V9.14.002.2026.06.08

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-08 15:21:48 +01:00
parent 830aa1afa7
commit 925cdae81c
38 changed files with 114 additions and 58 deletions
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./setup.sh -v`."
-      placeholder: "e.g., Master V9.14.000.2026.06.07"
+      placeholder: "e.g., Master V9.14.002.2026.06.08"
    validations:
      required: true

@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V9.14.000.2026.06.07
+  version: V9.14.002.2026.06.08
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V9.14.000.2026.06.07
+### Version Master V9.14.002.2026.06.08

 # Gitea Workflow: Shell-Script Linting
 #
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V9.14.000.2026.06.07
+### Version Master V9.14.002.2026.06.08

 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V9.14.000.2026.06.07
+### Version Master V9.14.002.2026.06.08

 name: 🔁 Render Graphviz Diagrams.

@@ -11,7 +11,7 @@
 #
 #
 # This file contains all required Secrets, Tokens and Public and Private Keys for the CISS.debian.installer
-# Master V9.14.000.2026.06.07
+# Master V9.14.002.2026.06.08
 # YAML specification: 1.2
 #
 secrets:
@@ -19,7 +19,7 @@ secrets:
  created_at: "2025-10-23"
  created_for: "host_domain_tld"
  name: "CISS.debian.installer"
-  version: "V9.14.000.2026.06.07"
+  version: "V9.14.002.2026.06.08"
  x_files: "false"
  ################################################################################################################################
  # Grub bootloader passphrase
@@ -11,7 +11,7 @@
 %YAML 1.2
 ---
 # This file contains configurations for the CISS.debian.installer
-# Master V9.14.000.2026.06.07
+# Master V9.14.002.2026.06.08
 # YAML specification: 1.2
 #
 preseed:
@@ -19,7 +19,7 @@ preseed:
  created_at: "2025-10-23"
  created_for: "host_domain_tld"
  name: "CISS.debian.installer"
-  version: "V9.14.000.2026.06.07"
+  version: "V9.14.002.2026.06.08"
 #
 ################################################################################################################################
 # APT settings
@@ -28,7 +28,7 @@ apt:
  contrib: true                # Optionally, install contrib software.
  deb_sources: true            # Optionally includes deb-src entries for source repositories.
  default_list: false          # By default, source repositories are listed in '/etc/apt/sources.list'.
-  default_deb822: true         # Since Trixie, source repositories are listed in '/etc/apt/sources.list.d/' in deb.822 format.
+  default_deb822: true         # Since Trixie, source repositories have been listed in '/etc/apt/sources.list.d/' in deb.822 format.
  full_upgrade: true           # Whether to upgrade packages after debootstrap.
  install_recommends: true     # Configure APT to not install recommended packages by default.
  non_free: true               # Optionally, install non-free software.
@@ -156,7 +156,7 @@ grub_parameter:
  - "debugfs=off"

  ##############################################################################################################################
-  # Disable the busmaster bit on all PCI bridges during very early boot to avoid holes in IOMMU.
+  # Disable the bus master bit on all PCI bridges during very early boot to avoid holes in IOMMU.
  # https://mjg59.dreamwidth.org/54433.html
  # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
  ##############################################################################################################################
@@ -262,7 +262,7 @@ grub_parameter:
  ##############################################################################################################################
  # All Kernel Messages with a loglevel smaller than the console loglevel will be printed to the console. It can also be
  # changed with 'klogd' or other programs. The log levels are defined as follows:
-  # 0 (KERN_EMERG)          system is unusable
+  # 0 (KERN_EMERG)          the system is unusable
  # 1 (KERN_ALERT)          action must be taken immediately
  # 2 (KERN_CRIT)           critical conditions
  # 3 (KERN_ERR)            error conditions
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.installer"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V9.14.000.2026.06.07"
+properties_version="V9.14.002.2026.06.08"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-06-17T12:00:00Z
 Package: CISS.debian.installer
 PackageName: CISS.debian.installer
-PackageVersion: Master V9.14.000.2026.06.07
+PackageVersion: Master V9.14.002.2026.06.08
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.installer
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.installer
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.000.2026.06.07-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.installer)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.002.2026.06.08-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.installer)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -27,7 +27,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
 **Master Version**: 9.00<br>
-**Build**: V9.14.000.2026.06.07<br>
+**Build**: V9.14.002.2026.06.08<br>

