V8.02.512.2025.05.30

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-05-30 00:28:39 +02:00
parent 2680012395
commit b2282d3475
172 changed files with 14057 additions and 41 deletions
--- a/.archive/background/club.png
+++ b/.archive/background/club.png
--- a/.archive/background/hexagon.png
+++ b/.archive/background/hexagon.png
--- a/.archive/icon.lib
+++ b/.archive/icon.lib
@@ -0,0 +1,42 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ✅
 🔧
 🔑
 🖥️
 🛠️
 📥
 📦
 📑
 📂
 🔒
 🔐
 ⚙️
 ❌
 🌌
 🎉
 🖥️
 🔑
 📂
 📩
 🔵
 😺
 🧪
 📊
 🧾
 📀
 📉
 ⏱
 🧠
 📅
 💙
 🚫
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/.editorconfig
+++ b/.editorconfig
@@ -0,0 +1,53 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # EditorConfig is awesome: https://editorconfig.org
 root = true
 [*]
 indent_style = space
 indent_size = 2
 tab_width = 2
 max_line_length = 128
 [*.conf]
 end_of_line = lf
 charset = utf-8
 insert_final_newline = true
 trim_trailing_whitespace = true
 [*.md]
 end_of_line = lf
 # Markdown benefits from a final newline for POSIX tools
 insert_final_newline = true
 # Do not trim trailing whitespace: two spaces at end-of-line signal a hard line break in Markdown
 trim_trailing_whitespace = false
 #[*.toml]
 #end_of_line = lf
 #insert_final_newline = true
 ## TOML values can include strings where trailing spaces may matter; better not trim
 #trim_trailing_whitespace = false
 #charset = utf-8
 [*.{yaml,yml}]
 end_of_line = lf
 insert_final_newline = true
 # Trim trailing whitespace (safe, since YAML does not rely on trailing spaces)
 trim_trailing_whitespace = true
 [*.{sh,bash,zsh}]
 end_of_line = lf
 charset = utf-8
 insert_final_newline = true
 trim_trailing_whitespace = true
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -0,0 +1,94 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ---
 name: "Bug Report"
 about: "Create a report to help us improve"
 title: "[BUG | possible BUG]: "
 labels: "bug:to be reproduced,bug:needs triage/confirmation"
 assignees: ""
 ---
 body:
  # Instructions for the reporter
  - type: markdown
    attributes:
      value: |
        _Please provide concise information to reproduce the bug; issues lacking detail may be closed._
  # Version information
  - type: input
    id: version
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
      placeholder: "e.g., Master V8.02.080.2025.05.19"
    validations:
      required: true
  # Known issues check
  - type: textarea
    id: known_issue
    attributes:
      label: "Search for known issues"
      description: "Is this a known problem? Link to related issues or state 'none found'."
      placeholder: "e.g., #1234 or none found"
    validations:
      required: true
  # Reproduction steps
  - type: textarea
    id: reproduction
    attributes:
      label: "Command line"
      description: |
        Which command did you run, and against which target?
        If you prefer not to disclose publicly, use `security@coresecret.eu`.
      placeholder: "e.g., ./ciss_live_builder.sh --debug"
    validations:
      required: true
  # Expected behavior
  - type: textarea
    id: expected
    attributes:
      label: "Expected behavior"
      description: "Describe clearly what you expected to happen."
      placeholder: "e.g., Build completes without errors"
    validations:
      required: true
  # System information
  - type: input
    id: os
    attributes:
      label: "Operating System"
      description: "Retrieve via `awk -F\" '/PRETTY_NAME/ { print $2 }' /etc/os-release`."
      placeholder: "e.g., Debian GNU/Linux 12 (bookworm)"
    validations:
      required: true
  - type: input
    id: platform
    attributes:
      label: "Platform"
      description: "Retrieve via `uname -srm`."
      placeholder: "e.g., Linux 6.12.22+bpo-amd64 x86_64"
    validations:
      required: true
  # Additional context
  - type: textarea
    id: additional_context
    attributes:
      label: "Additional context"
      description: "Any other information about the problem."
      placeholder: "e.g., Logs, screenshots, configuration snippets"
    validations:
      required: false
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/ISSUE_TEMPLATE/PULL_REQUEST_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/PULL_REQUEST_TEMPLATE.yaml
@@ -0,0 +1,55 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ---
 name: "Standard-PR"
 about: "Please answer the following questions before submitting the PR."
 title: "[PR]: "
 ref: "master"
 body:
  - type: markdown
    attributes:
      value: |
        Thank you for your PR.
  # Section for free-form description
  - type: textarea
    id: description
    attributes:
      label: "Describe your changes"
      description: "Please refer to an issue here or describe the change thoroughly in your PR."
      placeholder: "e.g., Fix typo in README"
    validations:
      required: true
  # Section for categorizing the PR
  - type: checkboxes
    id: pr-type
    attributes:
      label: "What is your pull request about?"
      options:
        - label: "Bug fix"
        - label: "Improvement"
        - label: "New feature (adds functionality)"
        - label: "Breaking change (existing functionality may not work)"
        - label: "Typo fix"
        - label: "Documentation update"
        - label: "Update of other files"
  # Section for code-quality checklist
  - type: checkboxes
    id: code-checklist
    attributes:
      label: "If this is a code change, please check all that apply:"
      options:
        - label: "My edits contain no tabs, use two-space indentation, and no trailing whitespace"
        - label: "I have read ~/docs/CONTRIBUTING.md and ~/docs/CODING_CONVENTION.md"
        - label: "I have tested this fix or improvement on ≥2 VMs without issues"
        - label: "I have tested this new feature on ≥2 VMs with and without it to avoid side effects"
        - label: "Documentation and/or 'usage()' and/or 'arg_parser' have been updated for the new feature"
        - label: "I added myself to ~/docs/CREDITS.md (alphabetical) and updated ~/docs/CHANGELOG.md"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/properties/json/gitea-issue-config.json
+++ b/.gitea/properties/json/gitea-issue-config.json
@@ -0,0 +1,45 @@
 {
  "$schema": "http://json-schema.org/draft-07/schema#",
  "$id": "https://json.schemastore.org/gitea-issue-config.json",
  "$comment": "https://docs.gitea.com/usage/issue-pull-request-templates#syntax-for-issue-config",
  "properties": {
    "blank_issues_enabled": {
      "description": "Specify whether forms have to be used or blank issue are allowed\nhttps://docs.gitea.com/usage/issue-pull-request-templates#possible-options",
      "type": "boolean"
    },
    "contact_links": {
      "title": "contact links",
      "description": "Contact links\nhttps://docs.gitea.com/usage/issue-pull-request-templates#possible-options",
      "type": "array",
      "minItems": 1,
      "items": {
        "type": "object",
        "required": ["name", "url", "about"],
        "properties": {
          "name": {
            "description": "The name of your link\nhttps://docs.gitea.com/usage/issue-pull-request-templates#contact-link",
            "type": "string",
            "minLength": 1,
            "examples": ["Sample name"]
          },
          "url": {
            "description": "The URL of your Link\nhttps://docs.gitea.com/usage/issue-pull-request-templates#contact-link",
            "type": "string",
            "pattern": "^https?://",
            "examples": ["https://sample/url"]
          },
          "about": {
            "description": "A short description of your Link\nhttps://docs.gitea.com/usage/issue-pull-request-templates#contact-link",
            "type": "string",
            "minLength": 1,
            "examples": ["Sample description"]
          }
        },
        "additionalProperties": false
      }
    }
  },
  "additionalProperties": false,
  "title": "Gitea issue template chooser config file schema",
  "type": "object"
 }
--- a/.gitea/properties/json/gitea-workflow-config.json
+++ b/.gitea/properties/json/gitea-workflow-config.json
@@ -0,0 +1,12 @@
 {
  "$schema": "http://json-schema.org/draft-07/schema#",
  "allOf": [
    { "$ref": "https://json.schemastore.org/github-workflow.json" },
    {
      "properties": {
        "kind": { "type": "string", "enum": ["pipeline"] },
        "type": { "type": "string", "enum": ["docker"] }
      }
    }
  ]
 }
--- a/.gitea/properties/json/github-workflow.json
+++ b/.gitea/properties/json/github-workflow.json
--- a/.gitea/properties/lua/linkfix.lua
+++ b/.gitea/properties/lua/linkfix.lua
@@ -0,0 +1,8 @@
 -- Linkfix.lua
 function Link (el)
    -- wenn Linkziel auf .md endet, ändere es zu .html
    if el.target:match('%.md$') then
        el.target = el.target:gsub('%.md$', '.html')
    end
    return el
 end
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,20 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 .checklist/
 .idea/
 build/
 out/
 target/
 *.DS_Store
 *.log
 *.ps1
 Thumbs.db
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/.pubkey/centurion_intelligence_consulting_agency_2025_root_x448_Master_Signing_Key_Offline_0x4EADE462_public.asc
+++ b/.pubkey/centurion_intelligence_consulting_agency_2025_root_x448_Master_Signing_Key_Offline_0x4EADE462_public.asc
@@ -0,0 +1,12 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mEkFaDXW/RYAAAA/AytlcQHI0wBCQVlX/T1P1op2zxMcvSXsIO6Ry5dVxzJyWFkB
 SB0utYV5PVOcoparGuxuVV5h5q538FMowsAAtFZDZW50dXJpb24gSW50ZWxsaWdl
 bmNlIENvbnN1bHRpbmcgQWdlbmN5IDIwMjUgUm9vdCB4NDQ4IChNYXN0ZXIgU2ln
 bmluZyBLZXkgW09mZmxpbmVdKYjNBRMWCABNAhsBBQsJCAcCAiICBhUKCQgLAgQW
 AgMBAh4HAheAIiEFb9PDFk6t5GIBJKfozM13iXXLB7VAp8veRtbuNEidacIFAmg1
 4c0FCRezg7YAAJycAcdFA+KOZ0U3+AhnNJWm4SXCgzwfJ2Rg10uUt/iiKNtiagDG
 xifwXGd5fh2Om/oFdYkgf48GAVVDE4ABx1x6OmN6dt6GWHCKgienVOgKhu+Cl/04
 c3Sth4dGCosfFJNUaNmfja5GQ/wQKLVQ0C4TjuJXHCkEAA==
 =bk/i
 -----END PGP PUBLIC KEY BLOCK-----
--- a/.pubkey/marc_s_weidner_msw+bot@coreseret.dev_0x8733B021_public.asc
+++ b/.pubkey/marc_s_weidner_msw+bot@coreseret.dev_0x8733B021_public.asc
@@ -0,0 +1,18 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mDMEaDcItBYJKwYBBAHaRw8BAQdAFyGLpFASTiK4vBgycV2wjb3ZaNqhjZ33E1ir
 MiU98Fu0LE1hcmMgUy4gV2VpZG5lciBCT1QgPG1zdytib3RAY29yZXNlY3JldC5k
 ZXY+iJkEExYIAEEWIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaDcItAIbAwUJCKVq
 fAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRA85KY4hzOwIVOoAQD9WXoh
 Isjs4q7RCAtCXXWO4y4p8Dmn1AjCRN07vBYskQEAu/LjJYpjC553SnLPEN2PjZBt
 pNkwp/fMg2oigxRkygyI1AUQFggAVCIhBW/TwxZOreRiASSn6MzNd4l1ywe1QKfL
 3kbW7jRInWnCBQJoNwjMBYMIpYaAJBSAAAAAAA0ADnJlbUBnbnVwZy5vcmdDZW50
 dXJpb24sQ0lDQQAA3TABxjNpYGUWhvt6x3h688F1KJfeWrrMetflFZBA3UzoIAAg
 SltgMYRnCzpZFGnQILKgj9jyakwckxFLAAHHY/I0Fxmc5ujfkGScUhUKPhruVT2x
 w4aHogEuE9Ebu94JuvBQX3+RlHjG+47qG7bmAT81E47Hih0AuDgEaDcItBIKKwYB
 BAGXVQEFAQEHQOKAnInWn3Wy1fUJJD7bycrXEx6SoLejW5/0jGIG2VdGAwEIB4h+
 BBgWCAAmFiEEqmJzzDShs+vWn8hwPOSmOIczsCEFAmg3CLQCGwwFCQilanwACgkQ
 POSmOIczsCHztAEA2AWCPQ8V8hNdEBvYHwRye8Q9FJO7IyciwwpjH1nOBLMBAJS2
 OSrjMYBFaumow950s7T2d7BEpnxJBtCwfuF+RwgI
 =QwhF
 -----END PGP PUBLIC KEY BLOCK-----
--- a/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.asc
+++ b/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.asc
@@ -0,0 +1,13 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mDMEaCxYpRYJKwYBBAHaRw8BAQdAr9mRwJ44x3qirCRbE+qjgwBDzZLVkKXvC4UI
 AHxvyMK0JE1hcmMgUy4gV2VpZG5lciA8bXN3QGNvcmVzZWNyZXQuZGV2PoiZBBMW
 CABBFiEEh/wgoINpSv+4MwEbhAKZkeYuhPgFAmgsWKUCGwMFCQiwGosFCwkIBwIC
 IgIGFQoJCAsCBBYCAwECHgcCF4AACgkQhAKZkeYuhPhWnQEAulGegHfBva0ezN5/
 VVqLqDVTe+etr3crCcxKpj8gg7wA/3OfkCvgPht18OoIQbR1IA7jDBSOKvY8OfcR
 1632dZIIuDgEaCxYpRIKKwYBBAGXVQEFAQEHQP34OGSMdCMM8Ku/QY7NC81xbL0h
 kOFdDGlKlA865+kpAwEIB4h+BBgWCAAmFiEEh/wgoINpSv+4MwEbhAKZkeYuhPgF
 AmgsWKUCGwwFCQiwGosACgkQhAKZkeYuhPhnjgD+IHh9XhE+s3VB3ItDIgtT9gTA
 S8ET80dQcFmFGYfjs/oBALmXXxceE+aSd2VO6dumqhtzWCGE7S52/50hxRgLsi8G
 =C3ox
 -----END PGP PUBLIC KEY BLOCK-----
--- a/.pubkey/marc_s_weidner_rfc.editor@coresecret.eu_0x9A3D8CF6_public.asc
+++ b/.pubkey/marc_s_weidner_rfc.editor@coresecret.eu_0x9A3D8CF6_public.asc
@@ -0,0 +1,52 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQINBGgKhAABEADKXAZwxkr4Wlo0KKjvvxUNycajqFLSEf8CNSkZCzE6/Ya5SlCy
 p/yO8bqMUiL6zFO3A7bt0HYZo3jjU7nyOap0nq2qKgSvLJPeiJF6wk3XQDvJbpCh
 NBi6vlKicWMyJqVtbqQZeX7q4MFrJPQX5JurSOsauAsJ8xz8vOnhesVwh44m7jTf
 Yvuelz0zh/LQkypTaeMA1CXhCtLhoS8V359azO0VHdVaFmxIjsiiU4wKUCNiUgC5
 Z/QhG3v1TlIS5R8tnPrke39TkjRVBXAnW5mVTxE7+hauDhefGlpIDkIr8ACCpgLf
 ZN0sEXH1+DNTvCwDsP9eoEuf5+2l+w0pQ5c0Rsi2RIbrE/Ct9PL9+cXDYOkNk4fa
 5pws7LzldacBB3XTHhSgTAkF+knk+RNxyrlJ42FAo6HiP+pM3ym/ElFGF0cS/qnU
 h6JR3SDUybI/89t3lPDHEj24+GLxHd/6d0WY0xYMwNElm7DK+BOgKpEQO/ZBqtRP
 crpx81IDInJYjck5z8BAYwnW+CPsAi1cSSFtGBGvem7iKvz7e1nvQcxn9i9HUbiM
 FjrfrFztkSE2ZINoTPUPYNEtLyAm/TQKBCS08uyYjSPaivN1yQ75dm6pIS1OJmGe
 i7SwhU6j4Y8CXdpo3OioemrUuccPbxu18Iw+PovLUvmkAhqFIY6EvYw9ZwARAQAB
 tCpNYXJjIFMuIFdlaWRuZXIgPHJmYy5lZGl0b3JAY29yZXNlY3JldC5ldT6JAlcE
 EwEIAEEWIQR6g0Hl8VcDGdgPRBihHohRmj2M9gUCaAqEAAIbAwUJCrMisAULCQgH
 AgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRChHohRmj2M9o5aD/0ceZqsJC98RyvN
 HM9+Ke+1yhwRGXJ3AdFPMdhhzajBdRpOx/N/xY9sqeWpm4S1/UsLBZsaGxASJvXq
 HXOzOXY+RPlOocBcm3yAzlrz+UU/NhvSnpMOU63mR3pvf6qwwfgqGbtxozNgbb2Y
 g+tV4sG+DhCWO4G0Pb2+qlitBY4vbY9W7TdA805bAWwf7E9Pb2x5kLj7uQUKi3dy
 2YCqgHYqQ9yS7UztiA39zmHh2IRl72ZUKGcBMWFfSpO0Mfgr+mCe+5sTymPfIRqk
 IrTmugCXgCV/xs3nE4lv8C/4eSJsLEmMaFELL7dBjn6dhl+0hEblKQYUgURZaG20
 hh/uaR0X1iwA4D9ipHXCr4CM9/fq5ny2uCihPxI/6xeNU9/rOCDZ+LMpJoe/cwTM
 9aY+toC4tyv4f8lm46XPWm+SujJOaVEI7NNKX/kJR9UZZBii8YYGQ1gSs4HX9PxZ
 G1Nf7qG5cfFBV77M9uQsrKnsXRMZjRtyxnclU9r8NKg4jfNvzqpqAVoynhG+YjKM
 krQreCr1LU9uT3O0ABf1s457C0oNr+YMva9PL5LdXEGHwAL93YgyerzEs1TIik80
 YLEVDeTunMWtb1v/h516q+fk1p2bdNflQUMD3X1Cmj6qRMe1f4ku1I3zcjK0kikI
 MGgOoag7efnNBDDsyhKUP/ZtNzOB9LkCDQRoCoQAARAAnoqlViizlICxSBmWkq3D
 dSBfyK98uY6uA8H/lUhsG/ZTUG0y3kqEZ6JoU2G+QwTMm0/8VutwFoc38142FhqQ
 Gs2imUN+sQRlKdyk8wtoq2Kv4G7XhXBGFsEfScHKQb8VTz8eoHAgtqAzJcLXDO0u
 gHHk5OoOqc93TsT9rimHNNNyKqU20rRe+AJ2Yjn92dIuSQ7B7R7O9U5OflZKrVMO
 e6KSXbbMx+Z/tOOoAC2EWpPE8Vcogs8CFlAUaCKaKcSTwYUZMKJg67voeIZHLKAE
 k4hth+1oGcawfuA7duJBVFlK2u6Vu14c26y7tgZQWge6e7DuXlp0qGyu349M10qF
 p+d0v1oN8h6cfYjDPPvTAdO20iB/c3KaDMNqcGBDUWd366YcLBAzHZO4YDjE4CF1
 7TnZQNMuelg83jl4OIcyDqzATDEY+amOgzvkxsgHw+tihSulGBeliph1n5pfpD3w
 wjrtMskCo4PaFWk8YofO3ZzpMCdIDXg0hR1PvThkXQQR6fccOYd8t5QEOdS9NS53
 fL3ayRvMt5fgwYeo9yfzl5ByTSXeT4BSpz596SG/BdcHxHky7lM8++LuRNrOiy9Q
 xLohwgPonceF4bjL944Ec13lneZunJN8nel8yrjd0cX0ZikWMWoRFk9GejNN6HLo
 /FrIKxSjf8h5UK5Gtn2OgtMAEQEAAYkCPAQYAQgAJhYhBHqDQeXxVwMZ2A9EGKEe
 iFGaPYz2BQJoCoQAAhsMBQkKsyKwAAoJEKEeiFGaPYz2SkMQALjeSyg8HzMLXwN4
 Trt7aW5ef/38J89cav0ouvlY1OggZDiHSXjck7wI0uc0oiB9uVjBj8VfJC4op3bJ
 FNlXANE2j9wDR2idQF6hFWVibznMiYOLdmAv3UPGEwm5mJw3h3oGTMqMxKllOKYk
 sjRD4PwMOz9x43385PO1q0UQO69kQfnLcRm1gR5w8UHM6j1Mp6HcBapnOluf4PZj
 o+5etx3MZBQtDEN5Q80ou3sS2FY23ydmpbn1AGQverr7wUH0ofAgC/xAQ/QJaxWE
 ISVm+6F6gC67UU/DMtw2iq9G/CsBKOglC6anU75UEAQnhkiCaFXlghCX0LGWyVbM
 OQzjlfBgswTQ4lvYV2I8FHbvgKCYuRvEeAqrIgnpK4BfoBZOXhrsanbtXth4Cl82
 euveI/dbSnEa0iXucP39VbvDrzfNmpUlE9HTpiad10YmrYWIR0yEv4TGPnvtWzgj
 ldqhMToXTbuz4bcIEfLLNBEVOXOpEehhpwiXPBmWjCbiSTdt9wcmMXTzjzGyVWoF
 N37P3BcodQWrsIJD5rlBN+mlga2JBfaJndOoYDLTuCNp63O3QO+/B+37hOYHphyu
 Z1UsyA0biHQ2exoMtUn8VrfrVaVjqeKzD5E2C2w8jKh2bNFYjbNoEhmw/ld+wTC4
 h9Da4wsNzL2ADzBfxBgFgm0uI6+7
 =5Jh4
 -----END PGP PUBLIC KEY BLOCK-----
--- a/.pubkey/zimnol_andre_h_git.cs@physnet.eu_0x8A659CC7B4D63AE6_public.asc
+++ b/.pubkey/zimnol_andre_h_git.cs@physnet.eu_0x8A659CC7B4D63AE6_public.asc
@@ -0,0 +1,20 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mDMEaDcAphYJKwYBBAHaRw8BAQdA/9UGPKzDSRCGirPMrePXMMynIida/McCOYe6
 PVcCPpG0MVpJTU5PTCwgQW5kcsOpIEguIFtkZXZlbG9wZXJdIDxnaXQuY3NAcGh5
 c25ldC5ldT6IkQQTFgoAORYhBBmJL29uc6075RFbVoplnMe01jrmBQJoNwCmAhsB
 BQkIpLt+AwsJCAQVCgkIAxYCAwIeBQIXgAAKCRCKZZzHtNY65jKyAQDrk2x/laEP
 YIaRmS7STGBnZjWVwv/eJ5ILFqRhV3sSGQEAwfT2wgporMER+EHz2mRPAaE5TtPB
 SMm4DHug4Yka2A24MwRoNwDmFgkrBgEEAdpHDwEBB0Bx3cbRd0Q/Dn73IcbEvKx5
 +KcP7unYv3rNeirZTGtTfoj1BBgWCgAmFiEEGYkvb25zrTvlEVtWimWcx7TWOuYF
 Amg3AOYCGwIFCQL/zz4AgQkQimWcx7TWOuZ2IAQZFgoAHRYhBEVoBW4odEqUQpSB
 D1za7swLMHUzBQJoNwDmAAoJEFza7swLMHUzYw0A/05Y5GoEsbHH5+LqVf9EI8WN
 ud1kp3M4WRto2KQ2abicAP0W71sTY2Po1XbBDVbFi2fvXkjuCUVeSlotaQgh1YrP
 BtIXAQDabJERY+nNU9T/8pAlFhC3ImAJAXWSpxlIZWU3q12DpQEA3zCIMXBTc7w1
 eREXUft3CupIIT70bCjcTbH5dIYX1w24OARoNwEMEgorBgEEAZdVAQUBAQdAmvb9
 1f/tWoR4ADQytUwrXlXfp/U5Jt7KvWS5URWCjRMDAQgHiH4EGBYKACYWIQQZiS9v
 bnOtO+URW1aKZZzHtNY65gUCaDcBDAIbDAUJAv/PGAAKCRCKZZzHtNY65n/UAQCR
 0W40F4QaD2SnXZS8fmDBK341LTbyhy8JACmKKKB3PAD/Tq/0SfDC0i905OdWcbJ0
 AQfwlnC0kTOkPh2bO1vyfwg=
 =YZAU
 -----END PGP PUBLIC KEY BLOCK-----
--- a/.version.properties
+++ b/.version.properties
@@ -0,0 +1,19 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 properties_SPDX-Version="3.0"
 properties_SPDX-ExternalRef="GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git"
 properties_SPDX-FileCopyrightText="2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>"
 properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.hardened.installer framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
 properties_version="V8.02.512.2025.05.30"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -0,0 +1,23 @@
 SPDXVersion: SPDX-3.0
 DataLicense: CC0-1.0
 SPDX-DocumentName: CISS.debian.live.builder.SPDX
