V8.13.544.2025.12.05

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.archive/generate_PRIVATE_trixie_0.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 

.archive/generate_PRIVATE_trixie_1.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 

.archive/generate_PUBLIC_iso.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
 
 name: 💙 Generating a PUBLIC Live ISO.
 

.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml

@@ -25,7 +25,7 @@ body:
     attributes:
       label: "Version"
       description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.13.536.2025.12.04"
+      placeholder: "e.g., Master V8.13.544.2025.12.05"
     validations:
       required: true
 

.gitea/TODO/dockerfile

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
 
 FROM debian:bookworm
 

.gitea/TODO/render-md-to-html.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
 
 name: 🔁 Render README.md to README.html.
 

.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.536.2025.12.04
+  version: V8.13.544.2025.12.05
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml

@@ -10,6 +10,6 @@
 # SPDX-Security-Contact: security@coresecret.eu
 
 build:
-  counter: 1024
-  version: V8.13.536.2025.12.04
+  counter: 1023
+  version: V8.13.544.2025.12.05
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PUBLIC.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.536.2025.12.04
+  version: V8.13.544.2025.12.05
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_dns.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.536.2025.12.04
+  version: V8.13.544.2025.12.05
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PRIVATE_trixie_0.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 
@@ -65,6 +65,7 @@ jobs:
             bash \
             bat \
             ca-certificates \
+            cryptsetup \
             curl \
             debootstrap \
             git \

.gitea/workflows/generate_PRIVATE_trixie_1.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 
@@ -65,6 +65,7 @@ jobs:
             bash \
             bat \
             ca-certificates \
+            cryptsetup \
             curl \
             debootstrap \
             git \

.gitea/workflows/generate_PUBLIC_iso.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
 
 name: 💙 Generating a PUBLIC Live ISO.
 
@@ -65,6 +65,7 @@ jobs:
             bash \
             bat \
             ca-certificates \
+            cryptsetup \
             curl \
             debootstrap \
             git \

.gitea/workflows/linter_char_scripts.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
 
 # Gitea Workflow: Shell-Script Linting
 #

.gitea/workflows/render-dnssec-status.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
 
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
 

.gitea/workflows/render-dot-to-png.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
 
 name: 🔁 Render Graphviz Diagrams.
 

.version.properties

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.536.2025.12.04"
+properties_version="V8.13.544.2025.12.05"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

CISS.debian.live.builder.spdx

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.536.2025.12.04
+PackageVersion: Master V8.13.544.2025.12.05
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder

README.md

@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.536.2025.12.04-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.544.2025.12.05-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
  
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)  
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)  
@@ -27,7 +27,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.536.2025.12.04<br>
+**Build**: V8.13.544.2025.12.05<br>
 
 **CISS.debian.live.builder — First of its own.**<br>
 **World-class CIA: Designed, handcrafted and powered by Centurion Intelligence Consulting Agency.**
@@ -175,7 +175,7 @@ installer toolchain.
 
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
 
-Example: `V8.13.536.2025.12.04`
+Example: `V8.13.544.2025.12.05`
 
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
 
@@ -250,18 +250,17 @@ kernels it runs with are compiled according to this hardening profile. I treat d
 
 ### 2.1.4. Local Kernel Hardening
 
-* **Description**: The wrapper `sysp()`provides a function to apply and audit local kernel hardening rules from `/etc/sysctl.d/99_local.hardened`:
+The wrapper `sysp()`provides a function to apply and audit local kernel hardening rules from `/etc/sysctl.d/90-ciss-local.hardened`:
 ````bash
-###########################################################################################
-# Globals: Wrapper for loading CISS.2025 hardened Kernel Parameters
+#######################################
+# Wrapper for loading CISS hardened Kernel Parameters.
 # Arguments:
-#  none
-###########################################################################################
-# shellcheck disable=SC2317
+#   None
+#######################################
 sysp() {
-  sysctl -p /etc/sysctl.d/99_local.hardened
-  # sleep 1
-  sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
+  sysctl -p /etc/sysctl.d/90-ciss-local.hardened
+  # shellcheck disable=SC2312
+  sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
 }
 ````
 * **Key measures loaded by this file include:**
@@ -277,6 +276,11 @@ Once applied, some hardening settings cannot be undone via `sysctl` without a re
 until the next boot. Automatic enforcement at startup is therefore omitted by design—run `sysp()` manually and plan a reboot to 
 apply or revert these controls.
 
