V8.03.912.2025.07.23

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-07-23 21:11:43 +02:00
parent c969ed6e88
commit a0140a7b53
43 changed files with 149 additions and 122 deletions
--- a/.archive/.0000_lib_usage.sh
+++ b/.archive/.0000_lib_usage.sh
@@ -21,7 +21,7 @@ usage() {
  clear
  cat << EOF
 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.03.896.2025.07.22\e[0m")
+$(echo -e "\e[92mMaster V8.03.912.2025.07.23\e[0m")
 $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")

 $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.03.896.2025.07.22"
+      placeholder: "e.g., Master V8.03.912.2025.07.23"
    validations:
      required: true

--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.896.2025.07.22
+### Version Master V8.03.912.2025.07.23

 FROM debian:bookworm

--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.896.2025.07.22
+### Version Master V8.03.912.2025.07.23

 name: 🔁 Render README.md to README.html.

--- a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.03.896.2025.07.22
+  version: V8.03.912.2025.07.23
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.03.896.2025.07.22
+  version: V8.03.912.2025.07.23
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PUBLIC.yaml
+++ b/.gitea/trigger/t_generate_PUBLIC.yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.03.896.2025.07.22
+  version: V8.03.912.2025.07.23
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.03.896.2025.07.22
+  version: V8.03.912.2025.07.23
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.896.2025.07.22
+### Version Master V8.03.912.2025.07.23

 name: 🔐 Generating a Private Live ISO FLV 0.

--- a/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.896.2025.07.22
+### Version Master V8.03.912.2025.07.23

 name: 🔐 Generating a Private Live ISO FLV 1.

--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.896.2025.07.22
+### Version Master V8.03.912.2025.07.23

 name: 💙 Generating a PUBLIC Live ISO.

--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.896.2025.07.22
+### Version Master V8.03.912.2025.07.23

 # Gitea Workflow: Shell-Script Linting
 #
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.896.2025.07.22
+### Version Master V8.03.912.2025.07.23

 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.

--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.896.2025.07.22
+### Version Master V8.03.912.2025.07.23

 name: 🔁 Render Graphviz Diagrams.

--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.03.896.2025.07.22"
+properties_version="V8.03.912.2025.07.23"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.03.896.2025.07.22
+PackageVersion: Master V8.03.912.2025.07.23
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.896.2025.07.22-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.912.2025.07.23-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -26,7 +26,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.896.2025.07.22<br>
+**Build**: V8.03.912.2025.07.23<br>

 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -142,7 +142,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-

 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.

-Example: `V8.03.896.2025.07.22`
+Example: `V8.03.912.2025.07.23`

 `x.y.z` represents major (x), minor (y), and patch (z) version increments.

--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.896.2025.07.22
+### Version Master V8.03.912.2025.07.23

 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.896.2025.07.22
+### Version Master V8.03.912.2025.07.23

 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-declare -gr VERSION="Master V8.03.896.2025.07.22"
+declare -gr VERSION="Master V8.03.912.2025.07.23"

 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh

 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.03.896.2025.07.22 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.03.912.2025.07.23 at: 10:18:37.9542
--- a/config/includes.chroot/root/.bashrc
+++ b/config/includes.chroot/root/.bashrc
@@ -10,25 +10,6 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# ~/.bashrc: executed by bash(1) for non-login shells.
-
-# Note: PS1 and umask are already set in /etc/profile. You should not
-# need this unless you want different defaults for root.
-# PS1='${debian_chroot:+($debian_chroot)}\h:\w\$ '
-# umask 022
-
-# You may uncomment the following lines if you want `ls' to be colorized:
-# export LS_OPTIONS='--color=auto'
-# eval "$(dircolors)"
-# alias ls='ls $LS_OPTIONS'
-# alias ll='ls $LS_OPTIONS -l'
-# alias l='ls $LS_OPTIONS -lA'
-#
-# Some more alias to avoid making mistakes:
-# alias rm='rm -i'
-# alias cp='cp -i'
-# alias mv='mv -i'
-
 [[ $- != *i* ]] && return

 trap ' "${SHELL}" /root/.ciss/clean_logout.sh ' 0
@@ -55,15 +36,8 @@ export CMAG='\033[1;95m'
 export CCYA='\033[1;96m'
 export CWHI='\033[1;97m'
 export CRES='\033[0m'
+export NL='\n'

