diff --git a/.archive/.0000_lib_usage.sh b/.archive/.0000_lib_usage.sh
index 3296776..fb9ebe8 100644
--- a/.archive/.0000_lib_usage.sh
+++ b/.archive/.0000_lib_usage.sh
@@ -21,7 +21,7 @@ usage() {
clear
cat << EOF
$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.13.224.2025.10.19\e[0m")
+$(echo -e "\e[92mMaster V8.13.256.2025.10.21\e[0m")
$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
index b769ebb..c3d5754 100644
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
attributes:
label: "Version"
description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
- placeholder: "e.g., Master V8.13.224.2025.10.19"
+ placeholder: "e.g., Master V8.13.256.2025.10.21"
validations:
required: true
diff --git a/.gitea/TODO/dockerfile b/.gitea/TODO/dockerfile
index 62ca94f..d3f35ee 100644
--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.224.2025.10.19
+# Version Master V8.13.256.2025.10.21
FROM debian:bookworm
diff --git a/.gitea/TODO/render-md-to-html.yaml b/.gitea/TODO/render-md-to-html.yaml
index bb27a04..3930765 100644
--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.224.2025.10.19
+# Version Master V8.13.256.2025.10.21
name: 🔁 Render README.md to README.html.
diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml
index 2c744e8..67bc211 100644
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V8.13.224.2025.10.19
+ version: V8.13.256.2025.10.21
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
index bb4808b..8eb81a2 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.224.2025.10.19
+# Version Master V8.13.256.2025.10.21
name: 🔐 Generating a Private Live ISO TRIXIE.
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
index 3c2b73f..72e611d 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.224.2025.10.19
+# Version Master V8.13.256.2025.10.21
name: 🔐 Generating a Private Live ISO TRIXIE.
diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml
index 0fec040..c533d61 100644
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.224.2025.10.19
+# Version Master V8.13.256.2025.10.21
name: 💙 Generating a PUBLIC Live ISO.
diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml
index 2240651..267cb05 100644
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.224.2025.10.19
+# Version Master V8.13.256.2025.10.21
# Gitea Workflow: Shell-Script Linting
#
diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml
index fe0de79..ed64c42 100644
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.224.2025.10.19
+# Version Master V8.13.256.2025.10.21
name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml
index d8490ee..13b2098 100644
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.224.2025.10.19
+# Version Master V8.13.256.2025.10.21
name: 🔁 Render Graphviz Diagrams.
diff --git a/.version.properties b/.version.properties
index 663c9b0..b728254 100644
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
properties_SPDX-PackageName="CISS.debian.live.builder"
properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.224.2025.10.19"
+properties_version="V8.13.256.2025.10.21"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx
index 82d1c84..07cca3a 100644
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
Created: 2025-05-07T12:00:00Z
Package: CISS.debian.live.builder
PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.224.2025.10.19
+PackageVersion: Master V8.13.256.2025.10.21
PackageSupplier: Organization: Centurion Intelligence Consulting Agency
PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
diff --git a/README.md b/README.md
index 2325b46..e090db7 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
gitea: none
include_toc: true
---
-[](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[](https://git.coresecret.dev/msw/CISS.debian.live.builder)
[](https://eupl.eu/1.2/en/)
[](https://opensource.org/license/eupl-1-2)
@@ -26,7 +26,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -151,7 +151,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `V8.13.224.2025.10.19`
+Example: `V8.13.256.2025.10.21`
`x.y.z` represents major (x), minor (y), and patch (z) version increments.
diff --git a/REPOSITORY.md b/REPOSITORY.md
index bc3b41c..f2cf957 100644
--- a/REPOSITORY.md
+++ b/REPOSITORY.md
@@ -8,13 +8,13 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2.1. Repository Structure
**Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder
**Branch:** `master`
-**Repository State:** Master Version **8.13**, Build **V8.13.224.2025.10.19** (as of 2025-10-11)
+**Repository State:** Master Version **8.13**, Build **V8.13.256.2025.10.21** (as of 2025-10-11)
## 2.2. Top-Level Layout
diff --git a/config/hooks/live/0007_update_logrotate.chroot b/config/hooks/live/0007_update_logrotate.chroot
index 298b963..4e86d79 100644
--- a/config/hooks/live/0007_update_logrotate.chroot
+++ b/config/hooks/live/0007_update_logrotate.chroot
@@ -20,27 +20,49 @@ rm -f "/etc/logrotate.conf"
cat << EOF >| "/etc/logrotate.conf"
# See "man logrotate" for details. Global options do not affect preceding include directives.
-# rotate log files daily
+# Rotate log files daily
daily
-# keep 384 daily worth of backlogs
+# Keep 384 daily worth of backlogs.
