diff --git a/.archive/.0000_lib_usage.sh b/.archive/.0000_lib_usage.sh
index fb9ebe8..8a5f55b 100644
--- a/.archive/.0000_lib_usage.sh
+++ b/.archive/.0000_lib_usage.sh
@@ -21,7 +21,7 @@ usage() {
clear
cat << EOF
$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.13.256.2025.10.21\e[0m")
+$(echo -e "\e[92mMaster V8.13.272.2025.10.22\e[0m")
$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
index c3d5754..7bd3241 100644
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
attributes:
label: "Version"
description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
- placeholder: "e.g., Master V8.13.256.2025.10.21"
+ placeholder: "e.g., Master V8.13.272.2025.10.22"
validations:
required: true
diff --git a/.gitea/TODO/dockerfile b/.gitea/TODO/dockerfile
index d3f35ee..2f2db14 100644
--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.256.2025.10.21
+# Version Master V8.13.272.2025.10.22
FROM debian:bookworm
diff --git a/.gitea/TODO/render-md-to-html.yaml b/.gitea/TODO/render-md-to-html.yaml
index 3930765..d0eb8a6 100644
--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.256.2025.10.21
+# Version Master V8.13.272.2025.10.22
name: ๐ Render README.md to README.html.
diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
index 09ddc27..908c799 100644
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V8.13.256.2025.10.21
+ version: V8.13.272.2025.10.22
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
index 09ddc27..908c799 100644
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V8.13.256.2025.10.21
+ version: V8.13.272.2025.10.22
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/trigger/t_generate_PUBLIC.yaml b/.gitea/trigger/t_generate_PUBLIC.yaml
index 67bc211..10b3565 100644
--- a/.gitea/trigger/t_generate_PUBLIC.yaml
+++ b/.gitea/trigger/t_generate_PUBLIC.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V8.13.256.2025.10.21
+ version: V8.13.272.2025.10.22
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml
index 67bc211..10b3565 100644
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V8.13.256.2025.10.21
+ version: V8.13.272.2025.10.22
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
index 8eb81a2..994dd00 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.256.2025.10.21
+# Version Master V8.13.272.2025.10.22
name: ๐ Generating a Private Live ISO TRIXIE.
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
index 72e611d..b92fc4e 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.256.2025.10.21
+# Version Master V8.13.272.2025.10.22
name: ๐ Generating a Private Live ISO TRIXIE.
diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml
index c533d61..3284301 100644
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.256.2025.10.21
+# Version Master V8.13.272.2025.10.22
name: ๐ Generating a PUBLIC Live ISO.
diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml
index 267cb05..a6d8725 100644
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.256.2025.10.21
+# Version Master V8.13.272.2025.10.22
# Gitea Workflow: Shell-Script Linting
#
diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml
index ed64c42..f7f67f1 100644
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.256.2025.10.21
+# Version Master V8.13.272.2025.10.22
name: ๐ก๏ธ Retrieve DNSSEC status of coresecret.dev.
diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml
index 13b2098..ea83bb9 100644
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.256.2025.10.21
+# Version Master V8.13.272.2025.10.22
name: ๐ Render Graphviz Diagrams.
diff --git a/.version.properties b/.version.properties
index b728254..7698483 100644
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
properties_SPDX-PackageName="CISS.debian.live.builder"
properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.256.2025.10.21"
+properties_version="V8.13.272.2025.10.22"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx
index 07cca3a..74bb09c 100644
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
Created: 2025-05-07T12:00:00Z
Package: CISS.debian.live.builder
PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.256.2025.10.21
+PackageVersion: Master V8.13.272.2025.10.22
PackageSupplier: Organization: Centurion Intelligence Consulting Agency
PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
diff --git a/README.md b/README.md
index e090db7..8d5ecbd 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
gitea: none
include_toc: true
---
-[](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[](https://git.coresecret.dev/msw/CISS.debian.live.builder)
[](https://eupl.eu/1.2/en/)
[](https://opensource.org/license/eupl-1-2)
@@ -26,7 +26,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.256.2025.10.21
+**Build**: V8.13.272.2025.10.22
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -151,7 +151,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `V8.13.256.2025.10.21`
+Example: `V8.13.272.2025.10.22`
`x.y.z` represents major (x), minor (y), and patch (z) version increments.