 SPDX-DocumentNamespace: https://git.coresecret.dev/msw/CISS.debian.live.builder
 Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
 PackageVersion: Master V8.02.512.2025.05.30
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageLicenseDeclared: EUPL-1.2 OR LicenseRef-CCLA-1.0
 PackageLicenseConcluded: EUPL-1.2
 License: EUPL-1.2
 LicenseID: EUPL-1.2
 LicenseName: European Union Public License 1.2
 LicenseCrossReference: https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
 License: LicenseRef-CCLA-1.0
 LicenseID: LicenseRef-CCLA-1.0
 LicenseName: Centurion Commercial License Agreement 1.0
 LicenseCrossReference: https://coresecret.eu/imprint/licenses/
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/144
+++ b/144
@@ -1,89 +1,121 @@
 # SPDX-License-Identifier: EUPL-1.2
 EUPL-1.2
 EUROPEAN UNION PUBLIC LICENCE v. 1.2
 EUPL © the European Union 2007, 2016
-This European Union Public Licence (the ‘EUPL’) applies to the Work (as defined below) which is provided under the
+This European Union Public Licence (the 'EUPL') applies to the Work (as defined below) which is provided under the
 terms of this Licence. Any use of the Work, other than as authorised under this Licence is prohibited (to the extent such
-use is covered by a right of the copyright holder of the Work).
+a use is covered by a right of the copyright holder of the Work).
 The Work is provided under the terms of this Licence when the Licensor (as defined below) has placed the following
 notice immediately following the copyright notice for the Work:
                          Licensed under the EUPL
 or has expressed by any other means his willingness to license under the EUPL.
 1.Definitions
 In this Licence, the following terms have the following meaning:
-— ‘The Licence’:this Licence.
+
-— ‘The Original Work’:the work or software distributed or communicated by the Licensor under this Licence, available
+— 'The Licence':this Licence.
 — 'The Original Work':the work or software distributed or communicated by the Licensor under this Licence, available
 as Source Code and also as Executable Code as the case may be.
-— ‘Derivative Works’:the works or software that could be created by the Licensee, based upon the Original Work or
+
 — 'Derivative Works':the works or software that could be created by the Licensee, based upon the Original Work or
 modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work
 required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in
 the country mentioned in Article 15.
-— ‘The Work’:the Original Work or its Derivative Works.
+
-— ‘The Source Code’:the human-readable form of the Work which is the most convenient for people to study and
+— 'The Work':the Original Work or its Derivative Works.
 — 'The Source Code':the human-readable form of the Work, which is the most convenient for people to study and
 modify.
-— ‘The Executable Code’:any code which has generally been compiled and which is meant to be interpreted by
+
 — 'The Executable Code':any code, which has generally been compiled and, which is meant to be interpreted by
 a computer as a program.
-— ‘The Licensor’:the natural or legal person that distributes or communicates the Work under the Licence.
+
-— ‘Contributor(s)’:any natural or legal person who modifies the Work under the Licence, or otherwise contributes to
+— 'The Licensor':the natural or legal person that distributes or communicates the Work under the Licence.
 — 'Contributor(s)':any natural or legal person who modifies the Work under the Licence, or otherwise contributes to
 the creation of a Derivative Work.
-— ‘The Licensee’ or ‘You’:any natural or legal person who makes any usage of the Work under the terms of the
+
 — 'The Licensee' or 'You':any natural or legal person who makes any usage of the Work under the terms of the
 Licence.
-— ‘Distribution’ or ‘Communication’:any act of selling, giving, lending, renting, distributing, communicating,
+
-transmitting, or otherwise making available, online or offline, copies of the Work or providing access to its essential
+— 'Distribution' or 'Communication':any act of selling, giving, lending, renting, distributing, communicating,
 transmitting, or otherwise making available, online, or offline, copies of the Work or providing access to its essential
 functionalities at the disposal of any other natural or legal person.
 2.Scope of the rights granted by the Licence
 The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable licence to do the following, for
 the duration of copyright vested in the Original Work:
-— use the Work in any circumstance and for all usage,
+
 — use the Work in any circumstances and for all usage,
 — reproduce the Work,
-— modify the Work, and make Derivative Works based upon the Work,
+
 — modify the Work and make Derivative Works based upon the Work,
 — communicate to the public, including the right to make available or display the Work or copies thereof to the public
 and perform publicly, as the case may be, the Work,
 — distribute the Work or copies thereof,
 — lend and rent the Work or copies thereof,
 — sublicense rights in the Work or copies thereof.
-Those rights can be exercised on any media, supports and formats, whether now known or later invented, as far as the
+
 Those rights can be exercised on any media, supports, and formats, whether now known or later invented, as far as the
 applicable law permits so.
 In the countries where moral rights apply, the Licensor waives his right to exercise his moral right to the extent allowed
 by law in order to make effective the licence of the economic rights here above listed.
 The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to any patents held by the Licensor, to the
 extent necessary to make use of the rights granted on the Work under this Licence.
 3.Communication of the Source Code
-The Licensor may provide the Work either in its Source Code form, or as Executable Code. If the Work is provided as
+
 The Licensor may provide the Work either in its Source Code form or as Executable Code. If the Work is provided as
 Executable Code, the Licensor provides in addition a machine-readable copy of the Source Code of the Work along with
 each copy of the Work that the Licensor distributes or indicates, in a notice following the copyright notice attached to
 the Work, a repository where the Source Code is easily and freely accessible for as long as the Licensor continues to
 distribute or communicate the Work.
 4.Limitations on copyright
 Nothing in this Licence is intended to deprive the Licensee of the benefits from any exception or limitation to the
-exclusive rights of the rights owners in the Work, of the exhaustion of those rights or of other applicable limitations
+exclusive rights of the rights owners in the Work, to the exhaustion of those rights or of other applicable limitations
 thereto.
 5.Obligations of the Licensee
 The grant of the rights mentioned above is subject to some restrictions and obligations imposed on the Licensee. Those
 obligations are the following:
 Attribution right: The Licensee shall keep intact all copyright, patent or trademarks notices and all notices that refer to
-the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices and a copy of the
+the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices, and a copy of the
 Licence with every copy of the Work he/she distributes or communicates. The Licensee must cause any Derivative Work
 to carry prominent notices stating that the Work has been modified and the date of modification.
 Copyleft clause: If the Licensee distributes or communicates copies of the Original Works or Derivative Works, this
 Distribution or Communication will be done under the terms of this Licence or of a later version of this Licence unless
-the Original Work is expressly distributed only under this version of the Licence — for example by communicating
+the Original Work is expressly distributed only under this version of the Licence — for example, by communicating
-‘EUPL v. 1.2 only’. The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the
+'EUPL v. 1.2 only'. The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the
 Work or Derivative Work that alter or restrict the terms of the Licence.
 Compatibility clause: If the Licensee Distributes or Communicates Derivative Works or copies thereof based upon both
 the Work and another work licensed under a Compatible Licence, this Distribution or Communication can be done
-under the terms of this Compatible Licence. For the sake of this clause, ‘Compatible Licence’ refers to the licences listed
+under the terms of this Compatible Licence. For the sake of this clause, 'Compatible Licence' refers to the licences listed
 in the appendix attached to this Licence. Should the Licensee's obligations under the Compatible Licence conflict with
 his/her obligations under this Licence, the obligations of the Compatible Licence shall prevail.
-Provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide
+The provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide
 a machine-readable copy of the Source Code or indicate a repository where this Source will be easily and freely available
 for as long as the Licensee continues to distribute or communicate the Work.
 Legal Protection: This Licence does not grant permission to use the trade names, trademarks, service marks, or names
@@ -91,100 +123,134 @@ of the Licensor, except as required for reasonable and customary use in describi
 reproducing the content of the copyright notice.
 6.Chain of Authorship
 The original Licensor warrants that the copyright in the Original Work granted hereunder is owned by him/her or
 licensed to him/her and that he/she has the power and authority to grant the Licence.
-Each Contributor warrants that the copyright in the modifications he/she brings to the Work are owned by him/her or
+
 Each Contributor warrants that the copyright in the modifications he/she brings to the Work is owned by him/her or
 licensed to him/her and that he/she has the power and authority to grant the Licence.
 Each time You accept the Licence, the original Licensor and subsequent Contributors grant You a licence to their contributions
 to the Work, under the terms of this Licence.
 7.Disclaimer of Warranty
-The Work is a work in progress, which is continuously improved by numerous Contributors. It is not a finished work
+
-and may therefore contain defects or ‘bugs’ inherent to this type of development.
+The Work is a work in progress, which is continuously improved by numerous Contributors. It is not finished work
-For the above reason, the Work is provided under the Licence on an ‘as is’ basis and without warranties of any kind
+and may therefore contain defects or 'bugs' inherent to this type of development.
 For the above reason, the Work is provided under the Licence on an 'as is' basis and without warranties of any kind
 concerning the Work, including without limitation merchantability, fitness for a particular purpose, absence of defects or
 errors, accuracy, non-infringement of intellectual property rights other than copyright as stated in Article 6 of this
 Licence.
 This disclaimer of warranty is an essential part of the Licence and a condition for the grant of any rights to the Work.
 8.Disclaimer of Liability
 Except in the cases of wilful misconduct or damages directly caused to natural persons, the Licensor will in no event be
 liable for any direct or indirect, material or moral, damages of any kind, arising out of the Licence or of the use of the
 Work, including without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss
-of data or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However,
+of data, or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However,
-the Licensor will be liable under statutory product liability laws as far such laws apply to the Work.
+the Licensor will be liable under statutory product liability laws as far as such laws apply to the Work.
 9.Additional agreements
 While distributing the Work, You may choose to conclude an additional agreement, defining obligations or services
 consistent with this Licence. However, if accepting obligations, You may act only on your own behalf and on your sole
 responsibility, not on behalf of the original Licensor or any other Contributor, and only if You agree to indemnify,
-defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such Contributor by
+defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such a Contributor by
 the fact You have accepted any warranty or additional liability.
 10.Acceptance of the Licence
-The provisions of this Licence can be accepted by clicking on an icon ‘I agree’ placed under the bottom of a window
+
 The provisions of this Licence can be accepted by clicking on an icon 'I agree' placed under the bottom of a window
 displaying the text of this Licence or by affirming consent in any other similar way, in accordance with the rules of
 applicable law. Clicking on that icon indicates your clear and irrevocable acceptance of this Licence and all of its terms
 and conditions.
 Similarly, you irrevocably accept this Licence and all of its terms and conditions by exercising any rights granted to You
 by Article 2 of this Licence, such as the use of the Work, the creation by You of a Derivative Work or the Distribution
 or Communication by You of the Work or copies thereof.
 11.Information to the public
 In case of any Distribution or Communication of the Work by means of electronic communication by You (for example,
 by offering to download the Work from a remote location) the distribution channel or media (for example, a website)
-must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence
+must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence,
-and the way it may be accessible, concluded, stored and reproduced by the Licensee.
+and the way it may be accessible, concluded, stored, and reproduced by the Licensee.
 12.Termination of the Licence
 The Licence and the rights granted hereunder will terminate automatically upon any breach by the Licensee of the terms
 of the Licence.
 Such a termination will not terminate the licences of any person who has received the Work from the Licensee under
 the Licence, provided such persons remain in full compliance with the Licence.
 13.Miscellaneous
 Without prejudice of Article 9 above, the Licence represents the complete agreement between the Parties as to the
 Work.
 If any provision of the Licence is invalid or unenforceable under applicable law, this will not affect the validity or
 enforceability of the Licence as a whole. Such provision will be construed or reformed so as necessary to make it valid
 and enforceable.
 The European Commission may publish other linguistic versions or new versions of this Licence or updated versions of
 the Appendix, so far this is required and reasonable, without reducing the scope of the rights granted by the Licence.
 New versions of the Licence will be published with a unique version number.
 All linguistic versions of this Licence, approved by the European Commission, have identical value. Parties can take
 advantage of the linguistic version of their choice.
 14.Jurisdiction
 Without prejudice to specific agreement between parties,
 — any litigation resulting from the interpretation of this License, arising between the European Union institutions,
-bodies, offices or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice
+bodies, offices, or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice
 of the European Union, as laid down in article 272 of the Treaty on the Functioning of the European Union,
-— any litigation arising between other parties and resulting from the interpretation of this License, will be subject to
+
 — any litigation arising between other parties and resulting from the interpretation of this License will be subject to
 the exclusive jurisdiction of the competent court where the Licensor resides or conducts its primary business.
 15.Applicable Law
 Without prejudice to specific agreement between parties,
 — this Licence shall be governed by the law of the European Union Member State where the Licensor has his seat,
-resides or has his registered office,
+resides, or has his registered office
-— this licence shall be governed by Belgian law if the Licensor has no seat, residence or registered office inside
+
 — this licence shall be governed by Belgian law if the Licensor has no seat, residence, or registered office inside
 a European Union Member State.
                                                         Appendix
-‘Compatible Licences’ according to Article 5 EUPL are:
+'Compatible Licences' according to Article 5 EUPL are:
 — GNU General Public License (GPL) v. 2, v. 3
 — GNU Affero General Public License (AGPL) v. 3
 — Open Software License (OSL) v. 2.1, v. 3.0
 — Eclipse Public License (EPL) v. 1.0
 — CeCILL v. 2.0, v. 2.1
 — Mozilla Public Licence (MPL) v. 2
 — GNU Lesser General Public Licence (LGPL) v. 2.1, v. 3
 — Creative Commons Attribution-ShareAlike v. 3.0 Unported (CC BY-SA 3.0) for works other than software
 — European Union Public Licence (EUPL) v. 1.1, v. 1.2
 — Québec Free and Open-Source Licence — Reciprocity (LiLiQ-R) or Strong Reciprocity (LiLiQ-R+).
