V8.13.004.2025.08.21

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-08-21 22:30:29 +02:00
parent f56d2d3215
commit 62c2c971bd
43 changed files with 183 additions and 47 deletions
--- a/.archive/.0000_lib_usage.sh
+++ b/.archive/.0000_lib_usage.sh
@@ -21,7 +21,7 @@ usage() {
  clear
  cat << EOF
 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.13.002.2025.08.11\e[0m")
+$(echo -e "\e[92mMaster V8.13.004.2025.08.21\e[0m")
 $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")

 $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
--- a/.editorconfig
+++ b/.editorconfig
@@ -25,6 +25,10 @@ charset = utf-8
 insert_final_newline = true
 trim_trailing_whitespace = true

+[{makefile,*.mk}]
+indent_style = tab
+tab_width    = 8
+
 [*.md]
 end_of_line = lf
 # Markdown benefits from a final newline for POSIX tools
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.13.002.2025.08.11"
+      placeholder: "e.g., Master V8.13.004.2025.08.21"
    validations:
      required: true

--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.13.002.2025.08.11
+### Version Master V8.13.004.2025.08.21

 FROM debian:bookworm

--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.13.002.2025.08.11
+### Version Master V8.13.004.2025.08.21

 name: 🔁 Render README.md to README.html.

--- a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.13.002.2025.08.11
+  version: V8.13.004.2025.08.21
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.13.002.2025.08.11
+  version: V8.13.004.2025.08.21
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PUBLIC.yaml
+++ b/.gitea/trigger/t_generate_PUBLIC.yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.13.002.2025.08.11
+  version: V8.13.004.2025.08.21
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.13.002.2025.08.11
+  version: V8.13.004.2025.08.21
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.13.002.2025.08.11
+### Version Master V8.13.004.2025.08.21

 name: 🔐 Generating a Private Live ISO FLV 0.

--- a/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.13.002.2025.08.11
+### Version Master V8.13.004.2025.08.21

 name: 🔐 Generating a Private Live ISO FLV 1.

--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.13.002.2025.08.11
+### Version Master V8.13.004.2025.08.21

 name: 💙 Generating a PUBLIC Live ISO.

--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.13.002.2025.08.11
+### Version Master V8.13.004.2025.08.21

 # Gitea Workflow: Shell-Script Linting
 #
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.13.002.2025.08.11
+### Version Master V8.13.004.2025.08.21

 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.

--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.13.002.2025.08.11
+### Version Master V8.13.004.2025.08.21

 name: 🔁 Render Graphviz Diagrams.

--- a/.gitignore
+++ b/.gitignore
@@ -16,5 +16,6 @@ target/
 *.DS_Store
 *.log
 *.ps1
+config.mk
 Thumbs.db
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.002.2025.08.11"
+properties_version="V8.13.004.2025.08.21"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.002.2025.08.11
+PackageVersion: Master V8.13.004.2025.08.21
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.002.2025.08.11-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.004.2025.08.21-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -26,7 +26,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.002.2025.08.11<br>
+**Build**: V8.13.004.2025.08.21<br>

 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -89,7 +89,7 @@ or shell-access, also via the forthcoming `CISS.debian.installer`. Such a versio
 provisions the target device from embedded source artifacts, and reboots into a fully encrypted system image. The system then 
 awaits the decryption passphrase input via an embedded Dropbear SSH server (SSH PubKey only) in the initramfs, exposing no ports
 without cryptographic hardened access, while also the `/boot` partition could be encrypted via the built-in support of 
-`grub2 (2.12-1~bpo12+1)`.<br>
+`grub2 (2.12-9)`.<br>

 This approach provides a fully reproducible, audit-friendly, and tamper-resistant provisioning workflow rooted entirely in 
 source-defined infrastructure logic.<br>
@@ -142,7 +142,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-

 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.

