diff --git a/.archive/generate_PRIVATE_trixie_0.yaml b/.archive/generate_PRIVATE_trixie_0.yaml
index 4619fe6..0112836 100644
--- a/.archive/generate_PRIVATE_trixie_0.yaml
+++ b/.archive/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13
name: ๐ Generating a Private Live ISO TRIXIE.
diff --git a/.archive/generate_PRIVATE_trixie_1.yaml b/.archive/generate_PRIVATE_trixie_1.yaml
index 57a6f11..fe23070 100644
--- a/.archive/generate_PRIVATE_trixie_1.yaml
+++ b/.archive/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13
name: ๐ Generating a Private Live ISO TRIXIE.
diff --git a/.archive/generate_PUBLIC_iso.yaml b/.archive/generate_PUBLIC_iso.yaml
index 4e68263..ff3e465 100644
--- a/.archive/generate_PUBLIC_iso.yaml
+++ b/.archive/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13
name: ๐ Generating a PUBLIC Live ISO.
diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
index 497cf9b..48d3c54 100644
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
attributes:
label: "Version"
description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
- placeholder: "e.g., Master V8.13.768.2025.12.06"
+ placeholder: "e.g., Master V9.14.002.2026.05.13"
validations:
required: true
diff --git a/.gitea/TODO/dockerfile b/.gitea/TODO/dockerfile
index dea3e3a..e41b1e2 100644
--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13
FROM debian:bookworm
diff --git a/.gitea/TODO/render-md-to-html.yaml b/.gitea/TODO/render-md-to-html.yaml
index 6909d57..be815b0 100644
--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13
name: ๐ Render README.md to README.html.
diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
index cbb4681..703ddc1 100644
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V8.13.768.2025.12.06
+ version: V9.14.002.2026.05.13
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/trigger/t_generate_PUBLIC.yaml b/.gitea/trigger/t_generate_PUBLIC.yaml
index c77c09b..f75d38a 100644
--- a/.gitea/trigger/t_generate_PUBLIC.yaml
+++ b/.gitea/trigger/t_generate_PUBLIC.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V8.13.768.2025.12.06
+ version: V9.14.002.2026.05.13
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml
index c77c09b..f75d38a 100644
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V8.13.768.2025.12.06
+ version: V9.14.002.2026.05.13
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
index 2d249a4..f5b66d9 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13
name: ๐ Generating a Private Live ISO TRIXIE.
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
index 3101552..e9e481e 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13
name: ๐ Generating a Private Live ISO TRIXIE.
diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml
index ade71cf..c919486 100644
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13
name: ๐ Generating a PUBLIC Live ISO.
diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml
index fd4b36e..b7113dc 100644
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13
# Gitea Workflow: Shell-Script Linting
#
diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml
index c86d976..c689359 100644
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13
name: ๐ก๏ธ Retrieve DNSSEC status of coresecret.dev.
diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml
index a5dd1a7..7f24cd5 100644
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13
name: ๐ Render Graphviz Diagrams.
diff --git a/.version.properties b/.version.properties
index 6f2d7c6..a883fa9 100644
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
properties_SPDX-PackageName="CISS.debian.live.builder"
properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.768.2025.12.06"
+properties_version="V9.14.002.2026.05.13"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx
index 687f1c8..3ae2730 100644
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
Created: 2025-05-07T12:00:00Z
Package: CISS.debian.live.builder
PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.768.2025.12.06
+PackageVersion: Master V9.14.002.2026.05.13
PackageSupplier: Organization: Centurion Intelligence Consulting Agency
PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
diff --git a/README.md b/README.md
index b81dd48..2758db7 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
gitea: none
include_toc: true
---
-[](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[](https://git.coresecret.dev/msw/CISS.debian.live.builder)
[](https://eupl.eu/1.2/en/)
[](https://opensource.org/license/eupl-1-2)
@@ -11,10 +11,10 @@ include_toc: true
[](https://github.com/mvdan/sh)
[](https://google.github.io/styleguide/shellguide.html)
-[](https://docs.gitea.com/)
-[](https://docs.gitea.com/)
-[](https://www.jetbrains.com/store/?section=personal&billing=yearly)
-[](https://keepassxc.org/)
+[](https://docs.gitea.com/)
+[](https://docs.gitea.com/)
+[](https://www.jetbrains.com/store/?section=personal&billing=yearly)
+[](https://keepassxc.org/)
[](https://www.netcup.com/de)
[](https://coresecret.eu/)
[](https://x.com/coresecret_eu)
@@ -26,11 +26,11 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
-**Master Version**: 8.13
-**Build**: V8.13.768.2025.12.06
+**Master Version**: 9.14
+**Build**: V9.14.002.2026.05.13
**CISS.debian.live.builder โ First of its own.**
-**World-class CIA: Designed, handcrafted and powered by Centurion Intelligence Consulting Agency.**
+**World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.**
Developed and maintained as a one-man, security-driven engineering effort since 2024, **CISS.debian.live.builder** is designed
to serve as a reference implementation for hardened, image-based Debian deployments.