-#if [[ "${UID}" -eq 0 ]]; then
-#  export user_color="${CRED}"
-#else
-#  export user_color="${CGRE}"
-#fi
-
-### Define bash colorful prompt
-# PS1="${user_color}\d${CRES}|${user_color}\u${CRES}@${CMAG}\h${CRES}:${CCYA}\w${CRES}/>>\$(if [[ \$? -eq 0 ]]; then echo -e \"${CGRE}\$?${CRES}\"; else echo -e \"${CRED}\$?${CRES}\"; fi)|~\$ "
 PS1="\
 \[\033[1;91m\]\d\[\033[0m\]|\[\033[1;91m\]\u\[\033[0m\]@\
 \[\033[1;95m\]\h\[\033[0m\]:\
@@ -83,10 +57,22 @@ alias cp="cp -iv"
 alias mv='mv -iv'
 alias rm='rm -iv'

-# Welcome message after login
+### Welcome message after login
+#printf "\n"
+#printf "\e[91m🔐 Coresecret Channel Established. \e[0m\n"
+#printf "\e[92m✅ Welcome back\e[0m"
+#printf "\e[95m '%s' \e[0m" "${USER}"; printf "\e[92m! Type\e[0m"; printf "\e[95m 'celp'\e[0m"; printf "\e[92m for shortcuts. \e[0m\n"
+#printf "\n"
+#printf "\n"
+
+### Welcome message after login.
 printf "\n"
-printf "\e[91m🔐 Coresecret Channel Established. \e[0m\n"
-printf "\e[92m✅ Welcome back\e[0m"; printf "\e[95m '%s' \e[0m" "${USER}"; printf "\e[92m! Type\e[0m"; printf "\e[95m 'celp'\e[0m"; printf "\e[92m for shortcuts. \e[0m\n"
+printf "%s🔐 Coresecret Channel Established. %s%s" "${CRED}" "${CRES}" "${NL}"
+printf "%s✅ Welcome back %s " "${CGRE}" "${CRES}"
+printf "%s'%s'%s" "${CMAG}" "${USER}" "${CRES}"
+printf "%s! Type%s " "${CGRE}" "${CRES}"
+printf "%s'celp'%s " "${CMAG}" "${CRES}"
+printf "%sfor shortcuts. %s%s" "${CGRE}" "${CRES}" "${NL}"
 printf "\n"
 printf "\n"

--- a/config/includes.chroot/root/.ciss/alias
+++ b/config/includes.chroot/root/.ciss/alias
@@ -11,16 +11,6 @@
 # SPDX-Security-Contact: security@coresecret.eu

 ########################################################################################### Alpha
-#######################################
-# Outputs a 16-character random printable string
-# Arguments:
-#   None
-#######################################
-genstring() {
-  (haveged -n 1000 -f - 2>/dev/null | tr -cd '[:graph:]' | fold -w 16 && echo ) | head
-}
-
-# Generates 1,048,576 random bytes into a timestamped file
 alias genkeyfile='haveged -n 1048576 >| /tmp/secure_keyfile_$(date +%s)'

 ########################################################################################### Bash
@@ -105,11 +95,11 @@ alias whatpurge='dpkg --get-selections | grep deinstall'

 ########################################################################################### Functions