 The European Commission may update this Appendix to later versions of the above licences without producing
 a new version of the EUPL, as long as they provide the rights granted in Article 2 of this Licence and protect the
 covered Source Code from exclusive appropriation.
-All other changes or additions to this Appendix require the production of a new EUPL version.
+
 All other changes or additions to this Appendix require the production of a new EUPL version.
--- a/README.md
+++ b/README.md
@@ -1,3 +1,404 @@
-# CISS.debian.live.builder
+---
 gitea: none
 include_toc: true
 ---
 [![Static Badge](https://badges.coresecret.dev/badge/Release-V8.02.512.2025.05.30-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.installer)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Bash-V5.2.15-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=Bash&color=%234EAA25)](https://www.gnu.org/software/bash/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/shellcheck-passed-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=shellcheck&color=%234EAA25)](https://shellcheck.net/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.23.8-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.1.1.1-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/SocialMedia-@coresecret_eu-white?style=plastic&logo=x&logoColor=white&logoSize=auto&label=SocialMedia&color=%23000000)](https://x.com/coresecret_eu) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Donation-Donation-white?style=plastic&logo=sepa&logoColor=white&logoSize=auto&label=&color=%230F243E)](https://coresecret.eu/spenden/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/bitcoin-Bitcoin-white?style=plastic&logo=bitcoin&logoColor=white&logoSize=auto&label=Donation&color=%23F7931A)](https://coresecret.eu/spenden/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/simplex-Simplex-white?style=plastic&logo=simplex&logoColor=white&logoSize=auto&label=Contact&color=%23000000)](https://simplex.chat/) &nbsp;
-Debian Live Build Generator for hardened live environment and CISS Debian Installer
+# 1. CISS.debian.live.builder
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
 **Build**: V8.02.512.2025.05.30<br>
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
 cloud deployment or unattended installations via the forthcoming `CISS.debian.installer`.
 Check out more:
 * [CenturionNet Services](https://coresecret.eu/cnet/) 
 * [CenturionDNS Resolver](https://dns.eddns.eu/)
 * [CenturionDNS Blocklist](https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt) 
 * [CenturionNet Status](https://uptime.coresecret.eu/) 
 * [CenturionMeet](https://talk.e2ee.li/) 
 * [Contact the author](https://coresecret.eu/contact/)
 > Please note: All my signing keys are contained in an HSM and the signing environment is air gapped. Next step: move to
 > a room-gapped environment ^^
 ## 1.1. Immutable Source-of-Truth System
 This live ISO establishes a secure, fully deterministic, integrity self-verifying boot environment based entirely on static
 source-code definitions. All configurations, system components, and installation routines are embedded during build time and 
 locked for runtime immutability. This ensures that the live environment functions as a trusted **Source of Truth** — not only 
 for boot-time operations, but for deploying entire systems in a secure and reproducible way.<br>
 Once booted, the environment optionally launches a fully scripted installer, via the forthcoming `CISS.debian.installer`,
 yet to deploy, that provisions the target system (the hardware the DVD is running on). The installer pulls no external 
 dependencies besides of the necessary Debian debootstrap and Debian Packages and never exposes the target system in a not 
 secure manner to the internet during installation. It operates strictly from within the verified image content, providing fully 
 secured provisioning. Combined with checksum verification, **activated by default**, at boot and strict firewall defaults, this 
 architecture guarantees that what is executed has not been tampered with and corresponds exactly to the intended source definition.<br>
 An even more secure deployment variant — an unattended and headless version — can be built without any active network interface
 or shell-access, also via the forthcoming `CISS.debian.installer`. Such a version performs all verification steps autonomously, 
 provisions the target device from embedded source artifacts, and reboots into a fully encrypted system image. The system then 
 awaits the decryption passphrase input via an embedded Dropbear SSH server (SSH PubKey only) in the initramfs, exposing no ports
 without cryptographic hardened access, while also the `/boot` partition could be encrypted via the built-in support of 
 `grub2 (2.12-1~bpo12+1)`.<br>
 This approach provides a fully reproducible, audit-friendly, and tamper-resistant provisioning workflow rooted entirely in 
 source-defined infrastructure logic.<br>
 After build and configuration, the following audit reports can be generated:
 * **Haveged Audit Report**: Validates entropy daemon health and confirms '/dev/random' seeding performance.
  Type `chkhvg` at the prompt. See example report: [Haveged Audit Report](https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder/src/branch/master/docs/AUDIT_HAVEGED.md)
 * **Lynis Audit Report**: Outputs a detailed security score and recommendations, confirming a 91%+ hardening baseline.
  Type `lsadt` at the prompt. See example report: [Lynis Audit Report](https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder/src/branch/master/docs/AUDIT_LYNIS.md)
 * **SSH Audit Report**: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations.
  Type `ssh-audit <IP>:<PORT>`. See example report: [SSH Audit Report](https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder/src/branch/master/docs/AUDIT_SSH.md)
 ## 1.2. Preview
 ![CISS.debian.live.builder](/docs/screenshots/CISS.debian.live.builder_preview.jpeg)
 ## 1.3. Caution. Significant information for those considering using D-I.
 **The Debian Installer (d-i) will ALWAYS boot a new system.**<br>
 Regardless of whether you start it:
 * via the boot menu of your Live ISO (grub, isolinux) like **CISS.2025.debian.live.builder**,
 * via kexec in the running system,
 * via the debian-installer-launcher package,
 * or even via a graphical installer shortcut.
 The following happens in all cases:
 * The installer kernel (/install/vmlinuz) + initrd.gz are started.
 * The existing live system is exited.
 * The memory is overwritten.
 * All running processes – e.g., firewall, hardened SSH access, etc. pp. – cease to exist.
 The Debian Installer loads:
 * its own kernel,
 * its own initramfs,
 * its own minimal root filesystem (BusyBox + udeb packages),
 * no SSH access (unless explicitly enabled via preseed)
 * no firewall, AppArmor, logging, etc. pp.,
 * it disables all running network services, even if you were previously in the live system.
 This means function status of the **CISS.2025.debian.live.builder** ISO after d-i start:
 * ufw, iptables, nftables ✘ disabled, not loaded,
 * sshd with hardening ✘ stopped (processes gone),
 * the running kernel ✘ replaced,
 * Logging (rsyslog, journald) ✘ not active,
 * preseed control over the network is possible (but without any protection).
 # 2. Features & Rationale
 Below is a breakdown of each hardening component, with a summary of why each is critical to your security posture.
 ## 2.1. Kernel Hardening
 ### 2.1.1. Boot Parameters
 * **Description**: Customizes kernel command‑line flags to disable unused features and enable mitigations.
 * **Key Parameters**:
  * `audit_backlog_limit=8192`: Ensures the audit subsystem can queue up to 8192 events to avoid dropped logs under heavy loads.
  * `audit=1`: Enables kernel auditing from boot to record system calls and security events.
  * `cfi=kcfi`: Activates kernel control-flow integrity using kCFI to protect against control-flow hijacking.
  * `debugfs=off`: Disables debugfs to prevent non-privileged access to kernel internals.
  * `efi=disable_early_pci_dma`: Stops early PCI DMA under EFI to mitigate DMA-based attacks during boot.
  * `efi_no_storage_paranoia`: Disables extra EFI storage checks to streamline boot without compromising expected storage integrity.
  * `hardened_usercopy=1`: Enables stringent checks on copy operations between user and kernel space to prevent buffer overflows.
  * `ia32_emulation=0`: Turns off 32-bit compatibility modes to reduce attack surface on 64-bit hosts.
  * `init_on_alloc=1`: Zeroes memory on allocation to prevent leakage of previous data.
  * `init_on_free=1`: Initializes memory on free to catch use-after-free bugs.
  * `iommu=force`: Enforces IOMMU for all devices to isolate DMA-capable hardware.
  * `kfence.sample_interval=100`: Configures the kernel fence memory safety tool to sample every 100 allocations.
  * `kvm.nx_huge_pages=force`: Enforces non-executable huge pages in KVM to mitigate code injection.
  * `l1d_flush=on`: Flushes L1 data cache on context switch to mitigate L1D vulnerabilities.
  * `lockdown=confidentiality`: Puts the kernel in confidentiality lockdown to restrict direct hardware access.
  * `loglevel=0`: Suppresses non-critical kernel messages to reduce information leakage.
  * `mce=0`: Disables machine check exceptions to prevent side-channel data leaks from hardware error reporting.
  * `mitigations=auto,nosmt`: Enables all automatic CPU mitigations and disables SMT to reduce side-channel risks.
  * `mmio_stale_data=full,nosmt`: Ensures stale MMIO data is fully flushed and disables SMT for added protection.
  * `oops=panic`: Forces a kernel oops to trigger a panic, preventing the system from running in an inconsistent state.
  * `page_alloc.shuffle=1`: Randomizes physical page allocation to hinder memory layout prediction attacks.
  * `page_poison=1`: Fills freed pages with a poison pattern to detect use-after-free.
  * `panic=-1`: Disables automatic reboot on panic to preserve the system state for forensic analysis.
  * `pti=on`: Enables page table isolation to mitigate Meltdown attacks.
  * `random.trust_bootloader=off`: Prevents trusting entropy provided by the bootloader.
  * `random.trust_cpu=off`: Disables trusting CPU-provided randomness, enforcing external entropy sources.
  * `randomize_kstack_offset=on`: Randomizes the kernel stack offset on each syscall entry to harden against stack probing.
  * `randomize_va_space=2`: Enables full address space layout randomization (ASLR) for user space.
  * `retbleed=auto,nosmt`: Enables automatic RETBLEED mitigations and disables SMT for better side-channel resistance.
  * `rodata=on`: Marks kernel read-only data sections to prevent runtime modification.
  * `tsx=off`: Disables Intel TSX extensions to eliminate related speculative execution vulnerabilities.
  * `vdso32=0`: Disables 32-bit vDSO to prevent unintended cross-mode calls.
  * `vsyscall=none`: Disables legacy vsyscall support to close a potential attack vector.
 * **Rationale**: Ensures early activation of protections, reducing exposure to CPU vulnerabilities before the system fully boots.
 ### 2.1.2. CPU Vulnerability Mitigations
 * **Description**: Enables all known kernel-level mitigations (Spectre, Meltdown, MDS, L1TF, etc.).
 * **Rationale**: Prevents side‑channel attacks that exploit speculative execution, which remain a high‑risk vector in
  multi‑tenant cloud environments.
 ### 2.1.3. Kernel Self-Protection
 * **Description**: Activates `CONFIG_DEBUG_RODATA`, `CONFIG_STRICT_MODULE_RWX`, and other self‑protections.
 * **Rationale**: Hardens kernel memory regions against unauthorized writings and enforces stricter module loading policies.
 ### 2.1.4. Local Kernel Hardening
 * **Description**: The wrapper `sysp()`provides a function to apply and audit local kernel hardening rules from `/etc/sysctl.d/99_local.hardened`:
 ````bash
 ###########################################################################################
 # Globals: Wrapper for loading CISS.2025 hardened Kernel Parameters
 # Arguments:
 #  none
 ###########################################################################################
 # shellcheck disable=SC2317
 sysp() {
  sysctl -p /etc/sysctl.d/99_local.hardened
  # sleep 1
  sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
 }
 ````
 * **Key measures loaded by this file include:**
  * Disabling module loading `kernel.modules_disabled=1`
  * Restricting kernel pointers & logs `kernel.kptr_restrict=2`, `kernel.dmesg_restrict=1`, `kernel.printk=3 3 3 3`
  * Disabling unprivileged BPF and userfaultfd
  * Disabling kexec and unprivileged user namespaces
  * Locking down ptrace scope `kernel.yama.ptrace_scope=2`
  * Protecting filesystem links and FIFOs `fs.protected_*`
 **Warning**
 Once applied, some hardening settings cannot be undone via `sysctl` without a reboot, and dynamic module loading remains disabled
 until the next boot. Automatic enforcement at startup is therefore omitted by design—run `sysp()` manually and plan a reboot to 
 apply or revert these controls.
 ## 2.2. Module Blacklisting
 * **Description**: Disables and blacklists non‑essential or insecure kernel modules.
 * **Rationale**: Minimizes attack surface by preventing loads of drivers or modules not required by the live environment.
 ## 2.3. Network Hardening
 * **Description**: Applies `sysctl` settings (e.g., `net.ipv4.conf.all.rp_filter=1`, `arp_ignore`, `arp_announce`) to restrict
  inbound/outbound traffic behaviors.
 * **Rationale**: Mitigates ARP spoofing, IP spoofing, and reduces the risk of man‑in‑the‑middle on internal networks.
 ## 2.4. Core Dump & Kernel Hardening
 * **Description**: Limits core dump generation paths, enforces `Yama` restrictions, and configures `kernel.kptr_restrict`.
 * **Rationale**: Prevents leakage of sensitive memory contents and reduces information disclosure from unintentional crash
  dumps.
 ## 2.5. Entropy Collection Improvements
 * **Description**: Installs and configures `haveged`, seeds `/dev/random` early.
 * **Rationale**: Cloud instances frequently suffer low entropy at the start; improving randomness ensures strong cryptographic key
  generation for SSH and other services.
 ## 2.6. Permissions & Authentication
 * **Description**: Sets strict directory and file permissions, integrates with PAM modules (e.g., `pam_faillock`).
 * **Rationale**: Enforces the principle of least privilege at file‑system level and strengthens authentication policies.
 ## 2.7. High-Security Baseline (Lynis Audit)
 * **Description**: Run a baseline audit via [Lynis](https://cisofy.com/lynis/) after build completion. 
  The generated live environment consistently achieves a 91%+ score in Lynis security audits.
 * **Rationale**: Provides independent verification of security posture and flags any configuration drifts or missing
  hardening steps.
 ## 2.8. SSH Tunnel & Access Security
 * **Description**: The SSH tunnel and access are secured through multiple layers of defense:
  * **Firewall Restriction**: ufw allows connections only from defined jump host or VPN exit node IPs.
  * **TCP Wrappers**: `/etc/hosts.allow` and `/etc/hosts.deny` enforce an `ALL: ALL` deny policy, permitting only specified hosts.
  * **One‑Hit Ban**: A custom Fail2Ban rule `/etc/fail2ban/jail.d/centurion-default.conf` immediately bans any host 
    that touches closed ports. 
    * Additionally, the `fail2ban` service is hardened as well according to:
    [Arch Linux Wiki Fail2ban Hardening](https://wiki.archlinux.org/title/fail2ban#Service_hardening) 
  * **SSH Ultra‑Hardening**: The `/etc/sshd_config` enforces strict cryptographic and connection controls with respect to 
    [SSH Audit Guide Debian 12](https://www.ssh-audit.com/hardening_guides.html#debian_12):
    * `RekeyLimit 1G 1h`
    * `HostKey /etc/ssh/ssh_host_ed25519_key`
    * `HostKey /etc/ssh/ssh_host_rsa_key (8192-bit RSA)`
    * `PubkeyAuthentication yes`
    * `PermitRootLogin prohibit-password`
    * `PasswordAuthentication no`
    * `PermitEmptyPasswords no`
    * `LoginGraceTime 2m`
    * `MaxAuthTries 3`
    * `MaxSessions 2`
    * `MaxStartups 08:64:16`
    * `PerSourceMaxStartups 4`
    * `RequiredRSASize 4096`
    * `Ciphers aes256-gcm@openssh.com`
    * `KexAlgorithms sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512,gss-curve25519-sha256-`
    * `MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com`
 * **Rationale**: These measures ensure that only authorized hosts can establish SSH tunnels, with strict cryptographic and usage 
  policies enforced. Minimizes brute force, passive sniffing, and reduces credentials' exposure by limiting protocol features to
  vetted algorithms.
 ## 2.9. UFW Hardening
 * **Description**: Defaults to `deny incoming` and (optionally) `deny outgoing`; automatically opens only whitelisted ports.
 * **Rationale**: Implements a default‑deny firewall, reducing lateral movement and data exfiltration risks immediately after
  deployment.
 ## 2.10. Fail2Ban Enhancements
 * **Description**:
  * Bans any connection to a closed port for 24 hours
  * Automatically ignores designated bastion/jump host subnets
  * Hardened via `systemd` policy override to limit privileges of the Fail2Ban service itself
 * **Rationale**: Provides proactive defense against port scans and brute‑force attacks, while isolating the ban daemon in a
  minimal‑privilege context.
 ## 2.11. NTPsec & Chrony
 * **Description**: Installs `chrony`, selects PTB NTPsec servers by default.
 * **Rationale**: Ensures tamper‑resistant time synchronization, which is essential for log integrity, certificate validation,
  and forensic accuracy.
 # 3. Script Features & Rationale
 ## 3.1. Input Validation & Security
 * **Description**: All script arguments are validated using a robust input sanitizer.
 * **Rationale**: Prevents injection attacks and ensures only expected data types and values are processed.
 ## 3.2. Debug Mode with Detailed Logging
 * **Description**: A built-in debug mode outputs clear, timestamped logs including:
  * Script Name and Path of called Function,
  * Line Number,
  * Function Name,
  * Exit Code of the previous Command,
  * Executed Command.
 * **Rationale**: Simplifies troubleshooting and provides precise error tracing.
 ## 3.3. Secure Debug Logging
 * **Description**: No hardcoded plaintext password fragments or sensitive artifacts appear in debug logs.
 * **Rationale**: Prevents accidental exposure of credentials during troubleshooting.
 ## 3.4. Secure Password Handling
 * **Description**: Password files, if provided, are shredded immediately after being hashed.
 * **Rationale**: Prevents password recovery from temporary files.
 ## 3.5. Variable Declaration & Validation
 * **Description**: All variables are declared and validated before use.
 * **Rationale**: Avoids unintended behavior from unset or improperly set variables.
 ## 3.6. Pure Bash Implementation
 * **Description**: The entire wrapper and all its functions are written in pure Bash, without external dependencies.
 * **Rationale**: Ensures maximum portability and compatibility with standard Debian environments.
 ## 3.7. Bash Error Handling
 * **Description**: The implemented xtrace wrapper `set -x` enforces comprehensive Bash error handling to ensure
  * robust, 
  * predictable execution,
  * and early detection of failures.
  and delivers full information, which command failed to execute:
  * Script Name and Path of called Function,
  * Line Number,
  * Function Name,
  * Exit Code of the previous Command,
  * Executed Command,
  * Environment Settings,
  * Argument Counter passed to Script,
  * Argument String passed to Script.
 * The following `set` options are applied at the beginning of the script (see 
  [Bash Manual, The Set Builtin](https://www.gnu.org/software/bash/manual/bash.html#The-Set-BuiltinGNU)):
 ```bash
 set -o errexit   # Exit script when a command exits with non-zero status (same as "set -e").
 set -o errtrace  # Inherit ERR traps in subshells (same as "set -E").
 set -o functrace # Inherit DEBUG and RETURN traps in subshells (same as "set -T").
 set -o nounset   # Exit script on use of an undefined variable (same as "set -u").
 set -o pipefail  # Return the exit status of the last failed command in a pipeline.
 set -o noclobber # Prevent overwriting files via redirection (same as "set -C").
