DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]

X-CI-Metadata: master@aef00ec at 2025-10-26T18:19:48Z on 6f8f9a786bfa Generated at : 2025-10-26T18:19:48Z Runner Host : 6f8f9a786bfa Workflow ID : 🛡️ Shell Script Linting Git Commit : aef00ec HEAD -> master
V8.00.000.2025.06.17
2025-10-26 18:19:48 +00:00 · 2025-10-26 18:17:28 +00:00 · 2025-10-26 17:24:00 +00:00 · 2025-10-26 17:22:09 +00:00 · 2025-10-26 17:21:58 +00:00 · 2025-10-26 17:21:53 +00:00
187 changed files with 6187 additions and 2649 deletions
--- a/.archive/4520_accounts_setup.sh
+++ b/.archive/4520_accounts_setup.sh
--- a/.archive/4620_installation_verification.sh
+++ b/.archive/4620_installation_verification.sh
@@ -0,0 +1,410 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing || return "${ERR_GUARD_SOURCE}"
 ### https://github.com/linux-audit/audit-userspace/tree/master/rules
 #######################################
 # Installs 'aide', 'audit', and 'debsums' audit and logging packages.
 # Finalizes 'rkhunter' baseline.
 # Globals:
 #   TARGET
 #   VAR_SEC_FW
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 install_verification() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_logfile="/root/.ciss/cdi/log/4620_installation_verification.log"
  chroot_logger "${TARGET}${var_logfile}"
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests acct 2>&1 | tee -a ${var_logfile}
    mkdir -p /etc/systemd/system/multi-user.target.wants
    if ln -s /lib/systemd/system/acct.service /etc/systemd/system/multi-user.target.wants/acct.service; then
      printf 'Process Accounting enabled successfully.'
    else
      printf 'Process Accounting already enabled.'
    fi
  "
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests auditd 2>&1 | tee -a ${var_logfile}
  "
  rm -f "${TARGET}/etc/audit/rules.d/audit.rules"
  ############################################################### /etc/audit/rules.d/10-base-config.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/10-base-config.rules"
 ## First rule - delete all
 -D
 ## Increase the buffers to survive stress events.
 ## Make this bigger for busy systems
 -b 16384
 ## This determine how long to wait in burst of events
 --backlog_wait_time 1024
 ## Set failure mode to syslog
 -f 1
 EOF
  ############################################################### /etc/audit/rules.d/11-loginuid.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/11-loginuid.rules"
 --loginuid-immutable
 EOF
  ############################################################### /etc/audit/rules.d/20-dont-audit.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/20-dont-audit.rules"
 ## This is for don't audit rules. We put these early because audit
 ## is a first match wins system. Uncomment the rules you want.
 ## Cron jobs fill the logs with stuff we normally don't want
 -a never,user
 ## This prevents chrony from overwhelming the logs
 -a never,exit -F arch=b64 -S adjtimex -F exe=/usr/sbin/chronyd
 -a never,exit -F arch=b32 -S adjtimex -F exe=/usr/sbin/chronyd
 ## Human-attributable time changes
 -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F auid>=1000 -F auid!=4294967295 -k time-change
 -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -F auid>=1000 -F auid!=4294967295 -k time-change
 ### This is not very interesting and wastes a lot of space if
 ### the server is public facing
 -a always,exclude -F msgtype=CRYPTO_KEY_USER
 EOF
  ############################################################### /etc/audit/rules.d/21-no32bit.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/21-no32bit.rules"
 ## If you are on a 64 bit platform, everything _should_ be running
 ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
 ## because this might be a sign of someone exploiting a hole in the 32
 ## bit ABI.
 -a always,exit -F arch=b32 -S all -F key=32bit-abi
 EOF
  ############################################################### /etc/audit/rules.d/22-ignore-chrony.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/22-ignore-chrony.rules"
 ## This rule suppresses the time-change event when chrony does time updates
 -a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=_chrony
 -a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=_chrony
 EOF
  ############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-1-create-failed.rules"
 ## Unsuccessful file creation (open with O_CREAT)
 -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 EOF
  ############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-1-create-success.rules"
 ## Successful file creation (open with O_CREAT)
 -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 -a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 -a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 -a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 -a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 EOF
  ############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules"
 ## Unsuccessful file modifications (open for write or truncate)
 -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 EOF
  ############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-2-modify-success.rules"
 ## Successful file modifications (open for write or truncate)
 -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 -a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 -a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 -a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 -a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 EOF
  ############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-3-access-failed.rules"
 ## Unsuccessful file access (any other opens) This has to go last.
 -a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
 -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
 -a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
 -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
 EOF
  ############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-3-access-success.rules"
 ## Successful file access (any other opens) This has to go last.
 ## These next two are likely to result in a whole lot of events
 -a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
 -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
 EOF
  ############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules"
 ## Unsuccessful file delete
 -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
 -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
 -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
 -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
 EOF
  ############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-4-delete-success.rules"
 ## Successful file delete
 -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
 -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
 EOF
  ############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules"
 ## Unsuccessful permission change
 -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
 -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
 -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
 -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
 EOF
  ############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules"
 ## Successful permission change
 -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
 -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
 EOF
  ############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules"
 ## Unsuccessful ownership change
 -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
 -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
 -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
 -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
 EOF
  ############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules"
 ## Successful ownership change
 -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
 -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
 EOF
  ############################################################### /etc/audit/rules.d/30-ospp-v42.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42.rules"
 ## The purpose of these rules is to meet the requirements for Operating
 ## System Protection Profile (OSPP)v4.2. These rules depends on having
 ## the following rule files copied to /etc/audit/rules.d:
 ##
 ## 10-base-config.rules, 11-loginuid.rules,
 ## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
 ## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
 ## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
 ## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
 ## 30-ospp-v42-5-perm-change-failed.rules,
 ## 30-ospp-v42-5-perm-change-success.rules,
 ## 30-ospp-v42-6-owner-change-failed.rules,
 ## 30-ospp-v42-6-owner-change-success.rules
 ##
 ## original copies may be found in /usr/share/audit-rules
 ## User add delete modify. This is covered by pam. However, someone could
 ## open a file and directly create or modify a user, so we'll watch passwd and
 ## shadow for writes
 -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
 -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
 -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
 -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
 -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
 -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
 -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
 -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
 ## User enable and disable. This is entirely handled by pam.
 ## Group add delete modify. This is covered by pam. However, someone could
 ## open a file and directly create or modify a user, so we'll watch group and
 ## gshadow for writes
 -a always,exit -F arch=b32 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
 -a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
 -a always,exit -F arch=b32 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
 -a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
 -a always,exit -F arch=b32 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
 -a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
 -a always,exit -F arch=b32 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
 -a always,exit -F arch=b64 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
 ## Use of special rights for config changes. This would be use of setuid
 ## programs that relate to user accts. This is not all setuid apps because
 ## requirements are only for ones that affect system configuration.
 -a always,exit -F arch=b32 -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b32 -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b32 -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b32 -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b32 -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b32 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b32 -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b32 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b32 -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b32 -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b32 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b32 -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b32 -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b32 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 ## Privilege escalation via su or sudo. This is entirely handled by pam.
 ## Special case for systemd-run. It is not audit aware, specifically watch it
 -a always,exit -F arch=b32 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
 -a always,exit -F arch=b64 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
 ## Special case for pkexec. It is not audit aware, specifically watch it
 -a always,exit -F arch=b32 -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
 -a always,exit -F arch=b64 -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
 ## Watch for configuration changes to privilege escalation.
 -a always,exit -F arch=b32 -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
 -a always,exit -F arch=b32 -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
 -a always,exit -F arch=b64 -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
 ## Audit log access
 -a always,exit -F arch=b32 -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
 -a always,exit -F arch=b64 -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
 ## Attempts to Alter Process and Session Initiation Information
 -a always,exit -F arch=b32 -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
 -a always,exit -F arch=b64 -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
 -a always,exit -F arch=b32 -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
 -a always,exit -F arch=b64 -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
 -a always,exit -F arch=b32 -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
 -a always,exit -F arch=b64 -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
 ## Attempts to modify MAC controls
 -a always,exit -F arch=b32 -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
 -a always,exit -F arch=b64 -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
 ## Application invocation. The requirements list an optional requirement
 ## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
 ## state results from that policy. This would be handled entirely by
 ## that daemon.
 EOF
  ############################################################### /etc/audit/rules.d/99-finalize.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/99-finalize.rules"
 -e 2
 EOF
  chroot_script "${TARGET}" "
    systemctl enable auditd.service 2>&1 | tee -a ${var_logfile}
  "
  ### Validate and build audit rules now; fail early if syntax is wrong.
  chroot_script "${TARGET}" "
    if command -v augenrules >/dev/null 2>&1; then
      augenrules --load 2>&1 | tee -a ${var_logfile}
    else
      ### Fallback: build consolidated rules file without loading into the kernel.
      if command -v bash >/dev/null 2>&1; then
        bash -lc 'cat /etc/audit/rules.d/*.rules > /etc/audit/audit.rules'
      fi
    fi
  "
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests aide aide-common 2>&1 | tee -a ${var_logfile}
    sed -i 's/Checksums = H/Checksums = sha512/' /etc/aide/aide.conf
    aideinit > /dev/null 2>> ${var_logfile}
  "
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests debsums 2>&1 | tee -a ${var_logfile}
    if ! debsums -g >> ${var_logfile} 2>> ${var_logfile}; then
      printf 'Running debsums -g - encountered errors.' >> ${var_logfile}
    fi
    mkdir -p /root/.ciss/cdi/backup/etc/default
    cp -a /etc/default/debsums /root/.ciss/cdi/backup/etc/default/debsums.bak
    sed -i 's/CRON_CHECK=never/CRON_CHECK=monthly/' /etc/default/debsums
  "
  chroot_script "${TARGET}" "
    rkhunter --propupd 2>&1 | tee -a ${var_logfile}
  "
  chroot_exec "${TARGET}" sed -i 's#^\(ENABLED=\).*#\1"true"#' /etc/default/sysstat
  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f install_verification
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/.preseed/SECRETS.yaml
+++ b/.preseed/SECRETS.yaml
@@ -0,0 +1,115 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 #
 #
 # This file contains all required Secrets, Tokens and Public and Private Keys for the CISS.debian.installer
 # Master V8.00.000.2025.06.17
 # YAML specification: 1.2
 #
 secrets:
  description: "Secrets for automated installation of encrypted systems on this host via primordial-workflow™."
  created_at: "2025-10-23"
  created_for: "host_domain_tld"
  name: "CISS.debian.installer"
  version: "V8.00.000.2025.06.17"
  x_files: "false"
  ################################################################################################################################
  # Grub bootloader passphrase
  ################################################################################################################################
  grub:
    note: "Password used to unlock the GRUB bootloader before system initialization."
    scope: "grub"
    type: "plain"
    value: "PleASE_CHan3e_M!"
  ################################################################################################################################
  # LUKS and LUKS Nuke passphrase
  ################################################################################################################################
  luks:
    backup:
      note: "The value is [<share-identifier>:<password>] (colon-separated). Use the same dedicated destination and credentials across servers."
      scope: "offsite-backup"
      type: "plain"
      value: "NextcloudFolderNameOrShareID:SuperSecurePassword123!"
    boot:
      note: "Dedicated passphrase for the [/boot] partition; chosen for easy manual input via the VPS web console."
      scope: "luks"
      type: "plain"
      value: "Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!"
    common:
      note: "Main LUKS passphrase baked into the installer for automated setup. For dropbear SSH input method only."
      scope: "luks"
      type: "plain"
      value: "Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!"
    nuke:
      note: "Special LUKS passphrase that triggers secure wipe of all volumes when entered."
      scope: "luks"
      type: "plain"
      value: "THIS_IS_THE_NUKE_PASSWORD!"
  ################################################################################################################################
  # TOTP MFA seed and salt and other seed variables
  ################################################################################################################################
  seeds:
    mfa:
      info:
        note: "MFA version identifier, e.g., [totp:v1] for seamless mfa secrets rollover."
        scope: "mfa"
        type: "plain"
        value: "totp:v1"
      salt:
        note: "Used to add a salt to the MFA seed to derive per-host MFA secrets for remote unlock authentication."
        scope: "mfa"
        type: "plain"
        value: "CISS:CDI:OTP"
      secret:
        note: "Master seed (hex) used to derive per-machine MFA secrets for remote unlock authentication."
        scope: "mfa"
        type: "plain"
        value: "7cad63da408c27b5121c89cdd0cf878b8f8df1f34bcc0a944152261ee1481fda"
  ################################################################################################################################
  # User passwords and SSH keys
  ################################################################################################################################
  user:
    root:
      password:
        note: "Password-hash, YESCRYPT only, for the root user. Leave value empty if disabled password authentication."
        scope: "auth"
        type: "hash"
        value: "$y$jFT$7pQlcZrgTEGrzkEm7UQW/.$QoCamalYEAV5mN4QWIE.xpHo8kvXa9sym2Uz.9oELwA"
      sshpubkey:
        note: "SSH public key for the root user. This key is also used for dropbear SSH authentication."
        scope: "auth"
        type: "sshpubkey"
        value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
    user0:
      name: "user"
      password:
        note: "Password-hash, YESCRYPT only, for the specified user. Leave value empty if disabled password authentication."
        scope: "auth"
        type: "hash"
        value: "$y$jFT$OGeZONH5ho2JSXvAbyIBQ1$5OhyHqOaMZ9BZcfMOYEwF.nMLFKd9ceiW2oNksPCHVB"
      sshpubkey:
        note: "SSH public key for the specified user."
        scope: "auth"
        type: "sshpubkey"
        value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
    user1:
      name: "ansible"
      password:
        note: "Password-hash, YESCRYPT only, for the specified user. Leave value empty if disabled password authentication."
        scope: "auth"
        type: "hash"
        value: ""
      sshpubkey:
        note: "SSH public key for the specified user."
        scope: "auth"
        type: "sshpubkey"
        value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.preseed/mfa_master.txt
+++ b/.preseed/mfa_master.txt
@@ -1 +0,0 @@
 7cad63da408c27b5121c89cdd0cf878b8f8df1f34bcc0a944152261ee1481fda
--- a/.preseed/partitioning.yaml
+++ b/.preseed/partitioning.yaml
@@ -34,9 +34,12 @@ recipe:
        time: 256              # The number of milliseconds to spend with PBKDF passphrase processing.
      luks_backup: true        # Specify if LUKS Header backups should be created. If so, provide an external backup URL:
                               # luks_backup_url: "https://cloud.e2ee.li/" or leave empty for local backup.
-                               # Also provide the cloud access token and access passwords via ./.preseed/password_luks_backup.txt
+                               # Also provide the cloud access token and access passwords via
-                               # Yet Nextcloud only is supported.
+                               # ./.preseed/SECRETS.yaml. Yet Nextcloud only is supported.
      luks_backup_url: "https://cloud.e2ee.li/"
      luks_backup_pgp: "ciss"  # Specify the trigger for use of the LUKS Header backup encryption key.
                               # Allowed values are: 'ciss', and 'physnet'. MUST be provided.
                               # Otherwise, the backup is NOT created.
      name: "ciss.2025.gpt.btrfs.ephemeral.non-raid.256GiB.rescue"
      nuke: true               # Activates Nuke-Mechanism in '/etc/crypttab' keyscript and via dropbear SSH forced command.
      nuke_rounds: 16384       # SHA512 KDF Rounds for Nuke Passphrase. If omitted, the default value is '8,388,608'.
@@ -51,7 +54,7 @@ recipe:
      table: "gpt"             # MUST be "gpt" for "UEFI" || "msdos":
      syntax: true             # This is set to "false" by default, otherwise if the recipe is tested by the authors to "true".
      ### Version of the specific recipe.
-      version: "1.3.0"
+      version: "1.3.2"
    dev:
      sda:
        1:                     # MUST be always 'ESP' for [UEFI|GPT] or 'BIOS' for [BIOS|GPT].
@@ -176,7 +179,7 @@ recipe:
            version: "ext4"
          mount:
            enable: true
-            options: "defaults,discard"
+            options: "defaults"
            optsnap: ""
            path: "SWAP"
          primary: primary
--- a/.preseed/password_grub.txt
+++ b/.preseed/password_grub.txt
@@ -1 +0,0 @@
 PleASE_CHan3e_M!
--- a/.preseed/password_luks_backup.txt
+++ b/.preseed/password_luks_backup.txt
@@ -1 +0,0 @@
 SJF3kOdvm0o9xwT:VdmXE^2w^VTFJeJPdHkd7qNwQVf^7SDmcyZKjcfadS
--- a/.preseed/password_luks_boot.txt
+++ b/.preseed/password_luks_boot.txt
@@ -1 +0,0 @@
 Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!
--- a/.preseed/password_luks_common.txt
+++ b/.preseed/password_luks_common.txt
@@ -1 +0,0 @@
 Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!
--- a/.preseed/password_luks_nuke.txt
+++ b/.preseed/password_luks_nuke.txt
@@ -1 +0,0 @@
 THIS_IS_THE_NUKE_PASSWORD!
--- a/.preseed/preseed.yaml
+++ b/.preseed/preseed.yaml
@@ -10,14 +10,17 @@
 # SPDX-Security-Contact: security@coresecret.eu
 %YAML 1.2
 ---
-### This file contains configurations for the CISS.debian.installer
+# This file contains configurations for the CISS.debian.installer
-### Master V8.00.000.2025.06.17
+# Master V8.00.000.2025.06.17
-### YAML specification: 1.2
+# YAML specification: 1.2
-
+#
-installer:
+preseed:
  description: "Configuration values for automated installation of encrypted systems on this host via primordial-workflow™."
  created_at: "2025-10-23"
  created_for: "host_domain_tld"
  name: "CISS.debian.installer"
  version: "V8.00.000.2025.06.17"
-
+#
 ################################################################################################################################
 # APT settings
 ################################################################################################################################
@@ -104,7 +107,7 @@ image: "linux-image-6.16.3+deb13-amd64"
                               # "linux-image-6.16.3+deb13-amd64"
 needrun: false                 # Static linking to "${TARGET}/run" can cause problems if this data is "burned" into the target.
 provider: "netcup"             # MUST be one of "contabo", "hetzner", "netcup" or leave empty.
-security_ext: "selinux"        # MUST be one of "apparmor" or "selinux".
+security_ext: "apparmor"        # MUST be one of "apparmor" or "selinux".
 ################################################################################################################################
 # Dropbear settings
@@ -133,7 +136,7 @@ grub_parameter:
  # undetected. During boot if audit=1, then the backlog will hold 64 records. If more than 64 records are created during boot,
  # auditd records will be lost, and potential malicious activity could go undetected.
  ##############################################################################################################################
-  - "audit_backlog_limit=16384"
+  - "audit_backlog_limit=262144"
  - "audit=1"
  ##############################################################################################################################
@@ -451,7 +454,7 @@ grub:
  other-os: true               # This one makes grub-installer install to the UEFI partition '/boot' record if it also finds
                               # some other OS, which is less safe as it might not be able to boot that other OS.
  password: true               # If you want to set a password for GRUB. The password MUST be set at:
-                               # '/.preseed/password_grub.txt'.
+                               # '/.preseed/SECRETS.yaml'.
  prober: false                # OS-prober did not detect any other operating systems on your computer at this time, but you
                               # may still wish to enable it in case you install more in the future.
  skip: false                  # Skip installing grub.
@@ -509,6 +512,7 @@ network:
    dhcp: 60                   # If the dhcp server is slow, and the installer times out waiting for it, this might be useful.
    linkwait: 3                # To set a different link detection timeout (default is 3 seconds).
  static:
    dns_dhcp_override: true    # If you want to override the DNS settings of the DHCP server.
    enable: true               # If you want the preconfiguration file to work on systems both with and without a dhcp
                               # server, change 'network.static.enable' from "false" to "true" and configure the static
                               # configuration below.
@@ -620,8 +624,8 @@ software:
  # gawk
  # gdisk
  # gnupg
  # haveged
  # initramfs-tools
  # jitterentropy-rngd
  # jq
  # kbd
  # keyutils
@@ -780,6 +784,7 @@ software:
  ##############################################################################################################################
  # Installed by 4620_installation_verification.sh
  ##############################################################################################################################
  # acct
  # aide
  # aide-common
  # audit
@@ -802,13 +807,13 @@ software:
 # USA         : time-a-g.nist.gov time-c-b.nist.gov utcnist3.colorado.edu
 ntp:
  server:
-    - "ntp.ripe.net"
+    #- "ntp.ripe.net"          # Time out as of 2025-10-16
    - "ptbtime3.ptb.de"
    - "ptbtime2.ptb.de"
    - "ptbtime1.ptb.de"
-    - "ntp13.metas.ch"
+    #- "ntp13.metas.ch"        # Time out as of 2025-10-16
-    - "time-c-b.nist.gov"
+    #- "time-c-b.nist.gov"     # Time out as of 2025-10-16
-    - "sth1.ntp.se"
+    #- "sth1.ntp.se"           # Time out as of 2025-10-16
    - "ntp0.fau.de"
  timezone: "Europe/Lisbon"    # Any valid setting for $TZ; see the contents of '/usr/share/zoneinfo' for valid values.
  utc: true                    # Controls whether the hardware clock is set to UTC.
@@ -820,6 +825,10 @@ ssh:
  allow_hardening: true        # For additional hardening of SSH connections via TCP wrapper: '/etc/hosts.allow'.
                               # If "allow_hardening" = "true", at least one 'allow_ipv4' MUST be provided.
  allow_ipv4:                  # Provide Bastion / Jump-Server / static VPN-Exit-Nodes IPv4: will be added: 'f2ban-ignoreip'.
                               # Also, ufw will be configured to ufw aggressive approach:
                               # Any valid client communicating with the server should be going directly to the service ports
                               # opened in ufw (ssh, 80, ...). Any client touching other ports is treated as malicious and
                               # therefore is blocked access to ALL ports after 1 attempt.
    - 202.61.246.50
  allow_ipv6:                  # Provide Bastion / Jump-Server / static VPN-Exit-Nodes IPv6: will be added: 'f2ban-ignoreip'.
    - 2a03:4000:53:f:abcd:9494:0:2
@@ -830,9 +839,6 @@ ssh:
 # User settings
 ################################################################################################################################
 user:
  mfa:
    info: "totp:v1"
    salt: "CISS:CDI:OTP"       # + (Server_FQDN/Username)
  ##############################################################################################################################
  # Root: The superuser account (normally disabled for direct login).
  #       Key 'user.root.password' MUST contain a valid yescrypt hashed password string.
@@ -846,19 +852,20 @@ user:
    sshpubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
    authentication:
      access:
-        ssh: true              # Allow SSH access.
+        ssh: false             # Allow SSH access.
-        tty: true              # Allow TTY (local console) login.
+        tty: false             # Allow TTY (local console) login.
      password: true           # Allow password login. SSH password login is always disabled.
      2fa:
-        ssh: false             # Require 2FA for SSH access.
+        ssh: true              # Require 2FA for SSH access.
-        tty: false             # Require 2FA for TTY (local console) login.
+        tty: true              # Require 2FA for TTY (local console) login.
    privileges:
      description: "Root user with full system access and administrative privileges."
      restricted: false        # If true, the user is limited in scope (e.g., no login, no file access, --no-create-home)
      shell: true              # MUST be "true" if the shell is not '/usr/sbin/nologin' or '/bin/false'.
      sudo: false              # Whether the user can escalate to root using sudo.
      system: true             # Whether this is a low-UID system user (e.g., for automation).
