DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]

X-CI-Metadata: master@aef00ec at 2025-10-26T18:19:48Z on 6f8f9a786bfa Generated at : 2025-10-26T18:19:48Z Runner Host : 6f8f9a786bfa Workflow ID : 🛡️ Shell Script Linting Git Commit : aef00ec HEAD -> master
V8.00.000.2025.06.17
2025-10-26 18:19:48 +00:00 · 2025-10-26 18:17:28 +00:00 · 2025-10-26 17:24:00 +00:00 · 2025-10-26 17:22:09 +00:00 · 2025-10-26 17:21:58 +00:00 · 2025-10-26 17:21:53 +00:00
149 changed files with 968 additions and 470 deletions
--- a/.archive/4620_installation_verification.sh
+++ b/.archive/4620_installation_verification.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 ### https://github.com/linux-audit/audit-userspace/tree/master/rules
@@ -402,7 +402,7 @@ EOF
  chroot_exec "${TARGET}" sed -i 's#^\(ENABLED=\).*#\1"true"#' /etc/default/sysstat
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/.preseed/SECRETS.yaml
+++ b/.preseed/SECRETS.yaml
@@ -0,0 +1,115 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 #
 #
 # This file contains all required Secrets, Tokens and Public and Private Keys for the CISS.debian.installer
 # Master V8.00.000.2025.06.17
 # YAML specification: 1.2
 #
 secrets:
  description: "Secrets for automated installation of encrypted systems on this host via primordial-workflow™."
  created_at: "2025-10-23"
  created_for: "host_domain_tld"
  name: "CISS.debian.installer"
  version: "V8.00.000.2025.06.17"
  x_files: "false"
  ################################################################################################################################
  # Grub bootloader passphrase
  ################################################################################################################################
  grub:
    note: "Password used to unlock the GRUB bootloader before system initialization."
    scope: "grub"
    type: "plain"
    value: "PleASE_CHan3e_M!"
  ################################################################################################################################
  # LUKS and LUKS Nuke passphrase
  ################################################################################################################################
  luks:
    backup:
      note: "The value is [<share-identifier>:<password>] (colon-separated). Use the same dedicated destination and credentials across servers."
      scope: "offsite-backup"
      type: "plain"
      value: "NextcloudFolderNameOrShareID:SuperSecurePassword123!"
    boot:
      note: "Dedicated passphrase for the [/boot] partition; chosen for easy manual input via the VPS web console."
      scope: "luks"
      type: "plain"
      value: "Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!"
    common:
      note: "Main LUKS passphrase baked into the installer for automated setup. For dropbear SSH input method only."
      scope: "luks"
      type: "plain"
      value: "Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!"
    nuke:
      note: "Special LUKS passphrase that triggers secure wipe of all volumes when entered."
      scope: "luks"
      type: "plain"
      value: "THIS_IS_THE_NUKE_PASSWORD!"
  ################################################################################################################################
  # TOTP MFA seed and salt and other seed variables
  ################################################################################################################################
  seeds:
    mfa:
      info:
        note: "MFA version identifier, e.g., [totp:v1] for seamless mfa secrets rollover."
        scope: "mfa"
        type: "plain"
        value: "totp:v1"
      salt:
        note: "Used to add a salt to the MFA seed to derive per-host MFA secrets for remote unlock authentication."
        scope: "mfa"
        type: "plain"
        value: "CISS:CDI:OTP"
      secret:
        note: "Master seed (hex) used to derive per-machine MFA secrets for remote unlock authentication."
        scope: "mfa"
        type: "plain"
        value: "7cad63da408c27b5121c89cdd0cf878b8f8df1f34bcc0a944152261ee1481fda"
  ################################################################################################################################
  # User passwords and SSH keys
  ################################################################################################################################
  user:
    root:
      password:
        note: "Password-hash, YESCRYPT only, for the root user. Leave value empty if disabled password authentication."
        scope: "auth"
        type: "hash"
        value: "$y$jFT$7pQlcZrgTEGrzkEm7UQW/.$QoCamalYEAV5mN4QWIE.xpHo8kvXa9sym2Uz.9oELwA"
      sshpubkey:
        note: "SSH public key for the root user. This key is also used for dropbear SSH authentication."
        scope: "auth"
        type: "sshpubkey"
        value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
    user0:
      name: "user"
      password:
        note: "Password-hash, YESCRYPT only, for the specified user. Leave value empty if disabled password authentication."
        scope: "auth"
        type: "hash"
        value: "$y$jFT$OGeZONH5ho2JSXvAbyIBQ1$5OhyHqOaMZ9BZcfMOYEwF.nMLFKd9ceiW2oNksPCHVB"
      sshpubkey:
        note: "SSH public key for the specified user."
        scope: "auth"
        type: "sshpubkey"
        value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
    user1:
      name: "ansible"
      password:
        note: "Password-hash, YESCRYPT only, for the specified user. Leave value empty if disabled password authentication."
        scope: "auth"
        type: "hash"
        value: ""
      sshpubkey:
        note: "SSH public key for the specified user."
        scope: "auth"
        type: "sshpubkey"
        value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.preseed/mfa_master.txt
+++ b/.preseed/mfa_master.txt
@@ -1 +0,0 @@
 7cad63da408c27b5121c89cdd0cf878b8f8df1f34bcc0a944152261ee1481fda
--- a/.preseed/partitioning.yaml
+++ b/.preseed/partitioning.yaml
@@ -35,7 +35,7 @@ recipe:
      luks_backup: true        # Specify if LUKS Header backups should be created. If so, provide an external backup URL:
                               # luks_backup_url: "https://cloud.e2ee.li/" or leave empty for local backup.
                               # Also provide the cloud access token and access passwords via
-                               # ./.preseed/password_luks_backup.txt. Yet Nextcloud only is supported.
+                               # ./.preseed/SECRETS.yaml. Yet Nextcloud only is supported.
      luks_backup_url: "https://cloud.e2ee.li/"
      luks_backup_pgp: "ciss"  # Specify the trigger for use of the LUKS Header backup encryption key.
                               # Allowed values are: 'ciss', and 'physnet'. MUST be provided.
--- a/.preseed/password_grub.txt
+++ b/.preseed/password_grub.txt
@@ -1 +0,0 @@
 PleASE_CHan3e_M!
--- a/.preseed/password_luks_backup.txt
+++ b/.preseed/password_luks_backup.txt
@@ -1 +0,0 @@
 SJF3kOdvm0o9xwT:VdmXE^2w^VTFJeJPdHkd7qNwQVf^7SDmcyZKjcfadS
--- a/.preseed/password_luks_boot.txt
+++ b/.preseed/password_luks_boot.txt
@@ -1 +0,0 @@
 Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!
--- a/.preseed/password_luks_common.txt
+++ b/.preseed/password_luks_common.txt
@@ -1 +0,0 @@
 Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!
--- a/.preseed/password_luks_nuke.txt
+++ b/.preseed/password_luks_nuke.txt
@@ -1 +0,0 @@
 THIS_IS_THE_NUKE_PASSWORD!
--- a/.preseed/preseed.yaml
+++ b/.preseed/preseed.yaml
@@ -10,14 +10,17 @@
 # SPDX-Security-Contact: security@coresecret.eu
 %YAML 1.2
 ---
-### This file contains configurations for the CISS.debian.installer
+# This file contains configurations for the CISS.debian.installer
-### Master V8.00.000.2025.06.17
+# Master V8.00.000.2025.06.17
-### YAML specification: 1.2
+# YAML specification: 1.2
-
+#
-installer:
+preseed:
  description: "Configuration values for automated installation of encrypted systems on this host via primordial-workflow™."
  created_at: "2025-10-23"
  created_for: "host_domain_tld"
  name: "CISS.debian.installer"
  version: "V8.00.000.2025.06.17"
-
+#
 ################################################################################################################################
 # APT settings
 ################################################################################################################################
@@ -133,7 +136,7 @@ grub_parameter:
  # undetected. During boot if audit=1, then the backlog will hold 64 records. If more than 64 records are created during boot,
  # auditd records will be lost, and potential malicious activity could go undetected.
  ##############################################################################################################################
-  - "audit_backlog_limit=16384"
+  - "audit_backlog_limit=262144"
  - "audit=1"
  ##############################################################################################################################
@@ -451,7 +454,7 @@ grub:
  other-os: true               # This one makes grub-installer install to the UEFI partition '/boot' record if it also finds
                               # some other OS, which is less safe as it might not be able to boot that other OS.
  password: true               # If you want to set a password for GRUB. The password MUST be set at:
-                               # '/.preseed/password_grub.txt'.
+                               # '/.preseed/SECRETS.yaml'.
  prober: false                # OS-prober did not detect any other operating systems on your computer at this time, but you
                               # may still wish to enable it in case you install more in the future.
  skip: false                  # Skip installing grub.
@@ -836,9 +839,6 @@ ssh:
 # User settings
 ################################################################################################################################
 user:
  mfa:
    info: "totp:v1"
    salt: "CISS:CDI:OTP"       # + (Server_FQDN/Username)
  ##############################################################################################################################
  # Root: The superuser account (normally disabled for direct login).
  #       Key 'user.root.password' MUST contain a valid yescrypt hashed password string.
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,17 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 creation_rules:
  - path_regex: '(^|.*/)\.preseed/SECRETS\.yaml$'
    encrypted_regex: '^value$'
 stores:
  yaml:
    indent: 2
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/LINTER_RESULTS.txt
+++ b/LINTER_RESULTS.txt
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-22; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-26; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-10-22T07:45:24Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-10-26T18:19:45Z".
