/>>%(?.%F{002}%?.%F{001}%?)%f|~%#> '
 RPROMPT='%h|[${USER_COLOR}%*%f]'
 ### Welcome message after login.
 printf "\n"
 printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
 printf "%b✅ Welcome back %b" "${CGRE}" "${CRES}"
 printf "%b'%b'%b" "${CMAG}" "${USER}" "${CRES}"
 printf "%b! Type%b" "${CGRE}" "${CRES}"
 printf "%b 'celp'%b" "${CMAG}" "${CRES}"
 printf "%b for shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
 printf "\n"
 printf "\n"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/includes/target/etc/ssh/sshd_config
+++ b/includes/target/etc/ssh/sshd_config
@@ -10,7 +10,8 @@
 # SPDX-Security-Contact: security@coresecret.eu
 ### https://www.ssh-audit.com/
-### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
+### ssh -Q cipher | cipher-auth | compression
 ### ssh -Q kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
 Include                      /etc/ssh/sshd_config.d/*.conf
--- a/includes/target/etc/sysctl.d/9999_ciss_debian_installer.hardened
+++ b/includes/target/etc/sysctl.d/9999_ciss_debian_installer.hardened
--- a/includes/target/root/.ciss.bashrc
+++ b/includes/target/root/.ciss.bashrc
@@ -0,0 +1,127 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 [[ $- != *i* ]] && return
 ### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
 set +o errexit +o nounset +o pipefail
 # shellcheck disable=SC2312
 if [[ "$(id -u)" -eq 0 ]]; then
  umask 0022
  PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 else
  umask 0077
  PATH="/usr/local/bin:/usr/bin:/bin"
 fi
 export PATH
 trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' EXIT
 . "${HOME}/.ciss/alias"
 . "${HOME}/.ciss/f2bchk"
 . "${HOME}/.ciss/scan_libwrap"
 . "${HOME}/.ciss/shortcuts"
 ### Preferred editor for local and remote sessions.
 export EDITOR="nano"
 ### History-Settings
 # -'ignoreboth' Do not put duplicate lines or lines starting with space in the history.
 # -'erasedups' Causes all previous lines matching the current line to be removed from the history before that line is saved.
 export HISTCONTROL='ignoreboth:erasedups'
 # The name of the file in which command history is saved. The default value is ~/.bash_history. If unset, the command history
 # is not saved when a shell exits.
 export HISTFILE="${XDG_STATE_HOME}/bash/history"
 # The maximum number of lines contained in the history file.
 export HISTFILESIZE="16384"
 # The number of commands to remember in the command history. If the value is 0, commands are not saved in the history list.
 # Numeric values less than zero result in every command being saved on the history list (there is no limit).
 export HISTSIZE="16384"
 # If this variable is set, time stamps are written to the history file, so they may be preserved across shell sessions.
 export HISTTIMEFORMAT='%F %T %z  '
 # Optional, cautious filters (avoids trivial leaks, but not foolproof). Caution: HISTIGNORE is coarse-grained, don't overdo it.
 export HISTIGNORE='*PASS*:*pass*:*secret*:*token*:*API_KEY*:*'
 # With only histappend, entries can be lost or merge with each other in the event of a crash or multiple sessions.
 # "-a": Appends new entries from RAM to the file.
 # "-c": Then empties only the RAM buffer. Not used here for performance reasons.
 # "-r": Loads the file back into RAM.
 __ciss_hist_pc__='history -a; history -n'
 if [[ ${PROMPT_COMMAND-} != *"history -a; history -n"* ]]; then
  PROMPT_COMMAND="${PROMPT_COMMAND:+${PROMPT_COMMAND}; }${__ciss_hist_pc__}"
 fi
 unset __ciss_hist_pc__
 export PROMPT_COMMAND
 # Check the window size after each command and, if necessary, update the values of "LINES" and "COLUMNS".
 shopt -s checkwinsize
 # Append to the history file, don't overwrite it.
 shopt -s histappend
 # If set, the pattern "**" used in a pathname expansion context will match all files and zero or more directories and subdirectories.
 shopt -s globstar
 # Multi-line entries (line breaks using \ or via PS2) are stored in the history as a single entry.
 shopt -s cmdhist
 # Works in addition to cmdhist: Multi-line commands are stored in the history with real newlines, i.e., in their original format.