-    specific: "ciss"
+    specific: "ciss"           # Adjust the settings for the user account as required. Allowed values are 'none', 'ciss', and
                               # 'physnet'.
  ##############################################################################################################################
  # Primary administrative user with full sudo access
@@ -866,7 +873,7 @@ user:
  user0:
    ensure: present            # Must always be 'present'. (Not in use in this version of the installer.)
    protected: true            # Prevent unintentional edits or deletions. (Not in use in this version of the installer.)
-    name: "msw"                # The name of the user account.
+    name: "msw"                # The name of the user account. No ":" allowed.
    fullname: "msw"            # The full name of the user account holder.
    uid: 1000                  # Ensures that the same user has the same UID on all systems.
    gid: 1000                  # Ensures that the same user has the same GID on all systems.
@@ -879,15 +886,16 @@ user:
        tty: true              # Allow TTY (local console) login.
      password: true           # Allow password login. SSH password login is always disabled.
      2fa:
-        ssh: false             # Require 2FA for SSH access.
+        ssh: true              # Require 2FA for SSH access.
-        tty: false             # Require 2FA for TTY (local console) login.
+        tty: true              # Require 2FA for TTY (local console) login.
    privileges:
      description: "Primary admin user with full sudo access and interactive login."
      sudo: true               # Whether the user can escalate to root using sudo.
      system: false            # Whether this is a low-UID system user (e.g., for automation).
      restricted: false        # If true, the user is limited in scope (e.g., no login, no file access, --no-create-home)
      shell: true              # MUST be "true" if the shell is not '/usr/sbin/nologin' or '/bin/false'.
-    specific: "ciss"
+    specific: "ciss"           # Adjust the settings for the user account as required. Allowed values are 'none', 'ciss', and
                               # 'physnet'.
  ##############################################################################################################################
  # ansible – System user for automation, no interactive shell
@@ -895,7 +903,7 @@ user:
  user1:
    ensure: present            # "present" = create user; "absent" = remove user
    protected: true            # Prevent unintentional edits or deletions.
-    name: "ansible"            # The name of the user account.
+    name: "ansible"            # The name of the user account. No ":" allowed.
    fullname: "ansible"        # The full name of the user account holder.
    uid: 137                   # Ensures that the same user has the same UID on all systems.
    gid: 137                   # Ensures that the same user has the same GID on all systems.
@@ -916,6 +924,7 @@ user:
      system: true             # Whether this is a low-UID system user (e.g., for automation).
      restricted: false        # If true, the user is limited in scope (e.g., no login, no file access, --no-create-home)
      shell: true              # MUST be "true" if the shell is not '/usr/sbin/nologin' or '/bin/false'.
-    specific: "none"
+    specific: "none"           # Adjust the settings for the user account as required. Allowed values are 'none', 'ciss', and
                               # 'physnet'.
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,17 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 creation_rules:
  - path_regex: '(^|.*/)\.preseed/SECRETS\.yaml$'
    encrypted_regex: '^value$'
 stores:
  yaml:
    indent: 2
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/LINTER_RESULTS.txt
+++ b/LINTER_RESULTS.txt
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-13; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-26; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,8 +9,8 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-10-13T19:16:07Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-10-26T18:19:45Z".
-✅ The last linter check was successful. ✅
+⚠️ The last linter check was NOT successful. ⚠️
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/README.md
+++ b/README.md
@@ -11,8 +11,8 @@ include_toc: true
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
 &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.6-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.7-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.2-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.4-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
--- a/ciss_debian_installer.sh
+++ b/ciss_debian_installer.sh
@@ -12,6 +12,7 @@
 ### Contributions so far see ./docs/CREDITS.md
 # TODO: Final warnings if interactive.
 # TODO: Update .dot files.
 # TODO: Update README.md for each lib and func dir.
 # TODO: Update MANPAGE.md for each func.
@@ -23,7 +24,7 @@
 # TODO: Copying Log Files to final System
 # TODO: Integrate CISS.debian.installer calling arguments and preseed.yaml into CISS.debian.live.builder build chain?
 # TODO: Reboot function for Autoinstall, Clean Exit, Flush Logs, luksClose, umount
-# TODO: Implement loop_pass() for other passwords 0105_arg_nuke_converter.sh
+# TODO: Implement loop_pass() for other passwords 1257_yaml_xnuke.sh
 # TODO: Implement / Integrate IP, Port validation CDI_1200
 ### WHY BASH?
@@ -111,8 +112,8 @@ for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./meta_loader_cuv.sh; usa
 # shellcheck disable=SC2249
 for arg in "$@"; do case "${arg,,}" in -v|--version) . ./meta_loader_cuv.sh; version; exit 0;; esac; done
-### SOURCING MUST SET EARLY VARIABLES. SOURCING COLOR_ECHO(), GUARD_SOURCING(), AND SOURCE_GUARD().
+### SOURCING MUST SET EARLY VARIABLES. SOURCING COLOR_ECHO(), guard_sourcing || return "${ERR_GUARD_SOURCE}"(), AND SOURCE_GUARD().
-. ./lib/cdi_0005_guard/0005_guard_sourcing.sh # The function guard_sourcing MUST be present in each file to source.
+. ./lib/cdi_0005_guard/0005_guard_sourcing.sh # The function guard_sourcing || return "${ERR_GUARD_SOURCE}" MUST be present in each file to source.
 . ./lib/cdi_0005_guard/0006_source_guard.sh   # Wrapper for sourcing modules, libraries, variables.
 source_guard "./var/color.var.sh"
 source_guard "./var/early.var.sh"
@@ -197,10 +198,6 @@ arg_parser "$@"
 info_echo "0103_arg_priority_check.sh"
 arg_priority_check
 ### HASHING PASSWORDS.
 info_echo "0105_arg_nuke_converter.sh"
 nuke_passphrase
 ### CDI_1250
 info_echo "1250_yaml_parser.sh"
@@ -212,6 +209,12 @@ yaml_reader
 info_echo "1252_yaml_validator.sh"
 yaml_validator
 info_echo "1256_yaml_xfiles.sh"
 yaml_secret
 info_echo "1257_yaml_xnuke.sh"
 nuke_passphrase
 ### CDI_3200
 info_echo "3200_partitioning.sh"
@@ -243,6 +246,9 @@ check_debootstrap
 info_echo "4010_prepare_mounts.sh [${TARGET}]"
 prepare_mounts
 info_echo "4011_prepare_xdg_root.sh [${TARGET}]"
 prepare_xdg_root
 info_echo "4015_check_usr_merge.sh [${TARGET}]"
 check_usr_merge
@@ -379,8 +385,8 @@ hardening_fail2ban
 info_echo "4430_hardening_files.sh [${TARGET}]"
 hardening_files
-info_echo "4440_hardening_haveged.sh [${TARGET}]"
+info_echo "4442_hardening_jitterentropy.sh [${TARGET}]"
-hardening_haveged
+hardening_jitterentropy
 info_echo "4450_hardening_memory.sh [${TARGET}]"
 hardening_memory
@@ -411,13 +417,16 @@ accounts_hardening
 info_echo "4520_accounts_setup.sh [${TARGET}]"
 accounts_setup
 info_echo "4530_accounts_timings.sh [${TARGET}]"
 update_shadow
 ### CDI_4600
 info_echo "4600_installation_packages.sh [${TARGET}]"
 installation_packages
-#info_echo "4610_installation_security.sh [${TARGET}]"
+info_echo "4610_installation_security.sh [${TARGET}]"
-#installation_security
+installation_security
 info_echo "4620_installation_verification.sh [${TARGET}]"
 install_verification
@@ -426,6 +435,12 @@ info_echo "4630_auditing_packages.sh [${TARGET}]"
 auditing_packages
 ### CDI_4900
 info_echo "4900_final_command.sh [${TARGET}]"
 final_commands
 info_echo "4950_final_logrotate.sh [${TARGET}]"
 final_logrotate
 info_echo "4999_exiting_chroot_system.sh [${TARGET}]"
 exiting_chroot_system
--- a/func/cdi_1000_helper/1030_check_nic.sh
+++ b/func/cdi_1000_helper/1030_check_nic.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Specify the network interface card (NIC) interactively for setup.
@@ -39,7 +39,7 @@ check_nic() {
  clear
  do_log "info" "file_only" "1030() You have selected: '${var_nic}' - proceeding with setup."
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_1000_helper/1080_helper_chroot.sh
+++ b/func/cdi_1000_helper/1080_helper_chroot.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Use chroot_exec() for:
--- a/func/cdi_1000_helper/1081_helper_grub.sh
+++ b/func/cdi_1000_helper/1081_helper_grub.sh
@@ -13,7 +13,7 @@
 ### Options in "GRUB_CMDLINE_LINUX" are always effective.
 ### Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Helper module to extract the current GRUB CMDLINE strings.
--- a/func/cdi_1000_helper/1082_helper_modules.sh
+++ b/func/cdi_1000_helper/1082_helper_modules.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Wrapper for preparing logfile inside chroot.
--- a/func/cdi_1000_helper/1084_helper_sanitizer.sh
+++ b/func/cdi_1000_helper/1084_helper_sanitizer.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Remove any leading or trailing whitespace.
--- a/func/cdi_1000_helper/1085_helper_secure_dl.sh
+++ b/func/cdi_1000_helper/1085_helper_secure_dl.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Wrapper for secure curl.
--- a/func/cdi_1000_helper/1086_helper_yaml.sh
+++ b/func/cdi_1000_helper/1086_helper_yaml.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # yq_val <YQ expression> <file> - Returns value, converts null to "".
--- a/func/cdi_1200_validation/1220_validation_element.sh
+++ b/func/cdi_1200_validation/1220_validation_element.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Checks if a search pattern / string / value is present in an array.
--- a/func/cdi_1200_validation/1221_validation_ip.sh
+++ b/func/cdi_1200_validation/1221_validation_ip.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # IPv4 validation.
--- a/func/cdi_1200_validation/1222_validation_preseed.sh
+++ b/func/cdi_1200_validation/1222_validation_preseed.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Validate all preseed network variables (IPv4 & IPv6)
--- a/func/cdi_1250_yaml/1250_yaml_parser.sh
+++ b/func/cdi_1250_yaml/1250_yaml_parser.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Parsing './.preseed/preseed.yaml' and './.preseed/partitioning.yaml'.
@@ -44,28 +44,36 @@ yaml_parser() {
  ### Generate Arrays for [Grub Parameter], [Locales], [NTPSec Server FQDN], [Software Packages].
  while IFS='=' read -r var_key var_value; do
    var_value=${var_value#\'}
    var_value=${var_value%\'}
    # shellcheck disable=SC2034,SC2249
    case "${var_key}" in
      grub_parameter_[0-9]*) ARY_BOOTPARAM+=("${var_value}")  ;;
      locale_locale_[0-9]*)  ARY_LOCALE+=("${var_value}")     ;;
      ntp_server_[0-9]*)     ARY_NTPSRVR+=("${var_value}")    ;;
      ssh_allow_ipv4_[0-9]*) ARY_ALLOW_IPV4+=("${var_value}") ;;
      ssh_allow_ipv6_[0-9]*) ARY_ALLOW_IPV6+=("${var_value}") ;;
      software_[0-9]*)       ARY_PACKAGES+=("${var_value}")   ;;
    esac
  done < "${VAR_PRESEED}"
  var_key=""
  ### Search all set variables for user_userN_name patterns.
  # shellcheck disable=SC2312
  while IFS='=' read -r var_key _; do
    ### Accept any of these keys: name, fullname, uid, gid, shell, password, sshpubkey, authentication_* and privileges_*
    if [[ "${var_key}" =~ ^user_user([0-9]+)_(name|fullname|uid|gid|shell|password|sshpubkey|authentication_[A-Za-z0-9_]+|privileges_[A-Za-z0-9_]+)$ ]]; then
      var_index=${BASH_REMATCH[1]}
      (( var_index > VAR_USER_MAX )) && VAR_USER_MAX=var_index
    fi
  done < "${VAR_PRESEED}"
  ### If nothing matched, default to 0 (only user 0).
@@ -87,12 +95,12 @@ yaml_parser() {
    # --- Quote unquoted values -------------------------------------------
    s/^(.*)=([^'\''"]+)/\1='\''\2'\''/ # wrap value in single quotes
-' "${VAR_PRESEED}"
+  ' "${VAR_PRESEED}"
  # shellcheck disable=SC1090
  . "${VAR_PRESEED}"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_1250_yaml/1251_yaml_reader.sh
+++ b/func/cdi_1250_yaml/1251_yaml_reader.sh
@@ -10,54 +10,38 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Reading and extracting variables from "${PRESEED}".
 # Globals:
 #   BASH_REMATCH
 #   HMP_RECIPE_DEV_PARTITIONS
-#   VAR_APT_FULL_UPGRADE
+#   VAR_APT_FULL_UPGRADE       VAR_ARCHITECTURE
-#   VAR_ARCHITECTURE
+#   VAR_CHROOT_DEBUG           VAR_CODENAME
-#   VAR_CHROOT_DEBUG
+#   VAR_DEB822                 VAR_DROPBEAR
-#   VAR_CODENAME
+#   VAR_GRUB_PASSWORD          VAR_LUKS_BACKUP
-#   VAR_DEB822
+#   VAR_LUKS_PGP               VAR_LUKS_URL
-#   VAR_DROPBEAR
+#   VAR_NEED_RUN_IN_TARGET     VAR_NUKE
-#   VAR_GRUB_PASSWORD
+#   VAR_NUKE_ROUNDS            VAR_PRESEED
-#   VAR_LUKS_BACKUP
+#   VAR_PROVIDER               VAR_RECIPE_FIRMWARE
-#   VAR_LUKS_URL
+#   VAR_RECIPE_HIGHEST_DEVICE  VAR_RECIPE_STRING
-#   VAR_NEED_RUN_IN_TARGET
+#   VAR_RECIPE_TABLE           VAR_RECOVERY
-#   VAR_NUKE
+#   VAR_SEC_FW                 VAR_SSH_CA
-#   VAR_NUKE_ROUNDS
+#   VAR_SSH_PORT               VAR_UFW_OUT
-#   VAR_PRESEED
+#   VAR_USER_ROOT_SPECIFIC
-#   VAR_PROVIDER
+#   apt_default_deb822         apt_full_upgrade
-#   VAR_RECIPE_FIRMWARE
+#   architecture               chroot_debug
-#   VAR_RECIPE_HIGHEST_DEVICE
+#   distribution               dropbear_boot
-#   VAR_RECIPE_STRING
+#   grub_password              needrun
-#   VAR_RECIPE_TABLE
+#   provider                   security_ext
-#   VAR_RECOVERY
+#   security_ufw_out           ssh_port
-#   VAR_SEC_FW
+#   ssh_root_ca                user_root_specific
 #   VAR_SSH_CA
 #   VAR_SSH_PORT
 #   VAR_UFW_OUT
 #   apt_default_deb822
 #   apt_full_upgrade
 #   architecture
 #   chroot_debug
 #   distribution
 #   dropbear_boot
 #   grub_password
 #   needrun
 #   provider
 #   security_ext
 #   security_ufw_out
 #   ssh_port
 #   ssh_root_ca
 # Arguments:
 #   None
 # Returns:
 #   0: on success
-#   ERR_NO_VALID_RECIPE
+#   ERR_NO_VALID_RECIPE: on failure
 #######################################
 yaml_reader() {
  ### Declare Arrays, HashMaps, and Variables.
@@ -67,12 +51,12 @@ yaml_reader() {
              VAR_RECIPE_TABLE="" VAR_NEED_RUN_IN_TARGET="false" VAR_CODENAME="" VAR_DROPBEAR="" VAR_RECOVERY="" \
              VAR_GRUB_PASSWORD="false" VAR_SSH_PORT="22" VAR_DEB822="true" VAR_PROVIDER="" VAR_SSH_CA="" VAR_UFW_OUT="deny" \
              VAR_CHROOT_DEBUG="false" VAR_SEC_FW="selinux" VAR_APT_FULL_UPGRADE="true" VAR_LUKS_BACKUP="false" \
-              VAR_LUKS_URL=""
+              VAR_LUKS_URL="" VAR_LUKS_PGP="" VAR_USER_ROOT_SPECIFIC=""
  ### Declare and substitute input files.
  declare -r  var_if="${VAR_PRESEED}"
  declare     var_line="" var_middle_part="" var_highest_dev="" var_device="" var_fields="" var_partition="" \
              recipe_firmware_var="" recipe_nuke_var="" recipe_nuke_rounds_var="" recipe_table_var="" recipe_recovery_var="" \
-              recipe_luks_var="" recipe_luks_url=""
+              recipe_luks_var="" recipe_luks_url="" recipe_luks_pgp=""
  ### Read "${var_if}" line by line.
  while IFS= read -r var_line; do
@@ -209,12 +193,17 @@ END { print max }
  VAR_RECIPE_FIRMWARE="${!recipe_firmware_var,,}"
  ### Extract the chosen LUKS Backup strategy.
-  recipe_luks_var="recipe_${VAR_RECIPE_STRING}_control_luks_backup"
+    recipe_luks_var="recipe_${VAR_RECIPE_STRING}_control_luks_backup"
-  # shellcheck disable=SC2034
+    # shellcheck disable=SC2034
-  VAR_LUKS_BACKUP="${!recipe_luks_var,,}"
+    VAR_LUKS_BACKUP="${!recipe_luks_var,,}"
-  recipe_luks_url="recipe_${VAR_RECIPE_STRING}_control_luks_backup_url"
+
-  # shellcheck disable=SC2034
+    recipe_luks_pgp="recipe_${VAR_RECIPE_STRING}_control_luks_backup_pgp"
-  VAR_LUKS_URL="${!recipe_luks_url,,}"
+    # shellcheck disable=SC2034
    VAR_LUKS_PGP="${!recipe_luks_pgp,,}"
    recipe_luks_url="recipe_${VAR_RECIPE_STRING}_control_luks_backup_url"
    # shellcheck disable=SC2034
    VAR_LUKS_URL="${!recipe_luks_url,,}"
  ### Extract the chosen Nuke mechanism.
  recipe_nuke_var="recipe_${VAR_RECIPE_STRING}_control_nuke"
@@ -265,7 +254,11 @@ END { print max }
  # shellcheck disable=SC2034
  VAR_UFW_OUT="${security_ufw_out,,}"
-  guard_dir && return 0
+  ### Extract User Root Specific Branch.
  # shellcheck disable=SC2034
  VAR_USER_ROOT_SPECIFIC="${user_root_specific,,}"
  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_1250_yaml/1252_yaml_validator.sh
+++ b/func/cdi_1250_yaml/1252_yaml_validator.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Extended dynamic network variable checks and declarations depending on preseed.yaml.
@@ -219,7 +219,7 @@ yaml_validator() {
  fi
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_1250_yaml/1256_yaml_xfiles.sh
+++ b/func/cdi_1250_yaml/1256_yaml_xfiles.sh
@@ -0,0 +1,271 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Debug helper: list variable names (no values).
 # Globals:
 #   CISS_SECRETS_MAP
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 ciss_secrets_list_names() {
  ### Declare Arrays, HashMaps, and Variables.
  declare     var_k=""
  for var_k in "${!CISS_SECRETS_MAP[@]}"; do
    printf '%s.value -> %s\n' "${var_k}" "${CISS_SECRETS_MAP[${var_k}]}"
  done
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f ciss_secrets_list_names
 #######################################
 # Unset all previously created secret variables.
 # Globals:
 #   CISS_SECRETS_MAP
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 ciss_secrets_unset() {
  ### Declare Arrays, HashMaps, and Variables.
  declare     var_k="" var_v=""
  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  guard_trace on
  for var_k in "${!CISS_SECRETS_MAP[@]}"; do
    var_v="${CISS_SECRETS_MAP[${var_k}]}"
    if [[ -v "${var_v}" ]]; then
      unset -v "${var_v}" 2>/dev/null || true
    fi
  done
  CISS_SECRETS_MAP=()
  guard_trace off
  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f ciss_secrets_unset
 #######################################
 # Build the canonical var name from a dotted path (without 'secrets.' and without '.value').
 # Globals:
 #   None
 # Arguments:
 #   1: Variable path
 # Returns:
 #   0: on success
 #######################################
 ciss_secret_varname_from_path() {
  ### Declare Arrays, HashMaps, and Variables.
  declare     var_path="${1:-}"
  var_path="${var_path//[^A-Za-z0-9_]/_}"
  var_path="${var_path^^}"
  printf 'CISS_SECRET_%s' "${var_path}"
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f ciss_secret_varname_from_path
 #######################################
 # Wipes the specified file securely.
 # Globals:
 #   None
 # Arguments:
 #   1: File to wipe
 # Returns:
 #   0: on success
 #######################################
 ciss_secrets_wiper() {
  ### Declare Arrays, HashMaps, and Variables.
  declare     var_file="${1:-}"
  if [[ -f "${var_file}" ]]; then
    : >| "${var_file}"
    shred -vfzu -n 5 "${var_file}" > /dev/null 2>&1 || rm -f -- "${var_file}"
  fi
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f ciss_secrets_wiper
 #######################################
 # Purpose:
 #   Parsing of only "*.value" keys from 'SECRETS.yaml' into Bash globals.
 #   If the file contains SOPS markers, decrypt once (streaming) with sops/age, then yq parses in a single pass.
 #   No base64, plain values preserved (including newlines). No repeated per-key decrypts or yq calls.
 # Conventions:
 #   Variables: CISS_SECRET_<UPPER_SNAKE_CASE_PATH> (PATH excludes "secrets." and trailing ".value")
 #   All with "declare -g" (no export).
 #   Mapping: CISS_SECRETS_MAP["foo.bar"]=CISS_SECRET_FOO_BAR
 # Globals:
 #   CISS_SECRETS_AGE
 #   CISS_SECRETS_MAP
 #   CISS_SECRETS_SOURCE
 #   DIR_CNF
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #   ERR_DECRYPTION_SOPS: on failure
 #   ERR_MISSING_AGE_BIN: on failure
 #   ERR_MISSING_AGE_KEY: on failure
 #######################################
 yaml_secret() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  SOPS_AGE_KEY_FILE="${CISS_SECRETS_AGE}"
  declare -a  __names=()
  declare     secrets_encrypted="" secrets_if="${CISS_SECRETS_SOURCE}" secrets_of="${DIR_CNF}/SECRETS_DECRYPTED.yaml" \
              __SECRETS="${DIR_CNF}/SECRETS_BASH.var" \
              __base="" __name="" __umask="" __path_wo_prefix="" __val="" __varname=""
  __umask=$(umask)
  umask 0077
  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  guard_trace on
  secrets_encrypted="$(yq -r '.secrets.x_files // false' -- "${secrets_if}")" || secrets_encrypted="false"
  do_log "debug" "file_only" "1256() 'secrets_encrypted' according to secrets.x_files: '${secrets_encrypted}'."
  if grep -qE '(^|\s)sops:\s*$' -- "${secrets_if}" 2>/dev/null || grep -q 'ENC\[' -- "${secrets_if}" 2>/dev/null; then
    secrets_encrypted="true"
    do_log "debug" "file_only" "1256() 'secrets_encrypted' according to heuristic mode: '${secrets_encrypted}'."
  fi
  if [[ "${secrets_encrypted}" == "true" ]]; then
    if ! command -v sops >/dev/null 2>&1; then
      do_log "fatal" "file_only" "1260() SOPS not found but SECRETS.yaml appears to be SOPS-managed."
      return "${ERR_MISSING_AGE_BIN}"
    fi
    [[ -r "${SOPS_AGE_KEY_FILE}" ]] || return "${ERR_MISSING_AGE_KEY}"
    sops -d --input-type=yaml --output-type=yaml -- "${secrets_if}" >| "${secrets_of}"
    [[ -r "${secrets_of}" ]] || return "${ERR_DECRYPTION_SOPS}"
    ciss_secrets_wiper "${secrets_if}" && mv "${secrets_of}" "${secrets_if}"
  fi
  yq -o=shell "${secrets_if}" >| "${__SECRETS}" && ciss_secrets_wiper "${secrets_if}"
  ### Keep only '*_value=' lines, normalize empty RHS, quote unquoted simple RHS.
  LC_ALL=C sed -n -E '
    /^[[:space:]]*(#|$)/b
    s/^[[:space:]]*(export|declare[[:space:]]+-x)[[:space:]]+//;
    /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value=/!b
    s/^([[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value)=[[:space:]]*$/\1='\'''\''/; t print
    /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value=[[:space:]]*('"'"'|\"|\$'"'"')/b print
    s/^([[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value)=([^[[:space:]]'"'"'$][^[:space:]]*)[[:space:]]*$/\1='"'"'\2'"'"'/; t print
    s/^([[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value)=[[:space:]]*(.+)[[:space:]]*$/\1='"'"'\2'"'"'/; t print
    :print
    p
  ' -- "${__SECRETS}" >| "${__SECRETS}.value_only"
  mv -f -- "${__SECRETS}.value_only" "${__SECRETS}"
  # shellcheck disable=SC1091 source=./${__SECRETS}
  source "${__SECRETS}"
  ciss_secrets_wiper "${__SECRETS}"
  # shellcheck disable=SC2312
  mapfile -t __names < <(printf '%s\n' "${!secrets_@}")
  for __name in "${__names[@]}"; do
    ### Keep only *_value variables
    [[ "${__name}" == *_value ]] || continue
    ### Validate strict Bash identifier (defensive: strip accidental CR).
    __name="${__name%$'\r'}"
    [[ "${__name}" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || continue
    ### Only read if actually set; indirect check without triggering nounset.
    if [[ -n "${!__name+x}" ]]; then
      __val="${!__name}"
    else
      __val=""
    fi
    ### Strip suffix/prefix for the map key.
    __base="${__name%_value}"
    __path_wo_prefix="${__base#secrets_}"
    ### Canonical CISS name.
    __varname="$(ciss_secret_varname_from_path "${__path_wo_prefix}")"
    ### Assign verbatim (preserves newlines).
    unset -v "${__varname}"
    declare -g "${__varname}"
    printf -v "${__varname}" '%s' "${__val}"
    CISS_SECRETS_MAP["${__path_wo_prefix}"]="${__varname}"
  done
  ### Hygiene: remove the intermediate variables to reduce secret surface, e.g., unset 'secrets_*_value' after transfer.
  for __name in "${__names[@]}"; do
    unset -v "${__name}"
  done
  umask "${__umask}"
  guard_trace off
  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f yaml_secret
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/cdi_0100_arg/0105_arg_nuke_converter.sh
+++ b/lib/cdi_0100_arg/0105_arg_nuke_converter.sh
@@ -10,23 +10,27 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Generates 'nuke=HASH' Bootparameter.
