diff --git a/.archive/.0000_lib_usage.sh b/.archive/.0000_lib_usage.sh
index 2d6e4cc..f40d394 100644
--- a/.archive/.0000_lib_usage.sh
+++ b/.archive/.0000_lib_usage.sh
@@ -21,7 +21,7 @@ usage() {
clear
cat << EOF
$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.13.144.2025.10.16\e[0m")
+$(echo -e "\e[92mMaster V8.13.192.2025.10.18\e[0m")
$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
index 65a1051..5cf0466 100644
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
attributes:
label: "Version"
description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
- placeholder: "e.g., Master V8.13.144.2025.10.16"
+ placeholder: "e.g., Master V8.13.192.2025.10.18"
validations:
required: true
diff --git a/.gitea/TODO/dockerfile b/.gitea/TODO/dockerfile
index 07742dd..fa77e72 100644
--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.144.2025.10.16
+# Version Master V8.13.192.2025.10.18
FROM debian:bookworm
diff --git a/.gitea/TODO/render-md-to-html.yaml b/.gitea/TODO/render-md-to-html.yaml
index 3e06e7f..82d993a 100644
--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.144.2025.10.16
+# Version Master V8.13.192.2025.10.18
name: ๐ Render README.md to README.html.
diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml
index 2ba5a04..713379f 100644
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V8.13.144.2025.10.16
+ version: V8.13.192.2025.10.18
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
index 565da3c..904a4f1 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.144.2025.10.16
+# Version Master V8.13.192.2025.10.18
name: ๐ Generating a Private Live ISO TRIXIE.
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
index bfc3fa8..da468c3 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.144.2025.10.16
+# Version Master V8.13.192.2025.10.18
name: ๐ Generating a Private Live ISO TRIXIE.
diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml
index ae2fd33..44c45f8 100644
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.144.2025.10.16
+# Version Master V8.13.192.2025.10.18
name: ๐ Generating a PUBLIC Live ISO.
diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml
index 4b69f1e..600adcb 100644
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.144.2025.10.16
+# Version Master V8.13.192.2025.10.18
# Gitea Workflow: Shell-Script Linting
#
diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml
index e9d98cd..491ed6b 100644
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.144.2025.10.16
+# Version Master V8.13.192.2025.10.18
name: ๐ก๏ธ Retrieve DNSSEC status of coresecret.dev.
diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml
index f7a2c12..b0d4483 100644
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.144.2025.10.16
+# Version Master V8.13.192.2025.10.18
name: ๐ Render Graphviz Diagrams.
diff --git a/.version.properties b/.version.properties
index a0dfaac..5a7c267 100644
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
properties_SPDX-PackageName="CISS.debian.live.builder"
properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.144.2025.10.16"
+properties_version="V8.13.192.2025.10.18"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx
index 181d61e..fe76d8f 100644
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
Created: 2025-05-07T12:00:00Z
Package: CISS.debian.live.builder
PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.144.2025.10.16
+PackageVersion: Master V8.13.192.2025.10.18
PackageSupplier: Organization: Centurion Intelligence Consulting Agency
PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
diff --git a/README.md b/README.md
index c1a7a90..9f3dad0 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
gitea: none
include_toc: true
---
-[](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[](https://git.coresecret.dev/msw/CISS.debian.live.builder)
[](https://eupl.eu/1.2/en/)
[](https://opensource.org/license/eupl-1-2)
@@ -26,7 +26,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.144.2025.10.16
+**Build**: V8.13.192.2025.10.18
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -151,7 +151,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `V8.13.144.2025.10.16`
+Example: `V8.13.192.2025.10.18`
`x.y.z` represents major (x), minor (y), and patch (z) version increments.
@@ -290,7 +290,7 @@ apply or revert these controls.
* **Description**: The SSH tunnel and access are secured through multiple layers of defense:
* **Firewall Restriction**: ufw allows connections only from defined jump host or VPN exit node IPs.
* **TCP Wrappers**: `/etc/hosts.allow` and `/etc/hosts.deny` enforce an `ALL: ALL` deny policy, permitting only specified hosts.
- * **One-Hit Ban**: A custom Fail2Ban rule `/etc/fail2ban/jail.d/centurion-default.conf` immediately bans any host
+ * **One-Hit Ban**: A custom Fail2Ban rule `/etc/fail2ban/jail.d/ciss-default.conf` immediately bans any host
that touches closed ports.
* Additionally, the `fail2ban` service is hardened as well according to:
[Arch Linux Wiki Fail2ban Hardening](https://wiki.archlinux.org/title/fail2ban#Service_hardening)
diff --git a/REPOSITORY.md b/REPOSITORY.md
index 069b40f..2c1ffde 100644
--- a/REPOSITORY.md
+++ b/REPOSITORY.md
@@ -8,13 +8,13 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.144.2025.10.16
+**Build**: V8.13.192.2025.10.18
# 2.1. Repository Structure
**Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) โ Debian Live Builder
**Branch:** `master`
-**Repository State:** Master Version **8.13**, Build **V8.13.144.2025.10.16** (as of 2025-10-11)
+**Repository State:** Master Version **8.13**, Build **V8.13.192.2025.10.18** (as of 2025-10-11)
## 2.2. Top-Level Layout
diff --git a/config/hooks/live/0000_basic_chroot_setup.chroot b/config/hooks/live/0000_basic_chroot_setup.chroot
index ac2f3c6..8c4a619 100644
--- a/config/hooks/live/0000_basic_chroot_setup.chroot
+++ b/config/hooks/live/0000_basic_chroot_setup.chroot
@@ -13,8 +13,190 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "${0}"
+#######################################
+# Generates '/etc/default/ciss-xdg-profile'
+# Globals:
+# None
+# Arguments:
+# None
+# Returns:
+# 0: on success
+#######################################
+generate_ciss_xdg_profile() {
+ cat << 'EOF' >> /etc/default/ciss-xdg-profile
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Default toggles for ciss-xdg-profile
+# 1 = enable, 0 = disable
+
+ENABLE_XDG_BASH_HISTORY=1
+ENABLE_XDG_LESS_HISTORY=1
+ENABLE_XDG_ZSH_HISTORY=1
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+
+EOF
+
+ chmod 0644 /etc/default/ciss-xdg-profile
+
+ return 0
+}
+
+#######################################
+# Generates '/etc/profile.d/ciss-xdg.sh'
+# Globals:
+# None
+# Arguments:
+# None
+# Returns:
+# 0: on success
+#######################################
+generate_ciss_xdg_sh() {
+ cat << 'EOF' >> /etc/profile.d/ciss-xdg.sh
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# shellcheck shell=sh
+
+# This file is sourced by login shells via '/etc/profile'. Keep POSIX sh compatible.
+
+### XDG variables (do not override if already set).
+export XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
+export XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
+export XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
+export XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
+export XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
+export XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
+
+### XDG_RUNTIME_DIR is provided by systemd-logind; do not set a persistent path.
+# shellcheck disable=SC2312
+if [ -z "${XDG_RUNTIME_DIR:-}" ] && [ -d "/run/user/$(id -u)" ]; then
+ # shellcheck disable=SC2155
+ export XDG_RUNTIME_DIR="/run/user/$(id -u)"
+fi
+
+### Create canonical directories idempotently with 0700.
+_xdg_umask="$(umask)"
+umask 077
+[ -d "${XDG_CONFIG_HOME}" ] || install -d -m 0700 -- "${XDG_CONFIG_HOME}"
+[ -d "${XDG_DATA_HOME}" ] || install -d -m 0700 -- "${XDG_DATA_HOME}"
+[ -d "${XDG_CACHE_HOME}" ] || install -d -m 0700 -- "${XDG_CACHE_HOME}"
+[ -d "${XDG_STATE_HOME}" ] || install -d -m 0700 -- "${XDG_STATE_HOME}"
+umask "${_xdg_umask}"
+unset _xdg_umask
+
+### Optional migrations (controlled via /'etc/default/ciss-xdg-profile').
+[ -f /etc/default/ciss-xdg-profile ] && . /etc/default/ciss-xdg-profile
+
+### Bash history -> XDG_STATE_HOME (only if running bash).
+if [ "${ENABLE_XDG_BASH_HISTORY:-1}" = "1" ] && [ -n "${BASH_VERSION:-}" ]; then
+ [ -d "${XDG_STATE_HOME}/bash" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/bash"
+ export HISTFILE="${XDG_STATE_HOME}/bash/history"
+fi
+
+### Zsh history -> XDG_STATE_HOME (best-effort; zsh might not read /etc/profile)
+if [ "${ENABLE_XDG_ZSH_HISTORY:-1}" = "1" ] && [ -n "${ZSH_VERSION:-}" ]; then
+ [ -d "${XDG_STATE_HOME}/zsh" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/zsh"
+ export HISTFILE="${XDG_STATE_HOME}/zsh/history"
+fi
+
+### Less history -> XDG_STATE_HOME
+if [ "${ENABLE_XDG_LESS_HISTORY:-1}" = "1" ]; then
+ [ -d "${XDG_STATE_HOME}/less" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/less"
+ export LESSHISTFILE="${XDG_STATE_HOME}/less/history"
+fi
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+ chmod 0755 /etc/profile.d/ciss-xdg.sh
+
+ return 0
+}
+
+#######################################
+# Generates '/root/ciss_xdg_tmp.sh'
+# Globals:
+# None
+# Arguments:
+# None
+# Returns:
+# 0: on success
+#######################################
+generate_ciss_xdg_tmp_sh() {
+ cat << 'EOF' >> /root/ciss_xdg_tmp.sh
+ #!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+### XDG variables (do not override if already set).
+
+set -a
+
+# shellcheck disable=SC2034
+XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
+# shellcheck disable=SC2034
+XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
+# shellcheck disable=SC2034
+XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
+# shellcheck disable=SC2034
+XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
+# shellcheck disable=SC2034
+XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
+# shellcheck disable=SC2034
+XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
+
+### Optional migrations (controlled via /etc/default/ciss-xdg-profile).
+[[ -f /etc/default/ciss-xdg-profile ]] && . /etc/default/ciss-xdg-profile
+
+### Bash history -> XDG_STATE_HOME (only if running bash).
+if [[ "${ENABLE_XDG_BASH_HISTORY:-1}" = "1" ]] && [[ -n "${BASH_VERSION:-}" ]]; then
+ HISTFILE="${XDG_STATE_HOME}/bash/history"
+fi
+
+set +a
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+ chmod 0700 /root/ciss_xdg_tmp.sh
+
+ return 0
+}
+
+generate_ciss_xdg_profile
+generate_ciss_xdg_sh
+generate_ciss_xdg_tmp_sh
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
apt-get update -qq
+apt-get install -y --no-install-suggests libpam-systemd
mkdir -p /root/.ciss/dlb/{backup,log}
chmod 0700 /root/.ciss/dlb/{backup,log}
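Review bot: All three generators write with `>>` (`cat << 'EOF' >> /etc/default/ciss-xdg-profile`, and the same for `/etc/profile.d/ciss-xdg.sh` and `/root/ciss_xdg_tmp.sh`), so whatever already exists at those paths is kept and the new text is appended. On a re-run or a reused chroot the files end up duplicated, and `/root/ciss_xdg_tmp.sh` is then sourced as root by this hook and the later ones. Because the script runs with `set -C`, the explicit overwrite used elsewhere in this commit fits better: `cat << 'EOF' >| /root/ciss_xdg_tmp.sh`. The shebang written into that file has a leading space (` #!/bin/bash`), which is harmless while the file is only sourced but should be corrected. No step that removes `/root/ciss_xdg_tmp.sh` at the end of the build is visible in this diff; if none exists, the helper ships in the image.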
diff --git a/config/hooks/live/0001_initramfs_modules.chroot b/config/hooks/live/0001_initramfs_modules.chroot
index 70f6f8a..0a362a5 100644
--- a/config/hooks/live/0001_initramfs_modules.chroot
+++ b/config/hooks/live/0001_initramfs_modules.chroot
@@ -53,6 +53,7 @@ grep_nic_driver_modules() {
return 0
}
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
apt-get install -y intel-microcode amd64-microcode
diff --git a/config/hooks/live/0007_update_logrotate.chroot b/config/hooks/live/0007_update_logrotate.chroot
new file mode 100644
index 0000000..1db6f01
--- /dev/null
+++ b/config/hooks/live/0007_update_logrotate.chroot
@@ -0,0 +1,68 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "${0}"
+
+### Declare Arrays, HashMaps, and Variables.
+declare -ar ary_logrotate=( "alternatives" "apt" "btmp" "chrony" "dpkg" "fail2ban" "rkhunter" "ufw" "unattended-upgrades" "usbguard")
+declare var_file="" var_log=""
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+
+rm -f "/etc/logrotate.conf"
+cat << EOF >> "/etc/logrotate.conf"
+# See "man logrotate" for details. Global options do not affect preceding include directives.
+
+# rotate log files daily
+daily
+
+# keep 384 daily worth of backlogs
+rotate 384
+
+# hard cap: delete rotated logs older than 384 days
+maxage 384
+
+# create new (empty) log files after rotating old ones
+create
+
+# use date as a suffix of the rotated file
+dateext
+
+# gzip older rotations
+compress
+
+# keep the most recent rotation uncompressed for one cycle
+delaycompress
+
+# packages drop log rotation information into this directory
+include /etc/logrotate.d
+
+# system-specific logs may also be configured here.
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+for var_log in "${ary_logrotate[@]}"; do
+ var_file="$/etc/logrotate.d/${var_log}"
+ [[ -e "${var_file}" ]] || continue
+ ### Replace leading 'monthly'/'weekly' directives with 'daily', preserving indentation and trailing comments.
+ sed -E -i \
+ -e 's/^([[:space:]]*)(monthly|weekly)([[:space:]]*)(#.*)?$/\1daily\3\4/' \
+ -e 's/^([[:space:]]*)rotate([[:space:]]+[0-9]+)?([[:space:]]*)(#.*)?$/\1rotate 384\3\4/' \
+ "${var_file}"
+done
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โ
'%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
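Review bot: The loop never edits any file, because `var_file="$/etc/logrotate.d/${var_log}"` carries a stray `$`. The path becomes the literal `$/etc/logrotate.d/<name>`, so `[[ -e "${var_file}" ]] || continue` skips every entry while the hook still prints success and exits 0. The per-package files (e.g. `ufw`, `apt`, `usbguard`) therefore keep their own frequency and `rotate` count, which override the 384-day global settings written above. Change the line to `var_file="/etc/logrotate.d/${var_log}"` and consider printing a line when a listed file is missing. The global config is written with an unquoted `<< EOF` after `rm -f`; `cat << 'EOF' >| "/etc/logrotate.conf"` would match the other hooks and rule out accidental expansion.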
diff --git a/config/hooks/live/0010_install_apparmor.chroot b/config/hooks/live/0010_install_apparmor.chroot
index 116e0fd..dd91d28 100644
--- a/config/hooks/live/0010_install_apparmor.chroot
+++ b/config/hooks/live/0010_install_apparmor.chroot
@@ -13,6 +13,7 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "${0}"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
apt-get install -y --no-install-recommends apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra
diff --git a/config/hooks/live/0080_keyboard_layout.chroot b/config/hooks/live/0080_keyboard_layout.chroot
index feb0577..9807e1b 100644
--- a/config/hooks/live/0080_keyboard_layout.chroot
+++ b/config/hooks/live/0080_keyboard_layout.chroot
@@ -21,6 +21,8 @@ XKBOPTIONS=""
BACKSPACE="guess"
EOF
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
dpkg-reconfigure -f noninteractive keyboard-configuration
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โ
'%s' applied successfully. \e[0m\n" "${0}"
diff --git a/config/hooks/live/0090_jitterentropy.chroot b/config/hooks/live/0090_jitterentropy.chroot
index 26b8a21..08992f4 100644
--- a/config/hooks/live/0090_jitterentropy.chroot
+++ b/config/hooks/live/0090_jitterentropy.chroot
@@ -13,6 +13,7 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "${0}"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
apt-get install -y --no-install-recommends jitterentropy-rngd
diff --git a/config/hooks/live/0120_set_hostname.chroot b/config/hooks/live/0120_set_hostname.chroot
index 91e7ff7..d04672d 100644
--- a/config/hooks/live/0120_set_hostname.chroot
+++ b/config/hooks/live/0120_set_hostname.chroot
@@ -12,7 +12,6 @@
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
mv /etc/hostname /root/.ciss/dlb/backup/hostname.bak
mv /etc/mailname /root/.ciss/dlb/backup/mailname.bak
@@ -28,7 +27,6 @@ localhost.local
EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โ
'%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/0130_machineid.chroot b/config/hooks/live/0130_machineid.chroot
index 91596fc..8f52be2 100644
--- a/config/hooks/live/0130_machineid.chroot
+++ b/config/hooks/live/0130_machineid.chroot
@@ -12,7 +12,6 @@
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
cd /root
if [[ -f /var/lib/dbus/machine-id ]]; then
@@ -22,7 +21,7 @@ fi
cat << 'EOF' >| /var/lib/dbus/machine-id
b08dfa6083e7567a1921a715000001fb
EOF
-chmod 644 /var/lib/dbus/machine-id
+chmod 0644 /var/lib/dbus/machine-id
if [[ -f /etc/machine-id ]]; then
rm /etc/machine-id
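Review bot: The mode is normalised to `0644` for `/var/lib/dbus/machine-id` here, but the matching call for the second file, visible as context in the next hunk, is still `chmod 644 /etc/machine-id`. Change that one to `chmod 0644 /etc/machine-id` as well so both files are handled the same way. A one-line comment above the heredoc stating why a fixed machine-id is baked into the image would help, since the intent is not stated in the visible lines.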
@@ -34,7 +33,6 @@ EOF
chmod 644 /etc/machine-id
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โ
'%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/0400_eza_install.chroot b/config/hooks/live/0400_eza_install.chroot
index 3fd3e76..3c76c59 100644
--- a/config/hooks/live/0400_eza_install.chroot
+++ b/config/hooks/live/0400_eza_install.chroot
@@ -23,8 +23,9 @@ wget -qO- https://raw.githubusercontent.com/eza-community/eza/main/deb.asc | gpg
echo "deb [signed-by=/etc/apt/keyrings/gierens.gpg] http://deb.gierens.de stable main" | tee /etc/apt/sources.list.d/gierens.list
chmod 644 /etc/apt/keyrings/gierens.gpg /etc/apt/sources.list.d/gierens.list
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
-apt-get update
+apt-get update -qq
apt-get install -y eza
git clone https://github.com/eza-community/eza-themes.git
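Review bot: The `wget … | gpg` line shown in the hunk header fetches the signing key from a mutable branch URL and, as far as the truncated line shows, installs it with no fingerprint check, so `signed-by=/etc/apt/keyrings/gierens.gpg` trusts whatever was served at build time. The same applies to the CISOfy key in `0800_lynis_setup.chroot`. Pin the expected fingerprint in the repository, compare it before installing the keyring, and fail the hook on mismatch. The new `apt-get update -qq` also hides the fetch lines for the source that was just added, which makes later build-log review harder; `apt-get update -q` keeps them. The `git clone` of eza-themes is unpinned as well; checking out a known commit would make the image reproducible.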
diff --git a/config/hooks/live/0800_lynis_setup.chroot b/config/hooks/live/0800_lynis_setup.chroot
index e23dfa0..7d86cdc 100644
--- a/config/hooks/live/0800_lynis_setup.chroot
+++ b/config/hooks/live/0800_lynis_setup.chroot
@@ -16,8 +16,9 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "
curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
-apt-get update
+apt-get update -qq
apt-get install -y lynis
lynis show version
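Review bot: The CISOfy key is dearmored into `/etc/apt/trusted.gpg.d/`, where apt trusts it for every configured repository, so the `signed-by=` option on the source line does not scope it to this repository. Write the key to `/etc/apt/keyrings/cisofy-software-public.gpg`, as the eza hook does with its key, and point `signed-by=` at that path. The source line and the `curl … | gpg --dearmor -o …` line are context in this hunk, so the change belongs in the two lines directly above the added `. /root/ciss_xdg_tmp.sh`.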
diff --git a/config/hooks/live/0810_chrony_setup.chroot b/config/hooks/live/0810_chrony_setup.chroot
index 2415168..52146ac 100644
--- a/config/hooks/live/0810_chrony_setup.chroot
+++ b/config/hooks/live/0810_chrony_setup.chroot
@@ -15,6 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "
mkdir -p /var/log/chrony
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
export TZ="Etc/UTC"
@@ -50,13 +51,13 @@ log tracking measurements statistics
authselectmode require
-server ntp.ripe.net iburst nts minpoll 5 maxpoll 9
+# server ntp.ripe.net iburst nts minpoll 5 maxpoll 9
server ptbtime3.ptb.de iburst nts minpoll 5 maxpoll 9
server ptbtime2.ptb.de iburst nts minpoll 5 maxpoll 9
server ptbtime1.ptb.de iburst nts minpoll 5 maxpoll 9
-server ntp13.metas.ch iburst nts minpoll 5 maxpoll 9
-server time-c-b.nist.gov iburst nts minpoll 5 maxpoll 9
-server sth1.ntp.se iburst nts minpoll 5 maxpoll 9
+# server ntp13.metas.ch iburst nts minpoll 5 maxpoll 9
+# server time-c-b.nist.gov iburst nts minpoll 5 maxpoll 9
+# server sth1.ntp.se iburst nts minpoll 5 maxpoll 9
server ntp0.fau.de iburst nts minpoll 5 maxpoll 9
leapsectz right/UTC
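Review bot: Commenting out four of the eight `server` lines leaves three PTB hosts and `ntp0.fau.de`, which judging by the hostnames is only two operators. A fault or compromise at one operator then covers the majority of the sources chrony compares against each other. If the removed servers were dropped for reachability or NTS problems, say so in a comment next to them, e.g. `# disabled <date>: <reason>`. Consider keeping at least one further independent NTS source enabled. The surrounding heredoc starts and ends outside this hunk.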
diff --git a/config/hooks/live/0822_ssh_restart_hook.chroot b/config/hooks/live/0822_ssh_restart_hook.chroot
index 9415d62..20db279 100644
--- a/config/hooks/live/0822_ssh_restart_hook.chroot
+++ b/config/hooks/live/0822_ssh_restart_hook.chroot
@@ -20,7 +20,7 @@ cat << 'EOF' >| "${target_script}"
@reboot root /usr/local/bin/restart-ssh.sh
EOF
-chmod 0644 "${target_script}"
+chmod 0444 "${target_script}"
cat << 'EOF' >| /usr/local/bin/restart-ssh.sh
#!/bin/bash
diff --git a/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot b/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
index d0ce898..de2bdac 100644
--- a/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
+++ b/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
@@ -13,6 +13,7 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "${0}"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - && \
apt-get install -y nodejs
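Review bot: The NodeSource setup script is still piped from `curl` into a root shell at build time. With the new `. /root/ciss_xdg_tmp.sh` line plus `sudo -E`, the exported XDG variables and `HISTFILE` now flow into that remote script as well. For a hardened image, prefer adding the NodeSource repository explicitly with a keyring under `/etc/apt/keyrings` and `signed-by=`. Alternatively, download the script, verify it against a checksum kept in the repository, and only then run it. `sudo` looks unnecessary if the hook already runs as root in the chroot, which the unprefixed `apt-get` on the next line suggests.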
diff --git a/config/hooks/live/0845_harbian_audit.chroot b/config/hooks/live/0845_harbian_audit.chroot
index 4cdf3ca..bdf97bc 100644
--- a/config/hooks/live/0845_harbian_audit.chroot
+++ b/config/hooks/live/0845_harbian_audit.chroot
@@ -12,13 +12,11 @@
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
cd /root/git
git clone https://github.com/hardenedlinux/harbian-audit.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โ
'%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/0850_ssh_audit.chroot b/config/hooks/live/0850_ssh_audit.chroot
index 4f1e8c1..d6acf41 100644
--- a/config/hooks/live/0850_ssh_audit.chroot
+++ b/config/hooks/live/0850_ssh_audit.chroot
@@ -12,13 +12,11 @@
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
cd /root/git
git clone https://github.com/jtesta/ssh-audit.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โ
'%s' applied successfully. \e[0m\n" "${0}"
-sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/0855_dnsviz.chroot b/config/hooks/live/0855_dnsviz.chroot
index df16783..c475adb 100644
--- a/config/hooks/live/0855_dnsviz.chroot
+++ b/config/hooks/live/0855_dnsviz.chroot
@@ -12,13 +12,11 @@
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
cd /root/git
git clone https://github.com/dnsviz/dnsviz.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โ
'%s' applied successfully. \e[0m\n" "${0}"
-sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/0860_sops.chroot b/config/hooks/live/0860_sops.chroot
index 17db725..701a17d 100644
--- a/config/hooks/live/0860_sops.chroot
+++ b/config/hooks/live/0860_sops.chroot
@@ -13,7 +13,8 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "${0}"
-export DEBIAN_FRONTEND=noninteractive
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
SOPS_VER="v3.11.0"
ARCH="$(dpkg --print-architecture)"
diff --git a/config/hooks/live/0900_ufw_setup.chroot b/config/hooks/live/0900_ufw_setup.chroot
index 97aa502..5ae19ba 100644
--- a/config/hooks/live/0900_ufw_setup.chroot
+++ b/config/hooks/live/0900_ufw_setup.chroot
@@ -12,7 +12,6 @@
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
declare -r UFW_OUT_POLICY="deny"
declare -r SSHPORT="MUST_BE_SET"
@@ -51,6 +50,7 @@ if [[ ${UFW_OUT_POLICY,,} == "deny" ]]; then
ufw allow out 853/udp comment 'Outgoing DoQ'
fi
+### Allowing ICMP IPv4 outgoing per default.
sed -i "/# ok icmp code for FORWARD/i \# ok icmp codes for OUTPUT" /etc/ufw/before.rules
sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT" /etc/ufw/before.rules
sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT" /etc/ufw/before.rules
@@ -61,7 +61,6 @@ sed -i 's/^ENABLED=no/ENABLED=yes/' /etc/ufw/ufw.conf
ln -sf /lib/systemd/system/ufw.service /etc/systemd/system/multi-user.target.wants/ufw.service
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โ
'%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/9900_process_accounting.chroot b/config/hooks/live/9900_process_accounting.chroot
index e03bae7..fd47497 100644
--- a/config/hooks/live/9900_process_accounting.chroot
+++ b/config/hooks/live/9900_process_accounting.chroot
@@ -13,6 +13,7 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "${0}"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
apt-get install -y acct
diff --git a/config/hooks/live/9950_fail2ban_hardening.chroot b/config/hooks/live/9950_fail2ban_hardening.chroot
index 0aadbc6..d3f3ac7 100644
--- a/config/hooks/live/9950_fail2ban_hardening.chroot
+++ b/config/hooks/live/9950_fail2ban_hardening.chroot
@@ -16,15 +16,15 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "
cd /root
cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/dlb/backup/fail2ban.conf.bak
-chmod 0644 /root/.ciss/dlb/backup/fail2ban.conf.bak
+chmod 0400 /root/.ciss/dlb/backup/fail2ban.conf.bak
### https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/dlb/backup/defaults-debian.conf.bak
-chmod 0644 /root/.ciss/dlb/backup/defaults-debian.conf.bak
+chmod 0400 /root/.ciss/dlb/backup/defaults-debian.conf.bak
-cat << 'EOF' >| /etc/fail2ban/jail.d/centurion-default.conf
+cat << 'EOF' >| /etc/fail2ban/jail.d/ciss-default.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
@@ -61,7 +61,7 @@ bantime = 24h
[sshd-refused]
enabled = true
-filter = sshd-refused
+filter = ciss-sshd-refused
port = MUST_BE_SET
protocol = tcp
logpath = /var/log/auth.log
@@ -75,22 +75,30 @@ bantime = 24h
[ufw]
enabled = true
-filter = ufw.aggressive
+filter = ciss-ufw
action = iptables-allports
logpath = /var/log/ufw.log
maxretry = 1
-findtime = 24h
bantime = 24h
-protocol = tcp,udp
+findtime = 24h
+
+[recidive]
+enabled = true
+filter = recidive
+logpath = /var/log/fail2ban/fail2ban.log*
+banaction = iptables-allports
+bantime = 32d
+findtime = 384d
+maxretry = 4
EOF
-cat << EOF >| /etc/fail2ban/filter.d/ufw.aggressive.conf
+cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-ufw.conf
[Definition]
-failregex = ^.*UFW BLOCK.* SRC= .*DPT=\d+ .*
+failregex = \[UFW BLOCK\].+SRC= DST
EOF
-cat << EOF >| /etc/fail2ban/filter.d/sshd-refused.conf
+cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-sshd-refused.conf
[Definition]
failregex = ^refused connect from \S+ \(\)
EOF
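Review bot: The `[ufw]` jail bans on a single `[UFW BLOCK]` log line (`maxretry = 1`, `iptables-allports`) and no longer restricts `protocol`, so one blocked packet with a forged source address is enough to lock that address out for 24h. That risk includes the jump host, the VPN exit nodes and the configured NTS servers. Make sure those addresses are listed in `ignoreip` (no such setting is visible in this hunk) or raise `maxretry` for this jail. In `[recidive]`, `logpath = /var/log/fail2ban/fail2ban.log*` will also match the rotated `.gz` files produced by the `compress` setting added later in this commit; `logpath = /var/log/fail2ban/fail2ban.log` is safer. As rendered here both `failregex` lines lack a `<HOST>` tag, which may be an artefact of the page; confirm it is present in the file.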
@@ -130,15 +138,41 @@ EOF
cat << 'EOF' >> /etc/fail2ban/fail2ban.local
[Definition]
logtarget = /var/log/fail2ban/fail2ban.log
+
+[Database]
+# Keep entries for at least 384 days to cover recidive findtime.
+dbpurgeage = 384d
EOF
###########################################################################################
# Remarks: Logrotate must be updated either #
###########################################################################################
cp -a /etc/logrotate.d/fail2ban /root/.ciss/dlb/backup/fail2ban_logrotate.bak
-sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' /etc/logrotate.d/fail2ban
+#sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' /etc/logrotate.d/fail2ban
+cat << EOF >| /etc/logrotate.d/fail2ban
+/var/log/fail2ban/fail2ban.log {
+
+ daily
+ rotate 384
+ compress
+ # Do not rotate if empty
+ notifempty
+
+ delaycompress
+ missingok
+ postrotate
+ fail2ban-client flushlogs 1>/dev/null
+ endscript
+
+ # If fail2ban runs as non-root it still needs to have write access
+ # to logfiles.
+ # create 640 fail2ban adm
+ create 640 root adm
+}
+EOF
+
touch /var/log/fail2ban/fail2ban.log
-chmod 640 /var/log/fail2ban/fail2ban.log
+chmod 0640 /var/log/fail2ban/fail2ban.log
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โ
'%s' applied successfully. \e[0m\n" "${0}"
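Review bot: The new logrotate heredoc is opened with an unquoted delimiter (`cat << EOF >| /etc/logrotate.d/fail2ban`), while this same commit switches the fail2ban filter heredocs to `<< 'EOF'`. The body has no `$` or backticks today, so the output is identical, but quoting the delimiter keeps a later edit from being expanded by the build shell: `cat << 'EOF' >| /etc/logrotate.d/fail2ban`. The commented-out `#sed -i ...` line is dead now that the file is written in full and could be dropped. The "Remarks" banner could then say that the stock logrotate file is replaced and that `rotate 384` is chosen to match `dbpurgeage = 384d`.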
diff --git a/config/hooks/live/9970_remove_exim.chroot b/config/hooks/live/9970_remove_exim.chroot
index 75ec33a..37b768e 100644
--- a/config/hooks/live/9970_remove_exim.chroot
+++ b/config/hooks/live/9970_remove_exim.chroot
@@ -13,16 +13,19 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "${0}"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+
cd /etc
-apt-get purge exim4 exim4-base exim4-config -y
+apt-get purge exim4 exim4-base exim4-config -y
apt-get autoremove -y
apt-get autoclean -y
apt-get autopurge -y
apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config
-apt-get update
+apt-get update -qq
apt-get upgrade -y
if [[ -d /etc/exim4 ]]; then
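Review bot: The added `[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh` skips silently when the helper is absent, so the hook runs without whatever environment the helper sets up and the build log shows no trace of that. The same line is added in the 9980_usb_guard, 9990_final_purge, 9993_aide, 9996_auditd, 9997_debsums and 9998_sources_list_trixie hooks. If the helper is required, source it unconditionally so `set -e` stops the build (`. /root/ciss_xdg_tmp.sh`); if it is optional, report the skip on stderr. Either way a comment such as `# Build-time environment helper; removed again by 9999_zzzz.chroot` would explain the line. What the helper exports is not visible in this diff, so the wording should be checked against it.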
diff --git a/config/hooks/live/9980_usb_guard.chroot b/config/hooks/live/9980_usb_guard.chroot
index 883ace7..63c913b 100644
--- a/config/hooks/live/9980_usb_guard.chroot
+++ b/config/hooks/live/9980_usb_guard.chroot
@@ -13,6 +13,7 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "${0}"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
apt-get install -y usbguard
diff --git a/config/hooks/live/9990_final_purge.chroot b/config/hooks/live/9990_final_purge.chroot
index 697de7e..b412f9d 100644
--- a/config/hooks/live/9990_final_purge.chroot
+++ b/config/hooks/live/9990_final_purge.chroot
@@ -13,6 +13,8 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "${0}"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+
export DEBIAN_FRONTEND="noninteractive"
apt-get update -qq
diff --git a/config/hooks/live/9993_aide.chroot b/config/hooks/live/9993_aide.chroot
index 7658a63..194c7a8 100644
--- a/config/hooks/live/9993_aide.chroot
+++ b/config/hooks/live/9993_aide.chroot
@@ -13,6 +13,7 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "${0}"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
apt-get install -y aide > /dev/null 2>&1
diff --git a/config/hooks/live/9996_auditd.chroot b/config/hooks/live/9996_auditd.chroot
index 289f633..6211c5d 100644
--- a/config/hooks/live/9996_auditd.chroot
+++ b/config/hooks/live/9996_auditd.chroot
@@ -25,6 +25,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "
cd /root
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
apt-get install -y auditd
diff --git a/config/hooks/live/9997_debsums.chroot b/config/hooks/live/9997_debsums.chroot
index 1ec3545..e9d32e3 100644
--- a/config/hooks/live/9997_debsums.chroot
+++ b/config/hooks/live/9997_debsums.chroot
@@ -15,6 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "
cd /root
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
apt-get install -y --no-install-recommends debsums
diff --git a/config/hooks/live/9998_sources_list_bookworm.chroot b/config/hooks/live/9998_sources_list_bookworm.chroot
index 586323b..65df88d 100644
--- a/config/hooks/live/9998_sources_list_bookworm.chroot
+++ b/config/hooks/live/9998_sources_list_bookworm.chroot
@@ -55,7 +55,6 @@ deb-src https://deb.debian.org/debian/ bookworm-backports main contrib non-free
EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โ
'%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/config/hooks/live/9998_sources_list_trixie.chroot b/config/hooks/live/9998_sources_list_trixie.chroot
index 58a86b4..3a5009c 100644
--- a/config/hooks/live/9998_sources_list_trixie.chroot
+++ b/config/hooks/live/9998_sources_list_trixie.chroot
@@ -13,6 +13,9 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "${0}"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+
# shellcheck disable=SC2155
declare -r VAR_DATE="$(date +%F)"
@@ -121,6 +124,12 @@ Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
EOF
fi
+apt-get update -qq
+apt-get upgrade -y
+apt-get autoclean -y
+apt-get autopurge -y
+apt-get autoremove -y
+
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โ
'%s' applied successfully. \e[0m\n" "${0}"
exit 0
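Review bot: The added `apt-get upgrade -y` runs without a conffile policy, and earlier hooks in this build rewrite packaged configuration (the fail2ban and logrotate files in this same commit, for example), so an upgrade that ships a new version of such a file can stop at dpkg's conffile prompt and abort the hook under `set -e`. `DEBIAN_FRONTEND="noninteractive"` only affects debconf, not that prompt. Pinning the choice keeps the hardened files and makes the build deterministic: `apt-get -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold upgrade -y`. `apt-get autopurge -y` already covers what the following `apt-get autoremove -y` does, so the last line is redundant.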
diff --git a/config/hooks/live/9999_zzzz.chroot b/config/hooks/live/9999_zzzz.chroot
new file mode 100644
index 0000000..1d7cc52
--- /dev/null
+++ b/config/hooks/live/9999_zzzz.chroot
@@ -0,0 +1,21 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐งช '%s' starting ... \e[0m\n" "${0}"
+
+rm -f /root/ciss_xdg_tmp.sh
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โ
'%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
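Review bot: The new hook has no comment saying why `/root/ciss_xdg_tmp.sh` is deleted or that the hook must sort after every hook that sources it. A line above the `rm -f`, such as `# Remove the build-time helper sourced by the earlier hooks so it is not shipped in the image; keep this hook last.`, would record that ordering dependency. Whether the helper also leaves temporary directories behind that should be cleaned up here cannot be seen from this diff.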
diff --git a/config/includes.chroot/etc/ssh/ssh_known_hosts b/config/includes.chroot/etc/ssh/ssh_known_hosts
index b1f29ae..8c28286 100644
--- a/config/includes.chroot/etc/ssh/ssh_known_hosts
+++ b/config/includes.chroot/etc/ssh/ssh_known_hosts
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.144.2025.10.16
+# Version Master V8.13.192.2025.10.18
[git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
[git.coresecret.dev]:42842 ssh-rsa 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
diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config
index 6f4ee70..c83e0aa 100644
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.144.2025.10.16
+# Version Master V8.13.192.2025.10.18
### https://www.ssh-audit.com/
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -43,12 +43,12 @@ PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
StrictModes yes
-LoginGraceTime 2m
+LoginGraceTime 30s
MaxAuthTries 3
MaxSessions 2
-### Begin randomly dropping new unauthenticated connections after the 8th attempt,
-### with a 64% chance to drop each additional connection, up to a hard limit of 16.
-MaxStartups 08:64:16
+### Begin randomly dropping new unauthenticated connections after the 2nd attempt,
+### with a 64% chance to drop each additional connection, up to a hard limit of 08.
+MaxStartups 02:64:08
### Restrict each individual source IP to only 4 unauthenticated connection slot
### in the concurrent MaxStartups pool, preventing one IP from monopolizing slots.
PerSourceMaxStartups 8
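Review bot: With `MaxStartups 02:64:08` the global hard limit is now 8, the same as the unchanged `PerSourceMaxStartups 8` below it, so the per-source cap no longer constrains anything and one address can occupy the whole unauthenticated pool. The comment above that directive also says 4 while the value is 8. Lowering it in the same change restores the stated intent, e.g. `PerSourceMaxStartups 2`, with the comment corrected to match. The new MaxStartups comment could say "concurrent unauthenticated connections" instead of "attempt", since that is what the directive counts. A pool this small is easy to fill, so the trade-off against administrative access deserves a sentence there too.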
diff --git a/config/includes.chroot/etc/sysctl.d/99_local.hardened b/config/includes.chroot/etc/sysctl.d/99_local.hardened
index db2f376..508ce35 100644
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V8.13.144.2025.10.16
+# Version Master V8.13.192.2025.10.18
### https://docs.kernel.org/
### https://github.com/a13xp0p0v/kernel-hardening-checker/
diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
index 5cae72d..c0dbad7 100644
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V8.13.144.2025.10.16"
+declare -gr VERSION="Master V8.13.192.2025.10.18"
### VERY EARLY CHECK FOR DEBUGGING
if [[ $* == *" --debug "* ]]; then
diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg
index 4dbc718..de6326a 100644
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
# Please consider donating to my work at: https://coresecret.eu/spenden/
###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.144.2025.10.16 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.192.2025.10.18 at: 10:18:37.9542
diff --git a/config/includes.chroot/root/.bashrc b/config/includes.chroot/root/.bashrc
index 478e9b0..96f165b 100644
--- a/config/includes.chroot/root/.bashrc
+++ b/config/includes.chroot/root/.bashrc
@@ -14,15 +14,31 @@
### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
set +o errexit +o nounset +o pipefail
+# shellcheck disable=SC2312
+if [[ "$(id -u)" -eq 0 ]]; then
+ umask 0022
+ PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+else
+ umask 0077
+ PATH="/usr/local/bin:/usr/bin:/bin"
+fi
+export PATH
+
trap ' "${SHELL}" /root/.ciss/clean_logout.sh ' EXIT
source /root/.ciss/alias
source /root/.ciss/f2bchk.sh
source /root/.ciss/shortcuts
source /root/.ciss/scan_libwrap
+### Preferred editor for local and remote sessions.
+export EDITOR="nano"
+
+# Optional, cautious filters (avoids trivial leaks, but not foolproof). Caution: HISTIGNORE is coarse-grained, don't overdo it.
+export HISTIGNORE='*PASS*:*pass*:*secret*:*token*:*API_KEY*:*'
+
### History
touch /tmp/.bash_history
-chmod 0660 /tmp/.bash_history
+chmod 0600 /tmp/.bash_history
chown root:root /tmp/.bash_history
export HISTFILE=/tmp/.bash_history
export HISTSIZE=2048
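Review bot: The new `HISTIGNORE` value ends in `:*`, and a bare `*` pattern matches every command line, so as written nothing is saved to history and the `HISTFILE`/`HISTSIZE` settings below it have no effect. If the goal is only to keep obvious secrets out of history, drop the last pattern: `export HISTIGNORE='*PASS*:*pass*:*secret*:*token*:*API_KEY*'`. If the trailing pattern was meant to be something more specific, spell it out and mention it in the comment. The `id -u` branch that sets `umask` and `PATH` would also benefit from a comment on when the non-root branch applies, since this file is installed as /root/.bashrc.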
diff --git a/config/includes.chroot/root/.ciss/alias b/config/includes.chroot/root/.ciss/alias
index f2e04d8..9c65d27 100644
--- a/config/includes.chroot/root/.ciss/alias
+++ b/config/includes.chroot/root/.ciss/alias
@@ -10,9 +10,6 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-########################################################################################### Alpha
-alias genkeyfile='haveged -n 1048576 >| /tmp/secure_keyfile_$(date +%s)'
-
########################################################################################### Bash
alias clear="printf '\033c'"
alias c='clear'
diff --git a/config/includes.chroot/root/.ciss/shortcuts b/config/includes.chroot/root/.ciss/shortcuts
index 7496b2c..71f786b 100644
--- a/config/includes.chroot/root/.ciss/shortcuts
+++ b/config/includes.chroot/root/.ciss/shortcuts
@@ -41,7 +41,6 @@ declare -ga shortcuts=(
"f2bubn: f2b unban --all"
"f2bufw: f2b status ufw"
"free: free -m"
- "genkeyfile: 1MiBi"
"genpasswd: PWD"
"genpasswdhash: PWD Hash"
"genstring: Random String"
diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md
index 5583b7b..a2d6c94 100644
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.144.2025.10.16
+**Build**: V8.13.192.2025.10.18
# 2. DNSSEC Status
diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md
index 9ae80bd..cb6c80b 100644
--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.144.2025.10.16
+**Build**: V8.13.192.2025.10.18
# 2. Haveged Audit on Netcup RS 2000 G11
diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md
index 1a94872..96911c0 100644
--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.144.2025.10.16
+**Build**: V8.13.192.2025.10.18
# 2. Lynis Audit:
diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md
index b5b67d6..6313f03 100644
--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.144.2025.10.16
+**Build**: V8.13.192.2025.10.18
# 2. SSH Audit by ssh-audit.com
diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md
index 06f43cd..9c67071 100644
--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.144.2025.10.16
+**Build**: V8.13.192.2025.10.18
# 2. TLS Audit:
````text
diff --git a/docs/BOOTPARAMS.md b/docs/BOOTPARAMS.md
index 056ae18..d744a00 100644
--- a/docs/BOOTPARAMS.md
+++ b/docs/BOOTPARAMS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.144.2025.10.16
+**Build**: V8.13.192.2025.10.18
# 2. Hardened Kernel Boot Parameters
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 836dac8..4763921 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -8,10 +8,20 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.144.2025.10.16
+**Build**: V8.13.192.2025.10.18
# 2. Changelog
+## V8.13.192.2025.10.18
+* **Added**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot)
+* **Added**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot)
+* **Updated**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) XDG Base Directory Support
+* **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_fail2ban_hardening.chroot)
+* **Updated**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config) hardened MaxStartups
+* **Updated**: [alias](../config/includes.chroot/root/.ciss/alias) removed haveged alias
+* **Updated**: [shortcuts](../config/includes.chroot/root/.ciss/shortcuts) removed haveged entry
+* **Updated**: [.bashrc](../config/includes.chroot/root/.bashrc) added HISTIGNORE and EDITOR
+
## V8.13.144.2025.10.16
* **Bugfixes**: [99_local.hardened](../config/includes.chroot/etc/sysctl.d/99_local.hardened)
* **Updated**: [check_chrony.sh](../config/includes.chroot/root/.ciss/check_chrony.sh)
@@ -24,7 +34,6 @@ include_toc: true
* **Added**: [REPOSITORY.md](../REPOSITORY.md)
## V8.13.128.2025.10.10
-
* **Added**: Packages ``age``, ``cosign``
* **Added**: Repository https://github.com/getsops/sops.git
* **Added**: [0040_ssh_config_setup.chroot](../config/hooks/live/0040_ssh_config_setup.chroot)
diff --git a/docs/CNET.md b/docs/CNET.md
index 85018d5..faeccf6 100644
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.144.2025.10.16
+**Build**: V8.13.192.2025.10.18
# 2. Centurion Net - Developer Branch Overview
diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md
index d5ee392..86c8db3 100644
--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.144.2025.10.16
+**Build**: V8.13.192.2025.10.18
# 2. Coding Style
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
index da9e55f..b8a70e0 100644
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.144.2025.10.16
+**Build**: V8.13.192.2025.10.18
# 2. Contributing / participating
diff --git a/docs/CREDITS.md b/docs/CREDITS.md
index 6dc8d11..81f39ea 100644
--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.144.2025.10.16
+**Build**: V8.13.192.2025.10.18
# 2. Credits
diff --git a/docs/DL_PUB_ISO.md b/docs/DL_PUB_ISO.md
index 29eed35..aed6c2c 100644
--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.144.2025.10.16
+**Build**: V8.13.192.2025.10.18
# 2. Download the latest PUBLIC CISS.debian.live.ISO
diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md
index 419a797..c4e6c4a 100644
--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,12 +8,12 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.144.2025.10.16
+**Build**: V8.13.192.2025.10.18
# 2.1. Usage
````text
CISS.debian.live.builder
-Master V8.13.144.2025.10.16
+Master V8.13.192.2025.10.18
A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
(c) Marc S. Weidner, 2018 - 2025
@@ -136,7 +136,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
# 2.2. Contact
````text
CISS.debian.live.builder
-Master V8.13.144.2025.10.16
+Master V8.13.192.2025.10.18
A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
(c) Marc S. Weidner, 2018 - 2025
diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md
index aaecb85..c4e21ac 100644
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 8.13
-**Build**: V8.13.144.2025.10.16
+**Build**: V8.13.192.2025.10.18
# 2. Resources
diff --git a/lib/lib_usage.sh b/lib/lib_usage.sh
index 6a55abb..9c59a75 100644
--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -35,13 +35,13 @@ usage() {
# shellcheck disable=SC2155
declare var_header=$(center "CLB(1) CISS.debian.live.builder CLB(1)" "${var_cols}")
# shellcheck disable=SC2155
- declare var_footer=$(center "V8.13.144.2025.10.16 2025-10-07 CLB(1)" "${var_cols}")
+ declare var_footer=$(center "V8.13.192.2025.10.18 2025-10-07 CLB(1)" "${var_cols}")
{
echo -e "\e[1;97m${var_header}\e[0m"
echo
echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
- echo -e "\e[92mMaster V8.13.144.2025.10.16\e[0m"
+ echo -e "\e[92mMaster V8.13.192.2025.10.18\e[0m"
echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
echo
echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
diff --git a/scripts/9999-cdi-starter b/scripts/9999-cdi-starter
index 2b917e9..fa969ba 100644
--- a/scripts/9999-cdi-starter
+++ b/scripts/9999-cdi-starter
@@ -66,7 +66,7 @@ main() {
# shellcheck disable=SC2312
exec > >(tee -a "${log}") 2>&1
- printf "CISS.debian.installer Master V8.13.144.2025.10.16 is up! \n" >| /root/.ciss/cdi/log/auto_start_begin_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+ printf "CISS.debian.installer Master V8.13.192.2025.10.18 is up! \n" >| /root/.ciss/cdi/log/auto_start_begin_"$(date +"%Y-%m-%d_%H-%M-%S")".log
net_wait
@@ -87,7 +87,7 @@ main() {
# --reionice-priority 1 0 \
# --renice-priority "-19"
- printf "CISS.debian.installer Master V8.13.144.2025.10.16 successfully executed! \n" >| /root/.ciss/cdi/log/auto_start_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+ printf "CISS.debian.installer Master V8.13.192.2025.10.18 successfully executed! \n" >| /root/.ciss/cdi/log/auto_start_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
exit 0
}
diff --git a/var/early.var.sh b/var/early.var.sh
index 0d1af6c..ee7d656 100644
--- a/var/early.var.sh
+++ b/var/early.var.sh
@@ -14,7 +14,7 @@
# shellcheck disable=SC2155
declare -grx VAR_CONTACT="security@coresecret.eu"
-declare -grx VAR_VERSION="Master V8.13.144.2025.10.16"
+declare -grx VAR_VERSION="Master V8.13.192.2025.10.18"
declare -grx VAR_SYSTEM="$(uname -mnosv)"
declare -gx VAR_EARLY_DEBUG="false"
declare -gx VAR_HANDLER_AUTOBUILD="false"