-###########################################################################################
+#######################################
 # Generates Secure (/dev/random) Passwords
 # Arguments:
 #    Length of Password, e.g., 32, and --base64 in case of encoding in BASE64.
-###########################################################################################
+#######################################
 # shellcheck disable=SC2317
 genpasswd() {
  declare -i length=32
@@ -129,6 +119,7 @@ genpasswd() {
  done

  declare passwd
+  # shellcheck disable=SC2312
  passwd=$(tr -dc 'A-Za-z0-9_' < /dev/random | head -c "${length}")

  if [[ ${usebase64} -eq 1 ]]; then
@@ -146,12 +137,27 @@ genpasswd() {
 # shellcheck disable=SC2317
 genpasswdhash() {
  declare salt
+  # shellcheck disable=SC2312
  salt=$(tr -dc 'A-Za-z0-9' < /dev/random | head -c 16)
  mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608
 }

+#######################################
+# Outputs a 16-character random printable string
+# Arguments:
+#   None
+#######################################
+genstring() {
+  # shellcheck disable=SC2312
+  (haveged -n 1000 -f - 2>/dev/null | tr -cd '[:graph:]' | fold -w 16 && echo ) | head
+}
+
 #######################################
 # Wrapper for secure curl
+# Globals:
+#   CRED
+#   CRES
+#   NL
 # Arguments:
 #   1: URL from which to download a specific file
 #   2: /path/to/file to be saved to
@@ -162,7 +168,7 @@ genpasswdhash() {
 #######################################
 scurl() {
  if [[ $# -ne 2 ]]; then
-    printf "\e[91m❌ Error: Usage: scurl <URL> <path/to/file>.\e[0m\n" >&2
+    printf "%s❌ Error: Usage: scurl <URL> <path/to/file>. %s%s" "${CRED}" "${CRES}" "${NL}" >&2
    return 1
  fi
  declare url="$1"
@@ -174,7 +180,7 @@ scurl() {
            -o "${output_path}" \
            "${url}"
  then
-    printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "${url}" >&2
+    printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
    return 2
  fi
  return 0
@@ -182,6 +188,10 @@ scurl() {

 #######################################
 # Wrapper for secure wget
+# Globals:
+#   CRED
+#   CRES
+#   NL
 # Arguments:
 #   1: URL from which to download a specific file
 #   2: /path/to/file to be saved to
@@ -192,7 +202,7 @@ scurl() {
 #######################################
 swget() {
  if [[ $# -ne 2 ]]; then
-    printf "\e[91m❌ Error: Usage: swget <URL> <path/to/file>.\e[0m\n" >&2
+    printf "%s❌ Error: Usage: swget <URL> <path/to/file>. %s%s" "${CRED}" "${CRES}" "${NL}" >&2
    return 1
  fi
  declare url="$1"
@@ -205,21 +215,22 @@ swget() {
            -qO "${output_path}" \
            "${url}"
  then
-    printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "$url" >&2
+    printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
    return 2
  fi
  return 0
 }

 #######################################
-# Wrapper for loading CISS.2025 hardened Kernel Parameters
+# Wrapper for loading CISS.2025 hardened Kernel Parameters.
 # Arguments:
 #   None
 #######################################
 sysp() {
  sysctl -p /etc/sysctl.d/99_local.hardened
  # sleep 1
-  sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
+  # shellcheck disable=SC2312
+  sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
 }

 #######################################
@@ -239,9 +250,10 @@ trel() {
 #######################################
 whichpackage() {
  if ! command -v "$1" >/dev/null 2>&1; then
-    printf 'Error: Program '%s' not found.\n' "$1" >&2
+    printf '%s❌ Error: Program '%s' not found. %s%s' "${CRED}" "$1" "${CRES}" "${NL}" >&2
    exit 1
  fi
+  # shellcheck disable=SC2230,SC2312
  dpkg -S "$(which "$1")"
 }

