V8.13.520.2025.12.02

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.archive/generate_PRIVATE_trixie_0.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.28
+# Version Master V8.13.520.2025.12.02
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 

.archive/generate_PRIVATE_trixie_1.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.28
+# Version Master V8.13.520.2025.12.02
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 

.archive/generate_PUBLIC_iso.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.28
+# Version Master V8.13.520.2025.12.02
 
 name: 💙 Generating a PUBLIC Live ISO.
 

.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml

@@ -25,7 +25,7 @@ body:
     attributes:
       label: "Version"
       description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.13.512.2025.11.28"
+      placeholder: "e.g., Master V8.13.520.2025.12.02"
     validations:
       required: true
 

.gitea/TODO/dockerfile

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.28
+# Version Master V8.13.520.2025.12.02
 
 FROM debian:bookworm
 

.gitea/TODO/render-md-to-html.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.28
+# Version Master V8.13.520.2025.12.02
 
 name: 🔁 Render README.md to README.html.
 

.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.512.2025.11.28
+  version: V8.13.520.2025.12.02
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.512.2025.11.28
+  version: V8.13.520.2025.12.02
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PUBLIC.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.512.2025.11.28
+  version: V8.13.520.2025.12.02
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_dns.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.512.2025.11.28
+  version: V8.13.520.2025.12.02
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PRIVATE_trixie_0.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.28
+# Version Master V8.13.520.2025.12.02
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 

.gitea/workflows/generate_PRIVATE_trixie_1.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.28
+# Version Master V8.13.520.2025.12.02
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 

.gitea/workflows/generate_PUBLIC_iso.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.28
+# Version Master V8.13.520.2025.12.02
 
 name: 💙 Generating a PUBLIC Live ISO.
 

.gitea/workflows/linter_char_scripts.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.28
+# Version Master V8.13.520.2025.12.02
 
 # Gitea Workflow: Shell-Script Linting
 #

.gitea/workflows/render-dnssec-status.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.28
+# Version Master V8.13.520.2025.12.02
 
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
 

.gitea/workflows/render-dot-to-png.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.28
+# Version Master V8.13.520.2025.12.02
 
 name: 🔁 Render Graphviz Diagrams.
 

.version.properties

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.512.2025.11.28"
+properties_version="V8.13.520.2025.12.02"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

CISS.debian.live.builder.spdx

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.512.2025.11.28
+PackageVersion: Master V8.13.520.2025.12.02
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder

README.md

@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.512.2025.11.28-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.520.2025.12.02-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
  
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)  
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)  
@@ -27,7 +27,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.28<br>
+**Build**: V8.13.520.2025.12.02<br>
 
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -152,7 +152,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
 
-Example: `V8.13.512.2025.11.28`
+Example: `V8.13.520.2025.12.02`
 
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
 

REPOSITORY.md

@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.28<br>
+**Build**: V8.13.520.2025.12.02<br>
 
 # 2.1. Repository Structure
 
 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **8.13**, Build **V8.13.512.2025.11.28** (as of 2025-10-11)
+**Repository State:** Master Version **8.13**, Build **V8.13.520.2025.12.02** (as of 2025-10-11)
 
 ## 2.2. Top-Level Layout
 

config/hooks/live/0000_basic_chroot_setup.chroot

@@ -236,13 +236,27 @@ rm -f /etc/cron.daily/apt-show-versions || true
 [[ -e /usr/lib/live/boot/0030-verify-checksums ]] && rm -f /usr/lib/live/boot/0030-verify-checksums
 
 ### Ensure proper 0755 rights for CISS initramfs scripts  ----------------------------------------------------------------------
-[[ -x /etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh ]] \
+[[ -x /usr/lib/live/boot/0042_ciss_post_decrypt_attest ]] \
-  && chmod 0755 /etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh
+  && chmod 0755 /usr/lib/live/boot/0042_ciss_post_decrypt_attest
+
 [[ -x /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh ]] \
   && chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
+
 [[ -x /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh ]] \
   && chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
 
+### Ensure proper systemd directories exist ------------------------------------------------------------------------------------
+mkdir -p /etc/systemd/system/multi-user.target.wants
+mkdir -p /etc/systemd/system/sockets.target.wants
+mkdir -p /etc/systemd/system
+
+### Enable clean systemd-networkd stack ----------------------------------------------------------------------------------------
+ln -sf /lib/systemd/system/systemd-networkd.service /etc/systemd/system/multi-user.target.wants/systemd-networkd.service
+
+ln -sf /lib/systemd/system/systemd-resolved.service /etc/systemd/system/multi-user.target.wants/systemd-resolved.service
+
+ln -sf /lib/systemd/system/systemd-resolved.socket  /etc/systemd/system/sockets.target.wants/systemd-resolved.socket
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0

config/includes.chroot/etc/ssh/ssh_known_hosts

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.28
+# Version Master V8.13.520.2025.12.02
 