 # Globals:
 #   CISS_SECRET_LUKS_NUKE
 #   DIR_CNF
 #   VAR_NUKE_HASH
 # Arguments:
 #   None
 # Returns:
 #   0: on success
-#   ERR_GENERATE_SALT
+#   ERR_GENERATE_SALT: on failure
 #   ERR_READ_NUKE_FILE
 #######################################
 nuke_passphrase() {
-  declare -r var_nuke_pwd_file="${DIR_CNF}/password_luks_nuke.txt"
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
-  declare    var_temp_nuke_hash="" var_temp_plain_nuke_pwd="" var_salt="" var_nuke_rounds=""
+  guard_trace on
  ### Declare Arrays, HashMaps, and Variables.
  declare    var_nuke_pwd="${CISS_SECRET_LUKS_NUKE}"
  declare    var_temp_nuke_hash="" var_salt="" var_nuke_rounds=""
  # shellcheck disable=SC2312
  var_nuke_rounds="$(
@@ -40,30 +44,30 @@ nuke_passphrase() {
  ' "${DIR_CNF}/partitioning.yaml" | head -n1
  )"
-  [[ ! -f "${var_nuke_pwd_file}" ]] && return 0
+  [[ -z "${var_nuke_pwd}" ]] && return 0
  guard_trace on
  if ! read_password_file "${var_nuke_pwd_file}" var_temp_plain_nuke_pwd; then
    return "${ERR_READ_NUKE_FILE}"
  fi
  guard_trace off
  if ! var_salt="$(generate_salt)"; then
    return "${ERR_GENERATE_SALT}"
  fi
  var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds="${var_nuke_rounds:-8388608}" "${var_nuke_pwd}")
-  guard_trace on
+  # shellcheck disable=SC2034
  var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds="${var_nuke_rounds:-8388608}" "${var_temp_plain_nuke_pwd}")
  guard_trace off
  declare -grx VAR_NUKE_HASH="${var_temp_nuke_hash}"
-  unset var_temp_nuke_hash var_temp_plain_nuke_pwd
+
  unset var_temp_nuke_hash var_nuke_pwd CISS_SECRET_LUKS_NUKE
  do_log "debug" "file_only" "0105() NUKE hash starts with: [${VAR_NUKE_HASH:0:32}...]"
-  guard_dir && return 0
+  guard_trace off
-}
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f nuke_passphrase
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_3200_partitioning/3200_partitioning.sh
+++ b/func/cdi_3200_partitioning/3200_partitioning.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # EFI System Partition | EF00 | UEFI Bootloader (ESP, FAT32)
@@ -402,7 +402,7 @@ partitioning() {
  printf "%s\n" "${ary_paths_unsorted[@]}" >| "${DIR_LOG}/3200_mount_paths_unsorted.log"
  printf "%s\n" "${ARY_PATHS_SORTED[@]}" >| "${DIR_LOG}/3200_mount_paths_sorted.log"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_3200_partitioning/3210_benchmarking_encryption.sh
+++ b/func/cdi_3200_partitioning/3210_benchmarking_encryption.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Benchmark cryptsetup KDF to determine pbkdf-memory and pbkdf-force-iterations for given pbkdf-threads.
@@ -27,7 +27,8 @@ guard_sourcing
 #   0: on success
 #######################################
 benchmarking_encryption() {
-  declare var_result=""
+  ### Declare Arrays, HashMaps, and Variables.
  declare       var_result=""
  # shellcheck disable=SC2155
  declare -girx VAR_KDF_THREADS=$(yq_val ".recipe.${VAR_RECIPE_STRING}.control.kdf.threads" "${VAR_SETUP_PART}")
  # shellcheck disable=SC2155
@@ -37,7 +38,7 @@ benchmarking_encryption() {
  sync
  echo "BENCHMARK CRYPTSETUP ARGON2ID KDF PARAMETER - DROPPING PAGES ..."
-  echo 3 >| /proc/sys/vm/drop_caches
+  echo 3 >| /proc/sys/vm/drop_caches || true
  # shellcheck disable=SC2312
  var_result=$(cryptsetup benchmark --pbkdf argon2id --iter-time "${VAR_ITER_TIME:-3000}" --pbkdf-parallel "${VAR_KDF_THREADS:-1}" 2>/dev/null \
@@ -53,7 +54,7 @@ benchmarking_encryption() {
  # shellcheck disable=SC2155
  declare -girx VAR_KDF_MEMORY=$(awk -F'[ ,]+' '{print $4}' <<<"${var_result}")
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_3200_partitioning/3220_partition_encryption.sh
+++ b/func/cdi_3200_partitioning/3220_partition_encryption.sh
@@ -10,12 +10,15 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Function to encrypt the respective partition on each entry of 'ARY_CRYPT_MOUNT_PATHS'.
 # Globals:
 #   ARY_CRYPT_MOUNT_PATHS
 #   CISS_SECRET_LUKS_BACKUP
 #   CISS_SECRET_LUKS_BOOT
 #   CISS_SECRET_LUKS_COMMON
 #   DIR_BAK
 #   DIR_CNF
 #   DIR_LOG
@@ -33,14 +36,16 @@ guard_sourcing
 #   VAR_KDF_MEMORY
 #   VAR_KDF_THREADS
 #   VAR_LUKS_BACKUP
 #   VAR_LUKS_PGP
 #   VAR_LUKS_URL
 #   VAR_RECIPE_STRING
 #   VAR_SETUP_PART
-#   VAR_TEMP_PLAIN_NC_AUTH
+#   VAR_SETUP_PATH
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #   ERR_LUKS_HEADER_ENC: on failure
 #######################################
 partition_encryption() {
  ### Declare Arrays, HashMaps, and Variables.
@@ -58,15 +63,31 @@ partition_encryption() {
              var_encryption_ephemeral="" var_encryption_integrity="" var_encryption_cipher="" var_encryption_hash="" \
              var_encryption_key="" var_encryption_label="" var_encryption_meta="" var_encryption_slot="" \
              var_encryption_pbkdf="" var_encryption_rng="" var_filesystem_label="" var_mount_path="" var_uuid="" var_fs="" \
-              var_luks_backup_file="" var_luks_backup_name=""
+              var_luks_backup_file="" var_luks_backup_name="" var_pgp_publickey="" var_luks_backup_pgp="" \
              var_temp_plain_nc_auth=""
  declare -a  ary_luks_opts=()
  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  guard_trace on
  printf '%s' "${CISS_SECRET_LUKS_BOOT}" >| "${DIR_CNF}/password_luks_boot.txt" && chmod 0600 "${DIR_CNF}/password_luks_boot.txt"
  printf '%s' "${CISS_SECRET_LUKS_COMMON}" >| "${DIR_CNF}/password_luks_common.txt" && chmod 0600 "${DIR_CNF}/password_luks_common.txt"
  unset CISS_SECRET_LUKS_BOOT CISS_SECRET_LUKS_COMMON
  guard_trace on
  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  if [[ -n "${VAR_LUKS_URL}" ]]; then
    VAR_LUKS_URL=${VAR_LUKS_URL%/}
-    read_luks_backup_token
+
-    do_log "debug" "file_only" "3220() Command: [read_luks_backup_token]"
+    ### SECRETS handling -------------------------------------------------------------------------------------------------------
    guard_trace on
    var_temp_plain_nc_auth="${CISS_SECRET_LUKS_BACKUP}"
    unset CISS_SECRET_LUKS_BACKUP
    guard_trace on
    ### SECRETS handling -------------------------------------------------------------------------------------------------------
    do_log "debug" "file_only" "3220() Var: [var_temp_plain_nc_auth] set."
  fi
@@ -171,45 +192,19 @@ partition_encryption() {
    fi
    if [[ "${VAR_LUKS_BACKUP}" == "true" ]]; then
      var_luks_backup_file="${DIR_BAK}/luks_header_${var_dev}.bak"
      var_luks_backup_name="${VAR_FINAL_FQDN}_luks_header_${var_dev}.bak"
      cryptsetup luksHeaderBackup --header-backup-file="${var_luks_backup_file}" "/dev/${var_dev}"
      do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header saved: '${var_luks_backup_file}'."
      if [[ -n "${VAR_LUKS_URL}" ]]; then
        guard_trace on
        if curl --retry 2 "${VAR_LUKS_URL}/public.php/webdav/${var_luks_backup_name}" \
          --upload-file "${var_luks_backup_file}" --user "${VAR_TEMP_PLAIN_NC_AUTH}" > /dev/null 2>&1; then
          do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header upload: '${VAR_LUKS_URL}' successful."
        else
          do_log "warn" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header upload: '${VAR_LUKS_URL}' failed."
        fi
        guard_trace off
        rm -f "${var_luks_backup_file}"
      fi
    fi
    ### Opening the encrypted container.
    if [[ "${var_encryption_path,,}" == "/boot" ]]; then
      cryptsetup luksOpen "/dev/${var_dev}" \
        --key-file="${DIR_CNF}/password_luks_boot.txt" \
        "${var_encryption_label}"
    else
      cryptsetup luksOpen "/dev/${var_dev}" \
        --key-file="${DIR_CNF}/password_luks_common.txt" \
        "${var_encryption_label}"
    fi
    do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' opened as '/dev/mapper/${var_encryption_label}'."
@@ -229,45 +224,95 @@ partition_encryption() {
    do_log "debug" "file_only" "3220() [HMP_PATH_LUKSUUID]: '${var_encryption_path}' -> '${HMP_PATH_LUKSUUID["${var_encryption_path}"]}'"
    do_log "debug" "file_only" "3220() [HMP_PATH_ENCLABEL]: '${var_encryption_path}' -> '${HMP_PATH_ENCLABEL["${var_encryption_path}"]}'"
    ### Backup the LUKS Header.
    if [[ "${VAR_LUKS_BACKUP}" == "true" ]]; then
      var_luks_backup_file="${DIR_BAK}/luks_header_${var_dev}.bak"
      var_luks_backup_name="${VAR_FINAL_FQDN}_luks_header_${var_dev}.bak.pgp"
      var_luks_backup_pgp="${DIR_BAK}/luks_header_${var_dev}.bak.pgp"
      case "${VAR_LUKS_PGP}" in
        ciss)    var_pgp_publickey="${VAR_SETUP_PATH}/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.asc" ;;
        physnet) var_pgp_publickey="${VAR_SETUP_PATH}/.pubkey/zimnol_andre_h_git.cs@physnet.eu_0x8A659CC7B4D63AE6_public.asc" ;;
        none)    do_log "error" "file_only" "3220() No PGP public key for LUKS Header encryption provided."; continue ;;
        *)       do_log "fatal" "file_only" "3220() No valid PGP public key for LUKS Header encryption provided."; return "${ERR_LUKS_HEADER_ENC}" ;;
      esac
      if cryptsetup luksHeaderBackup --header-backup-file="${var_luks_backup_file}" "/dev/${var_dev}"; then
        do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header saved: '${var_luks_backup_file}'."
      else
        do_log "fatal" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header backup failed for: '${var_luks_backup_file}'."
        return "${ERR_LUKS_HEADER_ENC}"
      fi
      if gpg --batch --yes --no-tty --compress-level 0 \
        --recipient-file "${var_pgp_publickey}" \
        --encrypt -o "${var_luks_backup_pgp}" -- "${var_luks_backup_file}"; then
        do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header encrypted: '${var_luks_backup_pgp}'."
        if command -v shred >/dev/null 2>&1; then
          shred -vfzu -n 5 "${var_luks_backup_file}" || rm -f "${var_luks_backup_file}"
        else
          rm -f "${var_luks_backup_file}"
        fi
      else
        do_log "fatal" "file_only" "3220() GPG encryption failed for '${var_luks_backup_file}'. Keeping plaintext for diagnostics."
        return "${ERR_LUKS_HEADER_ENC}"
      fi
      if [[ -n "${VAR_LUKS_URL}" ]]; then
        ### SECRETS handling ---------------------------------------------------------------------------------------------------
        guard_trace on
        if curl --silent --show-error --fail --retry 2 "${VAR_LUKS_URL}/public.php/webdav/${var_luks_backup_name}" \
          --upload-file "${var_luks_backup_pgp}" --user "${var_temp_plain_nc_auth}" > /dev/null 2>&1; then
          do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header upload: '${VAR_LUKS_URL}' successful."
          rm -f "${var_luks_backup_pgp}"
        else
          do_log "warn" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header upload: '${VAR_LUKS_URL}' failed."
        fi
        guard_trace off
        ### SECRETS handling ---------------------------------------------------------------------------------------------------
      fi
    fi
  done
-  [[ -n "${VAR_LUKS_URL}" ]] && unset VAR_TEMP_PLAIN_NC_AUTH
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  guard_trace on
  [[ -n "${VAR_LUKS_URL}" ]] && unset var_temp_plain_nc_auth
  guard_trace off
  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
-  guard_dir && return 0
+  ciss_secrets_wiper "${DIR_CNF}/password_luks_boot.txt"
  ciss_secrets_wiper "${DIR_CNF}/password_luks_common.txt"
  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f partition_encryption
 #######################################
 # Reads the Nextcloud auth token from '${DIR_CNF}/password_luks_backup.txt' into VAR_TEMP_PLAIN_NC_AUTH
 # Globals:
 #   DIR_CNF
 #   VAR_TEMP_PLAIN_NC_AUTH
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #   ERR_READ_AUTH_FILE: on failure
 #######################################
 read_luks_backup_token(){
  ### Declare Arrays, HashMaps, and Variables.
  declare -r var_luks_backup_auth="${DIR_CNF}/password_luks_backup.txt"
  declare -g VAR_TEMP_PLAIN_NC_AUTH=""
  guard_trace on
  if ! read_password_file "${var_luks_backup_auth}" VAR_TEMP_PLAIN_NC_AUTH; then
    return "${ERR_READ_AUTH_FILE}"
  fi
  guard_trace off
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f read_luks_backup_token
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_3200_partitioning/3240_partition_formatting.sh
+++ b/func/cdi_3200_partitioning/3240_partition_formatting.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Function to format the respective partition on each entry of 'ARY_FORMT_MOUNT_PATHS'.
@@ -138,7 +138,7 @@ partition_formatting() {
  done
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_3200_partitioning/3280_mount_partition.sh
+++ b/func/cdi_3200_partitioning/3280_mount_partition.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Function to create the mount command, incl. mount path and options, and mount the respective device.
@@ -384,7 +384,7 @@ mount_partition() {
  done
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_3200_partitioning/3290_uuid_logger.sh
+++ b/func/cdi_3200_partitioning/3290_uuid_logger.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Logger for all generated partition, LUKS container and file system UUIDs.
@@ -61,7 +61,7 @@ uuid_logger() {
  done
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_3200_partitioning/3295_get_label.sh
+++ b/func/cdi_3200_partitioning/3295_get_label.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Returns standardized labels for the provided mount path depending on filesystem and art of label.
--- a/func/cdi_4000_debootstrap/4000_debootstrap.sh
+++ b/func/cdi_4000_debootstrap/4000_debootstrap.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Install a minimal Debian environment using the 'debootstrap' command.
@@ -63,6 +63,7 @@ func_debootstrap() {
    install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/hooks"
    install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/keys"
    install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/log"
    install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/log/pre-env"
    mv -T "${var_target}/debootstrap" "${var_target}/root/.ciss/cdi/debootstrap"
@@ -70,7 +71,7 @@ func_debootstrap() {
    chmod 0700 "${var_target}/root/.ciss/cdi"
    chmod 0700 "${var_target}/root/.ciss/cdi/debootstrap"
-    guard_dir && return 0
+    guard_dir; return 0
  else
--- a/func/cdi_4000_debootstrap/4005_debootstrap_checks.sh
+++ b/func/cdi_4000_debootstrap/4005_debootstrap_checks.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Preliminary post debootstrap checks.
@@ -84,7 +84,7 @@ check_debootstrap() {
    } >> ${var_logfile}
  "
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4000_debootstrap/4010_prepare_mounts.sh
+++ b/func/cdi_4000_debootstrap/4010_prepare_mounts.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Configure the target system for chroot.
@@ -64,7 +64,6 @@ prepare_mounts() {
  done
  for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
    IFS=" " read -r var_fs var_src var_opts <<< "${HMP_SPECIAL_MOUNTS[${var_path}]}"
@@ -87,7 +86,6 @@ prepare_mounts() {
  done
  if [[ "${VAR_NEED_RUN_IN_TARGET:-false}" == "true" ]]; then
    mkdir -p "${var_target}/run"
@@ -103,7 +101,6 @@ prepare_mounts() {
  fi
  if ! chroot_exec "${var_target}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
    do_log "emergency" "file_only" "4010() Command: [chroot_exec ${var_target} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
@@ -115,8 +112,6 @@ prepare_mounts() {
  mkdir -p "${var_target}/media/cdrom0"
  # shellcheck disable=SC2034
  if   [[ "${VAR_RUN_RECOVERY}" == "false" ]]; then
    declare -gx VAR_CHROOT_ACTIVATED="system"
@@ -129,7 +124,7 @@ prepare_mounts() {
  fi
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4000_debootstrap/4011_prepare_xdg_root.sh
+++ b/func/cdi_4000_debootstrap/4011_prepare_xdg_root.sh
@@ -0,0 +1,62 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Prepare '/root' for XDG framework.
 # Globals:
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
 #   VAR_SETUP_PATH
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 prepare_xdg_root() {
  ### Declare Arrays, HashMaps, and Variables.
  declare     var_target="${TARGET}"
  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
  install -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/profile.d/ciss-xdg.sh" "${var_target}/etc/profile.d/"
  install -m 0444 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/default/ciss-xdg-profile" "${var_target}/etc/default/"
  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/ciss_xdg_tmp.sh" "${var_target}/root/"
  # shellcheck disable=SC2016
  chroot_script "${var_target}" '
    install -d -m 0755 /etc/xdg
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    ### Create canonical directories.
    _xdg_umask="$(umask)"
    umask 0077
    [[ -d "${XDG_CONFIG_HOME}"     ]] || install -d -m 0700 -- "${XDG_CONFIG_HOME}"
    [[ -d "${XDG_DATA_HOME}"       ]] || install -d -m 0700 -- "${XDG_DATA_HOME}"
    [[ -d "${XDG_CACHE_HOME}"      ]] || install -d -m 0700 -- "${XDG_CACHE_HOME}"
    [[ -d "${XDG_STATE_HOME}"      ]] || install -d -m 0700 -- "${XDG_STATE_HOME}"
    [[ -d "${XDG_STATE_HOME}/bash" ]] || install -d -m 0700 -- "${XDG_STATE_HOME}/bash"
    [[ -d "${XDG_STATE_HOME}/less" ]] || install -d -m 0700 -- "${XDG_STATE_HOME}/less"
    umask "$_xdg_umask"
    unset _xdg_umask
    '
  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f prepare_xdg_root
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4000_debootstrap/4015_check_usr_merge.sh
+++ b/func/cdi_4000_debootstrap/4015_check_usr_merge.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Check if the target system is not 'tainted: unmerged-usr'.
@@ -48,7 +48,7 @@ check_usr_merge() {
    "
  fi
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4000_debootstrap/4020_remove_x509.sh
+++ b/func/cdi_4000_debootstrap/4020_remove_x509.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Chroot hook for deleting all expired X.509 certificates in the target system.
@@ -44,7 +44,7 @@ remove_x509() {
  fi
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4000_debootstrap/4030_setup_hostname.sh
+++ b/func/cdi_4000_debootstrap/4030_setup_hostname.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Configure the '/etc/hostname' | '/etc/hosts' | '/etc/mailname' files.
@@ -80,7 +80,7 @@ EOF
  fi
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4000_debootstrap/4035_setup_resolv.sh
+++ b/func/cdi_4000_debootstrap/4035_setup_resolv.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Configure the '/etc/resolv.conf' file.
@@ -87,7 +87,7 @@ EOF
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4000_debootstrap/4040_setup_timezone.sh
+++ b/func/cdi_4000_debootstrap/4040_setup_timezone.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Configure the '/etc/timezone' | '/etc/localtime' files.
