diff --git a/.archive/generate_PRIVATE_trixie_0.yaml b/.archive/generate_PRIVATE_trixie_0.yaml
index a62defc..d1b8b97 100644
--- a/.archive/generate_PRIVATE_trixie_0.yaml
+++ b/.archive/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
name: 🔐 Generating a Private Live ISO TRIXIE.
diff --git a/.archive/generate_PRIVATE_trixie_1.yaml b/.archive/generate_PRIVATE_trixie_1.yaml
index 1f8b576..a45d616 100644
--- a/.archive/generate_PRIVATE_trixie_1.yaml
+++ b/.archive/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
name: 🔐 Generating a Private Live ISO TRIXIE.
diff --git a/.archive/generate_PUBLIC_iso.yaml b/.archive/generate_PUBLIC_iso.yaml
index 015f4ae..c276005 100644
--- a/.archive/generate_PUBLIC_iso.yaml
+++ b/.archive/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
name: 💙 Generating a PUBLIC Live ISO.
diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
index be862a5..1e36c9b 100644
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
attributes:
label: "Version"
description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
- placeholder: "e.g., Master V9.14.016.2026.06.06"
+ placeholder: "e.g., Master V9.14.018.2026.06.07"
validations:
required: true
diff --git a/.gitea/TODO/dockerfile b/.gitea/TODO/dockerfile
index 9119f08..e7ca750 100644
--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
FROM debian:bookworm
diff --git a/.gitea/TODO/render-md-to-html.yaml b/.gitea/TODO/render-md-to-html.yaml
index f079943..4916125 100644
--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
name: 🔁 Render README.md to README.html.
diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
index 9e0d583..eaad4ac 100644
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V9.14.016.2026.06.06
+ version: V9.14.018.2026.06.07
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/trigger/t_generate_PUBLIC.yaml b/.gitea/trigger/t_generate_PUBLIC.yaml
index 61bd308..632361f 100644
--- a/.gitea/trigger/t_generate_PUBLIC.yaml
+++ b/.gitea/trigger/t_generate_PUBLIC.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V9.14.016.2026.06.06
+ version: V9.14.018.2026.06.07
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml
index 61bd308..632361f 100644
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@
build:
counter: 1023
- version: V9.14.016.2026.06.06
+ version: V9.14.018.2026.06.07
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
index 355f380..d4d70ee 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
name: 🔐 Generating a Private Live ISO TRIXIE.
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
index cacf3f5..aaa8b85 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
name: 🔐 Generating a Private Live ISO TRIXIE.
diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml
index 3b65c1b..9551ef3 100644
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
name: 💙 Generating a PUBLIC Live ISO.
diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml
index 9da7aca..4a1feaa 100644
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
# Gitea Workflow: Shell-Script Linting
#
diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml
index 1d2e423..cdaddf5 100644
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml
index 83eae0e..db56c74 100644
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
name: 🔁 Render Graphviz Diagrams.
diff --git a/.version.properties b/.version.properties
index 8b8a3cc..5fa44e7 100644
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
properties_SPDX-PackageName="CISS.debian.live.builder"
properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V9.14.016.2026.06.06"
+properties_version="V9.14.018.2026.06.07"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx
index ce28d63..f326da8 100644
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
Created: 2025-05-07T12:00:00Z
Package: CISS.debian.live.builder
PackageName: CISS.debian.live.builder
-PackageVersion: Master V9.14.016.2026.06.06
+PackageVersion: Master V9.14.018.2026.06.07
PackageSupplier: Organization: Centurion Intelligence Consulting Agency
PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
diff --git a/README.md b/README.md
index dfcffab..c1e2a09 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
gitea: none
include_toc: true
---
-[](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[](https://git.coresecret.dev/msw/CISS.debian.live.builder)
[](https://eupl.eu/1.2/en/)
[](https://opensource.org/license/eupl-1-2)
@@ -27,7 +27,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
**CISS.debian.live.builder — First of its own.**
**World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.**
@@ -175,7 +175,7 @@ installer toolchain.