@@ -175,7 +175,7 @@ installer toolchain.
This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `V8.13.768.2025.12.06`
+Example: `V9.14.002.2026.05.13`
`x.y.z` represents major (x), minor (y), and patch (z) version increments.
@@ -221,7 +221,7 @@ The parameters fall into several categories.
* The audit subsystem is configured to be always on ``audit=1`` and to tolerate heavy bursts without dropping events ``audit_backlog_limit=262144``. I treat the audit trail as an evidentiary artifact; truncation because of backlog limits is not acceptable in that model.
* The debug surface of the kernel is reduced aggressively. ``debugfs=off`` avoids a traditional footgun that exposes kernel internals in a way that is friendly to attackers and rarely necessary in production.
* Memory is hardened on several levels at allocation time and at free time. ``init_on_alloc=1`` and ``init_on_free=1`` provide deterministic zeroing, ``page_poison=1`` fills freed pages with a poison pattern, and ``page_alloc.shuffle=1`` shuffles the allocator so that a process can no longer rely on stable physical patterns. Together these measures raise the cost of use-after-free exploitation and other memory corruption attacks.
-* The IOMMU is not optional. I force it on ``iommu=force``, disable passthrough ``iommu.passthrough=0`` and require strict behavior ``iommu.strict=``1. Any environment that contains devices capable of DMA must have a correctly configured IOMMU, otherwise the trust model for the CPU and for the memory hierarchy collapses as soon as a hostile device is introduced.
+* The IOMMU is not optional. I force it on ``iommu=force``, disable passthrough, and require strict behavior ``iommu.strict=``1. Any environment that contains devices capable of DMA must have a correctly configured IOMMU, otherwise the trust model for the CPU and for the memory hierarchy collapses as soon as a hostile device is introduced.
* ``kfence.sample_interval=100`` activates KFENCE with a sampling interval that is still usable in production but sensitive enough to catch a meaningful subset of memory safety bugs under real workloads.
* Virtualization-specific knobs include ``kvm.nx_huge_pages=force``, to keep huge pages non-executable, and ``l1d_flush=on`` so that context switches flush the L1 data cache where needed.
* ``lockdown=integrity`` places the kernel into lockdown mode with an emphasis on integrity. In this project I consider the integrity of the system more critical than the ability to introspect a running kernel from userspace.
diff --git a/REPOSITORY.md b/REPOSITORY.md
index b231ec7..f5b8298 100644
--- a/REPOSITORY.md
+++ b/REPOSITORY.md
@@ -7,14 +7,14 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
-**Master Version**: 8.13
-**Build**: V8.13.768.2025.12.06
+**Master Version**: 9.14
+**Build**: V9.14.002.2026.05.13
# 2. Repository Structure
**Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) โ Debian Live Builder
**Branch:** `master`
-**Repository State:** Master Version **8.13**, Build **V8.13.768.2025.12.06** (as of 2025-10-11)
+**Repository State:** Master Version **9.14**, Build **V9.14.002.2026.05.13** (as of 2025-10-11)
## 3.1. Top-Level Layout
diff --git a/ciss_live_builder.sh b/ciss_live_builder.sh
index fff3ef0..abe4af8 100644
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -15,7 +15,7 @@
### WHY BASH?
# Ease of installation. No compiling or installing gems, CPAN modules, pip packages, etc. Simple to use and read. Clear syntax
# and straightforward output interpretation. Built-in power. Pattern matching, line processing, and regular expression support
-# are available natively, no external binaries required. Cross-platform consistency. '/bin/bash' is the default shell on most
+# are available natively; no external binaries are required. Cross-platform consistency. '/bin/bash' is the default shell on most
# Linux distributions, ensuring scripts run unmodified across systems. macOS compatibility. Since macOS Catalina (10.15), the
# default login shell has been zsh, but bash remains available at '/bin/bash'. Windows support. You can use bash via WSL, MSYS2,
# or Cygwin on Windows systems.
diff --git a/config.mk.sample b/config.mk.sample
index 2988156..e45a21d 100644
--- a/config.mk.sample
+++ b/config.mk.sample
@@ -10,6 +10,9 @@
# SPDX-Security-Contact: security@coresecret.eu
BUILD_DIR ?=
+
+### Optional Dropbear source override; empty uses VAR_DROPBEAR_VERSION from var/global.var.sh:
+DROPBEAR_VERSION ?=
PROVIDER_NETCUP_IPV6 ?=
ROOT_PASSWORD_FILE ?=
SSH_PORT ?=
diff --git a/config/hooks/live/0020_dropbear_build.chroot b/config/hooks/live/0020_dropbear_build.chroot
index 63d8047..aaf810a 100644
--- a/config/hooks/live/0020_dropbear_build.chroot
+++ b/config/hooks/live/0020_dropbear_build.chroot
@@ -18,14 +18,33 @@ export DEBIAN_FRONTEND="noninteractive"
export INITRD="No"