 ⚠️ The last linter check was NOT successful. ⚠️
--- a/README.md
+++ b/README.md
@@ -11,8 +11,8 @@ include_toc: true
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
 &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.6-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.7-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.2-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.4-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
--- a/ciss_debian_installer.sh
+++ b/ciss_debian_installer.sh
@@ -24,7 +24,7 @@
 # TODO: Copying Log Files to final System
 # TODO: Integrate CISS.debian.installer calling arguments and preseed.yaml into CISS.debian.live.builder build chain?
 # TODO: Reboot function for Autoinstall, Clean Exit, Flush Logs, luksClose, umount
-# TODO: Implement loop_pass() for other passwords 0105_arg_nuke_converter.sh
+# TODO: Implement loop_pass() for other passwords 1257_yaml_xnuke.sh
 # TODO: Implement / Integrate IP, Port validation CDI_1200
 ### WHY BASH?
@@ -112,8 +112,8 @@ for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./meta_loader_cuv.sh; usa
 # shellcheck disable=SC2249
 for arg in "$@"; do case "${arg,,}" in -v|--version) . ./meta_loader_cuv.sh; version; exit 0;; esac; done
-### SOURCING MUST SET EARLY VARIABLES. SOURCING COLOR_ECHO(), GUARD_SOURCING(), AND SOURCE_GUARD().
+### SOURCING MUST SET EARLY VARIABLES. SOURCING COLOR_ECHO(), guard_sourcing || return "${ERR_GUARD_SOURCE}"(), AND SOURCE_GUARD().
-. ./lib/cdi_0005_guard/0005_guard_sourcing.sh # The function guard_sourcing MUST be present in each file to source.
+. ./lib/cdi_0005_guard/0005_guard_sourcing.sh # The function guard_sourcing || return "${ERR_GUARD_SOURCE}" MUST be present in each file to source.
 . ./lib/cdi_0005_guard/0006_source_guard.sh   # Wrapper for sourcing modules, libraries, variables.
 source_guard "./var/color.var.sh"
 source_guard "./var/early.var.sh"
@@ -198,10 +198,6 @@ arg_parser "$@"
 info_echo "0103_arg_priority_check.sh"
 arg_priority_check
 ### HASHING PASSWORDS.
 info_echo "0105_arg_nuke_converter.sh"
 nuke_passphrase
 ### CDI_1250
 info_echo "1250_yaml_parser.sh"
@@ -213,6 +209,12 @@ yaml_reader
 info_echo "1252_yaml_validator.sh"
 yaml_validator
 info_echo "1256_yaml_xfiles.sh"
 yaml_secret
 info_echo "1257_yaml_xnuke.sh"
 nuke_passphrase
 ### CDI_3200
 info_echo "3200_partitioning.sh"
--- a/func/cdi_1000_helper/1030_check_nic.sh
+++ b/func/cdi_1000_helper/1030_check_nic.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Specify the network interface card (NIC) interactively for setup.
@@ -39,7 +39,7 @@ check_nic() {
  clear
  do_log "info" "file_only" "1030() You have selected: '${var_nic}' - proceeding with setup."
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_1000_helper/1080_helper_chroot.sh
+++ b/func/cdi_1000_helper/1080_helper_chroot.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Use chroot_exec() for:
--- a/func/cdi_1000_helper/1081_helper_grub.sh
+++ b/func/cdi_1000_helper/1081_helper_grub.sh
@@ -13,7 +13,7 @@
 ### Options in "GRUB_CMDLINE_LINUX" are always effective.
 ### Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Helper module to extract the current GRUB CMDLINE strings.
--- a/func/cdi_1000_helper/1082_helper_modules.sh
+++ b/func/cdi_1000_helper/1082_helper_modules.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Wrapper for preparing logfile inside chroot.
--- a/func/cdi_1000_helper/1084_helper_sanitizer.sh
+++ b/func/cdi_1000_helper/1084_helper_sanitizer.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Remove any leading or trailing whitespace.
--- a/func/cdi_1000_helper/1085_helper_secure_dl.sh
+++ b/func/cdi_1000_helper/1085_helper_secure_dl.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Wrapper for secure curl.
--- a/func/cdi_1000_helper/1086_helper_yaml.sh
+++ b/func/cdi_1000_helper/1086_helper_yaml.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # yq_val <YQ expression> <file> - Returns value, converts null to "".
--- a/func/cdi_1200_validation/1220_validation_element.sh
+++ b/func/cdi_1200_validation/1220_validation_element.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Checks if a search pattern / string / value is present in an array.
--- a/func/cdi_1200_validation/1221_validation_ip.sh
+++ b/func/cdi_1200_validation/1221_validation_ip.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # IPv4 validation.
--- a/func/cdi_1200_validation/1222_validation_preseed.sh
+++ b/func/cdi_1200_validation/1222_validation_preseed.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Validate all preseed network variables (IPv4 & IPv6)
--- a/func/cdi_1250_yaml/1250_yaml_parser.sh
+++ b/func/cdi_1250_yaml/1250_yaml_parser.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Parsing './.preseed/preseed.yaml' and './.preseed/partitioning.yaml'.
@@ -44,28 +44,36 @@ yaml_parser() {
  ### Generate Arrays for [Grub Parameter], [Locales], [NTPSec Server FQDN], [Software Packages].
  while IFS='=' read -r var_key var_value; do
    var_value=${var_value#\'}
    var_value=${var_value%\'}
    # shellcheck disable=SC2034,SC2249
    case "${var_key}" in
      grub_parameter_[0-9]*) ARY_BOOTPARAM+=("${var_value}")  ;;
      locale_locale_[0-9]*)  ARY_LOCALE+=("${var_value}")     ;;
      ntp_server_[0-9]*)     ARY_NTPSRVR+=("${var_value}")    ;;
      ssh_allow_ipv4_[0-9]*) ARY_ALLOW_IPV4+=("${var_value}") ;;
      ssh_allow_ipv6_[0-9]*) ARY_ALLOW_IPV6+=("${var_value}") ;;
      software_[0-9]*)       ARY_PACKAGES+=("${var_value}")   ;;
    esac
  done < "${VAR_PRESEED}"
  var_key=""
  ### Search all set variables for user_userN_name patterns.
  # shellcheck disable=SC2312
  while IFS='=' read -r var_key _; do
    ### Accept any of these keys: name, fullname, uid, gid, shell, password, sshpubkey, authentication_* and privileges_*
    if [[ "${var_key}" =~ ^user_user([0-9]+)_(name|fullname|uid|gid|shell|password|sshpubkey|authentication_[A-Za-z0-9_]+|privileges_[A-Za-z0-9_]+)$ ]]; then
      var_index=${BASH_REMATCH[1]}
      (( var_index > VAR_USER_MAX )) && VAR_USER_MAX=var_index
    fi
  done < "${VAR_PRESEED}"
  ### If nothing matched, default to 0 (only user 0).
@@ -87,12 +95,12 @@ yaml_parser() {
    # --- Quote unquoted values -------------------------------------------
    s/^(.*)=([^'\''"]+)/\1='\''\2'\''/ # wrap value in single quotes
-' "${VAR_PRESEED}"
+  ' "${VAR_PRESEED}"
  # shellcheck disable=SC1090
  . "${VAR_PRESEED}"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_1250_yaml/1251_yaml_reader.sh
+++ b/func/cdi_1250_yaml/1251_yaml_reader.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Reading and extracting variables from "${PRESEED}".
@@ -258,7 +258,7 @@ END { print max }
  # shellcheck disable=SC2034
  VAR_USER_ROOT_SPECIFIC="${user_root_specific,,}"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_1250_yaml/1252_yaml_validator.sh
+++ b/func/cdi_1250_yaml/1252_yaml_validator.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Extended dynamic network variable checks and declarations depending on preseed.yaml.
@@ -219,7 +219,7 @@ yaml_validator() {
  fi
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_1250_yaml/1256_yaml_xfiles.sh
+++ b/func/cdi_1250_yaml/1256_yaml_xfiles.sh
@@ -0,0 +1,271 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Debug helper: list variable names (no values).
 # Globals:
 #   CISS_SECRETS_MAP
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 ciss_secrets_list_names() {
  ### Declare Arrays, HashMaps, and Variables.
  declare     var_k=""
  for var_k in "${!CISS_SECRETS_MAP[@]}"; do
    printf '%s.value -> %s\n' "${var_k}" "${CISS_SECRETS_MAP[${var_k}]}"
  done
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f ciss_secrets_list_names
 #######################################
 # Unset all previously created secret variables.
 # Globals:
 #   CISS_SECRETS_MAP
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 ciss_secrets_unset() {
  ### Declare Arrays, HashMaps, and Variables.
  declare     var_k="" var_v=""
  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  guard_trace on
  for var_k in "${!CISS_SECRETS_MAP[@]}"; do
    var_v="${CISS_SECRETS_MAP[${var_k}]}"
    if [[ -v "${var_v}" ]]; then
      unset -v "${var_v}" 2>/dev/null || true
    fi
  done
  CISS_SECRETS_MAP=()
  guard_trace off
  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f ciss_secrets_unset
 #######################################
 # Build the canonical var name from a dotted path (without 'secrets.' and without '.value').
 # Globals:
 #   None
 # Arguments:
 #   1: Variable path
 # Returns:
 #   0: on success
 #######################################
 ciss_secret_varname_from_path() {
  ### Declare Arrays, HashMaps, and Variables.
  declare     var_path="${1:-}"
  var_path="${var_path//[^A-Za-z0-9_]/_}"
  var_path="${var_path^^}"
  printf 'CISS_SECRET_%s' "${var_path}"
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f ciss_secret_varname_from_path
 #######################################
 # Wipes the specified file securely.
 # Globals:
 #   None
 # Arguments:
 #   1: File to wipe
 # Returns:
 #   0: on success
 #######################################
 ciss_secrets_wiper() {
  ### Declare Arrays, HashMaps, and Variables.
  declare     var_file="${1:-}"
  if [[ -f "${var_file}" ]]; then
    : >| "${var_file}"
    shred -vfzu -n 5 "${var_file}" > /dev/null 2>&1 || rm -f -- "${var_file}"
  fi
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f ciss_secrets_wiper
 #######################################
 # Purpose:
 #   Parsing of only "*.value" keys from 'SECRETS.yaml' into Bash globals.
 #   If the file contains SOPS markers, decrypt once (streaming) with sops/age, then yq parses in a single pass.
 #   No base64, plain values preserved (including newlines). No repeated per-key decrypts or yq calls.
 # Conventions:
 #   Variables: CISS_SECRET_<UPPER_SNAKE_CASE_PATH> (PATH excludes "secrets." and trailing ".value")
 #   All with "declare -g" (no export).
 #   Mapping: CISS_SECRETS_MAP["foo.bar"]=CISS_SECRET_FOO_BAR
 # Globals:
 #   CISS_SECRETS_AGE
 #   CISS_SECRETS_MAP
 #   CISS_SECRETS_SOURCE
 #   DIR_CNF
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #   ERR_DECRYPTION_SOPS: on failure
 #   ERR_MISSING_AGE_BIN: on failure
 #   ERR_MISSING_AGE_KEY: on failure
 #######################################
 yaml_secret() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  SOPS_AGE_KEY_FILE="${CISS_SECRETS_AGE}"
  declare -a  __names=()
  declare     secrets_encrypted="" secrets_if="${CISS_SECRETS_SOURCE}" secrets_of="${DIR_CNF}/SECRETS_DECRYPTED.yaml" \
              __SECRETS="${DIR_CNF}/SECRETS_BASH.var" \
              __base="" __name="" __umask="" __path_wo_prefix="" __val="" __varname=""
  __umask=$(umask)
  umask 0077
  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  guard_trace on
  secrets_encrypted="$(yq -r '.secrets.x_files // false' -- "${secrets_if}")" || secrets_encrypted="false"
  do_log "debug" "file_only" "1256() 'secrets_encrypted' according to secrets.x_files: '${secrets_encrypted}'."