@@ -253,6 +265,7 @@ whichpackage() {
 #   3: Number of Entries (defaults 16)
 #######################################
 whichused() {
+  # shellcheck disable=SC2312
  du -h --max-depth="${2:-1}" "${1:-/var}" | sort -hr | head -n "${3:-16}"
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/f2bchk.sh
+++ b/config/includes.chroot/root/.ciss/f2bchk.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+set -Ceuo pipefail
+
 #######################################
 # Wrapper for fail2ban filter checks against logs.
 # Usage: f2bchk --mode=ignored || --mode=matched  || --mode=missed \
@@ -17,16 +19,18 @@
 #               --log=/var/log/ufw.log \
 #               --output=/tmp/f2bchk.log
 # Globals:
-#   DEFAULT_FILTER
-#   DEFAULT_LOG
-#   DEFAULT_MODE
+#   CGRE
+#   CRED
+#   CRES
+#   NL
 # Arguments:
-#  None
+#   None
 # Returns:
-#   1 In case of any errors
+#   0: on success
+#   1: In case of any errors
 #######################################
 f2bchk(){
-  # Declare default values (readonly)
+  ### Declare default values (readonly)
  declare -r DEFAULT_MODE="matched"
  declare -r DEFAULT_FILTER="/etc/fail2ban/filter.d/ufw.aggressive.conf"
  declare -r DEFAULT_LOG="/var/log/ufw.log"
@@ -44,7 +48,7 @@ f2bchk(){
      --log=*)    log="${arg#--log=}";;
      --output=*) output="${arg#--output=}";;
      *)
-        printf "\e[31m[ERROR]\e[0m Unknown argument: %s\n" "${arg}"
+        printf "%s[ERROR]%s Unknown argument: '%s' %s" "${CRED}" "${CRES}" "${arg}" "${CRED}"
        return 1
        ;;
    esac
@@ -56,7 +60,7 @@ f2bchk(){
    matched) flag="--print-all-matched"; suffix="all.matched";;
    missed)  flag="--print-all-missed";  suffix="all.missed";;
    *)
-      printf "\e[31m[ERROR]\e[0m Invalid mode: %s\n" "${mode}"
+      printf "%s[ERROR]%s Invalid mode: '%s' %s" "${CRED}" "${CRES}" "${mode}" "${NL}"
      return 1
      ;;
  esac
@@ -66,22 +70,30 @@ f2bchk(){
    filter_name="${filter_name%.conf}"
    output="/tmp/${filter_name}.${suffix}.log"
  fi
+
  if [[ ! -r "${log}" ]]; then
-    printf "\e[31m[ERROR]\e[0m Log file '%s' not found or not readable.\n" "${log}"
-    return 1
-  fi
-  if [[ ! -r "${filter}" ]]; then
-    printf "\e[31m[ERROR]\e[0m Filter file '%s' not found or not readable.\n" "${filter}"
+    printf "%s[ERROR]%s Log file '%s' not found or not readable. %s" "${CRED}" "${CRES}" "${log}" "${NL}"
    return 1
  fi

-  printf "\e[33m[INFO]\e[0m Running: fail2ban-regex %s %s %s\n" "${log}" "${filter}" "${flag}"
-  if fail2ban-regex "${log}" "${filter}" "${flag}" >| "${output}"; then
-    printf "\e[32m[SUCCESS]\e[0m Saved log to %s\n" "$output"
-    printf "You can view it with: cat %s\n" "$output"
-  else
-    printf "\e[31m[ERROR]\e[0m fail2ban-regex execution failed.\n"
+  if [[ ! -r "${filter}" ]]; then
+    printf "%s[ERROR]%s Filter file '%s' not found or not readable. %s" "${CRED}" "${CRES}" "${filter}" "${NL}"
    return 1
  fi
+
+  printf "%s[INFO]%s Running: fail2ban-regex '%s %s %s' %s" "${CGRE}" "${CRES}" "${log}" "${filter}" "${flag}" "${NL}"
+
+  if fail2ban-regex "${log}" "${filter}" "${flag}" >| "${output}"; then
+
+    printf "%s[SUCCESS]%s Saved log to: '%s' %s" "${CGRE}" "${CRES}" "${output}" "${NL}"
+    printf "You can view it with: cat %s%s" "${output}" "${NL}"
+  else
+
+    printf "%s[ERROR]%s fail2ban-regex execution failed. %s" "${CRED}" "${CRES}" "${NL}"
+    return 1
+
+  fi
+
+  exit 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/scan_libwrap
+++ b/config/includes.chroot/root/.ciss/scan_libwrap
@@ -12,30 +12,38 @@