### Declare Arrays, HashMaps, and Variables.
-declare var_dropbear_version="2025.88"
+declare var_dropbear_env="/root/dropbear.env"
+[[ -r "${var_dropbear_env}" ]] || {
+ printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ โ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2
+ exit 43
+}
+
+# shellcheck disable=SC1090
+. "${var_dropbear_env}"
+declare var_dropbear_version="${DROPBEAR_VERSION:?DROPBEAR_VERSION is not set}"
+[[ "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]] || {
+ printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ โ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
+ exit 43
+}
+
declare var_tar="/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
declare var_build_dir="/root/build/dropbear-${var_dropbear_version}"
declare var_logfile="/root/.ciss/cdlb/log/0020_dropbear_build.log"
mkdir -p "/root/build"
+
+[[ -r "${var_tar}" ]] || {
+ printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ โ ERROR: Missing Dropbear tarball: [%s] \e[0m\n" "${var_tar}" >&2
+ exit 43
+}
+
cp "${var_tar}" "/root/build"
-tar xjf "/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2" -C "/root/build"
+tar xjf "${var_tar}" -C "/root/build"
cp "/root/dropbear/localoptions.h" "${var_build_dir}"
cd "${var_build_dir}"
diff --git a/config/hooks/live/0021_dropbear_initramfs.chroot b/config/hooks/live/0021_dropbear_initramfs.chroot
index d30d8fd..cf25484 100644
--- a/config/hooks/live/0021_dropbear_initramfs.chroot
+++ b/config/hooks/live/0021_dropbear_initramfs.chroot
@@ -13,13 +13,28 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "${0}"
-### Declare Arrays, HashMaps, and Variables.
-declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"
-
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
export INITRD="No"
+### Declare Arrays, HashMaps, and Variables.
+declare var_dropbear_env="/root/dropbear.env"
+[[ -r "${var_dropbear_env}" ]] || {
+ printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ โ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2
+ exit 43
+}
+
+# shellcheck disable=SC1090
+. "${var_dropbear_env}"
+declare var_dropbear_version="${DROPBEAR_VERSION:?DROPBEAR_VERSION is not set}"
+[[ "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]] || {
+ printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ โ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
+ exit 43
+}
+
+declare var_dropbear_build_dir="/root/build/dropbear-${var_dropbear_version}"
+declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"
+
apt-get install -y --no-install-recommends --no-install-suggests cryptsetup-initramfs dropbear-initramfs dropbear-bin 2>&1 | tee -a "${var_logfile}"
apt-get purge -y dropbear 2>&1 | tee -a "${var_logfile}" || true
apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a "${var_logfile}"
@@ -32,16 +47,18 @@ rm -f /root/dropbear.file
mkdir -p /root/.ciss/cdlb/backup/usr/sbin
mv /usr/sbin/dropbear /root/.ciss/cdlb/backup/usr/sbin/dropbear.trixie
-install -m 0755 -o root -g root /root/build/dropbear-2025.88/dropbear /usr/sbin/
+install -m 0755 -o root -g root "${var_dropbear_build_dir}/dropbear" /usr/sbin/
mkdir -p /root/.ciss/cdlb/backup/usr/bin
for var_file in dbclient dropbearconvert dropbearkey; do
mv "/usr/bin/${var_file}" "/root/.ciss/cdlb/backup/usr/bin/${var_file}.trixie"
- install -m 0755 -o root -g root "/root/build/dropbear-2025.88/${var_file}" /usr/bin/
+ install -m 0755 -o root -g root "${var_dropbear_build_dir}/${var_file}" /usr/bin/
done
+rm -f "${var_dropbear_env}"
+
mkdir -p /etc/initramfs-tools/scripts/init-bottom
cat << 'EOF' >| /etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill
diff --git a/config/hooks/live/0860_sops.chroot b/config/hooks/live/0860_sops.chroot
index c639a69..b1f5e48 100644
--- a/config/hooks/live/0860_sops.chroot
+++ b/config/hooks/live/0860_sops.chroot
@@ -17,7 +17,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "
export DEBIAN_FRONTEND="noninteractive"
export INITRD="No"
-SOPS_VER="v3.11.0"
+SOPS_VER="v3.13.0"
ARCH="$(dpkg --print-architecture)"
case "${ARCH}" in
amd64) SOPS_FILE="sops-${SOPS_VER}.linux.amd64" ;;
diff --git a/config/hooks/live/9935_hardening_ssl.chroot b/config/hooks/live/9935_hardening_ssl.chroot
index b3e145a..1ff3b34 100644
--- a/config/hooks/live/9935_hardening_ssl.chroot
+++ b/config/hooks/live/9935_hardening_ssl.chroot
@@ -122,7 +122,7 @@ x509_extensions = usr_cert # The extensions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
-# Extension copying option: use with caution.
+# Extension copying option: use it with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
@@ -232,7 +232,7 @@ basicConstraints=CA:FALSE
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-# PKIX recommendations harmless if included in all certificates.
