V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/4090_minimal_toolset.sh

@@ -45,7 +45,7 @@ minimal_toolset() {
   for var_bin in "${!hmp_tool_pkg[@]}"; do
     if ! do_in_target_script "${TARGET}" "command -v ${var_bin} >/dev/null"; then
       do_in_target "${TARGET}" apt-get install -y "${hmp_tool_pkg[${var_bin}]}"
-      do_log "debug" "true" "Tool '${var_bin}' missing – installing '${hmp_tool_pkg[${var_bin}]}'."
+      do_log "debug" "true" "Tool '${var_bin}' missing, installing '${hmp_tool_pkg[${var_bin}]}'."
     fi
   done
 

func/4160_grub_bootparameter.sh

@@ -22,7 +22,7 @@ guard_sourcing
 #   TARGET
 #   VAR_GRUB_CMDLINE_LINUX_DEFAULT
 # Arguments:
-#  None
+#   None
 # Returns:
 #   0: on success
 #######################################

func/4165_kernel_modules.sh

@@ -28,7 +28,7 @@ setup_kernel_modules() {
 ## The jitterentropy_rng kernel module provides a reliable and hardware-independent source of cryptographic entropy by measuring
 ## minute variations in CPU execution timing (jitter). These microsecond-level differences are unpredictable and rooted in
 ## physical randomness, making them suitable for high-quality entropy generation. Unlike other RNG methods that rely on hardware
-## features like TPMs or Intel's RDRAND—which may not be available or trusted—jitterentropy_rng works across all platforms,
+## features like TPMs or Intel's RDRAND, which may not be available or trusted, jitterentropy_rng works across all platforms,
 ## including virtual machines and air-gapped systems. It is compliant with NIST SP 800-90B and BSI TR-02102-4, ensuring secure
 ## entropy even during early boot stages, such as in initramfs or before full userland is available. It is the most secure,
 ## standards-compliant, and universally applicable entropy source for hardened Linux environments.

func/4170_installation_microcode.sh

@@ -32,7 +32,7 @@ installation_microcode() {
   case "${var_cpu_vendor}" in
     *AuthenticAMD*)   var_microcode_pkgs="amd64-microcode" ;;
     *GenuineIntel*)   var_microcode_pkgs="intel-microcode" ;;
-    ""|*ARM*|*arm*|*) var_microcode_pkgs=""; do_log "info" "true" "ARM or unknown CPU detected – skipping microcode install" ;;
+    ""|*ARM*|*arm*|*) var_microcode_pkgs=""; do_log "info" "true" "ARM or unknown CPU detected, skipping microcode installation." ;;
   esac
 
   ###########################################################################################

func/9997_check_grub_cmdline.sh

@@ -1,82 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-# SPDX-Comment: GRUB Kernel Parameter Linter
-
-set -Ceuo pipefail
-
-GRUB_FILE="${1:-/etc/default/grub}"
-
-# Parse GRUB_CMDLINE string into array of unique options
-parse_cmdline() {
-  local input="${1}"
-  # Remove outer quotes if present
-  input="${input%\"}"
-  input="${input#\"}"
-  # Split into array
-  read -r -a ary <<< "${input}"
-  printf "%s\n" "${ary[@]}"
-}
-
-# Key extractor: for console=tty0 → console
-extract_key() {
-  local param="${1}"
-  if [[ "${param}" == *=* ]]; then
-    echo "${param%%=*}"
-  else
-    echo "${param}"
-  fi
-}
-
-
-# Extract lines
-GRUB_LINUX_LINE=$(grep -E '^GRUB_CMDLINE_LINUX=' "${GRUB_FILE}" | sed -E 's/GRUB_CMDLINE_LINUX=//')
-GRUB_DEFAULT_LINE=$(grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' "${GRUB_FILE}" | sed -E 's/GRUB_CMDLINE_LINUX_DEFAULT=//')
-
-# Parse both lines
-mapfile -t linux_params < <(parse_cmdline "${GRUB_LINUX_LINE}")
-mapfile -t default_params < <(parse_cmdline "${GRUB_DEFAULT_LINE}")
-
-# Combine for conflict analysis
-declare -A param_values=()
-declare -A param_sources=()
-declare -A duplicate_params=()
-
-# Loop over all parameter
-for source in "linux" "default"; do
-  declare -n params="${source}_params"
-  for p in "${params[@]}"; do
-    key=$(extract_key "${p}")
-    if [[ -v param_values["${key}"] ]]; then
-      if [[ "${param_values[${key}]}" != "${p}" ]]; then
-        echo "⚠️  Conflict: Parameter '${key}' has multiple values:"
-        echo "   - ${param_values[${key}]} (from ${param_sources[${key}]})"
-        echo "   - ${p} (from ${source})"
-      else
-        duplicate_params["${p}"]=1
-      fi
-    else
-      param_values["${key}"]="${p}"
-      param_sources["${key}"]="${source}"
-    fi
-  done
-done
-
-# Report duplicates
-if (( ${#duplicate_params[@]} > 0 )); then
-  echo "ℹ️  Duplicate parameters found:"
-  for dup in "${!duplicate_params[@]}"; do
-    echo "   - ${dup}"
-  done
-fi
-
-echo "✅ GRUB_CMDLINE check complete."
-eit 0