 #######################################
 # Scanner for 'libwrap' usage.
+# Globals:
+#   CGRE
+#   CRES
+#   NL
 # Arguments:
-#  None
+#   None
 #######################################
 scanlw() {
-  printf "\e[92m🔍 Scanning all running processes for 'libwrap' usage ... \e[0m\n"
+  printf "%s🔍 Scanning all running processes for 'libwrap' usage ... %s%s" "${CGRE}" "${CRES}" "${NL}"
  printf "\n"

-  # Collect binaries from all running PIDs
+  ### Collect binaries from all running PIDs.
  declare pid exe_path comm user

  for pid in $(ps -e -o pid=); do
    exe_path=$(readlink -f "/proc/${pid}/exe" 2>/dev/null)

-    # Skip if not a regular executable
+    ### Skip if not a regular executable.
    [[ -x "${exe_path}" ]] || continue

-    # Check if the binary is linked with libwrap
-    if ldd "$exe_path" 2>/dev/null | grep -q "libwrap"; then
-      comm=$(ps -p "$pid" -o comm=)
-      user=$(ps -p "$pid" -o user=)
-      printf "\e[92m✅ PID: %s (%s) [User: %s] is linked with 'libwrap.so'. \e[0m\n" "${pid}" "${comm}" "${user}"
+    ### Check if the binary is linked with libwrap.
+    # shellcheck disable=SC2312
+    if ldd "${exe_path}" 2>/dev/null | grep -q "libwrap"; then
+      comm=$(ps -p "${pid}" -o comm=)
+      user=$(ps -p "${pid}" -o user=)
+      printf "%s✅ PID: %s (%s) [User: %s] is linked with 'libwrap.so'. %s%s" "${CGRE}" "${pid}" "${comm}" "${user}" "${CRES}" "${NL}"
    fi
  done
+
  printf "\n"
-  printf "\e[92m✅ Scan complete. \e[0m\n"
+  printf "%s✅ Scan complete. %s%s" "${CGRE}" "${CRES}" "${NL}"
+
+  exit 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/shortcuts
+++ b/config/includes.chroot/root/.ciss/shortcuts
@@ -104,7 +104,7 @@ celp() {
  declare i=0
  declare entry
  for entry in "${arr[@]}"; do
-    # Print entry left-aligned in fixed width, colored
+    ### Print entry left-aligned in fixed width, colored.
    printf "${CMAG}%-${col_width}s${CRES}" "${entry}"
    ((i++))
    if ((i % cols == 0)); then
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.896.2025.07.22<br>
+**Build**: V8.03.912.2025.07.23<br>

 # 2. DNSSEC Status

--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.896.2025.07.22<br>
+**Build**: V8.03.912.2025.07.23<br>

 # 2. Haveged Audit on Netcup RS 2000 G11

--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.896.2025.07.22<br>
+**Build**: V8.03.912.2025.07.23<br>

 # 2. Lynis Audit:

--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.896.2025.07.22<br>
+**Build**: V8.03.912.2025.07.23<br>

 # 2. SSH Audit by ssh-audit.com

--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.896.2025.07.22<br>
+**Build**: V8.03.912.2025.07.23<br>

 # 2. TLS Audit:

--- a/docs/BOOTPARAMS.md
+++ b/docs/BOOTPARAMS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.896.2025.07.22<br>
+**Build**: V8.03.912.2025.07.23<br>

 # 2. Hardened Kernel Boot Parameters

--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -8,10 +8,18 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.896.2025.07.22<br>
+**Build**: V8.03.912.2025.07.23<br>