rotate 384
-# hard cap: delete rotated logs older than 384 days
+# Hard cap: delete rotated logs older than 384 days.
maxage 384
-# create new (empty) log files after rotating old ones
+# Do not rotate the log if it is empty (this overrides the ifempty option).
+notifempty
+
+# Create new (empty) log files after rotating old ones.
create
-# use date as a suffix of the rotated file
+# Use date as a suffix of the rotated file.
dateext
-# gzip older rotations
+# Use yesterday's instead of today's date to create the dateext extension, so that the rotated log file has a date in its name
+# that is the same as the timestamps within it.
+dateyesterday
+
+# Enable compression
compress
-# keep the most recent rotation uncompressed for one cycle
+# Use zstd instead of gzip.
+compresscmd /usr/bin/zstd
+
+# File extension for compressed logs.
+compressext .zst
+
+# Set zstd level 3 (default).
+compressoptions -20
+
+# How to decompress for 'logrotate -d' or similar.
+uncompresscmd /usr/bin/unzstd
+
+# Keep the most recent rotation uncompressed for one cycle.
delaycompress
+# Delete log files using shred -u instead of unlink().
+shred
+
# packages drop log rotation information into this directory
include /etc/logrotate.d
diff --git a/config/hooks/live/9950_fail2ban_hardening.chroot b/config/hooks/live/9950_fail2ban_hardening.chroot
index a6e531d..ef6ca59 100644
--- a/config/hooks/live/9950_fail2ban_hardening.chroot
+++ b/config/hooks/live/9950_fail2ban_hardening.chroot
@@ -24,7 +24,7 @@ sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/dlb/backup/defaults-debian.conf.bak
chmod 0400 /root/.ciss/dlb/backup/defaults-debian.conf.bak
-cat << 'EOF' >| /etc/fail2ban/jail.d/ciss-default.conf
+cat << EOF >| /etc/fail2ban/jail.d/ciss-default.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
@@ -37,69 +37,106 @@ cat << 'EOF' >| /etc/fail2ban/jail.d/ciss-default.conf
# SPDX-Security-Contact: security@coresecret.eu
[DEFAULT]
-usedns = yes
-# 127.0.0.1/8 – IPv4 loopback range (local host)
-# ::1/128 – IPv6 loopback
-# fe80::/10 – IPv6 link-local (on-link only; NDP/RA/DAD)
-# fc00::/7 – IPv6 ULA (private LAN addresses)
-# ff00::/8 – IPv6 multicast (not an unicast host)
-# ::/128 – IPv6 unspecified (all zeros; never a real peer)
-ignoreip = 127.0.0.1/8 ::1/128 fe80::/10 fc00::/7 ff00::/8 ::/128 MUST_BE_SET
-maxretry = 8
-findtime = 24h
-bantime = 24h
+dbpurgeage = 384d
+# 127.0.0.1/8 - IPv4 loopback range (local host)
+# ::1/128 - IPv6 loopback
+# fe80::/10 - IPv6 link-local (on-link only; NDP/RA/DAD)
+# ff00::/8 - IPv6 multicast (not an unicast host)
+# ::/128 - IPv6 unspecified (all zeros; never a real peer)
+ignoreip = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128 MUST_BE_SET
[recidive]
-enabled = true
-filter = recidive
-logpath = /var/log/fail2ban/fail2ban.log*
-banaction = iptables-allports
-bantime = 32d
-findtime = 384d
-maxretry = 4
+enabled = true
+banaction = ufw[blocktype=deny]
+bantime = 8d
+bantime.increment = true
+bantime.factor = 1
+bantime.maxtime = 128d
+bantime.multipliers = 1 2 4 8 16
+bantime.overalljails = true
+bantime.rndtime = 877s
+filter = recidive
+findtime = 16d
+logpath = /var/log/fail2ban/fail2ban.log*
+maxretry = 3
### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
### Jump host mistyped 1-3 times: no ban, only after four attempts [sshd]
[sshd]
-enabled = true
-backend = systemd
-filter = sshd
-mode = normal
-port = MUST_BE_SET
-protocol = tcp
-logpath = /var/log/auth.log
-maxretry = 4
-findtime = 24h
-bantime = 24h
+enabled = true
+backend = systemd
+bantime = 1h
+bantime.increment = true
+bantime.factor = 1
+bantime.maxtime = 16d
+bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
+bantime.overalljails = true
+bantime.rndtime = 877s
+filter = sshd
+findtime = 16m
+maxretry = 4
+mode = aggressive
+port = MUST_BE_SET
+protocol = tcp
[sshd-refused]
-enabled = true
-filter = ciss-sshd-refused
-port = MUST_BE_SET
-protocol = tcp
-logpath = /var/log/auth.log
-maxretry = 1
-findtime = 24h
-bantime = 24h
+enabled = true
+bantime = 1h
+bantime.increment = true
+bantime.factor = 1
+bantime.maxtime = 16d
+bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
+bantime.overalljails = true
+bantime.rndtime = 877s
+filter = ciss-sshd-refused
+findtime = 16m
+logpath = /var/log/auth.log
+maxretry = 1
+port = MUST_BE_SET
+protocol = tcp
-# ufw aggressive approach:
-# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...).
-# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after one attempt.
+#
+# CISS aggressive approach:
+# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
+# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 1 attempt.
+# There is no necessity to ping our servers excessively. Any client pinging us more than 1 times will be blocked.
+#
+
+[icmp]
+enabled = true
+banaction = ufw[blocktype=deny]
+bantime = 1h
+bantime.increment = true
+bantime.factor = 1
+bantime.maxtime = 16d
+bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
+bantime.overalljails = true
+bantime.rndtime = 877s
+filter = ciss-icmp
+findtime = 16m
+logpath = /var/log/ufw.log
+maxretry = 1
[ufw]
-enabled = true
-filter = ciss-ufw
-action = iptables-allports
-logpath = /var/log/ufw.log
-maxretry = 1
-bantime = 24h
-findtime = 24h
+enabled = true
+banaction = ufw[blocktype=deny]
+bantime = 1h
+bantime.increment = true
+bantime.factor = 1
+bantime.maxtime = 16d
+bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
+bantime.overalljails = true
+bantime.rndtime = 877s
+filter = ciss-ufw
+findtime = 16m
+logpath = /var/log/ufw.log
+maxretry = 1
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
-cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-ufw.conf
+cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-icmp.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
@@ -112,7 +149,29 @@ cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-ufw.conf
# SPDX-Security-Contact: security@coresecret.eu
[Definition]
-failregex = \[UFW BLOCK\].+SRC= DST
+# Generic ICMP/ICMPv6 blocks
+failregex = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=\b.*?\bPROTO=ICMP\b.*$
+ ^.*UFW (?:BLOCK|REJECT).*?\bSRC=\b.*?\bPROTO=ICMPv6\b.*$
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+cat << EOF >| /etc/fail2ban/filter.d/ciss-ufw.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+[Definition]
+# Match UFW BLOCK/REJECT with a source IP and *any* port field (SPT or DPT), protocol may be missing.
+failregex = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=\b.*?(?:\bDPT=\d+\b|\bSPT=\d+\b).*$
+ignoreregex =
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
@@ -169,33 +228,36 @@ EOF
cat << 'EOF' >> /etc/fail2ban/fail2ban.local
[Definition]
-logtarget = /var/log/fail2ban/fail2ban.log
+logtarget = /var/log/fail2ban/fail2ban.log
[Database]
# Keep entries for at least 384 days to cover recidive findtime.
-dbpurgeage = 384d
+dbpurgeage = 384d
EOF
###########################################################################################
# Remarks: Logrotate must be updated either #
###########################################################################################
cp -a /etc/logrotate.d/fail2ban /root/.ciss/dlb/backup/fail2ban_logrotate.bak
-#sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' /etc/logrotate.d/fail2ban
