V8.13.256.2025.10.21

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-21 20:52:39 +01:00
parent 343ae97968
commit 2a866d7520
40 changed files with 200 additions and 116 deletions
--- a/.archive/.0000_lib_usage.sh
+++ b/.archive/.0000_lib_usage.sh
@@ -21,7 +21,7 @@ usage() {
  clear
  cat << EOF
 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.13.224.2025.10.19\e[0m")
+$(echo -e "\e[92mMaster V8.13.256.2025.10.21\e[0m")
 $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
 $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.13.224.2025.10.19"
+      placeholder: "e.g., Master V8.13.256.2025.10.21"
    validations:
      required: true
--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.224.2025.10.19
+# Version Master V8.13.256.2025.10.21
 FROM debian:bookworm
--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.224.2025.10.19
+# Version Master V8.13.256.2025.10.21
 name: 🔁 Render README.md to README.html.
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.13.224.2025.10.19
+  version: V8.13.256.2025.10.21
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.224.2025.10.19
+# Version Master V8.13.256.2025.10.21
 name: 🔐 Generating a Private Live ISO TRIXIE.
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.224.2025.10.19
+# Version Master V8.13.256.2025.10.21
 name: 🔐 Generating a Private Live ISO TRIXIE.
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.224.2025.10.19
+# Version Master V8.13.256.2025.10.21
 name: 💙 Generating a PUBLIC Live ISO.
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.224.2025.10.19
+# Version Master V8.13.256.2025.10.21
 # Gitea Workflow: Shell-Script Linting
 #
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.224.2025.10.19
+# Version Master V8.13.256.2025.10.21
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.224.2025.10.19
+# Version Master V8.13.256.2025.10.21
 name: 🔁 Render Graphviz Diagrams.
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.224.2025.10.19"
+properties_version="V8.13.256.2025.10.21"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.224.2025.10.19
+PackageVersion: Master V8.13.256.2025.10.21
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.224.2025.10.19-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.256.2025.10.21-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -26,7 +26,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.224.2025.10.19<br>
+**Build**: V8.13.256.2025.10.21<br>
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -151,7 +151,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `V8.13.224.2025.10.19`
+Example: `V8.13.256.2025.10.21`
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
--- a/REPOSITORY.md
+++ b/REPOSITORY.md
@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.224.2025.10.19<br>
+**Build**: V8.13.256.2025.10.21<br>
 # 2.1. Repository Structure
 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **8.13**, Build **V8.13.224.2025.10.19** (as of 2025-10-11)
+**Repository State:** Master Version **8.13**, Build **V8.13.256.2025.10.21** (as of 2025-10-11)
 ## 2.2. Top-Level Layout
--- a/config/hooks/live/0007_update_logrotate.chroot
+++ b/config/hooks/live/0007_update_logrotate.chroot
@@ -20,27 +20,49 @@ rm -f         "/etc/logrotate.conf"
 cat << EOF >| "/etc/logrotate.conf"
 # See "man logrotate" for details. Global options do not affect preceding include directives.
-# rotate log files daily
+# Rotate log files daily
 daily
-# keep 384 daily worth of backlogs
+# Keep 384 daily worth of backlogs.
 rotate 384
-# hard cap: delete rotated logs older than 384 days
+# Hard cap: delete rotated logs older than 384 days.
 maxage 384
-# create new (empty) log files after rotating old ones
+# Do not rotate the log if it is empty (this overrides the ifempty option).
 notifempty
 # Create new (empty) log files after rotating old ones.
 create
-# use date as a suffix of the rotated file
+# Use date as a suffix of the rotated file.
 dateext
-# gzip older rotations
+# Use yesterday's instead of today's date to create the dateext extension, so that the rotated log file has a date in its name
 # that is the same as the timestamps within it.
 dateyesterday
 # Enable compression
 compress
-# keep the most recent rotation uncompressed for one cycle
+# Use zstd instead of gzip.