 This is a digitally signed, self-verifying shell script for installing a hardened Debian Bookworm server environment, based on 
 the latest server and service hardening best practices. Compared to the original Debian installer, this installer offers much 
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
 **Master Version**: 9.00<br>
-**Build**: V9.14.000.2026.06.07<br>
+**Build**: V9.14.002.2026.06.08<br>

 # 2. DNSSEC Status

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
 **Master Version**: 9.00<br>
-**Build**: V9.14.000.2026.06.07<br>
+**Build**: V9.14.002.2026.06.08<br>

 # 2. TLS Audit:

@@ -8,11 +8,11 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
 **Master Version**: 9.00<br>
-**Build**: V9.14.000.2026.06.07<br>
+**Build**: V9.14.002.2026.06.08<br>

 # 2. Changelog

-## V9.14.000.2026.06.07
+## V9.14.002.2026.06.08

 * Initial Release

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
 **Master Version**: 9.00<br>
-**Build**: V9.14.000.2026.06.07<br>
+**Build**: V9.14.002.2026.06.08<br>

 # 2. Centurion Net - Developer Branch Overview

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
 **Master Version**: 9.00<br>
-**Build**: V9.14.000.2026.06.07<br>
+**Build**: V9.14.002.2026.06.08<br>

 # 2. Purpose

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
 **Master Version**: 9.00<br>
-**Build**: V9.14.000.2026.06.07<br>
+**Build**: V9.14.002.2026.06.08<br>

 # 2. Contributing / participating

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
 **Master Version**: 9.00<br>
-**Build**: V9.14.000.2026.06.07<br>
+**Build**: V9.14.002.2026.06.08<br>

 # 2. Credits

@@ -8,15 +8,15 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
 **Master Version**: 9.00<br>
-**Build**: V9.14.000.2026.06.07<br>
+**Build**: V9.14.002.2026.06.08<br>