@@ -42,7 +42,7 @@ EOF
  chroot_exec "${var_target}" dpkg-reconfigure -f noninteractive tzdata
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4000_debootstrap/4050_setup_locales.sh
+++ b/func/cdi_4000_debootstrap/4050_setup_locales.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Set locale, locale overrides and configure keyboard layout.
@@ -140,7 +140,7 @@ EOF
  chmod 0644 "${var_target}/etc/default/keyboard"
  do_log "info" "file_only" "4050() Keyboard layout updated: 'XKBLAYOUT=${locale_keyboard_xkb_keymap}' -> '${var_target}/etc/default/keyboard'."
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4100_base/4100_generate_sources.sh
+++ b/func/cdi_4100_base/4100_generate_sources.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Generate target '/etc/apt/sources.list' entries.
@@ -187,7 +187,7 @@ Acquire::Retries "3";
 EOF
  sed -i -E 's|^([[:space:]]*)#+|\1//|' "${var_target}/etc/apt/apt.conf.d/91-acquire"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4100_base/4105_generate_sources_822.sh
+++ b/func/cdi_4100_base/4105_generate_sources_822.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Generate target '/etc/apt/sources.list.d/' deb.822 entries.
@@ -184,7 +184,7 @@ Acquire::Retries "3";
 EOF
  sed -i -E 's|^([[:space:]]*)#+|\1//|' "${var_target}/etc/apt/apt.conf.d/91-acquire"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4100_base/4110_update_sources.sh
+++ b/func/cdi_4100_base/4110_update_sources.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Update generated sources.
@@ -40,6 +40,7 @@ update_sources() {
  ### Update generated sources.
  # shellcheck disable=SC2312
  chroot_script "${var_target}" "
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get update 2>&1 | tee -a ${var_logfile}
  "
  do_log "info" "file_only" "4110() Sources lists: updated successfully."
@@ -50,6 +51,7 @@ update_sources() {
    chroot_script "${var_target}" "
      export INITRD=No
      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
      apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
    "
    do_log "info" "file_only" "4110() The update policy was set at installation time to: '${apt_updates_policy}'."
@@ -58,6 +60,7 @@ update_sources() {
    chroot_script "${var_target}" "
      export INITRD=No
      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
      apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
    "
@@ -75,7 +78,7 @@ update_sources() {
  fi
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4100_base/4120_installation_kernel.sh
+++ b/func/cdi_4100_base/4120_installation_kernel.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Installation of the specified kernel.
@@ -36,26 +36,27 @@ installation_kernel() {
    chroot_script "${TARGET}" "
      export INITRD=No
      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
      apt-get install -y --no-install-recommends --no-install-suggests ${VAR_KERNEL} initramfs-tools 2>&1 | tee -a ${var_logfile}
    "
    do_log "info" "file_only" "4120() Kernel image: '${VAR_KERNEL}' installed successfully."
-    guard_dir && return 0
+    guard_dir; return 0
  else
    chroot_script "${TARGET}" "
      export INITRD=No
      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
      apt-get install -y --no-install-recommends --no-install-suggests ${image} initramfs-tools 2>&1 | tee -a ${var_logfile}
    "
    do_log "info" "file_only" "4120() Kernel image: '${image}' installed successfully."
-    guard_dir && return 0
+    guard_dir; return 0
  fi
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4100_base/4121_installation_initramfs.sh
+++ b/func/cdi_4100_base/4121_installation_initramfs.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Installation of 'initramfs'-environment.
@@ -98,7 +98,7 @@ EOF
 RESUME=none
 EOF
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4100_base/4130_installation_toolset.sh
+++ b/func/cdi_4100_base/4130_installation_toolset.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Check and set up the minimum required tools for the next installation steps.
@@ -49,8 +49,8 @@ installation_toolset() {
    [awk]="gawk"
    [gdisk]="gdisk"
    [gnupg]="gnupg"
    [haveged]="haveged"
    [update-initramfs]="initramfs-tools"
    [jitterentropy-rngd]="jitterentropy-rngd"
    [jq]="jq"
    [loadkeys]="kbd"
    [setfont]="kbd"
@@ -62,6 +62,7 @@ installation_toolset() {
    [pwgen]="pwgen"
    [rsyslogd]="rsyslog"
    [sudo]="sudo"
    [pam_systemd]="libpam-systemd"
    [tree]="tree"
    [unzip]="unzip"
    [lsusb]="usbutils"
@@ -96,12 +97,13 @@ installation_toolset() {
    chroot_script "${TARGET}" "
      export INITRD=No
      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
      apt-get install -y --no-install-recommends --no-install-suggests ${ary_unique_pkgs[*]} 2>&1 | tee -a ${var_logfile}
    "
  fi
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4100_base/4131_installation_systemd.sh
+++ b/func/cdi_4100_base/4131_installation_systemd.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Ensure systemd is in place.
@@ -35,6 +35,7 @@ installation_systemd() {
    chroot_script "${TARGET}" "
      export INITRD=No
      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
      apt-get install -y --no-install-recommends --no-install-suggests systemd systemd-sysv dbus 2>&1 | tee -a ${var_logfile}
    "
@@ -48,7 +49,7 @@ installation_systemd() {
    systemctl --version 2>&1 | tee -a ${var_logfile} | grep -qi 'systemd' || echo '[WARN]: systemd not verifiable' >> ${var_logfile}
  "
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4100_base/4132_installation_machineid.sh
+++ b/func/cdi_4100_base/4132_installation_machineid.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Generate machine-id if missing.
@@ -33,6 +33,9 @@ installation_machineid() {
  fi
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f installation_machineid
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4100_base/4133_installation_masking.sh
+++ b/func/cdi_4100_base/4133_installation_masking.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Turn off Energy saving mode and ctrl-alt-del.
@@ -28,11 +28,11 @@ installation_masking() {
  do_log "info" "file_only" "4133() Masked: [ctrl-alt-del.target sleep.target suspend.target hibernate.target hybrid-sleep.target]"
  chroot_script "${TARGET}" "
-      systemctl mask plymouth-start.service plymouth-quit.service plymouth-quit-wait.service plymouth-read-write.service
+    systemctl mask plymouth-start.service plymouth-quit.service plymouth-quit-wait.service plymouth-read-write.service
  "
  do_log "info" "file_only" "4133() Masked: [plymouth-start.service plymouth-quit.service plymouth-quit-wait.service plymouth-read-write.service]"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4100_base/4140_installation_microcode.sh
+++ b/func/cdi_4100_base/4140_installation_microcode.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Install microcode updates depending on architecture (amd64, arm64, intel64) and environment (Baremetal, VM).
@@ -56,6 +56,7 @@ installation_microcode() {
      chroot_script "${TARGET}" "
        export INITRD=No
        [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
        apt-get install -y --no-install-recommends --no-install-suggests ${var_microcode_pkgs} 2>&1 | tee -a ${var_logfile}
      "
@@ -63,6 +64,7 @@ installation_microcode() {
      chroot_script "${TARGET}" "
        export INITRD=No
        [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
        apt-get install -y --no-install-recommends --no-install-suggests --only-upgrade ${var_microcode_pkgs} 2>&1 | tee -a ${var_logfile}
      "
@@ -74,7 +76,7 @@ installation_microcode() {
  fi
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4100_base/4145_installation_firmware.sh
+++ b/func/cdi_4100_base/4145_installation_firmware.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Install microcode updates depending on architecture (amd64, arm64, intel64) and environment (Baremetal, VM).
@@ -294,10 +294,11 @@ installation_firmware() {
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests ${ary_pkgs_resolved[*]} 2>&1 | tee -a ${var_logfile}
  "
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4100_base/4150_installation_chrony.sh
+++ b/func/cdi_4100_base/4150_installation_chrony.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Setup chrony NTPSec client.
@@ -49,6 +49,7 @@ installation_chrony() {
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests chrony 2>&1 | tee -a ${var_logfile}
  "
@@ -76,6 +77,9 @@ installation_chrony() {
  rm -f "${var_of}"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f installation_chrony
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4100_base/4160_installation_eza.sh
+++ b/func/cdi_4100_base/4160_installation_eza.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Install Cisofy Lynis.
@@ -49,11 +49,12 @@ EOF
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get update
    apt-get install -y --no-install-recommends --no-install-suggests eza 2>&1 | tee -a ${var_logfile}
  "
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4100_base/4170_installation_lynis.sh
+++ b/func/cdi_4100_base/4170_installation_lynis.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Install Cisofy Lynis.
@@ -49,11 +49,12 @@ EOF
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get update
    apt-get install -y --no-install-recommends --no-install-suggests lynis 2>&1 | tee -a ${var_logfile}
  "
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4200_boot/4200_generate_fstab.sh
+++ b/func/cdi_4200_boot/4200_generate_fstab.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Wrapper to write '/etc/fstab' entries.
@@ -169,11 +169,10 @@ EOF
  mkdir -p "${TARGET}/media/cdrom0"
  cat << 'EOF' >> "${TARGET}/etc/fstab"
-/dev/sr0                                   /media/cdrom0               auto              noauto,nofail,ro,user,x-systemd.automount,x-systemd.device-timeout=0                                0 0
+# /dev/sr0                                 /media/cdrom0               auto              noauto,nofail,ro,user,x-systemd.automount,x-systemd.device-timeout=0                                0 0                                                                                        0 0
 #/dev/sr0                                  /media/cdrom0               udf,iso9660       user,noauto                                                                                         0 0
 EOF
-  do_log "info" "file_only" "4200() fstab entry generated: '/dev/sr0  /media/cdrom0  udf,iso9660  user,noauto  0 0'."
+  do_log "info" "file_only" "4200() fstab entry generated: '/dev/sr0  /media/cdrom0  auto  noauto,nofail,ro,user,x-systemd.automount,x-systemd.device-timeout=0  0 0'."
  cat << 'EOF' >> "${TARGET}/etc/fstab"
 ### Secure tmpfs mounts for a hardened system
@@ -191,7 +190,7 @@ tmpfs                                      /run                        tmpfs
 # vim: number et ts=2 sw=2 sts=2 ai tw=200 ft=sh
 EOF
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4200_boot/4205_check_fstab.sh
+++ b/func/cdi_4200_boot/4205_check_fstab.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Basic '/etc/fstab' checks inside chroot.
@@ -48,7 +48,7 @@ check_fstab() {
    } 2>&1 | tee -a '"${var_logfile}"'
  '
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4200_boot/4210_generate_crypttab.sh
+++ b/func/cdi_4200_boot/4210_generate_crypttab.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # '/etc/crypttab' entry writer and logger.
@@ -90,19 +90,19 @@ EOF
      case  "${var_key,,}" in
        "/")
-          write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "pw_main" "check,discard,initramfs,keyscript=decrypt_keyctl,luks,same-cpu-crypt,tries=1"
+          write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "pw_main" "check,discard,initramfs,keyscript=decrypt_keyctl,luks,noauto,same-cpu-crypt,tries=1"
          ;;
        "/usr")
-          write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "pw_main" "check,discard,initramfs,keyscript=decrypt_keyctl,luks,same-cpu-crypt,tries=1"
+          write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "pw_main" "check,discard,initramfs,keyscript=decrypt_keyctl,luks,noauto,same-cpu-crypt,tries=1"
          ;;
        "/boot")
-          write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "pw_boot" "check,discard,initramfs,keyscript=decrypt_keyctl,luks,same-cpu-crypt,tries=1"
+          write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "pw_boot" "check,discard,initramfs,keyscript=decrypt_keyctl,luks,noauto,same-cpu-crypt,tries=1"
          ;;
        *)
-          write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "pw_main" "check,discard,initramfs,keyscript=decrypt_keyctl,luks,same-cpu-crypt,tries=1"
+          write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "pw_main" "check,discard,initramfs,keyscript=decrypt_keyctl,luks,noauto,same-cpu-crypt,tries=1"
          ;;
      esac
@@ -125,11 +125,11 @@ EOF
    case "${var_key,,}" in
      swap)
-        write_crypttab "${var_ephemeral_enclabel}" "PARTUUID=${var_host_partuuid}" "/dev/random" "cipher=aes-xts-plain64,size=512,discard,loud,swap"
+        write_crypttab "${var_ephemeral_enclabel}" "PARTUUID=${var_host_partuuid}" "/dev/random" "cipher=aes-xts-plain64,size=512,discard,swap"
        ;;
      /tmp)
-        write_crypttab "${var_ephemeral_enclabel}" "PARTUUID=${var_host_partuuid}" "/dev/random" "cipher=aes-xts-plain64,size=512,discard,loud,tmp=ext4"
+        write_crypttab "${var_ephemeral_enclabel}" "PARTUUID=${var_host_partuuid}" "/dev/random" "cipher=aes-xts-plain64,size=512,discard,tmp=ext4"
        mkdir -p "${TARGET}/etc/tmpfiles.d"
        insert_header   "${TARGET}/etc/tmpfiles.d/10-tmp.conf"
        insert_comments "${TARGET}/etc/tmpfiles.d/10-tmp.conf"
@@ -152,7 +152,7 @@ EOF
 # vim: number et ts=2 sw=2 sts=2 ai tw=200 ft=sh
 EOF
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4200_boot/4220_installation_cryptsetup.sh
+++ b/func/cdi_4200_boot/4220_installation_cryptsetup.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Installation of 'cryptsetup' and 'cryptsetup-initramfs' after '/etc/crypttab' generation.
@@ -32,10 +32,11 @@ installation_cryptsetup() {
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests cryptsetup cryptsetup-initramfs 2>&1 | tee -a ${var_logfile}
  "
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4200_boot/4230_installation_grub.sh
+++ b/func/cdi_4200_boot/4230_installation_grub.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # --- UEFI GRUB Installation Strategy ---
@@ -78,6 +78,7 @@ installation_grub() {
        amd64)
          chroot_script "${TARGET}" "
            export INITRD=No
            [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
            apt-get install -y --no-install-recommends grub2-common grub-efi-amd64 grub-efi-amd64-bin 2>&1 | tee -a ${var_logfile}
          "
          ;;
@@ -85,6 +86,7 @@ installation_grub() {
        arm64)
          chroot_script "${TARGET}" "
            export INITRD=No
            [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
            apt-get install -y --no-install-recommends grub2-common grub-efi-arm64 grub-efi-arm64-bin 2>&1 | tee -a ${var_logfile}
          "
          ;;
@@ -99,6 +101,7 @@ installation_grub() {
      chroot_script "${TARGET}" "
        export INITRD=No
        [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
        apt-get install -y --no-install-recommends grub2-common grub-pc grub-pc-bin 2>&1 | tee -a ${var_logfile}
      "
@@ -206,7 +209,7 @@ EOF
  fi
  chmod -R 0700 "${TARGET}/etc/grub.d"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
@@ -263,7 +266,6 @@ readonly -f install_grub_bios
 # Globals:
 #   TARGET
 #   VAR_MODINFO_PATH
 #   grub_bootdev
 #   grub_update_nvram
 #   var_update_grub_required
 # Arguments:
@@ -297,8 +299,8 @@ install_grub_uefi() {
  [[ "${grub_update_nvram}" == "false" ]] && ary_uefi_arg+=( --no-nvram )
-  chroot_exec "${TARGET}" grub-install "${ary_uefi_arg[@]}" "${grub_bootdev}" || return "${ERR_GRUB_INSTALL}"
+  chroot_exec "${TARGET}" grub-install "${ary_uefi_arg[@]}" || return "${ERR_GRUB_INSTALL}"
-  do_log "info" "file_only" "4230() Installed: GRUB on Device: '${grub_bootdev}' [UEFI]."
+  do_log "info" "file_only" "4230() Installed: GRUB on [ESP]."
  var_update_grub_required="true"
  return 0
--- a/func/cdi_4200_boot/4240_update_grub_password.sh
+++ b/func/cdi_4200_boot/4240_update_grub_password.sh
@@ -10,31 +10,34 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Append the GRUB superuser block to '/etc/grub.d/40_custom'.
 # Globals:
-#   DIR_CNF
+#   CISS_SECRET_GRUB
 #   TARGET
 # Arguments:
 #   None
 # Returns:
 #   0: on success
-#   ERR_READ_GRUB_FILE
+#   ERR_READ_GRUB_FILE: on failure
 #######################################
 update_grub_password() {
  ### Declare Arrays, HashMaps, and Variables.
-  declare var_username="superadmin" var_password="" var_password_file="${DIR_CNF}/password_grub.txt" \
+  declare var_username="superadmin" var_password="" \
          var_of="${TARGET}/etc/grub.d/40_custom" var_grub_entry=""
  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  guard_trace on
-  var_password=$(<"${var_password_file}") || return "${ERR_READ_GRUB_FILE}"
+  var_password="${CISS_SECRET_GRUB}" || return "${ERR_READ_GRUB_FILE}"
  unset CISS_SECRET_GRUB
  var_grub_entry=$(generate_grub_password_pbkdf2 "${var_username}" "${var_password}")
  guard_trace off
  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  ### Append if not already present.
  if ! grep -q "set superusers=" "${var_of}"; then
@@ -48,11 +51,16 @@ update_grub_password() {
  chroot_exec "${TARGET}" update-grub
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f update_grub_password
 #######################################
 # Generate PBKDF2 password hash for GRUB.
 # Globals:
 #   None
 # Arguments:
 #   1: Username (default to superadmin).
 #   2: User password.
@@ -79,4 +87,7 @@ EOF
 return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f generate_grub_password_pbkdf2
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4200_boot/4250_update_grub_bootparameter.sh
+++ b/func/cdi_4200_boot/4250_update_grub_bootparameter.sh
@@ -13,7 +13,7 @@
 ### Options in "GRUB_CMDLINE_LINUX" are always effective, (incl. recovery).
 ### Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Hardening: update the Grub boot parameter and the Dropbear and Nuke parameters if opted in.
@@ -83,7 +83,7 @@ update_grub_bootparameter() {
  chroot_exec "${TARGET}" update-grub
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4300_network/4300_installation_network.sh
+++ b/func/cdi_4300_network/4300_installation_network.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Setup network.
@@ -24,9 +24,9 @@ guard_sourcing
 #   VAR_FINAL_IPV6_CIDR
 #   VAR_FINAL_IPV6_GW
 #   VAR_FINAL_NIC
 #   VAR_LINK_IPV6
 #   network_autoconfig_enable
 #   network_choose_interface_auto
 #   network_static_dns_dhcp_override
 #   network_static_ipv4nameserver_0
 #   network_static_ipv6address
 #   network_static_ipv6nameserver_0
@@ -45,16 +45,19 @@ installation_network() {
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get purge -y dhcpcd isc-dhcp-client 2>&1 | tee -a ${var_logfile}
  "
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-suggests dhcpcd-base ifupdown 2>&1 | tee -a ${var_logfile}
  "
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    systemctl disable systemd-networkd NetworkManager 2>/dev/null | tee -a ${var_logfile} || true
  "
@@ -74,7 +77,7 @@ installation_network() {
  # For servers or systems with static interfaces that should always be available (e.g., eth0 on a server).
  # For configurations where the interface should be active regardless of the cable status.
  # allow-hotplug:
-  # For systems with dynamic or removable network devices (e.g., laptops or USB adapters).
+  # For systems with dynamic or removable network devices (e.g., laptops, USB adapters, VMs).
  # To avoid boot delays when interfaces are unavailable.
  insert_header   "${TARGET}/etc/network/interfaces"
@@ -83,8 +86,6 @@ installation_network() {
 # This file describes the network interfaces available on your system
 # and how to activate them. For more information, see interfaces(5).
 source-directory /etc/network/interfaces.d
 # The loopback network interface
 auto lo
 iface lo inet loopback
@@ -100,8 +101,6 @@ EOF
    cat << EOF >>   "${TARGET}/etc/network/interfaces"
 # The primary network interface: IPv4 via DHCP
 auto ${VAR_FINAL_NIC}
 allow-hotplug ${VAR_FINAL_NIC}
 iface ${VAR_FINAL_NIC} inet dhcp
 EOF
@@ -112,8 +111,6 @@ EOF
    cat << EOF >>   "${TARGET}/etc/network/interfaces"
 # The primary network interface: IPv4 via DHCP
 auto ${VAR_FINAL_NIC}
 allow-hotplug ${VAR_FINAL_NIC}
 iface ${VAR_FINAL_NIC} inet dhcp
 EOF
@@ -126,8 +123,6 @@ EOF
    cat << EOF >>   "${TARGET}/etc/network/interfaces"
 # The primary network interface: IPv4 via static IP
 auto ${VAR_FINAL_NIC}
 allow-hotplug ${VAR_FINAL_NIC}
 iface ${VAR_FINAL_NIC} inet static
  address ${VAR_FINAL_IPV4}
  netmask ${VAR_FINAL_IPV4_SUBNET}
@@ -156,6 +151,8 @@ EOF
 iface ${VAR_FINAL_NIC} inet6 static
  address ${VAR_FINAL_IPV6_CIDR}
  gateway ${VAR_FINAL_IPV6_GW}
  ### Optional harden, no RA on static v6
  pre-up sysctl -w net.ipv6.conf.ens3.accept_ra=0
 EOF
    do_log "info" "file_only" "4300() IPv6 on the primary NIC: '${VAR_FINAL_NIC}' configured statically."
@@ -176,6 +173,9 @@ EOF
  insert_header   "${TARGET}/etc/dhcpcd.conf"
  insert_comments "${TARGET}/etc/dhcpcd.conf"
  cat << 'EOF' >> "${TARGET}/etc/dhcpcd.conf"
 ### No Global APIPA-Fallback.
 noipv4ll
 ### A ServerID is required by RFC2131.
 require dhcp_server_identifier
@@ -187,6 +187,7 @@ option host_name
 option domain_name
 option domain_search
 option domain_name_servers
 option rapid_commit
 ### Most distributions have NTP support.
 option ntp_servers
@@ -201,7 +202,7 @@ EOF
  [[ -n "${network_static_ipv4nameserver_0:-}" ]] && ary_dns_supersede+=( "${ARY_IPV4_NS[@]}" )
  [[ -n "${network_static_ipv6nameserver_0:-}" ]] && ary_dns_supersede+=( "${ARY_IPV6_NS[@]}" )
-  if [[ "${#ary_dns_supersede[@]}" -gt 0 ]]; then
+  if [[ "${#ary_dns_supersede[@]}" -gt 0 && "${network_static_dns_dhcp_override}" == "true" ]]; then
    cat << EOF >>   "${TARGET}/etc/dhcpcd.conf"
 ### Enforce static DNS
@@ -220,6 +221,11 @@ EOF
  fi
  if [[ "${VAR_LINK_IPV6}" == "true" && -n "${network_static_ipv6address}" ]]; then
    echo "  noipv6rs" >> "${TARGET}/etc/dhcpcd.conf"
  fi
  ### Footer (always).
  echo '' >> "${TARGET}/etc/dhcpcd.conf"
  echo '# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf' >> "${TARGET}/etc/dhcpcd.conf"
@@ -229,7 +235,7 @@ EOF
    dhcpcd -T ${VAR_FINAL_NIC} | tee -a ${var_logfile}
  "
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4300_network/4305_installation_netsec.sh
+++ b/func/cdi_4300_network/4305_installation_netsec.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Installation of packages 'fail2ban' and 'ufw'.