cat << EOF >| /etc/logrotate.d/fail2ban
/var/log/fail2ban/fail2ban.log {
-
daily
rotate 384
- compress
- # Do not rotate if empty
+ maxage 384
notifempty
-
+ dateext
+ dateyesterday
+ compress
+ compresscmd /usr/bin/zstd
+ compressext .zst
+ compressoptions -20
+ uncompresscmd /usr/bin/unzstd
delaycompress
+ shred
missingok
postrotate
fail2ban-client flushlogs 1>/dev/null
endscript
-
# If fail2ban runs as non-root it still needs to have write access
# to logfiles.
# create 640 fail2ban adm
diff --git a/config/includes.chroot/etc/ssh/ssh_known_hosts b/config/includes.chroot/etc/ssh/ssh_known_hosts
index 710ab18..b88454c 100644
--- a/config/includes.chroot/etc/ssh/ssh_known_hosts
+++ b/config/includes.chroot/etc/ssh/ssh_known_hosts
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.224.2025.10.19
+# Version Master V8.13.256.2025.10.21
[git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
[git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config
index 76c0310..3aab4e0 100644
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.224.2025.10.19
+# Version Master V8.13.256.2025.10.21
### https://www.ssh-audit.com/
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
diff --git a/config/includes.chroot/etc/sysctl.d/99_local.hardened b/config/includes.chroot/etc/sysctl.d/99_local.hardened
index c3980ab..8aa4f1d 100644
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.224.2025.10.19
+# Version Master V8.13.256.2025.10.21
### https://docs.kernel.org/
### https://github.com/a13xp0p0v/kernel-hardening-checker/
diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
index c3cdb21..2afb85b 100644
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V8.13.224.2025.10.19"
+declare -gr VERSION="Master V8.13.256.2025.10.21"
### VERY EARLY CHECK FOR DEBUGGING
if [[ $* == *" --debug "* ]]; then
diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg
index 0b3a539..600f4c9 100644
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
# Please consider donating to my work at: https://coresecret.eu/spenden/
###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.224.2025.10.19 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.256.2025.10.21 at: 10:18:37.9542
diff --git a/config/includes.chroot/root/.zshenv b/config/includes.chroot/root/.zshenv
index afd1d52..56553d5 100644
--- a/config/includes.chroot/root/.zshenv
+++ b/config/includes.chroot/root/.zshenv
@@ -13,15 +13,10 @@
: "${XDG_CACHE_HOME:=${HOME}/.cache}"
: "${XDG_DATA_HOME:=${HOME}/.local/share}"
: "${XDG_STATE_HOME:=${HOME}/.local/state}"
-if [ -z "${XDG_RUNTIME_DIR:-}" ]; then
- if [ -d "/run/user/$(id -u)" ]; then
- XDG_RUNTIME_DIR="/run/user/$(id -u)"
- else
- XDG_RUNTIME_DIR="/tmp/xdg-runtime-$(id -u)"
- fi
-fi
-export XDG_CONFIG_HOME XDG_CACHE_HOME XDG_DATA_HOME XDG_STATE_HOME XDG_RUNTIME_DIR
+# Do NOT set XDG_RUNTIME_DIR here.
+
+export XDG_CONFIG_HOME XDG_CACHE_HOME XDG_DATA_HOME XDG_STATE_HOME
### Zsh history -> XDG_STATE_HOME (best-effort; zsh might not read /etc/profile)
if [ "${ENABLE_XDG_ZSH_HISTORY:-1}" = "1" ] && [ -n "${ZSH_VERSION:-}" ]; then
diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md
index b7419a1..501a6b0 100644
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2. DNSSEC Status
diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md
index 7fea557..4436db2 100644
--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2. Haveged Audit on Netcup RS 2000 G11
diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md
index 2199571..1c357df 100644
--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2. Lynis Audit:
diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md
index 3d7eb2f..e302cfb 100644
--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2. SSH Audit by ssh-audit.com
diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md
index adebaf7..244f308 100644
--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2. TLS Audit:
````text
diff --git a/docs/BOOTPARAMS.md b/docs/BOOTPARAMS.md
index 8b92c35..3c0477f 100644
--- a/docs/BOOTPARAMS.md
+++ b/docs/BOOTPARAMS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2. Hardened Kernel Boot Parameters
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 9589e57..45713c7 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -8,10 +8,15 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2. Changelog
