V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-24 10:57:49 +01:00
parent fd60deb5b9
commit dcd3680077
138 changed files with 398 additions and 168 deletions
--- a/.archive/4620_installation_verification.sh
+++ b/.archive/4620_installation_verification.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 ### https://github.com/linux-audit/audit-userspace/tree/master/rules

--- a/.preseed/SECRETS.yaml
+++ b/.preseed/SECRETS.yaml
@@ -8,12 +8,12 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-%YAML 1.2
---
-### This file contains all required Secrets, Tokens and Public and Private Keys for the CISS.debian.installer
-### Master V8.00.000.2025.06.17
-### YAML specification: 1.2
-
+#
+#
+# This file contains all required Secrets, Tokens and Public and Private Keys for the CISS.debian.installer
+# Master V8.00.000.2025.06.17
+# YAML specification: 1.2
+#
 secrets:
  description: "Secrets for automated installation of encrypted systems on this host via primordial-workflow™."
  created_at: "2025-10-23"
@@ -21,7 +21,7 @@ secrets:
  name: "CISS.debian.installer"
  version: "V8.00.000.2025.06.17"
  x_files: "false"
-
+  x_files_key: "marc_s_weidner_msw@coresecret.dev_AGE_PRIVKEY"
  ################################################################################################################################
  # Grub bootloader passphrase
  ################################################################################################################################
@@ -30,7 +30,6 @@ secrets:
    scope: "grub"
    type: "plain"
    value: "PleASE_CHan3e_M!"
-
  ################################################################################################################################
  # LUKS and LUKS Nuke passphrase
  ################################################################################################################################
@@ -55,7 +54,6 @@ secrets:
      scope: "luks"
      type: "plain"
      value: "THIS_IS_THE_NUKE_PASSWORD!"
-
  ################################################################################################################################
  # TOTP MFA seed and salt and other seed variables
  ################################################################################################################################
@@ -76,7 +74,6 @@ secrets:
        scope: "mfa"
        type: "plain"
        value: "7cad63da408c27b5121c89cdd0cf878b8f8df1f34bcc0a944152261ee1481fda"
-
  ################################################################################################################################
  # User passwords and SSH keys
  ################################################################################################################################
@@ -114,5 +111,4 @@ secrets:
        scope: "auth"
        type: "sshpubkey"
        value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
-
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.preseed/preseed.yaml
+++ b/.preseed/preseed.yaml
@@ -10,9 +10,9 @@
 # SPDX-Security-Contact: security@coresecret.eu
 %YAML 1.2
 ---
-### This file contains configurations for the CISS.debian.installer
-### Master V8.00.000.2025.06.17
-### YAML specification: 1.2
+# This file contains configurations for the CISS.debian.installer
+# Master V8.00.000.2025.06.17
+# YAML specification: 1.2

 preseed:
  description: "Configuration values for automated installation of encrypted systems on this host via primordial-workflow™."
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -10,9 +10,10 @@
 # SPDX-Security-Contact: security@coresecret.eu
 %YAML 1.2
 ---
-
 creation_rules:
-  - path_regex: '^\.preseed/SECRETS\.ya?ml$'
+  - path_regex: '(^|.*/)\.preseed/SECRETS\.ya?ml$'
    encrypted_regex: '^value$'
-
+stores:
+  yaml:
+    indent: 2
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/ciss_debian_installer.sh
+++ b/ciss_debian_installer.sh
@@ -112,8 +112,8 @@ for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./meta_loader_cuv.sh; usa
 # shellcheck disable=SC2249
 for arg in "$@"; do case "${arg,,}" in -v|--version) . ./meta_loader_cuv.sh; version; exit 0;; esac; done

-### SOURCING MUST SET EARLY VARIABLES. SOURCING COLOR_ECHO(), GUARD_SOURCING(), AND SOURCE_GUARD().
-. ./lib/cdi_0005_guard/0005_guard_sourcing.sh # The function guard_sourcing MUST be present in each file to source.
+### SOURCING MUST SET EARLY VARIABLES. SOURCING COLOR_ECHO(), guard_sourcing || return "${ERR_GUARD_SOURCE}"(), AND SOURCE_GUARD().
+. ./lib/cdi_0005_guard/0005_guard_sourcing.sh # The function guard_sourcing || return "${ERR_GUARD_SOURCE}" MUST be present in each file to source.
 . ./lib/cdi_0005_guard/0006_source_guard.sh   # Wrapper for sourcing modules, libraries, variables.
 source_guard "./var/color.var.sh"
 source_guard "./var/early.var.sh"
@@ -213,6 +213,9 @@ yaml_reader
 info_echo "1252_yaml_validator.sh"
 yaml_validator