func/9998_check_sshd_config_integrity.sh

@@ -27,7 +27,7 @@ red()   { tput setaf 1; echo "$1"; tput sgr0; }
 green() { tput setaf 2; echo "$1"; tput sgr0; }
 
 echo
-bold "🛡️  Checking SSH Configuration Integrity..."
+bold "Checking SSH Configuration Integrity..."
 
 if [[ ! -f "${REF_CONFIG}" ]]; then
   red "ERROR: Reference config '${REF_CONFIG}' not found."

func/9999_check_grub_cmdline.sh

@@ -0,0 +1,104 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+# SPDX-Comment: GRUB Kernel Parameter Linter
+
+set -Ceuo pipefail
+
+#######################################
+# Parse GRUB_CMDLINE string into array of unique options
+# Arguments:
+#   1: Grub file to parse
+#######################################
+parse_cmdline() {
+  declare var_input="${1}"
+  declare -a ary_input
+  ### Remove outer quotes if present.
+  var_input="${var_input%\"}"
+  var_input="${var_input#\"}"
+  ### Split into an array.
+  read -r -a ary_input <<< "${var_input}"
+  printf "%s\n" "${ary_input[@]}"
+}
+
+#######################################
+# Key extractor: for 'console=tty0' -> 'console'
+# Arguments:
+#   1:
+#######################################
+extract_key() {
+  declare var_param="${1}"
+  if [[ "${var_param}" == *=* ]]; then
+    echo "${var_param%%=*}"
+  else
+    echo "${var_param}"
+  fi
+}
+
+#######################################
+# Check Grub Command Lines for duplicate entries.
+# Globals:
+#   TARGET
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+check_grub_cmdline() {
+  ### Variable and Array declaration.
+  declare var_grub_file="${TARGET}/etc/default/grub"
+  declare var_grub_linux_line="" var_grub_default_line="" dup="" key="" p="" source=""
+  declare -a ary_default_params=() ary_linux_params=()
+  ### Combine for conflict analysis.
+  declare -A hmp_param_values=()
+  declare -A hmp_param_sources=()
+  declare -A hmp_duplicate_params=()
+
+  ### Extract lines.
+  var_grub_linux_line=$(grep -E '^GRUB_CMDLINE_LINUX=' "${var_grub_file}" | sed -E 's/GRUB_CMDLINE_LINUX=//')
+  var_grub_default_line=$(grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' "${var_grub_file}" | sed -E 's/GRUB_CMDLINE_LINUX_DEFAULT=//')
+
+  ### Parse both lines.
+  mapfile -t ary_linux_params < <(parse_cmdline "${var_grub_linux_line}")
+  mapfile -t ary_default_params < <(parse_cmdline "${var_grub_default_line}")
+
+  ### Loop over all parameters.
+  for source in "linux" "default"; do
+    declare -n params="ary_${source}_params"
+    for p in "${params[@]}"; do
+      key=$(extract_key "${p}")
+      if [[ -v hmp_param_values["${key}"] ]]; then
+        if [[ "${hmp_param_values[${key}]}" != "${p}" ]]; then
+          echo "Conflict: Parameter '${key}' has multiple values:"
+          echo "- ${hmp_param_values[${key}]} (from ${hmp_param_sources[${key}]})"
+          echo "- ${p} (from ${source})"
+        else
+          hmp_duplicate_params["${p}"]=1
+        fi
+      else
+        hmp_param_values["${key}"]="${p}"
+        hmp_param_sources["${key}"]="${source}"
+      fi
+    done
+  done
+
+### Report duplicates.
+if (( ${#hmp_duplicate_params[@]} > 0 )); then
+  echo "Duplicate parameters found:"
+  for dup in "${!hmp_duplicate_params[@]}"; do
+    echo "- ${dup}"
+  done
+fi
+
+echo "GRUB_CMDLINE check complete."
+return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/initramfs-tools/files/unlock_wrapper_signer.sh