 # 2. Usage
 ````text
 CISS.debian.installer
-Master V9.14.000.2026.06.07
+Master V9.14.002.2026.06.08

-(c) Marc S. Weidner, 2018 - 2025
-(p) Centurion Press, 2024 - 2025
+(c) Marc S. Weidner, 2018 - 2026
+(p) Centurion Press, 2024 - 2026

 https://coresecret.eu/

@@ -34,6 +34,11 @@ A powerful Debian installer for setting up a hardened Debian environment.
    Enables debug logging for the main program routine. Detailed logging
    information are written to "/tmp/ciss_live_builder_516151.log"

+  --dropbear-version <YYYY>.<NUMBER>
+    Sets the Dropbear source version used for the hardened Dropbear build.
+    Also accepts "--dropbear-version=<YYYY>.<NUMBER>".
+    Defaults to "2026.91".
+
  --renice-priority <PRIORITY>
    Reset the nice priority value of the script and all its children
    to the desired PRIORITY. MUST be an integer (between "-19" and 19).
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
 **Master Version**: 9.00<br>
-**Build**: V9.14.000.2026.06.07<br>
+**Build**: V9.14.002.2026.06.08<br>

 # 2. ToC

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
 **Master Version**: 9.00<br>
-**Build**: V9.14.000.2026.06.07<br>
+**Build**: V9.14.002.2026.06.08<br>

 # 2. Resources

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
 **Master Version**: 9.00<br>
-**Build**: V9.14.000.2026.06.07<br>
+**Build**: V9.14.002.2026.06.08<br>

 # 2. Hardened Kernel Boot Parameters

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
 **Master Version**: 9.00<br>
-**Build**: V9.14.000.2026.06.07<br>
+**Build**: V9.14.002.2026.06.08<br>


 # 2. Debugging and Tracing Infrastructure
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
 **Master Version**: 9.00<br>
-**Build**: V9.14.000.2026.06.07<br>
+**Build**: V9.14.002.2026.06.08<br>

 # 2. Global Environment and Error Handling in CISS.debian.installer

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
 **Master Version**: 9.00<br>
-**Build**: V9.14.000.2026.06.07<br>
+**Build**: V9.14.002.2026.06.08<br>

 # 2. Git Workflow Linter — Character Set Policy Enforcement

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
 **Master Version**: 9.00<br>
-**Build**: V9.14.000.2026.06.07<br>
+**Build**: V9.14.002.2026.06.08<br>

 # 2. Interplay Between Global Hardening Settings and TRAP Mechanisms

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
 **Master Version**: 9.00<br>
-**Build**: V9.14.000.2026.06.07<br>
+**Build**: V9.14.002.2026.06.08<br>

 # 2. [1080_helper_chroot.sh](../1080_helper_chroot.sh)
 **Scope:** This note explains *what to use when* among
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
 **Master Version**: 9.00<br>
-**Build**: V9.14.000.2026.06.07<br>
+**Build**: V9.14.002.2026.06.08<br>

 # 2. [4000_debootstrap.sh](../4000_debootstrap.sh)
 This module provisions a minimal Debian userspace into the installers target root (`$TARGET`) using `debootstrap`.
@@ -15,7 +15,10 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Build Ultra Hardened dropbear from sources.
 # Globals:
+#   PATH
 #   TARGET
+#   VAR_DROPBEAR_BUILD_ROOT
+#   VAR_DROPBEAR_VERSION
 #   VAR_SETUP_PATH
 # Arguments:
 #   None
@@ -27,10 +30,9 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 dropbear_build() {
  ### Declare Arrays, HashMaps, and Variables.
-  declare     var_dropbear_version="2026.91"
-  declare     var_tar="${VAR_SETUP_PATH}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
-  declare     var_build_root="/opt/.ciss/build"
-  declare     var_build_dir="${var_build_root}/dropbear-${var_dropbear_version}"
+  declare -r  var_tar="${VAR_SETUP_PATH}/upgrades/dropbear/dropbear-${VAR_DROPBEAR_VERSION}.tar.bz2"
+  declare -r  var_build_root="${VAR_DROPBEAR_BUILD_ROOT}"
+  declare -r  var_build_dir="${var_build_root}/dropbear-${VAR_DROPBEAR_VERSION}"
  declare -r  var_logfile="/root/.ciss/cdi/log/4310_dropbear_build.log"
  declare -r  var_build_log="${TARGET}${var_logfile}"
  declare -r  var_build_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
@@ -49,7 +51,7 @@ dropbear_build() {
  fi

  case "${var_build_dir}" in
-    /opt/.ciss/build/dropbear-*) ;;
+    "${VAR_DROPBEAR_BUILD_ROOT}"/dropbear-*) ;;
    *)
      do_log "error" "file_only" "4310() Refusing to clean unexpected Dropbear build directory: '${var_build_dir}'."
      return "${ERR_PATH_NOT_VALID}"
@@ -15,9 +15,10 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Install the 'dropbear-initramfs' and replace the binaries with those from the previous Ultra Hardened build.
 # Globals:
-#   DIR_TMP
 #   RECOVERY
 #   TARGET
+#   VAR_DROPBEAR_BUILD_ROOT
+#   VAR_DROPBEAR_VERSION