 shopt -s lithist
 # Check History permissions.
 [[ -f "${HISTFILE}" ]] && chmod 0600 "${HISTFILE}"
 ### Define colors for bash prompt.
 export CRED='\033[1;91m'
 export CGRE='\033[1;92m'
 export CYEL='\033[1;93m'
 export CBLU='\033[1;94m'
 export CMAG='\033[1;95m'
 export CCYA='\033[1;96m'
 export CWHI='\033[1;97m'
 export CRES='\033[0m'
 export NL='\n'
 ### Define color prompt incl. 'Exit Code' feedback.
 export PS1="\
 \[\033[1;91m\]\d\[\033[0m\]|\
 \[\033[1;91m\]\u\[\033[0m\]@\
 \[\033[1;95m\]\h\[\033[0m\]:\
 \[\033[1;96m\]\w\[\033[0m\]/>>\
 \$(if [[ \$? -eq 0 ]]; then \
    echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
  else \
    echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
  fi)\
 \$(if [[ \$(id -u) -eq 0 ]]; then echo -e \" \[\033[1;91m\]#\[\033[0m\] \"; else echo -e \" \[\033[1;92m\]\\\$\[\033[0m\] \"; fi)"
 ### Overwrite Protection.
 set -o noclobber
 alias cp='cp -iv'
 alias mv='mv -iv'
 alias rm='rm -iv'
 printf "\n"
 printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
 printf "%b✅ Welcome back %b" "${CGRE}" "${CRES}"
 printf "%b'%s'%b" "${CMAG}" "${USER}" "${CRES}"
 printf "%b! Type%b" "${CGRE}" "${CRES}"
 printf "%b 'celp'%b" "${CMAG}" "${CRES}"
 printf "%b for shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
 printf "\n"
 printf "\n"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/includes/target/root/.ciss.zshrc
+++ b/includes/target/root/.ciss.zshrc
@@ -0,0 +1,200 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 [[ -o interactive ]] || return
 # shellcheck disable=SC2312
 if [[ "$(id -u)" -eq 0 ]]; then
  umask 0022
  # If you come from bash, you might have to change your $PATH.
  PATH="${HOME}/bin:${HOME}/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 else
  umask 0077
  # If you come from bash, you might have to change your $PATH.
  PATH="${HOME}/bin:${HOME}/.local/bin:/usr/local/bin:/usr/bin:/bin"
 fi
 export PATH
 ### Path to your Oh My Zsh installation.
 export ZSH="${HOME}/.oh-my-zsh"
 # Set the name of the theme to load --- if set to "random", it will load a random theme each time Oh My Zsh is loaded, in which
 # case, to know what specific theme was loaded, run: echo $RANDOM_THEME. See https://github.com/ohmyzsh/ohmyzsh/wiki/Themes
 export ZSH_THEME="robbyrussell"
 # Set the list of themes to pick from when loading at random Setting this variable when ZSH_THEME=random will cause zsh to load
 # a theme from this variable instead of looking in $ZSH/themes/. If set to an empty array, this variable will have no effect.
 # ZSH_THEME_RANDOM_CANDIDATES=( "robbyrussell" "agnoster" )
 # Uncomment the following line to use case-sensitive completion.
 # CASE_SENSITIVE="true"
 # Uncomment the following line to use hyphen-insensitive completion. Case-sensitive completion must be off. _ and - will be
 # interchangeable.
 # HYPHEN_INSENSITIVE="true"
 # Uncomment one of the following lines to change the auto-update behavior
 # zstyle ':omz:update' mode disabled  # disable automatic updates
 # zstyle ':omz:update' mode auto      # update automatically without asking
 # zstyle ':omz:update' mode reminder  # just remind me to update when it's time
 # Uncomment the following line to change how often to auto-update (in days).
 # zstyle ':omz:update' frequency 13
 # Uncomment the following line if pasting URLs and other text is messed up.
 # DISABLE_MAGIC_FUNCTIONS="true"
 # Uncomment the following line to disable colors in ls.
 # DISABLE_LS_COLORS="true"
 # Uncomment the following line to disable auto-setting terminal title.
 # DISABLE_AUTO_TITLE="true"
 # Uncomment the following line to enable command autocorrection.
 # ENABLE_CORRECTION="true"
 # Uncomment the following line to display red dots whilst waiting for completion. You can also set it to another string to have
 # that is shown instead of the default red dots.
 # e.g., COMPLETION_WAITING_DOTS="%F{yellow}waiting...%f"
 # Caution: this setting can cause issues with multiline prompts in zsh < 5.7.1 (see #5765)
 # COMPLETION_WAITING_DOTS="true"
 # Uncomment the following line if you want to disable marking untracked files under VCS as dirty. This makes repository status
 # check for large repositories much, much faster.
 # DISABLE_UNTRACKED_FILES_DIRTY="true"
 # Uncomment the following line if you want to change the command execution time stamp shown in the history command output.