+#info_echo "1256_secret_parser.sh"
+#yaml_validator
+

 ### CDI_3200
 info_echo "3200_partitioning.sh"
--- a/func/cdi_1000_helper/1030_check_nic.sh
+++ b/func/cdi_1000_helper/1030_check_nic.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Specify the network interface card (NIC) interactively for setup.
--- a/func/cdi_1000_helper/1080_helper_chroot.sh
+++ b/func/cdi_1000_helper/1080_helper_chroot.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Use chroot_exec() for:
--- a/func/cdi_1000_helper/1081_helper_grub.sh
+++ b/func/cdi_1000_helper/1081_helper_grub.sh
@@ -13,7 +13,7 @@
 ### Options in "GRUB_CMDLINE_LINUX" are always effective.
 ### Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Helper module to extract the current GRUB CMDLINE strings.
--- a/func/cdi_1000_helper/1082_helper_modules.sh
+++ b/func/cdi_1000_helper/1082_helper_modules.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Wrapper for preparing logfile inside chroot.
--- a/func/cdi_1000_helper/1084_helper_sanitizer.sh
+++ b/func/cdi_1000_helper/1084_helper_sanitizer.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Remove any leading or trailing whitespace.
--- a/func/cdi_1000_helper/1085_helper_secure_dl.sh
+++ b/func/cdi_1000_helper/1085_helper_secure_dl.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Wrapper for secure curl.
--- a/func/cdi_1000_helper/1086_helper_yaml.sh
+++ b/func/cdi_1000_helper/1086_helper_yaml.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # yq_val <YQ expression> <file> - Returns value, converts null to "".
--- a/func/cdi_1200_validation/1220_validation_element.sh
+++ b/func/cdi_1200_validation/1220_validation_element.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Checks if a search pattern / string / value is present in an array.
--- a/func/cdi_1200_validation/1221_validation_ip.sh
+++ b/func/cdi_1200_validation/1221_validation_ip.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # IPv4 validation.
--- a/func/cdi_1200_validation/1222_validation_preseed.sh
+++ b/func/cdi_1200_validation/1222_validation_preseed.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Validate all preseed network variables (IPv4 & IPv6)
--- a/func/cdi_1250_yaml/1250_yaml_parser.sh
+++ b/func/cdi_1250_yaml/1250_yaml_parser.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Parsing './.preseed/preseed.yaml' and './.preseed/partitioning.yaml'.
--- a/func/cdi_1250_yaml/1251_yaml_reader.sh
+++ b/func/cdi_1250_yaml/1251_yaml_reader.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Reading and extracting variables from "${PRESEED}".
--- a/func/cdi_1250_yaml/1252_yaml_validator.sh
+++ b/func/cdi_1250_yaml/1252_yaml_validator.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Extended dynamic network variable checks and declarations depending on preseed.yaml.
--- a/func/cdi_1250_yaml/1256_secret_parser.sh
+++ b/func/cdi_1250_yaml/1256_secret_parser.sh
@@ -0,0 +1,214 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing || return "${ERR_GUARD_SOURCE}" || return "${ERR_GUARD_SOURCE}"
+
+#######################################
+# Debug helper: list variable names (no values).
+# Globals:
+#   CISS_SECRETS_MAP
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+ciss_secrets_list_names() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_k=""
+
+  for var_k in "${!CISS_SECRETS_MAP[@]}"; do
+
+    printf '%s.value -> %s\n' "${var_k}" "${CISS_SECRETS_MAP[${var_k}]}"
+
+  done
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f ciss_secrets_list_names
+
+#######################################
+# Unset all previously created secret variables.
+# Globals:
+#   CISS_SECRETS_MAP
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+ciss_secrets_unset() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_k="" var_v=""
+
+  guard_trace on
+
+  for var_k in "${!CISS_SECRETS_MAP[@]}"; do
+
+    var_v="${CISS_SECRETS_MAP[${var_k}]}"
+
+    if [[ -v "${var_v}" ]]; then
+
