diff --git a/.archive/.0000_lib_usage.sh b/.archive/.0000_lib_usage.sh
index 7b55375..3af51ca 100644
--- a/.archive/.0000_lib_usage.sh
+++ b/.archive/.0000_lib_usage.sh
@@ -21,7 +21,7 @@ usage() {
clear
cat << EOF
$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.13.016.2025.09.28\e[0m")
+$(echo -e "\e[92mMaster V8.13.032.2025.10.03\e[0m")
$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
diff --git a/.archive/0003_install_backports.chroot b/.archive/0003_install_backports.chroot
index 109a484..7b47175 100644
--- a/.archive/0003_install_backports.chroot
+++ b/.archive/0003_install_backports.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
index 693b1b7..ebe1680 100644
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
attributes:
label: "Version"
description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
- placeholder: "e.g., Master V8.13.016.2025.09.28"
+ placeholder: "e.g., Master V8.13.032.2025.10.03"
validations:
required: true
diff --git a/.gitea/TODO/dockerfile b/.gitea/TODO/dockerfile
index fd4b9f8..fb5fa48 100644
--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.016.2025.09.28
+### Version Master V8.13.032.2025.10.03
FROM debian:bookworm
diff --git a/.gitea/TODO/render-md-to-html.yaml b/.gitea/TODO/render-md-to-html.yaml
index 91d4d8c..b79c3d2 100644
--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.016.2025.09.28
+### Version Master V8.13.032.2025.10.03
name: 🔁 Render README.md to README.html.
diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
index a48bae9..ce18224 100644
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V8.13.016.2025.09.28
+ version: V8.13.032.2025.10.03
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
index a48bae9..ce18224 100644
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V8.13.016.2025.09.28
+ version: V8.13.032.2025.10.03
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/trigger/t_generate_PUBLIC.yaml b/.gitea/trigger/t_generate_PUBLIC.yaml
index cb86b32..da1ee5d 100644
--- a/.gitea/trigger/t_generate_PUBLIC.yaml
+++ b/.gitea/trigger/t_generate_PUBLIC.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V8.13.016.2025.09.28
+ version: V8.13.032.2025.10.03
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml
index cb86b32..da1ee5d 100644
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V8.13.016.2025.09.28
+ version: V8.13.032.2025.10.03
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
index eba3171..6969938 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.016.2025.09.28
+### Version Master V8.13.032.2025.10.03
name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -51,6 +51,7 @@ jobs:
gnupg \
openssh-client \
openssl \
+ perl \
sudo \
util-linux
@@ -93,6 +94,40 @@ jobs:
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
git fetch --unshallow || echo "Nothing to fetch - already full clone."
+ - name: 🔧 Render live hook with secrets.
+ shell: bash
+ env:
+ ED25519_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
+ ED25519_PUB: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
+ RSA_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
+ RSA_PUB: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
+ run: |
+ set -Ceuo pipefail
+ umask 077
+
+ tmpl="config/hooks/live/9935_hardening_ssh.chroot.tmpl"
+ out="config/hooks/live/9935_hardening_ssh.chroot"
+
+ test -f "${tmpl}"
+
+ perl -0777 -pe '
+ BEGIN {
+ $ed = $ENV{ED25519_PRIV};
+ $edpub = $ENV{ED25519_PUB};
+ $rsa = $ENV{RSA_PRIV};
+ $rsapub = $ENV{RSA_PUB};
+ }
+ s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
+ s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
+ s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
+ s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
+ ' "$tmpl" >| "$out"
+
+ grep -q "ssh_host_ed25519_key" "${out}"
+ grep -q "ssh_host_rsa_key" "${out}"
+
+ chmod 0755 "${out}"
+
- name: 🛠️ Cleaning the workspace.
shell: bash
run: |
@@ -142,7 +177,7 @@ jobs:
set -euo pipefail
chmod 0755 ciss_live_builder.sh
timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
- ### Change "--autobuild=" to the specific kernel version you need: '6.12.41+deb13-amd64'.
+ ### Change "--autobuild=" to the specific kernel version you need: '6.12.48+deb13-amd64'.
./ciss_live_builder.sh \
--autobuild=6.12.48+deb13-amd64 \
--architecture amd64 \
@@ -155,6 +190,7 @@ jobs:
--root-password-file /opt/config/password.txt \
--ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
--ssh-pubkey /opt/config \
+ --sshfp \
--trixie
- name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
index 68dadff..e2f7a81 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.016.2025.09.28
+### Version Master V8.13.032.2025.10.03
name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -51,6 +51,7 @@ jobs:
gnupg \
openssh-client \
openssl \
+ perl \
sudo \
util-linux
@@ -93,6 +94,41 @@ jobs:
git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
git fetch --unshallow || echo "Nothing to fetch - already full clone."