+# PKIX recommendations are harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
@@ -282,7 +282,7 @@ basicConstraints = critical,CA:true
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
-# Where 'obj' is a standard or added object
+# Where 'obj' is a standard or added object.
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
@@ -305,7 +305,7 @@ basicConstraints=CA:FALSE
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-# PKIX recommendations harmless if included in all certificates.
+# PKIX recommendations are harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
@@ -418,33 +418,24 @@ ssl_conf = ssl_sect
system_default = system_default_sect
[system_default_sect]
-# Protocol floor / ceiling:
-# - only TLS 1.2 and 1.3.
-# - TLS 1.3 is FS by design;
-# - TLS 1.2 FS enforced via the cipher list.
MinProtocol = TLSv1.2
MaxProtocol = TLSv1.3
-# TLS 1.2 cipher policy:
-# - Forward secrecy only: ECDHE or DHE (no static RSA kx);
-# - AES-256 *GCM* only (no DHE (dheatattack), no AES-128, no CBC);
-# - Keep distro default SECLEVEL=2 explicitly.
-CipherString = ECDHE+AES256-GCM:ECDHE+CHACHA20:ECDHE+ARIA256-GCM:ECDHE+CAMELLIA256-GCM:!kRSA:!PSK:!SRP:!aNULL:!eNULL:@SECLEVEL=2
+# TLS 1.2: FS only, AEAD only, no AES128, no static RSA negotiation, no DHE negotiation.
+CipherString = ECDHE+AES256-GCM:ECDHE+CHACHA20:!AES128:!kRSA:!DHE:!PSK:!SRP:!aNULL:!eNULL:@SECLEVEL=2
-# TLS 1.3 cipher policy: AES-256 and ChaCha20-Poly1305 only:
+# TLS 1.3: only AES-256-GCM and ChaCha20-Poly1305.
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
-# Prefer strong, widely supported ECDHE groups (first = most preferred):
+# Preferred ECDHE groups.
Groups = X448:P-521:P-384
-SignatureAlgorithms = rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256
-
-# Operational flags:
-# -SessionTicket : disable TLS session tickets (TLS 1.2 + 1.3)
-# ServerPreference: honor server cipher order (TLS 1.2)
-# NoRenegotiation : disallow TLS 1.2 renegotiation
+# Flags: Tickets off, servers order, renegotiation off.
Options = -SessionTicket,ServerPreference,NoRenegotiation
+# Permitted signature algorithms.
+SignatureAlgorithms = ecdsa_secp521r1_sha512:ecdsa_secp384r1_sha384:ed448:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256
+
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
diff --git a/config/hooks/live/9999_zzzz_secure_boot.chroot b/config/hooks/live/9999_zzzz_secure_boot.chroot
new file mode 100644
index 0000000..a9e5bd3
--- /dev/null
+++ b/config/hooks/live/9999_zzzz_secure_boot.chroot
@@ -0,0 +1,19 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2026-05-16; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2026; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "${0}"
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โ
'%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary b/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary
index 404519e..7ccc8f2 100644
--- a/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary
+++ b/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary
@@ -11,6 +11,8 @@
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
+# ToDo: Unify --integrity hmac-sha512 mode for standalone and runner mode.
+
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "${0}"
__umask=$(umask)
diff --git a/config/includes.chroot/etc/ssh/ssh_known_hosts b/config/includes.chroot/etc/ssh/ssh_known_hosts
index 365ac57..92870e6 100644
--- a/config/includes.chroot/etc/ssh/ssh_known_hosts
+++ b/config/includes.chroot/etc/ssh/ssh_known_hosts
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13
[git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
[git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config
index f8ecec7..090fe35 100644
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13
### https://www.ssh-audit.com/
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
diff --git a/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened b/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened
index b06d48f..e7fa47f 100644
--- a/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened
@@ -11,7 +11,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.768.2025.12.06
+# Version Master V9.14.002.2026.05.13
### https://docs.kernel.org/
### https://github.com/a13xp0p0v/kernel-hardening-checker/
diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
index 65af06b..7e87f44 100644
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V8.13.768.2025.12.06"
+declare -gr VERSION="Master V9.14.002.2026.05.13"
### VERY EARLY CHECK FOR DEBUGGING
if [[ $* == *" --debug "* ]]; then
diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg
index d616207..4dd0a53 100644
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
# Please consider donating to my work at: https://coresecret.eu/spenden/
###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.768.2025.12.06 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V9.14.002.2026.05.13 at: 10:18:37.9542
diff --git a/config/includes.chroot/usr/share/initramfs-tools/scripts/init-premount/dropbear b/config/includes.chroot/usr/share/initramfs-tools/scripts/init-premount/dropbear
index 50ff764..3ce28cf 100644
--- a/config/includes.chroot/usr/share/initramfs-tools/scripts/init-premount/dropbear
+++ b/config/includes.chroot/usr/share/initramfs-tools/scripts/init-premount/dropbear
@@ -22,7 +22,7 @@ esac
run_dropbear() {
### CISS.debian.live.builder
- ### Remove old flags for dropbear version 2025.88-2.