@@ -29,10 +29,11 @@ installation_netsec() {
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-suggests fail2ban ufw 2>&1 | tee -a ${var_logfile}
  "
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4300_network/4310_dropbear_build.sh
+++ b/func/cdi_4300_network/4310_dropbear_build.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Build Ultra Hardened dropbear-2025.88 from sources.
@@ -71,7 +71,7 @@ dropbear_build() {
  guard_trace off
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4300_network/4311_dropbear_initramfs.sh
+++ b/func/cdi_4300_network/4311_dropbear_initramfs.sh
@@ -10,13 +10,15 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Install the 'dropbear-initramfs' and replace the binaries with those from the previous Ultra Hardened build.
 # Globals:
 #   DIR_TMP
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
 # Arguments:
 #   None
 # Returns:
@@ -26,46 +28,83 @@ dropbear_initramfs() {
  ### Declare Arrays, HashMaps, and Variables.
  declare     var_file=""
  declare -r  var_logfile="/root/.ciss/cdi/log/4311_dropbear_initramfs.log"
  declare     var_target="${TARGET}"
-  chroot_logger "${TARGET}${var_logfile}"
+  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
-  chroot_script "${TARGET}" "
+  chroot_logger "${var_target}${var_logfile}"
  chroot_script "${var_target}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests dropbear-initramfs dropbear-bin 2>&1 | tee -a ${var_logfile}
  "
-  chroot_script "${TARGET}" "
+  chroot_script "${var_target}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get purge -y dropbear dropbear-run || true
  "
-  chroot_script "${TARGET}" "
+  chroot_script "${var_target}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a ${var_logfile}
  "
-  chroot_script "${TARGET}" "
+  chroot_script "${var_target}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-mark hold dropbear dropbear-initramfs 2>&1 | tee -a ${var_logfile}
  "
-  mv "${TARGET}/usr/sbin/dropbear" "${TARGET}/usr/sbin/dropbear.trixie"
+  mv "${var_target}/usr/sbin/dropbear" "${var_target}/usr/sbin/dropbear.trixie"
-  install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/dropbear" "${TARGET}/usr/sbin/"
+  install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/dropbear" "${var_target}/usr/sbin/"
  do_log "debug" "file_only" "4311() Installation [dropbear] successful."
  for var_file in dbclient dropbearconvert dropbearkey; do
-    mv "${TARGET}/usr/bin/${var_file}" "${TARGET}/usr/bin/${var_file}.trixie"
+    mv "${var_target}/usr/bin/${var_file}" "${var_target}/usr/bin/${var_file}.trixie"
-    install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/${var_file}" "${TARGET}/usr/bin/"
+    install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/${var_file}" "${var_target}/usr/bin/"
    do_log "debug" "file_only" "4311() Installation [${var_file}] successful."
  done
  mkdir -p "${var_target}/etc/initramfs-tools/scripts/init-bottom"
-  insert_header   "${TARGET}/etc/apt/preferences.d/99-mask-dropbear"
+  cat << 'EOF' >| "${var_target}/etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill"
-  insert_comments "${TARGET}/etc/apt/preferences.d/99-mask-dropbear"
+#!/bin/sh
-  cat << 'EOF' >> "${TARGET}/etc/apt/preferences.d/99-mask-dropbear"
+
 PREREQ=""
 prereqs() { echo "${PREREQ}"; }
 # shellcheck disable=SC2249
 case "${1}" in
  prereqs) prereqs; exit 0 ;;
 esac
 ### Stop dropbear shipped in the initramfs after root pivot.
 [ -x /bin/pidof ] || exit 0
 P=$(/bin/pidof dropbear 2>/dev/null) || true
 [ -n "${P}" ] || exit 0
 /bin/kill -TERM "${P}" 2>/dev/null || true
 /bin/sleep 1
 /bin/kill -KILL "${P}" 2>/dev/null || true
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
  chmod 0755 "${var_target}/etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill"
  insert_header   "${var_target}/etc/apt/preferences.d/99-mask-dropbear"
  insert_comments "${var_target}/etc/apt/preferences.d/99-mask-dropbear"
  cat << 'EOF' >> "${var_target}/etc/apt/preferences.d/99-mask-dropbear"
 # Never install the dropbear daemon package at all.
 Package: dropbear
 Pin: release *
@@ -74,9 +113,9 @@ Pin-Priority: -1
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
-  insert_header   "${TARGET}/etc/apt/preferences.d/99-mask-dropbear-initramfs"
+  insert_header   "${var_target}/etc/apt/preferences.d/99-mask-dropbear-initramfs"
-  insert_comments "${TARGET}/etc/apt/preferences.d/99-mask-dropbear-initramfs"
+  insert_comments "${var_target}/etc/apt/preferences.d/99-mask-dropbear-initramfs"
-  cat << 'EOF' >> "${TARGET}/etc/apt/preferences.d/99-mask-dropbear-initramfs"
+  cat << 'EOF' >> "${var_target}/etc/apt/preferences.d/99-mask-dropbear-initramfs"
 # Keep the currently installed initramfs integration; never upgrade it.
 Package: dropbear-initramfs
 Pin: release *
@@ -85,10 +124,10 @@ Pin-Priority: -1
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
-  chroot_script "${TARGET}" "systemctl mask dropbear.service dropbear.socket"
+  chroot_script "${var_target}" "systemctl mask dropbear.service dropbear.socket"
  do_log "info" "file_only" "4311() Masked: [dropbear.service dropbear.socket]"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4300_network/4312_dropbear_setup.sh
+++ b/func/cdi_4300_network/4312_dropbear_setup.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Set up the 'dropbear-initramfs' environment.
@@ -140,7 +140,7 @@ EOF
  fi
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4300_network/4320_update_initramfs.sh
+++ b/func/cdi_4300_network/4320_update_initramfs.sh
@@ -10,12 +10,12 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Deploy all changes made using the 'update-grub' and 'update-initramfs' commands.
 # Globals:
-#   VAR_CHROOT_SYS_MASK_HELPER
+#   TARGET
 #   VAR_KERNEL
 # Arguments:
 #   None
@@ -45,7 +45,7 @@ update_initramfs() {
  chmod 0400 "${TARGET}/boot/grub/grub.cfg"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4300_network/4330_installation_ssh.sh
+++ b/func/cdi_4300_network/4330_installation_ssh.sh
@@ -10,20 +10,25 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Setup ssh server.
 # Globals:
 #   RECOVERY
 #   TARGET
 #   VAR_DROPBEAR
 #   VAR_FINAL_FQDN
 #   VAR_FINAL_IPV4
 #   VAR_FINAL_IPV6
 #   VAR_FINAL_NIC
 #   VAR_LINK_IPV6
 #   VAR_RUN_RECOVERY
 #   VAR_SETUP_PATH
 #   VAR_SSH_CA
 #   VAR_SSH_PORT
 #   VAR_USER_MAX
 #   network_static_ipv6address
 # Arguments:
 #   None
 # Returns:
@@ -31,16 +36,52 @@ guard_sourcing
 #######################################
 installation_ssh() {
  ### Declare Arrays, HashMaps, and Variables.
-  declare -a ary_user=()
+  declare -a  ary_user=()
-  declare -i i=0
+  declare -i  i=0
-  declare    var_auth="" var_name="" var_ca="" var_pub=""
+  declare -r  var_logfile="/root/.ciss/cdi/log/4330_installation_ssh.log"
  declare     var_auth="" var_name="" var_ca="" var_pub=""
  declare     var_target="${TARGET}"
-  chroot_exec "${TARGET}" apt-get install -y --no-install-recommends --no-install-suggests ssh
+  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
-  mkdir -p "${TARGET}/etc/systemd/system/ssh.service.d"
+  chroot_logger "${var_target}${var_logfile}"
-  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/banner" "${TARGET}/etc/"
+  chroot_script "${var_target}" "
-  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/motd" "${TARGET}/etc/"
+    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests ssh 2>&1 | tee -a ${var_logfile}
  "
  mkdir -p "${var_target}/etc/systemd/system/ssh.service.d"
  if [[ "${VAR_LINK_IPV6}" == "true" && -n "${network_static_ipv6address}" ]]; then
    # shellcheck disable=SC2312
    cat << EOF >| "${var_target}/etc/systemd/system/ssh.service.d/override.conf"
 [Unit]
 After=ifup@${VAR_FINAL_NIC}.service network.target
 Wants=ifup@${VAR_FINAL_NIC}.service
 [Service]
 ### Block until the exact v6 address is present and not tentative.
 ### If any tentative IPv6 address exists on the device, wait and retry.
 ### Check for the exact global address (fixed-string match, include trailing "/").
 ExecStartPre=/bin/sh -c '\
  for i in \$(seq 1 60); do \
    ip -6 addr show dev ${VAR_FINAL_NIC} tentative | grep -q "inet6" && { sleep 0.5; continue; }; \
    ip -6 addr show dev ${VAR_FINAL_NIC} scope global | grep -Fq " ${VAR_FINAL_IPV6}/" && exit 0; \
    sleep 0.5; \
  done; \
  echo "IPv6 address ${VAR_FINAL_IPV6} on ${VAR_FINAL_NIC} not ready"; exit 1'
 TimeoutStartSec=40s
 Restart=on-failure
 RestartSec=2s
 EOF
  fi
  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/banner" "${var_target}/etc/"
  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/motd" "${var_target}/etc/"
  do_log "info" "file_only" "4420() Installed SSH '/etc/banner' and '/etc/motd'."
  ### Only process those for which both *_name and *_authentication_access_ssh are set.
@@ -53,85 +94,95 @@ installation_ssh() {
    fi
  done
-  rm -rf "${TARGET}"/etc/ssh/ssh_host_*key*
+  chroot_script "${var_target}" "
    awk '\$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
    rm -rf /etc/ssh/moduli
    mv /etc/ssh/moduli.safe /etc/ssh/moduli
  "
-  if [[ -f "${TARGET}/etc/dropbear/initramfs/dropbear_ed25519_host_key" ]]; then
+  rm -rf "${var_target}"/etc/ssh/ssh_host_*key*
-    chroot_script "${TARGET}" "
+  if [[ -f "${var_target}/etc/dropbear/initramfs/dropbear_ed25519_host_key" ]]; then
      dropbearconvert dropbear openssh /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/ssh/ssh_host_ed25519_key"
-    chroot_script "${TARGET}" "
+    chroot_script "${var_target}" "
-      dropbearconvert dropbear openssh /etc/dropbear/initramfs/dropbear_rsa_host_key /etc/ssh/ssh_host_rsa_key"
+      dropbearconvert dropbear openssh /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/ssh/ssh_host_ed25519_key
    "
-    chroot_script "${TARGET}" "
+    chroot_script "${var_target}" "
-      dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/ssh/ssh_host_ed25519_key.pub"
+      dropbearconvert dropbear openssh /etc/dropbear/initramfs/dropbear_rsa_host_key /etc/ssh/ssh_host_rsa_key
    "
-    chroot_script "${TARGET}" "
+    chroot_script "${var_target}" "
-      dropbearkey -y -f /etc/dropbear/initramfs/dropbear_rsa_host_key /etc/ssh/ssh_host_rsa_key.pub"
+      dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/ssh/ssh_host_ed25519_key.pub
    "
    chroot_script "${var_target}" "
      dropbearkey -y -f /etc/dropbear/initramfs/dropbear_rsa_host_key /etc/ssh/ssh_host_rsa_key.pub
    "
  else
    # shellcheck disable=SC2312
-    chroot_exec "${TARGET}" ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
+    chroot_exec "${var_target}" ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
    # shellcheck disable=SC2312
-    chroot_exec "${TARGET}" ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
+    chroot_exec "${var_target}" ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
  fi
-  mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/ssh"
+  mkdir -p "${var_target}/root/.ciss/cdi/backup/etc/ssh"
-  cp "${TARGET}/etc/ssh/sshd_config" "${TARGET}/root/.ciss/cdi/backup/etc/ssh/sshd_config.bak"
+  cp "${var_target}/etc/ssh/sshd_config" "${var_target}/root/.ciss/cdi/backup/etc/ssh/sshd_config.bak"
-  cp "${TARGET}/etc/ssh/ssh_config" "${TARGET}/root/.ciss/cdi/backup/etc/ssh/ssh_config.bak"
+  cp "${var_target}/etc/ssh/ssh_config" "${var_target}/root/.ciss/cdi/backup/etc/ssh/ssh_config.bak"
-  rm -f "${TARGET}/etc/ssh/sshd_config"
+  rm -f "${var_target}/etc/ssh/sshd_config"
-  install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/ssh/sshd_config" "${TARGET}/etc/ssh/sshd_config"
+  install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/ssh/sshd_config" "${var_target}/etc/ssh/sshd_config"
-  chmod 0600 "${TARGET}/etc/ssh/ssh_config"
+  chmod 0600 "${var_target}/etc/ssh/ssh_config"
-  insert_comments "${TARGET}/etc/ssh/sshd_config"
+  insert_comments "${var_target}/etc/ssh/sshd_config"
  # shellcheck disable=SC2153
-  sed -i -E "s|^[[:space:]]*ListenAddressIPV4[[:space:]]+.*$|$(printf '%-29s%s' 'ListenAddress' "${VAR_FINAL_IPV4}")|" "${TARGET}/etc/ssh/sshd_config"
+  sed -i -E "s|^[[:space:]]*ListenAddressIPV4[[:space:]]+.*$|$(printf '%-29s%s' 'ListenAddress' "${VAR_FINAL_IPV4}")|" "${var_target}/etc/ssh/sshd_config"
  if [[ -n "${VAR_FINAL_IPV6}" ]]; then
-    sed -i -E "s|^[[:space:]]*ListenAddressIPV6[[:space:]]+.*$|$(printf '%-29s%s' 'ListenAddress' "${VAR_FINAL_IPV6}")|" "${TARGET}/etc/ssh/sshd_config"
+    sed -i -E "s|^[[:space:]]*ListenAddressIPV6[[:space:]]+.*$|$(printf '%-29s%s' 'ListenAddress' "${VAR_FINAL_IPV6}")|" "${var_target}/etc/ssh/sshd_config"
  else
-    sed -i "/^[[:space:]]*ListenAddressIPV6[[:space:]]*/d" "${TARGET}/etc/ssh/sshd_config"
+    sed -i "/^[[:space:]]*ListenAddressIPV6[[:space:]]*/d" "${var_target}/etc/ssh/sshd_config"
  fi
-  sed -i -E "s|^[[:space:]]*Port[[:space:]]+.*$|$(printf '%-29s%s' 'Port' "${VAR_SSH_PORT}")|" "${TARGET}/etc/ssh/sshd_config"
+  sed -i -E "s|^[[:space:]]*Port[[:space:]]+.*$|$(printf '%-29s%s' 'Port' "${VAR_SSH_PORT}")|" "${var_target}/etc/ssh/sshd_config"
  if (( ${#ary_user[@]} > 0 )); then
-    sed -i -E "s|^\s*AllowUsers\s+.*$|$(printf '%-29s%s' 'AllowUsers' "root ${ary_user[*]}")|" "${TARGET}/etc/ssh/sshd_config"
+    sed -i -E "s|^\s*AllowUsers\s+.*$|$(printf '%-29s%s' 'AllowUsers' "root ${ary_user[*]}")|" "${var_target}/etc/ssh/sshd_config"
  fi
  if [[ -n "${VAR_SSH_CA}" ]]; then
    var_ca="${VAR_SSH_CA##*/}"
-    install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}${VAR_SSH_CA}" "${TARGET}/etc/ssh/"
+    install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}${VAR_SSH_CA}" "${var_target}/etc/ssh/"
-    sed -i -E "s|^\s*TrustedUserCAKeys\s+.*$|$(printf '%-29s%s' 'TrustedUserCAKeys' "/etc/ssh/${var_ca}")|" "${TARGET}/etc/ssh/sshd_config"
+    sed -i -E "s|^\s*TrustedUserCAKeys\s+.*$|$(printf '%-29s%s' 'TrustedUserCAKeys' "/etc/ssh/${var_ca}")|" "${var_target}/etc/ssh/sshd_config"
  fi
  ### Preparing the test environment in chroot.
-  chroot_exec "${TARGET}" install -d -o root -g root -m 0755 /run/sshd
+  chroot_exec "${var_target}" install -d -o root -g root -m 0755 /run/sshd
  ### Syntax test (hard).
-  if ! chroot_script "${TARGET}" "sshd -t -f /etc/ssh/sshd_config"; then
+  if ! chroot_script "${var_target}" "sshd -t -f /etc/ssh/sshd_config"; then
    do_log "emergency" "file_only" "4420() [sshd -t -f /etc/ssh/sshd_config] failed."
    return "${ERR_CONF_VALIDATION}"
  fi
  ### Effective configuration (soft, purely informative).
-  if ! chroot_script "${TARGET}" "sshd -T -f /etc/ssh/sshd_config >| /root/.ciss/cdi/log/sshd_config.log"; then
+  if ! chroot_script "${var_target}" "sshd -T -f /etc/ssh/sshd_config >| /root/.ciss/cdi/log/sshd_config.log"; then
    do_log "warn" "file_only" "4420() [sshd -T -f /etc/ssh/sshd_config] failed. Likely env. Continuing."
  fi
-  chroot_script "${TARGET}" "ssh-keygen -r ${VAR_FINAL_FQDN}. >| /root/.ciss/cdi/log/SSHFP.log"
+  chroot_script "${var_target}" "ssh-keygen -r ${VAR_FINAL_FQDN}. >| /root/.ciss/cdi/log/SSHFP.log"
  if [[ "${VAR_DROPBEAR}" == "true" ]]; then
-    printf "### Dropbear SSHFP RR: \n" >> "${TARGET}/root/.ciss/cdi/log/SSHFP.log"
+    printf "### Dropbear SSHFP RR: \n" >> "${var_target}/root/.ciss/cdi/log/SSHFP.log"
-    for var_pub in "${TARGET}"/etc/dropbear/initramfs/dropbear*.pub; do
+    for var_pub in "${var_target}"/etc/dropbear/initramfs/dropbear*.pub; do
-      chroot_script "${TARGET}" "ssh-keygen -E sha256 -r ${VAR_FINAL_FQDN}. -f ${var_pub#/target} >> /root/.ciss/cdi/log/SSHFP.log"
+      chroot_script "${var_target}" "ssh-keygen -E sha256 -r ${VAR_FINAL_FQDN}. -f ${var_pub#/target} >> /root/.ciss/cdi/log/SSHFP.log"
    done
@@ -142,9 +193,9 @@ installation_ssh() {
  # environment variables: TMOUT                                                            #
  # TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
  ###########################################################################################
-  insert_header   "${TARGET}/etc/profile.d/idle-users.sh"
+  insert_header   "${var_target}/etc/profile.d/idle-users.sh"
-  insert_comments "${TARGET}/etc/profile.d/idle-users.sh"
+  insert_comments "${var_target}/etc/profile.d/idle-users.sh"
-  cat << EOF >>   "${TARGET}/etc/profile.d/idle-users.sh"
+  cat << EOF >>   "${var_target}/etc/profile.d/idle-users.sh"
 case $- in
  *i*)
    TMOUT=14400
@@ -156,7 +207,7 @@ esac
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4400_hardening/4400_kernel_modules.sh
+++ b/func/cdi_4400_hardening/4400_kernel_modules.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Entropy collection improvements '/usr/lib/modules-load.d/30_security-misc.conf'.
@@ -47,8 +47,11 @@ EOF
  do_log "info" "file_only" "4400() Installed: '/usr/lib/modules-load.d/30_security-misc.conf'."
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f kernel_modules
 #######################################
 # Blacklist some kind of potential hazardous modules via '/etc/modprobe.d/0000_ciss_debian_installer.conf'.
@@ -68,6 +71,9 @@ kernel_modprobe() {
  do_log "info" "file_only" "4400() Installed: '/etc/modprobe.d/0000_ciss_debian_installer.conf'."
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f kernel_modprobe
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4400_hardening/4410_kernel_sysctl.sh
+++ b/func/cdi_4400_hardening/4410_kernel_sysctl.sh
@@ -10,10 +10,10 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
-# Install Kernel Hardening-Presets '/etc/sysctl.d/99_local.hardened'.
+# Install Kernel Hardening-Presets '/etc/sysctl.d/9999_ciss_debian_installer.hardened'.
 # Globals:
 #   TARGET
 #   VAR_SETUP_PATH
@@ -23,13 +23,16 @@ guard_sourcing
 #   0: on success
 #######################################
 kernel_sysctl() {
-  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/sysctl.d/99_local.hardened" \
+  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/sysctl.d/9999_ciss_debian_installer.hardened" \
-    "${TARGET}/etc/sysctl.d/99_local.hardened"
+    "${TARGET}/etc/sysctl.d/9999_ciss_debian_installer.hardened"
-  insert_comments "${TARGET}/etc/sysctl.d/99_local.hardened"
+  insert_comments "${TARGET}/etc/sysctl.d/9999_ciss_debian_installer.hardened"
-  do_log "info" "file_only" "4410() Installed: '/etc/sysctl.d/99_local.hardened'."
+  do_log "info" "file_only" "4410() Installed: '/etc/sysctl.d/9999_ciss_debian_installer.hardened'."
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f kernel_sysctl
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4400_hardening/4420_hardening_fail2ban.sh
+++ b/func/cdi_4400_hardening/4420_hardening_fail2ban.sh
@@ -10,19 +10,21 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Hardening 'fail2ban'.