 # You can set one of the optional three formats:
 # "mm/dd/yyyy"|"dd.mm.yyyy"|"yyyy-mm-dd"
 # or set a custom format using the strftime function format specifications, see 'man strftime' for details.
 export HIST_STAMPS="yyyy-mm-dd"
 # Would you like to use another custom folder than $ZSH/custom?
 # ZSH_CUSTOM=/path/to/new-custom-folder
 # Which plugins would you like to load?
 # Standard plugins can be found in $ZSH/plugins/
 # Custom plugins may be added to $ZSH_CUSTOM/plugins/
 # Example format: plugins=(rails git textmate ruby lighthouse)
 # Add wisely, as too many plugins slow down shell startup.
 export plugins=(git zsh-syntax-highlighting zsh-autosuggestions)
 source ${ZSH}/oh-my-zsh.sh
 # User configuration
 # export MANPATH="/usr/local/man:{$MANPATH}"
 # You may need to manually set your language environment
 # export LANG=en_US.UTF-8
 # Preferred editor for local and remote sessions
 # if [[ -n $SSH_CONNECTION ]]; then
 #   export EDITOR='vim'
 # else
 #   export EDITOR='nvim'
 # fi
 # Compilation flags
 # export ARCHFLAGS="-arch $(uname -m)"
 # Set personal aliases, overriding those provided by Oh My Zsh libs,
 # plugins, and themes. Aliases can be placed here, though Oh My Zsh
 # users are encouraged to define aliases within a top-level file in
 # the $ZSH_CUSTOM folder, with .zsh extension. Examples:
 # - $ZSH_CUSTOM/aliases.zsh
 # - $ZSH_CUSTOM/macos.zsh
 # For a full list of active aliases, run `alias`.
 #
 # Example aliases
 # alias zshconfig="mate ~/.zshrc"
 # alias ohmyzsh="mate ~/.oh-my-zsh"
 ### Added by CISS.debian.installer ###
 trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' EXIT
 . "${HOME}/.ciss/alias"
 . "${HOME}/.ciss/f2bchk"
 . "${HOME}/.ciss/shortcuts"
 . "${HOME}/.ciss/scan_libwrap"
 . /usr/share/doc/fzf/examples/key-bindings.zsh
 . /usr/share/doc/fzf/examples/completion.zsh
 ### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
 set +o errexit +o nounset +o pipefail
 ### Define colors for bash prompt
 export CRED='\033[1;91m'
 export CGRE='\033[1;92m'
 export CYEL='\033[1;93m'
 export CBLU='\033[1;94m'
 export CMAG='\033[1;95m'
 export CCYA='\033[1;96m'
 export CWHI='\033[1;97m'
 export CRES='\033[0m'
 export NL='\n'
 ### Overwrite Protection
 set -o noclobber
 alias cp="cp -iv"
 alias mv='mv -iv'
 alias rm='rm -iv'
 ### Preferred editor for local and remote sessions
 export EDITOR="nano"
 ### History
 # The name of the file in which command history is saved.
 export HISTFILE="${XDG_STATE_HOME}/zsh/history"
 # The maximum number of lines contained in the history file.
 export HISTSIZE=16384
 # The number of commands to remember in the command history.
 export SAVEHIST=16384
 # Timestamp in the file: epoch:duration;command.
 setopt EXTENDED_HISTORY
 # Append, do not overwrite.
 setopt APPEND_HISTORY
 # Append lines immediately to the file.
 setopt INC_APPEND_HISTORY
 # Reload new lines from other sessions.
 setopt SHARE_HISTORY
 # Leading space do not log.
 setopt HIST_IGNORE_SPACE
 # When writing out the history file, older commands that duplicate newer ones are omitted.
 setopt HIST_SAVE_NO_DUPS
 # Remove superfluous blanks from each command line being added to the history list.
 setopt HIST_REDUCE_BLANKS
 # Check History permissions.
 [[ -f "${HISTFILE}" ]] && chmod 0600 "${HISTFILE}"
 ### Define Users
 if [ "${UID}" -eq 0 ]; then
  export USER_COLOR="%F{001}"
 else
  export USER_COLOR="%F{002}"
 fi
 ### CISS.debian.installer Prompt
 PROMPT='${USER_COLOR}%D%f|${USER_COLOR}%n%f@%F{005}%M%f:%F{006}%d%f/>>%(?.%F{002}%?.%F{001}%?)%f|~%#> '
 RPROMPT='%h|[${USER_COLOR}%*%f]'
 ### Welcome message after login.
 printf "\n"
 printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
 printf "%b✅ Welcome back %b" "${CGRE}" "${CRES}"
 printf "%b'%b'%b" "${CMAG}" "${USER}" "${CRES}"
 printf "%b! Type%b" "${CGRE}" "${CRES}"
 printf "%b 'celp'%b" "${CMAG}" "${CRES}"
 printf "%b for shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
 printf "\n"
 printf "\n"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/includes/target/root/.ciss/alias
+++ b/includes/target/root/.ciss/alias
@@ -10,9 +10,6 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 ########################################################################################### Alpha
 alias genkeyfile='haveged -n 1048576 >| /tmp/secure_keyfile_$(date +%s)'
 ########################################################################################### Bash
 alias clear="printf '\033c'"
 alias c='clear'
@@ -225,12 +222,12 @@ swget() {
 }
 #######################################
-# Wrapper for loading CISS.2025 hardened Kernel Parameters.
+# Wrapper for loading CISS hardened Kernel Parameters.