+ ### Remove old flags from the Debian dropbear-initramfs wrapper.
### Only accepts flags from '/etc/dropbear/dropbear.conf'.
#local flags="Fs"
diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md
index f5f58c0..cda8deb 100644
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
-**Master Version**: 8.13
-**Build**: V8.13.768.2025.12.06
+**Master Version**: 9.14
+**Build**: V9.14.002.2026.05.13
# 2. DNSSEC Status
diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md
index 6d7baa1..bb28751 100644
--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
-**Master Version**: 8.13
-**Build**: V8.13.768.2025.12.06
+**Master Version**: 9.14
+**Build**: V9.14.002.2026.05.13
# 2. Haveged Audit on Netcup RS 2000 G11
diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md
index bd2f7f3..bc17bf3 100644
--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
-**Master Version**: 8.13
-**Build**: V8.13.768.2025.12.06
+**Master Version**: 9.14
+**Build**: V9.14.002.2026.05.13
# 2. Lynis Audit:
diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md
index a139f3a..db49d9c 100644
--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
-**Master Version**: 8.13
-**Build**: V8.13.768.2025.12.06
+**Master Version**: 9.14
+**Build**: V9.14.002.2026.05.13
# 2. SSH Audit by ssh-audit.com
diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md
index 6605cf5..1e5f24d 100644
--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
-**Master Version**: 8.13
-**Build**: V8.13.768.2025.12.06
+**Master Version**: 9.14
+**Build**: V9.14.002.2026.05.13
# 2. TLS Audit:
````text
diff --git a/docs/BOOTPARAMS.md b/docs/BOOTPARAMS.md
index d2f88b8..19c0464 100644
--- a/docs/BOOTPARAMS.md
+++ b/docs/BOOTPARAMS.md
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
-**Master Version**: 8.13
-**Build**: V8.13.768.2025.12.06
+**Master Version**: 9.14
+**Build**: V9.14.002.2026.05.13
# 2. Hardened Kernel Boot Parameters
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 9ccea6e..86e0c75 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -7,11 +7,20 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
-**Master Version**: 8.13
-**Build**: V8.13.768.2025.12.06
+**Master Version**: 9.14
+**Build**: V9.14.002.2026.05.13
# 2. Changelog
+## V9.14.002.2026.05.13
+* **Added**: [9935_hardening_ssl.chroot](../config/hooks/live/9935_hardening_ssl.chroot)
+* **Added**: [dropbear-2026.91.tar.bz2](../upgrades/dropbear/dropbear-2026.91.tar.bz2)
+* **Added**: [dropbear-2026.91.tar.bz2.asc](../upgrades/dropbear/dropbear-2026.91.tar.bz2.asc)
+* **Added**: Dropbear Version Argument ``--dropbear-version=*`` and ``--dropbear-version ``
+* **Changed**: [SHA512SUM.asc](../upgrades/dropbear/SHA512SUM.asc)
+* **Changed**: ``dropbear 2025.88`` to ``dropbear 2026.91``
+* **Changed**: ``sops 3.11.0`` to ``sops 3.13.0``
+
## V8.13.768.2025.12.06
* **Global**: Stable Release
@@ -119,13 +128,13 @@ include_toc: true
* **Updated**: [AUDIT_LYNIS.md](AUDIT_LYNIS.md) + updated: Lynis Version 3.1.6
## V8.13.400.2025.11.08
-* **Bugfixes**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) - GPG key handling
-* **Changed**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) - Unified naming scheme
-* **Changed**: [lib_gnupg.sh](../lib/lib_gnupg.sh) - Unified naming scheme
-* **Changed**: [binary_checksums.sh](../scripts/usr/lib/live/build/binary_checksums.sh) - Unified naming scheme, added verbosity output
-* **Changed**: [binary_rootfs.sh](../scripts/usr/lib/live/build/binary_rootfs.sh) - added verbosity output
-* **Changed**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) - bugfixes
-* **Changed**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) - moved ``update-initramfs`` to:
+* **Bugfixes**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) : GPG key handling
+* **Changed**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) : Unified naming scheme
+* **Changed**: [lib_gnupg.sh](../lib/lib_gnupg.sh) : Unified naming scheme
+* **Changed**: [binary_checksums.sh](../scripts/usr/lib/live/build/binary_checksums.sh) : Unified naming scheme, added verbosity output
+* **Changed**: [binary_rootfs.sh](../scripts/usr/lib/live/build/binary_rootfs.sh) : added verbosity output
+* **Changed**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) : bugfixes
+* **Changed**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) : moved ``update-initramfs`` to:
* **Changed**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot)
## V8.13.392.2025.11.07
@@ -221,7 +230,7 @@ include_toc: true
* **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) changed var injection
* **Updated**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config) changed var injection
* **Updated**: [lib_hardening_ultra.sh](../lib/lib_hardening_ultra.sh) changed var injection
-* **Removed**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) - yq
+* **Removed**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) : yq