This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `V9.14.016.2026.06.06`
+Example: `V9.14.018.2026.06.07`
`x.y.z` represents major (x), minor (y), and patch (z) version increments.
diff --git a/REPOSITORY.md b/REPOSITORY.md
index 39f37e7..59a2550 100644
--- a/REPOSITORY.md
+++ b/REPOSITORY.md
@@ -8,13 +8,13 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. Repository Structure
**Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder
**Branch:** `master`
-**Repository State:** Master Version **9.14**, Build **V9.14.016.2026.06.06** (as of 2025-10-11)
+**Repository State:** Master Version **9.14**, Build **V9.14.018.2026.06.07** (as of 2025-10-11)
## 3.1. Top-Level Layout
diff --git a/ciss.secureboot/private/README.md b/ciss.secureboot/private/README.md
index d004fb7..746dde0 100644
--- a/ciss.secureboot/private/README.md
+++ b/ciss.secureboot/private/README.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. CISS Secure Boot Private Material
diff --git a/ciss.secureboot/public/README.md b/ciss.secureboot/public/README.md
index 278bfe2..e973880 100644
--- a/ciss.secureboot/public/README.md
+++ b/ciss.secureboot/public/README.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. CISS Secure Boot Public Material
diff --git a/config/hooks/live/0022_dropbear_setup.chroot b/config/hooks/live/0022_dropbear_setup.chroot
index bcfddc9..d63f6b4 100644
--- a/config/hooks/live/0022_dropbear_setup.chroot
+++ b/config/hooks/live/0022_dropbear_setup.chroot
@@ -95,7 +95,7 @@ write_dropbear_conf() {
[[ -z "${sshport:-}" ]] && sshport="2222"
### CISS internal
- [[ "${sshport}" == "42137" ]] && sshport="44137"
+ [[ "${sshport}" == "42137" ]] && sshport="64137"
cat << EOF >| /etc/dropbear/initramfs/dropbear.conf
# SPDX-Version: 3.0
diff --git a/config/includes.chroot/etc/ssh/ssh_known_hosts b/config/includes.chroot/etc/ssh/ssh_known_hosts
index 4790590..3711073 100644
--- a/config/includes.chroot/etc/ssh/ssh_known_hosts
+++ b/config/includes.chroot/etc/ssh/ssh_known_hosts
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
[git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
[git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config
index 669b9ab..36bc365 100644
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
### https://www.ssh-audit.com/
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
diff --git a/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened b/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened
index bec0065..217fe58 100644
--- a/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened
@@ -11,7 +11,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
### https://docs.kernel.org/
### https://github.com/a13xp0p0v/kernel-hardening-checker/
diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
index 27c2dcf..443f4a5 100644
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V9.14.016.2026.06.06"
+declare -gr VERSION="Master V9.14.018.2026.06.07"
### VERY EARLY CHECK FOR DEBUGGING
if [[ $* == *" --debug "* ]]; then
diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg
index a4dcf76..5a61297 100644
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
# Please consider donating to my work at: https://coresecret.eu/spenden/
###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V9.14.016.2026.06.06 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V9.14.018.2026.06.07 at: 10:18:37.9542
diff --git a/config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs b/config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs
index 1da7893..3d8742c 100644
--- a/config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs
+++ b/config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs
@@ -14,8 +14,10 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Purpose: Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
-# Phase : premount (executed by live-boot inside the initramfs).
+# Module summary:
+# - Reserve a dedicated /run/live/overlay tmpfs with a configurable size limit.
+# - Mount it with restrictive flags and permissions before OverlayFS uses it.
+# - Prepare the upper and work directories required by the later live-boot overlay setup.
_SAVED_SET_OPTS="$(set +o)"
diff --git a/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash b/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash
index 894fe38..81bf303 100644
--- a/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash
+++ b/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash
@@ -14,8 +14,12 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Purpose: Open /live/ciss_rootfs.crypt (LUKS) for final processing in '9990-overlay.sh'
-# Phase : premount (executed by live-boot inside the initramfs)
+# Module summary:
+# - Read CISS boot parameters for the encrypted root path and live ISO label.