 ```
 * **Rationale**: These options enforce strict error checking and handling, reducing silent failures and ensuring 
 predictable script behavior.
 # 4. Prerequisites
 * **Host**: Debian Bookworm or newer with `live-build` package installed.
 * **Privileges**: Root or sudo access to execute `ciss_live_builder.sh` and related scripts.
 * **Network**: Outbound access to Debian repositories and PTB NTPsec pool.
 # 5. Installation & Usage
 1. Clone the repository:
   ```bash
   git clone https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
   cd CISS.2025.debian.live.builder
   ```
 2. Run the config builder and the integrated `lb build` command (example):
   ```bash
   ./ciss_live_builder.sh --architecture amd64 \
                          --build-directory /opt/livebuild \
                          --change-splash hexagon \
                          --control 384 \
                          --debug \
                          --dhcp-centurion \
                          --jump-host 10.0.0.128 [c0de:4711:0815:4242::1] [2abc:4711:0815:4242::1]/64 \
                          --provider-netcup-ipv6 [c0de:4711:0815:4242::ffff] \
                          --renice-priority "-19" \
                          --reionice-priority 1 2 \
                          --root-password-file /opt/gitea/CISS.2025.debian.live.builder/password.txt \
                          --ssh-port 4242 \
                          --ssh-pubkey /opt/gitea/CISS.2025.debian.live.builder
   ```
 3. Locate your ISO in the `--build-directory`.
 4. Boot from the ISO and login to the live image via the console, or the multi-layer secured coresecret SSH tunnel.
 5. Type `sysp` for the final kernel hardening features.
 6. Check the boot log with `jboot` and via `ssf` that all services are up.
 7. Finally, audit your environment with `lsadt` for a comprehensive Lynis audit.
 8. Type `celp` for some shortcuts.
 # 6. Licensing & Compliance
 This repository is fully SPDX-compliant. All source files include appropriate SPDX license identifiers and headers to ensure
 clear and unambiguous licensing. You can verify compliance by reviewing the top of each file, which follows the SPDX
 standard for license expressions and metadata.
 # 7. Disclaimer
 This README is provided "as‑is" without any warranty. Review your organization's policies before deploying to production.
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
 <!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,23 @@
 # Security Policy
 ## Reporting vulnerabilities
 Please send your vulnerability reports to `security@coresecret.eu`
 To make sure that your report reaches me, please:
 Include the words `CISS.debian.live.builder` and `vulnerability` to the subject line as well as a short description of the vulnerability.
 Make sure that the message body contains a clear description of the vulnerability.
 If you have not received a reply to your email within seven days, please make sure to follow up with me again at `security@coresecret.eu`
 Once again, make sure that the word `vulnerability` is in the subject line.
 My security policy is available at:
 [https://coresecret.eu/security-policy/](https://coresecret.eu/security-policy/)
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
 <!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -0,0 +1,188 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Contributions so far see ./docs/CREDITS.md
 ### WHY BASH?
 # Ease of installation.
 # No compiling or installing gems, CPAN modules, pip packages, etc.
 # Simple to use and read. Clear syntax and straightforward output interpretation.
 # Built-in power.
 # Pattern matching, line processing, and regular expression support are available natively,
 # no external binaries required.
 # Cross-platform consistency.
 # '/bin/bash' is the default shell on most Linux distributions, ensuring scripts run unmodified across systems.
 # macOS compatibility.
 # Since macOS Catalina (10.15), the default login shell has been zsh, but bash remains available at '/bin/bash'.
 # Windows support.
 # You can use bash via WSL, MSYS2, or Cygwin on Windows systems.
 ### Preliminary checks
 [ -z "${BASH_VERSINFO[0]}" ] && {
  . ./var/global.var.sh; printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2; exit "${ERR_UNSPPTBASH}"; }
 [[ ${EUID} -ne 0 ]] && {
  . ./var/global.var.sh; printf "\e[91m❌ Please make sure you are 'root'! Bye... \e[0m\n" >&2; exit "${ERR_NOT_USER_0}"; }
 [[ $(kill -l | grep -c SIG) -eq 0 ]] && {
  . ./var/global.var.sh; printf "\e[91m❌ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2; exit "${ERR_UNSPPTBASH}"; }
 [[ ${BASH_VERSINFO[0]} -lt 5 ]] && {
  . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
 [[ ${BASH_VERSINFO[0]} -le 5 ]] && [[ ${BASH_VERSINFO[1]} -le 1 ]] && {
  . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
 declare -gr VERSION="Master V8.02.512.2025.05.30"
 declare -gr CONTACT="security@coresecret.eu"
 ### VERY EARLY CHECK FOR CONTACT, USAGE, AND VERSION STRING
 declare arg
 if [[ ${#} -eq 0 ]]; then . ./lib/lib_usage.sh; usage; exit 1; fi
 for arg in "$@"; do case "${arg,,}" in -c|--contact) printf "\e[95mCISS.debian.live.builder Contact: %s\e[0m\n" "${CONTACT}"; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -h|--help) . ./lib/lib_usage.sh; usage; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -v|--version) printf "\e[95mCISS.debian.live.builder Version: %s\e[0m\n" "${VERSION}"; exit 0;; esac; done
 unset arg
 ### VERY EARLY CHECK FOR XTRACE DEBUGGING
 if [[ $* == *" --debug "* ]]; then
  . ./lib/lib_debug.sh
  debugger "${@}"
 else
  declare -grx EARLY_DEBUG=false
 fi
 ### Advisory Lock
 exec 127>/var/lock/ciss_live_builder.lock || {
  . ./var/global.var.sh
  printf "\e[91m❌ Cannot open lockfile for writing! Bye... \e[0m\n" >&2
  exit "${ERR_FLOCK_WRTG}"
 }
 if ! flock -x -n 127; then
  . ./var/global.var.sh
  printf "\e[91m❌ Another instance is running! Bye...\e[0m\n" >&2
  exit "${ERR_FLOCK_COLL}"
 fi
 ### Checking required packages
 . ./lib/lib_check_pkgs.sh
 check_pkgs
 ### Dialog Output for Initialization
 . ./lib/lib_boot_screen.sh && boot_screen
 ### Updating Status of Dialog Gauge Bar
 printf "XXX\nUpdating variables ... \nXXX\n05\n" >&3
 . ./var/global.var.sh
 . ./var/colors.var.sh
 ### Updating Status of Dialog Gauge Bar
 printf "XXX\nEnabling Bash Error Handling ... \nXXX\n15\n" >&3
 ### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin
 set -o errexit   # Exit script when a command exits with non-zero status, the same as "set -e".
 set -o errtrace  # Any traps on ERR are inherited in a subshell environment, the same as "set -E".
 set -o functrace # Any traps on DEBUG and RETURN are inherited in a subshell environment, the same as "set -T".
 set -o nounset   # Exit script on use of an undefined variable, the same as "set -u".
 set -o pipefail  # Makes pipelines return the exit status of the last command in the pipe that failed.
 set -o noclobber # Prevent overwriting, the same as "set -C".
 ### Updating Status of Dialog Gauge Bar
 printf "XXX\nAdditional initialization ... \nXXX\n25\n" >&3
 ### Initialization
 declare -gr ARGUMENTS_COUNT="$#"
 declare -gr ARG_STR_ORG_INPUT="$*"
 declare -ar ARG_ARY_ORG_INPUT=("$@")
 # shellcheck disable=SC2155
 declare -gr SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
 # shellcheck disable=SC2155
 declare -grx WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
 ### Updating Status of Dialog Gauge Bar
 printf "XXX\nSourcing Libraries ... \nXXX\n50\n" >&3
 . ./lib/lib_arg_parser.sh
 . ./lib/lib_arg_priority_check.sh
 . ./lib/lib_cdi.sh
 . ./lib/lib_change_splash.sh
 . ./lib/lib_check_dhcp.sh
 . ./lib/lib_check_hooks.sh
 . ./lib/lib_check_kernel.sh
 . ./lib/lib_check_provider.sh
 . ./lib/lib_check_stats.sh
 . ./lib/lib_check_var.sh
 . ./lib/lib_clean_screen.sh
 . ./lib/lib_clean_up.sh
 . ./lib/lib_copy_integrity.sh
 . ./lib/lib_hardening_root_pw.sh
 . ./lib/lib_hardening_ssh.sh
 . ./lib/lib_hardening_ultra.sh
 . ./lib/lib_helper_ip.sh
 . ./lib/lib_lb_build_start.sh
 . ./lib/lib_lb_config_start.sh
 . ./lib/lib_lb_config_write.sh
 . ./lib/lib_provider_netcup.sh
 . ./lib/lib_run_analysis.sh
 . ./lib/lib_sanitizer.sh
 . ./lib/lib_trap_on_err.sh
 . ./lib/lib_trap_on_exit.sh
 . ./lib/lib_usage.sh
 ### Updating Status of Dialog Gauge Bar
 printf "XXX\nActivate traps ... \nXXX\n55\n" >&3
 ### Following the CISS Bash naming and ordering scheme
 trap 'trap_on_exit "$?"' EXIT
 trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
 ### Updating Status of Dialog Gauge Bar
 printf "XXX\nSanitizing Arguments ... \nXXX\n70\n" >&3
 arg_check "$@"
 declare -ar ARG_ARY_SANITIZED=("$@")
 declare -gr ARG_STR_SANITIZED="${ARG_ARY_SANITIZED[*]}"
 ### Updating Status of Dialog Gauge Bar
 printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3
 arg_parser "$@"
 ### Updating Status of Dialog Gauge Bar
 printf "XXX\nFinal checks ... \nXXX\n95\n" >&3
 clean_ip
 ### Updating Status of Dialog Gauge Bar
 printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3
 sleep 1
 boot_screen_cleaner
 ### MAIN Program
 arg_priority_check
 check_stats
 check_provider
 check_kernel
 check_hooks
 hardening_ssh
 lb_config_start
 lb_config_write
 cd "${WORKDIR}"
 hardening_ultra
 hardening_root_pw
 change_splash
 check_dhcp
 cdi
 provider_netcup
 ### Start the build process
 set +o errtrace
 lb_build_start
 set -o errtrace
 run_analysis
 copy_db
 declare -g handler_success=true
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/bootloaders/grub-efi/grub.cfg
+++ b/config/bootloaders/grub-efi/grub.cfg
@@ -0,0 +1,46 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 source /boot/grub/config.cfg
 GRUB_DEFAULT=0
 GRUB_TIMEOUT=16
 GRUB_DISTRIBUTOR="CISS.debian.live.builder"
 # Live boot
@LINUX_LIVE@
 ### CISS.2025 BOB
 #MUST_BE_REPLACED
 ### CISS.2025 EOB
 submenu 'CISS CoreSecret Legacy DI ...' --hotkey=c {
  source /boot/grub/theme.cfg
  menuentry "CISS CoreSecret Legacy DI" --hotkey=s {
    linux @KERNEL_GI@ @APPEND_GI@
    initrd @INITRD_GI@
    }
  }
 submenu 'Utilities ...' --hotkey=u {
  source /boot/grub/theme.cfg
  # Memtest (if any)
  if @ENABLE_MEMTEST@; then
    source /boot/grub/memtest.cfg
 	fi
 	# Firmware setup (UEFI)
  if [ "${grub_platform}" = "efi" ]; then
    menuentry "UEFI Firmware Settings" --hotkey=e {
    fwsetup
    }
  fi
  }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/bootloaders/grub-efi/splash.png
+++ b/config/bootloaders/grub-efi/splash.png
--- a/config/bootloaders/grub-pc/grub.cfg
+++ b/config/bootloaders/grub-pc/grub.cfg
@@ -0,0 +1,46 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 source /boot/grub/config.cfg
 GRUB_DEFAULT=0
 GRUB_TIMEOUT=16
 GRUB_DISTRIBUTOR="CISS.debian.live.builder"
 # Live boot
@LINUX_LIVE@
 ### CISS.2025 BOB
 #MUST_BE_REPLACED
 ### CISS.2025 EOB
 submenu 'CISS CoreSecret Legacy DI ...' --hotkey=c {
  source /boot/grub/theme.cfg
  menuentry "CISS CoreSecret Legacy DI" --hotkey=s {
    linux @KERNEL_GI@ @APPEND_GI@
    initrd @INITRD_GI@
    }
  }
 submenu 'Utilities ...' --hotkey=u {
  source /boot/grub/theme.cfg
  # Memtest (if any)
  if @ENABLE_MEMTEST@; then
    source /boot/grub/memtest.cfg
  fi
  # Firmware setup (UEFI)
  if [ "${grub_platform}" = "efi" ]; then
    menuentry "UEFI Firmware Settings" --hotkey=e {
    fwsetup
    }
  fi
  }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/bootloaders/grub-pc/splash.png
+++ b/config/bootloaders/grub-pc/splash.png
--- a/config/bootloaders/splash.png
+++ b/config/bootloaders/splash.png
--- a/config/hooks/live/0000_generate_backup_dir.chroot
+++ b/config/hooks/live/0000_generate_backup_dir.chroot
@@ -0,0 +1,27 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 mkdir -p /root/.ciss/dlb/backup
 chmod 0700 /root/.ciss/dlb/backup
 mkdir -p /root/git
 chmod 0700 /root/git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0001_initramfs_modules.chroot
+++ b/config/hooks/live/0001_initramfs_modules.chroot
@@ -0,0 +1,294 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 #######################################
 # Get all NIC Driver of the current Host-machine
 # Arguments:
 #  None
 #######################################
 grep_nic_driver_modules() {
  declare _mods
  # Gather all Driver and sort unique
  readarray -t _mods < <(
    lspci -k \
      | grep -A2 -i ethernet \
      | grep 'Kernel driver in use' \
      | awk '{print $5}' \
      | sort -u
  )
  declare nic_module
  declare nic_modules
  if [[ "${#_mods[@]}" -eq 1 ]]; then
    nic_module="${_mods[0]}"
    echo "${nic_module}"
  else
    nic_modules="${_mods[*]}"
    echo "${nic_modules}"
  fi
 }
 # shellcheck disable=SC2155
 declare nic_driver="$(grep_nic_driver_modules)"
 cat << EOF >| /etc/initramfs-tools/modules
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # List of modules that you want to include in your initramfs.
 # They will be loaded at boot time in the order below.
 #
 # Syntax:  module_name [args ...]
 #
 # You must run update-initramfs(8) to effect this change.
 #
 # Examples:
 #
 # raid1
 # sd_mod
 ### QEMU Bochs-compatible virtual machine support
 bochs
 ### Device-mapper core module (required for all dm_* features)
 dm_mod
 ### Device-mapper integrity target (provides integrity checking)
 dm-integrity
 ### Device-mapper crypt target (provides disk encryption)
 dm-crypt
 ### Generic AES block cipher implementation (used by dm-crypt)
 aes_generic
 ### Generic SHA-256 hashing algorithm (used by various crypto and integrity targets)
 sha256_generic
 ### Generic CRC32C checksum implementation (used by btrfs and other filesystems)
 crc32c_generic
 ### Main btrfs filesystem module
 btrfs
 ### Zstandard compression support for btrfs
 zstd_compress
 ### XOR parity implementation for RAID functionality
 xor
 ### RAID6 parity generation module
 raid6_pq
 ### Combined RAID4/5/6 support module
 raid456
 ### Network Driver Host-machine
 "${nic_driver}"
 EOF
 cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 #
 # The Configuration file for update-initramfs(8)
 #
 #
 # update_initramfs [ yes | all | no ]
 #
 # Default is yes
 # If set to all update-initramfs will update all initramfs
 # If set to no disables any update to initramfs besides kernel upgrade
 update_initramfs=yes
 #
 # backup_initramfs [ yes | no ]
 #
 # Default is no
 # If set to no leaves no .bak backup files.
 backup_initramfs=no
 EOF
 cat << 'EOF' >| /etc/initramfs-tools/initramfs.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 #
 # initramfs.conf
 # Configuration file for mkinitramfs(8). See initramfs.conf(5).
 #
 # Note that configuration options from this file can be overridden
 # by config files in the /etc/initramfs-tools/conf.d directory.
 #
 # MODULES: [ most | netboot | dep | list ]
 #
 # most - Add most filesystem and all hard-drive drivers.
 #
 # dep - Try and guess that module to load.
 #
 # netboot - Add the base modules, network modules, but skip block devices.
 #
 # list - Only include modules from the 'additional modules' list
 #
 MODULES=most
 #
 # BUSYBOX: [ y | n | auto ]
 #
 # Use busybox shell and utilities.  If set to n, klibc utilities will be used.
 # If set to auto (or unset), busybox will be used if installed and klibc will
 # be used otherwise.
 #
 BUSYBOX=auto
 #
 # KEYMAP: [ y | n ]
 #
 # Load a keymap during the initramfs stage.
 #
 KEYMAP=n
 #
 # COMPRESS: [ gzip | bzip2 | lz4 | lzma | lzop | xz | zstd ]
 #
 COMPRESS=zstd
 #
 # COMPRESSLEVEL: ...
 #
 # Set a compression level for the compressor.
 # Defaults vary by compressor.
 #
 # Valid values are:
 # 1–9 for gzip|bzip2|lzma|lzop
 # 0–9 for  lz4|xz
 # 0–19 for zstd
 # COMPRESSLEVEL=3
 #
 # DEVICE: ...
 #
 # Specify a specific network interface, like eth0
 # Overridden by optional ip= or BOOTIF= bootarg
 #
 DEVICE=
 #
 # NFSROOT: [ auto | HOST:MOUNT ]
 #
 NFSROOT=auto
 #
 # RUNSIZE: ...
 #
 # The size of the /run tmpfs mount point, like 256M or 10%
 # Overridden by optional initramfs.runsize= bootarg
 #
 RUNSIZE=10%
 #
 # FSTYPE: ...
 #
 # The filesystem type(s) to support, or "auto" to use the current root
 # filesystem type
 #
 FSTYPE=auto
 EOF
 cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
 #!/bin/sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -e
 PREREQ=""
 prereqs() { echo "$PREREQ"; }
 case $1 in
  prereqs) prereqs; exit 0 ;;
 esac
 . /usr/share/initramfs-tools/hook-functions
 mkdir -p "${DESTDIR}/bin" "${DESTDIR}/usr/bin" "${DESTDIR}/usr/local/bin"
 # Include Bash
 copy_exec /usr/bin/bash /usr/bin
 # Include lsblk (block device information tool)
 copy_exec /usr/bin/lsblk /usr/bin
 # Include udevadm (udev management tool)
 copy_exec /usr/bin/udevadm /usr/bin
 EOF
 chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder
 ### Regenerate the initramfs for the live system kernel
 update-initramfs -u -k all
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0002_verify_checksums.chroot
+++ b/config/hooks/live/0002_verify_checksums.chroot
@@ -0,0 +1,144 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 target="/usr/lib/live/boot/0030-verify-checksums"
 src="$(mktemp)"
 if [[ ! -d /usr/lib/live/boot ]]; then
  mkdir -p /usr/lib/live/boot
 fi
 cat << 'EOF' >| "${src}"
 #!/bin/sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Changed version of https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
 ### In case of successful verification of the offered checksums, proceed with booting, else panic.
 ### Inside 0002_verify_checksums.chroot ###
 #######################################
 # Live build ISO with the modified checksum verification script for continuing the boot process.
 # Globals:
 #   LIVE_BOOT_CMDLINE
 #   LIVE_VERIFY_CHECKSUMS
 #   LIVE_VERIFY_CHECKSUMS_DIGESTS
 #   _CHECKSUM
 #   _CHECKSUMS
 #   _DIGEST
 #   _MOUNTPOINT
 #   _PARAMETER
 #   _RETURN
 #   _TTY
 # Arguments:
 #   $1: ${_PARAMETER}
 # Returns:
 #   0 : Successful Verification
 #######################################
 Verify_checksums() {
  for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
    case "${_PARAMETER}" in
      live-boot.verify-checksums=* | verify-checksums=*)
        LIVE_VERIFY_CHECKSUMS="true"
        LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
        ;;
      live-boot.verify-checksums | verify-checksums)
        LIVE_VERIFY_CHECKSUMS="true"
        ;;
    esac
  done
  case "${LIVE_VERIFY_CHECKSUMS}" in
    true) ;;
    *)
      return 0
      ;;
  esac
  _MOUNTPOINT="${1}"
  LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
  _TTY="/dev/tty8"
  log_begin_msg "Verifying checksums"
  # shellcheck disable=SC2164
  cd "${_MOUNTPOINT}"
  for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
    # shellcheck disable=SC2060
    _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
    for _CHECKSUM in ${_CHECKSUMS}; do
      if [ -e "${_CHECKSUM}" ]; then
        echo "Found ${_CHECKSUM}..." > "${_TTY}"
        if [ -e "/bin/${_DIGEST}sum" ]; then
          echo "Checking ${_CHECKSUM}..." > "${_TTY}"
          # Verify checksums
          grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
          _RETURN="${?}"
          # Stop after the first verification
          # break 2
        else
          echo "Not found /bin/${_DIGEST}sum..." > "${_TTY}"
        fi
      fi
    done
  done
  log_end_msg
  case "${_RETURN}" in
    0)
      log_success_msg "Verification sha512 sha384 sha256 successful, continuing booting in 10 seconds."
      sleep 10
      return 0
      ;;
    *)
      panic "Verification failed, $(basename ${_TTY}) for more information."