+      unset -v "${var_v}" 2>/dev/null || true
+
+    fi
+
+  done
+
+  CISS_SECRETS_MAP=()
+
+  guard_trace off
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f ciss_secrets_unset
+
+#######################################
+# Build the canonical var name from a dotted path (without 'secrets.' and without '.value').
+# Globals:
+#   None
+# Arguments:
+#   1: Variable path
+# Returns:
+#   0: on success
+#######################################
+ciss_secret_varname_from_path() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_path="${1:-}"
+
+  var_path="${var_path//./_}"
+  var_path="${var_path//-/_}"
+  var_path="${var_path//\//_}"
+  var_path="${var_path// /_}"
+  var_path="${var_path^^}"
+
+  printf 'CISS_SECRET_%s' "${var_path}"
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f ciss_secret_varname_from_path
+
+#######################################
+# Purpose:
+#   High-performance parsing of only "*.value" keys from 'SECRETS.yaml' into Bash globals.
+#   If the file contains SOPS markers, decrypt once (streaming) with sops/age, then yq parses in a single pass.
+#   No base64, plain values preserved (including newlines). No repeated per-key decrypts or yq calls.
+# Conventions:
+#   Variables: CISS_SECRET_<UPPER_SNAKE_CASE_PATH> (PATH excludes "secrets." and trailing ".value")
+#   All with "declare -g" (no export).
+#   Mapping: CISS_SECRETS_MAP["foo.bar"]=CISS_SECRET_FOO_BAR
+# Security:
+#   No logging of values. No plaintext temp files. Streaming pipeline; no full-doc materialization.
+# Globals:
+#   CISS_SECRETS_MAP
+#   CISS_SECRETS_SOURCE
+#   DIR_CNF
+#   ERR_MISSING_AGE_KEY
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+yaml_secret() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     secrets_encrypted="" secrets_privkey="" secrets_yaml="${CISS_SECRETS_SOURCE}" \
+              __path="" __path_wo_prefix="" __pipe_fd="" __umask="" __value="" __varname="" __yq_expr=""
+
+  secrets_encrypted="$(yq -r '.secrets.x_files // false' -- "${secrets_yaml}")" || secrets_encrypted="false"
+
+  if [[ "${secrets_encrypted}" == "true" ]]; then
+
+    if ! command -v sops >/dev/null 2>&1; then
+
+      do_log "fatal" "file_only" "1260() SOPS not found but SECRETS.yaml appears to be SOPS-managed."
+      return "${ERR_MISSING_AGE_KEY}"
+
+    fi
+
+    secrets_privkey="$(yq -r '.secrets.x_files_key // ""' -- "${secrets_yaml}")" || secrets_privkey=""
+
+    [[ -z "${secrets_privkey}" ]] && return "${ERR_MISSING_AGE_KEY}"
+
+    secrets_privkey="${DIR_CNF}/${secrets_privkey}"
+
+  fi
+
+  __umask=$(umask)
+  umask 0077
+
+  ### Build a single streaming producer: (sops -d |) yq -rj '...'
+  ### yq emits: <path_wo_value>\0<plain_value>\0 -> for each secret.
+  ### No newlines between results (-j), only NUL (\u0000) separators -> robust with arbitrary value content.
+  # shellcheck disable=SC2016
+  __yq_expr='
+    paths(scalars) as $p
+    | select($p[0] == "secrets" and $p[-1] == "value")
+    | ($p[0:-1] | join("."))                           # E.g. "secrets.db.password".
+      + "\u0000"
+      + ((getpath($p) // "") | tostring)               # Plain scalar value; coerce non-strings.
+      + "\u0000"
+  '
+
+  ### Create the producer as a process substitution.
+  if [[ "${secrets_encrypted}" == "true" ]]; then
+
+    ### Decrypt once, stream into yq; avoid storing full doc in memory.
+    # shellcheck disable=SC1083,SC2312
+    exec {__pipe_fd} < <(
+      SOPS_AGE_KEY_FILE="${secrets_privkey}" sops -d --input-type=yaml --output-type=yaml -- "${secrets_yaml}" | yq -rj "${__yq_expr}" -
+    )
+
+  else
+
+    # shellcheck disable=SC1083,SC2312
+    exec {__pipe_fd} < <( yq -rj "${__yq_expr}" -- "${secrets_yaml}")
+
+  fi
+
+  ### Single consumer: read NUL-delimited pairs and assign variables.
+  ### Loop invariant: next read is PATH, then VALUE. Stop cleanly at EOF.
+  while :; do
+
+    ### Read path (up to NUL); break on EOF.
+    IFS= read -r -d '' __path <&"${__pipe_fd}" || break