+# - Mount the live medium read-only and locate the encrypted SquashFS container.
+# - Attach the encrypted container through a read-only loop device.
+# - Accept a LUKS passphrase from the local console or remotely unlock FIFO.
+# - Open the decrypted root mapper and expose the handoff state for later live-boot overlay processing.
_SAVED_SET_OPTS="$(set +o)"
diff --git a/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl b/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl
index 46059d5..8b94ecd 100644
--- a/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl
+++ b/config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl
@@ -14,8 +14,11 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Purpose: Enforce early sysctls before services start.
-# Phase : premount (executed by live-boot inside the initramfs).
+# Module summary:
+# - Runs during live-boot premount while the system is still inside the initramfs.
+# - Applies early kernel hardening before the real root and regular services are active.
+# - Restricts ptrace, unprivileged BPF, core dumps, kexec, unsafe link handling, regular-file protections, and kernel pointer
+# exposure where supported.
_SAVED_SET_OPTS="$(set +o)"
diff --git a/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums b/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums
index 17c3b18..63d9d29 100644
--- a/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums
+++ b/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums
@@ -14,6 +14,14 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
+# Module summary:
+# This live-boot component implements the verify-checksums mode for the mounted live medium.
+# It reads the live-boot command line to decide whether checksum verification is enabled and which digests to accept.
+# It locates the pinned CISS GPG key material on the live medium, optionally verifies this script's signed hash,
+# optionally verifies signed checksum files, and checks the first matching checksum manifest with the matching digest tool. It
+# writes detailed checksum output to the verification TTY. It panics instead of continuing boot when integrity or
+# authenticity verification fails.
+
### Modified Version of the original file:
### https://salsa.debian.org/live-team/live-boot 'components/0030-ciss-verify-checksums'
### If the offered checksum is successfully verified, proceed with booting. Otherwise, panic.
diff --git a/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest b/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest
index 9f878e3..878f1a7 100644
--- a/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest
+++ b/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest
@@ -14,8 +14,13 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-# Purpose: Late rootfs attestation and dmsetup health checking.
-# Phase : executed by live-boot inside the 9990-main.sh.
+# Module summary:
+# - Runs after the encrypted live root filesystem has been decrypted.
+# - Requires the pinned public key, attestation hash file, and detached signature to exist as readable, non-empty regular files
+# inside the decrypted rootfs.
+# - Verifies the attestation signature with gpgv against the pinned key material.
+# - Confirms that the signature fingerprint matches the build-time expected rootfs fingerprint and panics on missing, malformed,
+# or mismatched evidence.
_SAVED_SET_OPTS="$(set +o)"
@@ -30,7 +35,7 @@ export CDLB_EXP_FPR="@EXP_FPR@"
export CDLB_EXP_CA_FPR="@EXP_CA_FPR@"
### Name of the top-level dm-crypt mapping (e.g., cryptsetup --label): zzzz_ciss_crypt_squash.hook.binary ----------------------
-CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-crypt_liveiso}"
+export CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-crypt_liveiso}"
### Attestation file locations inside decrypted rootfs. ------------------------------------------------------------------------
CDLB_ATTEST_FPR_SHA="${CDLB_ATTEST_FPR_SHA:-/root/root/.ciss/attestation/${CDLB_EXP_FPR}.gpg.sha512sum.txt}"
@@ -66,33 +71,83 @@ log_ok() { printf '\e[92m[INFO] %s \n\e[0m' "$*"; }
#######################################
log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }
+#######################################
+# Validate a boot-time attestation input file.