+
+ - name: 🔧 Render live hook with secrets.
+ shell: bash
+ env:
+ ED25519_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
+ ED25519_PUB: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
+ RSA_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
+ RSA_PUB: ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
+ run: |
+ set -Ceuo pipefail
+ umask 077
+
+ tmpl="config/hooks/live/9935_hardening_ssh.chroot.tmpl"
+ out="config/hooks/live/9935_hardening_ssh.chroot"
+
+ test -f "${tmpl}"
+
+ perl -0777 -pe '
+ BEGIN {
+ $ed = $ENV{ED25519_PRIV};
+ $edpub = $ENV{ED25519_PUB};
+ $rsa = $ENV{RSA_PRIV};
+ $rsapub = $ENV{RSA_PUB};
+ }
+ s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
+ s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
+ s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
+ s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
+ ' "$tmpl" >| "$out"
+
+ grep -q "ssh_host_ed25519_key" "${out}"
+ grep -q "ssh_host_rsa_key" "${out}"
+
+ chmod 0755 "${out}"
+
- name: 🛠️ Cleaning the workspace.
shell: bash
run: |
@@ -152,6 +188,7 @@ jobs:
--root-password-file /opt/config/password.txt \
--ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
--ssh-pubkey /opt/config \
+ --sshfp \
--trixie
- name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml
index e0c65bf..31dad13 100644
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.016.2025.09.28
+### Version Master V8.13.032.2025.10.03
name: 💙 Generating a PUBLIC Live ISO.
diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml
index 20d7175..a52678f 100644
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.016.2025.09.28
+### Version Master V8.13.032.2025.10.03
# Gitea Workflow: Shell-Script Linting
#
diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml
index 967df7a..43401dc 100644
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.016.2025.09.28
+### Version Master V8.13.032.2025.10.03
name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml
index 8df62a7..d0476f4 100644
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.016.2025.09.28
+### Version Master V8.13.032.2025.10.03
name: 🔁 Render Graphviz Diagrams.
diff --git a/.version.properties b/.version.properties
index f0967c5..38e772c 100644
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
properties_SPDX-PackageName="CISS.debian.live.builder"
properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.016.2025.09.28"
+properties_version="V8.13.032.2025.10.03"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx
index 6d09c6e..c047af5 100644
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
Created: 2025-05-07T12:00:00Z
Package: CISS.debian.live.builder
PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.016.2025.09.28
+PackageVersion: Master V8.13.032.2025.10.03
PackageSupplier: Organization: Centurion Intelligence Consulting Agency
PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
diff --git a/README.md b/README.md
index cb8dd3f..cc90ee5 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
gitea: none
include_toc: true
---
-[](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[](https://git.coresecret.dev/msw/CISS.debian.live.builder)
[](https://eupl.eu/1.2/en/)
[](https://opensource.org/license/eupl-1-2)
@@ -12,7 +12,7 @@ include_toc: true
[](https://google.github.io/styleguide/shellguide.html)
[](https://docs.gitea.com/)
-[](https://www.jetbrains.com/store/?section=personal&billing=yearly)
+[](https://www.jetbrains.com/store/?section=personal&billing=yearly)
[](https://keepassxc.org/)
[](https://www.netcup.com/de)
[](https://coresecret.eu/)
@@ -26,7 +26,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -151,7 +151,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `V8.13.016.2025.09.28`
+Example: `V8.13.032.2025.10.03`
`x.y.z` represents major (x), minor (y), and patch (z) version increments.