diff --git a/REPOSITORY.md b/REPOSITORY.md
index f2cf957..9b00bed 100644
--- a/REPOSITORY.md
+++ b/REPOSITORY.md
@@ -8,13 +8,13 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.256.2025.10.21
+**Build**: V8.13.272.2025.10.22
# 2.1. Repository Structure
**Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) โ Debian Live Builder
**Branch:** `master`
-**Repository State:** Master Version **8.13**, Build **V8.13.256.2025.10.21** (as of 2025-10-11)
+**Repository State:** Master Version **8.13**, Build **V8.13.272.2025.10.22** (as of 2025-10-11)
## 2.2. Top-Level Layout
diff --git a/config/hooks/live/0090_jitterentropy.chroot b/config/hooks/live/0090_jitterentropy.chroot
index 08992f4..e9635bc 100644
--- a/config/hooks/live/0090_jitterentropy.chroot
+++ b/config/hooks/live/0090_jitterentropy.chroot
@@ -24,7 +24,7 @@ mkdir -p /etc/systemd/system/jitterentropy-rngd.service.d
cat << 'EOF' >> /etc/systemd/system/jitterentropy-rngd.service.d/override.conf
[Service]
ExecStart=
-ExecStart=/usr/sbin/jitterentropy-rngd --sp800-90b --osr=7
+ExecStart=/usr/sbin/jitterentropy-rngd --osr=2
EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โ
'%s' applied successfully. \e[0m\n" "${0}"
diff --git a/config/hooks/live/9996_auditd.chroot b/config/hooks/live/9996_auditd.chroot
index 6211c5d..f49498c 100644
--- a/config/hooks/live/9996_auditd.chroot
+++ b/config/hooks/live/9996_auditd.chroot
@@ -40,13 +40,16 @@ cat << EOF >| /etc/audit/rules.d/10-base-config.rules
-D
## Increase the buffers to survive stress events.
-## Make this bigger for busy systems
--b 8192
+## Make this bigger for busy systems.
+-b 16384
-## This determine how long to wait in burst of events
---backlog_wait_time 60000
+## Rate Limit. Cap kernel->userspace message rate (0 = unlimited).
+-r 200
-## Set failure mode to syslog
+## This determine how long to wait in burst of events. How long to wait in bursts (ยตs).
+--backlog_wait_time 1024
+
+## Set failure mode to syslog.
-f 1
EOF
@@ -92,6 +95,17 @@ cat << EOF >| /etc/audit/rules.d/22-ignore-chrony.rules
-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=_chrony
EOF
+############################################################### /etc/audit/rules.d/25-ciss-exec.rules
+cat << EOF >| /etc/audit/rules.d/25-ciss-exec.rules
+## Focus on privileged exec, not every user command
+-a always,exit -F arch=b64 -S execve -F euid=0 -k exec_root
+-a always,exit -F arch=b32 -S execve -F euid=0 -k exec_root
+-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/sudo -k exec_sudo
+-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/sudo -k exec_sudo
+-a always,exit -F arch=b64 -S execve -C uid!=euid -k exec_suid_sgid
+-a always,exit -F arch=b32 -S execve -C uid!=euid -k exec_suid_sgid
+EOF
+
############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
## Unsuccessful file creation (open with O_CREAT)
@@ -109,17 +123,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
EOF
-############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
-## Successful file creation (open with O_CREAT)
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-EOF
-
############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
## Unsuccessful file modifications (open for write or truncate)
@@ -137,17 +140,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
EOF
-############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
-## Successful file modifications (open for write or truncate)
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-EOF
-
############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
## Unsuccessful file access (any other opens) This has to go last.
@@ -157,14 +149,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
EOF
-############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
-## Successful file access (any other opens) This has to go last.