      ;;
  esac
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 # Copy and make executable
 install -Dm755 "${src}" "${target}"
 rm -f "${src}"
 unset target src
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0050_activate_root.chroot
+++ b/config/hooks/live/0050_activate_root.chroot
@@ -0,0 +1,53 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 if [[ ! -f /root/.pwd ]]; then
  printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ /root/.pwd NOT found. \e[0m\n"
  # sleep 1
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Exiting Hook ... \e[0m\n"
  # sleep 1
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' done. Nothing changed. \e[0m\n" "${0}"
  exit 0
 fi
 cd /root
 cp /etc/shadow /root/.ciss/dlb/backup/shadow.bak."$(date +%F_%T)"
 chmod 600 /root/.ciss/dlb/backup/shadow.bak.*
 declare hashed_pwd
 declare safe_hashed_pwd
 IFS= read -r hashed_pwd < /root/.pwd
 safe_hashed_pwd=$(printf '%s' "${hashed_pwd}" | sed 's/[\/&]/\\&/g')
 sed -i "s|^root:[^:]*:\(.*\)|root:${safe_hashed_pwd}:\1|" /etc/shadow
 sed -i "s|^user:[^:]*:\(.*\)|user:${safe_hashed_pwd}:\1|" /etc/shadow
 unset hashed_pwd safe_hashed_pwd
 cat /etc/shadow
 # sleep 1
 if shred -vfzu -n 5 /root/.pwd; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: -vfzu -n 5 >> done. \e[0m\n"
 else
  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: -vfzu -n 5 >> NOT successful. \e[0m\n" >&2
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0080_keyboard_layout.chroot
+++ b/config/hooks/live/0080_keyboard_layout.chroot
@@ -0,0 +1,31 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cat << 'EOF' >| /etc/default/keyboard
 XKBMODEL="pc105"
 XKBLAYOUT="de"
 XKBVARIANT=""
 XKBOPTIONS=""
 BACKSPACE="guess"
 EOF
 dpkg-reconfigure -f noninteractive keyboard-configuration
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0090_haveged.chroot
+++ b/config/hooks/live/0090_haveged.chroot
@@ -0,0 +1,42 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 apt-get update -y
 apt-get install --no-install-recommends haveged -y
 cd /root
 cat << 'EOF' >| /etc/default/haveged
 # Configuration file for haveged
 # Options to pass to haveged:
 DAEMON_ARGS="-w 2048 -v 1"
 EOF
 #mkdir -p /etc/systemd/system/haveged.service.d
 #cat << 'EOF' >| /etc/systemd/system/haveged.service.d/override.conf
 #[Service]
 #NoNewPrivileges=yes
 #ReadWritePaths=/dev/random /dev/urandom
 #AmbientCapabilities=
 #User=haveged
 #Group=nogroup
 #EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0120_set_hostname.chroot
+++ b/config/hooks/live/0120_set_hostname.chroot
@@ -0,0 +1,34 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 mv /etc/hostname /root/.ciss/dlb/backup/hostname.bak
 mv /etc/mailname /root/.ciss/dlb/backup/mailname.bak
 cat << 'EOF' >| /etc/hostname
 live.local
 EOF
 cat << 'EOF' >| /etc/mailname
 localhost.local
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0130_machineid.chroot
+++ b/config/hooks/live/0130_machineid.chroot
@@ -0,0 +1,40 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root
 if [[ -f /var/lib/dbus/machine-id ]]; then
  rm /var/lib/dbus/machine-id
 fi
 cat << 'EOF' >| /var/lib/dbus/machine-id
 b08dfa6083e7567a1921a715000001fb
 EOF
 chmod 644 /var/lib/dbus/machine-id
 if [[ -f /etc/machine-id ]]; then
  rm /etc/machine-id
 fi
 cat << 'EOF' >| /etc/machine-id
 b08dfa6083e7567a1921a715000001fb
 EOF
 chmod 644 /etc/machine-id
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0400_eza_install.chroot
+++ b/config/hooks/live/0400_eza_install.chroot
@@ -0,0 +1,162 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root
 repo="ryanoasis/nerd-fonts"
 latest_release=$(curl -s "https://api.github.com/repos/${repo}/releases/latest" | jq -r .tag_name)
 download_url="https://github.com/${repo}/releases/download/${latest_release}/Hack.zip"
 wget -qO- https://raw.githubusercontent.com/eza-community/eza/main/deb.asc | gpg --dearmor -o /etc/apt/keyrings/gierens.gpg
 echo "deb [signed-by=/etc/apt/keyrings/gierens.gpg] http://deb.gierens.de stable main" | tee /etc/apt/sources.list.d/gierens.list
 chmod 644 /etc/apt/keyrings/gierens.gpg /etc/apt/sources.list.d/gierens.list
 apt-get update -y
 apt-get install -y eza
 git clone https://github.com/eza-community/eza-themes.git
 mkdir -p /root/.config/eza
 cat << 'EOF' >| "/root/eza-themes/themes/centurion.yml"
 colourful: true
 filekinds:
  normal: {foreground: Default}
  directory: {foreground: Purple, is_bold: true}
  symlink: {foreground: Cyan}
  pipe: {foreground: Yellow}
  block_device: {foreground: Yellow, is_bold: true}
  char_device: {foreground: Yellow, is_bold: true}
  socket: {foreground: Red, is_bold: true}
  special: {foreground: Yellow}
  executable: {foreground: Green, is_bold: true}
  mount_point: {foreground: Purple, is_bold: true, is_underlined: true}
 perms:
  user_read: {foreground: Yellow, is_bold: true}
  user_write: {foreground: Red, is_bold: true}
  user_execute_file: {foreground: Green, is_bold: true, is_underlined: true}
  user_execute_other: {foreground: Green, is_bold: true}
  group_read: {foreground: Yellow}
  group_write: {foreground: Red}
  group_execute: {foreground: Green}
  other_read: {foreground: Yellow}
  other_write: {foreground: Red}
  other_execute: {foreground: Green}
  special_user_file: {foreground: Purple}
  special_other: {foreground: Purple}
  attribute: {foreground: Default}
 size:
  major: {foreground: Green, is_bold: true}
  minor: {foreground: Green}
  number_byte: {foreground: Green, is_bold: true}
  number_kilo: {foreground: Green, is_bold: true}
  number_mega: {foreground: Green, is_bold: true}
  number_giga: {foreground: Green, is_bold: true}
  number_huge: {foreground: Green, is_bold: true}
  unit_byte: {foreground: Green}
  unit_kilo: {foreground: Green}
  unit_mega: {foreground: Green}
  unit_giga: {foreground: Green}
  unit_huge: {foreground: Green}
 users:
  user_you: {foreground: Yellow, is_bold: true}
  user_root: {foreground: Default}
  user_other: {foreground: Default}
  group_yours: {foreground: Yellow, is_bold: true}
  group_other: {foreground: Default}
  group_root: {foreground: Default}
 links:
  normal: {foreground: Red, is_bold: true}
  multi_link_file: {foreground: Red, background: Yellow}
 git:
  new: {foreground: Green}
  modified: {foreground: Blue}
  deleted: {foreground: Red}
  renamed: {foreground: Yellow}
  typechange: {foreground: Purple}
  ignored: {foreground: Default, is_dimmed: true}
  conflicted: {foreground: Red}
 git_repo:
  branch_main: {foreground: Green}
  branch_other: {foreground: Yellow}
  git_clean: {foreground: Green}
  git_dirty: {foreground: Yellow}
 security_context:
  colon: {foreground: Default, is_dimmed: true}
  user: {foreground: Blue}
  role: {foreground: Green}
  typ: {foreground: Yellow}
  range: {foreground: Cyan}
 file_type:
  image: {foreground: Purple}
  video: {foreground: Purple, is_bold: true}
  music: {foreground: Cyan}
  lossless: {foreground: Cyan, is_bold: true}
  crypto: {foreground: Green, is_bold: true}
  document: {foreground: Green}
  compressed: {foreground: Red}
  temp: {foreground: White}
  compiled: {foreground: Yellow}
  build: {foreground: Yellow, is_bold: true, is_underlined: true}
  source: {foreground: Yellow, is_bold: true}
 punctuation: {foreground: DarkGray, is_bold: true}
 date: {foreground: Cyan}
 inode: {foreground: Purple}
 blocks: {foreground: Cyan}
 header: {foreground: White, is_bold: true, is_underlined: true}
 octal: {foreground: Purple}
 flags: {foreground: Default}
 symlink_path: {foreground: Cyan}
 control_char: {foreground: Red}
 broken_symlink: {foreground: Red}
 broken_path_overlay: {foreground: Default, is_underlined: true}
 filenames:
  # Custom filename-based overrides
  # Cargo.toml: {icon: {glyph: ðŸ¦€}}
 extensions:
  # Custom extension-based overrides
  # rs: {filename: {foreground: Red}, icon: {glyph: ðŸ¦€}}
 EOF
 chmod 0644 "/root/eza-themes/themes/centurion.yml"
 ln -sf "/root/eza-themes/themes/centurion.yml" /root/.config/eza/theme.yml
 mkdir -p /tmp/nerd
 mkdir -p /root/.local/share/fonts
 wget --no-clobber --https-only --secure-protocol=TLSv1_3 -P /tmp/nerd "${download_url}"
 unzip /tmp/nerd/Hack.zip -d /root/.local/share/fonts
 fc-cache -fv
 rm -rf /tmp/nerd
 unset repo latest_release download_url
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0800_lynis_setup.chroot
+++ b/config/hooks/live/0800_lynis_setup.chroot
@@ -0,0 +1,28 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
 echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list
 apt-get update -y
 apt-get install -y lynis
 lynis show version
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0810_chrony_setup.chroot
+++ b/config/hooks/live/0810_chrony_setup.chroot
@@ -0,0 +1,68 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 mkdir -p /var/log/chrony
 # See https://coresecret.eu/tutorials/debian-package-glossary/ for a brief description of the installed packages.
 apt-get install chrony -y
 systemctl enable chrony.service
 mv /etc/chrony/chrony.conf /root/.ciss/dlb/backup/chrony.conf.bak
 chmod 644 /root/.ciss/dlb/backup/chrony.conf.bak
 cat << 'EOF' >| /etc/chrony/chrony.conf
 # Include configuration files found in /etc/chrony/conf.d.
 confdir /etc/chrony/conf.d
 driftfile /var/lib/chrony/chrony.drift
 keyfile /etc/chrony/chrony.keys
 logdir /var/log/chrony
 ntsdumpdir /var/lib/chrony
 sourcedir /run/chrony-dhcp
 sourcedir /etc/chrony/sources.d
 log tracking measurements statistics
 authselectmode require
 server ptbtime1.ptb.de iburst nts minpoll 5 maxpoll 9
 server ptbtime2.ptb.de iburst nts minpoll 5 maxpoll 9
 server ptbtime3.ptb.de iburst nts minpoll 5 maxpoll 9
 server ptbtime4.ptb.de iburst nts noselect minpoll 5 maxpoll 9
 # server nts.netnod.se iburst nts minpoll 5 maxpoll 9
 # server ntp.ripe.net iburst nts minpoll 5 maxpoll 9
 # server ntp12.metas.ch iburst nts minpoll 5 maxpoll 9
 # server ntp2.tecnico.ulisboa.pt iburst nts minpoll 5 maxpoll 9
 # server time-c-b.nist.gov iburst nts minpoll 5 maxpoll 9
 server ntp0.fau.de iburst nts minpoll 5 maxpoll 9
 leapsectz right/UTC
 leapsecmode system
 maxupdateskew 100.0
 rtcsync
 makestep 1 3
 EOF
 chmod 644 /etc/chrony/chrony.conf
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0820_kernel_hardening_checker.chroot
+++ b/config/hooks/live/0820_kernel_hardening_checker.chroot
@@ -0,0 +1,24 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root/git
 git clone https://github.com/a13xp0p0v/kernel-hardening-checker.git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0822_ssh_restart_hook.chroot
+++ b/config/hooks/live/0822_ssh_restart_hook.chroot
@@ -0,0 +1,52 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root
 declare target_script="/etc/cron.d/restart-ssh"
 cat << 'EOF' >| "${target_script}"
@reboot root /usr/local/bin/restart-ssh.sh
 EOF
 chmod 644 "${target_script}"
 cat << 'EOF' >| /usr/local/bin/restart-ssh.sh
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # Script to restart SSH at boot
 systemctl stop ssh
 sleep 5
 systemctl start ssh
 EOF
 chmod +x /usr/local/bin/restart-ssh.sh
 unset target_script
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0825_my_sqltuner_perl.chroot
+++ b/config/hooks/live/0825_my_sqltuner_perl.chroot
@@ -0,0 +1,24 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root/git
 git clone --depth 1 -b master https://github.com/major/MySQLTuner-perl.git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0830_download_yq.chroot
+++ b/config/hooks/live/0830_download_yq.chroot
@@ -0,0 +1,24 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
 chmod +x /usr/bin/yq
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0835_testssl.sh.chroot
+++ b/config/hooks/live/0835_testssl.sh.chroot
@@ -0,0 +1,24 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root/git
 git clone https://github.com/testssl/testssl.sh.git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
+++ b/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
@@ -0,0 +1,28 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 apt-get install -y curl
 curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - && \
 apt-get install -y nodejs
 cd /root/git
 git clone https://github.com/sefinek/UFW-AbuseIPDB-Reporter.git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0845_harbian_audit.chroot
+++ b/config/hooks/live/0845_harbian_audit.chroot
@@ -0,0 +1,24 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root/git
 git clone https://github.com/hardenedlinux/harbian-audit.git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0850_ssh_audit.chroot
+++ b/config/hooks/live/0850_ssh_audit.chroot
@@ -0,0 +1,24 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root/git
 git clone https://github.com/jtesta/ssh-audit.git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0900_ufw_setup.chroot
+++ b/config/hooks/live/0900_ufw_setup.chroot
@@ -0,0 +1,67 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 declare -r UFW_OUT_POLICY="deny"
 declare -r SSHPORT="MUST_BE_SET"
 ufw --force reset
 ufw logging medium
 ufw default deny incoming
 ufw default "${UFW_OUT_POLICY}" outgoing
 ufw default deny forward
 ufw allow in "${SSHPORT}"/tcp comment 'Incoming SSH (Custom-Port)'
 ufw limit "${SSHPORT}"/tcp comment 'Rate-Limit for SSH (Custom-Port)'
 if [[ ${UFW_OUT_POLICY,,} == "deny"  ]]; then
  ufw allow out   21/tcp comment 'Outgoing FTP'
  ufw allow out   22/tcp comment 'Outgoing SSH'
  ufw allow out   25/tcp comment 'Outgoing SMTP'
  ufw allow out   53/tcp comment 'Outgoing DNS'
  ufw allow out   80/tcp comment 'Outgoing HTTP'
  ufw allow out  123/tcp comment 'Outgoing NTP'
  ufw allow out  143/tcp comment 'Outgoing IMAP'
  ufw allow out  443/tcp comment 'Outgoing HTTPS'
  ufw allow out  465/tcp comment 'Outgoing SMTPS'
  ufw allow out  587/tcp comment 'Outgoing SMTPS'
  ufw allow out  993/tcp comment 'Outgoing IMAPS'
  ufw allow out 4460/tcp comment 'Outgoing NTS'
  ufw allow out "${SSHPORT}"/tcp comment 'Outgoing SSH (Custom-Port)'
  ufw allow out   53/udp comment 'Outgoing DNS'
  ufw allow out  123/udp comment 'Outgoing NTP'
  ufw allow out  443/udp comment 'Outgoing QUIC'
  ufw allow out  853/udp comment 'Outgoing DoQ'
 fi
 sed -i "/# ok icmp code for FORWARD/i \# ok icmp codes for OUTPUT" /etc/ufw/before.rules
 sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT" /etc/ufw/before.rules
 sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT" /etc/ufw/before.rules
 sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type parameter-problem -j ACCEPT" /etc/ufw/before.rules
 sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT" /etc/ufw/before.rules
 sed -i 's/^ENABLED=no/ENABLED=yes/' /etc/ufw/ufw.conf
 ln -sf /lib/systemd/system/ufw.service /etc/systemd/system/multi-user.target.wants/ufw.service
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/1024_git_clone_ciss_2025_debian_installer.chroot
+++ b/config/hooks/live/1024_git_clone_ciss_2025_debian_installer.chroot
@@ -0,0 +1,25 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 # TODO: MUST be uncommented
 cd /root/git
 # git clone https://git.coresecret.dev/msw/CISS.debian.installer.git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9900_process_accounting.chroot
+++ b/config/hooks/live/9900_process_accounting.chroot
@@ -0,0 +1,33 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 apt-get install -y acct
 if [[ ! -d /etc/systemd/system/multi-user.target.wants ]]; then
  mkdir -p /etc/systemd/system/multi-user.target.wants
 fi
 if ln -s /lib/systemd/system/acct.service /etc/systemd/system/multi-user.target.wants/acct.service; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'Process Accounting' enabled successful. \e[0m\n"
 else
  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'Process Accounting' already enabled. \e[0m\n" >&2
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9910_motd.chroot
+++ b/config/hooks/live/9910_motd.chroot
@@ -0,0 +1,31 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 mkdir -p /root/.ciss/dlb/backup/update-motd.d
 cp -af /etc/update-motd.d/* /root/.ciss/dlb/backup/update-motd.d
 cat << 'EOF' >| /etc/update-motd.d/10-uname
 #!/bin/sh
 uname -snrm
 EOF
 chmod 0755 /etc/update-motd.d/10-uname
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9920_deleting_invalid_x509.chroot
+++ b/config/hooks/live/9920_deleting_invalid_x509.chroot
@@ -0,0 +1,170 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 declare -a search_dirs=("/etc/ssl/certs" "/usr/local/share/ca-certificates" "/usr/share/ca-certificates" "/etc/letsencrypt")
 declare backup_dir="/root/.ciss/dlb/backup/certificates"
 declare current_date
 current_date=$(date +%s)
 declare -ax expired_certificates=()
 #######################################
 # Backup Wrapper for all x509 Root CA Certs
 # Globals:
 #   backup_dir
 #   search_dirs
 #   dir
 # Arguments:
 #  None
 #######################################
 create_backup() {
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Backup Certificate: '%s' ... \e[0m\n" "${backup_dir}"
  mkdir -p "${backup_dir}"
  declare dir=""
  for dir in "${search_dirs[@]}"; do
    if [ -d "${dir}" ] && compgen -G "${dir}"/* > /dev/null; then
      cp -r "${dir}"/* "${backup_dir}"
    fi
  done
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Backup Certificate: '%s' done.\e[0m\n" "${backup_dir}"