 compresscmd /usr/bin/zstd
 # File extension for compressed logs.
 compressext .zst
 # Set zstd level 3 (default).
 compressoptions -20
 # How to decompress for 'logrotate -d' or similar.
 uncompresscmd /usr/bin/unzstd
 # Keep the most recent rotation uncompressed for one cycle.
 delaycompress
 # Delete log files using shred -u instead of unlink().
 shred
 # packages drop log rotation information into this directory
 include /etc/logrotate.d
--- a/config/hooks/live/9950_fail2ban_hardening.chroot
+++ b/config/hooks/live/9950_fail2ban_hardening.chroot
@@ -24,7 +24,7 @@ sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
 mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/dlb/backup/defaults-debian.conf.bak
 chmod 0400 /root/.ciss/dlb/backup/defaults-debian.conf.bak
-cat << 'EOF' >| /etc/fail2ban/jail.d/ciss-default.conf
+cat << EOF >| /etc/fail2ban/jail.d/ciss-default.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
@@ -37,69 +37,106 @@ cat << 'EOF' >| /etc/fail2ban/jail.d/ciss-default.conf
 # SPDX-Security-Contact: security@coresecret.eu
 [DEFAULT]
-usedns    = yes
+dbpurgeage            = 384d
-# 127.0.0.1/8  – IPv4 loopback range (local host)
+#                       127.0.0.1/8 - IPv4 loopback range (local host)
-# ::1/128      – IPv6 loopback
+#                       ::1/128     - IPv6 loopback
-# fe80::/10    – IPv6 link-local (on-link only; NDP/RA/DAD)
+#                       fe80::/10   - IPv6 link-local (on-link only; NDP/RA/DAD)
-# fc00::/7     – IPv6 ULA (private LAN addresses)
+#                       ff00::/8    - IPv6 multicast (not an unicast host)
-# ff00::/8     – IPv6 multicast (not an unicast host)
+#                       ::/128      - IPv6 unspecified (all zeros; never a real peer)
-# ::/128       – IPv6 unspecified (all zeros; never a real peer)
+ignoreip              = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128 MUST_BE_SET
 ignoreip  = 127.0.0.1/8 ::1/128 fe80::/10 fc00::/7 ff00::/8 ::/128 MUST_BE_SET
 maxretry  = 8
 findtime  = 24h
 bantime   = 24h
 [recidive]
-enabled   = true
+enabled               = true
-filter    = recidive
+banaction             = ufw[blocktype=deny]
-logpath   = /var/log/fail2ban/fail2ban.log*
+bantime               = 8d
-banaction = iptables-allports
+bantime.increment     = true
-bantime   = 32d
+bantime.factor        = 1
-findtime  = 384d
+bantime.maxtime       = 128d
-maxretry  = 4
+bantime.multipliers   = 1 2 4 8 16
 bantime.overalljails  = true
 bantime.rndtime       = 877s
 filter                = recidive
 findtime              = 16d
 logpath               = /var/log/fail2ban/fail2ban.log*
 maxretry              = 3
 ### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
 ###               Jump host mistyped 1-3 times: no ban, only after four attempts          [sshd]
 [sshd]
-enabled   = true
+enabled               = true
-backend   = systemd
+backend               = systemd
-filter    = sshd
+bantime               = 1h
-mode      = normal
+bantime.increment     = true
-port      = MUST_BE_SET
+bantime.factor        = 1
-protocol  = tcp
+bantime.maxtime       = 16d
-logpath   = /var/log/auth.log
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
-maxretry  = 4
+bantime.overalljails  = true
-findtime  = 24h
+bantime.rndtime       = 877s
-bantime   = 24h
+filter                = sshd
 findtime              = 16m
 maxretry              = 4
 mode                  = aggressive
 port                  = MUST_BE_SET
 protocol              = tcp
 [sshd-refused]
-enabled   = true
+enabled               = true
-filter    = ciss-sshd-refused
+bantime               = 1h
-port      = MUST_BE_SET
+bantime.increment     = true
-protocol  = tcp
+bantime.factor        = 1
-logpath   = /var/log/auth.log
+bantime.maxtime       = 16d
-maxretry  = 1
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
-findtime  = 24h
+bantime.overalljails  = true
-bantime   = 24h
+bantime.rndtime       = 877s
 filter                = ciss-sshd-refused
 findtime              = 16m
 logpath               = /var/log/auth.log
 maxretry              = 1
 port                  = MUST_BE_SET
 protocol              = tcp
-# ufw aggressive approach:
+#
-# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...).
+# CISS aggressive approach:
-# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after one attempt.
+# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
 # Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 1 attempt.