diff --git a/config/hooks/live/0000_generate_backup_dir.chroot b/config/hooks/live/0000_generate_backup_dir.chroot
index 4831c26..993f2ef 100644
--- a/config/hooks/live/0000_generate_backup_dir.chroot
+++ b/config/hooks/live/0000_generate_backup_dir.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/0001_initramfs_modules.chroot b/config/hooks/live/0001_initramfs_modules.chroot
index 6ec84ae..e2d561a 100644
--- a/config/hooks/live/0001_initramfs_modules.chroot
+++ b/config/hooks/live/0001_initramfs_modules.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/0002_verify_checksums.chroot b/config/hooks/live/0002_verify_checksums.chroot
index b3eefc1..85c57c6 100644
--- a/config/hooks/live/0002_verify_checksums.chroot
+++ b/config/hooks/live/0002_verify_checksums.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/0050_activate_root.chroot b/config/hooks/live/0050_activate_root.chroot
index 7e4a95e..0942fdc 100644
--- a/config/hooks/live/0050_activate_root.chroot
+++ b/config/hooks/live/0050_activate_root.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/0080_keyboard_layout.chroot b/config/hooks/live/0080_keyboard_layout.chroot
index fc2d7b7..05af1e5 100644
--- a/config/hooks/live/0080_keyboard_layout.chroot
+++ b/config/hooks/live/0080_keyboard_layout.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/0090_haveged.chroot b/config/hooks/live/0090_haveged.chroot
index 022815b..692ffaf 100644
--- a/config/hooks/live/0090_haveged.chroot
+++ b/config/hooks/live/0090_haveged.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/0120_set_hostname.chroot b/config/hooks/live/0120_set_hostname.chroot
index f25af27..8fe2bd2 100644
--- a/config/hooks/live/0120_set_hostname.chroot
+++ b/config/hooks/live/0120_set_hostname.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/0130_machineid.chroot b/config/hooks/live/0130_machineid.chroot
index 4de2ecc..f88ad36 100644
--- a/config/hooks/live/0130_machineid.chroot
+++ b/config/hooks/live/0130_machineid.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/0400_eza_install.chroot b/config/hooks/live/0400_eza_install.chroot
index 7e7ee0b..d60c503 100644
--- a/config/hooks/live/0400_eza_install.chroot
+++ b/config/hooks/live/0400_eza_install.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/0800_lynis_setup.chroot b/config/hooks/live/0800_lynis_setup.chroot
index c6f465f..43c78d9 100644
--- a/config/hooks/live/0800_lynis_setup.chroot
+++ b/config/hooks/live/0800_lynis_setup.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/0810_chrony_setup.chroot b/config/hooks/live/0810_chrony_setup.chroot
index 9275a2a..593655d 100644
--- a/config/hooks/live/0810_chrony_setup.chroot
+++ b/config/hooks/live/0810_chrony_setup.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/0820_kernel_hardening_checker.chroot b/config/hooks/live/0820_kernel_hardening_checker.chroot
index eeccd34..447a710 100644
--- a/config/hooks/live/0820_kernel_hardening_checker.chroot
+++ b/config/hooks/live/0820_kernel_hardening_checker.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/0822_ssh_restart_hook.chroot b/config/hooks/live/0822_ssh_restart_hook.chroot
index 096005b..0073f65 100644
--- a/config/hooks/live/0822_ssh_restart_hook.chroot
+++ b/config/hooks/live/0822_ssh_restart_hook.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/0825_my_sqltuner_perl.chroot b/config/hooks/live/0825_my_sqltuner_perl.chroot
index 8ad3849..7ddfd3f 100644
--- a/config/hooks/live/0825_my_sqltuner_perl.chroot
+++ b/config/hooks/live/0825_my_sqltuner_perl.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/0830_download_yq.chroot b/config/hooks/live/0830_download_yq.chroot
index a919417..aa00cce 100644
--- a/config/hooks/live/0830_download_yq.chroot
+++ b/config/hooks/live/0830_download_yq.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/0835_testssl.sh.chroot b/config/hooks/live/0835_testssl.sh.chroot
index 61181a5..c80bf98 100644
--- a/config/hooks/live/0835_testssl.sh.chroot
+++ b/config/hooks/live/0835_testssl.sh.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot b/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
index 703cc15..8320d4a 100644
--- a/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
+++ b/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/0845_harbian_audit.chroot b/config/hooks/live/0845_harbian_audit.chroot
index 4188f20..5c243c7 100644
--- a/config/hooks/live/0845_harbian_audit.chroot
+++ b/config/hooks/live/0845_harbian_audit.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/0850_ssh_audit.chroot b/config/hooks/live/0850_ssh_audit.chroot
index 689fad4..6b3c94d 100644
--- a/config/hooks/live/0850_ssh_audit.chroot