-Example: `V8.13.002.2025.08.11`
+Example: `V8.13.004.2025.08.21`

 `x.y.z` represents major (x), minor (y), and patch (z) version increments.

--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -59,7 +59,7 @@ declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
  exit "${ERR_NOT_USER_0}"
 }

-### Not called by sh.
+### Check to be not called by sh.
 # shellcheck disable=2312
 [[ $(kill -l | grep -c SIG) -eq 0 ]] && {
  . ./var/global.var.sh
@@ -67,7 +67,7 @@ declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
  exit "${ERR_UNSPPTBASH}"
 }

-### Not sourced.
+### Check to be not sourced.
 [[ "${BASH_SOURCE[0]}" != "$0" ]] && {
  . ./var/global.var.sh
  printf "\e[91m❌ This script must be executed, not sourced. Please run '%s' directly! Bye... \e[0m\n" "$0" >&2
@@ -107,13 +107,13 @@ for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh  ; usa
 for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh; version; exit 0;; esac; done

 ### ALL CHECKS DONE. READY TO START THE SCRIPT
+source_guard "./var/bash.var.sh"
 check_git
 for arg in "$@"; do case "${arg,,}" in -d|--debug) . ./meta_sources_debug.sh; debugger "${@}";; esac; done
 declare -gx VAR_SETUP="true"

 ### SOURCING VARIABLES
 [[ "${VAR_SETUP}" == true ]] && {
-  source_guard "./var/bash.var.sh"
  source_guard "./var/color.var.sh"
  source_guard "./var/global.var.sh"
 }
--- a/config.mk.sample
+++ b/config.mk.sample
@@ -0,0 +1,21 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-21; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+BUILD_DIR            ?=
+PROVIDER_NETCUP_IPV6 ?=
+ROOT_PASSWORD_FILE   ?=
+SSH_PORT             ?=
+SSH_PUBKEY           ?=
+
+### Comma-separated jump hosts (can be empty):
+JUMP_HOSTS           ?=
+
+# vim: set ft=make noet ts=8 sw=8
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.13.002.2025.08.11
+### Version Master V8.13.004.2025.08.21

 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.13.002.2025.08.11
+### Version Master V8.13.004.2025.08.21

 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-declare -gr VERSION="Master V8.13.002.2025.08.11"
+declare -gr VERSION="Master V8.13.004.2025.08.21"

 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh

 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.002.2025.08.11 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.004.2025.08.21 at: 10:18:37.9542
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.002.2025.08.11<br>
+**Build**: V8.13.004.2025.08.21<br>

 # 2. DNSSEC Status

--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.002.2025.08.11<br>
+**Build**: V8.13.004.2025.08.21<br>

 # 2. Haveged Audit on Netcup RS 2000 G11

--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.002.2025.08.11<br>
+**Build**: V8.13.004.2025.08.21<br>

 # 2. Lynis Audit:

--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.002.2025.08.11<br>
+**Build**: V8.13.004.2025.08.21<br>

 # 2. SSH Audit by ssh-audit.com

--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.002.2025.08.11<br>
+**Build**: V8.13.004.2025.08.21<br>

 # 2. TLS Audit:

--- a/docs/BOOTPARAMS.md
+++ b/docs/BOOTPARAMS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.002.2025.08.11<br>
+**Build**: V8.13.004.2025.08.21<br>

 # 2. Hardened Kernel Boot Parameters

--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -8,10 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.002.2025.08.11<br>
+**Build**: V8.13.004.2025.08.21<br>

 # 2. Changelog

+## V8.13.004.2025.08.21
+* **Added**: [makefile](../makefile)
+
 ## V8.13.002.2025.08.11
 * **Added**: [lib_source_guard.sh](../lib/lib_source_guard.sh)
 * **Added**: [sources.list](../config/includes.chroot/etc/apt/sources.list)
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.002.2025.08.11<br>
+**Build**: V8.13.004.2025.08.21<br>

