V9.14.018.2026.06.07

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 07:24:22 +01:00
parent 8b6731f1be
commit 9cdcc0a9ec
56 changed files with 204 additions and 97 deletions
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
 name: 💙 Generating a PUBLIC Live ISO.
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V9.14.016.2026.06.06"
+      placeholder: "e.g., Master V9.14.018.2026.06.07"
    validations:
      required: true
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
 FROM debian:bookworm
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
 name: 🔁 Render README.md to README.html.
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V9.14.016.2026.06.06
+  version: V9.14.018.2026.06.07
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V9.14.016.2026.06.06
+  version: V9.14.018.2026.06.07
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V9.14.016.2026.06.06
+  version: V9.14.018.2026.06.07
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
 name: 💙 Generating a PUBLIC Live ISO.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
 # Gitea Workflow: Shell-Script Linting
 #
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
 name: 🔁 Render Graphviz Diagrams.
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V9.14.016.2026.06.06"
+properties_version="V9.14.018.2026.06.07"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V9.14.016.2026.06.06
+PackageVersion: Master V9.14.018.2026.06.07
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.016.2026.06.06-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.018.2026.06.07-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -27,7 +27,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>
 **CISS.debian.live.builder — First of its own.**<br>
 **World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.**
@@ -175,7 +175,7 @@ installer toolchain.
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `V9.14.016.2026.06.06`
+Example: `V9.14.018.2026.06.07`
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>
 # 2. Repository Structure
 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **9.14**, Build **V9.14.016.2026.06.06** (as of 2025-10-11)
+**Repository State:** Master Version **9.14**, Build **V9.14.018.2026.06.07** (as of 2025-10-11)
 ## 3.1. Top-Level Layout
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>
 # 2. CISS Secure Boot Private Material
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>
 # 2. CISS Secure Boot Public Material
@@ -95,7 +95,7 @@ write_dropbear_conf() {
  [[ -z "${sshport:-}" ]] && sshport="2222"
  ### CISS internal
-  [[ "${sshport}" == "42137" ]] && sshport="44137"
+  [[ "${sshport}" == "42137" ]] && sshport="64137"
  cat << EOF >| /etc/dropbear/initramfs/dropbear.conf
 # SPDX-Version: 3.0
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -11,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V9.14.016.2026.06.06"
+declare -gr VERSION="Master V9.14.018.2026.06.07"
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V9.14.016.2026.06.06 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V9.14.018.2026.06.07 at: 10:18:37.9542
@@ -14,8 +14,10 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Purpose: Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
+# Module summary:
-# Phase  : premount (executed by live-boot inside the initramfs).
+# - Reserve a dedicated /run/live/overlay tmpfs with a configurable size limit.
 # - Mount it with restrictive flags and permissions before OverlayFS uses it.
 # - Prepare the upper and work directories required by the later live-boot overlay setup.
 _SAVED_SET_OPTS="$(set +o)"
@@ -14,8 +14,12 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Purpose: Open /live/ciss_rootfs.crypt (LUKS) for final processing in '9990-overlay.sh'
+# Module summary:
-# Phase  : premount (executed by live-boot inside the initramfs)
+# - Read CISS boot parameters for the encrypted root path and live ISO label.
 # - Mount the live medium read-only and locate the encrypted SquashFS container.
 # - Attach the encrypted container through a read-only loop device.
 # - Accept a LUKS passphrase from the local console or remotely unlock FIFO.
 # - Open the decrypted root mapper and expose the handoff state for later live-boot overlay processing.
 _SAVED_SET_OPTS="$(set +o)"
@@ -14,8 +14,11 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Purpose: Enforce early sysctls before services start.
+# Module summary:
-# Phase  : premount (executed by live-boot inside the initramfs).
+# - Runs during live-boot premount while the system is still inside the initramfs.
 # - Applies early kernel hardening before the real root and regular services are active.
 # - Restricts ptrace, unprivileged BPF, core dumps, kexec, unsafe link handling, regular-file protections, and kernel pointer
 #   exposure where supported.
 _SAVED_SET_OPTS="$(set +o)"
@@ -14,6 +14,14 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # Module summary:
 # This live-boot component implements the verify-checksums mode for the mounted live medium.
 # It reads the live-boot command line to decide whether checksum verification is enabled and which digests to accept.
 # It locates the pinned CISS GPG key material on the live medium, optionally verifies this script's signed hash,
 # optionally verifies signed checksum files, and checks the first matching checksum manifest with the matching digest tool. It
 # writes detailed checksum output to the verification TTY. It panics instead of continuing boot when integrity or
 # authenticity verification fails.
 ### Modified Version of the original file:
 ### https://salsa.debian.org/live-team/live-boot 'components/0030-ciss-verify-checksums'
 ### If the offered checksum is successfully verified, proceed with booting. Otherwise, panic.
@@ -14,8 +14,13 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Purpose: Late rootfs attestation and dmsetup health checking.