 # Arguments:
 #   None
 #######################################
 sysp() {
-  sysctl -p /etc/sysctl.d/99_local.hardened
+  sysctl -p /etc/sysctl.d/9999_ciss_debian_installer.hardened
  # sleep 1
  # shellcheck disable=SC2312
  sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
--- a/includes/target/root/.ciss/check_chrony.sh
+++ b/includes/target/root/.ciss/check_chrony.sh
@@ -0,0 +1,142 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-10; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 #######################################
 # Minimal leap-second probe for Debian/chrony systems.
 # - Prints kernel leap flags & TAI offset (delta AT).
 # - Reads tzdata's leap-seconds list (authoritative TAI-UTC).
 # - Shows chrony tracking summary (incl. leap status).
 # - Demonstrates 23:59:60 rendering via TZ=right/UTC.
 # Globals:
 #   None
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 main() {
  ### 1) System TZ and tzdata source.
  printf "System TZ link: [%s]\n\n" "$(readlink -f /etc/localtime || true)"
  if [[ -f /usr/share/zoneinfo/leap-seconds.list ]]; then
    declare tz_leap_line tz_tai tz_ntp ts_human
    tz_leap_line="$(awk '($1 !~ /^#/) {L=$0} END{print L}' /usr/share/zoneinfo/leap-seconds.list)"
    tz_ntp="$(awk '{print $1}' <<<"${tz_leap_line}")"
    tz_tai="$(awk '{print $2}' <<<"${tz_leap_line}")"
    ts_human="$(awk -F'#' '{gsub(/^[[:space:]]+/, "", $2); print $2}' <<<"${tz_leap_line}")"
    printf "tzdata delta AT (TAI-UTC): %s s [last change at: %s; NTP ts: %s]\n\n" "${tz_tai:-?}" "${ts_human:-?}" "${tz_ntp:-?}"
  else
    printf "tzdata leap-seconds.list not found.\n"
  fi
  ### 2) Kernel view (requires adjtimex).
  if command -v adjtimex >/dev/null 2>&1; then
    printf "Kernel time status (adjtimex -p):\n"
    adjtimex -p | sed 's/^/  /'
    declare k_tai
    k_tai="$(adjtimex -p | awk '/^tai:/ {print $2}')"
    if [[ -n "${k_tai:-}" ]]; then
      printf "Kernel-exported delta AT [tai]: %s s\n" "${k_tai}"
    fi
  else
    printf "Package: 'adjtimex' not found. Install 'adjtimex' for kernel leap/TAI details.\n\n"
  fi
  ### 3) Chrony summary.
  if command -v chronyc >/dev/null 2>&1; then
    printf "\n"
    printf "chronyc tracking:\n"
    chronyc -n tracking | sed 's/^/  /'
  else
    printf "Package: 'chronyc' not found. Skipping chrony status.\n\n"
  fi
  ### 4) right/UTC demonstration of 23:59:60 (uses 2016-12-31 leap).
  if [[ -f /usr/share/zoneinfo/right/UTC ]]; then
    printf "\n"
    printf "right/UTC leap rendering check (expect 23:59:60):\n\n"
    TZ=right/UTC date -ud '2017-01-01 00:00:00 -1 second' || true
  else
    printf "\n"
    printf "File: 'tzdata right/UTC' zone not installed; skipping 23:59:60 demo.\n\n"
  fi
  printf "\n"
  printf "Hint:\n"
  printf "  - delta AT (TAI-UTC) should match tzdata and kernel (chrony sets kernel TAI if leapsectz/leapseclist is used).\n"
  printf "  - For monotonic intervals, apps must use CLOCK_MONOTONIC, not CLOCK_REALTIME.\n"
  return 0
 }
 ### Build right/UTC from tzdata leap table if missing.
 if [[ ! -e /usr/share/zoneinfo/right/UTC ]]; then
  install -d -m 0755 /usr/share/zoneinfo/right
  ### Minimal zic source for a fixed UTC zone.
  declare -r tmp_src="/tmp/UTC.src"
  printf 'Zone UTC  0  -  UTC\n' > "${tmp_src}"