+In case you provide the ``--cdi`` option to the installer, the ``sysp()`` function is automatically applied at the boot process via:
+[9999_cdi_starter.sh](scripts/usr/local/sbin/9999_cdi_starter.sh).
+
+For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-ciss-local.hardened.md)**
+
 ## 2.2. Module Blacklisting
 
 * **Description**: Disables and blacklists non-essential or insecure kernel modules.
@@ -284,9 +288,22 @@ apply or revert these controls.
 
 ## 2.3. Network Hardening
 
-* **Description**: Applies `sysctl` settings (e.g., `net.ipv4.conf.all.rp_filter=1`, `arp_ignore`, `arp_announce`) to restrict
-  inbound/outbound traffic behaviors.
-* **Rationale**: Mitigates ARP spoofing, IP spoofing, and reduces the risk of man-in-the-middle on internal networks.
+At the kernel level classical ``sysctl`` settings are applied that defend against spoofing and sloppy network behavior. Reverse path 
+filtering is enabled, ARP handling is pinned down, and loose binding of addresses is discouraged. Where appropriate, IPv6 
+receives the same level of attention as IPv4. The network stack is switched firmly to ``systemd-networkd`` and ``systemd-resolved``. 
+The hook [0000_basic_chroot_setup.chroot](config/hooks/live/0000_basic_chroot_setup.chroot) removes ``ifupdown``, wires up 
+``systemd-networkd`` and ``systemd-resolved`` via explicit WantedBy symlinks, and ensures that the stub resolver at ``127.0.0.53``
+is the canonical ``resolv.conf`` target. The same hook writes dedicated configuration snippets:
+
+``/etc/systemd/resolved.conf.d/10-ciss-dnssec.conf`` enforces opportunistic ``DNS-over-TLS`` and full ``DNSSEC`` validation 
+while disabling ``LLMNR`` and ``MulticastDNS``.
+
+This converges the system on a single, hardened DNS resolution path and avoids the common situation where multiple name 
+resolution mechanisms step on each other. Where desired, this resolution chain can be plugged into **CenturionDNS**, a resolver
+infrastructure that I control and that enforces DNSSEC validation, QNAME minimisation, and a curated blocklist. For sensitive 
+deployments, this stack is used as the default.
+
+For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-ciss-local.hardened.md)**
 
 ## 2.4. Core Dump & Kernel Hardening
 

REPOSITORY.md

@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.536.2025.12.04<br>
+**Build**: V8.13.544.2025.12.05<br>
 
 # 2.1. Repository Structure
 
 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **8.13**, Build **V8.13.536.2025.12.04** (as of 2025-10-11)
+**Repository State:** Master Version **8.13**, Build **V8.13.544.2025.12.05** (as of 2025-10-11)
 
 ## 2.2. Top-Level Layout
 

config/includes.chroot/etc/ssh/ssh_known_hosts

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
 
 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==

config/includes.chroot/etc/ssh/sshd_config

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
 
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig

config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened

@@ -11,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.536.2025.12.04
+# Version Master V8.13.544.2025.12.05
 
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/

config/includes.chroot/preseed/.iso/preseed_hash_generator.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-declare -gr VERSION="Master V8.13.536.2025.12.04"
+declare -gr VERSION="Master V8.13.544.2025.12.05"
 
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then

config/includes.chroot/preseed/preseed.cfg

@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.536.2025.12.04 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.544.2025.12.05 at: 10:18:37.9542

config/includes.chroot/root/.ciss/alias

@@ -228,7 +228,7 @@ swget() {
 #   None
 #######################################
 sysp() {
-  sysctl -p /etc/sysctl.d/99_local.hardened
+  sysctl -p /etc/sysctl.d/90-ciss-local.hardened
   # shellcheck disable=SC2312
   sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
 }

docs/AUDIT_DNSSEC.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.536.2025.12.04<br>
+**Build**: V8.13.544.2025.12.05<br>
 