 # 2. Changelog

+## V8.03.912.2025.07.23
+
+* Updated: [alias](../config/includes.chroot/root/.ciss/alias)
+* Updated: [f2bchk.sh](../config/includes.chroot/root/.ciss/f2bchk.sh)
+* Updated: [scan_libwrap](../config/includes.chroot/root/.ciss/scan_libwrap)
+* Updated: [shortcuts](../config/includes.chroot/root/.ciss/shortcuts)
+* Updated: [.bashrc](../config/includes.chroot/root/.bashrc)
+
 ## V8.03.896.2025.07.22

 * Added: [.shellcheckrc](../.shellcheckrc)
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.896.2025.07.22<br>
+**Build**: V8.03.912.2025.07.23<br>

 # 2. Centurion Net - Developer Branch Overview

--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.896.2025.07.22<br>
+**Build**: V8.03.912.2025.07.23<br>

 # 2. Coding Style

--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.896.2025.07.22<br>
+**Build**: V8.03.912.2025.07.23<br>

 # 2. Contributing / participating

--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.896.2025.07.22<br>
+**Build**: V8.03.912.2025.07.23<br>

 # 2. Credits

--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.896.2025.07.22<br>
+**Build**: V8.03.912.2025.07.23<br>

 # 2. Download the latest PUBLIC CISS.debian.live.ISO

--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,12 +8,12 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.896.2025.07.22<br>
+**Build**: V8.03.912.2025.07.23<br>

 # 2.1. Usage
 ````text
 CISS.debian.live.builder
-Master V8.03.896.2025.07.22
+Master V8.03.912.2025.07.23
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.

 (c) Marc S. Weidner, 2018 - 2025
@@ -133,7 +133,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
 # 2.2. Contact
 ````text
 CISS.debian.live.builder
-Master V8.03.896.2025.07.22
+Master V8.03.912.2025.07.23
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.

 (c) Marc S. Weidner, 2018 - 2025
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.896.2025.07.22<br>
+**Build**: V8.03.912.2025.07.23<br>

 # 2. Resources

--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -35,13 +35,13 @@ usage() {
  # shellcheck disable=SC2155
  declare var_header=$(center "CLB(1)        CISS.debian.live.builder        CLB(1)" "${var_cols}")
  # shellcheck disable=SC2155
-  declare var_footer=$(center "V8.03.896.2025.07.22        2025-06-25        CLB(1)" "${var_cols}")
+  declare var_footer=$(center "V8.03.912.2025.07.23        2025-06-25        CLB(1)" "${var_cols}")

  {
    echo -e "\e[1;97m${var_header}\e[0m"
    echo
    echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V8.03.896.2025.07.22\e[0m"
+    echo -e "\e[92mMaster V8.03.912.2025.07.23\e[0m"
    echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
    echo
    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
--- a/scripts/9000-cdi-starter
+++ b/scripts/9000-cdi-starter
@@ -15,7 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 # sleep 1

 [[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log
-printf "CISS.debian.installer Master V8.03.896.2025.07.22 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+printf "CISS.debian.installer Master V8.03.912.2025.07.23 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log

 if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then
  chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh
--- a/var/early.var.sh
+++ b/var/early.var.sh
@@ -17,7 +17,7 @@ declare -agx ARY_PARAM_ARRAY=("$@")
 declare -grx VAR_PARAM_COUNT="$#"
 declare -grx VAR_PARAM_STRNG="$*"
 declare -grx VAR_CONTACT="security@coresecret.eu"
-declare -grx VAR_VERSION="Master V8.03.896.2025.07.22"
+declare -grx VAR_VERSION="Master V8.03.912.2025.07.23"
 declare -grx VAR_SYSTEM="$(uname -a)"
 declare -gx  VAR_EARLY_DEBUG="false"
 declare -gx  VAR_HANDLER_AUTOBUILD="false"