-## These next two are likely to result in a whole lot of events
--a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
--a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
-EOF
-
############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
## Unsuccessful file delete
@@ -174,13 +158,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
EOF
-############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
-## Successful file delete
--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
-EOF
-
############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
## Unsuccessful permission change
@@ -190,13 +167,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
EOF
-############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
-## Successful permission change
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
-EOF
-
############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
## Unsuccessful ownership change
@@ -206,13 +176,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
EOF
-############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
-## Successful ownership change
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
--a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
-EOF
-
############################################################### /etc/audit/rules.d/30-ospp-v42.rules
cat << EOF >| /etc/audit/rules.d/30-ospp-v42.rules
## The purpose of these rules is to meet the requirements for Operating
diff --git a/config/includes.chroot/etc/ssh/ssh_known_hosts b/config/includes.chroot/etc/ssh/ssh_known_hosts
index b88454c..7716e5f 100644
--- a/config/includes.chroot/etc/ssh/ssh_known_hosts
+++ b/config/includes.chroot/etc/ssh/ssh_known_hosts
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.256.2025.10.21
+# Version Master V8.13.272.2025.10.22
[git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
[git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config
index 3aab4e0..e3fd73e 100644
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.256.2025.10.21
+# Version Master V8.13.272.2025.10.22
### https://www.ssh-audit.com/
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -43,7 +43,7 @@ PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
StrictModes yes
-LoginGraceTime 30s
+LoginGraceTime 2m
MaxAuthTries 3
MaxSessions 2
### Begin randomly dropping new unauthenticated connections after the 2nd attempt,
diff --git a/config/includes.chroot/etc/sysctl.d/99_local.hardened b/config/includes.chroot/etc/sysctl.d/99_local.hardened
index 8aa4f1d..2c1d5f2 100644
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.256.2025.10.21
+# Version Master V8.13.272.2025.10.22
### https://docs.kernel.org/
### https://github.com/a13xp0p0v/kernel-hardening-checker/
diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
index 2afb85b..d8bdc8e 100644
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V8.13.256.2025.10.21"
+declare -gr VERSION="Master V8.13.272.2025.10.22"
### VERY EARLY CHECK FOR DEBUGGING
if [[ $* == *" --debug "* ]]; then
diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg
index 600f4c9..790467c 100644
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
# Please consider donating to my work at: https://coresecret.eu/spenden/
###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.256.2025.10.21 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.272.2025.10.22 at: 10:18:37.9542
diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md
index 501a6b0..2ba6611 100644
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.256.2025.10.21
+**Build**: V8.13.272.2025.10.22
# 2. DNSSEC Status
diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md
index 4436db2..6f3e37e 100644
--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.256.2025.10.21
+**Build**: V8.13.272.2025.10.22
# 2. Haveged Audit on Netcup RS 2000 G11
diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md
index 1c357df..6099f1a 100644
--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.256.2025.10.21
+**Build**: V8.13.272.2025.10.22
# 2. Lynis Audit:
diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md
index e302cfb..7ec0a9d 100644
--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.256.2025.10.21
+**Build**: V8.13.272.2025.10.22
# 2. SSH Audit by ssh-audit.com
diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md
index 244f308..5e23e63 100644
--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.256.2025.10.21
+**Build**: V8.13.272.2025.10.22
# 2. TLS Audit:
````text
diff --git a/docs/BOOTPARAMS.md b/docs/BOOTPARAMS.md
index 3c0477f..81ac474 100644
--- a/docs/BOOTPARAMS.md
+++ b/docs/BOOTPARAMS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.256.2025.10.21
+**Build**: V8.13.272.2025.10.22