+
+    ### Read value (up to NUL); if missing (odd count), treat as empty
+    IFS= read -r -d '' __value <&"${__pipe_fd}" || __value=""
+
+    ### Drop the leading 'secrets.' prefix for naming.
+    __path_wo_prefix="${__path#secrets.}"
+    __varname="$(ciss_secret_varname_from_path "${__path_wo_prefix}")"
+
+    ### Assign to a global variable, preserving content verbatim (including newlines).
+    unset -v "${__varname}"
+    declare -g "${__varname}"
+    printf -v "${__varname}" '%s' "${__value}"
+
+    ### Track in the map (without .value)
+    CISS_SECRETS_MAP["${__path_wo_prefix}"]="${__varname}"
+
+  done
+
+  ### Close the producer FD
+  exec {__pipe_fd}>&-
+
+  umask "${__umask}"
+
+  guard_dir && return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f yaml_secret
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_3200_partitioning/3200_partitioning.sh
+++ b/func/cdi_3200_partitioning/3200_partitioning.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # EFI System Partition | EF00 | UEFI Bootloader (ESP, FAT32)
--- a/func/cdi_3200_partitioning/3210_benchmarking_encryption.sh
+++ b/func/cdi_3200_partitioning/3210_benchmarking_encryption.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Benchmark cryptsetup KDF to determine pbkdf-memory and pbkdf-force-iterations for given pbkdf-threads.
--- a/func/cdi_3200_partitioning/3220_partition_encryption.sh
+++ b/func/cdi_3200_partitioning/3220_partition_encryption.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Function to encrypt the respective partition on each entry of 'ARY_CRYPT_MOUNT_PATHS'.
--- a/func/cdi_3200_partitioning/3240_partition_formatting.sh
+++ b/func/cdi_3200_partitioning/3240_partition_formatting.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Function to format the respective partition on each entry of 'ARY_FORMT_MOUNT_PATHS'.
--- a/func/cdi_3200_partitioning/3280_mount_partition.sh
+++ b/func/cdi_3200_partitioning/3280_mount_partition.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Function to create the mount command, incl. mount path and options, and mount the respective device.
--- a/func/cdi_3200_partitioning/3290_uuid_logger.sh
+++ b/func/cdi_3200_partitioning/3290_uuid_logger.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Logger for all generated partition, LUKS container and file system UUIDs.
--- a/func/cdi_3200_partitioning/3295_get_label.sh
+++ b/func/cdi_3200_partitioning/3295_get_label.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Returns standardized labels for the provided mount path depending on filesystem and art of label.
--- a/func/cdi_4000_debootstrap/4000_debootstrap.sh
+++ b/func/cdi_4000_debootstrap/4000_debootstrap.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Install a minimal Debian environment using the 'debootstrap' command.
--- a/func/cdi_4000_debootstrap/4005_debootstrap_checks.sh
+++ b/func/cdi_4000_debootstrap/4005_debootstrap_checks.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Preliminary post debootstrap checks.
--- a/func/cdi_4000_debootstrap/4010_prepare_mounts.sh
+++ b/func/cdi_4000_debootstrap/4010_prepare_mounts.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Configure the target system for chroot.
--- a/func/cdi_4000_debootstrap/4011_prepare_xdg_root.sh
+++ b/func/cdi_4000_debootstrap/4011_prepare_xdg_root.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Prepare '/root' for XDG framework.
--- a/func/cdi_4000_debootstrap/4015_check_usr_merge.sh
+++ b/func/cdi_4000_debootstrap/4015_check_usr_merge.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Check if the target system is not 'tainted: unmerged-usr'.
--- a/func/cdi_4000_debootstrap/4020_remove_x509.sh
+++ b/func/cdi_4000_debootstrap/4020_remove_x509.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Chroot hook for deleting all expired X.509 certificates in the target system.
--- a/func/cdi_4000_debootstrap/4030_setup_hostname.sh