## V8.13.280.2025.10.23
* **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot) + 10-ciss-noise-floor.rules
@@ -244,8 +253,8 @@ include_toc: true
* **Added**: [.zshenv](../config/includes.chroot/root/.zshenv)
* **Updated**: [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot)
* **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) updated ignoreip
-* **Updated**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot) + rsyslog
-* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) - haveged, + jitterentropy-rngd
+* **Updated**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot) added: rsyslog
+* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) removed: haveged, added: jitterentropy-rngd
## V8.13.192.2025.10.18
* **Added**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot)
diff --git a/docs/CNET.md b/docs/CNET.md
index e40c7bc..692c24d 100644
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
-**Master Version**: 8.13
-**Build**: V8.13.768.2025.12.06
+**Master Version**: 9.14
+**Build**: V9.14.002.2026.05.13
# 2. Centurion Net - Developer Branch Overview
diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md
index f1e1566..fc7bd8e 100644
--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
-**Master Version**: 8.13
-**Build**: V8.13.768.2025.12.06
+**Master Version**: 9.14
+**Build**: V9.14.002.2026.05.13
# 2. Coding Style
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
index 7608be0..bd80a75 100644
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
-**Master Version**: 8.13
-**Build**: V8.13.768.2025.12.06
+**Master Version**: 9.14
+**Build**: V9.14.002.2026.05.13
# 2. Contributing / participating
diff --git a/docs/CREDITS.md b/docs/CREDITS.md
index eb94594..d5422e9 100644
--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
-**Master Version**: 8.13
-**Build**: V8.13.768.2025.12.06
+**Master Version**: 9.14
+**Build**: V9.14.002.2026.05.13
# 2. Credits
diff --git a/docs/DL_PUB_ISO.md b/docs/DL_PUB_ISO.md
index 7709c07..3d132cd 100644
--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
-**Master Version**: 8.13
-**Build**: V8.13.768.2025.12.06
+**Master Version**: 9.14
+**Build**: V9.14.002.2026.05.13
# 2. Download the latest PUBLIC CISS.debian.live.ISO
diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md
index ef7737f..579e85c 100644
--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -7,15 +7,15 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
-**Master Version**: 8.13
-**Build**: V8.13.768.2025.12.06
+**Master Version**: 9.14
+**Build**: V9.14.002.2026.05.13
# 2.1. Usage
````text
CDLB(1) CISS.debian.live.builder CDLB(1)
CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V8.13.768.2025.12.06
+Master V9.14.002.2026.05.13
A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
(c) Marc S. Weidner, 2018 - 2025
@@ -64,6 +64,12 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
- https://dns01.eddns.eu/
- https://dns02.eddns.de/
- https://dns03.eddns.eu/
+
+ --dropbear-version
+ Selects the bundled Dropbear source tarball version used for the hardened initramfs build.
+ The matching file MUST exist as:
+ <./upgrades/dropbear/dropbear-.tar.bz2>
+ If omitted defaults to VAR_DROPBEAR_VERSION from <./var/global.var.sh>.
--jump-host
Provide up to 10 IPs for '/etc/host.allow' whitelisting of SSH access. Could be either IPv4 and / or IPv6
@@ -146,7 +152,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
๐ท Please consider donating to my work at:
๐ https://coresecret.eu/spenden/
- V8.13.768.2025.12.06 2025-11-06 CDLB(1)
+ V9.14.002.2026.05.13 2025-11-06 CDLB(1)
````
# 3. Booting
diff --git a/docs/MAN_CISS_ISO_BOOT_CHAIN.md b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
index f8a861a..97388d6 100644
--- a/docs/MAN_CISS_ISO_BOOT_CHAIN.md
+++ b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
-**Master Version**: 8.13
-**Build**: V8.13.768.2025.12.06
+**Master Version**: 9.14
+**Build**: V9.14.002.2026.05.13
# 2. CISS.debian.live.builder โ Boot & Trust Chain (Technical Documentation)
@@ -220,7 +220,7 @@ cryptsetup luksFormat \
* Root FS (for 0042): `/etc/ciss/keys/.gpg`
* **Mounts (typical):** `/run/live/rootfs`, `/run/live/overlay`
-# 13. Diagram: CISS Live ISO Build, Boot and Run Time Trust Chain & Verification Paths
+# 13. Diagram: CISS Live ISO Build, Boot, and Run Time Trust Chain & Verification Paths
```mermaid
flowchart TD
@@ -261,7 +261,7 @@ I -- FAIL --> X;
# 14. Closing Remarks
-This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection against medium tampering, bitrot and active attacks **both before and after decryption**. The dual verification phases make the state transparent and deterministic.
+This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection against medium tampering, bitrot, and active attacks **both before and after decryption**. The dual-verification phases make the state transparent and deterministic.