# 2. Hardened Kernel Boot Parameters
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 45713c7..cff4d98 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -8,10 +8,14 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.256.2025.10.21
+**Build**: V8.13.272.2025.10.22
# 2. Changelog
+## V8.13.272.2025.10.22
+* **Updated**: [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot) removed --sp800-90b
+* **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot) unified auditd configuration, removed success rules
+
## V8.13.256.2025.10.21
* **Updated**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot)
* **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_fail2ban_hardening.chroot)
diff --git a/docs/CNET.md b/docs/CNET.md
index 90e8154..1172674 100644
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.256.2025.10.21
+**Build**: V8.13.272.2025.10.22
# 2. Centurion Net - Developer Branch Overview
diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md
index 896aa4d..695b377 100644
--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.256.2025.10.21
+**Build**: V8.13.272.2025.10.22
# 2. Coding Style
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
index 1d6f50a..43d6bb4 100644
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.256.2025.10.21
+**Build**: V8.13.272.2025.10.22
# 2. Contributing / participating
diff --git a/docs/CREDITS.md b/docs/CREDITS.md
index 3827036..50f265c 100644
--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.256.2025.10.21
+**Build**: V8.13.272.2025.10.22
# 2. Credits
diff --git a/docs/DL_PUB_ISO.md b/docs/DL_PUB_ISO.md
index 3a6b0ed..b74d3e7 100644
--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.256.2025.10.21
+**Build**: V8.13.272.2025.10.22
# 2. Download the latest PUBLIC CISS.debian.live.ISO
diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md
index e980381..f65192d 100644
--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,12 +8,12 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.256.2025.10.21
+**Build**: V8.13.272.2025.10.22
# 2.1. Usage
````text
CISS.debian.live.builder
-Master V8.13.256.2025.10.21
+Master V8.13.272.2025.10.22
A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
(c) Marc S. Weidner, 2018 - 2025
@@ -136,7 +136,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
# 2.2. Contact
````text
CISS.debian.live.builder
-Master V8.13.256.2025.10.21
+Master V8.13.272.2025.10.22
A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
(c) Marc S. Weidner, 2018 - 2025
diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md
index a26d8fe..1078057 100644
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.256.2025.10.21
+**Build**: V8.13.272.2025.10.22
# 2. Resources
diff --git a/lib/lib_usage.sh b/lib/lib_usage.sh
index 02da999..f9690c1 100644
--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -35,13 +35,13 @@ usage() {
# shellcheck disable=SC2155
declare var_header=$(center "CLB(1) CISS.debian.live.builder CLB(1)" "${var_cols}")
# shellcheck disable=SC2155
- declare var_footer=$(center "V8.13.256.2025.10.21 2025-10-07 CLB(1)" "${var_cols}")
+ declare var_footer=$(center "V8.13.272.2025.10.22 2025-10-07 CLB(1)" "${var_cols}")
{
echo -e "\e[1;97m${var_header}\e[0m"
echo
echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
- echo -e "\e[92mMaster V8.13.256.2025.10.21\e[0m"
+ echo -e "\e[92mMaster V8.13.272.2025.10.22\e[0m"
echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
echo
echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
diff --git a/scripts/9999-cdi-starter b/scripts/9999-cdi-starter
index 3395d12..eaffdfb 100644
--- a/scripts/9999-cdi-starter
+++ b/scripts/9999-cdi-starter
@@ -66,7 +66,7 @@ main() {
# shellcheck disable=SC2312
exec > >(tee -a "${log}") 2>&1
- printf "CISS.debian.installer Master V8.13.256.2025.10.21 is up! \n" >| /root/.ciss/cdi/log/auto_start_begin_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+ printf "CISS.debian.installer Master V8.13.272.2025.10.22 is up! \n" >| /root/.ciss/cdi/log/auto_start_begin_"$(date +"%Y-%m-%d_%H-%M-%S")".log
net_wait
@@ -87,7 +87,7 @@ main() {
# --reionice-priority 1 0 \
# --renice-priority "-19"
- printf "CISS.debian.installer Master V8.13.256.2025.10.21 successfully executed! \n" >| /root/.ciss/cdi/log/auto_start_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+ printf "CISS.debian.installer Master V8.13.272.2025.10.22 successfully executed! \n" >| /root/.ciss/cdi/log/auto_start_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
exit 0
}
diff --git a/var/early.var.sh b/var/early.var.sh
index e834143..d6914de 100644
--- a/var/early.var.sh
+++ b/var/early.var.sh
@@ -14,7 +14,7 @@
# shellcheck disable=SC2155
declare -grx VAR_CONTACT="security@coresecret.eu"
-declare -grx VAR_VERSION="Master V8.13.256.2025.10.21"
+declare -grx VAR_VERSION="Master V8.13.272.2025.10.22"
declare -grx VAR_SYSTEM="$(uname -mnosv)"
declare -gx VAR_EARLY_DEBUG="false"
declare -gx VAR_HANDLER_AUTOBUILD="false"