@@ -61,7 +61,7 @@ fi
 printf "\e[0;92m🔢 Generating Hashes done. \e[0m\n"
 
 ### Signing Hashes
-printf "\e[0;95m✍️ Signing hashes ... \e[0m\n"
+printf "\e[0;95m🔑 Signing hashes ... \e[0m\n"
 
 if gpg --homedir "${GNUPGHOME}" --batch --yes --local-user "${FPR}" --output "${SIG384}" --detach-sign "${HASH384}"; then
   printf "\e[0;92m✅ Hash: [%s] signed: [%s]. \e[0m\n" "${HASH384}" "${SIG384}"
@@ -71,7 +71,7 @@ if gpg --homedir "${GNUPGHOME}" --batch --yes --local-user "${FPR}" --output "${
   printf "\e[0;92m✅ Hash: [%s] signed: [%s]. \e[0m\n" "${HASH512}" "${SIG512}"
 fi
 
-printf "\e[0;92m✍️ Signing hashes done.  \e[0m\n"
+printf "\e[0;92m🔑 Signing hashes done.  \e[0m\n"
 
 exit 0
 

includes/root/.ciss/alias

@@ -0,0 +1,257 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+########################################################################################### Alpha
+alias genkeyfile='haveged -n 1048576 >| /tmp/secure_keyfile_$(date +%s)'
+
+########################################################################################### Bash
+alias clear="printf '\033c'"
+alias c='clear'
+alias q='exit'
+
+########################################################################################### Chrony
+alias cytr='echo "tracking -a -v" | chronyc'
+alias cysd='echo "selectdata -a -v" | chronyc'
+alias cyss='echo "sourcestats -a -v" | chronyc'
+
+########################################################################################### fail2ban & ufw
+alias f2ball='fail2ban-client status'
+alias f2bubn='fail2ban-client unban --all'
+alias f2bufw='fail2ban-client status ufw'
+alias usn='ufw status numbered'
+alias usv='ufw status verbose'
+
+########################################################################################### ls
+alias ls='eza --group-directories-first --icons=always --oneline --long --all --group --header --blocksize --inode --flags --binary --octal-permissions --total-size --sort extension'
+alias lsf='eza --group-directories-first --icons=always --oneline --long --all --absolute --group --header --blocksize --inode --flags --binary --octal-permissions --total-size --sort extension'
+alias lss='eza --group-directories-first --icons=always --oneline --long --all --absolute --group --header --blocksize --inode --flags --binary --octal-permissions --total-size --sort extension --extended'
+alias la='ls'
+alias ll=ls
+alias l=ls
+
+########################################################################################### Package Management
+alias aptac='apt autoclean'
+alias aptap='apt autopurge'
+alias aptar='apt autoremove'
+alias aptcheck='apt-get check'
+alias aptdep='apt-cache depends'
+alias aptdl='apt-get install --download-only'
+alias aptfug='apt full-upgrade'
+alias aptupd='apt update'
+alias aptupg='apt upgrade'
+alias apti='apt install'
+alias aptp='apt purge'
+alias aptpp='dpkg --purge'
+alias aptr='apt remove'
+alias aptse='apt search'
+alias aptsh='apt show'
+alias aptimage='apt-cache search linux-image | grep linux-image | grep amd64 | grep -v "dbg" | grep -v "meta-package" | grep -v "cloud" | grep -v "PREEMPT"'
+
+########################################################################################### Readability
+alias df='df -h'
+alias free='free -m'
+alias mkdir='mkdir -pv'
+
+########################################################################################### Service restart
+alias rsban='systemctl restart fail2ban'
+alias rsweb='systemctl restart nginx php8.4-fpm redis'