+# Globals:
+# None
+# Arguments:
+# 1: Human-readable artifact label
+# 2: Absolute artifact path
+# Returns:
+# 0: on success
+#######################################
+require_attestation_file() {
+ artifact_label="${1}"
+ artifact_path="${2}"
+
+ if [ ! -e "${artifact_path}" ]; then
+
+ if [ -L "${artifact_path}" ]; then
+
+ log_er "0042() : ${artifact_label} is a broken symlink, not a regular file: [${artifact_path}]"
+ panic "0042() : ${artifact_label} is a broken symlink, not a regular file: [${artifact_path}]"
+
+ fi
+
+ log_er "0042() : ${artifact_label} missing: [${artifact_path}]"
+ panic "0042() : ${artifact_label} missing: [${artifact_path}]"
+
+ fi
+
+ if [ -L "${artifact_path}" ] || [ ! -f "${artifact_path}" ]; then
+
+ log_er "0042() : ${artifact_label} is not a regular file: [${artifact_path}]"
+ panic "0042() : ${artifact_label} is not a regular file: [${artifact_path}]"
+
+ fi
+
+ if [ ! -s "${artifact_path}" ]; then
+
+ log_er "0042() : ${artifact_label} is empty: [${artifact_path}]"
+ panic "0042() : ${artifact_label} is empty: [${artifact_path}]"
+
+ fi
+
+ if [ ! -r "${artifact_path}" ]; then
+
+ log_er "0042() : ${artifact_label} is not readable: [${artifact_path}]"
+ panic "0042() : ${artifact_label} is not readable: [${artifact_path}]"
+
+ fi
+
+ return 0
+}
+
HASH_FILE="${CDLB_ATTEST_FPR_SHA}"
SIGN_FILE="${CDLB_ATTEST_FPR_SIG}"
KEYFILE="${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg"
-if [ -s "${KEYFILE}" ]; then
-
- log_er "0042() : No public key found under: [${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"
- panic "0042() : No public key found under: [${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"
-
-fi
-
-if [ -s "${HASH_FILE}" ]; then
-
- log_er "0042() : Attestation data missing: [${HASH_FILE}]"
- panic "0042() : Attestation data missing: [${HASH_FILE}]"
-
-fi
-
-if [ -s "${SIGN_FILE}" ]; then
-
- log_er "0042() : Attestation signature missing: [${SIGN_FILE}]"
- panic "0042() : Attestation signature missing: [${SIGN_FILE}]"
-
-fi
+require_attestation_file "Public key" "${KEYFILE}"
+require_attestation_file "Attestation data" "${HASH_FILE}"
+require_attestation_file "Attestation signature" "${SIGN_FILE}"
log_in "0042() : Verifying rootfs attestation with 'gpgv' and inside LUKS encrypted rootfs pinned GPG FPR."
-_STATUS="$(/usr/bin/gpgv --keyring "${KEYFILE}" --status-fd 1 "${SIGN_FILE}" "${HASH_FILE}")"
+
+if ! _STATUS="$(/usr/bin/gpgv --keyring "${KEYFILE}" --status-fd 1 "${SIGN_FILE}" "${HASH_FILE}" 2>&1)"; then
+
+ log_er "0042() : gpgv verification failed for signature: [${SIGN_FILE}]"
+
+ if [ -n "${_STATUS}" ]; then
+
+ printf '%s\n' "${_STATUS}" >&2
+
+ fi
+
+ sleep 8
+ panic "0042() : gpgv verification failed for signature: [${SIGN_FILE}]"
+
+fi
+
_CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"
### Compare against pinned and expected fingerprint. ---------------------------------------------------------------------------
diff --git a/config/includes.chroot/usr/lib/live/boot/9990-main.sh b/config/includes.chroot/usr/lib/live/boot/9990-main.sh
index 50f7e8d..dfa8e67 100644
--- a/config/includes.chroot/usr/lib/live/boot/9990-main.sh
+++ b/config/includes.chroot/usr/lib/live/boot/9990-main.sh
@@ -14,9 +14,18 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-### Modified Version of the original file:
-### https://salsa.debian.org/live-team/live-boot 'components/9990-main.sh'
-### Change the behavior so that the ciss_rootfs.crypt (0024-ciss-crypt-squash) is mounted when it is opened.
+# Modified Version of the original file:
+# https://salsa.debian.org/live-team/live-boot 'components/9990-main.sh'
+# Change the behavior so that the ciss_rootfs.crypt (0024-ciss-crypt-squash) is mounted when it is opened.