+++ b/config/hooks/live/0850_ssh_audit.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/0855_dnsviz.chroot b/config/hooks/live/0855_dnsviz.chroot
index 8642137..f7ccf0e 100644
--- a/config/hooks/live/0855_dnsviz.chroot
+++ b/config/hooks/live/0855_dnsviz.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/0900_ufw_setup.chroot b/config/hooks/live/0900_ufw_setup.chroot
index 26ecc92..ec0cea8 100644
--- a/config/hooks/live/0900_ufw_setup.chroot
+++ b/config/hooks/live/0900_ufw_setup.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/1024_git_clone_ciss_2025_debian_installer.chroot b/config/hooks/live/1024_git_clone_ciss_2025_debian_installer.chroot
index 3ec8974..9206eec 100644
--- a/config/hooks/live/1024_git_clone_ciss_2025_debian_installer.chroot
+++ b/config/hooks/live/1024_git_clone_ciss_2025_debian_installer.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/9900_process_accounting.chroot b/config/hooks/live/9900_process_accounting.chroot
index 0f3b861..c8a7ed1 100644
--- a/config/hooks/live/9900_process_accounting.chroot
+++ b/config/hooks/live/9900_process_accounting.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/9910_motd.chroot b/config/hooks/live/9910_motd.chroot
index 25762d7..e357573 100644
--- a/config/hooks/live/9910_motd.chroot
+++ b/config/hooks/live/9910_motd.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/9920_deleting_invalid_x509.chroot b/config/hooks/live/9920_deleting_invalid_x509.chroot
index b124220..3030dea 100644
--- a/config/hooks/live/9920_deleting_invalid_x509.chroot
+++ b/config/hooks/live/9920_deleting_invalid_x509.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/9930_hardening_ssh.chroot b/config/hooks/live/9930_hardening_ssh.chroot
index 260d656..b7f4a1a 100644
--- a/config/hooks/live/9930_hardening_ssh.chroot
+++ b/config/hooks/live/9930_hardening_ssh.chroot
@@ -9,17 +9,18 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
cd /etc/ssh || {
printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
}
rm -rf ssh_host_*key*
+# shellcheck disable=SC2312
ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)"
+# shellcheck disable=SC2312
ssh-keygen -o -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"
awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
@@ -44,7 +45,26 @@ ssh-keygen -r @ >| /root/sshfp
# The chmod +x command ensures that the file is executed in every shell session. #
###########################################################################################
cat << 'EOF' >| /etc/profile.d/idle-users.sh
-declare -girx TMOUT=14400
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+case $- in
+ *i*)
+ TMOUT=14400
+ export TMOUT
+ readonly TMOUT
+ ;;
+esac
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod +x /etc/profile.d/idle-users.sh
@@ -58,7 +78,6 @@ EOF
chmod 0644 /etc/systemd/system/ssh.service.d/override.conf
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/9935_hardening_ssh.chroot.tmpl b/config/hooks/live/9935_hardening_ssh.chroot.tmpl
new file mode 100644
index 0000000..56baa4c
--- /dev/null
+++ b/config/hooks/live/9935_hardening_ssh.chroot.tmpl
@@ -0,0 +1,94 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+cd /etc/ssh || {
+ printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
+}
+
+cat << 'EOF' >| ssh_host_ed25519_key
+{{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
+EOF
+
+cat << 'EOF' >| ssh_host_ed25519_key.pub
+{{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
+EOF
+
+cat << 'EOF' >| ssh_host_rsa_key
+{{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
+EOF
+
+cat << 'EOF' >| ssh_host_rsa_key.pub
+{{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
+EOF
+
+awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
+rm -rf /etc/ssh/moduli
+mv /etc/ssh/moduli.safe /etc/ssh/moduli
+
+chmod 0600 /etc/ssh/ssh_host_*_key
+chown root:root /etc/ssh/ssh_host_*_key
+chmod 0644 /etc/ssh/ssh_host_*_key.pub
+chown root:root /etc/ssh/ssh_host_*_key.pub
+
+chmod 600 /etc/ssh/sshd_config /etc/ssh/ssh_config
+
+touch /root/sshfp
+ssh-keygen -r @ >| /root/sshfp
+
+###########################################################################################
+# Remarks: The file /etc/profile.d/idle-users.sh is created to set two read-only #
+# environment variables: TMOUT and HISTFILE. #
+# TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
+# readonly HISTFILE ensures that the command history cannot be changed. #
+# The chmod +x command ensures that the file is executed in every shell session. #
+###########################################################################################