  ### Prefer the zic-format leapseconds file.
  declare leap_zic="/usr/share/zoneinfo/leapseconds"
  if [[ -s "${leap_zic}" ]]; then
    zic -d /usr/share/zoneinfo/right -L "${leap_zic}" "${tmp_src}"
  else
    echo "WARNING: ${leap_zic} not found; building right/UTC without leap info." >&2
    zic -d /usr/share/zoneinfo/right -L /dev/null "${tmp_src}"
  fi
  rm -f "${tmp_src}"
 fi
 if [[ -e /usr/share/zoneinfo/right/UTC ]]; then
  ### Expect to see 'Sat Dec 31 23:59:60 UTC 2016' rendered in right/UTC
  TZ=right/UTC date -ud '2017-01-01 00:00:00 -1 second' || true
 fi
 main "$@"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/includes/target/root/.ciss/theme_eza_ciss.yml
+++ b/includes/target/root/.ciss/theme_eza_ciss.yml
@@ -0,0 +1,125 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 %YAML 1.2
 ---
 colourful: true
 filekinds:
  normal: {foreground: Default}
  directory: {foreground: Purple, is_bold: true}
  symlink: {foreground: Cyan}
  pipe: {foreground: Yellow}
  block_device: {foreground: Yellow, is_bold: true}
  char_device: {foreground: Yellow, is_bold: true}
  socket: {foreground: Red, is_bold: true}
  special: {foreground: Yellow}
  executable: {foreground: Green, is_bold: true}
  mount_point: {foreground: Purple, is_bold: true, is_underlined: true}
 perms:
  user_read: {foreground: Yellow, is_bold: true}
  user_write: {foreground: Red, is_bold: true}
  user_execute_file: {foreground: Green, is_bold: true, is_underlined: true}
  user_execute_other: {foreground: Green, is_bold: true}
  group_read: {foreground: Yellow}
  group_write: {foreground: Red}
  group_execute: {foreground: Green}
  other_read: {foreground: Yellow}
  other_write: {foreground: Red}
  other_execute: {foreground: Green}
  special_user_file: {foreground: Purple}
  special_other: {foreground: Purple}
  attribute: {foreground: Default}
 size:
  major: {foreground: Green, is_bold: true}
  minor: {foreground: Green}
  number_byte: {foreground: Green, is_bold: true}
  number_kilo: {foreground: Green, is_bold: true}
  number_mega: {foreground: Green, is_bold: true}
  number_giga: {foreground: Green, is_bold: true}
  number_huge: {foreground: Green, is_bold: true}
  unit_byte: {foreground: Green}
  unit_kilo: {foreground: Green}
  unit_mega: {foreground: Green}
  unit_giga: {foreground: Green}
  unit_huge: {foreground: Green}
 users:
  user_you: {foreground: Yellow, is_bold: true}
  user_root: {foreground: Default}
  user_other: {foreground: Default}
  group_yours: {foreground: Yellow, is_bold: true}
  group_other: {foreground: Default}
  group_root: {foreground: Default}
 links:
  normal: {foreground: Red, is_bold: true}
  multi_link_file: {foreground: Red, background: Yellow}
 git:
  new: {foreground: Green}
  modified: {foreground: Blue}
  deleted: {foreground: Red}
  renamed: {foreground: Yellow}
  typechange: {foreground: Purple}
  ignored: {foreground: Default, is_dimmed: true}
  conflicted: {foreground: Red}
 git_repo:
  branch_main: {foreground: Green}
  branch_other: {foreground: Yellow}
  git_clean: {foreground: Green}
  git_dirty: {foreground: Yellow}
 security_context:
  colon: {foreground: Default, is_dimmed: true}
  user: {foreground: Blue}
  role: {foreground: Green}
  typ: {foreground: Yellow}
  range: {foreground: Cyan}
 file_type:
  image: {foreground: Purple}
  video: {foreground: Purple, is_bold: true}
  music: {foreground: Cyan}
  lossless: {foreground: Cyan, is_bold: true}
  crypto: {foreground: Green, is_bold: true}
  document: {foreground: Green}
  compressed: {foreground: Red}
  temp: {foreground: White}
  compiled: {foreground: Yellow}
  build: {foreground: Yellow, is_bold: true, is_underlined: true}
  source: {foreground: Yellow, is_bold: true}
 punctuation: {foreground: DarkGray, is_bold: true}
 date: {foreground: Cyan}
 inode: {foreground: Purple}
 blocks: {foreground: Cyan}
 header: {foreground: White, is_bold: true, is_underlined: true}
 octal: {foreground: Purple}
 flags: {foreground: Default}
 symlink_path: {foreground: Cyan}
 control_char: {foreground: Red}
 broken_symlink: {foreground: Red}
 broken_path_overlay: {foreground: Default, is_underlined: true}
 filenames:
 # Custom filename-based overrides
 # Cargo.toml: {icon: {glyph: ðŸ¦€}}
 extensions:
 # Custom extension-based overrides
 # rs: {filename: {foreground: Red}, icon: {glyph: ðŸ¦€}}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/includes/target/root/.physnet.bashrc
+++ b/includes/target/root/.physnet.bashrc
@@ -0,0 +1,127 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 [[ $- != *i* ]] && return
 ### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
 set +o errexit +o nounset +o pipefail
 # shellcheck disable=SC2312
 if [[ "$(id -u)" -eq 0 ]]; then
  umask 0022
  PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 else
  umask 0077
  PATH="/usr/local/bin:/usr/bin:/bin"
 fi
 export PATH
 trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' EXIT
 . "${HOME}/.ciss/alias"
 . "${HOME}/.ciss/f2bchk"
 . "${HOME}/.ciss/scan_libwrap"
 . "${HOME}/.ciss/shortcuts"
 ### Preferred editor for local and remote sessions.
 export EDITOR="nano"
 ### History-Settings
 # -'ignoreboth' Do not put duplicate lines or lines starting with space in the history.
 # -'erasedups' Causes all previous lines matching the current line to be removed from the history before that line is saved.
 export HISTCONTROL='ignoreboth:erasedups'
 # The name of the file in which command history is saved. The default value is ~/.bash_history. If unset, the command history
 # is not saved when a shell exits.
 export HISTFILE="${XDG_STATE_HOME}/bash/history"
 # The maximum number of lines contained in the history file.
 export HISTFILESIZE="16384"
 # The number of commands to remember in the command history. If the value is 0, commands are not saved in the history list.