 #   VAR_RUN_RECOVERY
 # Arguments:
 #   None
@@ -27,6 +28,7 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
 dropbear_initramfs() {
  ### Declare Arrays, HashMaps, and Variables.
  declare     var_file=""
+  declare -r  var_build_dir="${VAR_DROPBEAR_BUILD_ROOT}/dropbear-${VAR_DROPBEAR_VERSION}"
  declare -r  var_logfile="/root/.ciss/cdi/log/4311_dropbear_initramfs.log"
  declare     var_target="${TARGET}"

@@ -35,6 +37,21 @@ dropbear_initramfs() {

  chroot_logger "${var_target}${var_logfile}"

+  case "${var_build_dir}" in
+    "${VAR_DROPBEAR_BUILD_ROOT}"/dropbear-*) ;;
+    *)
+      do_log "error" "file_only" "4311() Refusing unexpected Dropbear build directory: '${var_build_dir}'."
+      return "${ERR_PATH_NOT_VALID}"
+      ;;
+  esac
+
+  for var_file in dropbear dbclient dropbearconvert dropbearkey; do
+    if [[ ! -x "${var_build_dir}/${var_file}" ]]; then
+      do_log "error" "file_only" "4311() Dropbear build artifact missing or not executable: '${var_build_dir}/${var_file}'."
+      return "${ERR_PATH_NOT_VALID}"
+    fi
+  done
+
  chroot_script "${var_target}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
@@ -60,14 +77,14 @@ dropbear_initramfs() {
  "

  mv "${var_target}/usr/sbin/dropbear" "${var_target}/usr/sbin/dropbear.trixie"
-  install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/dropbear" "${var_target}/usr/sbin/"
+  install -D -m 0755 -o root -g root "${var_build_dir}/dropbear" "${var_target}/usr/sbin/"
  do_log "debug" "file_only" "4311() Installation [dropbear] successful."


  for var_file in dbclient dropbearconvert dropbearkey; do

    mv "${var_target}/usr/bin/${var_file}" "${var_target}/usr/bin/${var_file}.trixie"
-    install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/${var_file}" "${var_target}/usr/bin/"
+    install -D -m 0755 -o root -g root "${var_build_dir}/${var_file}" "${var_target}/usr/bin/"
    do_log "debug" "file_only" "4311() Installation [${var_file}] successful."

  done
@@ -37,9 +37,9 @@ usage() {
  declare var_cols=$(tput cols 2> /dev/null || echo 80)

  # shellcheck disable=SC2155
-  declare var_header=$(center "V9.14.000.2026.06.07                                          CISS.debian.installer" "${var_cols}")
+  declare var_header=$(center "V9.14.002.2026.06.08                                          CISS.debian.installer" "${var_cols}")
  # shellcheck disable=SC2155
-  declare var_footer=$(center "V9.14.000.2026.06.07                                          CISS.debian.installer" "${var_cols}")
+  declare var_footer=$(center "V9.14.002.2026.06.08                                          CISS.debian.installer" "${var_cols}")

  {
    echo -e "\e[97m${var_header} \e[0m"
@@ -48,8 +48,8 @@ usage() {
    echo -e "\e[92m${VAR_VERSION} \e[0m"
    echo -e "\e[92mA powerful Debian installer for setting up a hardened Debian environment. \e[0m"
    echo
-    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
-    echo -e "\e[97m(p) Centurion Press, 2024 - 2025 \e[0m"
+    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2026 \e[0m"
+    echo -e "\e[97m(p) Centurion Press, 2024 - 2026 \e[0m"
    echo
    echo -e "\e[91mUse only in trusted, non-production environments unless code audited! \e[0m"
    echo
@@ -75,6 +75,12 @@ usage() {
    echo "    - /tmp/.ciss/log/ciss_debian_installer_$$_trace.log"
    echo "    - /tmp/.ciss/log/ciss_debian_installer_$$_var.log"
    echo
+    echo -e "\e[97m  --dropbear-version <YYYY>.<NUMBER> \e[0m"
+    echo "    Set the Dropbear source version used for the hardened Dropbear build."
+    echo "    Also accepts '--dropbear-version=<YYYY>.<NUMBER>'."
+    echo "    Example: --dropbear-version 2026.91"
+    echo "    Defaults to '${VAR_DROPBEAR_VERSION:-2026.91}'."
+    echo
    echo -e "\e[97m  --log, -l <LEVEL> \e[0m"
    echo "    This changes the default log level from 'info' to one of the following values:"
    echo "      debug"
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
 **Master Version**: 9.00<br>
-**Build**: V9.14.000.2026.06.07<br>
+**Build**: V9.14.002.2026.06.08<br>

 # 2. Preliminary Components – `cdi_0000_preliminary`

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
 **Master Version**: 9.00<br>
-**Build**: V9.14.000.2026.06.07<br>
+**Build**: V9.14.002.2026.06.08<br>

 # 2. Guarding and Safe Execution – `cdi_0005_guard`

@@ -23,17 +23,21 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #   VAR_IN_DIALOG_WR
 # Arguments:
 #   1: Message to be printed.
+#   2: Optional exit code.
 #######################################
 arg_mismatch() {
+  declare -i err_code="${2:-${ERR_ARG_MISMATCH}}"