 # 2. DNSSEC Status
 

docs/AUDIT_HAVEGED.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.536.2025.12.04<br>
+**Build**: V8.13.544.2025.12.05<br>
 
 # 2. Haveged Audit on Netcup RS 2000 G11
 

docs/AUDIT_LYNIS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.536.2025.12.04<br>
+**Build**: V8.13.544.2025.12.05<br>
 
 # 2. Lynis Audit:
 

docs/AUDIT_SSH.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.536.2025.12.04<br>
+**Build**: V8.13.544.2025.12.05<br>
 
 # 2. SSH Audit by ssh-audit.com
 

docs/AUDIT_TLS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.536.2025.12.04<br>
+**Build**: V8.13.544.2025.12.05<br>
 
 # 2. TLS Audit:
 ````text

docs/BOOTPARAMS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.536.2025.12.04<br>
+**Build**: V8.13.544.2025.12.05<br>
 
 # 2. Hardened Kernel Boot Parameters
 

docs/CHANGELOG.md

@@ -8,10 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.536.2025.12.04<br>
+**Build**: V8.13.544.2025.12.05<br>
 
 # 2. Changelog
 
+## V8.13.544.2025.12.05
+* **Added**: [90-ciss-local.hardened.md](documentation/90-ciss-local.hardened.md)
+
 ## V8.13.536.2025.12.04
 * **Added**: [ciss_live_builder.sh.md](documentation/ciss_live_builder.sh.md)
 * **Bugfixes**: Unified network management via ``systemd-networkd``
@@ -251,7 +254,7 @@ include_toc: true
 * **Updated**: [.bashrc](../config/includes.chroot/root/.bashrc) added HISTIGNORE and EDITOR
 
 ## V8.13.144.2025.10.16
-* **Bugfixes**: [99_local.hardened](../config/includes.chroot/etc/sysctl.d/99_local.hardened)
+* **Bugfixes**: [99_local.hardened](../config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened)
 * **Updated**:  [check_chrony.sh](../config/includes.chroot/root/.ciss/check_chrony.sh)
 * **Changed**:  [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot)
 

docs/CNET.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.536.2025.12.04<br>
+**Build**: V8.13.544.2025.12.05<br>
 
 # 2. Centurion Net - Developer Branch Overview
 

docs/CODING_CONVENTION.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.536.2025.12.04<br>
+**Build**: V8.13.544.2025.12.05<br>
 
 # 2. Coding Style
 

docs/CONTRIBUTING.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.536.2025.12.04<br>
+**Build**: V8.13.544.2025.12.05<br>
 
 # 2. Contributing / participating
 

docs/CREDITS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.536.2025.12.04<br>
+**Build**: V8.13.544.2025.12.05<br>
 
 # 2. Credits
 

docs/DL_PUB_ISO.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.536.2025.12.04<br>
+**Build**: V8.13.544.2025.12.05<br>
 
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
 

docs/DOCUMENTATION.md

@@ -8,14 +8,14 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.536.2025.12.04<br>
+**Build**: V8.13.544.2025.12.05<br>
 
 # 2.1. Usage
 ````text
                         CDLB(1)                        CISS.debian.live.builder                        CDLB(1)
 
 CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V8.13.536.2025.12.04
+Master V8.13.544.2025.12.05
 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 
 (c) Marc S. Weidner, 2018 - 2025
@@ -146,7 +146,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 💷 Please consider donating to my work at:
 🌐 https://coresecret.eu/spenden/
 