  if grep -qE '(^|\s)sops:\s*$' -- "${secrets_if}" 2>/dev/null || grep -q 'ENC\[' -- "${secrets_if}" 2>/dev/null; then
    secrets_encrypted="true"
    do_log "debug" "file_only" "1256() 'secrets_encrypted' according to heuristic mode: '${secrets_encrypted}'."
  fi
  if [[ "${secrets_encrypted}" == "true" ]]; then
    if ! command -v sops >/dev/null 2>&1; then
      do_log "fatal" "file_only" "1260() SOPS not found but SECRETS.yaml appears to be SOPS-managed."
      return "${ERR_MISSING_AGE_BIN}"
    fi
    [[ -r "${SOPS_AGE_KEY_FILE}" ]] || return "${ERR_MISSING_AGE_KEY}"
    sops -d --input-type=yaml --output-type=yaml -- "${secrets_if}" >| "${secrets_of}"
    [[ -r "${secrets_of}" ]] || return "${ERR_DECRYPTION_SOPS}"
    ciss_secrets_wiper "${secrets_if}" && mv "${secrets_of}" "${secrets_if}"
  fi
  yq -o=shell "${secrets_if}" >| "${__SECRETS}" && ciss_secrets_wiper "${secrets_if}"
  ### Keep only '*_value=' lines, normalize empty RHS, quote unquoted simple RHS.
  LC_ALL=C sed -n -E '
    /^[[:space:]]*(#|$)/b
    s/^[[:space:]]*(export|declare[[:space:]]+-x)[[:space:]]+//;
    /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value=/!b
    s/^([[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value)=[[:space:]]*$/\1='\'''\''/; t print
    /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value=[[:space:]]*('"'"'|\"|\$'"'"')/b print
    s/^([[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value)=([^[[:space:]]'"'"'$][^[:space:]]*)[[:space:]]*$/\1='"'"'\2'"'"'/; t print
    s/^([[:space:]]*[A-Za-z_][A-Za-z0-9_]*_value)=[[:space:]]*(.+)[[:space:]]*$/\1='"'"'\2'"'"'/; t print
    :print
    p
  ' -- "${__SECRETS}" >| "${__SECRETS}.value_only"
  mv -f -- "${__SECRETS}.value_only" "${__SECRETS}"
  # shellcheck disable=SC1091 source=./${__SECRETS}
  source "${__SECRETS}"
  ciss_secrets_wiper "${__SECRETS}"
  # shellcheck disable=SC2312
  mapfile -t __names < <(printf '%s\n' "${!secrets_@}")
  for __name in "${__names[@]}"; do
    ### Keep only *_value variables
    [[ "${__name}" == *_value ]] || continue
    ### Validate strict Bash identifier (defensive: strip accidental CR).
    __name="${__name%$'\r'}"
    [[ "${__name}" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || continue
    ### Only read if actually set; indirect check without triggering nounset.
    if [[ -n "${!__name+x}" ]]; then
      __val="${!__name}"
    else
      __val=""
    fi
    ### Strip suffix/prefix for the map key.
    __base="${__name%_value}"
    __path_wo_prefix="${__base#secrets_}"
    ### Canonical CISS name.
    __varname="$(ciss_secret_varname_from_path "${__path_wo_prefix}")"
    ### Assign verbatim (preserves newlines).
    unset -v "${__varname}"
    declare -g "${__varname}"
    printf -v "${__varname}" '%s' "${__val}"
    CISS_SECRETS_MAP["${__path_wo_prefix}"]="${__varname}"
  done
  ### Hygiene: remove the intermediate variables to reduce secret surface, e.g., unset 'secrets_*_value' after transfer.
  for __name in "${__names[@]}"; do
    unset -v "${__name}"
  done
  umask "${__umask}"
  guard_trace off
  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f yaml_secret
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/cdi_0100_arg/0105_arg_nuke_converter.sh
+++ b/lib/cdi_0100_arg/0105_arg_nuke_converter.sh
@@ -10,23 +10,27 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Generates 'nuke=HASH' Bootparameter.
 # Globals:
 #   CISS_SECRET_LUKS_NUKE
 #   DIR_CNF
 #   VAR_NUKE_HASH
 # Arguments:
 #   None
 # Returns:
 #   0: on success
-#   ERR_GENERATE_SALT
+#   ERR_GENERATE_SALT: on failure
 #   ERR_READ_NUKE_FILE
 #######################################
 nuke_passphrase() {
-  declare -r var_nuke_pwd_file="${DIR_CNF}/password_luks_nuke.txt"
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
-  declare    var_temp_nuke_hash="" var_temp_plain_nuke_pwd="" var_salt="" var_nuke_rounds=""
+  guard_trace on
  ### Declare Arrays, HashMaps, and Variables.
  declare    var_nuke_pwd="${CISS_SECRET_LUKS_NUKE}"
  declare    var_temp_nuke_hash="" var_salt="" var_nuke_rounds=""
  # shellcheck disable=SC2312
  var_nuke_rounds="$(
@@ -40,30 +44,30 @@ nuke_passphrase() {
  ' "${DIR_CNF}/partitioning.yaml" | head -n1
  )"
-  [[ ! -f "${var_nuke_pwd_file}" ]] && return 0
+  [[ -z "${var_nuke_pwd}" ]] && return 0
  guard_trace on
  if ! read_password_file "${var_nuke_pwd_file}" var_temp_plain_nuke_pwd; then
    return "${ERR_READ_NUKE_FILE}"
  fi
  guard_trace off
  if ! var_salt="$(generate_salt)"; then
    return "${ERR_GENERATE_SALT}"
  fi
  var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds="${var_nuke_rounds:-8388608}" "${var_nuke_pwd}")
-  guard_trace on
+  # shellcheck disable=SC2034
  var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds="${var_nuke_rounds:-8388608}" "${var_temp_plain_nuke_pwd}")
  guard_trace off
  declare -grx VAR_NUKE_HASH="${var_temp_nuke_hash}"
-  unset var_temp_nuke_hash var_temp_plain_nuke_pwd
+
  unset var_temp_nuke_hash var_nuke_pwd CISS_SECRET_LUKS_NUKE
  do_log "debug" "file_only" "0105() NUKE hash starts with: [${VAR_NUKE_HASH:0:32}...]"
-  guard_dir && return 0
+  guard_trace off
-}
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f nuke_passphrase
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_3200_partitioning/3200_partitioning.sh
+++ b/func/cdi_3200_partitioning/3200_partitioning.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # EFI System Partition | EF00 | UEFI Bootloader (ESP, FAT32)
@@ -402,7 +402,7 @@ partitioning() {
  printf "%s\n" "${ary_paths_unsorted[@]}" >| "${DIR_LOG}/3200_mount_paths_unsorted.log"
  printf "%s\n" "${ARY_PATHS_SORTED[@]}" >| "${DIR_LOG}/3200_mount_paths_sorted.log"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_3200_partitioning/3210_benchmarking_encryption.sh
+++ b/func/cdi_3200_partitioning/3210_benchmarking_encryption.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Benchmark cryptsetup KDF to determine pbkdf-memory and pbkdf-force-iterations for given pbkdf-threads.
@@ -27,7 +27,8 @@ guard_sourcing
 #   0: on success
 #######################################
 benchmarking_encryption() {
-  declare var_result=""
+  ### Declare Arrays, HashMaps, and Variables.
  declare       var_result=""
  # shellcheck disable=SC2155
  declare -girx VAR_KDF_THREADS=$(yq_val ".recipe.${VAR_RECIPE_STRING}.control.kdf.threads" "${VAR_SETUP_PART}")
  # shellcheck disable=SC2155
@@ -37,7 +38,7 @@ benchmarking_encryption() {
  sync
  echo "BENCHMARK CRYPTSETUP ARGON2ID KDF PARAMETER - DROPPING PAGES ..."
-  echo 3 >| /proc/sys/vm/drop_caches
+  echo 3 >| /proc/sys/vm/drop_caches || true
  # shellcheck disable=SC2312
  var_result=$(cryptsetup benchmark --pbkdf argon2id --iter-time "${VAR_ITER_TIME:-3000}" --pbkdf-parallel "${VAR_KDF_THREADS:-1}" 2>/dev/null \
@@ -53,7 +54,7 @@ benchmarking_encryption() {
  # shellcheck disable=SC2155
  declare -girx VAR_KDF_MEMORY=$(awk -F'[ ,]+' '{print $4}' <<<"${var_result}")
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_3200_partitioning/3220_partition_encryption.sh
+++ b/func/cdi_3200_partitioning/3220_partition_encryption.sh
@@ -10,12 +10,15 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Function to encrypt the respective partition on each entry of 'ARY_CRYPT_MOUNT_PATHS'.