+
  ### Call cleaner if and only if not in auto-install mode.
  if [[ "${VAR_AUTO_INSTALL}" == "false" ]]; then
    ### Dynamically select the cleaner based on the dialog wrapper type.
+    # shellcheck disable=SC2249
    case "${VAR_IN_DIALOG_WR}" in
      box|gauge) "dialog_${VAR_IN_DIALOG_WR}_cleaner" ;;
    esac
  fi
  printf "%b❌ Error: '%s'. %b%b" "${RED}" "${1}" "${RES}" "${NL}" >&2
-  read -pr $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
-  exit "${ERR_ARG_MISMATCH}"
+  read -rp $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+  exit "${err_code}"
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -17,6 +17,7 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
 # Globals:
 #   VAR_DEFAULT_LOG_LEVEL
 #   VAR_AUTO_INSTALL
+#   VAR_DROPBEAR_VERSION
 #   VAR_IN_DIALOG_WR
 #   VAR_PRIORITY
 #   VAR_REIONICE_CLASS
@@ -51,6 +52,24 @@ arg_parser() {
          shift 1
          ;;

+        --dropbear-version)
+          if [[ -n "${2-}" && "${2}" =~ ^[0-9]{4}\.[0-9]+$ ]]; then
+            declare -gx VAR_DROPBEAR_VERSION="${2}"
+            shift 2
+          else
+            arg_mismatch "--dropbear-version MUST match <YYYY>.<NUMBER>." "${ERR_DROPBEAR_V}"
+          fi
+          ;;
+
+        --dropbear-version=*)
+          if [[ "${argument#*=}" =~ ^[0-9]{4}\.[0-9]+$ ]]; then
+            declare -gx VAR_DROPBEAR_VERSION="${argument#*=}"
+            shift 1
+          else
+            arg_mismatch "--dropbear-version MUST match <YYYY>.<NUMBER>." "${ERR_DROPBEAR_V}"
+          fi
+          ;;
+
        -l | --log)
          case "${2,,}" in
            debug|info|notice|warn|error|critical|fatal|emergency) declare -gx VAR_DEFAULT_LOG_LEVEL="$2"; shift 2 ;;
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
 **Master Version**: 9.00<br>
-**Build**: V9.14.000.2026.06.07<br>
+**Build**: V9.14.002.2026.06.08<br>

 # 2. [bash.var.sh](../bash.var.sh)
 This module establishes the global execution profile for all modules of the `CISS.debian.installer`. It is sourced at the very 
@@ -24,7 +24,7 @@ declare -grx VAR_BASH_VER="$(bash --version | head -n1 | awk '{
 declare -grx VAR_CONTACT="security@coresecret.eu"
 # shellcheck disable=SC2155
 declare -grx VAR_DS_VER="$(debootstrap --version)"
-declare -grx VAR_VERSION="Master V9.14.000.2026.06.07"
+declare -grx VAR_VERSION="Master V9.14.002.2026.06.08"
 # shellcheck disable=SC2155
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
 declare -gx VAR_ARG_SANITIZED=""
@@ -42,10 +42,10 @@ declare -girx ERR_MOUNTING_LUKS=231     # The LUKS Volume could not be mounted.
 declare -girx ERR_UNKNOWN_DEV=230       # Unknown Device Path.
 declare -girx ERR_DEBOOTSTRAP=229       # Failure occurred on the debootstrap.
 declare -girx ERR_CHRT_MOUNTS=228       # Failure occurred while mounting system devices.
-declare -girx ERR_CHRT_COMMAND=227      # Failure occurred while executing chroot environment command.
+declare -girx ERR_CHRT_COMMAND=227      # Failure occurred while executing the chroot environment command.
 declare -girx ERR_GRUB_INSTALL=226      # Error while installing Grub on the specified device.
 declare -girx ERR_GRUB_BACKGROUND=225   # Failure occurred on setting up the GRUB-background.
-declare -girx ERR_GRUB_ARCHITECTURE=224 # Architecture is not supported by Grub.
+declare -girx ERR_GRUB_ARCHITECTURE=224 # Grub does not support architecture.
 declare -girx ERR_PATH_NOT_VALID=223    # A specific path is not existing.
 declare -girx ERR_READ_NUKE_FILE=222    # Error reading the Luks Nuke password file.
 declare -girx ERR_READ_GRUB_FILE=221    # Error reading the Grub password file.
@@ -60,6 +60,7 @@ declare -girx ERR_VERIFY_LOGROTATE=213  # Error verification by 'logrotate'.
 declare -girx ERR_READ_AUTH_FILE=212    # Error reading the Luks Backup auth token file.
 declare -girx ERR_ACCOUNT_CREATE=211    # Error creating user accounts.
 declare -girx ERR_LUKS_HEADER_ENC=210   # Error encrypting LUKS Header backup.
+declare -girx ERR_DROPBEAR_V=209        # Invalid Dropbear version argument.
 declare -girx ERR_DECRYPTION_SOPS=132   # An error occurred while decrypting SECRETS.yaml.
 declare -girx ERR_MISSING_AGE_BIN=130   # SOPS binary for decryption SECRETS.yaml missing.
 declare -girx ERR_MISSING_AGE_KEY=129   # AGE key for decryption SECRETS.yaml values missing.
@@ -87,6 +87,8 @@ declare -gx VAR_GRUB_PASSWORD="false"

 ### 4310_dropbear_build.sh
 declare -gx VAR_DROPBEAR=""
+declare -gx VAR_DROPBEAR_VERSION="2026.91"
+declare -gx VAR_DROPBEAR_BUILD_ROOT="/opt/.ciss/build"

 ### 4330_installation_ssh.sh
 declare -gx VAR_SSH_PORT=""