 # Numeric values less than zero result in every command being saved on the history list (there is no limit).
 export HISTSIZE="16384"
 # If this variable is set, time stamps are written to the history file, so they may be preserved across shell sessions.
 export HISTTIMEFORMAT='%F %T %z  '
 # Optional, cautious filters (avoids trivial leaks, but not foolproof). Caution: HISTIGNORE is coarse-grained, don't overdo it.
 export HISTIGNORE='*PASS*:*pass*:*secret*:*token*:*API_KEY*:*'
 # With only histappend, entries can be lost or merge with each other in the event of a crash or multiple sessions.
 # "-a": Appends new entries from RAM to the file.
 # "-c": Then empties only the RAM buffer. Not used here for performance reasons.
 # "-r": Loads the file back into RAM.
 __ciss_hist_pc__='history -a; history -n'
 if [[ ${PROMPT_COMMAND-} != *"history -a; history -n"* ]]; then
  PROMPT_COMMAND="${PROMPT_COMMAND:+${PROMPT_COMMAND}; }${__ciss_hist_pc__}"
 fi
 unset __ciss_hist_pc__
 export PROMPT_COMMAND
 # Check the window size after each command and, if necessary, update the values of "LINES" and "COLUMNS".
 shopt -s checkwinsize
 # Append to the history file, don't overwrite it.
 shopt -s histappend
 # If set, the pattern "**" used in a pathname expansion context will match all files and zero or more directories and subdirectories.
 shopt -s globstar
 # Multi-line entries (line breaks using \ or via PS2) are stored in the history as a single entry.
 shopt -s cmdhist
 # Works in addition to cmdhist: Multi-line commands are stored in the history with real newlines, i.e., in their original format.
 shopt -s lithist
 # Check History permissions.
 [[ -f "${HISTFILE}" ]] && chmod 0600 "${HISTFILE}"
 ### Define colors for bash prompt.
 export CRED='\033[1;91m'
 export CGRE='\033[1;92m'
 export CYEL='\033[1;93m'
 export CBLU='\033[1;94m'
 export CMAG='\033[1;95m'
 export CCYA='\033[1;96m'
 export CWHI='\033[1;97m'
 export CRES='\033[0m'
 export NL='\n'
 ### Define color prompt incl. 'Exit Code' feedback.
 export PS1="\
 \[\033[1;91m\]\d\[\033[0m\]|\
 \[\033[1;91m\]\u\[\033[0m\]@\
 \[\033[1;95m\]\h\[\033[0m\]:\
 \[\033[1;96m\]\w\[\033[0m\]/>>\
 \$(if [[ \$? -eq 0 ]]; then \
    echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
  else \
    echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
  fi)\
 \$(if [[ \$(id -u) -eq 0 ]]; then echo -e \" \[\033[1;91m\]#\[\033[0m\] \"; else echo -e \" \[\033[1;92m\]\\\$\[\033[0m\] \"; fi)"
 ### Overwrite Protection.
 set -o noclobber
 alias cp='cp -iv'
 alias mv='mv -iv'
 alias rm='rm -iv'
 printf "\n"
 printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
 printf "%b✅ Welcome back %b" "${CGRE}" "${CRES}"
 printf "%b'%s'%b" "${CMAG}" "${USER}" "${CRES}"
 printf "%b! Type%b" "${CGRE}" "${CRES}"
 printf "%b 'celp'%b" "${CMAG}" "${CRES}"
 printf "%b for shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
 printf "\n"
 printf "\n"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/includes/target/root/.physnet.zshrc
+++ b/includes/target/root/.physnet.zshrc
@@ -0,0 +1,200 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 [[ -o interactive ]] || return
 # shellcheck disable=SC2312
 if [[ "$(id -u)" -eq 0 ]]; then
  umask 0022
  # If you come from bash, you might have to change your $PATH.
  PATH="${HOME}/bin:${HOME}/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 else
  umask 0077
  # If you come from bash, you might have to change your $PATH.
  PATH="${HOME}/bin:${HOME}/.local/bin:/usr/local/bin:/usr/bin:/bin"
 fi
 export PATH
 ### Path to your Oh My Zsh installation.
 export ZSH="${HOME}/.oh-my-zsh"
 # Set the name of the theme to load --- if set to "random", it will load a random theme each time Oh My Zsh is loaded, in which
 # case, to know what specific theme was loaded, run: echo $RANDOM_THEME. See https://github.com/ohmyzsh/ohmyzsh/wiki/Themes
 export ZSH_THEME="robbyrussell"
 # Set the list of themes to pick from when loading at random Setting this variable when ZSH_THEME=random will cause zsh to load
 # a theme from this variable instead of looking in $ZSH/themes/. If set to an empty array, this variable will have no effect.