+
+########################################################################################### System maintaining
+alias boot='reboot -h now'
+alias cscan='clamscan -r --bell -i'
+alias chkhvg='haveged -n 0 | dieharder -g 200 -a'
+alias dev='lsblk -o NAME,MAJ:MIN,FSTYPE,FSVER,SIZE,UUID,MOUNTPOINT,PATH'
+alias i='echo "$(whoami) @ $(uname -a)"'
+alias ipunused='iptables -L -v -n'
+alias jboot='journalctl --boot=0'
+alias lsadt='lynis audit system --auditor Centurion_Intelligence_Consulting_Agency'
+alias lsadtdoc='lynis audit system --auditor Centurion_Intelligence_Consulting_Agency > /root/lynis-$(date +%F_%H-%M-%S).txt 2>&1'
+alias n='nano'
+alias nstat='netstat -tlpnvWa'
+alias s='sudo -i'
+alias sas='systemd-analyze security'
+alias shut='shutdown -h now'
+alias ssa='systemctl status'
+alias ssf='systemctl status --failed'
+alias sysdr='systemctl daemon-reload'
+alias syses='systemctl edit'
+alias sysrl='systemctl reload'
+alias sysrs='systemctl restart'
+alias syssp='systemctl stop'
+alias sysst='systemctl start'
+alias v='nvim'
+alias whatdelete='lsof | grep deleted'
+alias whatimage='dpkg --list | grep linux-image'
+alias whatpurge='dpkg --get-selections | grep deinstall'
+
+########################################################################################### Functions
+
+#######################################
+# Generates Secure (/dev/random) Passwords
+# Arguments:
+#    Length of Password, e.g., 32, and --base64 in case of encoding in BASE64.
+#######################################
+# shellcheck disable=SC2317
+genpasswd() {
+  declare -i length=32
+  declare -i usebase64=0
+
+  while [[ $# -gt 0 ]]; do
+    case "$1" in
+      --base64)
+        usebase64=1
+        ;;
+      '' | *[!0-9]*) ;;
+      *)
+         length="$1"
+        ;;
+    esac
+    shift
+  done
+
+  declare passwd
+  passwd=$(tr -dc 'A-Za-z0-9_' < /dev/random | head -c "${length}")
+
+  if [[ ${usebase64} -eq 1 ]]; then
+    echo -n "${passwd}" | base64
+  else
+    echo "${passwd}"
+  fi
+}
+
+#######################################
+# Generates Secure (/dev/random) Passwords.
+# Arguments:
+#   none
+#######################################
+# shellcheck disable=SC2317
+genpasswdhash() {
+  declare salt
+  salt=$(tr -dc 'A-Za-z0-9' < /dev/random | head -c 16)
+  mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608
+}
+
+#######################################
+# Outputs a 16-character random printable string
+# Arguments:
+#   None
+#######################################
+genstring() {
+  (haveged -n 1000 -f - 2>/dev/null | tr -cd '[:graph:]' | fold -w 16 && echo ) | head
+}
+
+#######################################
+# Wrapper for secure curl
+# Arguments:
+#   1: URL from which to download a specific file
+#   2: /path/to/file to be saved to
+# Returns:
+#   0: Download successful
+#   1: Usage error
+#   2: Download failure
+#######################################
+scurl() {
+  if [[ $# -ne 2 ]]; then
+    printf "\e[91m❌ Error: Usage: scurl <URL> <path/to/file>.\e[0m\n" >&2
+    return 1
+  fi
+  declare url="$1"
+  declare output_path="$2"
+  if ! curl --doh-url "https://dns01.eddns.eu/dns-query" \
+            --doh-cert-status \
+            --tlsv1.3 \
+            -sSf \
+            -o "${output_path}" \
+            "${url}"
+  then
+    printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "${url}" >&2
+    return 2
+  fi
+  return 0
+}
+
+#######################################
+# Wrapper for secure wget