-                        V8.13.536.2025.12.04                        2025-11-06                         CDLB(1)
+                        V8.13.544.2025.12.05                        2025-11-06                         CDLB(1)
 ````
 
 # 3. Booting

docs/MAN_CISS_ISO_BOOT_CHAIN.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.536.2025.12.04<br>
+**Build**: V8.13.544.2025.12.05<br>
 
 # 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation)
 

docs/MAN_SSH_Host_Key_Policy.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.536.2025.12.04<br>
+**Build**: V8.13.544.2025.12.05<br>
 
 # 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer
 

docs/REFERENCES.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.536.2025.12.04<br>
+**Build**: V8.13.544.2025.12.05<br>
 
 # 2. Resources
 

docs/documentation/90-ciss-local.hardened.md

@@ -0,0 +1,109 @@
+---
+gitea: none
+include_toc: true
+-----------------
+
+# 1. CISS.debian.live.builder
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
+**Master Version**: 8.13<br>
+**Build**: V8.13.544.2025.12.05<br>
+
+# 2. 90-ciss-local.hardened
+
+The configuration fragment ``90-ciss-local.hardened`` defines the local kernel and network hardening baseline that CISS systems 
+apply via the Linux ``sysctl`` mechanism. It is written as a conventional ``sysctl.d`` drop-in and is meant to be consumed by early 
+userspace tooling such as ``systemd-sysctl``, which imports the settings into ``/proc/sys`` during boot.
+
+At a high level, the file does not contain executable shell logic. It consists exclusively of documented key–value assignments 
+in the sysctl namespace plus a number of commented candidates that serve as a catalogue of optional hardening toggles. 
+The numeric prefix ``90-`` places it late in the ``sysctl.d`` processing order, so its values override both distribution defaults 
+and any earlier CISS baseline fragments. Error handling and reporting are delegated to the standard sysctl loader: unknown or
+unsupported keys will be rejected and logged, but the configuration itself does not implement any conditional fallback paths.
+
+The first block targets kernel level attack surface and introspection capabilities. By setting ``kernel.modules_disabled=1`` 
+the configuration irrevocably closes the in-kernel module loader once the sysctl is applied, which prevents any further ``insmod``
+or ``modprobe`` operations and thereby cuts off an entire class of kernel code injection vectors. The embedded warning comments 
+ point out that this implies a very rigid boot pipeline: any device drivers, filesystems, or network stack components that are 
+not built in or preloaded before this switch is flipped will simply never appear, which would otherwise lead to a dead network 
+stack and loss of remote access. Additional restrictions such as ``kernel.unprivileged_bpf_disabled=1``, ``net.core.bpf_jit_harden=2``, 
+``dev.tty.ldisc_autoload=0``, ``vm.unprivileged_userfaultfd=0``, ``kernel.kexec_load_disabled=1`` and ``kernel.unprivileged_userns_clone=0`` 
+collectively neutralize typical exploitation primitives. They disable unprivileged BPF program loading, force the BPF JIT into 
+its hardened mode, prevent automatic loading of TTY line discipline modules, restrict ``userfaultfd`` to privileged callers, 
+shut off in-kernel kexec, and forbid unprivileged user namespace creation. Taken together, these choices assume a server or 
+appliance workload that does not need container-style unprivileged namespaces, local kexec reseating, or dynamic TTY plumbing 
+and is willing to trade flexibility for a markedly smaller attack surface.
+
+A second cluster tightens diagnostic visibility and process inspection. The settings ``kernel.kptr_restrict=2`` and 
+``kernel.dmesg_restrict=1`` remove kernel pointer values and log contents from unprivileged users, while ``kernel.printk=3 3 3 3`` 
+drastically reduces what is emitted on the console during and after boot. TTY injection via the historical TIOCSTI ioctl is 
+disabled with ``dev.tty.legacy_tiocsti=0``, which the comments correctly note may break some screen readers but eliminates a 
+convenient path to smuggle keystrokes into another session. Process debugging is gated using the Yama LSM control 
+``kernel.yama.ptrace_scope=2``, which only permits ``ptrace`` attach operations from processes that hold ``CAP_SYS_PTRACE``; 