+++ b/func/cdi_4000_debootstrap/4030_setup_hostname.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Configure the '/etc/hostname' | '/etc/hosts' | '/etc/mailname' files.
--- a/func/cdi_4000_debootstrap/4035_setup_resolv.sh
+++ b/func/cdi_4000_debootstrap/4035_setup_resolv.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Configure the '/etc/resolv.conf' file.
--- a/func/cdi_4000_debootstrap/4040_setup_timezone.sh
+++ b/func/cdi_4000_debootstrap/4040_setup_timezone.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Configure the '/etc/timezone' | '/etc/localtime' files.
--- a/func/cdi_4000_debootstrap/4050_setup_locales.sh
+++ b/func/cdi_4000_debootstrap/4050_setup_locales.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Set locale, locale overrides and configure keyboard layout.
--- a/func/cdi_4100_base/4100_generate_sources.sh
+++ b/func/cdi_4100_base/4100_generate_sources.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Generate target '/etc/apt/sources.list' entries.
--- a/func/cdi_4100_base/4105_generate_sources_822.sh
+++ b/func/cdi_4100_base/4105_generate_sources_822.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Generate target '/etc/apt/sources.list.d/' deb.822 entries.
--- a/func/cdi_4100_base/4110_update_sources.sh
+++ b/func/cdi_4100_base/4110_update_sources.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Update generated sources.
--- a/func/cdi_4100_base/4120_installation_kernel.sh
+++ b/func/cdi_4100_base/4120_installation_kernel.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Installation of the specified kernel.
--- a/func/cdi_4100_base/4121_installation_initramfs.sh
+++ b/func/cdi_4100_base/4121_installation_initramfs.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Installation of 'initramfs'-environment.
--- a/func/cdi_4100_base/4130_installation_toolset.sh
+++ b/func/cdi_4100_base/4130_installation_toolset.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Check and set up the minimum required tools for the next installation steps.
--- a/func/cdi_4100_base/4131_installation_systemd.sh
+++ b/func/cdi_4100_base/4131_installation_systemd.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Ensure systemd is in place.
--- a/func/cdi_4100_base/4132_installation_machineid.sh
+++ b/func/cdi_4100_base/4132_installation_machineid.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Generate machine-id if missing.
--- a/func/cdi_4100_base/4133_installation_masking.sh
+++ b/func/cdi_4100_base/4133_installation_masking.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Turn off Energy saving mode and ctrl-alt-del.
--- a/func/cdi_4100_base/4140_installation_microcode.sh
+++ b/func/cdi_4100_base/4140_installation_microcode.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Install microcode updates depending on architecture (amd64, arm64, intel64) and environment (Baremetal, VM).
--- a/func/cdi_4100_base/4145_installation_firmware.sh
+++ b/func/cdi_4100_base/4145_installation_firmware.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Install microcode updates depending on architecture (amd64, arm64, intel64) and environment (Baremetal, VM).
--- a/func/cdi_4100_base/4150_installation_chrony.sh
+++ b/func/cdi_4100_base/4150_installation_chrony.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Setup chrony NTPSec client.
--- a/func/cdi_4100_base/4160_installation_eza.sh
+++ b/func/cdi_4100_base/4160_installation_eza.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Install Cisofy Lynis.
--- a/func/cdi_4100_base/4170_installation_lynis.sh
+++ b/func/cdi_4100_base/4170_installation_lynis.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Install Cisofy Lynis.
--- a/func/cdi_4200_boot/4200_generate_fstab.sh
+++ b/func/cdi_4200_boot/4200_generate_fstab.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Wrapper to write '/etc/fstab' entries.
@@ -169,11 +169,10 @@ EOF
  mkdir -p "${TARGET}/media/cdrom0"
  cat << 'EOF' >> "${TARGET}/etc/fstab"