+cat << 'EOF' >| /etc/profile.d/idle-users.sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+case $- in
+ *i*)
+ TMOUT=14400
+ export TMOUT
+ readonly TMOUT
+ ;;
+esac
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+chmod +x /etc/profile.d/idle-users.sh
+
+mkdir -p /etc/systemd/system/ssh.service.d
+cat << 'EOF' >| /etc/systemd/system/ssh.service.d/override.conf
+[Unit]
+After=ufw.service
+Requires=ufw.service
+EOF
+chmod 0644 /etc/systemd/system/ssh.service.d/override.conf
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+# sleep 1
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/9940_hardening_memory.dump.chroot b/config/hooks/live/9940_hardening_memory.dump.chroot
index c7294b0..e151ee4 100644
--- a/config/hooks/live/9940_hardening_memory.dump.chroot
+++ b/config/hooks/live/9940_hardening_memory.dump.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/9950_fail2ban_hardening.chroot b/config/hooks/live/9950_fail2ban_hardening.chroot
index 82b7a13..42521fc 100644
--- a/config/hooks/live/9950_fail2ban_hardening.chroot
+++ b/config/hooks/live/9950_fail2ban_hardening.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/9960_disable_services.chroot b/config/hooks/live/9960_disable_services.chroot
index e6a7857..dbaacf3 100644
--- a/config/hooks/live/9960_disable_services.chroot
+++ b/config/hooks/live/9960_disable_services.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/9970_remove_exim.chroot b/config/hooks/live/9970_remove_exim.chroot
index e1692df..8212e5b 100644
--- a/config/hooks/live/9970_remove_exim.chroot
+++ b/config/hooks/live/9970_remove_exim.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/9980_usb_guard.chroot b/config/hooks/live/9980_usb_guard.chroot
index d6cce7b..a4ce582 100644
--- a/config/hooks/live/9980_usb_guard.chroot
+++ b/config/hooks/live/9980_usb_guard.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/9985_clamav.chroot b/config/hooks/live/9985_clamav.chroot
index 083a220..dd06215 100644
--- a/config/hooks/live/9985_clamav.chroot
+++ b/config/hooks/live/9985_clamav.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/9990_final_purge.chroot b/config/hooks/live/9990_final_purge.chroot
index 7ed8340..cb93e74 100644
--- a/config/hooks/live/9990_final_purge.chroot
+++ b/config/hooks/live/9990_final_purge.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/9991_file_permissions.chroot b/config/hooks/live/9991_file_permissions.chroot
index cfdf0b2..18925d4 100644
--- a/config/hooks/live/9991_file_permissions.chroot
+++ b/config/hooks/live/9991_file_permissions.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/9992_password_expiration.chroot b/config/hooks/live/9992_password_expiration.chroot
index c3e3b16..565cc73 100644
--- a/config/hooks/live/9992_password_expiration.chroot
+++ b/config/hooks/live/9992_password_expiration.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/9993_aide.chroot b/config/hooks/live/9993_aide.chroot
index 124b0e9..17c63aa 100644
--- a/config/hooks/live/9993_aide.chroot
+++ b/config/hooks/live/9993_aide.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/9994_password_policy.chroot b/config/hooks/live/9994_password_policy.chroot
index d8f73a4..4dd0b9c 100644
--- a/config/hooks/live/9994_password_policy.chroot
+++ b/config/hooks/live/9994_password_policy.chroot
@@ -13,7 +13,7 @@
### NIST recommends at least eight characters but advises longer passphrases (e.g., 12-64) for increased security.
### NIST SP 800-63B, https://pages.nist.gov/800-63-3/sp800-63b.html
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/9995_sysstat.chroot b/config/hooks/live/9995_sysstat.chroot
index 11823a8..727c1eb 100644
--- a/config/hooks/live/9995_sysstat.chroot
+++ b/config/hooks/live/9995_sysstat.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/9996_auditd.chroot b/config/hooks/live/9996_auditd.chroot
index 2b82d8b..252280b 100644
--- a/config/hooks/live/9996_auditd.chroot
+++ b/config/hooks/live/9996_auditd.chroot
@@ -12,7 +12,7 @@
### https://github.com/linux-audit/audit-userspace/tree/master/rules
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/9997_debsums.chroot b/config/hooks/live/9997_debsums.chroot
index 59b1175..e57918f 100644
--- a/config/hooks/live/9997_debsums.chroot
+++ b/config/hooks/live/9997_debsums.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
@@ -33,4 +33,4 @@ printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e
# sleep 1
exit 0
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
\ No newline at end of file
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/9998_sources_list_bookworm.chroot b/config/hooks/live/9998_sources_list_bookworm.chroot