 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==

config/includes.chroot/etc/ssh/sshd_config

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.28
+# Version Master V8.13.520.2025.12.02
 
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig

config/includes.chroot/etc/sysctl.d/99_local.hardened

@@ -11,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.28
+# Version Master V8.13.520.2025.12.02
 
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/

config/includes.chroot/preseed/.iso/preseed_hash_generator.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-declare -gr VERSION="Master V8.13.512.2025.11.28"
+declare -gr VERSION="Master V8.13.520.2025.12.02"
 
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then

config/includes.chroot/preseed/preseed.cfg

@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.512.2025.11.28 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.520.2025.12.02 at: 10:18:37.9542

config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest

@@ -15,13 +15,13 @@
 # SPDX-Security-Contact: security@coresecret.eu
 
 # Purpose: Late rootfs attestation and dmsetup health checking.
-# Phase  : bottom (executed by live-boot inside the initramfs).
+# Phase  : executed by live-boot inside the 9990-main.sh.
 
 _SAVED_SET_OPTS="$(set +o)"
 
 set -eu
 
-printf "\e[95m[INFO] Starting             : [/etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh] \n\e[0m"
+printf "\e[95m[INFO] Starting             : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] \n\e[0m"
 
 ### Declare variables ----------------------------------------------------------------------------------------------------------
 
@@ -176,6 +176,6 @@ fi
 
 eval "${_SAVED_SET_OPTS}"
 
-printf "\e[92m[INFO] Successfully applied : [/etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh] \n\e[0m"
+printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] \n\e[0m"
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/includes.chroot/usr/lib/live/boot/9990-main.sh

@@ -234,18 +234,20 @@ Live ()
     log_end_msg
   fi
 
-  if [ -L /root/etc/resolv.conf ] ; then
+  ### CISS override for systemd-networkd stack ---------------------------------------------------------------------------------
-    # assume we have resolvconf
+  #if [ -L /root/etc/resolv.conf ] ; then
-    DNSFILE="${rootmnt}/etc/resolvconf/resolv.conf.d/base"
+  #  # assume we have resolvconf
-  else
+  #  DNSFILE="${rootmnt}/etc/resolvconf/resolv.conf.d/base"
-    DNSFILE="${rootmnt}/etc/resolv.conf"
+  #else
-  fi
+  #  DNSFILE="${rootmnt}/etc/resolv.conf"
-  if [ -f /etc/resolv.conf ] && ! grep -E -q -v '^[[:space:]]*(#|$)' "${DNSFILE}"
+  #fi
-  then
+  #if [ -f /etc/resolv.conf ] && ! grep -E -q -v '^[[:space:]]*(#|$)' "${DNSFILE}"
-    log_begin_msg "Copying /etc/resolv.conf to ${DNSFILE}"
+  #then
-    cp -v /etc/resolv.conf "${DNSFILE}"
+  #  log_begin_msg "Copying /etc/resolv.conf to ${DNSFILE}"
-    log_end_msg
+  #  cp -v /etc/resolv.conf "${DNSFILE}"
-  fi
+  #  log_end_msg
+  #fi
+  ### CISS override for systemd-networkd stack ---------------------------------------------------------------------------------
 
   if ! [ -d "/lib/live/boot" ]
   then
@@ -264,5 +266,11 @@ Live ()
     cp boot.log "${rootmnt}/var/log/live" 2>/dev/null; \
     cp fsck.log "${rootmnt}/var/log/live" 2>/dev/null )
 
+  ### CISS override for /usr/lib/live/boot/0042_ciss_post_decrypt_attest -------------------------------------------------------
+  sleep 3
+
+  [ -x /usr/lib/live/boot/0042_ciss_post_decrypt_attest ] && /usr/lib/live/boot/0042_ciss_post_decrypt_attest
+  ### CISS override for /usr/lib/live/boot/0042_ciss_post_decrypt_attest -------------------------------------------------------
+
   printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/9990-main.sh] \n\e[0m"
 }

config/includes.chroot/usr/lib/systemd/.keep

@@ -1,10 +0,0 @@
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu

docs/AUDIT_DNSSEC.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.28<br>
+**Build**: V8.13.520.2025.12.02<br>
 