 # 2. Centurion Net - Developer Branch Overview

--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.002.2025.08.11<br>
+**Build**: V8.13.004.2025.08.21<br>

 # 2. Coding Style

--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.002.2025.08.11<br>
+**Build**: V8.13.004.2025.08.21<br>

 # 2. Contributing / participating

--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.002.2025.08.11<br>
+**Build**: V8.13.004.2025.08.21<br>

 # 2. Credits

--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.002.2025.08.11<br>
+**Build**: V8.13.004.2025.08.21<br>

 # 2. Download the latest PUBLIC CISS.debian.live.ISO

--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,12 +8,12 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.002.2025.08.11<br>
+**Build**: V8.13.004.2025.08.21<br>

 # 2.1. Usage
 ````text
 CISS.debian.live.builder
-Master V8.13.002.2025.08.11
+Master V8.13.004.2025.08.21
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.

 (c) Marc S. Weidner, 2018 - 2025
@@ -136,7 +136,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
 # 2.2. Contact
 ````text
 CISS.debian.live.builder
-Master V8.13.002.2025.08.11
+Master V8.13.004.2025.08.21
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.

 (c) Marc S. Weidner, 2018 - 2025
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.002.2025.08.11<br>
+**Build**: V8.13.004.2025.08.21<br>

 # 2. Resources

--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -35,13 +35,13 @@ usage() {
  # shellcheck disable=SC2155
  declare var_header=$(center "CLB(1)                        CISS.debian.live.builder                        CLB(1)" "${var_cols}")
  # shellcheck disable=SC2155
-  declare var_footer=$(center "V8.13.002.2025.08.11                        2025-08-11                        CLB(1)" "${var_cols}")
+  declare var_footer=$(center "V8.13.004.2025.08.21                        2025-08-11                        CLB(1)" "${var_cols}")