+unprivileged users can no longer freely attach debuggers to sibling processes. This aligns the system strongly towards a 
+production profile in which on-host debugging is effectively a privileged maintenance activity rather than a normal user 
+capability.
+
+Crash handling and memory layout are hardened in a deliberate, multistep fashion. Classic process core dumps are effectively 
+disabled by ``fs.suid_dumpable=0`` and ``kernel.core_pattern=|/bin/false``, so even privileged processes do not leave crash images 
+lying around on persistent storage. ``kernel.core_uses_pid=1`` is kept consistent with this policy but has no practical effect 
+once the core pattern is redirected into ``false``. The mapping base randomization knobs ``kernel.randomize_va_space=2``, 
+``vm.mmap_rnd_bits=32`` and ``vm.mmap_rnd_compat_bits=16`` increase address space layout randomization for both native and compat 
+processes, raising the entropy available for exploit mitigation. The comments explicitly point out that the chosen bit widths 
+are tuned for x86 type architectures, and that other CPU families may require different values, so the configuration implicitly 
+assumes a modern x86_64 kernel that implements these sysctls. The pair ``kernel.warn_limit=1`` and ``kernel.oops_limit=1`` 
+introduces an extremely low tolerance for kernel anomalies: in combination with a build that enables ``CONFIG_PANIC_ON_OOPS``, 
+which the commentary references, even a single WARN, BUG, or oops will trigger a reboot cycle rather than allow the kernel to 
+limp along in a potentially corrupted state.
+
+Filesystem-related sysctls are used to close off classes of symlink and hardlink-based attacks against privileged processes. The
+combination of ``fs.protected_symlinks=1``, ``fs.protected_hardlinks=1``, ``fs.protected_fifos=2`` and ``fs.protected_regular=2`` 
+changes how the kernel resolves symbolic links, hardlinks, and special files in world-writable directories. Access is 
+constrained so that following such references across user boundaries or into attacker-controlled locations is significantly more 
+difficult. This is particularly relevant for services that operate within shared directories such as ``/tmp`` and that 
+historically have been exploitable through TOCTOU race conditions on links.
+
+The networking section establishes a host profile that behaves explicitly as an end system, not as a router, and that is hostile
+to in-band reconfiguration from the network. Source routing is disabled for both IPv4 and IPv6 through 
+``net.ipv4.conf.*.accept_source_route=0`` and ``net.ipv6.conf.*.accept_source_route=0``. Redirects are neither accepted nor sent,
+using the cluster ``net.ipv4.conf.*.accept_redirects=0``, ``net.ipv4.conf.*.secure_redirects=0``, ``net.ipv6.conf.*.accept_redirects=0``, 
+and ``net.ipv4.conf.*.send_redirects=0``. Reverse path filtering is enabled with ``net.ipv4.conf.all.rp_filter=1`` and 
+``net.ipv4.conf.default.rp_filter=1``, which offers a basic defense against address spoofing. Logging of martian packets is 
+activated by ``net.ipv4.conf.*.log_martians=1``, so the system will record traffic with obviously bogus source addresses. IP 
+forwarding is forcibly disabled via ``net.ipv4.conf.all.forwarding=0``, reinforcing the assumption that these machines are not 
+supposed to forward traffic between interfaces.
+
+On the IPv6 side, router advertisements are turned off by ``net.ipv6.conf.all.accept_ra=0`` and ``net.ipv6.conf.default.accept_ra=0``, 
+which means that global IPv6 addressing and routing information must be configured statically or via a trusted configuration 
+mechanism. ARP resilience is improved by setting ``net.ipv4.conf.all.arp_ignore=1`` and ``net.ipv4.conf.default.arp_ignore=1``, so 
+the kernel only replies to ARP requests that match the target IP address on the receiving interface; this shrinks the surface 
+for ARP spoofing and gratuitous replies. ICMP behavior is made highly conservative: ``net.ipv4.icmp_echo_ignore_all=1`` and 
+``net.ipv4.icmp_echo_ignore_broadcasts=1`` effectively suppress echo replies entirely and ignore directed broadcasts, which 
+hinders network scanning and mitigates certain amplification attacks at the cost of losing simple ``ping`` diagnostics.
+
+Transport level settings are focused on resilience against SYN flood type denial of service and fingerprinting noise. The switch