+# Module summary:
-# Phase  : executed by live-boot inside the 9990-main.sh.
+# - Runs after the encrypted live root filesystem has been decrypted.
 # - Requires the pinned public key, attestation hash file, and detached signature to exist as readable, non-empty regular files
 #   inside the decrypted rootfs.
 # - Verifies the attestation signature with gpgv against the pinned key material.
 # - Confirms that the signature fingerprint matches the build-time expected rootfs fingerprint and panics on missing, malformed,
 #   or mismatched evidence.
 _SAVED_SET_OPTS="$(set +o)"
@@ -30,7 +35,7 @@ export CDLB_EXP_FPR="@EXP_FPR@"
 export CDLB_EXP_CA_FPR="@EXP_CA_FPR@"
 ### Name of the top-level dm-crypt mapping (e.g., cryptsetup --label): zzzz_ciss_crypt_squash.hook.binary ----------------------
-CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-crypt_liveiso}"
+export CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-crypt_liveiso}"
 ### Attestation file locations inside decrypted rootfs. ------------------------------------------------------------------------
 CDLB_ATTEST_FPR_SHA="${CDLB_ATTEST_FPR_SHA:-/root/root/.ciss/attestation/${CDLB_EXP_FPR}.gpg.sha512sum.txt}"
@@ -66,33 +71,83 @@ log_ok() { printf '\e[92m[INFO] %s \n\e[0m' "$*"; }
 #######################################
 log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }
 #######################################
 # Validate a boot-time attestation input file.
 # Globals:
 #   None
 # Arguments:
 #   1: Human-readable artifact label
 #   2: Absolute artifact path
 # Returns:
 #   0: on success
 #######################################
 require_attestation_file() {
  artifact_label="${1}"
  artifact_path="${2}"
  if [ ! -e "${artifact_path}" ]; then
    if [ -L "${artifact_path}" ]; then
      log_er "0042()              : ${artifact_label} is a broken symlink, not a regular file: [${artifact_path}]"
      panic  "0042()              : ${artifact_label} is a broken symlink, not a regular file: [${artifact_path}]"
    fi
    log_er "0042()              : ${artifact_label} missing: [${artifact_path}]"
    panic  "0042()              : ${artifact_label} missing: [${artifact_path}]"
  fi
  if [ -L "${artifact_path}" ] || [ ! -f "${artifact_path}" ]; then
    log_er "0042()              : ${artifact_label} is not a regular file: [${artifact_path}]"
    panic  "0042()              : ${artifact_label} is not a regular file: [${artifact_path}]"
  fi
  if [ ! -s "${artifact_path}" ]; then
    log_er "0042()              : ${artifact_label} is empty: [${artifact_path}]"
    panic  "0042()              : ${artifact_label} is empty: [${artifact_path}]"
  fi
  if [ ! -r "${artifact_path}" ]; then
    log_er "0042()              : ${artifact_label} is not readable: [${artifact_path}]"
    panic  "0042()              : ${artifact_label} is not readable: [${artifact_path}]"
  fi
  return 0
 }
 HASH_FILE="${CDLB_ATTEST_FPR_SHA}"
 SIGN_FILE="${CDLB_ATTEST_FPR_SIG}"
 KEYFILE="${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg"
-if [ -s "${KEYFILE}" ]; then
+require_attestation_file "Public key"            "${KEYFILE}"
-
+require_attestation_file "Attestation data"      "${HASH_FILE}"
-  log_er "0042()              : No public key found under: [${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"
+require_attestation_file "Attestation signature" "${SIGN_FILE}"
  panic  "0042()              : No public key found under: [${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"
 fi
 if [ -s "${HASH_FILE}" ]; then
  log_er "0042()              : Attestation data missing: [${HASH_FILE}]"
  panic  "0042()              : Attestation data missing: [${HASH_FILE}]"
 fi
 if [ -s "${SIGN_FILE}" ]; then
  log_er "0042()              : Attestation signature missing: [${SIGN_FILE}]"
  panic  "0042()              : Attestation signature missing: [${SIGN_FILE}]"
 fi
 log_in "0042()               : Verifying rootfs attestation with 'gpgv' and inside LUKS encrypted rootfs pinned GPG FPR."