 # Globals:
 #   ARY_ALLOW_IPV4
 #   ARY_ALLOW_IPV6
 #   RECOVERY
 #   TARGET
 #   VAR_FINAL_FQDN
 #   VAR_FINAL_IPV4
 #   VAR_FINAL_IPV6
 #   VAR_LINK_IPV6
 #   VAR_PROVIDER
 #   VAR_RUN_RECOVERY
 #   VAR_SSH_PORT
 # Arguments:
 #   None
@@ -32,87 +34,121 @@ guard_sourcing
 hardening_fail2ban() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_logfile="/root/.ciss/cdi/log/4420_hardening_fail2ban.log"
  declare     var_target="${TARGET}"
-  chroot_logger "${TARGET}${var_logfile}"
+  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
-  mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/fail2ban/jail.d"
+  chroot_logger "${var_target}${var_logfile}"
-  cp "${TARGET}/etc/fail2ban/fail2ban.conf" "${TARGET}/root/.ciss/cdi/backup/etc/fail2ban/fail2ban.conf.bak"
+
-  mv "${TARGET}/etc/fail2ban/jail.d/defaults-debian.conf" "${TARGET}/root/.ciss/cdi/backup/etc/fail2ban/jail.d/defaults-debian.conf.bak"
+  mkdir -p "${var_target}/root/.ciss/cdi/backup/etc/fail2ban/jail.d"
  cp "${var_target}/etc/fail2ban/fail2ban.conf" "${var_target}/root/.ciss/cdi/backup/etc/fail2ban/fail2ban.conf.bak"
  mv "${var_target}/etc/fail2ban/jail.d/defaults-debian.conf" "${var_target}/root/.ciss/cdi/backup/etc/fail2ban/jail.d/defaults-debian.conf.bak"
  # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
-  insert_header   "${TARGET}/etc/fail2ban/fail2ban.local"
+  insert_header   "${var_target}/etc/fail2ban/fail2ban.local"
-  insert_comments "${TARGET}/etc/fail2ban/fail2ban.local"
+  insert_comments "${var_target}/etc/fail2ban/fail2ban.local"
-  cat << 'EOF' >> "${TARGET}/etc/fail2ban/fail2ban.local"
+  cat << 'EOF' >> "${var_target}/etc/fail2ban/fail2ban.local"
 [DEFAULT]
-allowipv6 = auto
+allowipv6             = auto
 EOF
-  insert_header   "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
+  insert_header   "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
-  insert_comments "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
+  insert_comments "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
  if [[ "${#ARY_ALLOW_IPV4[@]}" -gt 0 ]]; then
    ### fail2ban ufw aggressive mode, one attempt for jumphost configuration.
-    cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
+    cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
 [DEFAULT]
-usedns    = yes
+banaction             = nftables-multiport
-ignoreip  = 127.0.0.0/8 ::1
+banaction_allports    = nftables-allports
 dbpurgeage            = 384d
 #                       127.0.0.1/8 - IPv4 loopback range (local host)
 #                       ::1/128     - IPv6 loopback
 #                       fe80::/10   - IPv6 link-local (on-link only; NDP/RA/DAD)
 #                       ff00::/8    - IPv6 multicast (not an unicast host)
 #                       ::/128      - IPv6 unspecified (all zeros; never a real peer)
 ignoreip              = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128
 # ${VAR_FINAL_FQDN}
  ${VAR_FINAL_IPV4}
 EOF
    if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
-      cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
+      cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
  ${VAR_FINAL_IPV6}/64
 EOF
    fi
-    cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
+    cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
 # Jumphost
  ${ARY_ALLOW_IPV4[*]}
 EOF
    if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
-      cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
+      cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
  ${ARY_ALLOW_IPV6[*]}
 EOF
    fi
-    cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
+    cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
-maxretry  = 8
+usedns                = yes
-findtime  = 12h
+
-bantime   = 12h
+[recidive]
 enabled               = true
 banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
 bantime               = 8d
 bantime.increment     = true
 bantime.factor        = 1
 bantime.maxtime       = 128d
 bantime.multipliers   = 1 2 4 8 16
 bantime.overalljails  = true
 bantime.rndtime       = 877s
 filter                = recidive
 findtime              = 16d
 logpath               = /var/log/fail2ban/fail2ban.log*
 maxretry              = 3
 [sshd]
-enabled   = true
+enabled               = true
-backend   = systemd
+backend               = systemd
-filter    = sshd
+bantime               = 1h
-mode      = normal
+bantime.increment     = true
-port      = ${VAR_SSH_PORT}
+bantime.factor        = 1
-protocol  = tcp
+bantime.maxtime       = 16d
-logpath   = /var/log/auth.log
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
-maxretry  = 3
+bantime.overalljails  = true
-findtime  = 1d
+bantime.rndtime       = 877s
-bantime   = 1d
+filter                = sshd
 findtime              = 16m
 mode                  = aggressive
 port                  = ${VAR_SSH_PORT}
 protocol              = tcp
 maxretry              = 4
 #
-# ufw aggressive approach:
+# CISS aggressive approach:
 # Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
-# Any client touching other ports is treated malicious and therefore should be blocked access to ALL ports after 1 attempt.
+# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 1 attempt.
 #
 [ufw]
-enabled   = true
+enabled               = true
-filter    = ufw.aggressive
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
-action    = iptables-allports
+bantime               = 1h
-logpath   = /var/log/ufw.log
+bantime.increment     = true
-maxretry  = 1
+bantime.factor        = 1
-findtime  = 1d
+bantime.maxtime       = 16d
-bantime   = 1d
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
-protocol  = tcp,udp
+bantime.overalljails  = true
 bantime.rndtime       = 877s
 filter                = ciss-ufw
 findtime              = 16m
 logpath               = /var/log/ufw.log
 maxretry              = 1
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
@@ -120,53 +156,83 @@ EOF
  else
    ### fail2ban ufw aggressive mode, 32 attempts for NO jumphost configuration.
-    cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
+    cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
 [DEFAULT]
-usedns    = yes
+banaction             = nftables-multiport
-ignoreip  = 127.0.0.0/8 ::1
+banaction_allports    = nftables-allports
 dbpurgeage            = 384d
 #                       127.0.0.1/8 - IPv4 loopback range (local host)
 #                       ::1/128     - IPv6 loopback
 #                       fe80::/10   - IPv6 link-local (on-link only; NDP/RA/DAD)
 #                       ff00::/8    - IPv6 multicast (not an unicast host)
 #                       ::/128      - IPv6 unspecified (all zeros; never a real peer)
 ignoreip              = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128
 # ${VAR_FINAL_FQDN}
  ${VAR_FINAL_IPV4}
 EOF
    if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
-      cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
+      cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
  ${VAR_FINAL_IPV6}/64
 EOF
    fi
-    cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
+    cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
-maxretry  = 8
+usedns                = yes
-findtime  = 12h
+
-bantime   = 12h
+[recidive]
 enabled               = true
 banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
 bantime               = 8d
 bantime.increment     = true
 bantime.factor        = 1
 bantime.maxtime       = 128d
 bantime.multipliers   = 1 2 4 8 16
 bantime.overalljails  = true
 bantime.rndtime       = 877s
 filter                = recidive
 findtime              = 16d
 logpath               = /var/log/fail2ban/fail2ban.log*
 maxretry              = 3
 [sshd]
-enabled   = true
+enabled               = true
-backend   = systemd
+backend               = systemd
-filter    = sshd
+bantime               = 1h
-mode      = normal
+bantime.increment     = true
-port      = ${VAR_SSH_PORT}
+bantime.factor        = 1
-protocol  = tcp
+bantime.maxtime       = 16d
-logpath   = /var/log/auth.log
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
-maxretry  = 3
+bantime.overalljails  = true
-findtime  = 1d
+bantime.rndtime       = 877s
-bantime   = 1d
+filter                = sshd
 findtime              = 16m
 mode                  = normal
 port                  = ${VAR_SSH_PORT}
 protocol              = tcp
 maxretry              = 4
 #
-# ufw aggressive approach:
+# CISS aggressive approach:
 # Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
-# Any client touching other ports is treated malicious and therefore should be blocked access to ALL ports after 32 attempts.
+# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 3 attempts.
 #
 [ufw]
-enabled   = true
+enabled               = true
-filter    = ufw.aggressive
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
-action    = iptables-allports
+bantime               = 1h
-logpath   = /var/log/ufw.log
+bantime.increment     = true
-maxretry  = 32
+bantime.factor        = 1
-findtime  = 1d
+bantime.maxtime       = 16d
-bantime   = 1d
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
-protocol  = tcp,udp
+bantime.overalljails  = true
 bantime.rndtime       = 877s
 filter                = ciss-ufw
 findtime              = 16m
 logpath               = /var/log/ufw.log
 maxretry              = 3
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
@@ -176,16 +242,19 @@ EOF
  ### Provider Hetzner needs special ignoreip rules.
  if [[ "${VAR_PROVIDER}" == "hetzner" ]]; then
-    sed -i '0,/^maxretry/{s/^maxretry/# Hetzner Intern\n  172.31.1.1\/16\n&/}' "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
+    sed -i '0,/^maxretry/{s/^maxretry/# Hetzner Intern\n  172.31.1.1\/16\n&/}' "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
  fi
-  insert_header   "${TARGET}/etc/fail2ban/filter.d/ufw.aggressive.conf"
+  insert_header   "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf"
-  insert_comments "${TARGET}/etc/fail2ban/filter.d/ufw.aggressive.conf"
+  insert_comments "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf"
-  cat << EOF >>   "${TARGET}/etc/fail2ban/filter.d/ufw.aggressive.conf"
+  cat << EOF >>   "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf"
 [Definition]
-failregex = ^.*UFW BLOCK.* SRC=<HOST> .*DPT=\d+ .*
+# Match UFW BLOCK/REJECT with a source IP and *any* port field (SPT or DPT), protocol may be missing.
-ignoreregex =
+failregex             = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?(?:\bDPT=\d+\b|\bSPT=\d+\b).*$
 ignoreregex           =
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
  # Hardening of fail2ban systemd: https://wiki.archlinux.org/title/fail2ban#Service_hardening
@@ -193,12 +262,12 @@ EOF
  # file. "CAP_NET_ADMIN" and "CAP_NET_RAW" allow fail2ban to operate on any firewall that has a command-line shell interface.
  # By using 'ProtectSystem=strict' the filesystem hierarchy will only be read-only; 'ReadWritePaths' allows Fail2ban to have
  # write access on required paths.
-  mkdir -p "${TARGET}/etc/systemd/system/fail2ban.service.d"
+  mkdir -p "${var_target}/etc/systemd/system/fail2ban.service.d"
-  mkdir -p "${TARGET}/var/log/fail2ban"
+  mkdir -p "${var_target}/var/log/fail2ban"
-  insert_header   "${TARGET}/etc/systemd/system/fail2ban.service.d/override.conf"
+  insert_header   "${var_target}/etc/systemd/system/fail2ban.service.d/override.conf"
-  insert_comments "${TARGET}/etc/systemd/system/fail2ban.service.d/override.conf"
+  insert_comments "${var_target}/etc/systemd/system/fail2ban.service.d/override.conf"
-  cat << EOF >>   "${TARGET}/etc/systemd/system/fail2ban.service.d/override.conf"
+  cat << EOF >>   "${var_target}/etc/systemd/system/fail2ban.service.d/override.conf"
 [Service]
 PrivateDevices=yes
 PrivateTmp=yes
@@ -214,33 +283,61 @@ ProtectClock=true
 ProtectHostname=true
 EOF
-  cat << 'EOF' >> "${TARGET}/etc/fail2ban/fail2ban.local"
+  cat << 'EOF' >> "${var_target}/etc/fail2ban/fail2ban.local"
 [Definition]
-logtarget = /var/log/fail2ban/fail2ban.log
+logtarget             = /var/log/fail2ban/fail2ban.log
 [Database]
 # Keep entries for at least 384 days to cover recidive findtime.
 dbpurgeage            = 384d
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
  ### Logrotate must be updated too.
-  mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/logrotate.d"
+  mkdir -p "${var_target}/root/.ciss/cdi/backup/etc/logrotate.d"
-  cp "${TARGET}/etc/logrotate.d/fail2ban" "${TARGET}/root/.ciss/cdi/backup/etc/logrotate.d/fail2ban.bak"
+  cp "${var_target}/etc/logrotate.d/fail2ban" "${var_target}/root/.ciss/cdi/backup/etc/logrotate.d/fail2ban.bak"
-  sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' "${TARGET}/etc/logrotate.d/fail2ban"
+  cat << EOF >| "${var_target}/etc/logrotate.d/fail2ban"
-  touch "${TARGET}/var/log/fail2ban/fail2ban.log"
+/var/log/fail2ban/fail2ban.log {
-  chmod 640 "${TARGET}/var/log/fail2ban/fail2ban.log"
+    daily
    rotate 384
    maxage 384
    notifempty
    dateext
    dateyesterday
    compress
    compresscmd /usr/bin/zstd
    compressext .zst
    compressoptions -20
    uncompresscmd /usr/bin/unzstd
    delaycompress
    shred
    missingok
    postrotate
        fail2ban-client flushlogs 1>/dev/null
    endscript
    # If fail2ban runs as non-root it still needs to have write access
    # to logfiles.
    # create 640 fail2ban adm
    create 640 root adm
 }
 EOF
  touch "${var_target}/var/log/fail2ban/fail2ban.log"
  chmod 0640 "${var_target}/var/log/fail2ban/fail2ban.log"
-  if [[ ! -f "${TARGET}/var/log/ufw.log" ]]; then
+  if [[ ! -f "${var_target}/var/log/ufw.log" ]]; then
-    install -d -m 0755 "${TARGET}/var/log"
+    install -d -m 0755 "${var_target}/var/log"
-    : >| "${TARGET}/var/log/ufw.log"
+    : >| "${var_target}/var/log/ufw.log"
-    chmod 0640 "${TARGET}/var/log/ufw.log"
+    chmod 0640 "${var_target}/var/log/ufw.log"
  fi
  ### Merge / Dump-Parse via 'fail2ban-client -d'. All '*.conf', '*.local', and 'jail.*'-files are read, inherited, and merged.
  ### Syntax, path, and key errors result in a non-zero exit.
-  chroot_script "${TARGET}" "
+  chroot_script "${var_target}" "
    fail2ban-client -d >> ${var_logfile} && echo "OK: config parsed" >> ${var_logfile} || echo "ERROR: config invalid" >> ${var_logfile}
  "
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4400_hardening/4430_hardening_files.sh
+++ b/func/cdi_4400_hardening/4430_hardening_files.sh
@@ -10,12 +10,15 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Hardening files and directories.
 # Globals:
-#   None
+#   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
 #   VAR_SETUP_PATH
 # Arguments:
 #   None
 # Returns:
@@ -23,22 +26,29 @@ guard_sourcing
 #######################################
 hardening_files() {
  declare     var_bin="" var_binary=""
  declare     var_target="${TARGET}"
-  chmod 0700 "${TARGET}/etc/cron.d" "${TARGET}/etc/cron.daily" "${TARGET}/etc/cron.hourly" "${TARGET}/etc/cron.monthly" \
+  ### Check for TARGET / RECOVERY.
-             "${TARGET}/etc/cron.weekly"
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
  chmod 0700 "${TARGET}/etc/sudoers.d"
  chmod 0700 "${TARGET}/etc/crontab"
-  [[ -f "${TARGET}/etc/cron.deny" ]] && rm "${TARGET}/etc/cron.deny"
+  chmod 0700 "${var_target}/etc/cron.d" "${var_target}/etc/cron.daily" "${var_target}/etc/cron.hourly" "${var_target}/etc/cron.monthly" \
             "${var_target}/etc/cron.weekly"
  chmod 0700 "${var_target}/etc/sudoers.d"
  chmod 0700 "${var_target}/etc/crontab"
-  rm -f "${TARGET}/etc/issue" "${TARGET}/etc/issue.net"
+  [[ -f "${var_target}/etc/cron.deny" ]] && rm "${var_target}/etc/cron.deny"
  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue" "${TARGET}/etc/issue"
  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue.net" "${TARGET}/etc/issue.net"
-  install -d -m 0700 -o root -g root "${TARGET}/root/.ansible"
+  ### /etc/issue ---------------------------------------------------------------------------------------------------------------
  rm -f "${var_target}/etc/issue" "${var_target}/etc/issue.net"
  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue" "${var_target}/etc/issue"
  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue.net" "${var_target}/etc/issue.net"
  ### /root/.ansible -----------------------------------------------------------------------------------------------------------
  install -d -m 0700 -o root -g root "${var_target}/root/.ansible"
  ### /usr/bin/compiler --------------------------------------------------------------------------------------------------------
  for var_bin in as gcc g++ cc clang; do
-    var_binary=$(readlink -f "${TARGET}/usr/bin/${var_bin}") || {
+    var_binary=$(readlink -f "${var_target}/usr/bin/${var_bin}") || {
      do_log "info" "file_only" "4430() Binary: '${var_bin}' not found, skipping."
      continue
    }
@@ -47,7 +57,17 @@ hardening_files() {
    }
  done
-  guard_dir && return 0
+  ### /etc/update-motd.d/10-uname ----------------------------------------------------------------------------------------------
  mkdir -p "${var_target}/root/.ciss/cdi/backup/etc/update-motd.d"
  cp -af "${var_target}/etc/update-motd.d/10-uname" "${var_target}/root/.ciss/cdi/backup/etc/update-motd.d/10-uname"
  cat << 'EOF' >| "${var_target}/etc/update-motd.d/10-uname"
 #!/bin/sh
 uname -snrm
 EOF
  chmod 0755 /etc/update-motd.d/10-uname
  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4400_hardening/4440_hardening_haveged.sh
+++ b/func/cdi_4400_hardening/4440_hardening_haveged.sh
@@ -10,21 +10,29 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Hardening haveged.
 # Globals:
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 hardening_haveged() {
-  insert_header   "${TARGET}/etc/default/haveged"
+  ### Declare Arrays, HashMaps, and Variables.
-  insert_comments "${TARGET}/etc/default/haveged"
+  declare    var_target="${TARGET}"
-  cat << EOF >>   "${TARGET}/etc/default/haveged"
+
  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
  insert_header   "${var_target}/etc/default/haveged"
  insert_comments "${var_target}/etc/default/haveged"
  cat << EOF >>   "${var_target}/etc/default/haveged"
 # Configuration file for haveged
 # Minimal, sane defaults for server/headless systems.
 # -w <bits> : target entropy level in bits; 1024 ensures fast pool fill on boot
@@ -36,6 +44,9 @@ DAEMON_ARGS="-w 2048 -v 1"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f hardening_haveged
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4400_hardening/4442_hardening_jitterentropy.sh
+++ b/func/cdi_4400_hardening/4442_hardening_jitterentropy.sh
@@ -0,0 +1,45 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Hardening hardening_jitterentropy.
 # Globals:
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 hardening_jitterentropy() {
  declare    var_target="${TARGET}"
  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
  mkdir -p "${var_target}/etc/systemd/system/jitterentropy-rngd.service.d"
  cat << EOF >> "${var_target}/etc/systemd/system/jitterentropy-rngd.service.d/override.conf"
 [Service]
 ExecStart=
 ExecStart=/usr/sbin/jitterentropy-rngd --osr=2
 EOF
  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f hardening_jitterentropy
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4400_hardening/4445_hardening_logrotate.sh
+++ b/func/cdi_4400_hardening/4445_hardening_logrotate.sh
@@ -10,12 +10,14 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
-# Hardening logrotate.
+# Hardening '/etc/logrotate'.
 # Globals:
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
 # Arguments:
 #   None
 # Returns:
@@ -23,36 +25,60 @@ guard_sourcing
 #######################################
 hardening_logrotate() {
  ### Declare Arrays, HashMaps, and Variables.
-  declare -ar  ary_logrotate=( "alternatives" "apt" "btmp" "chrony" "dpkg" "fail2ban" "rkhunter" "ufw" "unattended-upgrades" "usbguard")
+  declare     var_target="${TARGET}"
  declare      var_file="" var_log=""
-  rm -f           "${TARGET}/etc/logrotate.conf"
+  ### Check for TARGET / RECOVERY.
-  insert_header   "${TARGET}/etc/logrotate.conf"
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
-  insert_comments "${TARGET}/etc/logrotate.conf"
+
-  cat << EOF >>   "${TARGET}/etc/logrotate.conf"
+  rm -f           "${var_target}/etc/logrotate.conf"
  insert_header   "${var_target}/etc/logrotate.conf"
  insert_comments "${var_target}/etc/logrotate.conf"
  cat << EOF >>   "${var_target}/etc/logrotate.conf"
 # See "man logrotate" for details. Global options do not affect preceding include directives.
-# rotate log files daily
+# Rotate log files daily
 daily
-# keep 128 daily worth of backlogs
+# Keep 384 daily worth of backlogs.
-rotate 128
+rotate 384
-# hard cap: delete rotated logs older than 384 days
+# Hard cap: delete rotated logs older than 384 days.
 maxage 384
-# create new (empty) log files after rotating old ones
+# Do not rotate the log if it is empty (this overrides the ifempty option).
 notifempty
 # Create new (empty) log files after rotating old ones.
 create
-# use date as a suffix of the rotated file
+# Use date as a suffix of the rotated file.
 dateext
-# gzip older rotations
+# Use yesterday's instead of today's date to create the dateext extension, so that the rotated log file has a date in its name
 # that is the same as the timestamps within it.
 dateyesterday
 # Enable compression
 compress
-# keep the most recent rotation uncompressed for one cycle
+# Use zstd instead of gzip.
 compresscmd /usr/bin/zstd
 # File extension for compressed logs.
 compressext .zst
 # Set zstd level 3 (default).
 compressoptions -20
 # How to decompress for 'logrotate -d' or similar.
 uncompresscmd /usr/bin/unzstd
 # Keep the most recent rotation uncompressed for one cycle.
 delaycompress
 # Delete log files using shred -u instead of unlink().
 shred
 # packages drop log rotation information into this directory
 include /etc/logrotate.d
@@ -61,16 +87,9 @@ include /etc/logrotate.d
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
-  for var_log in "${ary_logrotate[@]}"; do
+  guard_dir; return 0
    var_file="${TARGET}/etc/logrotate.d/${var_log}"
    [[ -e "${var_file}" ]] || continue
    ### Replace leading 'monthly'/'weekly' directives with 'daily', preserving indentation and trailing comments.
    sed -E -i \
      -e 's/^([[:space:]]*)(monthly|weekly)([[:space:]]*)(#.*)?$/\1daily\3\4/' \
      -e 's/^([[:space:]]*)rotate([[:space:]]+[0-9]+)?([[:space:]]*)(#.*)?$/\1rotate 128\3\4/' \
      "${var_file}"
  done
  guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f hardening_logrotate
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4400_hardening/4450_hardening_memory.sh
+++ b/func/cdi_4400_hardening/4450_hardening_memory.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # NOTE:
@@ -43,22 +43,27 @@ guard_sourcing
 #   '/etc/pam.d/common-session'
 #   '/etc/pam.d/common-session-noninteractive'
 # Globals:
 #   RECOVERY
 #   TARGET
-#   VAR_ARCHITECTURE
+#   VAR_RUN_RECOVERY
 #   VAR_CODENAME
 #   VAR_VERSION
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 hardening_memory() {
-  mkdir -p "${TARGET}/etc/systemd/coredump.conf.d"
+  ### Declare Arrays, HashMaps, and Variables.
-  mkdir -p "${TARGET}/etc/systemd/system.conf.d"
+  declare     var_target="${TARGET}"
-  insert_header   "${TARGET}/etc/security/limits.d/99-ciss-core.conf"
+  ### Check for TARGET / RECOVERY.