index 906655a..498e81b 100644
--- a/config/hooks/live/9998_sources_list_bookworm.chroot
+++ b/config/hooks/live/9998_sources_list_bookworm.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/9998_sources_list_trixie.chroot b/config/hooks/live/9998_sources_list_trixie.chroot
index f9437e0..51fc98c 100644
--- a/config/hooks/live/9998_sources_list_trixie.chroot
+++ b/config/hooks/live/9998_sources_list_trixie.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/config/hooks/live/9999_interfaces_update.chroot b/config/hooks/live/9999_interfaces_update.chroot
index 154c2cf..aca191d 100644
--- a/config/hooks/live/9999_interfaces_update.chroot
+++ b/config/hooks/live/9999_interfaces_update.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
@@ -62,4 +62,4 @@ printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e
# sleep 1
exit 0
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
\ No newline at end of file
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config
index 54758ed..8d82c8b 100644
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.016.2025.09.28
+### Version Master V8.13.032.2025.10.03
### https://www.ssh-audit.com/
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
diff --git a/config/includes.chroot/etc/sysctl.d/99_local.hardened b/config/includes.chroot/etc/sysctl.d/99_local.hardened
index 7014712..db7d67f 100644
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.016.2025.09.28
+### Version Master V8.13.032.2025.10.03
### https://docs.kernel.org/
### https://github.com/a13xp0p0v/kernel-hardening-checker/
diff --git a/config/includes.chroot/preseed/.iso/iso.sh b/config/includes.chroot/preseed/.iso/iso.sh
index 3d6c8c6..ec01f06 100644
--- a/config/includes.chroot/preseed/.iso/iso.sh
+++ b/config/includes.chroot/preseed/.iso/iso.sh
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
# The example names get mapped to their roles here
declare timestamp
diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
index e68d762..fe21f0d 100644
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V8.13.016.2025.09.28"
+declare -gr VERSION="Master V8.13.032.2025.10.03"
### VERY EARLY CHECK FOR DEBUGGING
if [[ $* == *" --debug "* ]]; then
diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg
index 848a2ce..839c873 100644
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
# Please consider donating to my work at: https://coresecret.eu/spenden/
###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.016.2025.09.28 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.032.2025.10.03 at: 10:18:37.9542
diff --git a/config/package-lists/live.list.common.chroot b/config/package-lists/live.list.common.chroot
index a6cefef..51ea5ce 100644
--- a/config/package-lists/live.list.common.chroot
+++ b/config/package-lists/live.list.common.chroot
@@ -21,6 +21,7 @@ bash-completion
bat
bc
bind9-dnsutils
+bison
bsdmainutils
btrfs-progs
build-essential
@@ -28,6 +29,7 @@ bzip2
ca-certificates
clamav
clamav-daemon
+clang-18
console-setup
cpuid
cryptsetup
@@ -47,6 +49,7 @@ dirmngr
dmsetup
dnsviz
dosfstools
+dpkg-dev
e2fsprogs
efibootmgr
expect
@@ -54,6 +57,7 @@ fail2ban
fdisk
figlet
fio
+flex
fzf
gawk
gdisk
@@ -80,6 +84,7 @@ linux-source
live-boot
live-config
live-config-systemd
+lld-18
locate
logrotate
lsb-release
diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md
index 14149e8..4436ea9 100644
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2. DNSSEC Status
diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md
index 63afaed..4aa91bd 100644
--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2. Haveged Audit on Netcup RS 2000 G11
diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md
index e725a32..896fd0e 100644
--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2. Lynis Audit:
diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md
index cf498ff..f2580a4 100644
--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2. SSH Audit by ssh-audit.com
diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md
index cadf7b7..d6ee107 100644
--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2. TLS Audit:
````text
diff --git a/docs/BOOTPARAMS.md b/docs/BOOTPARAMS.md
index 9cb5102..515d7dd 100644
--- a/docs/BOOTPARAMS.md
+++ b/docs/BOOTPARAMS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2. Hardened Kernel Boot Parameters
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index f044f94..2412e20 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -8,10 +8,13 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2. Changelog
+## V8.13.032.2025.10.03
+* **Added**: Internal Gitea Action Runner switch for static SSHFP records.