+# Arguments:
+#   1: URL from which to download a specific file
+#   2: /path/to/file to be saved to
+# Returns:
+#   0: Download successful
+#   1: Usage error
+#   2: Download failure
+#######################################
+swget() {
+  if [[ $# -ne 2 ]]; then
+    printf "\e[91m❌ Error: Usage: swget <URL> <path/to/file>.\e[0m\n" >&2
+    return 1
+  fi
+  declare url="$1"
+  declare output_path="$2"
+  mkdir -p "$(dirname "${output_path}")"
+  if ! wget --show-progress \
+            --no-clobber \
+            --https-only \
+            --secure-protocol=TLSv1_3 \
+            -qO "${output_path}" \
+            "${url}"
+  then
+    printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "$url" >&2
+    return 2
+  fi
+  return 0
+}
+
+#######################################
+# Wrapper for loading CISS.2025 hardened Kernel Parameters
+# Arguments:
+#   None
+#######################################
+sysp() {
+  sysctl -p /etc/sysctl.d/99_local.hardened
+  # sleep 1
+  sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
+}
+
+#######################################
+# Wrapper for tree
+# Arguments:
+#   1: Depth of Directory Listing
+#######################################
+trel() {
+  declare depth=${1:-3}
+  tree -C -h --dirsfirst -L "${depth}"
+}
+
+#######################################
+# Wrapper for package and path to bin.
+# Arguments:
+#   1: Program
+#######################################
+whichpackage() {
+  if ! command -v "$1" >/dev/null 2>&1; then
+    printf 'Error: Program '%s' not found.\n' "$1" >&2
+    exit 1
+  fi
+  dpkg -S "$(which "$1")"
+}
+
+#######################################
+# Wrapper for Diskspace used in Path.
+# Arguments:
+#   1: Path (defaults /var)
+#   2: Depth (defaults 1)
+#   3: Number of Entries (defaults 16)
+#######################################
+whichused() {
+  du -h --max-depth="${2:-1}" "${1:-/var}" | sort -hr | head -n "${3:-16}"
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/root/.ciss/clean_logout.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+clear
+
+cat << 'EOF'
+#######################################################################
+                 #                                              #
+                 ##                                             ##
+ ###### ######## ###  ## ######## ###  ## #######  ### #######  ###  ##
+###              #### ##    ###   ###  ##       ## ###       ## #### ##
+###      ####### #######    ###   ###  ##  ######  ###  ##   ## #######
+###      ###     ### ###    ###   ###  ##  ##  ##  ###  ##   ## ### ###
+ ######  ####### ###  ##    ###    #####   ##   ## ###   #####  ###  ##
+                       #                                              #
+#######################################################################
+EOF
+
+echo ""
+echo -e "\e[97m      (c) Marc S. Weidner, 2018 - 2025 \e[0m"
+echo -e "\e[97m      (p) Centurion Press, 2018 - 2025 \e[0m"
+echo -e "\e[97m          Centurion Intelligence Consulting Agency (tm) \e[0m"
+echo -e "\e[97m          https://coresecret.eu/ \e[0m"
+echo -e "\e[95m          Please consider making a donation: \e[0m"
+echo -e "\e[95m          https://coresecret.eu/spenden/ \e[0m"
+echo ""
+echo -e "\e[92m          All done" "\e[95m'${USER}'" "\e[92m! \e[0m"
+echo -e "\e[92m          Close shell with 'ENTER' to exit" "\e[95m'${HOSTNAME}'" "\e[92m! \e[0m"
+# shellcheck disable=SC2162
+read
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/root/.ciss/f2bchk.sh