 }
 #######################################
 # Check the validity of each certificate.
 # Globals:
 #   CERT
 #   CERT_DATE
 #   CERT_DATE_SECONDS
 #   CURRENT_DATE
 #   DIR
 #   EXPIRED_CERTIFICATES
 #   SEARCH_DIRS
 # Arguments:
 #  None
 #######################################
 check_certificates() {
  declare dir=""
  declare cert=""
  declare cert_date=""
  declare cert_date_seconds=""
  for dir in "${search_dirs[@]}"; do
    while IFS= read -r -d '' cert; do
      cert_date=$(openssl x509 -in "${cert}" -noout -enddate | sed 's/notAfter=//')
      cert_date_seconds=$(date -d "${cert_date}" +%s)
      if [[ ${cert_date_seconds} -lt ${current_date} ]]; then
        declare -g expired_certificates+=("${cert}")
      fi
    done < <(find "${dir}" -type f \( -name "*.crt" -o -name "*.pem" \) -print0)
  done
 }
 #   done < <(find "${dir}" -type f -name "*.crt" -o -name "*.pem" -print0)
 #   done < <(find "${DIR}" -type f \( -name "*.crt" -o -name "*.pem" \) -print0)
 #######################################
 # Find and clean all ca-certificates.crt files in SEARCH_DIRS.
 # Globals:
 #   CURRENT_DATE
 #   SEARCH_DIRS
 #   cert
 #   line
 # Arguments:
 #  None
 #######################################
 delete_expired_from_all_bundles() {
  declare dir bundle
  for dir in "${search_dirs[@]}"; do
    bundle="${dir}/ca-certificates.crt"
    if [[ -f ${bundle} ]]; then
      printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Checking Root-CA Bundle: '%s' ...\e[0m\n" "${bundle}"
      declare tmp_bundle="${bundle}.tmp"
      declare -a block=()
      declare expired=0
      declare enddate cert_date_seconds
      : > "${tmp_bundle}"
      declare line=""
      while IFS= read -r line; do
        block+=("${line}")
        if [[ ${line} == "-----END CERTIFICATE-----"   ]]; then
          cert=$(printf "%s\n" "${block[@]}")
          enddate=$(echo "${cert}" | openssl x509 -noout -enddate 2> /dev/null | sed 's/notAfter=//')
          if [[ -n ${enddate}   ]]; then
            declare cert_date_seconds=""
            cert_date_seconds=$(date -d "${enddate}" +%s)
            if [[ ${cert_date_seconds} -lt ${current_date} ]]; then
              expired=1
            else
              expired=0
            fi
          else
            expired=0
          fi
          if [[ ${expired} -eq 0 ]]; then
            printf "%s\n" "${block[@]}" >> "${tmp_bundle}"
          else
            printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅  Certificate deleted: '%s' (Expired: %s)\e[0m\n" "${bundle}" "${enddate}"
          fi
          block=()
        fi
      done < "${bundle}"
      mv -f "${tmp_bundle}" "${bundle}"
      printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Checking Root-CA Bundle: '%s' done. \e[0m\n" "${bundle}"
    fi
  done
 }
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Check certificates in: '%s'.\e[0m\n" "${search_dirs[*]}"
 create_backup
 delete_expired_from_all_bundles
 check_certificates
 if [[ ${#expired_certificates[@]} -eq 0 ]]; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No expired certificates found.\e[0m\n"
 else
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Expired certificates found:\e[0m\n"
  for exp_cert in "${expired_certificates[@]}"; do
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ '%s'. \e[0m\n" "${exp_cert}"
  done
  for exp_cert in "${expired_certificates[@]}"; do
    rm -f "${exp_cert}"
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Certificate deleted: '%s'.\e[0m\n" "${exp_cert}"
    basename=$(basename "${exp_cert}")
    mozilla_entry="mozilla/${basename%.pem}.crt"
    mozilla_entry="${mozilla_entry%.crt}.crt"
    declare ca_conf="/etc/ca-certificates.conf"
    if grep -Fxq "${mozilla_entry}" "${ca_conf}"; then
      sed -i "s|^${mozilla_entry}$|#${mozilla_entry}|" "${ca_conf}"
      printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Entry in ca-certificates.conf deselected: '#%s'.\e[0m\n" "${mozilla_entry}"
    fi
  done
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache ... \e[0m\n"
  update-ca-certificates --fresh
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache done.\e[0m\n"
  # sleep 1
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9930_hardening_ssh.chroot
+++ b/config/hooks/live/9930_hardening_ssh.chroot
@@ -0,0 +1,64 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /etc/ssh || {
  printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
 }
 rm -rf ssh_host_*key*
 ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)"
 ssh-keygen -o -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"
 awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
 rm -rf /etc/ssh/moduli
 mv /etc/ssh/moduli.safe /etc/ssh/moduli
 chmod 0600 /etc/ssh/ssh_host_*_key
 chown root:root /etc/ssh/ssh_host_*_key
 chmod 0644 /etc/ssh/ssh_host_*_key.pub
 chown root:root /etc/ssh/ssh_host_*_key.pub
 chmod 600 /etc/ssh/sshd_config /etc/ssh/ssh_config
 touch /root/sshfp
 ssh-keygen -r @ >| /root/sshfp
 ###########################################################################################
 # Remarks: The file /etc/profile.d/idle-users.sh is created to set two read-only          #
 # environment variables: TMOUT and HISTFILE.                                              #
 # TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
 # readonly HISTFILE ensures that the command history cannot be changed.                   #
 # The chmod +x command ensures that the file is executed in every shell session.          #
 ###########################################################################################
 cat << 'EOF' >| /etc/profile.d/idle-users.sh
 declare -girx TMOUT=14400
 EOF
 chmod +x /etc/profile.d/idle-users.sh
 mkdir -p /etc/systemd/system/ssh.service.d
 cat << 'EOF' >| /etc/systemd/system/ssh.service.d/override.conf
 [Unit]
 After=ufw.service
 Requires=ufw.service
 EOF
 chmod 0644 /etc/systemd/system/ssh.service.d/override.conf
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9940_hardening_memory.dump.chroot
+++ b/config/hooks/live/9940_hardening_memory.dump.chroot
@@ -0,0 +1,37 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cp -u /etc/security/limits.conf /root/.ciss/dlb/backup/limits.conf.bak
 chmod 0644 /root/.ciss/dlb/backup/limits.conf.bak
 sed -i "/#*               soft    core            0/ i\*               soft    core            0" /etc/security/limits.conf
 sed -i "/#root            hard    core            100000/ i\*               hard    core            0" /etc/security/limits.conf
 if [[ ! -d /etc/systemd/coredump.conf.d ]]; then
  mkdir -p /etc/systemd/coredump.conf.d
 fi
 touch /etc/systemd/coredump.conf.d/disable.conf
 chmod 0644 /etc/systemd/coredump.conf.d/disable.conf
 cat << EOF >| /etc/systemd/coredump.conf.d/disable.conf
 [Coredump]
 Storage=none
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9950_fail2ban_hardening.chroot
+++ b/config/hooks/live/9950_fail2ban_hardening.chroot
@@ -0,0 +1,148 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root
 cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/dlb/backup/fail2ban.conf.bak
 chmod 0644 /root/.ciss/dlb/backup/fail2ban.conf.bak
 ### https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
 sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
 mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/dlb/backup/defaults-debian.conf.bak
 chmod 0644 /root/.ciss/dlb/backup/defaults-debian.conf.bak
 cat << 'EOF' >| /etc/fail2ban/jail.d/centurion-default.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
 # SPDX-PackageName: CISS.2025.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 [DEFAULT]
 usedns    = yes
 # local | vpn
 ignoreip  = 127.0.0.0/8 ::1 MUST_BE_SET
 maxretry  = 8
 findtime  = 24h
 bantime   = 24h
 ### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
 ###               Jump host mistyped 1–3 times: no ban, only after four attempts          [sshd]
 [sshd]
 enabled   = true
 backend   = systemd
 filter    = sshd
 mode      = normal
 port      = MUST_BE_SET
 protocol  = tcp
 logpath   = /var/log/auth.log
 maxretry  = 4
 findtime  = 24h
 bantime   = 24h
 [sshd-refused]
 enabled   = true
 filter    = sshd-refused
 port      = MUST_BE_SET
 protocol  = tcp
 logpath   = /var/log/auth.log
 maxretry  = 1
 findtime  = 24h
 bantime   = 24h
 # ufw aggressive approach:
 # Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...).
 # Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after one attempt.
 [ufw]
 enabled   = true
 filter    = ufw.aggressive
 action    = iptables-allports
 logpath   = /var/log/ufw.log
 maxretry  = 1
 findtime  = 24h
 bantime   = 24h
 protocol  = tcp,udp
 EOF
 cat << EOF >| /etc/fail2ban/filter.d/ufw.aggressive.conf
 [Definition]
 failregex = ^.*UFW BLOCK.* SRC=<HOST> .*DPT=\d+ .*
 EOF
 cat << EOF >| /etc/fail2ban/filter.d/sshd-refused.conf
 [Definition]
 failregex = ^refused connect from \S+ \(<HOST>\)
 EOF
 ###########################################################################################
 # Remarks: hardening of fail2ban systemd                                                  #
 ###########################################################################################
 # https://wiki.archlinux.org/title/fail2ban#Service_hardening                             #
 # The CapabilityBoundingSet parameters CAP_DAC_READ_SEARCH will allow Fail2ban full read  #
 # access to every directory and file. CAP_NET_ADMIN and CAP_NET_RAW allow Fail2ban to     #
 # operate # on any firewall that has a command-line shell interface. By using             #
 # ProtectSystem=strict the filesystem hierarchy will only be read-only; ReadWritePaths    #
 # allows Fail2ban to have write access on required paths.                                 #
 ###########################################################################################
 mkdir -p /etc/systemd/system/fail2ban.service.d
 mkdir /var/log/fail2ban
 cat << 'EOF' >| /etc/systemd/system/fail2ban.service.d/override.conf
 [Service]
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectHome=read-only
 ProtectSystem=strict
 ReadWritePaths=-/var/run/fail2ban
 ReadWritePaths=-/var/lib/fail2ban
 ReadWritePaths=-/var/log/fail2ban
 ReadWritePaths=-/var/spool/postfix/maildrop
 ReadWritePaths=-/run/xtables.lock
 CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
 ### Added by CISS.debian.live.builder
 ProtectClock=true
 ProtectHostname=true
 EOF
 cat << 'EOF' >> /etc/fail2ban/fail2ban.local
 [Definition]
 logtarget = /var/log/fail2ban/fail2ban.log
 EOF
 ###########################################################################################
 # Remarks: Logrotate must be updated either                                               #
 ###########################################################################################
 cp -a /etc/logrotate.d/fail2ban /root/.ciss/dlb/backup/fail2ban_logrotate.bak
 sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' /etc/logrotate.d/fail2ban
 touch /var/log/fail2ban/fail2ban.log
 chmod 640 /var/log/fail2ban/fail2ban.log
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9960_disable_services.chroot
+++ b/config/hooks/live/9960_disable_services.chroot
@@ -0,0 +1,31 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 ###########################################################################################
 # Remarks: Turn off Energy saving mode and ctrl-alt-del                                   #
 ###########################################################################################
 declare target=""
 for target in sleep.target suspend.target hibernate.target hybrid-sleep.target ctrl-alt-del.target; do
  ln -sf /dev/null "/etc/systemd/system/${target}"
 done
 unset target
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9970_remove_exim.chroot
+++ b/config/hooks/live/9970_remove_exim.chroot
@@ -0,0 +1,40 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /etc
 apt-get purge exim4 -y
 apt-get purge exim4-base -y
 apt-get purge exim4-config -y
 apt-get autoremove -y
 apt-get autoclean -y
 apt-get autopurge -y
 apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config
 apt-get update -y
 apt-get upgrade -y
 if [[ -d /etc/exim4 ]]; then
  rm -rf /etc/exim4
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9980_usb_guard.chroot
+++ b/config/hooks/live/9980_usb_guard.chroot
@@ -0,0 +1,45 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 apt-get install -y usbguard
 # sleep 1
 # Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm
 touch /tmp/rules.conf
 usbguard generate-policy >> /tmp/rules.conf
 if [[ -f /etc/usbguard/rules.conf && -s /etc/usbguard/rules.conf ]]; then
  mv /etc/usbguard/rules.conf /root/.ciss/dlb/backup/usbguard_rules.conf.bak
  cp -a /tmp/rules.conf /etc/usbguard/rules.conf
  chmod 0600 /etc/usbguard/rules.conf
 else
  rm -f /etc/usbguard/rules.conf
  cp -a /tmp/rules.conf /etc/usbguard/rules.conf
  chmod 0600 /etc/usbguard/rules.conf
 fi
 cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/dlb/backup/usbguard-daemon.conf.bak
 sed -i "s/PresentDevicePolicy=apply-policy/PresentDevicePolicy=allow/" /etc/usbguard/usbguard-daemon.conf
 # sleep 1
 rm -f /tmp/rules.conf
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9985_clamav.chroot
+++ b/config/hooks/live/9985_clamav.chroot
@@ -0,0 +1,77 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 mkdir -p /etc/systemd/system/clamav-daemon.service.d
 cat << 'EOF' >| /etc/systemd/system/clamav-daemon.service.d/override.conf
 [Service]
 User=clamav
 Group=clamav
 ProtectSystem=full
 ProtectHome=read-only
 PrivateTmp=yes
 NoNewPrivileges=yes
 PermissionsStartOnly=true
 ExecStartPre=/bin/mkdir -p /run/clamav
 ExecStartPre=/bin/chown clamav:clamav /run/clamav
 ExecStartPre=/bin/chmod 750 /run/clamav
 ReadOnlyPaths=/
 ReadWritePaths=/var/lib/clamav /var/log/clamav /var/run/clamav /run/clamav
 MemoryDenyWriteExecute=yes
 MemoryLimit=512M
 CPUShares=512
 RestrictAddressFamilies=AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
 SystemCallFilter=@system-service
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SYS_NICE
 EOF
 chmod 0644 /etc/systemd/system/clamav-daemon.service.d/override.conf
 mkdir -p /etc/systemd/system/clamav-freshclam.service.d
 cat << 'EOF' >| /etc/systemd/system/clamav-freshclam.service.d/override.conf
 [Service]
 User=clamav
 Group=clamav
 ProtectSystem=full
 ProtectHome=read-only
 PrivateTmp=yes
 NoNewPrivileges=yes
 ReadOnlyPaths=/
 ReadWritePaths=/var/lib/clamav /var/log/clamav /var/run/clamav
 MemoryDenyWriteExecute=yes
 MemoryLimit=512M
 CPUShares=512
 RestrictAddressFamilies=AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
 SystemCallFilter=@system-service
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SYS_NICE
 EOF
 chmod 0644 /etc/systemd/system/clamav-freshclam.service.d/override.conf
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9990_final_purge.chroot
+++ b/config/hooks/live/9990_final_purge.chroot
@@ -0,0 +1,59 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 apt-get update -y
 apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config \
 qemu-guest-agent rmail sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
 apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config \
 qemu-guest-agent rmail sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
 dpkg --get-selections | grep deinstall >> /tmp/deinstall.log || true
 if [[ -s /tmp/deinstall.log ]]; then
  printf "\n"
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Packages to purge ... \e[0m\n"
  sed -i 's!deinstall!!' /tmp/deinstall.log
  while IFS= read -r line; do
    declare trimmed_string
    trimmed_string=$(echo "$line" | awk '{$1=$1};1')
    echo "y" | apt-get purge "${trimmed_string}"
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Package '%s' purged. \e[0m\n" "${trimmed_string}"
    # sleep 1
  done < /tmp/deinstall.log
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Packages to purge done. \e[0m\n"
 else
  printf "\n"
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Packages to purge, proceeding with clean up. \e[0m\n"
 fi
 apt-get update -y
 apt-get upgrade -y
 rm -f /tmp/deinstall.log
 rm -fr /opt/udebs
 apt-get autoclean -y
 apt-get autoremove -y
 apt-get autopurge -y
 updatedb
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9991_file_permissions.chroot
+++ b/config/hooks/live/9991_file_permissions.chroot
@@ -0,0 +1,105 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 chmod 0644 /etc/banner
 chmod 0644 /etc/issue
 chmod 0644 /etc/issue.net
 if [[ -f /etc/motd ]]; then
  cp -a /etc/motd /root/.ciss/dlb/backup/motd.bak
  chmod 0644 /root/.ciss/dlb/backup/motd.bak
  rm /etc/motd
 fi
 touch /etc/motd
 cat << EOF >| /etc/motd
      (c) Marc S. Weidner, 2018 - 2025
      (p) Centurion Press, 2018 - 2025
          Centurion Intelligence Consulting Agency (tm)
          https://coresecret.eu/
          Please consider making a donation:
          https://coresecret.eu/spenden/
 EOF
 cp -a /etc/login.defs /root/.ciss/dlb/backup/login.defs.bak
 sed -i 's/UMASK		022/UMASK		077/' /etc/login.defs
 sed -i 's/PASS_MAX_DAYS	99999/PASS_MAX_DAYS	16384/' /etc/login.defs
 sed -i 's/PASS_MIN_DAYS	0/PASS_MIN_DAYS	1/' /etc/login.defs
 sed -i 's/PASS_WARN_AGE	7/PASS_WARN_AGE	128/' /etc/login.defs
 sed -i 's/ENCRYPT_METHOD SHA512/ENCRYPT_METHOD YESCRYPT/' /etc/login.defs
 sed -i 's/#SHA_CRYPT_MIN_ROUNDS 5000/SHA_CRYPT_MIN_ROUNDS 8388608/' /etc/login.defs
 sed -i 's/#SHA_CRYPT_MAX_ROUNDS 5000/SHA_CRYPT_MAX_ROUNDS 8388608/' /etc/login.defs
 sed -i 's/#YESCRYPT_COST_FACTOR 5/YESCRYPT_COST_FACTOR 8/' /etc/login.defs
 if [[ -f /etc/cron.deny ]]; then
  rm /etc/cron.deny
 fi
 if [[ -f /etc/cron.allow ]]; then
  cp -u /etc/cron.allow /root/.backup/cron.allow.bak
  chmod 644 /root/.backup/cron.allow.bak
  chmod 600 /etc/cron.allow
  cat << EOF >| /etc/cron.allow
 root
 EOF
 else
  touch /etc/cron.allow
  chmod 0600 /etc/cron.allow
  cat << EOF >| /etc/cron.allow
 root
 EOF
 fi
 chmod g-wx,o-rwx /etc/cron.allow
 chown root:root /etc/cron.allow
 chmod 0640 /etc/shadow
 chown root:shadow /etc/shadow
 chmod 0700 /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
 chmod 0700 /etc/sudoers.d
 chmod 0600 /etc/crontab
 chmod 0600 /etc/ssh/sshd_config /etc/ssh/ssh_config
 chmod 0750 /home
 if chmod 0750 /var/spool/apt-mirror; then :; fi
 mkdir /root/.ansible
 declare bin
 declare target
 for bin in as gcc g++ cc clang; do
  target=$(readlink -f "/usr/bin/${bin}") || {
    printf "\e[92m✅ Info: '%s' not found, skipping. \e[0m\n" "${bin}"
    continue
  }
  chmod 700 "${target}" || {
    printf "\e[92m❌ Error: chmod failed for '%s', skipping. \e[0m\n" "${bin}"
  }
 done
 unset bin target
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9992_password_expiration.chroot
+++ b/config/hooks/live/9992_password_expiration.chroot
@@ -0,0 +1,52 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 if ! command -v chage &>/dev/null; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Info: 'chage' NOT found. Exiting hook ... \e[0m\n"
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
  # sleep 1
  exit 0
 fi
 declare -i max_days=16384
 mapfile -t users_to_update < <(
  awk -F: '$2 !~ /^[!*]/ { print $1 }' /etc/shadow
 )
 if [[ ${#users_to_update[@]} -eq 0 ]]; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No enabled-login accounts found in /etc/shadow. Exiting hook ... \e[0m\n"
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
  # sleep 1
  exit 0
 fi
 declare user
 for user in "${users_to_update[@]}"; do
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Setting max password age for user '%s' to '%s' days. \e[0m\n" "${user}" "${max_days}"
  chage --maxdays "$max_days" "$user"
 done
 unset max_days user users_to_update
 awk -F: '$2 !~ /^\$[0-9]/ && length($2)==13 { print $1,$2 }' /etc/shadow
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ All applicable accounts have been updated. \e[0m\n"
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9993_aide.chroot
+++ b/config/hooks/live/9993_aide.chroot
@@ -0,0 +1,32 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 apt-get install -y aide
 cp -u /etc/aide/aide.conf /root/.ciss/dlb/backup/aide.conf.bak
 sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf
 if aideinit; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'aideinit' successful. \e[0m\n"
 else
  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'aideinit' NOT successful. \e[0m\n" >&2
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9994_password_policy.chroot
+++ b/config/hooks/live/9994_password_policy.chroot
@@ -0,0 +1,135 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### NIST recommends at least eight characters but advises longer passphrases (e.g., 12–64) for increased security.