  {
    echo -e "\e[1;97m${var_header}\e[0m"
    echo
    echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V8.13.002.2025.08.11\e[0m"
+    echo -e "\e[92mMaster V8.13.004.2025.08.21\e[0m"
    echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
    echo
    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
--- a/107
+++ b/107
@@ -0,0 +1,107 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-21; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Use Bash for recipe shells (not /bin/sh)
+SHELL                := /usr/bin/bash
+.SHELLFLAGS          := -CEeuTo pipefail -O failglob -c
+.ONESHELL            :
+.DELETE_ON_ERROR     :
+.RECIPEPREFIX        :=	### Tabstopp
+.DEFAULT_GOAL        := live
+
+### Local, unversioned overrides (optional):
+-include config.mk
+
+### Timestamp at parse time (UTC); can be overridden:
+TIMESTAMP            ?= $(shell date -u +%Y-%m-%dT%H-%M-%S)
+
+### Core parameters (safe defaults; override in config.mk or via CLI):
+ARCH                 ?= amd64
+AUTOBUILD            ?= 6.12.41+deb13-amd64
+CONTROL              ?= $(TIMESTAMP)
+
+### Nice/ionice settings:
+RENICE               ?= -19
+REIONICE_CLASS       ?= 1
+REIONICE_PRIO        ?= 2
+
+### Feature flags (set to empty to disable):
+FLAG_CDI             ?= 1
+FLAG_DEBUG           ?= 1
+FLAG_DHCP_CENTURION  ?= 1
+FLAG_TRIXIE          ?= 1
+
+### Reusable canned recipe:
+### Usage: $(call COMPOSE_AND,print) -> prints the fully quoted command
+###        $(call COMPOSE_AND,exec)  -> execs the command
+define COMPOSE_AND
+	### Build command as a robust array to avoid word-splitting and globbing issues:
+	cmd=( ./ciss_live_builder.sh )
+	cmd+=( --architecture '$(ARCH)' )
+	cmd+=( --build-directory '$(BUILD_DIR)' )
+	cmd+=( --control '$(CONTROL)' )
+	cmd+=( --root-password-file '$(ROOT_PASSWORD_FILE)' )
+	cmd+=( --ssh-port '$(SSH_PORT)' )
+	cmd+=( --ssh-pubkey '$(SSH_PUBKEY)' )
+	### Optional flags:
+	[[ -n '$(AUTOBUILD)'            ]] && cmd+=( --autobuild=$(AUTOBUILD) )
+	[[ -n '$(FLAG_CDI)'             ]] && cmd+=( --cdi )
+	[[ -n '$(FLAG_DEBUG)'           ]] && cmd+=( --debug )
+	[[ -n '$(FLAG_DHCP_CENTURION)'  ]] && cmd+=( --dhcp-centurion )
+	[[ -n '$(FLAG_TRIXIE)'          ]] && cmd+=( --trixie )
+	[[ -n '$(PROVIDER_NETCUP_IPV6)' ]] && cmd+=( --provider-netcup-ipv6 '$(PROVIDER_NETCUP_IPV6)' )
+	[[ -n '$(RENICE)'               ]] && cmd+=( --renice-priority '$(RENICE)' )
+	if [[ -n '$(REIONICE_CLASS)' && -n '$(REIONICE_PRIO)' ]]; then
+	                                      cmd+=( --reionice-priority '$(REIONICE_CLASS)' '$(REIONICE_PRIO)' )
+	fi
+	### Only add the flag if there is actually at least one host:
+	jh_csv='$(strip $(JUMP_HOSTS))'
+	if [[ -n "$$jh_csv" ]]; then
+	 	### Disable globbing so [fe80::1] isn't treated as a pattern:
+	 	set -f
+	 	IFS=',' read -r -a jh <<< "$$jh_csv"
+		set +f
+		### Emit a single --jump-host followed by N addresses:
+		cmd+=( --jump-host )
+		for h in "$${jh[@]}"; do
+			[[ -n "$$h" ]] && cmd+=( "$$h" )
+		done
+	fi
+	## Act according to the requested mode ($(1) = print|exec):
+	 case "$(1)" in
+		print)
+			printf '\e[92mCommand to run:\e[0m\n'
+			printf '\e[95m%s ' "$${cmd[@]@Q}"; printf '\e[0m\n'
+			;;
+		exec|"")
+			printf '\e[92mThe following command is executed: \e[0m\n'
+			printf '\n'
+			printf '\e[95m%s ' "$${cmd[@]@Q}"; printf '\e[0m\n'
+			printf '\n'
+			printf '\e[92mScript is loading ... \e[0m\n'
+			exec "$${cmd[@]}"
+			;;
+		*)
+			printf 'Unknown mode: %s\n' "$(1)" >&2; exit 2
+			;;
+	esac
+endef
+
+### Targets that reuse the block:
+.PHONY: dry-run live
+
+dry-run:
+	@$(call COMPOSE_AND,print)
+
+live:
+	@$(call COMPOSE_AND,exec)
+
+# vim: set ft=make noet ts=8 sw=8
--- a/scripts/9000-cdi-starter
+++ b/scripts/9000-cdi-starter
@@ -15,7 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 # sleep 1

 [[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log
-printf "CISS.debian.installer Master V8.13.002.2025.08.11 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+printf "CISS.debian.installer Master V8.13.004.2025.08.21 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log

 if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then
  chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh
--- a/var/early.var.sh
+++ b/var/early.var.sh
@@ -14,7 +14,7 @@

 # shellcheck disable=SC2155
 declare -grx VAR_CONTACT="security@coresecret.eu"
-declare -grx VAR_VERSION="Master V8.13.002.2025.08.11"
+declare -grx VAR_VERSION="Master V8.13.004.2025.08.21"
 declare -grx VAR_SYSTEM="$(uname -a)"
 declare -gx  VAR_EARLY_DEBUG="false"
 declare -gx  VAR_HANDLER_AUTOBUILD="false"