 # Globals:
 #   ARY_CRYPT_MOUNT_PATHS
 #   CISS_SECRET_LUKS_BACKUP
 #   CISS_SECRET_LUKS_BOOT
 #   CISS_SECRET_LUKS_COMMON
 #   DIR_BAK
 #   DIR_CNF
 #   DIR_LOG
@@ -38,7 +41,6 @@ guard_sourcing
 #   VAR_RECIPE_STRING
 #   VAR_SETUP_PART
 #   VAR_SETUP_PATH
 #   VAR_TEMP_PLAIN_NC_AUTH
 # Arguments:
 #   None
 # Returns:
@@ -61,15 +63,31 @@ partition_encryption() {
              var_encryption_ephemeral="" var_encryption_integrity="" var_encryption_cipher="" var_encryption_hash="" \
              var_encryption_key="" var_encryption_label="" var_encryption_meta="" var_encryption_slot="" \
              var_encryption_pbkdf="" var_encryption_rng="" var_filesystem_label="" var_mount_path="" var_uuid="" var_fs="" \
-              var_luks_backup_file="" var_luks_backup_name="" var_pgp_publickey="" var_luks_backup_pgp=""
+              var_luks_backup_file="" var_luks_backup_name="" var_pgp_publickey="" var_luks_backup_pgp="" \
              var_temp_plain_nc_auth=""
  declare -a  ary_luks_opts=()
  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  guard_trace on
  printf '%s' "${CISS_SECRET_LUKS_BOOT}" >| "${DIR_CNF}/password_luks_boot.txt" && chmod 0600 "${DIR_CNF}/password_luks_boot.txt"
  printf '%s' "${CISS_SECRET_LUKS_COMMON}" >| "${DIR_CNF}/password_luks_common.txt" && chmod 0600 "${DIR_CNF}/password_luks_common.txt"
  unset CISS_SECRET_LUKS_BOOT CISS_SECRET_LUKS_COMMON
  guard_trace on
  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  if [[ -n "${VAR_LUKS_URL}" ]]; then
    VAR_LUKS_URL=${VAR_LUKS_URL%/}
-    read_luks_backup_token
+
-    do_log "debug" "file_only" "3220() Command: [read_luks_backup_token]"
+    ### SECRETS handling -------------------------------------------------------------------------------------------------------
    guard_trace on
    var_temp_plain_nc_auth="${CISS_SECRET_LUKS_BACKUP}"
    unset CISS_SECRET_LUKS_BACKUP
    guard_trace on
    ### SECRETS handling -------------------------------------------------------------------------------------------------------
    do_log "debug" "file_only" "3220() Var: [var_temp_plain_nc_auth] set."
  fi
@@ -176,13 +194,17 @@ partition_encryption() {
    ### Opening the encrypted container.
    if [[ "${var_encryption_path,,}" == "/boot" ]]; then
      cryptsetup luksOpen "/dev/${var_dev}" \
        --key-file="${DIR_CNF}/password_luks_boot.txt" \
        "${var_encryption_label}"
    else
      cryptsetup luksOpen "/dev/${var_dev}" \
        --key-file="${DIR_CNF}/password_luks_common.txt" \
        "${var_encryption_label}"
    fi
    do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' opened as '/dev/mapper/${var_encryption_label}'."
@@ -254,10 +276,11 @@ partition_encryption() {
      if [[ -n "${VAR_LUKS_URL}" ]]; then
        ### SECRETS handling ---------------------------------------------------------------------------------------------------
        guard_trace on
        if curl --silent --show-error --fail --retry 2 "${VAR_LUKS_URL}/public.php/webdav/${var_luks_backup_name}" \
-          --upload-file "${var_luks_backup_pgp}" --user "${VAR_TEMP_PLAIN_NC_AUTH}" > /dev/null 2>&1; then
+          --upload-file "${var_luks_backup_pgp}" --user "${var_temp_plain_nc_auth}" > /dev/null 2>&1; then
          do_log "info" "file_only" "3220() Partition: '/dev/${var_dev}' LUKS Header upload: '${VAR_LUKS_URL}' successful."
@@ -270,6 +293,7 @@ partition_encryption() {
        fi
        guard_trace off
        ### SECRETS handling ---------------------------------------------------------------------------------------------------
      fi
@@ -277,43 +301,18 @@ partition_encryption() {
  done
-  [[ -n "${VAR_LUKS_URL}" ]] && unset VAR_TEMP_PLAIN_NC_AUTH
+  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  guard_trace on
  [[ -n "${VAR_LUKS_URL}" ]] && unset var_temp_plain_nc_auth
  guard_trace off
  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
-  guard_dir && return 0
+  ciss_secrets_wiper "${DIR_CNF}/password_luks_boot.txt"
  ciss_secrets_wiper "${DIR_CNF}/password_luks_common.txt"
  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f partition_encryption
 #######################################
 # Reads the Nextcloud auth token from '${DIR_CNF}/password_luks_backup.txt' into VAR_TEMP_PLAIN_NC_AUTH
 # Globals:
 #   DIR_CNF
 #   VAR_TEMP_PLAIN_NC_AUTH
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #   ERR_READ_AUTH_FILE: on failure
 #######################################
 read_luks_backup_token(){
  ### Declare Arrays, HashMaps, and Variables.
  declare -r var_luks_backup_auth="${DIR_CNF}/password_luks_backup.txt"
  declare -g VAR_TEMP_PLAIN_NC_AUTH=""
  guard_trace on
  if ! read_password_file "${var_luks_backup_auth}" VAR_TEMP_PLAIN_NC_AUTH; then
    return "${ERR_READ_AUTH_FILE}"
  fi
  guard_trace off
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f read_luks_backup_token
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_3200_partitioning/3240_partition_formatting.sh
+++ b/func/cdi_3200_partitioning/3240_partition_formatting.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Function to format the respective partition on each entry of 'ARY_FORMT_MOUNT_PATHS'.
@@ -138,7 +138,7 @@ partition_formatting() {
  done
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_3200_partitioning/3280_mount_partition.sh
+++ b/func/cdi_3200_partitioning/3280_mount_partition.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Function to create the mount command, incl. mount path and options, and mount the respective device.
@@ -384,7 +384,7 @@ mount_partition() {
  done
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_3200_partitioning/3290_uuid_logger.sh
+++ b/func/cdi_3200_partitioning/3290_uuid_logger.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Logger for all generated partition, LUKS container and file system UUIDs.
@@ -61,7 +61,7 @@ uuid_logger() {
  done
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_3200_partitioning/3295_get_label.sh
+++ b/func/cdi_3200_partitioning/3295_get_label.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Returns standardized labels for the provided mount path depending on filesystem and art of label.
--- a/func/cdi_4000_debootstrap/4000_debootstrap.sh
+++ b/func/cdi_4000_debootstrap/4000_debootstrap.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Install a minimal Debian environment using the 'debootstrap' command.
@@ -71,7 +71,7 @@ func_debootstrap() {
    chmod 0700 "${var_target}/root/.ciss/cdi"
    chmod 0700 "${var_target}/root/.ciss/cdi/debootstrap"
-    guard_dir && return 0
+    guard_dir; return 0
  else
--- a/func/cdi_4000_debootstrap/4005_debootstrap_checks.sh
+++ b/func/cdi_4000_debootstrap/4005_debootstrap_checks.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Preliminary post debootstrap checks.
@@ -84,7 +84,7 @@ check_debootstrap() {
    } >> ${var_logfile}
  "
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4000_debootstrap/4010_prepare_mounts.sh
+++ b/func/cdi_4000_debootstrap/4010_prepare_mounts.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Configure the target system for chroot.
@@ -124,7 +124,7 @@ prepare_mounts() {
  fi
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4000_debootstrap/4011_prepare_xdg_root.sh
+++ b/func/cdi_4000_debootstrap/4011_prepare_xdg_root.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Prepare '/root' for XDG framework.
@@ -54,7 +54,7 @@ prepare_xdg_root() {
    unset _xdg_umask
    '
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4000_debootstrap/4015_check_usr_merge.sh
+++ b/func/cdi_4000_debootstrap/4015_check_usr_merge.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Check if the target system is not 'tainted: unmerged-usr'.
@@ -48,7 +48,7 @@ check_usr_merge() {
    "
  fi
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4000_debootstrap/4020_remove_x509.sh
+++ b/func/cdi_4000_debootstrap/4020_remove_x509.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Chroot hook for deleting all expired X.509 certificates in the target system.
@@ -44,7 +44,7 @@ remove_x509() {
  fi
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4000_debootstrap/4030_setup_hostname.sh
+++ b/func/cdi_4000_debootstrap/4030_setup_hostname.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Configure the '/etc/hostname' | '/etc/hosts' | '/etc/mailname' files.
@@ -80,7 +80,7 @@ EOF
  fi
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4000_debootstrap/4035_setup_resolv.sh
+++ b/func/cdi_4000_debootstrap/4035_setup_resolv.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Configure the '/etc/resolv.conf' file.
@@ -87,7 +87,7 @@ EOF
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4000_debootstrap/4040_setup_timezone.sh
+++ b/func/cdi_4000_debootstrap/4040_setup_timezone.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Configure the '/etc/timezone' | '/etc/localtime' files.
@@ -42,7 +42,7 @@ EOF
  chroot_exec "${var_target}" dpkg-reconfigure -f noninteractive tzdata
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4000_debootstrap/4050_setup_locales.sh
+++ b/func/cdi_4000_debootstrap/4050_setup_locales.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Set locale, locale overrides and configure keyboard layout.
@@ -140,7 +140,7 @@ EOF
  chmod 0644 "${var_target}/etc/default/keyboard"
  do_log "info" "file_only" "4050() Keyboard layout updated: 'XKBLAYOUT=${locale_keyboard_xkb_keymap}' -> '${var_target}/etc/default/keyboard'."
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4100_base/4100_generate_sources.sh
+++ b/func/cdi_4100_base/4100_generate_sources.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Generate target '/etc/apt/sources.list' entries.
@@ -187,7 +187,7 @@ Acquire::Retries "3";
 EOF
  sed -i -E 's|^([[:space:]]*)#+|\1//|' "${var_target}/etc/apt/apt.conf.d/91-acquire"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4100_base/4105_generate_sources_822.sh
+++ b/func/cdi_4100_base/4105_generate_sources_822.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Generate target '/etc/apt/sources.list.d/' deb.822 entries.