-  insert_comments "${TARGET}/etc/security/limits.d/99-ciss-core.conf"
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
-  cat << 'EOF' >> "${TARGET}/etc/security/limits.d/99-ciss-core.conf"
+
  mkdir -p "${var_target}/etc/systemd/coredump.conf.d"
  mkdir -p "${var_target}/etc/systemd/system.conf.d"
  insert_header   "${var_target}/etc/security/limits.d/99-ciss-core.conf"
  insert_comments "${var_target}/etc/security/limits.d/99-ciss-core.conf"
  cat << 'EOF' >> "${var_target}/etc/security/limits.d/99-ciss-core.conf"
 # Enforce: no core dumps for all logins by default.
 # Format: <domain> <type> <item> <value>
 *     hard core 0
@@ -70,9 +75,9 @@ root  soft core 0
 EOF
-  insert_header   "${TARGET}/etc/systemd/coredump.conf.d/disable.conf"
+  insert_header   "${var_target}/etc/systemd/coredump.conf.d/disable.conf"
-  insert_comments "${TARGET}/etc/systemd/coredump.conf.d/disable.conf"
+  insert_comments "${var_target}/etc/systemd/coredump.conf.d/disable.conf"
-  cat << 'EOF' >> "${TARGET}/etc/systemd/coredump.conf.d/disable.conf"
+  cat << 'EOF' >> "${var_target}/etc/systemd/coredump.conf.d/disable.conf"
 ### Do not store core images anywhere, keep the at most minimal metadata.
 [Coredump]
@@ -85,30 +90,41 @@ JournalSizeMax=0
 EOF
-  [[ -f  "${TARGET}/etc/systemd/system.conf.d/10-coredump-debian.conf" ]] && \
+  [[ -f  "${var_target}/etc/systemd/system.conf.d/10-coredump-debian.conf" ]] && \
-    mv "${TARGET}/etc/systemd/system.conf.d/10-coredump-debian.conf" "${TARGET}/etc/systemd/system.conf.d/10-coredump-debian.conf.bak"
+    mv "${var_target}/etc/systemd/system.conf.d/10-coredump-debian.conf" "${var_target}/etc/systemd/system.conf.d/10-coredump-debian.conf.bak"
-  insert_header   "${TARGET}/etc/systemd/system.conf.d/99-ciss-core.conf"
+  insert_header   "${var_target}/etc/systemd/system.conf.d/99-ciss-core.conf"
-  insert_comments "${TARGET}/etc/systemd/system.conf.d/99-ciss-core.conf"
+  insert_comments "${var_target}/etc/systemd/system.conf.d/99-ciss-core.conf"
-  cat << 'EOF' >> "${TARGET}/etc/systemd/system.conf.d/99-ciss-core.conf"
+  cat << 'EOF' >> "${var_target}/etc/systemd/system.conf.d/99-ciss-core.conf"
 [Manager]
 DefaultLimitCORE=0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
-  guard_pam_limits
+  ### Unified in 4520()
  #   - write_pam_login()
  #   - write_pam_sshd()
  #   - write_pam_su()
  #   - write_pam_sudo()
  #   - write_pam_sudo-i()
  # guard_pam_limits
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f hardening_memory
 #######################################
 # Ensure 'pam_limits.so' is activated in:
 #   '/etc/pam.d/common-session'
 #   '/etc/pam.d/common-session-noninteractive'
 # Globals:
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
 # Arguments:
 #   None
 # Returns:
@@ -116,8 +132,13 @@ EOF
 #######################################
 guard_pam_limits() {
  ### Declare Arrays, HashMaps, and Variables.
-  declare     var_file_0="${TARGET}/etc/pam.d/common-session"
+  declare     var_target="${TARGET}"
-  declare     var_file_1="${TARGET}/etc/pam.d/common-session-noninteractive"
+
  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
  declare     var_file_0="${var_target}/etc/pam.d/common-session"
  declare     var_file_1="${var_target}/etc/pam.d/common-session-noninteractive"
  declare     var_line='session required pam_limits.so' var_file=""
  declare -i  var_changed=0
@@ -156,6 +177,9 @@ guard_pam_limits() {
  (( var_changed )) && do_log "info" "file_only" "4460() Activated pam_limits.so: (common-session[*])"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f guard_pam_limits
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4400_hardening/4460_hardening_openssl.sh
+++ b/func/cdi_4400_hardening/4460_hardening_openssl.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Hardening OpenSSL library defaults (system-wide), TLSv1.2-, TLSv1.3-, AES-256-only.
@@ -30,6 +30,9 @@ hardening_openssl() {
  insert_comments "${TARGET}/etc/ssl/openssl.cnf"
  cat "${VAR_SETUP_PATH}/includes/target/etc/ssl/openssl.cnf" >> "${TARGET}/etc/ssl/openssl.cnf"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f hardening_openssl
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4400_hardening/4470_hardening_ufw.sh
+++ b/func/cdi_4400_hardening/4470_hardening_ufw.sh
@@ -10,12 +10,15 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Hardening 'ufw'.
 # Globals:
 #   RECOVERY
 #   TARGET
 #   VAR_FINAL_NIC
 #   VAR_RUN_RECOVERY
 #   VAR_SSH_PORT
 #   VAR_UFW_OUT
 # Arguments:
@@ -26,15 +29,22 @@ guard_sourcing
 hardening_ufw() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_logfile="/root/.ciss/cdi/log/4470_hardening_ufw.log"
  declare     var_target="${TARGET}"
-  chroot_logger "${TARGET}${var_logfile}"
+  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
-  if [[ ! -f "${TARGET}/var/log/ufw.log" ]]; then
+  declare -r  var_rules="${var_target}/etc/ufw/before6.rules"
-    touch "${TARGET}/var/log/ufw.log"
+
-    chmod 0640 "${TARGET}/var/log/ufw.log"
+
  chroot_logger "${var_target}${var_logfile}"
  if [[ ! -f "${var_target}/var/log/ufw.log" ]]; then
    touch "${var_target}/var/log/ufw.log"
    chmod 0640 "${var_target}/var/log/ufw.log"
  fi
-  chroot_script "${TARGET}" "
+  chroot_script "${var_target}" "
    ufw --force reset
    ufw logging medium
    ufw default deny incoming
@@ -47,7 +57,7 @@ hardening_ufw() {
  ### Ensure that a standard set of the most commonly used ports are open if a default-'deny'-outbound policy is selected.
  if [[ "${VAR_UFW_OUT}" = "deny" ]]; then
-    chroot_script "${TARGET}" "
+    chroot_script "${var_target}" "
      ufw allow out   21/tcp comment 'Outgoing FTP'
      ufw allow out   22/tcp comment 'Outgoing SSH'
      ufw allow out   25/tcp comment 'Outgoing SMTP'
@@ -70,16 +80,31 @@ hardening_ufw() {
  fi
  ### Allowing ICMP IPv4 outgoing per default.
-  sed -i "/# ok icmp code for FORWARD/i \# ok icmp codes for OUTPUT" "${TARGET}/etc/ufw/before.rules"
+  sed -i "/# ok icmp code for FORWARD/i \# ok icmp codes for OUTPUT" "${var_target}/etc/ufw/before.rules"
-  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT" "${TARGET}/etc/ufw/before.rules"
+  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT" "${var_target}/etc/ufw/before.rules"
-  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT" "${TARGET}/etc/ufw/before.rules"
+  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT" "${var_target}/etc/ufw/before.rules"
-  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type parameter-problem -j ACCEPT" "${TARGET}/etc/ufw/before.rules"
+  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type parameter-problem -j ACCEPT" "${var_target}/etc/ufw/before.rules"
-  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT" "${TARGET}/etc/ufw/before.rules"
+  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT" "${var_target}/etc/ufw/before.rules"
-  chroot_script "${TARGET}" "echo 'y' | ufw enable 2>&1"
+  ### Remove previous custom blocks (idempotent).
  sed -i "/^# BEGIN custom MLD rules/,/^# END custom MLD rules/d" "${var_rules}"
  sed -i "/^# BEGIN custom MLD OUTPUT rules/,/^# END custom MLD OUTPUT rules/d" "${var_rules}"
-  chroot_script "${TARGET}" "ufw status verbose >> ${var_logfile}"
+  ### Inbound MLD (INPUT chain), insert before the existing echo-request rule.
  ### Allows MLDv1 (130/131/132) and MLDv2 (143) to link-local multicast (ff02::/16)
  sed -i "/-A ufw6-before-input .*--icmpv6-type echo-request -j ACCEPT/i # BEGIN custom MLD rules\n-A ufw6-before-input -i ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 130 -d ff02::/16 -j ACCEPT\n-A ufw6-before-input -i ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 131 -d ff02::/16 -j ACCEPT\n-A ufw6-before-input -i ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 132 -d ff02::/16 -j ACCEPT\n-A ufw6-before-input -i ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 143 -d ff02::/16 -j ACCEPT\n# END custom MLD rules" "${var_rules}"
-  guard_dir && return 0
+  ### Outbound MLD (OUTPUT chain), insert before echo-request.
  ### Useful if local daemons join multicast groups, and you want clean logs.
  sed -i "/-A ufw6-before-output .*--icmpv6-type echo-request -j ACCEPT/i # BEGIN custom MLD OUTPUT rules\n-A ufw6-before-output -o ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 131 -d ff02::/16 -j ACCEPT\n-A ufw6-before-output -o ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 143 -d ff02::/16 -j ACCEPT\n# END custom MLD OUTPUT rules" "${var_rules}"
  chroot_script "${var_target}" "echo 'y' | ufw enable 2>&1"
  chroot_script "${var_target}" "ufw status verbose >> ${var_logfile}"
  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f hardening_ufw
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4400_hardening/4480_hardening_usb.sh
+++ b/func/cdi_4400_hardening/4480_hardening_usb.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Hardening 'usb-guard'.
@@ -30,6 +30,7 @@ hardening_usb() {
  ### Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests usbguard 2>&1 | tee -a ${var_logfile}
    touch /tmp/rules.conf
@@ -54,7 +55,7 @@ hardening_usb() {
    #sed -i 's/PresentDevicePolicy=apply-policy/PresentDevicePolicy=allow/' /etc/usbguard/usbguard-daemon.conf
  "
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4400_hardening/4490_hardening_virus.sh
+++ b/func/cdi_4400_hardening/4490_hardening_virus.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Installing anti-rootkit and antivirus packages.
@@ -29,10 +29,11 @@ hardening_virus() {
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests rkhunter 2>&1 | tee -a ${var_logfile}
  "
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4500_user/4500_accounts_preparation.sh
+++ b/func/cdi_4500_user/4500_accounts_preparation.sh
@@ -10,13 +10,15 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
-# Prepare '/etc/skel'-Directory.
+# Account generation preparation.
 # Globals:
 #   RECOVERY
 #   TARGET
-#   VAR_SETUP_PATH
+#   VAR_RUN_RECOVERY
 #   VAR_USER_ROOT_SPECIFIC
 # Arguments:
 #   None
 # Returns:
@@ -24,40 +26,35 @@ guard_sourcing
 #######################################
 accounts_preparation() {
  ### Declare Arrays, HashMaps, and Variables.
-  declare -r  var_logfile="/root/.ciss/cdi/log/4130_installation_toolset.log"
+  declare -r  var_logfile="/root/.ciss/cdi/log/4500_accounts_preparation.sh.log"
  declare     var_target="${TARGET}"
-  chroot_logger "${TARGET}${var_logfile}"
+  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
-  chroot_script "${TARGET}" "
+  chroot_logger "${var_target}${var_logfile}"
  chroot_script "${var_target}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests bash-completion fzf 2>&1 | tee -a ${var_logfile}
  "
-  mkdir -p "${TARGET}/etc/skel/.ciss"
+  mkdir -p "${var_target}/etc/skel/.ciss"
-  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${TARGET}/etc/skel/.bashrc"
+  case "${VAR_USER_ROOT_SPECIFIC}" in
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/etc/skel/.zshrc"
  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/check_chrony.sh" "${TARGET}/etc/skel/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/theme_eza_ciss.yml" "${TARGET}/etc/skel/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/alias" "${TARGET}/etc/skel/.ciss/alias"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/clean_logout.sh" "${TARGET}/etc/skel/.ciss/clean_logout.sh"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/f2bchk.sh" "${TARGET}/etc/skel/.ciss/f2bchk.sh"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/scan_libwrap" "${TARGET}/etc/skel/.ciss/scan_libwrap"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/shortcuts" "${TARGET}/etc/skel/.ciss/shortcuts"
-  insert_comments "${TARGET}/etc/skel/.bashrc"
+    "ciss"   ) accounts_preparation_ciss ;;
  insert_comments "${TARGET}/etc/skel/.zshrc"
  insert_comments "${TARGET}/etc/skel/.ciss/alias"
  insert_comments "${TARGET}/etc/skel/.ciss/clean_logout.sh"
  insert_comments "${TARGET}/etc/skel/.ciss/f2bchk.sh"
  insert_comments "${TARGET}/etc/skel/.ciss/scan_libwrap"
  insert_comments "${TARGET}/etc/skel/.ciss/shortcuts"
-  ### In order to be able to copy/paste from vim, one needs to create a '.vimrc' in every home directory with the following content:
+    "physnet") accounts_preparation_physnet ;;
  echo 'set clipboard=unnamed' >| "${TARGET}/etc/skel/.vimrc"
  chmod 0600 "${TARGET}/etc/skel/.vimrc"
-  guard_dir && return 0
+    "none"   ) do_log "info" "file_only" "4500() Account preparation [none] selected." ;;
    *        ) do_log "warn" "file_only" "4500() Account preparation nothing selected. Keeping defaults." ;;
  esac
  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4500_user/4501_accounts_preparation_ciss.sh
+++ b/func/cdi_4500_user/4501_accounts_preparation_ciss.sh
@@ -0,0 +1,66 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Account preparation CISS specific.
 # Globals:
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
 #   VAR_SETUP_PATH
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 accounts_preparation_ciss() {
  ### Declare Arrays, HashMaps, and Variables.
  declare     var_target="${TARGET}"
  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
  install -d -m 0755 -- "${var_target}/etc/skel/.cache"
  install -d -m 0755 -- "${var_target}/etc/skel/.config"
  install -d -m 0755 -- "${var_target}/etc/skel/.local/share"
  install -d -m 0755 -- "${var_target}/etc/skel/.local/state"
  install -d -m 0755 -- "${var_target}/etc/skel/.local/state/bash"
  install -d -m 0755 -- "${var_target}/etc/skel/.local/state/less"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss.bashrc" "${var_target}/etc/skel/.bashrc"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss.zshrc" "${var_target}/etc/skel/.zshrc"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshenv" "${var_target}/etc/skel/.zshenv"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/theme_eza_ciss.yml" "${var_target}/etc/skel/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/alias" "${var_target}/etc/skel/.ciss/"
  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/check_chrony.sh" "${var_target}/etc/skel/.ciss/"
  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/clean_logout.sh" "${var_target}/etc/skel/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/f2bchk" "${var_target}/etc/skel/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/scan_libwrap" "${var_target}/etc/skel/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/shortcuts" "${var_target}/etc/skel/.ciss/"
  insert_comments "${var_target}/etc/skel/.bashrc"
  insert_comments "${var_target}/etc/skel/.zshrc"
  insert_comments "${var_target}/etc/skel/.ciss/alias"
  insert_comments "${var_target}/etc/skel/.ciss/check_chrony.sh"
  insert_comments "${var_target}/etc/skel/.ciss/clean_logout.sh"
  insert_comments "${var_target}/etc/skel/.ciss/f2bchk"
  insert_comments "${var_target}/etc/skel/.ciss/scan_libwrap"
  insert_comments "${var_target}/etc/skel/.ciss/shortcuts"
  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f accounts_preparation_ciss
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4500_user/4502_accounts_preparation_physnet.sh
+++ b/func/cdi_4500_user/4502_accounts_preparation_physnet.sh
@@ -0,0 +1,65 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Account preparation PHYSNET specific.
 # Globals:
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
 #   VAR_SETUP_PATH
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 accounts_preparation_physnet() {
  ### Declare Arrays, HashMaps, and Variables.
  declare     var_target="${TARGET}"
  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
  install -d -m 0755 -- "${var_target}/etc/skel/.cache"
  install -d -m 0755 -- "${var_target}/etc/skel/.config"
  install -d -m 0755 -- "${var_target}/etc/skel/.local/share"
  install -d -m 0755 -- "${var_target}/etc/skel/.local/state"
  install -d -m 0755 -- "${var_target}/etc/skel/.local/state/bash"
  install -d -m 0755 -- "${var_target}/etc/skel/.local/state/less"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.physnet.bashrc" "${var_target}/etc/skel/.bashrc"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.physnet.zshrc" "${var_target}/etc/skel/.zshrc"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/theme_eza_ciss.yml" "${var_target}/etc/skel/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/alias" "${var_target}/etc/skel/.ciss/"
  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/check_chrony.sh" "${var_target}/etc/skel/.ciss/"
  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/clean_logout.sh" "${var_target}/etc/skel/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/f2bchk" "${var_target}/etc/skel/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/scan_libwrap" "${var_target}/etc/skel/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/shortcuts" "${var_target}/etc/skel/.ciss/"
  insert_comments "${var_target}/etc/skel/.bashrc"
  insert_comments "${var_target}/etc/skel/.zshrc"
  insert_comments "${var_target}/etc/skel/.ciss/alias"
  insert_comments "${var_target}/etc/skel/.ciss/check_chrony.sh"
  insert_comments "${var_target}/etc/skel/.ciss/clean_logout.sh"
  insert_comments "${var_target}/etc/skel/.ciss/f2bchk"
  insert_comments "${var_target}/etc/skel/.ciss/scan_libwrap"
  insert_comments "${var_target}/etc/skel/.ciss/shortcuts"
  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f accounts_preparation_physnet
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4500_user/4510_accounts_hardening.sh
+++ b/func/cdi_4500_user/4510_accounts_hardening.sh
@@ -10,12 +10,14 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Hardening accounts: Google TOTP, Wordlists, masking ttys, expiration of accounts.
 # Globals:
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
 #   VAR_SETUP_PATH
 # Arguments:
 #   None
@@ -26,24 +28,30 @@ accounts_hardening() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -a  ary_security_pkgs=()
  declare -r  var_logfile="/root/.ciss/cdi/log/4510_accounts_hardening.log"
  declare     var_target="${TARGET}"
-  chroot_logger "${TARGET}${var_logfile}"
+  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
  chroot_logger "${var_target}${var_logfile}"
  ### Installing Google TOTP, Wordlists.
  ary_security_pkgs=( "libpam-google-authenticator" "wamerican" "wbritish" "wfrench" "wngerman" )
-  chroot_script "${TARGET}" "
+  chroot_script "${var_target}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests ${ary_security_pkgs[*]} 2>&1 | tee -a ${var_logfile}
  "
  ### Preparing 2fa hardening.
-  install -d -m 0755 -o root -g root "${TARGET}/etc/ciss"
+  install -d -m 0755 -o root -g root "${var_target}/etc/ciss"
-  touch "${TARGET}/etc/ciss/2fa.users"
+  insert_header   "${var_target}/etc/ciss/2fa.map"
-  chmod 0640 "${TARGET}/etc/ciss/2fa.users"
+  insert_comments "${var_target}/etc/ciss/2fa.map"
  chmod 0644      "${var_target}/etc/ciss/2fa.map"
  ### Keep 'tty1' active, disable the rest.
  # shellcheck disable=SC2016
-  chroot_script "${TARGET}" '
+  chroot_script "${var_target}" '
    systemctl unmask getty@tty1.service
    systemctl enable getty@tty1.service
    for t in tty2 tty3 tty4 tty5 tty6; do
@@ -52,7 +60,7 @@ accounts_hardening() {
    systemctl mask serial-getty@.service
  '
-  chroot_script "${TARGET}" "
+  chroot_script "${var_target}" "
    if [[ ! -f /etc/securetty ]]; then
      touch /etc/securetty
      chmod 0600 /etc/securetty
@@ -61,43 +69,47 @@ accounts_hardening() {
  "
  ### Hardening file permissions.
-  chown root:root   "${TARGET}/etc/passwd" "${TARGET}/etc/group"
+  chown root:root   "${var_target}/etc/passwd" "${var_target}/etc/group"
-  chown root:shadow "${TARGET}/etc/shadow" "${TARGET}/etc/gshadow"
+  chown root:shadow "${var_target}/etc/shadow" "${var_target}/etc/gshadow"
-  chmod 0644 "${TARGET}/etc/passwd" "${TARGET}/etc/group"
+  chmod 0644        "${var_target}/etc/passwd" "${var_target}/etc/group"
-  chmod 0640 "${TARGET}/etc/shadow" "${TARGET}/etc/gshadow"
+  chmod 0640        "${var_target}/etc/shadow" "${var_target}/etc/gshadow"
-  chmod 0600 "${TARGET}/etc/security/access.conf"
+  chmod 0600        "${var_target}/etc/security/access.conf"
  ### Hardening '/etc/login.defs'.
-  mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc"
+  mkdir -p        "${var_target}/root/.ciss/cdi/backup/etc"
-  mv "${TARGET}/etc/login.defs" "${TARGET}/root/.ciss/cdi/backup/etc/login.defs.bak"
+  mv              "${var_target}/etc/login.defs" "${var_target}/root/.ciss/cdi/backup/etc/login.defs.bak"
-  insert_header   "${TARGET}/etc/login.defs"
+  insert_header   "${var_target}/etc/login.defs"
-  insert_comments "${TARGET}/etc/login.defs"
+  insert_comments "${var_target}/etc/login.defs"
-  cat "${VAR_SETUP_PATH}/includes/target/etc/login.defs" >> "${TARGET}/etc/login.defs"
+  cat             "${VAR_SETUP_PATH}/includes/target/etc/login.defs" >> "${var_target}/etc/login.defs"
  ### Hardening '/etc/security/pwquality.conf'.
-  mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/security"
+  mkdir -p        "${var_target}/root/.ciss/cdi/backup/etc/security"
-  mv "${TARGET}/etc/security/pwquality.conf" "${TARGET}/root/.ciss/cdi/backup/etc/security/pwquality.conf.bak"
+  mv              "${var_target}/etc/security/pwquality.conf" "${var_target}/root/.ciss/cdi/backup/etc/security/pwquality.conf.bak"
-  insert_header   "${TARGET}/etc/security/pwquality.conf"
+  insert_header   "${var_target}/etc/security/pwquality.conf"
-  insert_comments "${TARGET}/etc/security/pwquality.conf"
+  insert_comments "${var_target}/etc/security/pwquality.conf"
-  cat "${VAR_SETUP_PATH}/includes/target/etc/security/pwquality.cnf" >> "${TARGET}/etc/security/pwquality.conf"
+  cat             "${VAR_SETUP_PATH}/includes/target/etc/security/pwquality.cnf" >> "${var_target}/etc/security/pwquality.conf"
  ### Hardening '/etc/security/access.conf'.
-  mv "${TARGET}/etc/security/access.conf" "${TARGET}/root/.ciss/cdi/backup/etc/security/access.conf.bak"
+  mv              "${var_target}/etc/security/access.conf" "${var_target}/root/.ciss/cdi/backup/etc/security/access.conf.bak"
-  insert_header   "${TARGET}/etc/security/access.conf"
+  insert_header   "${var_target}/etc/security/access.conf"
-  insert_comments "${TARGET}/etc/security/access.conf"
+  insert_comments "${var_target}/etc/security/access.conf"
-  cat "${VAR_SETUP_PATH}/includes/target/etc/security/access.cnf" >> "${TARGET}/etc/security/access.conf"
+  cat             "${VAR_SETUP_PATH}/includes/target/etc/security/access.cnf" >> "${var_target}/etc/security/access.conf"
  ### Hardening password expiration; defaults to 16,384 days.
  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/chroot/hooks/4510_password_expiration.hooks.sh" \
-    "${TARGET}/root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh"
+    "${var_target}/root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh"
  if ! chroot_script "${var_target}" "/root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh" "emergency"; then
    do_log "warn" "file_only" "4510() Command: [chroot_script ${var_target} /root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh emergency] failed."
  if ! chroot_script "${TARGET}" "/root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh" "emergency"; then
    do_log "warn" "file_only" "4510() Command: [chroot_script ${TARGET} /root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh emergency] failed."
  else
-    do_log "debug" "file_only" "4510() Command: [chroot_script ${TARGET} /root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh emergency] successful."
+
    do_log "debug" "file_only" "4510() Command: [chroot_script ${var_target} /root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh emergency] successful."
  fi
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4500_user/4520_accounts_setup.sh
+++ b/func/cdi_4500_user/4520_accounts_setup.sh
--- a/func/cdi_4500_user/4521_accounts_setup_ciss.sh
+++ b/func/cdi_4500_user/4521_accounts_setup_ciss.sh
@@ -0,0 +1,144 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Account setup CISS specific.