 # There is no necessity to ping our servers excessively. Any client pinging us more than 1 times will be blocked.
 #
 [icmp]
 enabled               = true
 banaction             = ufw[blocktype=deny]
 bantime               = 1h
 bantime.increment     = true
 bantime.factor        = 1
 bantime.maxtime       = 16d
 bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
 bantime.overalljails  = true
 bantime.rndtime       = 877s
 filter                = ciss-icmp
 findtime              = 16m
 logpath               = /var/log/ufw.log
 maxretry              = 1
 [ufw]
-enabled   = true
+enabled               = true
-filter    = ciss-ufw
+banaction             = ufw[blocktype=deny]
-action    = iptables-allports
+bantime               = 1h
-logpath   = /var/log/ufw.log
+bantime.increment     = true
-maxretry  = 1
+bantime.factor        = 1
-bantime   = 24h
+bantime.maxtime       = 16d
-findtime  = 24h
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
 bantime.overalljails  = true
 bantime.rndtime       = 877s
 filter                = ciss-ufw
 findtime              = 16m
 logpath               = /var/log/ufw.log
 maxretry              = 1
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
-cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-ufw.conf
+cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-icmp.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
@@ -112,7 +149,29 @@ cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-ufw.conf
 # SPDX-Security-Contact: security@coresecret.eu
 [Definition]
-failregex = \[UFW BLOCK\].+SRC=<HOST> DST
+# Generic ICMP/ICMPv6 blocks
 failregex             = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?\bPROTO=ICMP\b.*$
                        ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?\bPROTO=ICMPv6\b.*$
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 cat << EOF >| /etc/fail2ban/filter.d/ciss-ufw.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 [Definition]
 # Match UFW BLOCK/REJECT with a source IP and *any* port field (SPT or DPT), protocol may be missing.
 failregex             = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?(?:\bDPT=\d+\b|\bSPT=\d+\b).*$
 ignoreregex           =
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
@@ -169,33 +228,36 @@ EOF
 cat << 'EOF' >> /etc/fail2ban/fail2ban.local
 [Definition]
-logtarget = /var/log/fail2ban/fail2ban.log
+logtarget             = /var/log/fail2ban/fail2ban.log
 [Database]
 # Keep entries for at least 384 days to cover recidive findtime.
-dbpurgeage = 384d
+dbpurgeage            = 384d
 EOF
 ###########################################################################################
 # Remarks: Logrotate must be updated either                                               #
 ###########################################################################################
 cp -a /etc/logrotate.d/fail2ban /root/.ciss/dlb/backup/fail2ban_logrotate.bak
 #sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' /etc/logrotate.d/fail2ban
 cat << EOF >| /etc/logrotate.d/fail2ban
 /var/log/fail2ban/fail2ban.log {
    daily
    rotate 384
-    compress
+    maxage 384
    # Do not rotate if empty
    notifempty
-
+    dateext
    dateyesterday
    compress
    compresscmd /usr/bin/zstd
    compressext .zst
    compressoptions -20
    uncompresscmd /usr/bin/unzstd
    delaycompress
    shred
    missingok
    postrotate
        fail2ban-client flushlogs 1>/dev/null
    endscript
    # If fail2ban runs as non-root it still needs to have write access
    # to logfiles.
    # create 640 fail2ban adm
--- a/config/includes.chroot/etc/ssh/ssh_known_hosts
+++ b/config/includes.chroot/etc/ssh/ssh_known_hosts
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.224.2025.10.19
+# Version Master V8.13.256.2025.10.21
 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.224.2025.10.19
+# Version Master V8.13.256.2025.10.21
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.224.2025.10.19
+# Version Master V8.13.256.2025.10.21
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V8.13.224.2025.10.19"
+declare -gr VERSION="Master V8.13.256.2025.10.21"
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.224.2025.10.19 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.256.2025.10.21 at: 10:18:37.9542
--- a/config/includes.chroot/root/.zshenv
+++ b/config/includes.chroot/root/.zshenv
@@ -13,15 +13,10 @@
 : "${XDG_CACHE_HOME:=${HOME}/.cache}"
 : "${XDG_DATA_HOME:=${HOME}/.local/share}"
 : "${XDG_STATE_HOME:=${HOME}/.local/state}"
 if [ -z "${XDG_RUNTIME_DIR:-}" ]; then
  if [ -d "/run/user/$(id -u)" ]; then
    XDG_RUNTIME_DIR="/run/user/$(id -u)"
  else
    XDG_RUNTIME_DIR="/tmp/xdg-runtime-$(id -u)"
  fi
 fi
-export XDG_CONFIG_HOME XDG_CACHE_HOME XDG_DATA_HOME XDG_STATE_HOME XDG_RUNTIME_DIR
+# Do NOT set XDG_RUNTIME_DIR here.