@@ -184,7 +184,7 @@ Acquire::Retries "3";
 EOF
  sed -i -E 's|^([[:space:]]*)#+|\1//|' "${var_target}/etc/apt/apt.conf.d/91-acquire"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4100_base/4110_update_sources.sh
+++ b/func/cdi_4100_base/4110_update_sources.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Update generated sources.
@@ -78,7 +78,7 @@ update_sources() {
  fi
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4100_base/4120_installation_kernel.sh
+++ b/func/cdi_4100_base/4120_installation_kernel.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Installation of the specified kernel.
@@ -42,7 +42,7 @@ installation_kernel() {
    do_log "info" "file_only" "4120() Kernel image: '${VAR_KERNEL}' installed successfully."
-    guard_dir && return 0
+    guard_dir; return 0
  else
@@ -54,7 +54,7 @@ installation_kernel() {
    do_log "info" "file_only" "4120() Kernel image: '${image}' installed successfully."
-    guard_dir && return 0
+    guard_dir; return 0
  fi
 }
--- a/func/cdi_4100_base/4121_installation_initramfs.sh
+++ b/func/cdi_4100_base/4121_installation_initramfs.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Installation of 'initramfs'-environment.
@@ -98,7 +98,7 @@ EOF
 RESUME=none
 EOF
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4100_base/4130_installation_toolset.sh
+++ b/func/cdi_4100_base/4130_installation_toolset.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Check and set up the minimum required tools for the next installation steps.
@@ -103,7 +103,7 @@ installation_toolset() {
  fi
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4100_base/4131_installation_systemd.sh
+++ b/func/cdi_4100_base/4131_installation_systemd.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Ensure systemd is in place.
@@ -49,7 +49,7 @@ installation_systemd() {
    systemctl --version 2>&1 | tee -a ${var_logfile} | grep -qi 'systemd' || echo '[WARN]: systemd not verifiable' >> ${var_logfile}
  "
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4100_base/4132_installation_machineid.sh
+++ b/func/cdi_4100_base/4132_installation_machineid.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Generate machine-id if missing.
@@ -33,7 +33,7 @@ installation_machineid() {
  fi
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4100_base/4133_installation_masking.sh
+++ b/func/cdi_4100_base/4133_installation_masking.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Turn off Energy saving mode and ctrl-alt-del.
@@ -32,7 +32,7 @@ installation_masking() {
  "
  do_log "info" "file_only" "4133() Masked: [plymouth-start.service plymouth-quit.service plymouth-quit-wait.service plymouth-read-write.service]"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4100_base/4140_installation_microcode.sh
+++ b/func/cdi_4100_base/4140_installation_microcode.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Install microcode updates depending on architecture (amd64, arm64, intel64) and environment (Baremetal, VM).
@@ -76,7 +76,7 @@ installation_microcode() {
  fi
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4100_base/4145_installation_firmware.sh
+++ b/func/cdi_4100_base/4145_installation_firmware.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Install microcode updates depending on architecture (amd64, arm64, intel64) and environment (Baremetal, VM).
@@ -298,7 +298,7 @@ installation_firmware() {
    apt-get install -y --no-install-recommends --no-install-suggests ${ary_pkgs_resolved[*]} 2>&1 | tee -a ${var_logfile}
  "
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4100_base/4150_installation_chrony.sh
+++ b/func/cdi_4100_base/4150_installation_chrony.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Setup chrony NTPSec client.
@@ -77,7 +77,7 @@ installation_chrony() {
  rm -f "${var_of}"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4100_base/4160_installation_eza.sh
+++ b/func/cdi_4100_base/4160_installation_eza.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Install Cisofy Lynis.
@@ -54,7 +54,7 @@ EOF
    apt-get install -y --no-install-recommends --no-install-suggests eza 2>&1 | tee -a ${var_logfile}
  "
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4100_base/4170_installation_lynis.sh
+++ b/func/cdi_4100_base/4170_installation_lynis.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Install Cisofy Lynis.
@@ -54,7 +54,7 @@ EOF
    apt-get install -y --no-install-recommends --no-install-suggests lynis 2>&1 | tee -a ${var_logfile}
  "
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4200_boot/4200_generate_fstab.sh
+++ b/func/cdi_4200_boot/4200_generate_fstab.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Wrapper to write '/etc/fstab' entries.
@@ -169,11 +169,10 @@ EOF
  mkdir -p "${TARGET}/media/cdrom0"
  cat << 'EOF' >> "${TARGET}/etc/fstab"
-/dev/sr0                                   /media/cdrom0               auto              noauto,nofail,ro,user,x-systemd.automount,x-systemd.device-timeout=0                                0 0
+# /dev/sr0                                 /media/cdrom0               auto              noauto,nofail,ro,user,x-systemd.automount,x-systemd.device-timeout=0                                0 0                                                                                        0 0
 #/dev/sr0                                  /media/cdrom0               udf,iso9660       user,noauto                                                                                         0 0
 EOF
-  do_log "info" "file_only" "4200() fstab entry generated: '/dev/sr0  /media/cdrom0  udf,iso9660  user,noauto  0 0'."
+  do_log "info" "file_only" "4200() fstab entry generated: '/dev/sr0  /media/cdrom0  auto  noauto,nofail,ro,user,x-systemd.automount,x-systemd.device-timeout=0  0 0'."
  cat << 'EOF' >> "${TARGET}/etc/fstab"
 ### Secure tmpfs mounts for a hardened system
@@ -191,7 +190,7 @@ tmpfs                                      /run                        tmpfs
 # vim: number et ts=2 sw=2 sts=2 ai tw=200 ft=sh
 EOF
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4200_boot/4205_check_fstab.sh
+++ b/func/cdi_4200_boot/4205_check_fstab.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Basic '/etc/fstab' checks inside chroot.
@@ -48,7 +48,7 @@ check_fstab() {
    } 2>&1 | tee -a '"${var_logfile}"'
  '
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4200_boot/4210_generate_crypttab.sh
+++ b/func/cdi_4200_boot/4210_generate_crypttab.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # '/etc/crypttab' entry writer and logger.
@@ -152,7 +152,7 @@ EOF
 # vim: number et ts=2 sw=2 sts=2 ai tw=200 ft=sh
 EOF
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4200_boot/4220_installation_cryptsetup.sh
+++ b/func/cdi_4200_boot/4220_installation_cryptsetup.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Installation of 'cryptsetup' and 'cryptsetup-initramfs' after '/etc/crypttab' generation.
@@ -36,7 +36,7 @@ installation_cryptsetup() {
    apt-get install -y --no-install-recommends --no-install-suggests cryptsetup cryptsetup-initramfs 2>&1 | tee -a ${var_logfile}
  "
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4200_boot/4230_installation_grub.sh
+++ b/func/cdi_4200_boot/4230_installation_grub.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # --- UEFI GRUB Installation Strategy ---
@@ -209,7 +209,7 @@ EOF
  fi
  chmod -R 0700 "${TARGET}/etc/grub.d"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
@@ -266,7 +266,6 @@ readonly -f install_grub_bios
 # Globals:
 #   TARGET
 #   VAR_MODINFO_PATH
 #   grub_bootdev
 #   grub_update_nvram
 #   var_update_grub_required
 # Arguments:
@@ -300,8 +299,8 @@ install_grub_uefi() {
  [[ "${grub_update_nvram}" == "false" ]] && ary_uefi_arg+=( --no-nvram )
-  chroot_exec "${TARGET}" grub-install "${ary_uefi_arg[@]}" "${grub_bootdev}" || return "${ERR_GRUB_INSTALL}"
+  chroot_exec "${TARGET}" grub-install "${ary_uefi_arg[@]}" || return "${ERR_GRUB_INSTALL}"
-  do_log "info" "file_only" "4230() Installed: GRUB on Device: '${grub_bootdev}' [UEFI]."
+  do_log "info" "file_only" "4230() Installed: GRUB on [ESP]."
  var_update_grub_required="true"
  return 0
--- a/func/cdi_4200_boot/4240_update_grub_password.sh
+++ b/func/cdi_4200_boot/4240_update_grub_password.sh
@@ -10,31 +10,34 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Append the GRUB superuser block to '/etc/grub.d/40_custom'.
 # Globals:
-#   DIR_CNF
+#   CISS_SECRET_GRUB
 #   TARGET
 # Arguments:
 #   None
 # Returns:
 #   0: on success
-#   ERR_READ_GRUB_FILE
+#   ERR_READ_GRUB_FILE: on failure
 #######################################
 update_grub_password() {
  ### Declare Arrays, HashMaps, and Variables.
-  declare var_username="superadmin" var_password="" var_password_file="${DIR_CNF}/password_grub.txt" \
+  declare var_username="superadmin" var_password="" \
          var_of="${TARGET}/etc/grub.d/40_custom" var_grub_entry=""
  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  guard_trace on
-  var_password=$(<"${var_password_file}") || return "${ERR_READ_GRUB_FILE}"
+  var_password="${CISS_SECRET_GRUB}" || return "${ERR_READ_GRUB_FILE}"
  unset CISS_SECRET_GRUB
  var_grub_entry=$(generate_grub_password_pbkdf2 "${var_username}" "${var_password}")
  guard_trace off
  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  ### Append if not already present.
  if ! grep -q "set superusers=" "${var_of}"; then
@@ -48,7 +51,7 @@ update_grub_password() {
  chroot_exec "${TARGET}" update-grub
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
@@ -56,6 +59,8 @@ readonly -f update_grub_password
 #######################################
 # Generate PBKDF2 password hash for GRUB.
 # Globals:
 #   None
 # Arguments:
 #   1: Username (default to superadmin).
 #   2: User password.
--- a/func/cdi_4200_boot/4250_update_grub_bootparameter.sh
+++ b/func/cdi_4200_boot/4250_update_grub_bootparameter.sh
@@ -13,7 +13,7 @@
 ### Options in "GRUB_CMDLINE_LINUX" are always effective, (incl. recovery).
 ### Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Hardening: update the Grub boot parameter and the Dropbear and Nuke parameters if opted in.
@@ -83,7 +83,7 @@ update_grub_bootparameter() {
  chroot_exec "${TARGET}" update-grub
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4300_network/4300_installation_network.sh
+++ b/func/cdi_4300_network/4300_installation_network.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Setup network.