 # Globals:
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
 #   VAR_SETUP_PATH
 #   user_root_shell
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 accounts_setup_ciss_root() {
  ### Declare Arrays, HashMaps, and Variables.
  declare     var_target="${TARGET}"
  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
  install -d -m 0700 -o root -g root "${var_target}/root/.ssh"
  install -m 0600 -o root -g root /dev/null "${var_target}/root/.ssh/authorized_keys"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss.bashrc" "${var_target}/root/.bashrc"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/theme_eza_ciss.yml" "${var_target}/root/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/alias" "${var_target}/root/.ciss/"
  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/check_chrony.sh" "${var_target}/root/.ciss/"
  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/clean_logout.sh" "${var_target}/root/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/f2bchk" "${var_target}/root/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/scan_libwrap" "${var_target}/root/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/shortcuts" "${var_target}/root/.ciss/"
  insert_comments "${var_target}/root/.bashrc"
  insert_comments "${var_target}/root/.ciss/alias"
  insert_comments "${var_target}/root/.ciss/check_chrony.sh"
  insert_comments "${var_target}/root/.ciss/clean_logout.sh"
  insert_comments "${var_target}/root/.ciss/f2bchk"
  insert_comments "${var_target}/root/.ciss/scan_libwrap"
  insert_comments "${var_target}/root/.ciss/shortcuts"
  if [[ "${user_root_shell}" == "/bin/zsh" ]]; then
    if [[ -x "${var_target}${user_root_shell}" ]]; then
      zsh_omz_installer "root" "${var_target}"
      mkdir -p "${var_target}/root/.ciss/cdi/backup/root"
      mv "${var_target}/root/.zshrc" "${var_target}/root/.ciss/cdi/backup/root/.zshrc.bak"
      install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss.zshrc" "${var_target}/root/.zshrc"
      install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.zshenv" "${var_target}/root/.zshenv"
      insert_comments "${var_target}/root/.zshrc"
      insert_comments "${var_target}/root/.zshenv"
      chroot_exec "${var_target}" chsh -s "${user_root_shell}" root
      do_log "info" "file_only" "4520() Shell: '${user_root_shell}' used for: 'root'."
    else
      chroot_exec "${var_target}" chsh -s /bin/bash root
      do_log "info" "file_only" "4520() Shell: '${user_root_shell}' not found for: 'root'. Using '/bin/bash' instead."
    fi
  fi
  do_log "info" "file_only" "4520() Skeleton: 'root' successfully generated."
  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f accounts_setup_ciss_root
 #######################################
 # Generates user account skeleton and activates chosen bash / zsh.
 # Globals:
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
 #   VAR_SETUP_PATH
 # Arguments:
 #   1: var_uid
 #   2: var_gid
 #   3: var_username
 #   4: var_shell
 # Returns:
 #   0: on success
 #######################################
 accounts_setup_ciss_user() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_uid="${1}" var_gid="${2}" var_username="${3}" var_shell="${4}"
  declare     var_target="${TARGET}"
  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
  install -d -m 0700 -o "${var_uid}" -g "${var_gid}" "${var_target}/home/${var_username}/.ssh"
  install -m 0600 -o "${var_uid}" -g "${var_gid}" /dev/null "${var_target}/home/${var_username}/.ssh/authorized_keys"
  install -m 0600 -o "${var_uid}" -g "${var_gid}" "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss.bashrc" "${var_target}/home/${var_username}/.bashrc"
  if [[ "${var_shell}" == "/bin/zsh" ]]; then
    if [[ -x "${var_target}${var_shell}" ]]; then
      zsh_omz_installer "${var_username}" "${var_target}"
      mv "${var_target}/home/${var_username}/.zshrc" "${var_target}/home/${var_username}/.zshrc.bak"
      install -m 0600 -o "${var_uid}" -g "${var_gid}" "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss.zshrc" "${var_target}/home/${var_username}/.zshrc"
      install -m 0600 -o "${var_uid}" -g "${var_gid}" "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshenv" "${var_target}/home/${var_username}/.zshenv"
      insert_comments "${var_target}/home/${var_username}/.zshrc"
      insert_comments "${var_target}/home/${var_username}/.zshenv"
      chroot_exec "${var_target}" chsh -s "${var_shell}" "${var_username}"
      do_log "info" "file_only" "4520() Shell: '${var_shell}' used for: '${var_username}'."
    else
      chroot_exec "${var_target}" chsh -s /bin/bash "${var_username}"
      do_log "info" "file_only" "4520() Shell: '${var_shell}' not found for: '${var_username}'. Using '/bin/bash' instead."
    fi
  fi
  do_log "info" "file_only" "4520() Skeleton: '${var_username}' successfully generated."
  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f accounts_setup_ciss_user
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4500_user/4522_accounts_setup_physnet.sh
+++ b/func/cdi_4500_user/4522_accounts_setup_physnet.sh
@@ -0,0 +1,139 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Account setup PHYSNET specific.
 # Globals:
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
 #   VAR_SETUP_PATH
 #   user_root_shell
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 accounts_setup_physnet_root() {
  ### Declare Arrays, HashMaps, and Variables.
  declare     var_target="${TARGET}"
  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
  install -d -m 0700 -o root -g root "${var_target}/root/.ssh"
  install -m 0600 -o root -g root /dev/null "${var_target}/root/.ssh/authorized_keys"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.physnet.bashrc" "${var_target}/root/.bashrc"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/theme_eza_ciss.yml" "${var_target}/root/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/alias" "${var_target}/root/.ciss/"
  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/check_chrony.sh" "${var_target}/root/.ciss/"
  install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/clean_logout.sh" "${var_target}/root/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/f2bchk" "${var_target}/root/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/scan_libwrap" "${var_target}/root/.ciss/"
  install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/shortcuts" "${var_target}/root/.ciss/"
  insert_comments "${var_target}/root/.bashrc"
  insert_comments "${var_target}/root/.ciss/alias"
  insert_comments "${var_target}/root/.ciss/check_chrony.sh"
  insert_comments "${var_target}/root/.ciss/clean_logout.sh"
  insert_comments "${var_target}/root/.ciss/f2bchk"
  insert_comments "${var_target}/root/.ciss/scan_libwrap"
  insert_comments "${var_target}/root/.ciss/shortcuts"
  if [[ "${user_root_shell}" == "/bin/zsh" ]]; then
    if [[ -x "${var_target}${user_root_shell}" ]]; then
      zsh_omz_installer "root" "${var_target}"
      mkdir -p "${var_target}/root/.ciss/cdi/backup/root"
      mv "${var_target}/root/.zshrc" "${var_target}/root/.ciss/cdi/backup/root/.zshrc.bak"
      install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.physnet.zshrc" "${var_target}/root/.zshrc"
      insert_comments "${var_target}/root/.zshrc"
      chroot_exec "${var_target}" chsh -s "${user_root_shell}" root
      do_log "info" "file_only" "4520() Shell: '${user_root_shell}' used for: 'root'."
    else
      chroot_exec "${var_target}" chsh -s /bin/bash root
      do_log "info" "file_only" "4520() Shell: '${user_root_shell}' not found for: 'root'. Using '/bin/bash' instead."
    fi
  fi
  do_log "info" "file_only" "4520() Skeleton: 'root' successfully generated."
  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f accounts_setup_physnet_root
 #######################################
 # Generates user account skeleton and activates chosen bash / zsh.
 # Globals:
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
 #   VAR_SETUP_PATH
 # Arguments:
 #   1: var_uid
 #   2: var_gid
 #   3: var_username
 #   4: var_shell
 # Returns:
 #   0: on success
 #######################################
 accounts_setup_physnet_user() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_uid="${1}" var_gid="${2}" var_username="${3}" var_shell="${4}"
  declare     var_target="${TARGET}"
  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
  install -d -m 0700 -o "${var_uid}" -g "${var_gid}" "${var_target}/home/${var_username}/.ssh"
  install -m 0600 -o "${var_uid}" -g "${var_gid}" /dev/null "${var_target}/home/${var_username}/.ssh/authorized_keys"
  install -m 0600 -o "${var_uid}" -g "${var_gid}" "${VAR_SETUP_PATH}/includes/target/etc/skel/.physnet.bashrc" "${var_target}/home/${var_username}/.bashrc"
  if [[ "${var_shell}" == "/bin/zsh" ]]; then
    if [[ -x "${var_target}${var_shell}" ]]; then
      zsh_omz_installer "${var_username}" "${var_target}"
      mv "${var_target}/home/${var_username}/.zshrc" "${var_target}/home/${var_username}/.zshrc.bak"
      install -m 0600 -o "${var_uid}" -g "${var_gid}" "${VAR_SETUP_PATH}/includes/target/etc/skel/.physnet.zshrc" "${var_target}/home/${var_username}/.zshrc"
      chroot_exec "${var_target}" chsh -s "${var_shell}" "${var_username}"
      do_log "info" "file_only" "4520() Shell: '${var_shell}' used for: '${var_username}'."
    else
      chroot_exec "${var_target}" chsh -s /bin/bash "${var_username}"
      do_log "info" "file_only" "4520() Shell: '${var_shell}' not found for: '${var_username}'. Using '/bin/bash' instead."
    fi
  fi
  do_log "info" "file_only" "4520() Skeleton: '${var_username}' successfully generated."
  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f accounts_setup_physnet_user
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4500_user/4530_accounts_timings.sh
+++ b/func/cdi_4500_user/4530_accounts_timings.sh
@@ -0,0 +1,99 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Iterates all '/etc/shadow' entries and sets:
 #   4=min age=0, 5=max age=16384, 6=warn=128, 7=inactive=42, 8=expire=17.09.2102
 #   Safe: creates a timestamped backup and (if available) locks '/etc/.pwd.lock'.
 # Globals:
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 update_shadow() {
  ### Declare Arrays, HashMaps, and Variables.
  declare     var_target="${TARGET}"
  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
  declare -r  var_shadow="${var_target}/etc/shadow"
  declare -r  var_backup="${var_target}/root/.ciss/cdi/backup/etc/shadow.$(date +%s).bak"
  declare -r  var_temp="${var_shadow}.new.$$"
  declare -r  var_exp_dt="17.09.2102"
  declare     var_exp_ds=""
  var_exp_ds="$(
    awk -v d="${var_exp_dt}" 'BEGIN{
      # Force UTC to avoid DST/timezone off-by-one errors
      ENVIRON["TZ"]="UTC";
      if (match(d, /^([0-9]{2})\.([0-9]{2})\.([0-9]{4})$/, a)) {
        dd=a[1]+0; mm=a[2]+0; yyyy=a[3]+0;
        sec = mktime(sprintf("%04d %02d %02d 00 00 00 0", yyyy, mm, dd));
        if (sec < 0) { print "ERR"; exit 1 }
        print int(sec/86400);
        exit 0
      } else { print "ERR"; exit 1 }
    }'
  )" || { do_log "info" "file_only" "4530() Date parse failed: '${var_exp_dt}'."; return 127; }
  # shellcheck disable=SC2249
  case "${var_exp_ds}" in
    ''|*ERR*) do_log "info" "file_only" "4530() Invalid date: '${var_exp_dt}'."
              return 127
              ;;
  esac
  umask 0077
  cp --preserve=mode,ownership "${var_shadow}" "${var_backup}"
  ### Rewrite fields 4..8 for every line
  ### Preserve fields 1..3 and 9, keep password hashes untouched.
  ### Pad to 9 fields if shorter; keep empty lines intact (rare but safe).
  awk -v FS=":" -v OFS=":" -v v_exp="${var_exp_ds}" '
    NF==0 { print; next }                      # preserve blank lines verbatim
    {
      # pad missing trailing fields to 9
      for (i=NF+1; i<=9; i++) $i="";
      $4=0; $5=16384; $6=128; $7=42; $8=v_exp; # set required fields
      print
    }
  ' "${var_backup}" >| "${var_temp}"
  ### Defensive: ensure non-empty output.
  if [[ ! -s "${var_temp}" ]]; then
    do_log "info" "file_only" "4530() Empty output, aborting."
    rm -f "${var_temp}"
    return 127
  fi
  ### Preserve owner/mode (fallback to 0640 root:shadow if reference fails).
  chown --reference="${var_shadow}" "${var_temp}" 2>/dev/null || chown root:shadow "${var_temp}" 2>/dev/null || true
  chmod --reference="${var_shadow}" "${var_temp}" 2>/dev/null || chmod 640 "${var_temp}" 2>/dev/null || true
  ### Atomic replace.
  mv -f "${var_temp}" "${var_shadow}"
  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f update_shadow
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4600_packages/4600_installation_packages.sh
+++ b/func/cdi_4600_packages/4600_installation_packages.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Install Debian Packages as specified in 'preseed.yaml'.
@@ -31,24 +31,26 @@ installation_packages() {
  if [[ "${VAR_APT_FULL_UPGRADE}" == "true" ]]; then
    chroot_script "${TARGET}" "
      export INITRD=No
-      apt-get update  -qq 2>&1 | tee -a ${var_logfile}
+      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-      apt-get upgrade -y  2>&1 | tee -a ${var_logfile}
+      apt-get update -qq      2>&1 | tee -a ${var_logfile}
      apt-get -y dist-upgrade 2>&1 | tee -a ${var_logfile}       # (= apt full-upgrade) allow installs/replacements/removals.
    "
  fi
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests ${ARY_PACKAGES[*]} 2>&1 | tee -a ${var_logfile}
  "
  chroot_script "${TARGET}" "
    export INITRD=No
-    apt-get autoclean  -y 2>&1 | tee -a ${var_logfile}
+    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-    apt-get autopurge  -y 2>&1 | tee -a ${var_logfile}
+    apt-get autoremove --purge  -y 2>&1 | tee -a ${var_logfile}  # 'autopurge' == 'autoremove --purge'; don't run both.
-    apt-get autoremove -y 2>&1 | tee -a ${var_logfile}
+    apt-get clean               -y 2>&1 | tee -a ${var_logfile}  # Stronger than autoclean: removes the entire '.deb'-cache.
  "
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4600_packages/4610_installation_security.sh
+++ b/func/cdi_4600_packages/4610_installation_security.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Installs the desired security extension framework.
@@ -38,6 +38,7 @@ installation_security() {
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests ${ary_fw[*]} 2>&1 | tee -a ${var_logfile}
    if [[ ${VAR_SEC_FW} == apparmor ]]; then
@@ -97,7 +98,7 @@ EOF
  fi
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4600_packages/4620_installation_verification.sh
+++ b/func/cdi_4600_packages/4620_installation_verification.sh
@@ -10,12 +10,12 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 ### https://github.com/linux-audit/audit-userspace/tree/master/rules
 #######################################
-# Installs 'aide', 'audit', and 'debsums' audit and logging packages.
+# Installs 'acct', 'aide', 'audit', and 'debsums' audit and logging packages.
 # Finalizes 'rkhunter' baseline.
 # Globals:
 #   TARGET
@@ -33,25 +33,57 @@ install_verification() {
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests acct 2>&1 | tee -a ${var_logfile}
    mkdir -p /etc/systemd/system/multi-user.target.wants
    if ln -s /lib/systemd/system/acct.service /etc/systemd/system/multi-user.target.wants/acct.service; then
      printf 'Process Accounting enabled successfully.'
    else
      printf 'Process Accounting already enabled.'
    fi
  "
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests auditd 2>&1 | tee -a ${var_logfile}
  "
  rm -f "${TARGET}/etc/audit/rules.d/audit.rules"
-  ############################################################### /etc/audit/rules.d/10-base-config.rules
+  ############################################################### /etc/audit/rules.d/00-base-config.rules
-  cat << EOF >| "${TARGET}/etc/audit/rules.d/10-base-config.rules"
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/00-base-config.rules"
 ## First rule - delete all
 -D
 ## Increase the buffers to survive stress events.
-## Make this bigger for busy systems
+## Make this bigger for busy systems.
 -b 16384
-## This determine how long to wait in burst of events
+## Rate Limit. Cap kernel->userspace message rate (0 = unlimited).
 -r 200
 ## This determine how long to wait in burst of events. How long to wait in bursts (µs).
 --backlog_wait_time 1024
-## Set failure mode to syslog
+## Set failure mode to syslog.
 -f 1
 EOF
  ############################################################### /etc/audit/rules.d/10-ciss-noise-floor.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/10-ciss-noise-floor.rules"
 ## Ignore kernel/daemon noise without a loginuid (unset = 4294967295).
 -a never,exit -F auid=4294967295
 ## Make privileged exec tracing user-initiated only (no boot-time daemons).
 -a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k exec_root
 -a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k exec_root
 ## (Optional, same principle for suid/sgid transitions).
 -a always,exit -F arch=b64 -S execve -C uid!=euid -F auid>=1000 -F auid!=-1 -k exec_suid_sgid
 -a always,exit -F arch=b32 -S execve -C uid!=euid -F auid>=1000 -F auid!=-1 -k exec_suid_sgid
 EOF
  ############################################################### /etc/audit/rules.d/11-loginuid.rules
@@ -94,6 +126,17 @@ EOF
 ## This rule suppresses the time-change event when chrony does time updates
 -a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=_chrony
 -a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=_chrony
 EOF
  ############################################################### /etc/audit/rules.d/25-ciss-exec.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/25-ciss-exec.rules"
 ## Focus on privileged exec, not every user command
 -a always,exit -F arch=b64 -S execve -F euid=0 -k exec_root
 -a always,exit -F arch=b32 -S execve -F euid=0 -k exec_root
 -a always,exit -F arch=b64 -S execve -F exe=/usr/bin/sudo -k exec_sudo
 -a always,exit -F arch=b32 -S execve -F exe=/usr/bin/sudo -k exec_sudo
 -a always,exit -F arch=b64 -S execve -C uid!=euid -k exec_suid_sgid
 -a always,exit -F arch=b32 -S execve -C uid!=euid -k exec_suid_sgid
 EOF
  ############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
@@ -111,17 +154,6 @@ EOF
 -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 EOF
  ############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-1-create-success.rules"
 ## Successful file creation (open with O_CREAT)
 -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 -a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 -a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 -a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 -a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 EOF
  ############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
@@ -139,17 +171,6 @@ EOF
 -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 EOF
  ############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-2-modify-success.rules"
 ## Successful file modifications (open for write or truncate)
 -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 -a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 -a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 -a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 -a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 EOF
  ############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
@@ -159,14 +180,6 @@ EOF
 -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
 -a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
 -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
 EOF
  ############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-3-access-success.rules"
 ## Successful file access (any other opens) This has to go last.
 ## These next two are likely to result in a whole lot of events
 -a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
 -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
 EOF
  ############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
@@ -176,13 +189,6 @@ EOF
 -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
 -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
 -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
 EOF
  ############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-4-delete-success.rules"
 ## Successful file delete
 -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
 -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
 EOF
  ############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
@@ -192,13 +198,6 @@ EOF
 -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
 -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
 -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
 EOF
  ############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules"
 ## Successful permission change
 -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
 -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
 EOF
  ############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
@@ -208,13 +207,6 @@ EOF
 -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
 -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
 -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
 EOF
  ############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules"
 ## Successful ownership change
 -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
 -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
 EOF
  ############################################################### /etc/audit/rules.d/30-ospp-v42.rules
@@ -360,6 +352,7 @@ EOF
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests aide aide-common 2>&1 | tee -a ${var_logfile}
    sed -i 's/Checksums = H/Checksums = sha512/' /etc/aide/aide.conf
@@ -368,18 +361,25 @@ EOF
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
    apt-get install -y --no-install-recommends --no-install-suggests debsums 2>&1 | tee -a ${var_logfile}
    if ! debsums -g >> ${var_logfile} 2>> ${var_logfile}; then
      printf 'Running debsums -g - encountered errors.' >> ${var_logfile}
    fi
    mkdir -p /root/.ciss/cdi/backup/etc/default
    cp -a /etc/default/debsums /root/.ciss/cdi/backup/etc/default/debsums.bak
    sed -i 's/CRON_CHECK=never/CRON_CHECK=monthly/' /etc/default/debsums
  "
  chroot_script "${TARGET}" "
    rkhunter --propupd 2>&1 | tee -a ${var_logfile}
  "
-  guard_dir && return 0
+  chroot_exec "${TARGET}" sed -i 's#^\(ENABLED=\).*#\1"true"#' /etc/default/sysstat
  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4600_packages/4630_auditing_packages.sh
+++ b/func/cdi_4600_packages/4630_auditing_packages.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Final checks.
@@ -97,6 +97,9 @@ auditing_packages() {
    echo +++ >> ${var_logfile}
  "
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f auditing_packages
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4900_xtended/4900_final_command.sh
+++ b/func/cdi_4900_xtended/4900_final_command.sh
@@ -0,0 +1,136 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Finalize the chroot system before exiting.
 # Globals:
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 final_commands() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_logfile="/root/.ciss/cdi/log/4900_final_command.log"
  declare     var_target="${TARGET}"
  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
  chroot_logger "${var_target}${var_logfile}"
  chroot_script "${var_target}" "
    updatedb | tee -a ${var_logfile}
  "
  ciss_enforce_multi_user_target
  rm -f "${var_target}/root/ciss_xdg_tmp.sh"
  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f final_commands
 #######################################
 # description
 # Globals:
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 ciss_enforce_multi_user_target() {
  ### Declare Arrays, HashMaps, and Variables.
  declare     var_target="${TARGET}"
  ### Check for TARGET / RECOVERY.
  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
  # shellcheck disable=SC2016
  chroot_script "${var_target}" '
    declare var_dm="" var_unit_dir="" var_link="/etc/systemd/system/default.target"
    ### Determine the canonical systemd unit dir inside TARGET.
    if [[ -d /lib/systemd/system ]]; then
      var_unit_dir=/lib/systemd/system
    elif [[ -d /usr/lib/systemd/system ]]; then
      var_unit_dir=/usr/lib/systemd/system
    fi
    ### Enforce default.target -> multi-user.target as a symlink.
    if [[ -e "${var_link}" ]] && [[ ! -L "${var_link}" ]]; then
      ### A regular file here is wrong; we remove it to avoid vendor fallback to graphical.
      rm -f -- "${var_link}"
    fi
    if [[ ! -L "${var_link}" ]]; then
      ln -s "${var_unit_dir}/multi-user.target" "${var_link}"
    else
      ### Ensure it points to multi-user.
      if [[ "$(readlink -f "${var_link}")" != "${var_unit_dir}/multi-user.target" ]]; then
        rm -f -- "${var_link}"
        ln -s "${var_unit_dir}/multi-user.target" "${var_link}"
      fi
    fi
    ### Hard-block any display manager (mask via /dev/null symlink). Include common DMs, and the generic alias:
    ary_dm_units=(
      "display-manager.service"
      "gdm.service"
      "gdm3.service"
      "sddm.service"
      "lightdm.service"
      "xdm.service"
      "lxdm.service"
      "slim.service"
    )
    for var_dm in "${ary_dm_units[@]}"; do
      if [[ ! -L "/etc/systemd/system/${var_dm}" ]]; then
        ln -s /dev/null "/etc/systemd/system/${var_dm}"
      fi
    done
  '
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f ciss_enforce_multi_user_target
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/Show More
+++ b/Show More
		`@@ -1 +0,0 @@`
			`7cad63da408c27b5121c89cdd0cf878b8f8df1f34bcc0a944152261ee1481fda`
		`@@ -1 +0,0 @@`
			`SJF3kOdvm0o9xwT:VdmXE^2w^VTFJeJPdHkd7qNwQVf^7SDmcyZKjcfadS`
		`@@ -1 +0,0 @@`
			`Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!`