+
## V8.13.016.2025.09.28
* **Updated**: Debian 13 LIVE ISO workflows to use Kernel: ``6.12.48+deb13-amd64``
diff --git a/docs/CNET.md b/docs/CNET.md
index e5610df..79b886e 100644
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2. Centurion Net - Developer Branch Overview
diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md
index 06214a3..2360693 100644
--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2. Coding Style
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
index 52f0251..88e6bf4 100644
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2. Contributing / participating
diff --git a/docs/CREDITS.md b/docs/CREDITS.md
index fafbbed..2eadfa3 100644
--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2. Credits
diff --git a/docs/DL_PUB_ISO.md b/docs/DL_PUB_ISO.md
index f79b4d3..e854f68 100644
--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2. Download the latest PUBLIC CISS.debian.live.ISO
diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md
index d82cb31..c48494d 100644
--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,12 +8,12 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2.1. Usage
````text
CISS.debian.live.builder
-Master V8.13.016.2025.09.28
+Master V8.13.032.2025.10.03
A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
(c) Marc S. Weidner, 2018 - 2025
@@ -136,7 +136,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
# 2.2. Contact
````text
CISS.debian.live.builder
-Master V8.13.016.2025.09.28
+Master V8.13.032.2025.10.03
A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
(c) Marc S. Weidner, 2018 - 2025
diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md
index d5b7ac9..86d2015 100644
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.016.2025.09.28
+**Build**: V8.13.032.2025.10.03
# 2. Resources
diff --git a/lib/lib_arg_parser.sh b/lib/lib_arg_parser.sh
index 9633012..5fe99b8 100644
--- a/lib/lib_arg_parser.sh
+++ b/lib/lib_arg_parser.sh
@@ -95,6 +95,7 @@ arg_parser() {
--architecture)
if [[ "${2}" == "amd64" || "${2}" == "arm64" ]]; then
+ # shellcheck disable=SC2034
declare -gx VAR_ARCHITECTURE="${2}"
shift 2
else
@@ -124,12 +125,14 @@ arg_parser() {
read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_ARG_MSMTCH}"
fi
- declare -g VAR_HANDLER_CDI=true
+ # shellcheck disable=SC2034
+ declare -g VAR_HANDLER_CDI="true"
shift 1
;;
--change-splash )
if [[ "${2}" == "club" || "${2}" == "hexagon" ]]; then
+ # shellcheck disable=SC2034
declare -g VAR_HANDLER_SPLASH="${2}"
shift 2
else
@@ -143,6 +146,7 @@ arg_parser() {
--control)
if [[ -n "${2-}" ]]; then
+ # shellcheck disable=SC2034
declare -g VAR_HANDLER_ISO_COUNTER="${2}"
shift 2
else
@@ -171,6 +175,7 @@ arg_parser() {
read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_ARG_MSMTCH}"
fi
+ # shellcheck disable=SC2034
declare -gi VAR_HANDLER_DHCP=1
shift 1
;;
@@ -180,6 +185,7 @@ arg_parser() {
declare -i count=0
shift
while [[ "${#}" -gt 0 && "${1}" != -* && count -lt 10 ]]; do
+ # shellcheck disable=SC2034
declare -g ARY_HANDLER_JUMPHOST+=("$1")
count=$((count + 1))
shift
@@ -202,6 +208,7 @@ arg_parser() {
read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
exit "${ERR_ARG_MSMTCH}"
fi
+ # shellcheck disable=SC2034
declare -gi VAR_HANDLER_STA=1
shift 1
;;
@@ -209,10 +216,12 @@ arg_parser() {
--provider-netcup-ipv6)
if [[ -n "${2-}" && "${2}" != -* ]]; then
declare -i count=0
- declare -g VAR_HANDLER_NETCUP_IPV6=true
+ # shellcheck disable=SC2034
+ declare -g VAR_HANDLER_NETCUP_IPV6="true"
shift
while [[ "${#}" -gt 0 && "${1}" != -* && count -lt 1 ]]; do
declare cleaned="${1//[\[\]]/}"
+ # shellcheck disable=SC2034
declare -g ARY_HANDLER_NETCUP_IPV6+=("${cleaned}")
count=$((count + 1))
shift
@@ -230,6 +239,7 @@ arg_parser() {
--renice-priority)
if [[ -n ${2-} && ${2} =~ ^-?[0-9]+$ && ${2} -ge -19 && ${2} -le 19 ]]; then
+ # shellcheck disable=SC2034
VAR_HANDLER_PRIORITY="$2"
shift 2
else
@@ -249,6 +259,7 @@ arg_parser() {
exit "${ERR_REIONICE_P}"
else
if [[ "${2}" =~ ^[1-3]$ ]]; then
+ # shellcheck disable=SC2034
VAR_REIONICE_CLASS="${2}"
if [[ -z "${3-}" ]]; then
:
@@ -359,6 +370,7 @@ arg_parser() {
hash_temp=$(mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608 "${plaintext_pw}")
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
+ # shellcheck disable=SC2034
declare -g VAR_HASHED_PWD="${hash_temp}"
unset hash_temp plaintext_pw
@@ -375,6 +387,7 @@ arg_parser() {
--ssh-port)
if [[ -n "${2-}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then
+ # shellcheck disable=SC2034
declare -gi VAR_SSHPORT="${2}"
shift 2
else
@@ -385,12 +398,20 @@ arg_parser() {
fi
;;
+ --sshfp)
+ # shellcheck disable=SC2034
+ declare -g VAR_SSHFP="true"
+ shift 1
+ ;;
+
--ssh-pubkey)
+ # shellcheck disable=SC2034
declare -g VAR_SSHPUBKEY="${2}"
shift 2
;;
--trixie)
+ # shellcheck disable=SC2034
declare -g VAR_SUITE="trixie"
shift 1
;;
diff --git a/lib/lib_hardening_ultra.sh b/lib/lib_hardening_ultra.sh
index b448d82..fdafe6f 100644
--- a/lib/lib_hardening_ultra.sh
+++ b/lib/lib_hardening_ultra.sh
@@ -166,7 +166,23 @@ hardening_ultra() {
' "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" > temp && mv temp "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/package-lists done.\e[0m\n"
+
+
+ ### Updating SSH Keys, Ports.