@@ -235,7 +235,7 @@ EOF
    dhcpcd -T ${VAR_FINAL_NIC} | tee -a ${var_logfile}
  "
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4300_network/4305_installation_netsec.sh
+++ b/func/cdi_4300_network/4305_installation_netsec.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Installation of packages 'fail2ban' and 'ufw'.
@@ -33,7 +33,7 @@ installation_netsec() {
    apt-get install -y --no-install-suggests fail2ban ufw 2>&1 | tee -a ${var_logfile}
  "
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4300_network/4310_dropbear_build.sh
+++ b/func/cdi_4300_network/4310_dropbear_build.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Build Ultra Hardened dropbear-2025.88 from sources.
@@ -71,7 +71,7 @@ dropbear_build() {
  guard_trace off
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4300_network/4311_dropbear_initramfs.sh
+++ b/func/cdi_4300_network/4311_dropbear_initramfs.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Install the 'dropbear-initramfs' and replace the binaries with those from the previous Ultra Hardened build.
@@ -127,7 +127,7 @@ EOF
  chroot_script "${var_target}" "systemctl mask dropbear.service dropbear.socket"
  do_log "info" "file_only" "4311() Masked: [dropbear.service dropbear.socket]"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4300_network/4312_dropbear_setup.sh
+++ b/func/cdi_4300_network/4312_dropbear_setup.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Set up the 'dropbear-initramfs' environment.
@@ -140,7 +140,7 @@ EOF
  fi
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4300_network/4320_update_initramfs.sh
+++ b/func/cdi_4300_network/4320_update_initramfs.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Deploy all changes made using the 'update-grub' and 'update-initramfs' commands.
@@ -45,7 +45,7 @@ update_initramfs() {
  chmod 0400 "${TARGET}/boot/grub/grub.cfg"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4300_network/4330_installation_ssh.sh
+++ b/func/cdi_4300_network/4330_installation_ssh.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Setup ssh server.
@@ -94,6 +94,12 @@ EOF
    fi
  done
  chroot_script "${var_target}" "
    awk '\$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
    rm -rf /etc/ssh/moduli
    mv /etc/ssh/moduli.safe /etc/ssh/moduli
  "
  rm -rf "${var_target}"/etc/ssh/ssh_host_*key*
  if [[ -f "${var_target}/etc/dropbear/initramfs/dropbear_ed25519_host_key" ]]; then
@@ -201,7 +207,7 @@ esac
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4400_hardening/4400_kernel_modules.sh
+++ b/func/cdi_4400_hardening/4400_kernel_modules.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Entropy collection improvements '/usr/lib/modules-load.d/30_security-misc.conf'.
@@ -47,7 +47,7 @@ EOF
  do_log "info" "file_only" "4400() Installed: '/usr/lib/modules-load.d/30_security-misc.conf'."
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
@@ -71,7 +71,7 @@ kernel_modprobe() {
  do_log "info" "file_only" "4400() Installed: '/etc/modprobe.d/0000_ciss_debian_installer.conf'."
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4400_hardening/4410_kernel_sysctl.sh
+++ b/func/cdi_4400_hardening/4410_kernel_sysctl.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Install Kernel Hardening-Presets '/etc/sysctl.d/9999_ciss_debian_installer.hardened'.
@@ -30,7 +30,7 @@ kernel_sysctl() {
  do_log "info" "file_only" "4410() Installed: '/etc/sysctl.d/9999_ciss_debian_installer.hardened'."
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4400_hardening/4420_hardening_fail2ban.sh
+++ b/func/cdi_4400_hardening/4420_hardening_fail2ban.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Hardening 'fail2ban'.
@@ -62,6 +62,8 @@ EOF
    ### fail2ban ufw aggressive mode, one attempt for jumphost configuration.
    cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
 [DEFAULT]
 banaction             = nftables-multiport
 banaction_allports    = nftables-allports
 dbpurgeage            = 384d
 #                       127.0.0.1/8 - IPv4 loopback range (local host)
 #                       ::1/128     - IPv6 loopback
@@ -97,7 +99,7 @@ usedns                = yes
 [recidive]
 enabled               = true
-banaction             = ufw[blocktype=deny]
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
 bantime               = 8d
 bantime.increment     = true
 bantime.factor        = 1
@@ -131,27 +133,11 @@ maxretry              = 4
 # CISS aggressive approach:
 # Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
 # Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 1 attempt.
 # There is no necessity to ping our servers excessively. Any client pinging us more than 1 times will be blocked.
 #
 [icmp]
 enabled               = true
 banaction             = ufw[blocktype=deny]
 bantime               = 1h
 bantime.increment     = true
 bantime.factor        = 1
 bantime.maxtime       = 16d
 bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
 bantime.overalljails  = true
 bantime.rndtime       = 877s
 filter                = ciss-icmp
 findtime              = 16m
 logpath               = /var/log/ufw.log
 maxretry              = 1
 [ufw]
 enabled               = true
-banaction             = ufw[blocktype=deny]
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
 bantime               = 1h
 bantime.increment     = true
 bantime.factor        = 1
@@ -172,6 +158,8 @@ EOF
    ### fail2ban ufw aggressive mode, 32 attempts for NO jumphost configuration.
    cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
 [DEFAULT]
 banaction             = nftables-multiport
 banaction_allports    = nftables-allports
 dbpurgeage            = 384d
 #                       127.0.0.1/8 - IPv4 loopback range (local host)
 #                       ::1/128     - IPv6 loopback
@@ -195,7 +183,7 @@ usedns                = yes
 [recidive]
 enabled               = true
-banaction             = ufw[blocktype=deny]
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
 bantime               = 8d
 bantime.increment     = true
 bantime.factor        = 1
@@ -229,27 +217,11 @@ maxretry              = 4
 # CISS aggressive approach:
 # Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
 # Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 3 attempts.
 # There is no necessity to ping our servers excessively. Any client pinging us more than 3 times will be blocked.
 #
 [icmp]
 enabled               = true
 banaction             = ufw[blocktype=deny]
 bantime               = 1h
 bantime.increment     = true
 bantime.factor        = 1
 bantime.maxtime       = 16d
 bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
 bantime.overalljails  = true
 bantime.rndtime       = 877s
 filter                = ciss-icmp
 findtime              = 16m
 logpath               = /var/log/ufw.log
 maxretry              = 3
 [ufw]
 enabled               = true
-banaction             = ufw[blocktype=deny]
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
 bantime               = 1h
 bantime.increment     = true
 bantime.factor        = 1
@@ -274,17 +246,6 @@ EOF
  fi
  insert_header   "${var_target}/etc/fail2ban/filter.d/ciss-icmp.conf"
  insert_comments "${var_target}/etc/fail2ban/filter.d/ciss-icmp.conf"
  cat << EOF >>   "${var_target}/etc/fail2ban/filter.d/ciss-icmp.conf"
 [Definition]
 # Generic ICMP/ICMPv6 blocks
 failregex             = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?\bPROTO=ICMP\b.*$
                        ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?\bPROTO=ICMPv6\b.*$
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
  insert_header   "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf"
  insert_comments "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf"
  cat << EOF >>   "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf"
@@ -376,7 +337,7 @@ EOF
    fail2ban-client -d >> ${var_logfile} && echo "OK: config parsed" >> ${var_logfile} || echo "ERROR: config invalid" >> ${var_logfile}
  "
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4400_hardening/4430_hardening_files.sh
+++ b/func/cdi_4400_hardening/4430_hardening_files.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Hardening files and directories.
@@ -67,7 +67,7 @@ uname -snrm
 EOF
  chmod 0755 /etc/update-motd.d/10-uname
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4400_hardening/4440_hardening_haveged.sh
+++ b/func/cdi_4400_hardening/4440_hardening_haveged.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Hardening haveged.
@@ -44,7 +44,7 @@ DAEMON_ARGS="-w 2048 -v 1"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4400_hardening/4442_hardening_jitterentropy.sh
+++ b/func/cdi_4400_hardening/4442_hardening_jitterentropy.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Hardening hardening_jitterentropy.
@@ -37,7 +37,7 @@ ExecStart=
 ExecStart=/usr/sbin/jitterentropy-rngd --osr=2
 EOF
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4400_hardening/4445_hardening_logrotate.sh
+++ b/func/cdi_4400_hardening/4445_hardening_logrotate.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Hardening '/etc/logrotate'.
@@ -87,7 +87,7 @@ include /etc/logrotate.d
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4400_hardening/4450_hardening_memory.sh
+++ b/func/cdi_4400_hardening/4450_hardening_memory.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # NOTE:
@@ -111,7 +111,7 @@ EOF
  #   - write_pam_sudo-i()
  # guard_pam_limits
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
@@ -177,7 +177,7 @@ guard_pam_limits() {
  (( var_changed )) && do_log "info" "file_only" "4460() Activated pam_limits.so: (common-session[*])"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4400_hardening/4460_hardening_openssl.sh
+++ b/func/cdi_4400_hardening/4460_hardening_openssl.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Hardening OpenSSL library defaults (system-wide), TLSv1.2-, TLSv1.3-, AES-256-only.
@@ -30,7 +30,7 @@ hardening_openssl() {
  insert_comments "${TARGET}/etc/ssl/openssl.cnf"
  cat "${VAR_SETUP_PATH}/includes/target/etc/ssl/openssl.cnf" >> "${TARGET}/etc/ssl/openssl.cnf"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4400_hardening/4470_hardening_ufw.sh
+++ b/func/cdi_4400_hardening/4470_hardening_ufw.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Hardening 'ufw'.
@@ -102,7 +102,7 @@ hardening_ufw() {
  chroot_script "${var_target}" "ufw status verbose >> ${var_logfile}"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4400_hardening/4480_hardening_usb.sh
+++ b/func/cdi_4400_hardening/4480_hardening_usb.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Hardening 'usb-guard'.
@@ -55,7 +55,7 @@ hardening_usb() {
    #sed -i 's/PresentDevicePolicy=apply-policy/PresentDevicePolicy=allow/' /etc/usbguard/usbguard-daemon.conf
  "
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4400_hardening/4490_hardening_virus.sh
+++ b/func/cdi_4400_hardening/4490_hardening_virus.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Installing anti-rootkit and antivirus packages.