+``net.ipv4.tcp_syncookies=1`` activates SYN cookies, ``net.ipv4.tcp_rfc1337=1`` instructs the kernel to protect against time-wait 
+assassination, and ``net.ipv4.tcp_max_syn_backlog=4096`` enlarges the queue for half-open connections, so the system can sustain 
+more parallel handshake attempts before dropping them. ``net.ipv4.tcp_synack_retries=2`` it reduces the number of retransmissions for
+SYN-ACK packets, which shortens the time wasted on unreachable peers and malicious scanners but can marginally penalize very 
+lossy networks. Finally, ``net.ipv4.tcp_timestamps=0`` disables TCP timestamps, which otherwise leak information about host uptime
+and clock behavior and can be abused for subtle fingerprinting.
+
+Beyond the active values, the module also documents several tunables that are intentionally left commented out. These include 
+sysctls for IO_uring disablement, performance event restrictions, memory overcommit policy, dirty page ratios, and swap 
+aggressiveness. Their presence turns the file into a compact reference of hardened defaults that the CISS ecosystem considers 
+defensible, while still leaving room for operator-specific adjustments when hardware constraints or workload characteristics 
+demand different trade-offs.
+
+In terms of preconditions, the configuration assumes a Linux kernel new enough to understand the modern hardening knobs it 
+targets, and a deployment model where almost all required modules and capabilities are either built into the kernel or loaded 
+before sysctl application. It does not itself coordinate with the live boot or initramfs stages: instead, it defines the 
+steady-state behavior of a system that has already pivoted into its real root filesystem. Within the overall 
+**CISS.debian.live.builder** architecture, ``90-ciss-local.hardened`` therefore functions as the final, host level enforcement layer 
+that aligns runtime behavior with the hardened kernel command line and build time options defined elsewhere in the project, 
+closing off residual dynamic features and network behaviors that would otherwise remain available after boot.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

docs/documentation/ciss_live_builder.sh.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.536.2025.12.04<br>
+**Build**: V8.13.544.2025.12.05<br>
 
 # 2. ciss_live_builder.sh
 

lib/lib_usage.sh

@@ -39,13 +39,13 @@ usage() {
   # shellcheck disable=SC2155
   declare var_header=$(center "CDLB(1)                        CISS.debian.live.builder                        CDLB(1)" "${var_cols}")
   # shellcheck disable=SC2155
-  declare var_footer=$(center "V8.13.536.2025.12.04                        2025-11-06                         CDLB(1)" "${var_cols}")
+  declare var_footer=$(center "V8.13.544.2025.12.05                        2025-11-06                         CDLB(1)" "${var_cols}")
 
   {
     echo -e "\e[1;97m${var_header}\e[0m"
     echo
     echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V8.13.536.2025.12.04\e[0m"
+    echo -e "\e[92mMaster V8.13.544.2025.12.05\e[0m"
     echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
     echo
     echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"

scripts/usr/local/sbin/9999_cdi_starter.sh

@@ -130,7 +130,7 @@ main() {
   touch "${var_log}"
 
 
-  printf "CISS.debian.installer Master V8.13.536.2025.12.04 is up! \n" >> "${var_log}"
+  printf "CISS.debian.installer Master V8.13.544.2025.12.05 is up! \n" >> "${var_log}"
 
   ### Sleep a moment to settle boot artifacts.
   sleep 8
@@ -209,7 +209,7 @@ main() {
 
   ### Timeout reached without acceptable semaphore.
   logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
-  printf "CISS.debian.installer Master V8.13.536.2025.12.04: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
+  printf "CISS.debian.installer Master V8.13.544.2025.12.05: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
 
   exit 0
 }

var/early.var.sh

@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
 declare -grx VAR_HOST="$(uname -n)"
 declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
-declare -grx VAR_VERSION="Master V8.13.536.2025.12.04"
+declare -grx VAR_VERSION="Master V8.13.544.2025.12.05"
 declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
   # Print $4 and $5; include $6 only if it exists
   out = $4