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
diff --git a/docs/MAN_SSH_Host_Key_Policy.md b/docs/MAN_SSH_Host_Key_Policy.md
index 72b6e43..10c1034 100644
--- a/docs/MAN_SSH_Host_Key_Policy.md
+++ b/docs/MAN_SSH_Host_Key_Policy.md
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
-**Master Version**: 8.13
-**Build**: V8.13.768.2025.12.06
+**Master Version**: 9.14
+**Build**: V9.14.002.2026.05.13
# 2. SSH Host Key Policy โ CISS.debian.live.builder / CISS.debian.installer
diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md
index 4a567a6..e718afe 100644
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
-**Master Version**: 8.13
-**Build**: V8.13.768.2025.12.06
+**Master Version**: 9.14
+**Build**: V9.14.002.2026.05.13
# 2. Resources
diff --git a/docs/documentation/30-ciss-hardening.conf.md b/docs/documentation/30-ciss-hardening.conf.md
index ef054ae..abfc699 100644
--- a/docs/documentation/30-ciss-hardening.conf.md
+++ b/docs/documentation/30-ciss-hardening.conf.md
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
-**Master Version**: 8.13
-**Build**: V8.13.768.2025.12.06
+**Master Version**: 9.14
+**Build**: V9.14.002.2026.05.13
# 2. ``30-ciss-hardening.conf``
diff --git a/docs/documentation/90-ciss-local.hardened.md b/docs/documentation/90-ciss-local.hardened.md
index 644c6f4..90745f3 100644
--- a/docs/documentation/90-ciss-local.hardened.md
+++ b/docs/documentation/90-ciss-local.hardened.md
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
-**Master Version**: 8.13
-**Build**: V8.13.768.2025.12.06
+**Master Version**: 9.14
+**Build**: V9.14.002.2026.05.13
# 2. ``90-ciss-local.hardened``
diff --git a/docs/documentation/ciss_live_builder.sh.md b/docs/documentation/ciss_live_builder.sh.md
index 3593fe6..3dbf5d1 100644
--- a/docs/documentation/ciss_live_builder.sh.md
+++ b/docs/documentation/ciss_live_builder.sh.md
@@ -7,8 +7,8 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
-**Master Version**: 8.13
-**Build**: V8.13.768.2025.12.06
+**Master Version**: 9.14
+**Build**: V9.14.002.2026.05.13
# 2. ``ciss_live_builder.sh``
diff --git a/lib/lib_arg_parser.sh b/lib/lib_arg_parser.sh
index 1b8eae1..8eaac6a 100644
--- a/lib/lib_arg_parser.sh
+++ b/lib/lib_arg_parser.sh
@@ -21,7 +21,9 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# VAR_AGE_KEY
# VAR_ARCHITECTURE
# VAR_BUILD_LOG
+# VAR_DROPBEAR_VERSION
# VAR_EARLY_DEBUG
+# VAR_GITEA_RUNNER
# VAR_HANDLER_AUTOBUILD
# VAR_HANDLER_BUILD_DIR
# VAR_HANDLER_CDI
@@ -38,6 +40,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# VAR_REIONICE_CLASS
# VAR_REIONICE_PRIORITY
# VAR_SIGNER
+# VAR_SIGNING_CA
# VAR_SIGNING_KEY
# VAR_SIGNING_KEY_FPR
# VAR_SIGNING_KEY_PASS
@@ -51,6 +54,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# 0: on success
# ERR_ARG_MSMTCH: on failure
# ERR_CONTROL_CT: on failure
+# ERR_DROPBEAR_V: on failure
# ERR_MISS_PWD_F: on failure
# ERR_MISS_PWD_P: on failure
# ERR_NOTABSPATH: on failure
@@ -205,6 +209,32 @@ arg_parser() {
shift 1
;;
+ --dropbear-version)
+ if [[ -n "${2-}" && "${2}" =~ ^[0-9]{4}\.[0-9]+$ ]]; then
+ # shellcheck disable=SC2034
+ declare -gx VAR_DROPBEAR_VERSION="${2}"
+ shift 2
+ else
+ if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+ printf "\e[91mโ ERROR: --dropbear-version MUST match '.'.\e[0m\n" >&2
+ read -p -r $'\e[92mโ
Press \'ENTER\' to exit the script ... \e[0m'
+ exit "${ERR_DROPBEAR_V}"
+ fi
+ ;;
+
+ --dropbear-version=*)
+ if [[ "${1#*=}" =~ ^[0-9]{4}\.[0-9]+$ ]]; then
+ # shellcheck disable=SC2034
+ declare -gx VAR_DROPBEAR_VERSION="${1#*=}"
+ shift 1
+ else
+ if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+ printf "\e[91mโ ERROR: --dropbear-version MUST match '.'.\e[0m\n" >&2
+ read -p -r $'\e[92mโ
Press \'ENTER\' to exit the script ... \e[0m'
+ exit "${ERR_DROPBEAR_V}"
+ fi
+ ;;
+
--jump-host)
if [[ -n "${2-}" && "${2}" != -* ]]; then
declare -i count=0
diff --git a/lib/lib_lb_config_write_trixie.sh b/lib/lib_lb_config_write_trixie.sh
index 00a84ed..e5595d7 100644
--- a/lib/lib_lb_config_write_trixie.sh
+++ b/lib/lib_lb_config_write_trixie.sh
@@ -72,8 +72,8 @@ lb_config_write_trixie() {