@@ -33,7 +33,7 @@ hardening_virus() {
    apt-get install -y --no-install-recommends --no-install-suggests rkhunter 2>&1 | tee -a ${var_logfile}
  "
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4500_user/4500_accounts_preparation.sh
+++ b/func/cdi_4500_user/4500_accounts_preparation.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Account generation preparation.
@@ -54,7 +54,7 @@ accounts_preparation() {
  esac
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4500_user/4501_accounts_preparation_ciss.sh
+++ b/func/cdi_4500_user/4501_accounts_preparation_ciss.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Account preparation CISS specific.
@@ -58,7 +58,7 @@ accounts_preparation_ciss() {
  insert_comments "${var_target}/etc/skel/.ciss/scan_libwrap"
  insert_comments "${var_target}/etc/skel/.ciss/shortcuts"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4500_user/4502_accounts_preparation_physnet.sh
+++ b/func/cdi_4500_user/4502_accounts_preparation_physnet.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Account preparation PHYSNET specific.
@@ -57,7 +57,7 @@ accounts_preparation_physnet() {
  insert_comments "${var_target}/etc/skel/.ciss/scan_libwrap"
  insert_comments "${var_target}/etc/skel/.ciss/shortcuts"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4500_user/4510_accounts_hardening.sh
+++ b/func/cdi_4500_user/4510_accounts_hardening.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Hardening accounts: Google TOTP, Wordlists, masking ttys, expiration of accounts.
@@ -109,7 +109,7 @@ accounts_hardening() {
  fi
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4500_user/4520_accounts_setup.sh
+++ b/func/cdi_4500_user/4520_accounts_setup.sh
@@ -10,11 +10,14 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Updating root account and generation user accounts.
 # Globals:
 #   CISS_SECRET_USER_ROOT_PASSWORD
 #   CISS_SECRET_USER_ROOT_SSHPUBKEY
 #   LOG_ERR
 #   RECOVERY
 #   TARGET
 #   VAR_RUN_RECOVERY
@@ -27,8 +30,6 @@ guard_sourcing
 #   user_root_authentication_access_ssh
 #   user_root_authentication_access_tty
 #   user_root_authentication_password
 #   user_root_password
 #   user_root_sshpubkey
 # Arguments:
 #   None
 # Returns:
@@ -62,6 +63,7 @@ accounts_setup() {
  write_pam_login       "${var_target}"
  write_pam_sshd        "${var_target}"
  write_pam_su          "${var_target}"
  write_pam_su-l        "${var_target}"
  write_pam_sudo        "${var_target}"
  write_pam_sudo-i      "${var_target}"
@@ -95,9 +97,19 @@ accounts_setup() {
      ;;
    true)
-      ### SSH Public Key per default, only.
+      if [[ "${user_root_authentication_2fa_ssh}" == "true" || "${user_root_authentication_2fa_tty}" == "true" ]]; then
-      sed -i -E "s|^[[:space:]]*PermitRootLogin[[:space:]]+.*$|$(printf '%-29s%s' 'PermitRootLogin' 'prohibit-password')|" "${var_target}/etc/ssh/sshd_config"
+
-      do_log "info" "file_only" "4520() User: 'root' SSH access: [PermitRootLogin prohibit-password]"
+        ### SSH Public Key per default, only.
        sed -i -E "s|^[[:space:]]*PermitRootLogin[[:space:]]+.*$|$(printf '%-29s%s' 'PermitRootLogin' 'yes')|" "${var_target}/etc/ssh/sshd_config"
        do_log "info" "file_only" "4520() User: 'root' SSH access: [PermitRootLogin yes]"
      else
        ### SSH Public Key per default, only.
        sed -i -E "s|^[[:space:]]*PermitRootLogin[[:space:]]+.*$|$(printf '%-29s%s' 'PermitRootLogin' 'prohibit-password')|" "${var_target}/etc/ssh/sshd_config"
        do_log "info" "file_only" "4520() User: 'root' SSH access: [PermitRootLogin prohibit-password]"
      fi
      ;;
    *)
@@ -141,7 +153,9 @@ EOF
  esac
  ### 4) Check the password policy for the 'root' account.
-  chroot_script "${var_target}" "printf '%s:%s\n' 'root' '${user_root_password}' | /usr/sbin/chpasswd -e"
+  chroot_script "${var_target}" "printf '%s:%s\n' 'root' '${CISS_SECRET_USER_ROOT_PASSWORD}' | /usr/sbin/chpasswd -e"
  do_log "info" "file_only" "4520() User: 'root' password: inserted."
  unset CISS_SECRET_USER_ROOT_PASSWORD
  case "${user_root_authentication_password,,}" in
@@ -163,9 +177,10 @@ EOF
  esac
  ### 5) Update the 'root' SSH pubkey, if provided via 'preseed.yaml'.
-  if [[ -n "${user_root_sshpubkey:-}" ]]; then
+  if [[ -n "${CISS_SECRET_USER_ROOT_SSHPUBKEY:-}" ]]; then
-    printf "%s\n" "${user_root_sshpubkey}" >| "${var_target}/root/.ssh/authorized_keys"
+    printf "%s\n" "${CISS_SECRET_USER_ROOT_SSHPUBKEY}" >| "${var_target}/root/.ssh/authorized_keys"
    unset CISS_SECRET_USER_ROOT_SSHPUBKEY
    do_log "info" "file_only" "4520() User: 'root' SSH public key: inserted."
  fi
@@ -220,8 +235,8 @@ EOF
    tmp_uid="user_user${i}_uid"
    tmp_gid="user_user${i}_gid"
    tmp_shell="user_user${i}_shell"
-    tmp_password="user_user${i}_password"
+    tmp_password="CISS_SECRET_USER_USER${i}_PASSWORD"
-    tmp_sshpubkey="user_user${i}_sshpubkey"
+    tmp_sshpubkey="CISS_SECRET_USER_USER${i}_SSHPUBKEY"
    tmp_access_tty="user_user${i}_authentication_access_tty"
    tmp_auth_pwd="user_user${i}_authentication_password"
    tmp_2fa_ssh="user_user${i}_authentication_2fa_ssh"
@@ -251,6 +266,7 @@ EOF
    if ! chroot_exec "${var_target}" getent group "${var_username}" >/dev/null; then
      chroot_exec "${var_target}" groupadd --gid "${var_gid}" "${var_username}"
    fi
    sed -i '/getent[[:space:]]\+group/d' -- "${LOG_ERR}"
    ### 0) B) Generates the user account.
    ###       If the 'user' is not restricted in scope, then generate the account accordingly, with a predefined expiry date.
@@ -438,6 +454,7 @@ EOF
    find "${var_target}/home/${var_username}" -xdev -exec chown -h "${var_uid}:${var_gid}" {} +
    ### 9) Final status logging.
    unset var_password var_sshpubkey
    do_log "info" "file_only" "4520() Created user: [${var_username}] UID: [${var_uid}] GID: [${var_gid}]"
  done
@@ -448,8 +465,6 @@ EOF
  fi
  unset VAR_TEMP_PLAIN_MFA_SEED
  if ! grep -Fqx -- '-: ALL:ALL' "${var_target}/etc/security/access.conf"; then
    printf '%s\n' '-: ALL:ALL' >> "${var_target}/etc/security/access.conf"
@@ -459,7 +474,9 @@ EOF
  printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_target}/etc/security/access.conf"
  printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_target}/etc/ssh/sshd_config"
-  guard_dir && return 0
+  unset VAR_TEMP_PLAIN_MFA_SEED
  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
@@ -499,12 +516,12 @@ readonly -f eza_installer
 #######################################
 # Generates a deterministic TOTP secret based on:
-# Username, FQDN, MFA salt, MFA master seed
+#   Username, FQDN, MFA salt, MFA master seed
 # Globals:
 #   CISS_SECRET_SEEDS_MFA_INFO
 #   CISS_SECRET_SEEDS_MFA_SALT
 #   VAR_FINAL_FQDN
 #   VAR_TEMP_PLAIN_MFA_SEED
 #   user_mfa_info
 #   user_mfa_salt
 # Arguments:
 #   1: Username
 # Returns:
@@ -514,10 +531,11 @@ generate_totp_secret() {
  ### Declare Arrays, HashMaps, and Variables.
  declare  var_user="${1}"
  declare  var_host_id="${VAR_FINAL_FQDN}"
-  declare  var_salt="${user_mfa_salt}:${var_host_id}:${var_user}"
+  declare  var_salt="${CISS_SECRET_SEEDS_MFA_SALT}:${var_host_id}:${var_user}"
-  declare  var_info="${user_mfa_info}"
+  declare  var_info="${CISS_SECRET_SEEDS_MFA_INFO}"
  declare  var_secret=""
  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  guard_trace on
  ### Derive 20 bytes via HKDF-SHA256 using OpenSSL 3 kdf, output as raw, then base32 (uppercase, no padding).
@@ -538,6 +556,7 @@ generate_totp_secret() {
  printf '%s\n' "${var_secret}"
  guard_trace off
  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  return 0
 }
@@ -705,33 +724,31 @@ EOF
 readonly -f hardening_sudo
 #######################################
-# Reads a 256-bit seed from '${DIR_CNF}/mfa_master.txt' (64 hex chars) into VAR_TEMP_PLAIN_MFA_SEED.
+# Reads a 256-bit seed from '${CISS_SECRET_SEEDS_MFA_SECRET}' '(64 hex chars) into VAR_TEMP_PLAIN_MFA_SEED.