-_STATUS="$(/usr/bin/gpgv --keyring "${KEYFILE}" --status-fd 1 "${SIGN_FILE}" "${HASH_FILE}")"
+
 if ! _STATUS="$(/usr/bin/gpgv --keyring "${KEYFILE}" --status-fd 1 "${SIGN_FILE}" "${HASH_FILE}" 2>&1)"; then
  log_er "0042()              : gpgv verification failed for signature: [${SIGN_FILE}]"
  if [ -n "${_STATUS}" ]; then
    printf '%s\n' "${_STATUS}" >&2
  fi
  sleep 8
  panic  "0042()              : gpgv verification failed for signature: [${SIGN_FILE}]"
 fi
 _CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"
 ### Compare against pinned and expected fingerprint. ---------------------------------------------------------------------------
@@ -14,9 +14,18 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Modified Version of the original file:
+# Modified Version of the original file:
-### https://salsa.debian.org/live-team/live-boot 'components/9990-main.sh'
+# https://salsa.debian.org/live-team/live-boot 'components/9990-main.sh'
-### Change the behavior so that the ciss_rootfs.crypt (0024-ciss-crypt-squash) is mounted when it is opened.
+# Change the behavior so that the ciss_rootfs.crypt (0024-ciss-crypt-squash) is mounted when it is opened.
 # Module summary:
 # - Run early cryptroot handling before live filesystem discovery.
 # - Parse live-boot parameters, apply debug/read-only/network setup, and load initramfs configuration.
 # - Locate or reuse the live filesystem from network, iSCSI, plain root, memdisk, LVM-backed media, or the
 #   CISS encrypted SquashFS preseed.
 # - Verify checksums, optionally copy live media to RAM or disk, and mount the final live root via unionfs or image stacking.
 # - Transfer selected runtime configuration into the target root, validate the mounted root, configure fstab/netbase/swap, and
 #   preserve boot logs.
 # set -e
@@ -14,9 +14,16 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Modified Version of the original file:
+# Modified Version of the original file:
-### https://salsa.debian.org/live-team/live-boot 'components/9990-networking.sh'
+# https://salsa.debian.org/live-team/live-boot 'components/9990-networking.sh'
-### Change the behavior so that the systemd-networkd stack '/etc/resolv.conf' is not overwritten.
+# Change the behavior so that the systemd-networkd stack '/etc/resolv.conf' is not overwritten.
 # Module summary:
 # - Resolve the boot interface from Syslinux/PXELINUX BOOTIF metadata when available.
 # - Bring up live-boot networking for local, netboot, fetch, HTTPFS, and FTPFS paths.
 # - Probe configured or discovered interfaces with ipconfig and export the selected device.
 # - Populate hostname, hosts, DNS, and HWADDR data only where needed by later boot stages.
 # - Preserve an existing /etc/resolv.conf so systemd-networkd ownership is not overwritten.
 # set -e
@@ -14,9 +14,16 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Modified Version of the original file:
+# Modified Version of the original file:
-### https://salsa.debian.org/live-team/live-boot 'components/9990-overlay.sh'
+# https://salsa.debian.org/live-team/live-boot 'components/9990-overlay.sh'
-### Change the behavior so that the ciss_rootfs.crypt (0024-ciss-crypt-squash) is mounted when it is opened.
+# Change the behavior so that the ciss_rootfs.crypt (0024-ciss-crypt-squash) is mounted when it is opened.
 # Module summary:
 # This live-boot overlay module prepares the root filesystem view during boot. It accepts the CISS decrypted root
 # device override from /run/ciss-rootdev, mounts the read-only root image set or plain-mapped root, applies dm-verity
 # options where available, prepares the writable overlay backing store from tmpfs, persistence, or NFS_COW, creates the
 # final union mounts, activates custom persistence mounts, normalizes key permissions, and invokes the CISS post-decrypt
 # attestation hook after the overlay is in place.
 #set -e
@@ -152,7 +159,7 @@ setup_unionfs ()
        rootfslist="${mpoint} ${rootfslist}"
        mount_options=""
-        # Setup dm-verity support if a device has it supported
+        # Set up dm-verity support if a device has it supported
        hash_device="${image}.verity"
        # shellcheck disable=SC2086
        if [ -f ${hash_device} ]
@@ -434,7 +441,7 @@ setup_unionfs ()
    fi || panic "mount ${UNIONTYPE} on ${unionmountpoint} failed with option ${unionmountopts}"
  done
-  # Remove persistence depending on boot parameter
+  # Remove persistence depending on the boot parameter
  Remove_persistence
  # Correct the permissions of /:
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>
 # 2. DNSSEC Status
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>
 # 2. Haveged Audit on Netcup RS 2000 G11
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>
 # 2. Lynis Audit:
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>
 # 2. SSH Audit by ssh-audit.com
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>
 # 2. TLS Audit:
 ````text
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>
 # 2. Hardened Kernel Boot Parameters
@@ -8,10 +8,22 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>
 # 2. Changelog
 ## V9.14.018.2026.06.07
 * **Added**: [0022-ciss-overlay-tmpfs](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs) Module summary
 * **Added**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash) Module summary
 * **Added**: [0026-ciss-early-sysctl](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl) Module summary
 * **Added**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) Module summary
 * **Added**: [0042_ciss_post_decrypt_attest](../config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest) Module summary
 * **Added**: [9990-main.sh](../config/includes.chroot/usr/lib/live/boot/9990-main.sh) Module summary
 * **Added**: [9990-networking.sh](../config/includes.chroot/usr/lib/live/boot/9990-networking.sh) Module summary
 * **Added**: [9990-overlay.sh](../config/includes.chroot/usr/lib/live/boot/9990-overlay.sh) Module summary
 * **Changed**: [9999_cdi_starter.sh](../scripts/usr/local/sbin/9999_cdi_starter.sh) Fixed: ``sysctl -p /etc/sysctl.d/90-ciss-local.hardened``
 * **Changed**: [0042_ciss_post_decrypt_attest](../config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest) Fixed: Signature checksum verification.