 # 2. DNSSEC Status
 

docs/AUDIT_HAVEGED.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.28<br>
+**Build**: V8.13.520.2025.12.02<br>
 
 # 2. Haveged Audit on Netcup RS 2000 G11
 

docs/AUDIT_LYNIS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.28<br>
+**Build**: V8.13.520.2025.12.02<br>
 
 # 2. Lynis Audit:
 

docs/AUDIT_SSH.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.28<br>
+**Build**: V8.13.520.2025.12.02<br>
 
 # 2. SSH Audit by ssh-audit.com
 

docs/AUDIT_TLS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.28<br>
+**Build**: V8.13.520.2025.12.02<br>
 
 # 2. TLS Audit:
 ````text

docs/BOOTPARAMS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.28<br>
+**Build**: V8.13.520.2025.12.02<br>
 
 # 2. Hardened Kernel Boot Parameters
 

docs/CHANGELOG.md

@@ -8,17 +8,23 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.28<br>
+**Build**: V8.13.520.2025.12.02<br>
 
 # 2. Changelog
 
+## V8.13.520.2025.12.02
+* **Bugfixes**: Unified network management via ``systemd-networkd``
+
+## V8.13.512.2025.11.28
+* **Bugfixes**: Unified network management via ``systemd-networkd``
+
 ## V8.13.512.2025.11.27
 * **Global**: Unified network management via ``systemd-networkd``
 * **Global**: Transition of license agreements to: 
   * [CCLA-1.1.txt](LICENSES/CCLA-1.1.txt)
   * [CNCL-1.1.txt](LICENSES/CNCL-1.1.txt)
 * **Added**: [90-ciss-ethernet.network](../config/includes.chroot/etc/systemd/network/90-ciss-ethernet.network)
-* **Added**: [90-ciss-networkd.preset](../config/includes.chroot/usr/lib/systemd/system-preset/90-ciss-networkd.preset)
+* **Added**: [90-ciss-networkd.preset](../.archive/90-ciss-networkd.preset)
 * **Changed**: [unlock_wrapper.sh](../config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh)
 * **Changed**: [lib_provider_netcup.sh](../lib/lib_provider_netcup.sh)
 * **Changed**: [0010_dhcp_supersede.sh](../scripts/0010_dhcp_supersede.sh)
@@ -32,7 +38,7 @@ include_toc: true
 * **Bugfixes**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash)
 * **Bugfixes**: [0026-ciss-early-sysctl](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl)
 * **Bugfixes**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums)
-* **Bugfixes**: [0042_ciss_post_decrypt_attest.sh](../config/includes.chroot/etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh)
+* **Bugfixes**: [0042_ciss_post_decrypt_attest](../config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest)
 
 ## V8.13.432.2025.11.18
 * **Bugfixes**: [0003_cdi_autostart.chroot](../config/hooks/live/0003_cdi_autostart.chroot)
@@ -48,7 +54,7 @@ include_toc: true
 * **Added**: [0022-ciss-overlay-tmpfs.sh](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs) + Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
 * **Added**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash) + Open ``/live/ciss_rootfs.crypt`` (LUKS) and present its SquashFS as ``/run/live/rootfs``.
 * **Added**: [0026-ciss-early-sysctl.sh](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl) + Enforce early sysctls before services start.
-* **Added**: [0042_ciss_post_decrypt_attest.sh](../config/includes.chroot/etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh) + Late rootfs attestation and dmsetup health checking.
+* **Added**: [0042_ciss_post_decrypt_attest](../config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest) + Late rootfs attestation and dmsetup health checking.
 * **Added**: [MAN_CISS_ISO_BOOT_CHAIN.md](MAN_CISS_ISO_BOOT_CHAIN.md)
 * **Added**: [lib_ciss_signatures.sh](../lib/lib_ciss_signatures.sh) + integrated dynamic GPG FPR injection.
 * **Bugfixes**: [0021_dropbear_initramfs.chroot](../config/hooks/live/0021_dropbear_initramfs.chroot) + mv original files to a safe backup location.

docs/CNET.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.28<br>
+**Build**: V8.13.520.2025.12.02<br>
 
 # 2. Centurion Net - Developer Branch Overview
 

docs/CODING_CONVENTION.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.28<br>
+**Build**: V8.13.520.2025.12.02<br>
 
 # 2. Coding Style
 

docs/CONTRIBUTING.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.28<br>
+**Build**: V8.13.520.2025.12.02<br>
 
 # 2. Contributing / participating
 

docs/CREDITS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.28<br>
+**Build**: V8.13.520.2025.12.02<br>
 
 # 2. Credits
 

docs/DL_PUB_ISO.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.28<br>
+**Build**: V8.13.520.2025.12.02<br>
 
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
 

docs/DOCUMENTATION.md

@@ -8,14 +8,14 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.28<br>
+**Build**: V8.13.520.2025.12.02<br>
 
 # 2.1. Usage
 ````text
                         CDLB(1)                        CISS.debian.live.builder                        CDLB(1)
 
 CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V8.13.512.2025.11.28
+Master V8.13.520.2025.12.02
 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 
 (c) Marc S. Weidner, 2018 - 2025
@@ -146,7 +146,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 💷 Please consider donating to my work at:
 🌐 https://coresecret.eu/spenden/
 
-                        V8.13.512.2025.11.28                        2025-11-06                         CDLB(1)
+                        V8.13.520.2025.12.02                        2025-11-06                         CDLB(1)
 ````
 
 # 3. Booting

docs/MAN_CISS_ISO_BOOT_CHAIN.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.28<br>
+**Build**: V8.13.520.2025.12.02<br>
 
 # 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation)
 

docs/MAN_SSH_Host_Key_Policy.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.28<br>
+**Build**: V8.13.520.2025.12.02<br>
 
 # 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer
 

docs/REFERENCES.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.28<br>
+**Build**: V8.13.520.2025.12.02<br>
 
 # 2. Resources
 

lib/lib_ciss_signatures.sh

@@ -17,7 +17,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 # Module to export GPG FPRs into scripts:
 #  - /etc/initramfs-tools/files/unlock_wrapper.sh
 #  - /usr/lib/live/boot/0030-ciss-verify-checksums
-#  - /etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh
+#  - /usr/lib/live/boot/0042_ciss_post_decrypt_attest
 # Globals:
 #   BASH_SOURCE
 #   VAR_HANDLER_BUILD_DIR
@@ -34,8 +34,8 @@ ciss_signatures() {
 
   declare -ar _ary_target=(
     "/etc/initramfs-tools/files/unlock_wrapper.sh"
-    "/etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh"
     "/usr/lib/live/boot/0030-ciss-verify-checksums"
+    "/usr/lib/live/boot/0042_ciss_post_decrypt_attest"
   )
 
   declare _target="" target=""

lib/lib_usage.sh

@@ -39,13 +39,13 @@ usage() {
   # shellcheck disable=SC2155
   declare var_header=$(center "CDLB(1)                        CISS.debian.live.builder                        CDLB(1)" "${var_cols}")
   # shellcheck disable=SC2155
-  declare var_footer=$(center "V8.13.512.2025.11.28                        2025-11-06                         CDLB(1)" "${var_cols}")
+  declare var_footer=$(center "V8.13.520.2025.12.02                        2025-11-06                         CDLB(1)" "${var_cols}")
 
   {
     echo -e "\e[1;97m${var_header}\e[0m"
     echo
     echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V8.13.512.2025.11.28\e[0m"
+    echo -e "\e[92mMaster V8.13.520.2025.12.02\e[0m"
     echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
     echo
     echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"

scripts/usr/local/sbin/9999_cdi_starter.sh

@@ -130,7 +130,7 @@ main() {
   touch "${var_log}"
 
 
-  printf "CISS.debian.installer Master V8.13.512.2025.11.28 is up! \n" >> "${var_log}"
+  printf "CISS.debian.installer Master V8.13.520.2025.12.02 is up! \n" >> "${var_log}"
 
   ### Sleep a moment to settle boot artifacts.
   sleep 8
@@ -209,7 +209,7 @@ main() {
 
   ### Timeout reached without acceptable semaphore.
   logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
-  printf "CISS.debian.installer Master V8.13.512.2025.11.28: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
+  printf "CISS.debian.installer Master V8.13.520.2025.12.02: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
 
   exit 0
 }

var/early.var.sh

@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
 declare -grx VAR_HOST="$(uname -n)"
 declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
-declare -grx VAR_VERSION="Master V8.13.512.2025.11.28"
+declare -grx VAR_VERSION="Master V8.13.520.2025.12.02"
 declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
   # Print $4 and $5; include $6 only if it exists
   out = $4