@@ -0,0 +1,90 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+set -Ceuo pipefail
+
+#######################################
+# Wrapper for fail2ban filter checks against logs.
+# Usage: f2bchk --mode=ignored || --mode=matched  || --mode=missed \
+#               --filter=/etc/fail2ban/filter.d/ufw.aggressive.conf \
+#               --log=/var/log/ufw.log \
+#               --output=/tmp/f2bchk.log
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#   1: In case of any errors
+#######################################
+f2bchk(){
+  # Declare default values (readonly)
+  declare -r DEFAULT_MODE="matched"
+  declare -r DEFAULT_FILTER="/etc/fail2ban/filter.d/ufw.aggressive.conf"
+  declare -r DEFAULT_LOG="/var/log/ufw.log"
+
+  declare mode="${DEFAULT_MODE}"
+  declare filter="${DEFAULT_FILTER}"
+  declare log="${DEFAULT_LOG}"
+  declare output=""
+  declare arg=""
+
+  for arg in "$@"; do
+    case "${arg}" in
+      --mode=*)   mode="${arg#--mode=}";;
+      --filter=*) filter="${arg#--filter=}";;
+      --log=*)    log="${arg#--log=}";;
+      --output=*) output="${arg#--output=}";;
+      *)
+        printf "\e[31m[ERROR]\e[0m Unknown argument: %s\n" "${arg}"
+        return 1
+        ;;
+    esac
+  done
+
+  declare flag suffix
+  case "${mode}" in
+    ignored) flag="--print-all-ignored"; suffix="all.ignored";;
+    matched) flag="--print-all-matched"; suffix="all.matched";;
+    missed)  flag="--print-all-missed";  suffix="all.missed";;
+    *)
+      printf "\e[31m[ERROR]\e[0m Invalid mode: %s\n" "${mode}"
+      return 1
+      ;;
+  esac
+
+  if [[ -z "${output}" ]]; then
+    declare filter_name="${filter##*/}"
+    filter_name="${filter_name%.conf}"
+    output="/tmp/${filter_name}.${suffix}.log"
+  fi
+  if [[ ! -r "${log}" ]]; then
+    printf "\e[31m[ERROR]\e[0m Log file '%s' not found or not readable.\n" "${log}"
+    return 1
+  fi
+  if [[ ! -r "${filter}" ]]; then
+    printf "\e[31m[ERROR]\e[0m Filter file '%s' not found or not readable.\n" "${filter}"
+    return 1
+  fi
+
+  printf "\e[33m[INFO]\e[0m Running: fail2ban-regex %s %s %s\n" "${log}" "${filter}" "${flag}"
+  if fail2ban-regex "${log}" "${filter}" "${flag}" >| "${output}"; then
+    printf "\e[32m[SUCCESS]\e[0m Saved log to %s\n" "$output"
+    printf "You can view it with: cat %s\n" "$output"
+  else
+    printf "\e[31m[ERROR]\e[0m fail2ban-regex execution failed.\n"
+    return 1
+  fi
+
+  exit 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/root/.ciss/scan_libwrap