 ## V9.14.016.2026.06.06
 * **Changed**: [zzzz_ciss_uki_build.hook.binary](../config/hooks/live/zzzz_ciss_uki_build.hook.binary)
 * **Changed**: [zzzz_ciss_uki_install.hook.binary](../config/hooks/live/zzzz_ciss_uki_install.hook.binary)
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>
 # 2. Centurion Net - Developer Branch Overview
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>
 # 2. Contributing / participating
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>
 # 2. Credits
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
@@ -8,14 +8,14 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>
 # 2.1. Usage
 ````text
                        CDLB(1)                        CISS.debian.live.builder                        CDLB(1)
 CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V9.14.016.2026.06.06
+Master V9.14.018.2026.06.07
 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 (c) Marc S. Weidner, 2018 - 2026
@@ -168,7 +168,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 💷 Please consider donating to my work at:
 🌐 https://coresecret.eu/spenden/
-                        V9.14.016.2026.06.06                        2026-05-17                         CDLB(1)
+                        V9.14.018.2026.06.07                        2026-05-17                         CDLB(1)
 ````
 # 3. Booting
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>
 # 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation)
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>
 # 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>
 # 2. Resources
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>
 # 2. ``30-ciss-hardening.conf``
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>
 # 2. ``90-ciss-local.hardened``
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>
 # 2. ``ciss_live_builder.sh``
@@ -39,13 +39,13 @@ usage() {
  # shellcheck disable=SC2155
  declare var_header=$(center "CDLB(1)                        CISS.debian.live.builder                        CDLB(1)" "${var_cols}")
  # shellcheck disable=SC2155
-  declare var_footer=$(center "V9.14.016.2026.06.06                        2026-06-04                         CDLB(1)" "${var_cols}")
+  declare var_footer=$(center "V9.14.018.2026.06.07                        2026-06-04                         CDLB(1)" "${var_cols}")
  {
    echo -e "\e[1;97m${var_header}\e[0m"
    echo
    echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V9.14.016.2026.06.06\e[0m"
+    echo -e "\e[92mMaster V9.14.018.2026.06.07\e[0m"
    echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
    echo
    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2026 \e[0m"
@@ -100,7 +100,7 @@ readonly -f net_wait
 #   0: on success
 #######################################
 sysp() {
-  sysctl -p /etc/sysctl.d/99_local.hardened
+  sysctl -p /etc/sysctl.d/90-ciss-local.hardened
  # shellcheck disable=SC2312
  sysctl -a | grep -E '^(kernel|vm|net)\.' >| "/var/log/sysctl_check_$(date +'%Y-%m-%d_%H-%M-%S').log"
@@ -130,7 +130,7 @@ main() {
  touch "${var_log}"
-  printf "CISS.debian.installer Master V9.14.016.2026.06.06 is up! \n" >> "${var_log}"
+  printf "CISS.debian.installer Master V9.14.018.2026.06.07 is up! \n" >> "${var_log}"
  ### Sleep a moment to settle boot artifacts.
  sleep 8
@@ -209,7 +209,7 @@ main() {
  ### Timeout reached without acceptable semaphore.
  logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
-  printf "CISS.debian.installer Master V9.14.016.2026.06.06: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
+  printf "CISS.debian.installer Master V9.14.018.2026.06.07: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
  exit 0
 }
@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
 declare -grx VAR_HOST="$(uname -n)"
 declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
-declare -grx VAR_VERSION="Master V9.14.016.2026.06.06"
+declare -grx VAR_VERSION="Master V9.14.018.2026.06.07"
 declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
  # Print $4 and $5; include $6 only if it exists
  out = $4