-/dev/sr0                                   /media/cdrom0               auto              noauto,nofail,ro,user,x-systemd.automount,x-systemd.device-timeout=0                                0 0
-#/dev/sr0                                  /media/cdrom0               udf,iso9660       user,noauto                                                                                         0 0
+# /dev/sr0                                 /media/cdrom0               auto              noauto,nofail,ro,user,x-systemd.automount,x-systemd.device-timeout=0                                0 0                                                                                        0 0

 EOF
-  do_log "info" "file_only" "4200() fstab entry generated: '/dev/sr0  /media/cdrom0  udf,iso9660  user,noauto  0 0'."
+  do_log "info" "file_only" "4200() fstab entry generated: '/dev/sr0  /media/cdrom0  auto  noauto,nofail,ro,user,x-systemd.automount,x-systemd.device-timeout=0  0 0'."

  cat << 'EOF' >> "${TARGET}/etc/fstab"
 ### Secure tmpfs mounts for a hardened system
--- a/func/cdi_4200_boot/4205_check_fstab.sh
+++ b/func/cdi_4200_boot/4205_check_fstab.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Basic '/etc/fstab' checks inside chroot.
--- a/func/cdi_4200_boot/4210_generate_crypttab.sh
+++ b/func/cdi_4200_boot/4210_generate_crypttab.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # '/etc/crypttab' entry writer and logger.
--- a/func/cdi_4200_boot/4220_installation_cryptsetup.sh
+++ b/func/cdi_4200_boot/4220_installation_cryptsetup.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Installation of 'cryptsetup' and 'cryptsetup-initramfs' after '/etc/crypttab' generation.
--- a/func/cdi_4200_boot/4230_installation_grub.sh
+++ b/func/cdi_4200_boot/4230_installation_grub.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # --- UEFI GRUB Installation Strategy ---
--- a/func/cdi_4200_boot/4240_update_grub_password.sh
+++ b/func/cdi_4200_boot/4240_update_grub_password.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Append the GRUB superuser block to '/etc/grub.d/40_custom'.
--- a/func/cdi_4200_boot/4250_update_grub_bootparameter.sh
+++ b/func/cdi_4200_boot/4250_update_grub_bootparameter.sh
@@ -13,7 +13,7 @@
 ### Options in "GRUB_CMDLINE_LINUX" are always effective, (incl. recovery).
 ### Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Hardening: update the Grub boot parameter and the Dropbear and Nuke parameters if opted in.
--- a/func/cdi_4300_network/4300_installation_network.sh
+++ b/func/cdi_4300_network/4300_installation_network.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Setup network.
--- a/func/cdi_4300_network/4305_installation_netsec.sh
+++ b/func/cdi_4300_network/4305_installation_netsec.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Installation of packages 'fail2ban' and 'ufw'.
--- a/func/cdi_4300_network/4310_dropbear_build.sh
+++ b/func/cdi_4300_network/4310_dropbear_build.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Build Ultra Hardened dropbear-2025.88 from sources.
--- a/func/cdi_4300_network/4311_dropbear_initramfs.sh
+++ b/func/cdi_4300_network/4311_dropbear_initramfs.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Install the 'dropbear-initramfs' and replace the binaries with those from the previous Ultra Hardened build.
--- a/func/cdi_4300_network/4312_dropbear_setup.sh
+++ b/func/cdi_4300_network/4312_dropbear_setup.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Set up the 'dropbear-initramfs' environment.
--- a/func/cdi_4300_network/4320_update_initramfs.sh
+++ b/func/cdi_4300_network/4320_update_initramfs.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Deploy all changes made using the 'update-grub' and 'update-initramfs' commands.
--- a/func/cdi_4300_network/4330_installation_ssh.sh
+++ b/func/cdi_4300_network/4330_installation_ssh.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Setup ssh server.
--- a/func/cdi_4400_hardening/4400_kernel_modules.sh
+++ b/func/cdi_4400_hardening/4400_kernel_modules.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Entropy collection improvements '/usr/lib/modules-load.d/30_security-misc.conf'.
--- a/func/cdi_4400_hardening/4410_kernel_sysctl.sh
+++ b/func/cdi_4400_hardening/4410_kernel_sysctl.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Install Kernel Hardening-Presets '/etc/sysctl.d/9999_ciss_debian_installer.hardened'.
--- a/func/cdi_4400_hardening/4420_hardening_fail2ban.sh
+++ b/func/cdi_4400_hardening/4420_hardening_fail2ban.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Hardening 'fail2ban'.
@@ -62,6 +62,8 @@ EOF
    ### fail2ban ufw aggressive mode, one attempt for jumphost configuration.
    cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
 [DEFAULT]
+banaction             = nftables-multiport
+banaction_allports    = nftables-allports
 dbpurgeage            = 384d
 #                       127.0.0.1/8 - IPv4 loopback range (local host)
 #                       ::1/128     - IPv6 loopback
@@ -97,7 +99,7 @@ usedns                = yes

 [recidive]
 enabled               = true
-banaction             = ufw[blocktype=deny]
+banaction             = %(banaction_allports)s
 bantime               = 8d
 bantime.increment     = true
 bantime.factor        = 1
@@ -136,7 +138,7 @@ maxretry              = 4

 [icmp]
 enabled               = true
-banaction             = ufw[blocktype=deny]
+banaction             = %(banaction_allports)s
 bantime               = 1h
 bantime.increment     = true
 bantime.factor        = 1
@@ -151,7 +153,7 @@ maxretry              = 1