+
+# Module summary:
+# - Run early cryptroot handling before live filesystem discovery.
+# - Parse live-boot parameters, apply debug/read-only/network setup, and load initramfs configuration.
+# - Locate or reuse the live filesystem from network, iSCSI, plain root, memdisk, LVM-backed media, or the
+# CISS encrypted SquashFS preseed.
+# - Verify checksums, optionally copy live media to RAM or disk, and mount the final live root via unionfs or image stacking.
+# - Transfer selected runtime configuration into the target root, validate the mounted root, configure fstab/netbase/swap, and
+# preserve boot logs.
# set -e
diff --git a/config/includes.chroot/usr/lib/live/boot/9990-networking.sh b/config/includes.chroot/usr/lib/live/boot/9990-networking.sh
index 4f18ab1..97a9fb9 100644
--- a/config/includes.chroot/usr/lib/live/boot/9990-networking.sh
+++ b/config/includes.chroot/usr/lib/live/boot/9990-networking.sh
@@ -14,9 +14,16 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-### Modified Version of the original file:
-### https://salsa.debian.org/live-team/live-boot 'components/9990-networking.sh'
-### Change the behavior so that the systemd-networkd stack '/etc/resolv.conf' is not overwritten.
+# Modified Version of the original file:
+# https://salsa.debian.org/live-team/live-boot 'components/9990-networking.sh'
+# Change the behavior so that the systemd-networkd stack '/etc/resolv.conf' is not overwritten.
+
+# Module summary:
+# - Resolve the boot interface from Syslinux/PXELINUX BOOTIF metadata when available.
+# - Bring up live-boot networking for local, netboot, fetch, HTTPFS, and FTPFS paths.
+# - Probe configured or discovered interfaces with ipconfig and export the selected device.
+# - Populate hostname, hosts, DNS, and HWADDR data only where needed by later boot stages.
+# - Preserve an existing /etc/resolv.conf so systemd-networkd ownership is not overwritten.
# set -e
diff --git a/config/includes.chroot/usr/lib/live/boot/9990-overlay.sh b/config/includes.chroot/usr/lib/live/boot/9990-overlay.sh
index 7d9293a..ce406dc 100644
--- a/config/includes.chroot/usr/lib/live/boot/9990-overlay.sh
+++ b/config/includes.chroot/usr/lib/live/boot/9990-overlay.sh
@@ -14,9 +14,16 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-### Modified Version of the original file:
-### https://salsa.debian.org/live-team/live-boot 'components/9990-overlay.sh'
-### Change the behavior so that the ciss_rootfs.crypt (0024-ciss-crypt-squash) is mounted when it is opened.
+# Modified Version of the original file:
+# https://salsa.debian.org/live-team/live-boot 'components/9990-overlay.sh'
+# Change the behavior so that the ciss_rootfs.crypt (0024-ciss-crypt-squash) is mounted when it is opened.
+
+# Module summary:
+# This live-boot overlay module prepares the root filesystem view during boot. It accepts the CISS decrypted root
+# device override from /run/ciss-rootdev, mounts the read-only root image set or plain-mapped root, applies dm-verity
+# options where available, prepares the writable overlay backing store from tmpfs, persistence, or NFS_COW, creates the
+# final union mounts, activates custom persistence mounts, normalizes key permissions, and invokes the CISS post-decrypt
+# attestation hook after the overlay is in place.