--initramfs-compression gzip \
--initsystem systemd \
--iso-application "CISS.debian.live.builder: ${VAR_VERSION} - Debian-Live-Build: 20250505 - Debian-Installer: trixie" \
- --iso-preparer '(C) 2018-2025, Centurion Intelligence Consulting Agency (TM), Lisboa, Portugal' \
- --iso-publisher '(P) 2018-2025, Centurion Press (TM) - powered by https://coresecret.eu/ - contact@coresecret.eu' \
+ --iso-preparer '(C) 2018-2026, Centurion Intelligence Consulting Agency (TM), Lisboa, Portugal' \
+ --iso-publisher '(P) 2018-2026, Centurion Press (TM) - powered by https://coresecret.eu/ - contact@coresecret.eu' \
--iso-volume 'CISS.debian.live' \
--linux-flavours "${VAR_KERNEL}" \
--linux-packages linux-image \
@@ -108,11 +108,9 @@ lb_config_write_trixie() {
sleep 1
-
sed -i 's/^LB_CHECKSUMS=.*/LB_CHECKSUMS="sha512 sha384 sha256"/' ./config/binary
sed -i 's/^LB_DM_VERITY=.*/LB_DM_VERITY="false"/' ./config/binary
-
### https://wiki.debian.org/ReproducibleInstalls/LiveImages
### https://reproducible-builds.org/docs/system-images/
### https://gitlab.tails.boum.org/tails/tails/-/blob/stable/config/chroot_local-includes/usr/share/tails/build/mksquashfs-excludes
diff --git a/lib/lib_primordial.sh b/lib/lib_primordial.sh
index 7dc2e30..70d0c96 100644
--- a/lib/lib_primordial.sh
+++ b/lib/lib_primordial.sh
@@ -18,6 +18,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# BASH_SOURCE
# VAR_AGE
# VAR_AGE_KEY
+# VAR_DROPBEAR_VERSION
# VAR_HANDLER_BUILD_DIR
# VAR_SSHFP
# VAR_TMP_SECRET
@@ -31,13 +32,32 @@ init_primordial() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
### Prepare CISS dropbear integration ----------------------------------------------------------------------------------------
- declare var_dropbear_version="2025.88"
+ declare var_dropbear_version="${VAR_DROPBEAR_VERSION}"
+ declare var_dropbear_tar="${VAR_WORKDIR}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
+
+ if [[ ! "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]]; then
+
+ printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ โ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
+ return "${ERR_DROPBEAR_V}"
+
+ fi
+
+ if [[ ! -r "${var_dropbear_tar}" ]]; then
+
+ printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ โ ERROR: Dropbear tarball not found: [%s] \e[0m\n" "${var_dropbear_tar}" >&2
+ return "${ERR_DROPBEAR_V}"
+
+ fi
install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/initramfs-tools/files"
install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/build"
install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear"
- install -m 0444 "${VAR_WORKDIR}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2" \
+ printf 'DROPBEAR_VERSION="%s"\n' "${var_dropbear_version}" \
+ >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear.env"
+ chmod 0444 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear.env"
+
+ install -m 0444 "${var_dropbear_tar}" \
"${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
install -m 0444 "${VAR_WORKDIR}/upgrades/dropbear/localoptions.h" \
"${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear/localoptions.h"
diff --git a/lib/lib_usage.sh b/lib/lib_usage.sh
index efca074..823de3b 100644
--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -39,17 +39,17 @@ usage() {
# shellcheck disable=SC2155
declare var_header=$(center "CDLB(1) CISS.debian.live.builder CDLB(1)" "${var_cols}")
# shellcheck disable=SC2155
- declare var_footer=$(center "V8.13.768.2025.12.06 2025-12-05 CDLB(1)" "${var_cols}")
+ declare var_footer=$(center "V9.14.002.2026.05.13 2026-05-13 CDLB(1)" "${var_cols}")
{
echo -e "\e[1;97m${var_header}\e[0m"
echo
echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
- echo -e "\e[92mMaster V8.13.768.2025.12.06\e[0m"
+ echo -e "\e[92mMaster V9.14.002.2026.05.13\e[0m"
echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
echo
- echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
- echo -e "\e[97m(p) Centurion Press, 2024 - 2025 \e[0m"
+ echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2026 \e[0m"
+ echo -e "\e[97m(p) Centurion Press, 2024 - 2026 \e[0m"
echo
echo -e "\e[97m${0}