 [ufw]
 enabled               = true
-banaction             = ufw[blocktype=deny]
+banaction             = %(banaction_allports)s
 bantime               = 1h
 bantime.increment     = true
 bantime.factor        = 1
@@ -172,6 +174,8 @@ EOF
    ### fail2ban ufw aggressive mode, 32 attempts for NO jumphost configuration.
    cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
 [DEFAULT]
+banaction             = nftables-multiport
+banaction_allports    = nftables-allports
 dbpurgeage            = 384d
 #                       127.0.0.1/8 - IPv4 loopback range (local host)
 #                       ::1/128     - IPv6 loopback
@@ -195,7 +199,7 @@ usedns                = yes

 [recidive]
 enabled               = true
-banaction             = ufw[blocktype=deny]
+banaction             = %(banaction_allports)s
 bantime               = 8d
 bantime.increment     = true
 bantime.factor        = 1
@@ -234,7 +238,7 @@ maxretry              = 4

 [icmp]
 enabled               = true
-banaction             = ufw[blocktype=deny]
+banaction             = %(banaction_allports)s
 bantime               = 1h
 bantime.increment     = true
 bantime.factor        = 1
@@ -249,7 +253,7 @@ maxretry              = 3

 [ufw]
 enabled               = true
-banaction             = ufw[blocktype=deny]
+banaction             = %(banaction_allports)s
 bantime               = 1h
 bantime.increment     = true
 bantime.factor        = 1
--- a/func/cdi_4400_hardening/4430_hardening_files.sh
+++ b/func/cdi_4400_hardening/4430_hardening_files.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Hardening files and directories.
--- a/func/cdi_4400_hardening/4440_hardening_haveged.sh
+++ b/func/cdi_4400_hardening/4440_hardening_haveged.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Hardening haveged.
--- a/func/cdi_4400_hardening/4442_hardening_jitterentropy.sh
+++ b/func/cdi_4400_hardening/4442_hardening_jitterentropy.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Hardening hardening_jitterentropy.
--- a/func/cdi_4400_hardening/4445_hardening_logrotate.sh
+++ b/func/cdi_4400_hardening/4445_hardening_logrotate.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Hardening '/etc/logrotate'.
--- a/func/cdi_4400_hardening/4450_hardening_memory.sh
+++ b/func/cdi_4400_hardening/4450_hardening_memory.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # NOTE:
--- a/func/cdi_4400_hardening/4460_hardening_openssl.sh
+++ b/func/cdi_4400_hardening/4460_hardening_openssl.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Hardening OpenSSL library defaults (system-wide), TLSv1.2-, TLSv1.3-, AES-256-only.
--- a/func/cdi_4400_hardening/4470_hardening_ufw.sh
+++ b/func/cdi_4400_hardening/4470_hardening_ufw.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Hardening 'ufw'.
--- a/func/cdi_4400_hardening/4480_hardening_usb.sh
+++ b/func/cdi_4400_hardening/4480_hardening_usb.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Hardening 'usb-guard'.
--- a/func/cdi_4400_hardening/4490_hardening_virus.sh
+++ b/func/cdi_4400_hardening/4490_hardening_virus.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Installing anti-rootkit and antivirus packages.
--- a/func/cdi_4500_user/4500_accounts_preparation.sh
+++ b/func/cdi_4500_user/4500_accounts_preparation.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Account generation preparation.
--- a/func/cdi_4500_user/4501_accounts_preparation_ciss.sh
+++ b/func/cdi_4500_user/4501_accounts_preparation_ciss.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Account preparation CISS specific.
--- a/func/cdi_4500_user/4502_accounts_preparation_physnet.sh
+++ b/func/cdi_4500_user/4502_accounts_preparation_physnet.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Account preparation PHYSNET specific.
--- a/func/cdi_4500_user/4510_accounts_hardening.sh
+++ b/func/cdi_4500_user/4510_accounts_hardening.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Hardening accounts: Google TOTP, Wordlists, masking ttys, expiration of accounts.
--- a/func/cdi_4500_user/4520_accounts_setup.sh
+++ b/func/cdi_4500_user/4520_accounts_setup.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Updating root account and generation user accounts.
--- a/func/cdi_4500_user/4521_accounts_setup_ciss.sh
+++ b/func/cdi_4500_user/4521_accounts_setup_ciss.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Account setup CISS specific.
--- a/func/cdi_4500_user/4522_accounts_setup_physnet.sh
+++ b/func/cdi_4500_user/4522_accounts_setup_physnet.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Account setup PHYSNET specific.
--- a/func/cdi_4500_user/4530_accounts_timings.sh
+++ b/func/cdi_4500_user/4530_accounts_timings.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Iterates all '/etc/shadow' entries and sets:
--- a/func/cdi_4600_packages/4600_installation_packages.sh
+++ b/func/cdi_4600_packages/4600_installation_packages.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Install Debian Packages as specified in 'preseed.yaml'.
--- a/func/cdi_4600_packages/4610_installation_security.sh
+++ b/func/cdi_4600_packages/4610_installation_security.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Installs the desired security extension framework.
--- a/func/cdi_4600_packages/4620_installation_verification.sh
+++ b/func/cdi_4600_packages/4620_installation_verification.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 ### https://github.com/linux-audit/audit-userspace/tree/master/rules