#set -e
@@ -152,7 +159,7 @@ setup_unionfs ()
rootfslist="${mpoint} ${rootfslist}"
mount_options=""
- # Setup dm-verity support if a device has it supported
+ # Set up dm-verity support if a device has it supported
hash_device="${image}.verity"
# shellcheck disable=SC2086
if [ -f ${hash_device} ]
@@ -434,7 +441,7 @@ setup_unionfs ()
fi || panic "mount ${UNIONTYPE} on ${unionmountpoint} failed with option ${unionmountopts}"
done
- # Remove persistence depending on boot parameter
+ # Remove persistence depending on the boot parameter
Remove_persistence
# Correct the permissions of /:
diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md
index 36233f0..eb3a7bd 100644
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. DNSSEC Status
diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md
index 7245a79..8e04efa 100644
--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. Haveged Audit on Netcup RS 2000 G11
diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md
index 290b72e..4fbbe31 100644
--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. Lynis Audit:
diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md
index 7ae707b..5acbda9 100644
--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. SSH Audit by ssh-audit.com
diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md
index 5a3f164..7d55a39 100644
--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. TLS Audit:
````text
diff --git a/docs/BOOTPARAMS.md b/docs/BOOTPARAMS.md
index 761221d..fff91f2 100644
--- a/docs/BOOTPARAMS.md
+++ b/docs/BOOTPARAMS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. Hardened Kernel Boot Parameters
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 50e9355..8391c20 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -8,10 +8,22 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. Changelog
+## V9.14.018.2026.06.07
+* **Added**: [0022-ciss-overlay-tmpfs](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs) Module summary
+* **Added**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash) Module summary
+* **Added**: [0026-ciss-early-sysctl](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl) Module summary
+* **Added**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) Module summary
+* **Added**: [0042_ciss_post_decrypt_attest](../config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest) Module summary
+* **Added**: [9990-main.sh](../config/includes.chroot/usr/lib/live/boot/9990-main.sh) Module summary
+* **Added**: [9990-networking.sh](../config/includes.chroot/usr/lib/live/boot/9990-networking.sh) Module summary
+* **Added**: [9990-overlay.sh](../config/includes.chroot/usr/lib/live/boot/9990-overlay.sh) Module summary
+* **Changed**: [9999_cdi_starter.sh](../scripts/usr/local/sbin/9999_cdi_starter.sh) Fixed: ``sysctl -p /etc/sysctl.d/90-ciss-local.hardened``
+* **Changed**: [0042_ciss_post_decrypt_attest](../config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest) Fixed: Signature checksum verification.
+
## V9.14.016.2026.06.06
* **Changed**: [zzzz_ciss_uki_build.hook.binary](../config/hooks/live/zzzz_ciss_uki_build.hook.binary)
* **Changed**: [zzzz_ciss_uki_install.hook.binary](../config/hooks/live/zzzz_ciss_uki_install.hook.binary)
diff --git a/docs/CNET.md b/docs/CNET.md
index 04b146a..e5f2682 100644
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. Centurion Net - Developer Branch Overview
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
index 18c05fb..416ea6f 100644
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. Contributing / participating
diff --git a/docs/CREDITS.md b/docs/CREDITS.md
index a8a29a4..0de29aa 100644
--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. Credits
diff --git a/docs/DL_PUB_ISO.md b/docs/DL_PUB_ISO.md
index 5fab688..7114707 100644
--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. Download the latest PUBLIC CISS.debian.live.ISO
diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md
index 912f403..4b534e8 100644
--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,14 +8,14 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2.1. Usage
````text
CDLB(1) CISS.debian.live.builder CDLB(1)
CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V9.14.016.2026.06.06
+Master V9.14.018.2026.06.07
A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
(c) Marc S. Weidner, 2018 - 2026