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating SSH Keys, Ports ... \e[0m\n"
+
+ ### Check for static SSHFP key material via Gitea Actions Runner Secrets injection.
+ if [[ "${VAR_SSHFP}" == "true" ]]; then
+
+ rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9930_hardening_ssh.chroot"
+
+ else
+
+ rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
+
+ fi
+
+
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
diff --git a/lib/lib_usage.sh b/lib/lib_usage.sh
index c509a61..75a9da6 100644
--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -35,13 +35,13 @@ usage() {
# shellcheck disable=SC2155
declare var_header=$(center "CLB(1) CISS.debian.live.builder CLB(1)" "${var_cols}")
# shellcheck disable=SC2155
- declare var_footer=$(center "V8.13.016.2025.09.28 2025-08-11 CLB(1)" "${var_cols}")
+ declare var_footer=$(center "V8.13.032.2025.10.03 2025-08-11 CLB(1)" "${var_cols}")
{
echo -e "\e[1;97m${var_header}\e[0m"
echo
echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
- echo -e "\e[92mMaster V8.13.016.2025.09.28\e[0m"
+ echo -e "\e[92mMaster V8.13.032.2025.10.03\e[0m"
echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
echo
echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
diff --git a/scripts/0010_dhcp_supersede.sh b/scripts/0010_dhcp_supersede.sh
index dd33979..c36f85e 100644
--- a/scripts/0010_dhcp_supersede.sh
+++ b/scripts/0010_dhcp_supersede.sh
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
diff --git a/scripts/0100_centurion_dns.sh b/scripts/0100_centurion_dns.sh
index 1c4d6bf..52787e5 100644
--- a/scripts/0100_centurion_dns.sh
+++ b/scripts/0100_centurion_dns.sh
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/scripts/9000-cdi-starter b/scripts/9000-cdi-starter
index 7c3b089..2c1f630 100644
--- a/scripts/9000-cdi-starter
+++ b/scripts/9000-cdi-starter
@@ -9,13 +9,13 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
[[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log
-printf "CISS.debian.installer Master V8.13.016.2025.09.28 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+printf "CISS.debian.installer Master V8.13.032.2025.10.03 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then
chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh
diff --git a/scripts/etc/network/9999_interfaces_update_netcup.chroot b/scripts/etc/network/9999_interfaces_update_netcup.chroot
index ad1b0ea..6c316e8 100644
--- a/scripts/etc/network/9999_interfaces_update_netcup.chroot
+++ b/scripts/etc/network/9999_interfaces_update_netcup.chroot
@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# sleep 1
diff --git a/var/early.var.sh b/var/early.var.sh
index acae11a..2580aca 100644
--- a/var/early.var.sh
+++ b/var/early.var.sh
@@ -14,7 +14,7 @@
# shellcheck disable=SC2155
declare -grx VAR_CONTACT="security@coresecret.eu"
-declare -grx VAR_VERSION="Master V8.13.016.2025.09.28"
+declare -grx VAR_VERSION="Master V8.13.032.2025.10.03"
declare -grx VAR_SYSTEM="$(uname -a)"
declare -gx VAR_EARLY_DEBUG="false"
declare -gx VAR_HANDLER_AUTOBUILD="false"
diff --git a/var/global.var.sh b/var/global.var.sh
index 2314a76..9f6c133 100644
--- a/var/global.var.sh
+++ b/var/global.var.sh
@@ -38,6 +38,7 @@ declare -g VAR_SCRIPT_SUCCESS="false"
declare -g VAR_SUITE="bookworm"
declare -g VAR_HANDLER_NETCUP_IPV6="false"
declare -g VAR_HASHED_PWD=""
+declare -g VAR_SSHFP="false"
declare -gi VAR_HANDLER_STA=0
declare -gi VAR_HANDLER_PRIORITY=0
declare -gi VAR_REIONICE_CLASS=2