--- a/func/cdi_4600_packages/4630_auditing_packages.sh
+++ b/func/cdi_4600_packages/4630_auditing_packages.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Final checks.
--- a/func/cdi_4900_xtended/4900_final_command.sh
+++ b/func/cdi_4900_xtended/4900_final_command.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Finalize the chroot system before exiting.
--- a/func/cdi_4900_xtended/4950_final_logrotate.sh
+++ b/func/cdi_4900_xtended/4950_final_logrotate.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Final update '/etc/logrotate.d/*'.
--- a/func/cdi_4900_xtended/4999_exiting_chroot_system.sh
+++ b/func/cdi_4900_xtended/4999_exiting_chroot_system.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Exiting chroot of the target system.
--- a/func/cdi_5000_recovery/5120_installation_kernel.sh
+++ b/func/cdi_5000_recovery/5120_installation_kernel.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Installation of the specified kernel.
--- a/func/cdi_5000_recovery/5121_installation_initramfs.sh
+++ b/func/cdi_5000_recovery/5121_installation_initramfs.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Installation of 'initramfs'-environment.
--- a/func/cdi_5000_recovery/5130_installation_toolset.sh
+++ b/func/cdi_5000_recovery/5130_installation_toolset.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Check and set up the minimum required tools for the next installation steps.
--- a/func/cdi_5000_recovery/5131_installation_systemd.sh
+++ b/func/cdi_5000_recovery/5131_installation_systemd.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Ensure systemd is in place.
--- a/func/cdi_5000_recovery/5132_installation_machineid.sh
+++ b/func/cdi_5000_recovery/5132_installation_machineid.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Generate machine-id if missing.
--- a/func/cdi_5000_recovery/5133_installation_masking.sh
+++ b/func/cdi_5000_recovery/5133_installation_masking.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Turn off Energy saving mode and ctrl-alt-del.
--- a/func/cdi_5000_recovery/5999_exiting_chroot_recovery.sh
+++ b/func/cdi_5000_recovery/5999_exiting_chroot_recovery.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Exiting chroot of the target system.
--- a/lib/cdi_0005_guard/0005_guard_sourcing.sh
+++ b/lib/cdi_0005_guard/0005_guard_sourcing.sh
@@ -16,11 +16,11 @@
 # Globals:
 #   BASH_SOURCE
 # Arguments:
-#   1: Explicitly provided Argument: filename of the caller LIB. (Better let the guard_sourcing() determine dynamically.)
+#   1: Explicitly provided Argument: filename of the caller LIB. (Better let the guard_sourcing || return "${ERR_GUARD_SOURCE}"() determine dynamically.)
 # Returns:
 #   0: Returns '0' in both cases as they are intended to be successful.
 #######################################
-guard_sourcing() {
+guard_sourcing || return "${ERR_GUARD_SOURCE}"() {
  ### Determine the caller script (the library being sourced).
  declare    var_src="${1:-${BASH_SOURCE[1]}}"
  ### Strip path, keep only the filename
@@ -32,7 +32,7 @@ guard_sourcing() {

  ### If already loaded, abort sourcing
  if [[ -n "${!var_guard_var:-}" ]]; then
-    return 0
+    return "${ERR_GUARD_SOURCE}"
  fi

  ### Mark as loaded (readonly + exported)
@@ -41,5 +41,5 @@ guard_sourcing() {
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
-readonly -f guard_sourcing
+readonly -f guard_sourcing || return "${ERR_GUARD_SOURCE}"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/cdi_0005_guard/0007_guard_safe_exec.sh
+++ b/lib/cdi_0005_guard/0007_guard_safe_exec.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"

 #######################################
 # Generic safe wrapper for external commands.
--- a/Show More
+++ b/Show More