 # ZSH_THEME_RANDOM_CANDIDATES=( "robbyrussell" "agnoster" )
 # Uncomment the following line to use case-sensitive completion.
 # CASE_SENSITIVE="true"
 # Uncomment the following line to use hyphen-insensitive completion. Case-sensitive completion must be off. _ and - will be
 # interchangeable.
 # HYPHEN_INSENSITIVE="true"
 # Uncomment one of the following lines to change the auto-update behavior
 # zstyle ':omz:update' mode disabled  # disable automatic updates
 # zstyle ':omz:update' mode auto      # update automatically without asking
 # zstyle ':omz:update' mode reminder  # just remind me to update when it's time
 # Uncomment the following line to change how often to auto-update (in days).
 # zstyle ':omz:update' frequency 13
 # Uncomment the following line if pasting URLs and other text is messed up.
 # DISABLE_MAGIC_FUNCTIONS="true"
 # Uncomment the following line to disable colors in ls.
 # DISABLE_LS_COLORS="true"
 # Uncomment the following line to disable auto-setting terminal title.
 # DISABLE_AUTO_TITLE="true"
 # Uncomment the following line to enable command autocorrection.
 # ENABLE_CORRECTION="true"
 # Uncomment the following line to display red dots whilst waiting for completion. You can also set it to another string to have
 # that is shown instead of the default red dots.
 # e.g., COMPLETION_WAITING_DOTS="%F{yellow}waiting...%f"
 # Caution: this setting can cause issues with multiline prompts in zsh < 5.7.1 (see #5765)
 # COMPLETION_WAITING_DOTS="true"
 # Uncomment the following line if you want to disable marking untracked files under VCS as dirty. This makes repository status
 # check for large repositories much, much faster.
 # DISABLE_UNTRACKED_FILES_DIRTY="true"
 # Uncomment the following line if you want to change the command execution time stamp shown in the history command output.
 # You can set one of the optional three formats:
 # "mm/dd/yyyy"|"dd.mm.yyyy"|"yyyy-mm-dd"
 # or set a custom format using the strftime function format specifications, see 'man strftime' for details.
 export HIST_STAMPS="yyyy-mm-dd"
 # Would you like to use another custom folder than $ZSH/custom?
 # ZSH_CUSTOM=/path/to/new-custom-folder
 # Which plugins would you like to load?
 # Standard plugins can be found in $ZSH/plugins/
 # Custom plugins may be added to $ZSH_CUSTOM/plugins/
 # Example format: plugins=(rails git textmate ruby lighthouse)
 # Add wisely, as too many plugins slow down shell startup.
 export plugins=(git zsh-syntax-highlighting zsh-autosuggestions)
 source ${ZSH}/oh-my-zsh.sh
 # User configuration
 # export MANPATH="/usr/local/man:{$MANPATH}"
 # You may need to manually set your language environment
 # export LANG=en_US.UTF-8
 # Preferred editor for local and remote sessions
 # if [[ -n $SSH_CONNECTION ]]; then
 #   export EDITOR='vim'
 # else
 #   export EDITOR='nvim'
 # fi
 # Compilation flags
 # export ARCHFLAGS="-arch $(uname -m)"
 # Set personal aliases, overriding those provided by Oh My Zsh libs,
 # plugins, and themes. Aliases can be placed here, though Oh My Zsh
 # users are encouraged to define aliases within a top-level file in
 # the $ZSH_CUSTOM folder, with .zsh extension. Examples:
 # - $ZSH_CUSTOM/aliases.zsh
 # - $ZSH_CUSTOM/macos.zsh
 # For a full list of active aliases, run `alias`.
 #
 # Example aliases
 # alias zshconfig="mate ~/.zshrc"
 # alias ohmyzsh="mate ~/.oh-my-zsh"
 ### Added by CISS.debian.installer ###
 trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' EXIT
 . "${HOME}/.ciss/alias"
 . "${HOME}/.ciss/f2bchk"
 . "${HOME}/.ciss/shortcuts"
 . "${HOME}/.ciss/scan_libwrap"
 . /usr/share/doc/fzf/examples/key-bindings.zsh
 . /usr/share/doc/fzf/examples/completion.zsh
 ### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
 set +o errexit +o nounset +o pipefail
 ### Define colors for bash prompt
 export CRED='\033[1;91m'
 export CGRE='\033[1;92m'
 export CYEL='\033[1;93m'
 export CBLU='\033[1;94m'
 export CMAG='\033[1;95m'
 export CCYA='\033[1;96m'
 export CWHI='\033[1;97m'
 export CRES='\033[0m'
 export NL='\n'
 ### Overwrite Protection
 set -o noclobber
 alias cp="cp -iv"
 alias mv='mv -iv'
 alias rm='rm -iv'
 ### Preferred editor for local and remote sessions
 export EDITOR="nano"