 ### NIST SP 800–63B, https://pages.nist.gov/800-63-3/sp800-63b.html
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cp -a /etc/security/pwquality.conf /root/.ciss/dlb/backup/pwquality.conf.bak
 chmod 0644 /root/.ciss/dlb/backup/pwquality.conf.bak
 cat << 'EOF' >| /etc/security/pwquality.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Current recommendations for '/etc/security/pwquality.conf' based on common best practices,
 ### including NIST SP 800–63B, https://pages.nist.gov/800-63-3/sp800-63b.html
 ### and weighing usability against security.
 ### Configuration for systemwide password quality limits
 ### Defaults:
 ### Number of characters in the new password that must not be present in the
 ### old password.
 difok = 4
 ### Length over complexity: Studies show that longer passphrases are significantly more
 ### resistant to brute-force and dictionary attacks. NIST recommends at least eight characters
 ### but advises longer passphrases (e.g., 12–64) for increased security. Twenty characters strike a
 ### good balance between security and user convenience.
 ### Minimum acceptable size for the new password (plus one if
 ### credits are not disabled, which is the default). (See pam_cracklib manual.)
 ### Cannot be set to a lower value than 6.
 minlen = 20
 ### dcredit = 0, ucredit = 0, lcredit = 0, ocredit = 0, minclass = 0
 ### NIST SP 800–63B advises against rigid complexity rules (numbers, symbols, uppercase)
 ### because they can lead users to adopt predictable patterns (e.g., “Pa$$word!”).
 ### Length and dictionary checks are more effective.
  ### The maximum credit for having digits in the new password. If less than 0
  ### it is the minimum number of digits in the new password.
  dcredit = 0
  ### The maximum credit for having uppercase characters in the new password.
  ### If less than 0, it is the minimum number of uppercase characters in the new
  ### password.
  ucredit = 0
  ### The maximum credit for having lowercase characters in the new password.
  ### If less than 0, it is the minimum number of lowercase characters in the new
  ### password.
  lcredit = 0
  ### The maximum credit for having other characters in the new password.
  ### If less than 0, it is the minimum number of other characters in the new
  ### password.
  ocredit = 0
  ### The minimum number of required classes of characters for the new
  ### password (digits, uppercase, lowercase, others).
  minclass = 0
 ### The maximum number of allowed consecutive same characters in the new password.
 ### The check is disabled if the value is 0.
 maxrepeat = 2
 ### The maximum number of allowed consecutive characters of the same class in the
 ### new password.
 ### The check is disabled if the value is 0.
 maxclassrepeat = 4
 ### Whether to check for the words from the passwd entry GECOS string of the user.
 ### The check is enabled if the value is not 0.
 ### gecoscheck = 0
 ### Whether to check for the words from the cracklib dictionary.
 ### The check is enabled if the value is not 0.
 dictcheck = 1
 ### Whether to check if it contains the username in some form.
 ### The check is enabled if the value is not 0.
 usercheck = 1
 ### Length of substrings from the username to check for in the password
 ### The check is enabled if the value is greater than 0, and the usercheck is enabled.
 usersubstr = 3
 ### Whether the check is enforced by the PAM module and possibly other
 ### applications.
 ### The new password is rejected if it fails the check, and the value is not 0.
 enforcing = 1
 ### Path to the cracklib dictionaries. The default is to use the cracklib default.
 dictpath =
 # Prompt user at most N times before returning with error. The default is 1.
 retry = 3
 # Enforces pwquality checks on the root user password.
 # Enabled if the option is present.
 enforce_for_root
 # Skip testing the password quality for users that are not present in the
 # /etc/passwd file.
 # Enabled if the option is present.
 local_users_only
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9995_sysstat.chroot
+++ b/config/hooks/live/9995_sysstat.chroot
@@ -0,0 +1,23 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 sed -i 's#^\(ENABLED=\).*#\1"true"#' /etc/default/sysstat
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9996_auditd.chroot
+++ b/config/hooks/live/9996_auditd.chroot
@@ -0,0 +1,332 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### https://github.com/linux-audit/audit-userspace/tree/master/rules
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root
 apt-get install auditd -y
 cp -u /etc/audit/audit.rules /root/.ciss/dlb/backup/audit.rules.bak
 cp -u /etc/audit/auditd.conf /root/.ciss/dlb/backup/auditd.conf.bak
 cp -u /etc/audit/rules.d/audit.rules /root/.ciss/dlb/backup/rules_d_audit.rules.bak
 rm -rf /etc/audit/rules.d/audit.rules
 ############################################################### /etc/audit/rules.d/10-base-config.rules
 cat << EOF >| /etc/audit/rules.d/10-base-config.rules
 ## First rule - delete all
 -D
 ## Increase the buffers to survive stress events.
 ## Make this bigger for busy systems
 -b 8192
 ## This determine how long to wait in burst of events
 --backlog_wait_time 60000
 ## Set failure mode to syslog
 -f 1
 EOF
 ############################################################### /etc/audit/rules.d/11-loginuid.rules
 cat << EOF >| /etc/audit/rules.d/11-loginuid.rules
 --loginuid-immutable
 EOF
 ############################################################### /etc/audit/rules.d/20-dont-audit.rules
 cat << EOF >| /etc/audit/rules.d/20-dont-audit.rules
 ## This is for don't audit rules. We put these early because audit
 ### is a first match wins system. Uncomment the rules you want.
 ## Cron jobs fill the logs with stuff we normally don't want
 -a never,user -F subj_type=crond_t
 ## This prevents chrony from overwhelming the logs
 -a never,exit -F arch=x86_64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
 ### This is not very interesting and wastes a lot of space if
 ### the server is public facing
 -a always,exclude -F msgtype=CRYPTO_KEY_USER
 EOF
 ############################################################### /etc/audit/rules.d/21-no32bit.rules
 cat << EOF >| /etc/audit/rules.d/21-no32bit.rules
 ## If you are on a 64 bit platform, everything _should_ be running
 ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
 ## because this might be a sign of someone exploiting a hole in the 32
 ## bit ABI.
 -a always,exit -F arch=b32 -S all -F key=32bit-abi
 EOF
 ############################################################### /etc/audit/rules.d/22-ignore-chrony.rules
 cat << EOF >| /etc/audit/rules.d/22-ignore-chrony.rules
 ## This rule suppresses the time-change event when chrony does time updates
 -a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
 -a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
 ## Unsuccessful file creation (open with O_CREAT)
 -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 -a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 -a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
 ## Successful file creation (open with O_CREAT)
 -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 -a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 -a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 -a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 -a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
 ## Unsuccessful file modifications (open for write or truncate)
 -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 -a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 -a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
 ## Successful file modifications (open for write or truncate)
 -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 -a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 -a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 -a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 -a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
 ## Unsuccessful file access (any other opens) This has to go last.
 -a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
 -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
 -a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
 -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
 ## Successful file access (any other opens) This has to go last.
 ## These next two are likely to result in a whole lot of events
 -a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
 -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
 ## Unsuccessful file delete
 -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
 -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
 -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
 -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
 ## Successful file delete
 -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
 -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
 ## Unsuccessful permission change
 -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
 -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
 -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
 -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
 ## Successful permission change
 -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
 -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
 ## Unsuccessful ownership change
 -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
 -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
 -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
 -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
 ## Successful ownership change
 -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
 -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42.rules
 ## The purpose of these rules is to meet the requirements for Operating
 ## System Protection Profile (OSPP)v4.2. These rules depends on having
 ## the following rule files copied to /etc/audit/rules.d:
 ##
 ## 10-base-config.rules, 11-loginuid.rules,
 ## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
 ## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
 ## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
 ## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
 ## 30-ospp-v42-5-perm-change-failed.rules,
 ## 30-ospp-v42-5-perm-change-success.rules,
 ## 30-ospp-v42-6-owner-change-failed.rules,
 ## 30-ospp-v42-6-owner-change-success.rules
 ##
 ## original copies may be found in /usr/share/audit-rules
 ## User add delete modify. This is covered by pam. However, someone could
 ## open a file and directly create or modify a user, so we'll watch passwd and
 ## shadow for writes
 -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
 -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
 -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
 -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
 -a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
 -a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
 -a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
 -a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
 ## User enable and disable. This is entirely handled by pam.
 ## Group add delete modify. This is covered by pam. However, someone could
 ## open a file and directly create or modify a user, so we'll watch group and
 ## gshadow for writes
 -a always,exit -F arch=b32 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
 -a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
 -a always,exit -F arch=b32 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
 -a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
 -a always,exit -F arch=b32 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
 -a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
 -a always,exit -F arch=b32 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
 -a always,exit -F arch=b64 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
 ## Use of special rights for config changes. This would be use of setuid
 ## programs that relate to user accts. This is not all setuid apps because
 ## requirements are only for ones that affect system configuration.
 -a always,exit -F arch=b32 -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b32 -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b32 -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b32 -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b32 -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b32 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b32 -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b32 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b32 -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b32 -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b32 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b32 -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b32 -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b32 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
 ## Privilege escalation via su or sudo. This is entirely handled by pam.
 ## Special case for systemd-run. It is not audit aware, specifically watch it
 -a always,exit -F arch=b32 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
 -a always,exit -F arch=b64 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
 ## Special case for pkexec. It is not audit aware, specifically watch it
 -a always,exit -F arch=b32 -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
 -a always,exit -F arch=b64 -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
 ## Watch for configuration changes to privilege escalation.
 -a always,exit -F arch=b32 -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
 -a always,exit -F arch=b64 -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
 -a always,exit -F arch=b32 -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
 -a always,exit -F arch=b64 -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
 ## Audit log access
 -a always,exit -F arch=b32 -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
 -a always,exit -F arch=b64 -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
 ## Attempts to Alter Process and Session Initiation Information
 -a always,exit -F arch=b32 -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
 -a always,exit -F arch=b64 -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
 -a always,exit -F arch=b32 -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
 -a always,exit -F arch=b64 -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
 -a always,exit -F arch=b32 -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
 -a always,exit -F arch=b64 -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
 ## Attempts to modify MAC controls
 -a always,exit -F arch=b32 -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
 -a always,exit -F arch=b64 -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
 ## Software updates. This is entirely handled by rpm.
 ## System start and shutdown. This is entirely handled by systemd
 ## Kernel Module loading. This is handled in 43-module-load.rules
 ## Application invocation. The requirements list an optional requirement
 ## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
 ## state results from that policy. This would be handled entirely by
 ## that daemon.
 EOF
 ############################################################### /etc/audit/rules.d/99-finalize.rules
 cat << EOF >| /etc/audit/rules.d/99-finalize.rules
 -e 2
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9997_debsums.chroot
+++ b/config/hooks/live/9997_debsums.chroot
@@ -0,0 +1,36 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root
 apt-get install --no-install-recommends debsums -y
 cp -a /etc/default/debsums /root/.ciss/dlb/backup/debsums.bak
 chmod 0644 /root/.ciss/dlb/backup/debsums.bak
 sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums
 if debsums -g; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'debsums -g' successful. \e[0m\n"
 else
  # Omit false negative error output to stdout and stderr, as no problematic errors occur on startup.
  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'debsums -g' NOT successful. \e[0m\n"  > /dev/null 2>&1
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9998_sources_list.chroot
+++ b/config/hooks/live/9998_sources_list.chroot
@@ -0,0 +1,59 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root
 if [[ -f /etc/apt/sources.list ]]; then
  mv /etc/apt/sources.list /root/.ciss/dlb/backup/sources.list.bak
 fi
 cat << 'EOF' >| /etc/apt/sources.list
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
 # SPDX-PackageName: CISS.2025.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 #-----------------------------------------------------------------------------------------#
 #                                  OFFICIAL DEBIAN REPOS
 #-----------------------------------------------------------------------------------------#
 ### Debian Main Repos Bookworm
 deb https://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
 deb-src https://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
 deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
 deb-src http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
 deb https://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
 deb-src https://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
 deb https://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
 deb-src https://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9999_interfaces_update.chroot
+++ b/config/hooks/live/9999_interfaces_update.chroot
@@ -0,0 +1,65 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 mv /etc/network/interfaces /root/.ciss/dlb/backup/interfaces.chroot
 rm -f /etc/network/interfaces
 cat << 'EOF' >| /etc/network/interfaces
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # This file describes the network interfaces available on your system
 # and how to activate them. For more information, see interfaces(5).
 ### The loopback network interface
 auto lo
 iface lo inet loopback
 ### Fully dynamic interface
 auto dynamic
 iface dynamic inet dhcp
    pre-up \
      IFACE=$(ip -o link show \
        | awk -F': ' '{print $2}' \
        | grep -m1 -v lo) && \
      echo "Using interface $IFACE as dynamic" && \
      ip link set dev "$IFACE" up && \
      ip link set dev "$IFACE" name dynamic
    post-down \
      ip link set dev dynamic name "$IFACE" && \
      echo "Restored interface name $IFACE"
 source /etc/network/interfaces.d/*
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 chmod 0644 /etc/network/interfaces
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.binary/boot/grub/config.cfg
+++ b/config/includes.binary/boot/grub/config.cfg
@@ -0,0 +1,43 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set timeout=16
 set default=0
 if [ x$feature_default_font_path = xy ] ; then
    font=unicode
 else
    font=$prefix/unicode.pf2
 fi
 # Copied from the netinst image
 if loadfont $font ; then
    set gfxmode=800x600
    set gfxpayload=keep
    insmod efi_gop
    insmod efi_uga
    insmod video_bochs
    insmod video_cirrus
 else
    set gfxmode=auto
    insmod all_video
 fi
 insmod gfxterm
 insmod png
 source /boot/grub/theme.cfg
 terminal_output gfxterm
 insmod play
 play 960 440 1 0 4 440 1
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/etc/banner
+++ b/config/includes.chroot/etc/banner
@@ -0,0 +1,12 @@
 #######################################################################
                 #                                              #
                 ##                                             ##
 ###### ######## ###  ## ######## ###  ## #######  ### #######  ###  ##
 ###              #### ##    ###   ###  ##       ## ###       ## #### ##
 ###      ####### #######    ###   ###  ##  ######  ###  ##   ## #######
 ###      ###     ### ###    ###   ###  ##  ##  ##  ###  ##   ## ### ###
 ######  ####### ###  ##    ###    #####   ##   ## ###   #####  ###  ##
                       #                                              #
 #######################################################################
--- a/config/includes.chroot/etc/issue
+++ b/config/includes.chroot/etc/issue
@@ -0,0 +1,11 @@
 ********************************************************************
 *                                                                  *
 * This system is for the use of authorized users only.  Usage of   *
 * this system may be monitored and recorded by system personnel.   *
 *                                                                  *
 * Anyone using this system expressly consents to such monitoring   *
 * and is advised that if such monitoring reveals possible          *
 * evidence of criminal activity, system personnel may provide the  *
 * evidence from such monitoring to law enforcement officials.      *
 *                                                                  *
 ********************************************************************
--- a/config/includes.chroot/etc/issue.net
+++ b/config/includes.chroot/etc/issue.net
@@ -0,0 +1,11 @@
 ********************************************************************
 *                                                                  *
 * This system is for the use of authorized users only.  Usage of   *
 * this system may be monitored and recorded by system personnel.   *
 *                                                                  *
 * Anyone using this system expressly consents to such monitoring   *
 * and is advised that if such monitoring reveals possible          *
 * evidence of criminal activity, system personnel may provide the  *
 * evidence from such monitoring to law enforcement officials.      *
 *                                                                  *
 ********************************************************************
--- a/config/includes.chroot/etc/live/config.conf
+++ b/config/includes.chroot/etc/live/config.conf
@@ -0,0 +1,13 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 LIVE_CONFIGS="username"
 USERNAME=root
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/etc/modprobe.d/30-cendev-hardening.conf
+++ b/config/includes.chroot/etc/modprobe.d/30-cendev-hardening.conf
@@ -0,0 +1,114 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # The kernel allows unprivileged users to indirectly cause certain modules to be loaded
 # via module auto-loading. This allows an attacker to auto-load a vulnerable module which
 # is then exploited. One such example is CVE-2017-6074, in which an attacker could trigger
 # the DCCP kernel module to be loaded by initiating a DCCP connection and then exploit a
 # vulnerability in said kernel module.
 # Specific kernel modules can be blacklisted by inserting files into /etc/modprobe.d with
 # instructions on which kernel modules to blacklist.
 ##### Disable Uncommon Network Protocols #####
 install dccp /bin/true
 install sctp /bin/true
 install rds /bin/true
 install tipc /bin/true
 install n-hdlc /bin/true
 install ax25 /bin/true
 install netrom /bin/true
 install x25 /bin/true
 install rose /bin/true
 install decnet /bin/true
 install econet /bin/true
 install af_802154 /bin/true
 install ipx /bin/true
 install appletalk /bin/true
 install psnap /bin/true
 install p8023 /bin/true
 install p8022 /bin/true
 install can /bin/true
 install atm /bin/true
 #	DCCP      Datagram Congestion Control Protocol
 #	SCTP      Stream Control Transmission Protocol
 #	RDS       Reliable Datagram Sockets
 #	TIPC      Transparent Inter-process Communication
 #	HDLC      High-Level Data Link Control
 #	AX25      Amateur X.25
 #	NetRom
 #	X25
 #	ROSE
 #	DECnet
 #	Econet
 #	af_802154 IEEE 802.15.4
 #	IPX       Internetwork Packet Exchange
 #	AppleTalk
 #	PSNAP     Subnetwork Access Protocol
 #	p8023     Novell raw IEEE 802.3
 #	p8022     IEEE 802.2
 #	CAN       Controller Area Network
 #	ATM
 ##### Disable Uncommon Filesystems #####
 install cramfs /bin/true
 install freevxfs /bin/true
 install jffs2 /bin/true
 install hfs /bin/true
 install hfsplus /bin/true
 install udf /bin/true
 blacklist cramfs
 blacklist freevxfs
 blacklist jffs2
 blacklist hfs
 blacklist hfsplus
 blacklist udf
 ##### Disable Uncommon Network Filesystems #####
 install cifs /bin/true
 install nfs /bin/true
 install nfsv3 /bin/true
 install nfsv4 /bin/true
 install ksmbd /bin/true
 install gfs2 /bin/true
 blacklist cifs
 blacklist nfs
 blacklist nfsv3
 blacklist nfsv4
 blacklist ksmbd
 blacklist gfs2
 # The vivid driver is only useful for testing purposes and has been the cause of privilege escalation vulnerabilities, so it should be disabled.