@@ -0,0 +1,42 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Scanner for 'libwrap' usage.
+# Arguments:
+#   None
+#######################################
+scanlw() {
+  printf "\e[92m🔍 Scanning all running processes for 'libwrap' usage ... \e[0m\n"
+  printf "\n"
+
+  # Collect binaries from all running PIDs
+  declare pid exe_path comm user
+
+  for pid in $(ps -e -o pid=); do
+    exe_path=$(readlink -f "/proc/${pid}/exe" 2>/dev/null)
+
+    # Skip if not a regular executable
+    [[ -x "${exe_path}" ]] || continue
+
+    # Check if the binary is linked with libwrap
+    if ldd "$exe_path" 2>/dev/null | grep -q "libwrap"; then
+      comm=$(ps -p "$pid" -o comm=)
+      user=$(ps -p "$pid" -o user=)
+      printf "\e[92m✅ PID: %s (%s) [User: %s] is linked with 'libwrap.so'. \e[0m\n" "${pid}" "${comm}" "${user}"
+    fi
+  done
+  printf "\n"
+  printf "\e[92m✅ Scan complete. \e[0m\n"
+  exit 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/root/.ciss/shortcuts

@@ -0,0 +1,119 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+declare -ga shortcuts=(
+  "aptac: apt autoclean"
+  "aptap: apt autopurge"
+  "aptar: apt autoremove"
+  "aptcheck: apt-get check"
+  "aptdep: apt-cache depends"
+  "aptdl: apti --download-only"
+  "aptfug: apt full-upgrade"
+  "apti: apt install"
+  "aptimage: get Kernel Img"
+  "aptp: apt purge"
+  "aptpp: dpkg --purge"
+  "aptr: apt remove"
+  "aptse: apt search"
+  "aptsh: apt show"
+  "aptupd: apt update"
+  "aptupg: apt upgrade"
+  "boot: reboot -h now"
+  "c: clear"
+  "clear: printf \033c"
+  "cscan: clamscan -r --bell -i"
+  "chkhvg: hvg -n 0 | dieharder -g 200 -a"
+  "cysd: chrony selectdata"
+  "cyss: chrony sourcestats"
+  "cytr: chrony tracking"
+  "dev: lsblk -o ..."
+  "df: df -h"
+  "f2ball: f2b status all"
+  "f2bubn: f2b unban --all"
+  "f2bufw: f2b status ufw"
+  "free: free -m"
+  "genkeyfile: 1MiBi"
+  "genpasswd: PWD"
+  "genpasswdhash: PWD Hash"
+  "genstring: Random String"
+  "i: who you are"
+  "ipunused: iptables -L -v -n"
+  "jboot: journalctl --boot=0"
+  "l: ls"
+  "la: ls"
+  "ll: ls"
+  "ls: eza"
+  "lsadt: lynis audit system"
+  "lsadtdoc: lynis audit system"
+  "lsf: eza --absolute"
+  "lss: eza --extended"
+  "mkdir: mkdir -pv"
+  "n: nano"
+  "nstat: netstat -tlpnvWa"
+  "q: exit"
+  "rsban: restart fail2ban"
+  "rsweb: restart nginx php8.4-fpm redis"
+  "s: sudo -i"
+  "sas: systemd-analyze security"
+  "scanlw: scan libwrap"
+  "scurl: TLS1.3 curl"
+  "shut: shutdown -h now"
+  "ssa: systemctl status"
+  "ssf: systemctl status --failed"
+  "swget: TLS1.3 wget"
+  "sysdr: systemctl daemon-reload"
+  "syses: systemctl edit"
+  "sysp: load 99_local.hardened"
+  "sysrl: systemctl reload"
+  "sysrs: systemctl restart'"
+  "syssp: systemctl stop"
+  "sysst: systemctl start"
+  "trel: tree"
+  "usn: ufw status numbered"
+  "usv: ufw status verbose"
+  "v: nvim"
+  "whatdelete: lsof | grep deleted"
+  "whatimage: dpkg --list | grep linux"
+  "whatpurge: dpkg --get-selections"
+  "whichpackage <PROGRAM>"
+  "whichused <PATH> <DEPTH> <ENTRIES>"
+)
+
+#######################################
+# Show available Aliases
+# Globals:
+#   CMAG
+#   CRES
+#   shortcuts
+# Arguments:
+#  None
+#######################################
+celp() {
+  declare arr=("${shortcuts[@]}")
+  declare cols=3
+  declare col_width=42
+  declare i=0
+  declare entry
+  for entry in "${arr[@]}"; do
+    # Print entry left-aligned in fixed width, colored
+    printf "${CMAG}%-${col_width}s${CRES}" "${entry}"
+    ((i++))
+    if ((i % cols == 0)); then
+      printf "\n"
+    fi
+  done
+  # If last line not full, add a newline
+  if ((i % cols != 0)); then
+    printf "\n"
+  fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh