diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
index 7af5dbe..2dae5b8 100644
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
attributes:
label: "Version"
description: "Which version are you running? Use `./setup.sh -v`."
- placeholder: "e.g., Master V9.14.000.2026.06.07"
+ placeholder: "e.g., Master V9.14.002.2026.06.08"
validations:
required: true
diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml
index 18391f9..ede96fb 100644
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V9.14.000.2026.06.07
+ version: V9.14.002.2026.06.08
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml
index a198101..cdf76bf 100644
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
-### Version Master V9.14.000.2026.06.07
+### Version Master V9.14.002.2026.06.08
# Gitea Workflow: Shell-Script Linting
#
diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml
index 183283c..26eb1c2 100644
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
-### Version Master V9.14.000.2026.06.07
+### Version Master V9.14.002.2026.06.08
name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml
index 9d811b6..6b0019c 100644
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
-### Version Master V9.14.000.2026.06.07
+### Version Master V9.14.002.2026.06.08
name: 🔁 Render Graphviz Diagrams.
diff --git a/.preseed/SECRETS.yaml b/.preseed/SECRETS.yaml
index d03820b..c2ee631 100644
--- a/.preseed/SECRETS.yaml
+++ b/.preseed/SECRETS.yaml
@@ -11,7 +11,7 @@
#
#
# This file contains all required Secrets, Tokens and Public and Private Keys for the CISS.debian.installer
-# Master V9.14.000.2026.06.07
+# Master V9.14.002.2026.06.08
# YAML specification: 1.2
#
secrets:
@@ -19,7 +19,7 @@ secrets:
created_at: "2025-10-23"
created_for: "host_domain_tld"
name: "CISS.debian.installer"
- version: "V9.14.000.2026.06.07"
+ version: "V9.14.002.2026.06.08"
x_files: "false"
################################################################################################################################
# Grub bootloader passphrase
diff --git a/.preseed/preseed.yaml b/.preseed/preseed.yaml
index 1b60acd..1eede7f 100644
--- a/.preseed/preseed.yaml
+++ b/.preseed/preseed.yaml
@@ -11,7 +11,7 @@
%YAML 1.2
---
# This file contains configurations for the CISS.debian.installer
-# Master V9.14.000.2026.06.07
+# Master V9.14.002.2026.06.08
# YAML specification: 1.2
#
preseed:
@@ -19,7 +19,7 @@ preseed:
created_at: "2025-10-23"
created_for: "host_domain_tld"
name: "CISS.debian.installer"
- version: "V9.14.000.2026.06.07"
+ version: "V9.14.002.2026.06.08"
#
################################################################################################################################
# APT settings
@@ -28,7 +28,7 @@ apt:
contrib: true # Optionally, install contrib software.
deb_sources: true # Optionally includes deb-src entries for source repositories.
default_list: false # By default, source repositories are listed in '/etc/apt/sources.list'.
- default_deb822: true # Since Trixie, source repositories are listed in '/etc/apt/sources.list.d/' in deb.822 format.
+ default_deb822: true # Since Trixie, source repositories have been listed in '/etc/apt/sources.list.d/' in deb.822 format.
full_upgrade: true # Whether to upgrade packages after debootstrap.
install_recommends: true # Configure APT to not install recommended packages by default.
non_free: true # Optionally, install non-free software.
@@ -107,7 +107,7 @@ image: "linux-image-6.16.3+deb13-amd64"
# "linux-image-6.16.3+deb13-amd64"
needrun: false # Static linking to "${TARGET}/run" can cause problems if this data is "burned" into the target.
provider: "netcup" # MUST be one of "contabo", "hetzner", "netcup" or leave empty.
-security_ext: "apparmor" # MUST be one of "apparmor" or "selinux".
+security_ext: "apparmor" # MUST be one of "apparmor" or "selinux".
################################################################################################################################
# Dropbear settings
@@ -156,7 +156,7 @@ grub_parameter:
- "debugfs=off"
##############################################################################################################################
- # Disable the busmaster bit on all PCI bridges during very early boot to avoid holes in IOMMU.
+ # Disable the bus master bit on all PCI bridges during very early boot to avoid holes in IOMMU.
# https://mjg59.dreamwidth.org/54433.html
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
##############################################################################################################################
@@ -262,7 +262,7 @@ grub_parameter:
##############################################################################################################################
# All Kernel Messages with a loglevel smaller than the console loglevel will be printed to the console. It can also be
# changed with 'klogd' or other programs. The log levels are defined as follows:
- # 0 (KERN_EMERG) system is unusable
+ # 0 (KERN_EMERG) the system is unusable
# 1 (KERN_ALERT) action must be taken immediately
# 2 (KERN_CRIT) critical conditions
# 3 (KERN_ERR) error conditions
diff --git a/.version.properties b/.version.properties
index f3bbd79..eec3ab1 100644
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
properties_SPDX-PackageName="CISS.debian.installer"
properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V9.14.000.2026.06.07"
+properties_version="V9.14.002.2026.06.08"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
diff --git a/CISS.debian.installer.spdx b/CISS.debian.installer.spdx
index 5b6205b..c563fb1 100644
--- a/CISS.debian.installer.spdx
+++ b/CISS.debian.installer.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
Created: 2025-06-17T12:00:00Z
Package: CISS.debian.installer
PackageName: CISS.debian.installer
-PackageVersion: Master V9.14.000.2026.06.07
+PackageVersion: Master V9.14.002.2026.06.08
PackageSupplier: Organization: Centurion Intelligence Consulting Agency
PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.installer
PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.installer
diff --git a/README.md b/README.md
index 3650b11..412f9cc 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
gitea: none
include_toc: true
---
-[](https://git.coresecret.dev/msw/CISS.debian.installer)
+[](https://git.coresecret.dev/msw/CISS.debian.installer)
[](https://eupl.eu/1.2/en/)
[](https://opensource.org/license/eupl-1-2)
@@ -27,7 +27,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
This is a digitally signed, self-verifying shell script for installing a hardened Debian Bookworm server environment, based on
the latest server and service hardening best practices. Compared to the original Debian installer, this installer offers much
diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md
index c6a5b62..22fee56 100644
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. DNSSEC Status
diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md
index d08313a..dba21d2 100644
--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. TLS Audit:
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 83775ed..212ce9a 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -8,11 +8,11 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Changelog
-## V9.14.000.2026.06.07
+## V9.14.002.2026.06.08
* Initial Release
diff --git a/docs/CNET.md b/docs/CNET.md
index 69e46ca..79fe1f4 100644
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Centurion Net - Developer Branch Overview
diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md
index 33cddd7..285a175 100644
--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Purpose
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
index 2376bd4..dbd85ee 100644
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Contributing / participating
diff --git a/docs/CREDITS.md b/docs/CREDITS.md
index c4fd444..c2c1fcb 100644
--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Credits
diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md
index d80b300..a131244 100644
--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,15 +8,15 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Usage
````text
CISS.debian.installer
-Master V9.14.000.2026.06.07
+Master V9.14.002.2026.06.08
-(c) Marc S. Weidner, 2018 - 2025
-(p) Centurion Press, 2024 - 2025
+(c) Marc S. Weidner, 2018 - 2026
+(p) Centurion Press, 2024 - 2026
https://coresecret.eu/
@@ -34,6 +34,11 @@ A powerful Debian installer for setting up a hardened Debian environment.
Enables debug logging for the main program routine. Detailed logging
information are written to "/tmp/ciss_live_builder_516151.log"
+ --dropbear-version .
+ Sets the Dropbear source version used for the hardened Dropbear build.
+ Also accepts "--dropbear-version=.".
+ Defaults to "2026.91".
+
--renice-priority
Reset the nice priority value of the script and all its children
to the desired PRIORITY. MUST be an integer (between "-19" and 19).
diff --git a/docs/MANPAGES.md b/docs/MANPAGES.md
index 7f89aa2..e558dba 100644
--- a/docs/MANPAGES.md
+++ b/docs/MANPAGES.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. ToC
diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md
index 52bce3c..7c0b50d 100644
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Resources
diff --git a/docs/man/BOOTPARAMS.md b/docs/man/BOOTPARAMS.md
index a17357d..a7b0a9a 100644
--- a/docs/man/BOOTPARAMS.md
+++ b/docs/man/BOOTPARAMS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Hardened Kernel Boot Parameters
diff --git a/docs/man/DEBUG_HANDLING.md b/docs/man/DEBUG_HANDLING.md
index 17fecac..709b0ed 100644
--- a/docs/man/DEBUG_HANDLING.md
+++ b/docs/man/DEBUG_HANDLING.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Debugging and Tracing Infrastructure
diff --git a/docs/man/ERROR_HANDLING.md b/docs/man/ERROR_HANDLING.md
index 471b686..d5c46ca 100644
--- a/docs/man/ERROR_HANDLING.md
+++ b/docs/man/ERROR_HANDLING.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Global Environment and Error Handling in CISS.debian.installer
diff --git a/docs/man/LINTER_CHAR.md b/docs/man/LINTER_CHAR.md
index 3e330e8..5f6ed2c 100644
--- a/docs/man/LINTER_CHAR.md
+++ b/docs/man/LINTER_CHAR.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Git Workflow Linter — Character Set Policy Enforcement
diff --git a/docs/man/TRAP_MECHANISM.md b/docs/man/TRAP_MECHANISM.md
index db6024a..540881a 100644
--- a/docs/man/TRAP_MECHANISM.md
+++ b/docs/man/TRAP_MECHANISM.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Interplay Between Global Hardening Settings and TRAP Mechanisms
diff --git a/func/cdi_1000_helper/README/README_1080.md b/func/cdi_1000_helper/README/README_1080.md
index b733ea6..9b783d2 100644
--- a/func/cdi_1000_helper/README/README_1080.md
+++ b/func/cdi_1000_helper/README/README_1080.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. [1080_helper_chroot.sh](../1080_helper_chroot.sh)
**Scope:** This note explains *what to use when* among
diff --git a/func/cdi_4000_debootstrap/README/README_4000.md b/func/cdi_4000_debootstrap/README/README_4000.md
index feef5df..a2c983b 100644
--- a/func/cdi_4000_debootstrap/README/README_4000.md
+++ b/func/cdi_4000_debootstrap/README/README_4000.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. [4000_debootstrap.sh](../4000_debootstrap.sh)
This module provisions a minimal Debian userspace into the installers target root (`$TARGET`) using `debootstrap`.
diff --git a/func/cdi_4300_network/4310_dropbear_build.sh b/func/cdi_4300_network/4310_dropbear_build.sh
index d6cbff7..5279644 100644
--- a/func/cdi_4300_network/4310_dropbear_build.sh
+++ b/func/cdi_4300_network/4310_dropbear_build.sh
@@ -15,7 +15,10 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
#######################################
# Build Ultra Hardened dropbear from sources.
# Globals:
+# PATH
# TARGET
+# VAR_DROPBEAR_BUILD_ROOT
+# VAR_DROPBEAR_VERSION
# VAR_SETUP_PATH
# Arguments:
# None
@@ -27,10 +30,9 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
#######################################
dropbear_build() {
### Declare Arrays, HashMaps, and Variables.
- declare var_dropbear_version="2026.91"
- declare var_tar="${VAR_SETUP_PATH}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
- declare var_build_root="/opt/.ciss/build"
- declare var_build_dir="${var_build_root}/dropbear-${var_dropbear_version}"
+ declare -r var_tar="${VAR_SETUP_PATH}/upgrades/dropbear/dropbear-${VAR_DROPBEAR_VERSION}.tar.bz2"
+ declare -r var_build_root="${VAR_DROPBEAR_BUILD_ROOT}"
+ declare -r var_build_dir="${var_build_root}/dropbear-${VAR_DROPBEAR_VERSION}"
declare -r var_logfile="/root/.ciss/cdi/log/4310_dropbear_build.log"
declare -r var_build_log="${TARGET}${var_logfile}"
declare -r var_build_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
@@ -49,7 +51,7 @@ dropbear_build() {
fi
case "${var_build_dir}" in
- /opt/.ciss/build/dropbear-*) ;;
+ "${VAR_DROPBEAR_BUILD_ROOT}"/dropbear-*) ;;
*)
do_log "error" "file_only" "4310() Refusing to clean unexpected Dropbear build directory: '${var_build_dir}'."
return "${ERR_PATH_NOT_VALID}"
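Review bot: The rewritten guard `"${VAR_DROPBEAR_BUILD_ROOT}"/dropbear-*)` can no longer fail, because `var_build_dir` is itself built as `${VAR_DROPBEAR_BUILD_ROOT}/dropbear-${VAR_DROPBEAR_VERSION}`; the old literal `/opt/.ciss/build/dropbear-*` was an independent check on the path before it is cleaned. An empty or `/` root now passes the test and yields a top-level `/dropbear-…` directory. The same self-referential pattern is added to `dropbear_initramfs()` in 4311_dropbear_initramfs.sh. Consider testing the root itself, e.g. `[[ "${VAR_DROPBEAR_BUILD_ROOT}" == /opt/.ciss/* ]] || return "${ERR_PATH_NOT_VALID}"`, and declaring it read-only in var/global.var.sh with `declare -grx VAR_DROPBEAR_BUILD_ROOT="/opt/.ciss/build"`, since nothing in this diff reassigns it. The cleaning step that this guard protects is outside the hunk.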
diff --git a/func/cdi_4300_network/4311_dropbear_initramfs.sh b/func/cdi_4300_network/4311_dropbear_initramfs.sh
index adcaa9d..0f48a0e 100644
--- a/func/cdi_4300_network/4311_dropbear_initramfs.sh
+++ b/func/cdi_4300_network/4311_dropbear_initramfs.sh
@@ -15,9 +15,10 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
#######################################
# Install the 'dropbear-initramfs' and replace the binaries with those from the previous Ultra Hardened build.
# Globals:
-# DIR_TMP
# RECOVERY
# TARGET
+# VAR_DROPBEAR_BUILD_ROOT
+# VAR_DROPBEAR_VERSION
# VAR_RUN_RECOVERY
# Arguments:
# None
@@ -27,6 +28,7 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
dropbear_initramfs() {
### Declare Arrays, HashMaps, and Variables.
declare var_file=""
+ declare -r var_build_dir="${VAR_DROPBEAR_BUILD_ROOT}/dropbear-${VAR_DROPBEAR_VERSION}"
declare -r var_logfile="/root/.ciss/cdi/log/4311_dropbear_initramfs.log"
declare var_target="${TARGET}"
@@ -35,6 +37,21 @@ dropbear_initramfs() {
chroot_logger "${var_target}${var_logfile}"
+ case "${var_build_dir}" in
+ "${VAR_DROPBEAR_BUILD_ROOT}"/dropbear-*) ;;
+ *)
+ do_log "error" "file_only" "4311() Refusing unexpected Dropbear build directory: '${var_build_dir}'."
+ return "${ERR_PATH_NOT_VALID}"
+ ;;
+ esac
+
+ for var_file in dropbear dbclient dropbearconvert dropbearkey; do
+ if [[ ! -x "${var_build_dir}/${var_file}" ]]; then
+ do_log "error" "file_only" "4311() Dropbear build artifact missing or not executable: '${var_build_dir}/${var_file}'."
+ return "${ERR_PATH_NOT_VALID}"
+ fi
+ done
+
chroot_script "${var_target}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
@@ -60,14 +77,14 @@ dropbear_initramfs() {
"
mv "${var_target}/usr/sbin/dropbear" "${var_target}/usr/sbin/dropbear.trixie"
- install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/dropbear" "${var_target}/usr/sbin/"
+ install -D -m 0755 -o root -g root "${var_build_dir}/dropbear" "${var_target}/usr/sbin/"
do_log "debug" "file_only" "4311() Installation [dropbear] successful."
for var_file in dbclient dropbearconvert dropbearkey; do
mv "${var_target}/usr/bin/${var_file}" "${var_target}/usr/bin/${var_file}.trixie"
- install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/${var_file}" "${var_target}/usr/bin/"
+ install -D -m 0755 -o root -g root "${var_build_dir}/${var_file}" "${var_target}/usr/bin/"
do_log "debug" "file_only" "4311() Installation [${var_file}] successful."
done
diff --git a/lib/cdi_0000_preliminary/0002_usage.sh b/lib/cdi_0000_preliminary/0002_usage.sh
index 6b3cbe6..e951b18 100644
--- a/lib/cdi_0000_preliminary/0002_usage.sh
+++ b/lib/cdi_0000_preliminary/0002_usage.sh
@@ -37,9 +37,9 @@ usage() {
declare var_cols=$(tput cols 2> /dev/null || echo 80)
# shellcheck disable=SC2155
- declare var_header=$(center "V9.14.000.2026.06.07 CISS.debian.installer" "${var_cols}")
+ declare var_header=$(center "V9.14.002.2026.06.08 CISS.debian.installer" "${var_cols}")
# shellcheck disable=SC2155
- declare var_footer=$(center "V9.14.000.2026.06.07 CISS.debian.installer" "${var_cols}")
+ declare var_footer=$(center "V9.14.002.2026.06.08 CISS.debian.installer" "${var_cols}")
{
echo -e "\e[97m${var_header} \e[0m"
@@ -48,8 +48,8 @@ usage() {
echo -e "\e[92m${VAR_VERSION} \e[0m"
echo -e "\e[92mA powerful Debian installer for setting up a hardened Debian environment. \e[0m"
echo
- echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
- echo -e "\e[97m(p) Centurion Press, 2024 - 2025 \e[0m"
+ echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2026 \e[0m"
+ echo -e "\e[97m(p) Centurion Press, 2024 - 2026 \e[0m"
echo
echo -e "\e[91mUse only in trusted, non-production environments unless code audited! \e[0m"
echo
@@ -75,6 +75,12 @@ usage() {
echo " - /tmp/.ciss/log/ciss_debian_installer_$$_trace.log"
echo " - /tmp/.ciss/log/ciss_debian_installer_$$_var.log"
echo
+ echo -e "\e[97m --dropbear-version . \e[0m"
+ echo " Set the Dropbear source version used for the hardened Dropbear build."
+ echo " Also accepts '--dropbear-version=.'."
+ echo " Example: --dropbear-version 2026.91"
+ echo " Defaults to '${VAR_DROPBEAR_VERSION:-2026.91}'."
+ echo
echo -e "\e[97m --log, -l \e[0m"
echo " This changes the default log level from 'info' to one of the following values:"
echo " debug"
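Review bot: The fallback literal in `'${VAR_DROPBEAR_VERSION:-2026.91}'` is a second copy of the default assigned in var/global.var.sh, and docs/DOCUMENTATION.md carries a third, so the help text can go stale when the default moves. Because the line prints the variable's current value, it would presumably also report a version given earlier on the command line as the default. A comment above the line would at least flag the coupling: `# Default is defined in var/global.var.sh; keep this fallback literal in sync.` The rest of `usage()` is outside this hunk.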
diff --git a/lib/cdi_0000_preliminary/README.md b/lib/cdi_0000_preliminary/README.md
index 24330d3..e0586ac 100644
--- a/lib/cdi_0000_preliminary/README.md
+++ b/lib/cdi_0000_preliminary/README.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Preliminary Components – `cdi_0000_preliminary`
diff --git a/lib/cdi_0005_guard/README.md b/lib/cdi_0005_guard/README.md
index 6df8925..9c96928 100644
--- a/lib/cdi_0005_guard/README.md
+++ b/lib/cdi_0005_guard/README.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. Guarding and Safe Execution – `cdi_0005_guard`
diff --git a/lib/cdi_0100_arg/0100_arg_mismatch.sh b/lib/cdi_0100_arg/0100_arg_mismatch.sh
index 1384c20..0baeec4 100644
--- a/lib/cdi_0100_arg/0100_arg_mismatch.sh
+++ b/lib/cdi_0100_arg/0100_arg_mismatch.sh
@@ -23,17 +23,21 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
# VAR_IN_DIALOG_WR
# Arguments:
# 1: Message to be printed.
+# 2: Optional exit code.
#######################################
arg_mismatch() {
+ declare -i err_code="${2:-${ERR_ARG_MISMATCH}}"
+
### Call cleaner if and only if not in auto-install mode.
if [[ "${VAR_AUTO_INSTALL}" == "false" ]]; then
### Dynamically select the cleaner based on the dialog wrapper type.
+ # shellcheck disable=SC2249
case "${VAR_IN_DIALOG_WR}" in
box|gauge) "dialog_${VAR_IN_DIALOG_WR}_cleaner" ;;
esac
fi
printf "%b❌ Error: '%s'. %b%b" "${RED}" "${1}" "${RES}" "${NL}" >&2
- read -pr $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
- exit "${ERR_ARG_MISMATCH}"
+ read -rp $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+ exit "${err_code}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
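Review bot: `declare -i err_code="${2:-${ERR_ARG_MISMATCH}}"` evaluates its value arithmetically, so a non-numeric second argument typically collapses to 0 and the script would leave this error path with a success status. A range check directly after the declaration keeps the safe fallback: `(( err_code >= 1 && err_code <= 255 )) || err_code="${ERR_ARG_MISMATCH}"`. The new local also departs from the `var_` prefix used for locals elsewhere in this diff (`var_file`, `var_build_dir`).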
diff --git a/lib/cdi_0100_arg/0102_arg_parser.sh b/lib/cdi_0100_arg/0102_arg_parser.sh
index 4791a6c..3b2bce0 100644
--- a/lib/cdi_0100_arg/0102_arg_parser.sh
+++ b/lib/cdi_0100_arg/0102_arg_parser.sh
@@ -17,6 +17,7 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
# Globals:
# VAR_DEFAULT_LOG_LEVEL
# VAR_AUTO_INSTALL
+# VAR_DROPBEAR_VERSION
# VAR_IN_DIALOG_WR
# VAR_PRIORITY
# VAR_REIONICE_CLASS
@@ -51,6 +52,24 @@ arg_parser() {
shift 1
;;
+ --dropbear-version)
+ if [[ -n "${2-}" && "${2}" =~ ^[0-9]{4}\.[0-9]+$ ]]; then
+ declare -gx VAR_DROPBEAR_VERSION="${2}"
+ shift 2
+ else
+ arg_mismatch "--dropbear-version MUST match .." "${ERR_DROPBEAR_V}"
+ fi
+ ;;
+
+ --dropbear-version=*)
+ if [[ "${argument#*=}" =~ ^[0-9]{4}\.[0-9]+$ ]]; then
+ declare -gx VAR_DROPBEAR_VERSION="${argument#*=}"
+ shift 1
+ else
+ arg_mismatch "--dropbear-version MUST match .." "${ERR_DROPBEAR_V}"
+ fi
+ ;;
+
-l | --log)
case "${2,,}" in
debug|info|notice|warn|error|critical|fatal|emergency) declare -gx VAR_DEFAULT_LOG_LEVEL="$2"; shift 2 ;;
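Review bot: Both new branches check only the shape of the value (`^[0-9]{4}\.[0-9]+$`), so any older Dropbear release whose tarball is present would be accepted for the hardened build; if only vetted releases should be buildable, an allow-list or a minimum version is needed on top of the pattern. The pattern and the `arg_mismatch` call are also duplicated across the two forms; one local such as `declare -r var_re='^[0-9]{4}\.[0-9]+$'` used as `[[ "${2-}" =~ ${var_re} ]]` keeps them from drifting apart, and makes the `-n` test redundant because the pattern cannot match an empty string. The enclosing `case` statement and the definition of `argument` are outside this hunk.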
diff --git a/var/README/README_BASH_VAR.md b/var/README/README_BASH_VAR.md
index f83edac..198fa34 100644
--- a/var/README/README_BASH_VAR.md
+++ b/var/README/README_BASH_VAR.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*The CISS Debian Installer provides a fully automated and hardened installation process.*
**Master Version**: 9.00
-**Build**: V9.14.000.2026.06.07
+**Build**: V9.14.002.2026.06.08
# 2. [bash.var.sh](../bash.var.sh)
This module establishes the global execution profile for all modules of the `CISS.debian.installer`. It is sourced at the very
diff --git a/var/early.var.sh b/var/early.var.sh
index 6fe4a27..debe9e6 100644
--- a/var/early.var.sh
+++ b/var/early.var.sh
@@ -24,7 +24,7 @@ declare -grx VAR_BASH_VER="$(bash --version | head -n1 | awk '{
declare -grx VAR_CONTACT="security@coresecret.eu"
# shellcheck disable=SC2155
declare -grx VAR_DS_VER="$(debootstrap --version)"
-declare -grx VAR_VERSION="Master V9.14.000.2026.06.07"
+declare -grx VAR_VERSION="Master V9.14.002.2026.06.08"
# shellcheck disable=SC2155
declare -grx VAR_SYSTEM="$(uname -mnosv)"
declare -gx VAR_ARG_SANITIZED=""
diff --git a/var/errors.var.sh b/var/errors.var.sh
index 7fc4052..e5c18e3 100644
--- a/var/errors.var.sh
+++ b/var/errors.var.sh
@@ -42,10 +42,10 @@ declare -girx ERR_MOUNTING_LUKS=231 # The LUKS Volume could not be mounted.
declare -girx ERR_UNKNOWN_DEV=230 # Unknown Device Path.
declare -girx ERR_DEBOOTSTRAP=229 # Failure occurred on the debootstrap.
declare -girx ERR_CHRT_MOUNTS=228 # Failure occurred while mounting system devices.
-declare -girx ERR_CHRT_COMMAND=227 # Failure occurred while executing chroot environment command.
+declare -girx ERR_CHRT_COMMAND=227 # Failure occurred while executing the chroot environment command.
declare -girx ERR_GRUB_INSTALL=226 # Error while installing Grub on the specified device.
declare -girx ERR_GRUB_BACKGROUND=225 # Failure occurred on setting up the GRUB-background.
-declare -girx ERR_GRUB_ARCHITECTURE=224 # Architecture is not supported by Grub.
+declare -girx ERR_GRUB_ARCHITECTURE=224 # Grub does not support architecture.
declare -girx ERR_PATH_NOT_VALID=223 # A specific path is not existing.
declare -girx ERR_READ_NUKE_FILE=222 # Error reading the Luks Nuke password file.
declare -girx ERR_READ_GRUB_FILE=221 # Error reading the Grub password file.
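Review bot: The reworded comment on `ERR_GRUB_ARCHITECTURE`, `# Grub does not support architecture.`, dropped its article and now reads as a general statement about Grub rather than about the detected architecture. `# Grub does not support this architecture.` keeps the meaning of the line it replaces.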
@@ -60,6 +60,7 @@ declare -girx ERR_VERIFY_LOGROTATE=213 # Error verification by 'logrotate'.
declare -girx ERR_READ_AUTH_FILE=212 # Error reading the Luks Backup auth token file.
declare -girx ERR_ACCOUNT_CREATE=211 # Error creating user accounts.
declare -girx ERR_LUKS_HEADER_ENC=210 # Error encrypting LUKS Header backup.
+declare -girx ERR_DROPBEAR_V=209 # Invalid Dropbear version argument.
declare -girx ERR_DECRYPTION_SOPS=132 # An error occurred while decrypting SECRETS.yaml.
declare -girx ERR_MISSING_AGE_BIN=130 # SOPS binary for decryption SECRETS.yaml missing.
declare -girx ERR_MISSING_AGE_KEY=129 # AGE key for decryption SECRETS.yaml values missing.
diff --git a/var/global.var.sh b/var/global.var.sh
index 47fc59b..f9bdae6 100644
--- a/var/global.var.sh
+++ b/var/global.var.sh
@@ -87,6 +87,8 @@ declare -gx VAR_GRUB_PASSWORD="false"
### 4310_dropbear_build.sh
declare -gx VAR_DROPBEAR=""
+declare -gx VAR_DROPBEAR_VERSION="2026.91"
+declare -gx VAR_DROPBEAR_BUILD_ROOT="/opt/.ciss/build"
### 4330_installation_ssh.sh
declare -gx VAR_SSH_PORT=""