 export XDG_CONFIG_HOME XDG_CACHE_HOME XDG_DATA_HOME XDG_STATE_HOME
 ### Zsh history -> XDG_STATE_HOME (best-effort; zsh might not read /etc/profile)
 if [ "${ENABLE_XDG_ZSH_HISTORY:-1}" = "1" ] && [ -n "${ZSH_VERSION:-}" ]; then
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.224.2025.10.19<br>
+**Build**: V8.13.256.2025.10.21<br>
 # 2. DNSSEC Status
--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.224.2025.10.19<br>
+**Build**: V8.13.256.2025.10.21<br>
 # 2. Haveged Audit on Netcup RS 2000 G11
--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.224.2025.10.19<br>
+**Build**: V8.13.256.2025.10.21<br>
 # 2. Lynis Audit:
--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.224.2025.10.19<br>
+**Build**: V8.13.256.2025.10.21<br>
 # 2. SSH Audit by ssh-audit.com
--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.224.2025.10.19<br>
+**Build**: V8.13.256.2025.10.21<br>
 # 2. TLS Audit:
 ````text
--- a/docs/BOOTPARAMS.md
+++ b/docs/BOOTPARAMS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.224.2025.10.19<br>
+**Build**: V8.13.256.2025.10.21<br>
 # 2. Hardened Kernel Boot Parameters
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -8,10 +8,15 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.224.2025.10.19<br>
+**Build**: V8.13.256.2025.10.21<br>
 # 2. Changelog
 ## V8.13.256.2025.10.21
 * **Updated**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot)
 * **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_fail2ban_hardening.chroot)
 * **Updated**: [.zshenv](../config/includes.chroot/root/.zshenv)
 ## V8.13.224.2025.10.19
 * **Added**: [.zshenv](../config/includes.chroot/root/.zshenv)
 * **Updated**: [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot)
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.224.2025.10.19<br>
+**Build**: V8.13.256.2025.10.21<br>
 # 2. Centurion Net - Developer Branch Overview
--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.224.2025.10.19<br>
+**Build**: V8.13.256.2025.10.21<br>
 # 2. Coding Style
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.224.2025.10.19<br>
+**Build**: V8.13.256.2025.10.21<br>
 # 2. Contributing / participating
--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.224.2025.10.19<br>
+**Build**: V8.13.256.2025.10.21<br>
 # 2. Credits
--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.224.2025.10.19<br>
+**Build**: V8.13.256.2025.10.21<br>
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,12 +8,12 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.224.2025.10.19<br>
+**Build**: V8.13.256.2025.10.21<br>
 # 2.1. Usage
 ````text
 CISS.debian.live.builder
-Master V8.13.224.2025.10.19
+Master V8.13.256.2025.10.21
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 (c) Marc S. Weidner, 2018 - 2025
@@ -136,7 +136,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
 # 2.2. Contact
 ````text
 CISS.debian.live.builder
-Master V8.13.224.2025.10.19
+Master V8.13.256.2025.10.21
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 (c) Marc S. Weidner, 2018 - 2025
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.224.2025.10.19<br>
+**Build**: V8.13.256.2025.10.21<br>
 # 2. Resources
--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -35,13 +35,13 @@ usage() {
  # shellcheck disable=SC2155
  declare var_header=$(center "CLB(1)                        CISS.debian.live.builder                        CLB(1)" "${var_cols}")
  # shellcheck disable=SC2155
-  declare var_footer=$(center "V8.13.224.2025.10.19                        2025-10-07                        CLB(1)" "${var_cols}")
+  declare var_footer=$(center "V8.13.256.2025.10.21                        2025-10-07                        CLB(1)" "${var_cols}")
  {
    echo -e "\e[1;97m${var_header}\e[0m"
    echo
    echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V8.13.224.2025.10.19\e[0m"
+    echo -e "\e[92mMaster V8.13.256.2025.10.21\e[0m"
    echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
    echo
    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
--- a/scripts/9999-cdi-starter
+++ b/scripts/9999-cdi-starter
@@ -66,7 +66,7 @@ main() {
  # shellcheck disable=SC2312
  exec > >(tee -a "${log}") 2>&1
-  printf "CISS.debian.installer Master V8.13.224.2025.10.19 is up! \n" >| /root/.ciss/cdi/log/auto_start_begin_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+  printf "CISS.debian.installer Master V8.13.256.2025.10.21 is up! \n" >| /root/.ciss/cdi/log/auto_start_begin_"$(date +"%Y-%m-%d_%H-%M-%S")".log
  net_wait
@@ -87,7 +87,7 @@ main() {
 #  --reionice-priority 1 0 \
 #  --renice-priority "-19"
-  printf "CISS.debian.installer Master V8.13.224.2025.10.19 successfully executed! \n" >| /root/.ciss/cdi/log/auto_start_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+  printf "CISS.debian.installer Master V8.13.256.2025.10.21 successfully executed! \n" >| /root/.ciss/cdi/log/auto_start_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
  exit 0
 }
--- a/var/early.var.sh
+++ b/var/early.var.sh
@@ -14,7 +14,7 @@
 # shellcheck disable=SC2155
 declare -grx VAR_CONTACT="security@coresecret.eu"
-declare -grx VAR_VERSION="Master V8.13.224.2025.10.19"
+declare -grx VAR_VERSION="Master V8.13.256.2025.10.21"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
 declare -gx  VAR_EARLY_DEBUG="false"
 declare -gx  VAR_HANDLER_AUTOBUILD="false"