@@ -168,7 +168,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
💷 Please consider donating to my work at:
🌐 https://coresecret.eu/spenden/
- V9.14.016.2026.06.06 2026-05-17 CDLB(1)
+ V9.14.018.2026.06.07 2026-05-17 CDLB(1)
````
# 3. Booting
diff --git a/docs/MAN_CISS_ISO_BOOT_CHAIN.md b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
index 7073289..5b83815 100644
--- a/docs/MAN_CISS_ISO_BOOT_CHAIN.md
+++ b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation)
diff --git a/docs/MAN_SSH_Host_Key_Policy.md b/docs/MAN_SSH_Host_Key_Policy.md
index 6daf3d4..098fe91 100644
--- a/docs/MAN_SSH_Host_Key_Policy.md
+++ b/docs/MAN_SSH_Host_Key_Policy.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer
diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md
index bc7b1f8..e755440 100644
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. Resources
diff --git a/docs/documentation/30-ciss-hardening.conf.md b/docs/documentation/30-ciss-hardening.conf.md
index 5fbb3cd..338257b 100644
--- a/docs/documentation/30-ciss-hardening.conf.md
+++ b/docs/documentation/30-ciss-hardening.conf.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. ``30-ciss-hardening.conf``
diff --git a/docs/documentation/90-ciss-local.hardened.md b/docs/documentation/90-ciss-local.hardened.md
index b4fd766..50a1915 100644
--- a/docs/documentation/90-ciss-local.hardened.md
+++ b/docs/documentation/90-ciss-local.hardened.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. ``90-ciss-local.hardened``
diff --git a/docs/documentation/ciss_live_builder.sh.md b/docs/documentation/ciss_live_builder.sh.md
index a3f8967..e4bd378 100644
--- a/docs/documentation/ciss_live_builder.sh.md
+++ b/docs/documentation/ciss_live_builder.sh.md
@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.016.2026.06.06
+**Build**: V9.14.018.2026.06.07
# 2. ``ciss_live_builder.sh``
diff --git a/lib/lib_usage.sh b/lib/lib_usage.sh
index 0d3fe6d..3f9e786 100644
--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -39,13 +39,13 @@ usage() {
# shellcheck disable=SC2155
declare var_header=$(center "CDLB(1) CISS.debian.live.builder CDLB(1)" "${var_cols}")
# shellcheck disable=SC2155
- declare var_footer=$(center "V9.14.016.2026.06.06 2026-06-04 CDLB(1)" "${var_cols}")
+ declare var_footer=$(center "V9.14.018.2026.06.07 2026-06-04 CDLB(1)" "${var_cols}")
{
echo -e "\e[1;97m${var_header}\e[0m"
echo
echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
- echo -e "\e[92mMaster V9.14.016.2026.06.06\e[0m"
+ echo -e "\e[92mMaster V9.14.018.2026.06.07\e[0m"
echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
echo
echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2026 \e[0m"
diff --git a/scripts/usr/local/sbin/9999_cdi_starter.sh b/scripts/usr/local/sbin/9999_cdi_starter.sh
index 73002df..2d5da28 100644
--- a/scripts/usr/local/sbin/9999_cdi_starter.sh
+++ b/scripts/usr/local/sbin/9999_cdi_starter.sh
@@ -100,7 +100,7 @@ readonly -f net_wait
# 0: on success
#######################################
sysp() {
- sysctl -p /etc/sysctl.d/99_local.hardened
+ sysctl -p /etc/sysctl.d/90-ciss-local.hardened
# shellcheck disable=SC2312
sysctl -a | grep -E '^(kernel|vm|net)\.' >| "/var/log/sysctl_check_$(date +'%Y-%m-%d_%H-%M-%S').log"
@@ -130,7 +130,7 @@ main() {
touch "${var_log}"
- printf "CISS.debian.installer Master V9.14.016.2026.06.06 is up! \n" >> "${var_log}"
+ printf "CISS.debian.installer Master V9.14.018.2026.06.07 is up! \n" >> "${var_log}"
### Sleep a moment to settle boot artifacts.
sleep 8
@@ -209,7 +209,7 @@ main() {
### Timeout reached without acceptable semaphore.
logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
- printf "CISS.debian.installer Master V9.14.016.2026.06.06: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
+ printf "CISS.debian.installer Master V9.14.018.2026.06.07: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
exit 0
}
diff --git a/var/early.var.sh b/var/early.var.sh
index 907d181..799d490 100644
--- a/var/early.var.sh
+++ b/var/early.var.sh
@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
declare -grx VAR_HOST="$(uname -n)"
declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
declare -grx VAR_SYSTEM="$(uname -mnosv)"
-declare -grx VAR_VERSION="Master V9.14.016.2026.06.06"
+declare -grx VAR_VERSION="Master V9.14.018.2026.06.07"
declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
# Print $4 and $5; include $6 only if it exists
out = $4