+## V8.13.256.2025.10.21
+* **Updated**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot)
+* **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_fail2ban_hardening.chroot)
+* **Updated**: [.zshenv](../config/includes.chroot/root/.zshenv)
+
## V8.13.224.2025.10.19
* **Added**: [.zshenv](../config/includes.chroot/root/.zshenv)
* **Updated**: [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot)
diff --git a/docs/CNET.md b/docs/CNET.md
index 249ecd6..90e8154 100644
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2. Centurion Net - Developer Branch Overview
diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md
index 6cb39d7..896aa4d 100644
--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2. Coding Style
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
index e2d2c3b..1d6f50a 100644
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2. Contributing / participating
diff --git a/docs/CREDITS.md b/docs/CREDITS.md
index f736784..3827036 100644
--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2. Credits
diff --git a/docs/DL_PUB_ISO.md b/docs/DL_PUB_ISO.md
index d863db1..3a6b0ed 100644
--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2. Download the latest PUBLIC CISS.debian.live.ISO
diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md
index 4478969..e980381 100644
--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,12 +8,12 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2.1. Usage
````text
CISS.debian.live.builder
-Master V8.13.224.2025.10.19
+Master V8.13.256.2025.10.21
A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
(c) Marc S. Weidner, 2018 - 2025
@@ -136,7 +136,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
# 2.2. Contact
````text
CISS.debian.live.builder
-Master V8.13.224.2025.10.19
+Master V8.13.256.2025.10.21
A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
(c) Marc S. Weidner, 2018 - 2025
diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md
index 8239391..a26d8fe 100644
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.224.2025.10.19
+**Build**: V8.13.256.2025.10.21
# 2. Resources
diff --git a/lib/lib_usage.sh b/lib/lib_usage.sh
index 9455cf0..02da999 100644
--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -35,13 +35,13 @@ usage() {
# shellcheck disable=SC2155
declare var_header=$(center "CLB(1) CISS.debian.live.builder CLB(1)" "${var_cols}")
# shellcheck disable=SC2155
- declare var_footer=$(center "V8.13.224.2025.10.19 2025-10-07 CLB(1)" "${var_cols}")
+ declare var_footer=$(center "V8.13.256.2025.10.21 2025-10-07 CLB(1)" "${var_cols}")
{
echo -e "\e[1;97m${var_header}\e[0m"
echo
echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
- echo -e "\e[92mMaster V8.13.224.2025.10.19\e[0m"
+ echo -e "\e[92mMaster V8.13.256.2025.10.21\e[0m"
echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
echo
echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
diff --git a/scripts/9999-cdi-starter b/scripts/9999-cdi-starter
index f9f7547..3395d12 100644
--- a/scripts/9999-cdi-starter
+++ b/scripts/9999-cdi-starter
@@ -66,7 +66,7 @@ main() {
# shellcheck disable=SC2312
exec > >(tee -a "${log}") 2>&1
- printf "CISS.debian.installer Master V8.13.224.2025.10.19 is up! \n" >| /root/.ciss/cdi/log/auto_start_begin_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+ printf "CISS.debian.installer Master V8.13.256.2025.10.21 is up! \n" >| /root/.ciss/cdi/log/auto_start_begin_"$(date +"%Y-%m-%d_%H-%M-%S")".log
net_wait
@@ -87,7 +87,7 @@ main() {
# --reionice-priority 1 0 \
# --renice-priority "-19"
- printf "CISS.debian.installer Master V8.13.224.2025.10.19 successfully executed! \n" >| /root/.ciss/cdi/log/auto_start_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+ printf "CISS.debian.installer Master V8.13.256.2025.10.21 successfully executed! \n" >| /root/.ciss/cdi/log/auto_start_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
exit 0
}
diff --git a/var/early.var.sh b/var/early.var.sh
index 4922538..e834143 100644
--- a/var/early.var.sh
+++ b/var/early.var.sh
@@ -14,7 +14,7 @@
# shellcheck disable=SC2155
declare -grx VAR_CONTACT="security@coresecret.eu"
-declare -grx VAR_VERSION="Master V8.13.224.2025.10.19"
+declare -grx VAR_VERSION="Master V8.13.256.2025.10.21"
declare -grx VAR_SYSTEM="$(uname -mnosv)"
declare -gx VAR_EARLY_DEBUG="false"
declare -gx VAR_HANDLER_AUTOBUILD="false"