 # Globals:
-#   DIR_CNF
+#   CISS_SECRET_SEEDS_MFA_SECRET
 #   VAR_TEMP_PLAIN_MFA_SEED
 # Arguments:
 #   None
 # Returns:
 #   0: on success
-#   ERR_READ_SEED_FILE
+#   ERR_READ_SEED_FILE: on failure
 #######################################
 read_totp_seed(){
  ### Declare Arrays, HashMaps, and Variables.
  declare -r var_mfa_seed_file="${DIR_CNF}/mfa_master.txt"
  declare -g VAR_TEMP_PLAIN_MFA_SEED=""
  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  guard_trace on
-  if ! read_password_file "${var_mfa_seed_file}" VAR_TEMP_PLAIN_MFA_SEED; then
+  VAR_TEMP_PLAIN_MFA_SEED="${CISS_SECRET_SEEDS_MFA_SECRET}"
-
+  unset CISS_SECRET_SEEDS_MFA_SECRET
    return "${ERR_READ_SEED_FILE}"
  fi
  ### Validate: exactly 64 hex.
  [[ "${VAR_TEMP_PLAIN_MFA_SEED}" =~ ^[0-9a-fA-F]{64}$ ]] || return "${ERR_READ_SEED_FILE}"
  guard_trace off
  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  return 0
 }
@@ -877,14 +894,17 @@ readonly -f write_ciss_2fa_user
 write_google_authenticator_file() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_user="${1}" var_user_id="${2}" var_group_id="${3}" var_target="${4}"
-  declare     var_secret=""
+  declare -i  i=0
  declare     var_secret="" __umask=""
  __umask=$(umask)
  case "${1}" in
    root) declare var_base="${var_target}/root"             ;;
    *)    declare var_base="${var_target}/home/${var_user}" ;;
  esac
  declare -i  i=0
  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  guard_trace on
  var_secret="$(generate_totp_secret "${var_user}")"
@@ -895,12 +915,12 @@ write_google_authenticator_file() {
    printf '%s\n' "${var_secret}"
    printf '" RATE_LIMIT 3 30\n'
-    printf '" WINDOW_SIZE 10\n'
+    printf '" WINDOW_SIZE 04\n'
    printf '" DISALLOW_REUSE\n'
    printf '" TOTP_AUTH\n'
-    ### Emergency Codes (8x unbiased 8-digit, CSPRNG via OpenSSL).
+    ### Emergency Codes (10x unbiased 8-digit, CSPRNG via OpenSSL).
-    for i in {1..8}; do
+    for i in {1..10}; do
      ### Draw 32 bits; rejection sampling to avoid modulo bias.
      while :; do
@@ -929,9 +949,10 @@ write_google_authenticator_file() {
  } >| "${DIR_TMP}/TOTP_${var_user}.secret"
  chmod 0400 "${DIR_TMP}/TOTP_${var_user}.secret"
  umask 0022
  guard_trace off
  ### SECRETS handling ---------------------------------------------------------------------------------------------------------
  umask "${__umask}"
  return 0
 }
@@ -1333,8 +1354,10 @@ auth     required   pam_google_authenticator.so
 # ===== CISS 2FA block end =====
-@include common-account
+@include            common-account
-@include common-session
+session  required   pam_env.so
 session  required   pam_env.so envfile=/etc/default/locale
@include            common-session
 # Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
 session  required   pam_limits.so
@@ -1356,6 +1379,45 @@ EOF
 # shellcheck disable=SC2034
 readonly -f write_pam_su
 #######################################
 # Writes CISS Header for '/etc/pam.d/su-l'.
 # Globals:
 #   None
 # Arguments:
 #   1: TARGET
 # Returns:
 #   0: on success
 #######################################
 write_pam_su-l() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_target="$1"
  mv "${var_target}/etc/pam.d/su-l" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/su-l"
  cat << EOF >|   "${var_target}/etc/pam.d/su-l"
 #%PAM-1.0
 # su-l: login-shell semantics; reuse 'su' stacks.
 # Reuse exactly the 'su' stacks (incl. CISS 2FA in auth):
 auth     include    su
 account  include    su
 password include    su
 # Login-shell extra, then reuse 'su' session (which already has pam_env):
 session  optional   pam_keyinit.so force revoke
 session  include    su
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
  do_log "info" "file_only" "4520() Written: [/etc/pam.d/su-l]."
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f write_pam_su-l
 #######################################
 # Writes CISS Header for '/etc/pam.d/sudo'.
 # Globals:
@@ -1441,8 +1503,8 @@ auth     required   pam_google_authenticator.so
 # Accounts, sessions:
-@include common-account
+@include            common-account
-@include common-session
+@include            common-session
 # Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
 session  required   pam_limits.so
--- a/func/cdi_4500_user/4521_accounts_setup_ciss.sh
+++ b/func/cdi_4500_user/4521_accounts_setup_ciss.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Account setup CISS specific.
@@ -78,7 +78,7 @@ accounts_setup_ciss_root() {
  do_log "info" "file_only" "4520() Skeleton: 'root' successfully generated."
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
@@ -136,7 +136,7 @@ accounts_setup_ciss_user() {
  do_log "info" "file_only" "4520() Skeleton: '${var_username}' successfully generated."
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4500_user/4522_accounts_setup_physnet.sh
+++ b/func/cdi_4500_user/4522_accounts_setup_physnet.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Account setup PHYSNET specific.
@@ -76,7 +76,7 @@ accounts_setup_physnet_root() {
  do_log "info" "file_only" "4520() Skeleton: 'root' successfully generated."
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
@@ -131,7 +131,7 @@ accounts_setup_physnet_user() {
  do_log "info" "file_only" "4520() Skeleton: '${var_username}' successfully generated."
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4500_user/4530_accounts_timings.sh
+++ b/func/cdi_4500_user/4530_accounts_timings.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Iterates all '/etc/shadow' entries and sets:
@@ -91,7 +91,7 @@ update_shadow() {
  ### Atomic replace.
  mv -f "${var_temp}" "${var_shadow}"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4600_packages/4600_installation_packages.sh
+++ b/func/cdi_4600_packages/4600_installation_packages.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Install Debian Packages as specified in 'preseed.yaml'.
@@ -32,8 +32,8 @@ installation_packages() {
    chroot_script "${TARGET}" "
      export INITRD=No
      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-      apt-get update  -qq 2>&1 | tee -a ${var_logfile}
+      apt-get update -qq      2>&1 | tee -a ${var_logfile}
-      apt-get upgrade -y  2>&1 | tee -a ${var_logfile}
+      apt-get -y dist-upgrade 2>&1 | tee -a ${var_logfile}       # (= apt full-upgrade) allow installs/replacements/removals.
    "
  fi
@@ -46,12 +46,11 @@ installation_packages() {
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-    apt-get autoclean  -y 2>&1 | tee -a ${var_logfile}
+    apt-get autoremove --purge  -y 2>&1 | tee -a ${var_logfile}  # 'autopurge' == 'autoremove --purge'; don't run both.
-    apt-get autopurge  -y 2>&1 | tee -a ${var_logfile}
+    apt-get clean               -y 2>&1 | tee -a ${var_logfile}  # Stronger than autoclean: removes the entire '.deb'-cache.
    apt-get autoremove -y 2>&1 | tee -a ${var_logfile}
  "
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4600_packages/4610_installation_security.sh
+++ b/func/cdi_4600_packages/4610_installation_security.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Installs the desired security extension framework.
@@ -98,7 +98,7 @@ EOF
  fi
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4600_packages/4620_installation_verification.sh
+++ b/func/cdi_4600_packages/4620_installation_verification.sh
@@ -10,12 +10,12 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 ### https://github.com/linux-audit/audit-userspace/tree/master/rules
 #######################################
-# Installs 'aide', 'audit', and 'debsums' audit and logging packages.
+# Installs 'acct', 'aide', 'audit', and 'debsums' audit and logging packages.
 # Finalizes 'rkhunter' baseline.
 # Globals:
 #   TARGET
@@ -53,8 +53,8 @@ install_verification() {
  rm -f "${TARGET}/etc/audit/rules.d/audit.rules"
-  ############################################################### /etc/audit/rules.d/10-base-config.rules
+  ############################################################### /etc/audit/rules.d/00-base-config.rules
-  cat << EOF >| "${TARGET}/etc/audit/rules.d/10-base-config.rules"
+  cat << EOF >| "${TARGET}/etc/audit/rules.d/00-base-config.rules"
 ## First rule - delete all
 -D
@@ -70,6 +70,20 @@ install_verification() {
 ## Set failure mode to syslog.
 -f 1
 EOF
  ############################################################### /etc/audit/rules.d/10-ciss-noise-floor.rules
  cat << EOF >| "${TARGET}/etc/audit/rules.d/10-ciss-noise-floor.rules"
 ## Ignore kernel/daemon noise without a loginuid (unset = 4294967295).
 -a never,exit -F auid=4294967295
 ## Make privileged exec tracing user-initiated only (no boot-time daemons).
 -a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k exec_root
 -a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k exec_root
 ## (Optional, same principle for suid/sgid transitions).
 -a always,exit -F arch=b64 -S execve -C uid!=euid -F auid>=1000 -F auid!=-1 -k exec_suid_sgid
 -a always,exit -F arch=b32 -S execve -C uid!=euid -F auid>=1000 -F auid!=-1 -k exec_suid_sgid
 EOF
  ############################################################### /etc/audit/rules.d/11-loginuid.rules
@@ -365,7 +379,7 @@ EOF
  chroot_exec "${TARGET}" sed -i 's#^\(ENABLED=\).*#\1"true"#' /etc/default/sysstat
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4600_packages/4630_auditing_packages.sh
+++ b/func/cdi_4600_packages/4630_auditing_packages.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Final checks.
@@ -97,7 +97,7 @@ auditing_packages() {
    echo +++ >> ${var_logfile}
  "
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4900_xtended/4900_final_command.sh
+++ b/func/cdi_4900_xtended/4900_final_command.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Finalize the chroot system before exiting.
@@ -41,7 +41,7 @@ final_commands() {
  rm -f "${var_target}/root/ciss_xdg_tmp.sh"
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/func/cdi_4900_xtended/4950_final_logrotate.sh
+++ b/func/cdi_4900_xtended/4950_final_logrotate.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Final update '/etc/logrotate.d/*'.
@@ -58,7 +58,7 @@ final_logrotate() {
      "${var_file}"
  done
-  guard_dir && return 0
+  guard_dir; return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
--- a/Show More
+++ b/Show More
		`@@ -1 +0,0 @@`
			`7cad63da408c27b5121c89cdd0cf878b8f8df1f34bcc0a944152261ee1481fda`
		`@@ -1 +0,0 @@`
			`SJF3kOdvm0o9xwT:VdmXE^2w^VTFJeJPdHkd7qNwQVf^7SDmcyZKjcfadS`
		`@@ -1 +0,0 @@`
			`Ceterum_censeo_Bruxellam_et_Berolinum_delenda_esse!`