 ### History
 # The name of the file in which command history is saved.
 export HISTFILE="${XDG_STATE_HOME}/zsh/history"
 # The maximum number of lines contained in the history file.
 export HISTSIZE=16384
 # The number of commands to remember in the command history.
 export SAVEHIST=16384
 # Timestamp in the file: epoch:duration;command.
 setopt EXTENDED_HISTORY
 # Append, do not overwrite.
 setopt APPEND_HISTORY
 # Append lines immediately to the file.
 setopt INC_APPEND_HISTORY
 # Reload new lines from other sessions.
 setopt SHARE_HISTORY
 # Leading space do not log.
 setopt HIST_IGNORE_SPACE
 # When writing out the history file, older commands that duplicate newer ones are omitted.
 setopt HIST_SAVE_NO_DUPS
 # Remove superfluous blanks from each command line being added to the history list.
 setopt HIST_REDUCE_BLANKS
 # Check History permissions.
 [[ -f "${HISTFILE}" ]] && chmod 0600 "${HISTFILE}"
 ### Define Users
 if [ "${UID}" -eq 0 ]; then
  export USER_COLOR="%F{001}"
 else
  export USER_COLOR="%F{002}"
 fi
 ### CISS.debian.installer Prompt
 PROMPT='${USER_COLOR}%D%f|${USER_COLOR}%n%f@%F{005}%M%f:%F{006}%d%f/>>%(?.%F{002}%?.%F{001}%?)%f|~%#> '
 RPROMPT='%h|[${USER_COLOR}%*%f]'
 ### Welcome message after login.
 printf "\n"
 printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
 printf "%b✅ Welcome back %b" "${CGRE}" "${CRES}"
 printf "%b'%b'%b" "${CMAG}" "${USER}" "${CRES}"
 printf "%b! Type%b" "${CGRE}" "${CRES}"
 printf "%b 'celp'%b" "${CMAG}" "${CRES}"
 printf "%b for shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
 printf "\n"
 printf "\n"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/includes/target/root/ciss_xdg_tmp.sh
+++ b/includes/target/root/ciss_xdg_tmp.sh
@@ -0,0 +1,40 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 ### XDG variables (do not override if already set).
 set -a
 # shellcheck disable=SC2034
 XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
 # shellcheck disable=SC2034
 XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
 # shellcheck disable=SC2034
 XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
 # shellcheck disable=SC2034
 XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
 # shellcheck disable=SC2034
 XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
 # shellcheck disable=SC2034
 XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
 ### Optional migrations (controlled via /etc/default/ciss-xdg-profile).
 [[ -f /etc/default/ciss-xdg-profile ]] && . /etc/default/ciss-xdg-profile
 ### Bash history -> XDG_STATE_HOME (only if running bash).
 if [[ "${ENABLE_XDG_BASH_HISTORY:-1}" = "1" ]] && [[ -n "${BASH_VERSION:-}" ]]; then
  HISTFILE="${XDG_STATE_HOME}/bash/history"
 fi
 set +a
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/meta_loader_func.sh
+++ b/meta_loader_func.sh
@@ -42,6 +42,7 @@ source_guard "./func/cdi_3200_partitioning/3295_get_label.sh"
 source_guard "./func/cdi_4000_debootstrap/4000_debootstrap.sh"
 source_guard "./func/cdi_4000_debootstrap/4005_debootstrap_checks.sh"
 source_guard "./func/cdi_4000_debootstrap/4010_prepare_mounts.sh"
 source_guard "./func/cdi_4000_debootstrap/4011_prepare_xdg_root.sh"
 source_guard "./func/cdi_4000_debootstrap/4015_check_usr_merge.sh"
 source_guard "./func/cdi_4000_debootstrap/4020_remove_x509.sh"
 source_guard "./func/cdi_4000_debootstrap/4030_setup_hostname.sh"
@@ -89,6 +90,7 @@ source_guard "./func/cdi_4400_hardening/4410_kernel_sysctl.sh"
 source_guard "./func/cdi_4400_hardening/4420_hardening_fail2ban.sh"
 source_guard "./func/cdi_4400_hardening/4430_hardening_files.sh"
 source_guard "./func/cdi_4400_hardening/4440_hardening_haveged.sh"
 source_guard "./func/cdi_4400_hardening/4442_hardening_jitterentropy.sh"
 source_guard "./func/cdi_4400_hardening/4445_hardening_logrotate.sh"
 source_guard "./func/cdi_4400_hardening/4450_hardening_memory.sh"
 source_guard "./func/cdi_4400_hardening/4460_hardening_openssl.sh"