 install vivid /bin/true
 ##### Disable access to USB #####
 install usb_storage /bin/true
 blacklist usb-storage
 ##### Disable access to IEEE1394 #####
 install firewire-core /bin/true
 ##### Blacklist automatic loading of miscellaneous modules #####
 ##### https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco #####
 # evbug is a debug tool that should be loaded explicitly
 blacklist evbug
 # these drivers are very simple
 blacklist usbmouse
 blacklist usbkbd
 # causes no end of confusion by creating unexpected network interfaces
 blacklist eth1394
 # ugly and loud noise, getting on everyone's nerves
 blacklist pcspkr
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/etc/network/interfaces
+++ b/config/includes.chroot/etc/network/interfaces
@@ -0,0 +1,36 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # This file describes the network interfaces available on your system
 # and how to activate them. For more information, see interfaces(5).
 ### The loopback network interface
 auto lo
 iface lo inet loopback
 ### Fully dynamic interface
 auto dynamic
 iface dynamic inet dhcp
    pre-up \
      IFACE=$(ip -o link show \
        | awk -F': ' '{print $2}' \
        | grep -m1 -v lo) && \
      echo "Using interface $IFACE as dynamic" && \
      ip link set dev "$IFACE" up && \
      ip link set dev "$IFACE" name dynamic
    post-down \
      ip link set dev dynamic name "$IFACE" && \
      echo "Restored interface name $IFACE"
 source /etc/network/interfaces.d/*
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -0,0 +1,134 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Version Master V8.02.512.2025.05.30
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
 Include                      /etc/ssh/sshd_config.d/*.conf
 Protocol                     2
 Banner                       /etc/banner
 DebianBanner                 no
 VersionAddendum              none
 Compression                  no
 LogLevel                     VERBOSE
 AddressFamily                any
 ListenAddress                0.0.0.0
 ListenAddress                ::
 Port MUST_BE_CHANGED
 AllowUsers                   root
 UseDNS                       no
 ### Force a key exchange after transferring 1 GiB of data or 1 hour of session time,
 ### whichever occurs first.
 RekeyLimit                   1G 1h
 HostKey                      /etc/ssh/ssh_host_ed25519_key
 HostKey                      /etc/ssh/ssh_host_rsa_key
 PubkeyAuthentication         yes
 PermitRootLogin              prohibit-password
 PasswordAuthentication       no
 PermitEmptyPasswords         no
 StrictModes                  yes
 LoginGraceTime               2m
 MaxAuthTries                 3
 MaxSessions                  2
 ### Begin randomly dropping new unauthenticated connections after the 8th attempt,
 ### with a 64% chance to drop each additional connection, up to a hard limit of 16.
 MaxStartups                  08:64:16
 ### Restrict each individual source IP to only 4 unauthenticated connection slot
 ### in the concurrent MaxStartups pool, preventing one IP from monopolizing slots.
 PerSourceMaxStartups         4
 ClientAliveInterval          300
 ClientAliveCountMax          2
 AuthorizedKeysFile           %h/.ssh/authorized_keys
 AllowAgentForwarding         no
 AllowTcpForwarding           no
 X11Forwarding                no
 GatewayPorts                 no
 ### A+ Rating 100/100
 RequiredRSASize              4096
 Ciphers                      aes256-gcm@openssh.com
 KexAlgorithms                sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512,gss-curve25519-sha256-
 HostKeyAlgorithms            sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
 MACs                         hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
 CASignatureAlgorithms        rsa-sha2-512,rsa-sha2-256,ssh-ed25519,sk-ssh-ed25519@openssh.com
 GSSAPIKexAlgorithms          gss-curve25519-sha256-,gss-group16-sha512-
 HostbasedAcceptedAlgorithms  sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
 PubkeyAcceptedAlgorithms     sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
 ### Change to yes to enable challenge-response passwords (beware issues with some PAM modules and threads)
 KbdInteractiveAuthentication no
 ### Set this to 'yes' to enable PAM authentication, account processing,
 ### and session processing. If this is enabled, PAM authentication will
 ### be allowed through the ChallengeResponseAuthentication and
 ### PasswordAuthentication.  Depending on your PAM configuration,
 ### PAM authentication via ChallengeResponseAuthentication may bypass
 ### the setting of "PermitRootLogin without-password".
 ### If you just want the PAM account and session checks to run without
 ### PAM authentication, then enable this but set PasswordAuthentication
 ### and ChallengeResponseAuthentication to 'no'.
 UsePAM                       yes
 ### Allow client to pass locale environment variables
 AcceptEnv                    LANG LC_*
 ### override default of no subsystems
 Subsystem                    sftp /usr/lib/openssh/sftp-server
 PidFile                      /var/run/sshd.pid
 PrintMotd                    no
 PrintLastLog                 yes
 TCPKeepAlive                 no
 ### For this to work you will also need host keys in /etc/ssh/ssh_known_hosts!
 ### Change to yes if you don't trust ~/.ssh/known_hosts for HostbasedAuthentication!
 HostbasedAuthentication      no
 ### Don't read the user's ~/.rhosts and ~/.shosts files
 # IgnoreRhosts               yes
 # UsePrivilegeSeparation     yes
 ### Kerberos options
 # KerberosAuthentication     no
 # KerberosOrLocalPasswd      yes
 # KerberosTicketCleanup      yes
 # KerberosGetAFSToken        no
 ### GSSAPI options
 # GSSAPIAuthentication       no
 # GSSAPICleanupCredentials   yes
 # GSSAPIStrictAcceptorCheck  yes
 # GSSAPIKeyExchange          no
 # AuthorizedPrincipalsFile   none
 # AuthorizedKeysCommand      none
 # AuthorizedKeysCommandUser  nobody
 # PermitTunnel               no
 # ChrootDirectory            none
 # X11DisplayOffset           10
 # X11UseLocalhost            yes
 # PermitTTY                  yes
 # PermitUserEnvironment      no
 # IgnoreUserKnownHosts       no
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -0,0 +1,328 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Version Master V8.02.512.2025.05.30
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
 ### https://kspp.github.io/
 ### https://linux-audit.com/tags/kernel/
 ###########################################################################################
 # Warning
 # Be careful not to lock yourself out of your system after a reboot due to incorrect
 # settings. For example, 'kernel.modules_disabled=1' will generally prevent the network
 # stack from being brought up after a reboot, which means NO SSH.
 ###########################################################################################
 ##### Linux Kernel #####
 ### Disable loading new modules. Be careful with using this option!
 kernel.modules_disabled=1
 ### Restricting access to kernel pointers.
 kernel.kptr_restrict=2
 ### Restricting access to kernel logs.
 kernel.dmesg_restrict=1
 ###########################################################################################
 # Despite the value of dmesg_restrict, the kernel log will still be displayed in the
 # console during boot.
 # This option prevents those information leaks.
 ###########################################################################################
 kernel.printk=3 3 3 3
 ### Restricting eBPF to the CAP_BPF capability
 kernel.unprivileged_bpf_disabled=1
 net.core.bpf_jit_harden=2
 ### Restricting loading TTY line disciplines to the CAP_SYS_MODULE capability
 dev.tty.ldisc_autoload=0
 ###########################################################################################
 # The userfaultfd() syscall is often abused to exploit use-after-free flaws.
 # This sysctl is used to restrict this syscall to the CAP_SYS_PTRACE capability.
 ###########################################################################################
 vm.unprivileged_userfaultfd=0
 ###########################################################################################
 # kexec is a system call that is used to boot another kernel during runtime.
 # This functionality can be abused to load a malicious kernel and gain arbitrary code
 # execution in kernel mode, so this sysctl disables it.
 ###########################################################################################
 kernel.kexec_load_disabled=1
 ###########################################################################################
 # Prevents unprivileged users from creating their own user namespaces, potentially
 # enabling exploits. This is a good additional safeguard.
 ###########################################################################################
 kernel.unprivileged_userns_clone=0
 ###########################################################################################
 # The SysRq key exposes a lot of potentially dangerous debugging functionality to
 # unprivileged users. You can set the value to 0 to disable SysRq completely.
 ###########################################################################################
 kernel.sysrq=0
 ### Randomize memory space.
 kernel.randomize_va_space=2
 ###########################################################################################
 # These prevent creating files in potentially attacker-controlled environments, such as
 # world-writable directories.
 ###########################################################################################
 fs.protected_fifos=2
 fs.protected_regular=2
 ###########################################################################################
 # This only permits symlinks to be followed when outside a world-writable sticky directory,
 # when the owner of the symlink and follower match or when the directory owner matches the
 # symlink's owner.
 ###########################################################################################
 fs.protected_symlinks=1
 fs.protected_hardlinks=1
 ###########################################################################################
 # ptrace is a system call that allows a program to alter and inspect another running
 # process, which allows attackers to trivially modify the memory of other running programs.
 # 0 - classic ptrace permissions:
 # a process can PTRACE_ATTACH to any other process running under the same uid,
 # as long as it is dumpable (i.e., did not transition uids,
 # start privileged, or have called prctl(PR_SET_DUMPABLE...) already).
 # Similarly, PTRACE_TRACEME is unchanged.
 #
 # 1 - restricted ptrace:
 # a process must have a predefined relationship with the inferior it wants to call
 # PTRACE_ATTACH on. By default, this relationship is that of only its descendants when the
 # above classic criteria is also met. To change the relationship, an inferior can call
 # prctl(PR_SET_PTRACER, debugger, ...) to declare an allowed debugger PID to call
 # PTRACE_ATTACH on the inferior. Using PTRACE_TRACEME is unchanged.
 #
 # 2 - admin-only attach:
 # only processes with CAP_SYS_PTRACE may use ptrace, either with PTRACE_ATTACH or through
 # children calling PTRACE_TRACEME.
 #
 # 3 - no attach:
 # no processes may use ptrace with PTRACE_ATTACH nor via PTRACE_TRACEME. Once set, this
 # sysctl value cannot be changed.
 ###########################################################################################
 kernel.yama.ptrace_scope=2
 ### Use filename based on core_pattern value
 kernel.core_uses_pid=1
 ###########################################################################################
 # Performance events add considerable kernel attack surface and have caused abundant
 # vulnerabilities. Be careful ! Performance might be affected ! Here turned off by default.
 ###########################################################################################
 #kernel.perf_event_paranoid=2
 ###########################################################################################
 # ASLR is a common exploit mitigation that randomizes the position of critical parts of a
 # process in memory. This can make a wide variety of exploits harder to pull off, as they
 # first require an information leak. The above settings increase the bits of entropy used
 # for mmap ASLR, improving its effectiveness. The values of these sysctls must be set in
 # relation to the CPU architecture. The above values are compatible with x86, but other
 # architectures may differ.
 ###########################################################################################
 vm.mmap_rnd_bits=32
 vm.mmap_rnd_compat_bits=16
 ###########################################################################################
 # In addition to ASLR hardening, one could adjust the behavior for memory overbooking.
 # Determines how the kernel provides the available memory for processes:
 # - 0 (default): kernel decides heuristically whether memory allocations are allowed.
 # - 1: Memory is always allocated, even if it is not physically available; can lead to
 #      out-of-memory errors.
 # - 2: The kernel only allows memory allocations up to the available physical memory + swap
 #      (safe mode).
 #vm.overcommit_memory=2
 #   Specifies how much of the available physical memory (plus swap) can be made available
 #   for memory allocations when vm.overcommit_memory=2 is active.
 # The value is a percentage.
 # 50: Up to 50% of the physical memory can be reserved for memory-intensive applications.
 ###########################################################################################
 #vm.overcommit_ratio=50
 ###########################################################################################
 # Reduces the likelihood of important data remaining unsecured in RAM for too long.
 # Specifies the percentage of the total memory that can be filled with changed (dirty) data
 # before it is written to the permanent memory (e.g., the hard disk).
 # 15: If 15% of the RAM is occupied by dirty pages, a background flush process is triggered
 # to write this data.
 #vm.dirty_ratio=15
 # Specifies the percentage of total memory at which the kernel starts writing dirty pages
 # in the background before the dirty_ratio threshold is reached.
 # 5: The kernel starts writing data in the background when 5% of RAM is occupied with
 # dirty pages.
 ###########################################################################################
 #vm.dirty_background_ratio=5
 ###########################################################################################
 # Similar to core dumps, swapping or paging copies parts of memory to disk, which can
 # contain sensitive information. The kernel should be configured to only swap if absolutely
 # necessary.
 ###########################################################################################
 #vm.swappiness=1
  ### This setting minimizes swapping, which is useful for servers.
  ### However, one could also consider vm.swappiness=0 if enough RAM is available.
  # vm.swappiness=0
 ###########################################################################################
 # Process that runs with elevated privileges may still dump their memory even after these
 # settings.
 ###########################################################################################
 fs.suid_dumpable=0
 kernel.core_pattern= | /bin/false
 ### Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
 #user.max_user_namespaces=0
 ###########################################################################################
 # Reboot after even 1 WARN or BUG/Oops. Adjust for your tolerances. (Since v6.2)
 # If you want to set oops_limit greater than one, you will need to disable
 # CONFIG_PANIC_ON_OOPS.
 ###########################################################################################
 kernel.warn_limit=1
 kernel.oops_limit=1
 ###########################################################################################
 # Disable TIOCSTI, which is used to inject keypresses.
 # (This will, however, break screen readers.)
 ###########################################################################################
 dev.tty.legacy_tiocsti=0
 ###########################################################################################
 # IO_uring has yielded some security concerns and vulnerabilities,
 # particularly for those sticking to older versions of the Linux kernel.
 # There have also been IO_uring integration issues with the Linux security subsystem.
 ###########################################################################################
 #kernel.io_uring_disabled=2
 ##### Network Stack #####
 ### Disable IP source routing, we are not a router:
 net.ipv4.conf.all.accept_source_route=0
 net.ipv4.conf.default.accept_source_route=0
 net.ipv6.conf.all.accept_source_route=0
 net.ipv6.conf.default.accept_source_route=0
 ###########################################################################################
 # This setting makes your system ignore all ICMP requests to avoid Smurf attacks, make
 # the device more difficult to enumerate on the network and prevent clock fingerprinting
 # through ICMP timestamps.
 ###########################################################################################
 net.ipv4.icmp_echo_ignore_all=1
 ### Enable ignoring broadcast request.
 net.ipv4.icmp_echo_ignore_broadcasts=1
 ### This helps protect against SYN flood attacks
 net.ipv4.tcp_syncookies=1
 ###########################################################################################
 # This protects against time-wait assassination by dropping RST packets for sockets in
 # the time-wait state.
 ###########################################################################################
 net.ipv4.tcp_rfc1337=1
 ###########################################################################################
 # These enable source validation of packets received from all interfaces of the machine.
 # This protects against IP spoofing, in which an attacker sends a packet with a fraudulent
 # IP address.
 ###########################################################################################
 net.ipv4.conf.all.rp_filter=1
 net.ipv4.conf.default.rp_filter=1
 ###########################################################################################
 # This disables ICMP redirect acceptance and sending to prevent man-in-the-middle attacks
 # and minimize information disclosure.
 ###########################################################################################
 net.ipv4.conf.all.accept_redirects=0
 net.ipv4.conf.default.accept_redirects=0
 net.ipv4.conf.all.secure_redirects=0
 net.ipv4.conf.default.secure_redirects=0
 net.ipv6.conf.all.accept_redirects=0
 net.ipv6.conf.default.accept_redirects=0
 net.ipv4.conf.all.send_redirects=0
 net.ipv4.conf.default.send_redirects=0
 ###########################################################################################
 # A martian packet is a packet with a source address, which is obviously wrong -
 # nothing could possibly be routed back to that address.
 ###########################################################################################
 net.ipv4.conf.all.log_martians=1
 net.ipv4.conf.default.log_martians=1
 ###########################################################################################
 # Deactivates IP forwarding. This means that the system discards packets that are not
 # intended for its own IP addresses. It therefore does not act as a router and does not
 # forward data packets between network interfaces.
 ###########################################################################################
 net.ipv4.conf.all.forwarding=0
 ###########################################################################################
 # Disabling RA prevents the system from receiving routing information from potentially
 # insecure or compromised routers. This is particularly important for servers that use
 # static network configurations and should not dynamically accept new IPv6 routes or
 # prefixes. An attacker could otherwise use forged RA messages to change the network route
 # and redirect traffic, for example.
 ###########################################################################################
 net.ipv6.conf.all.accept_ra=0
 net.ipv6.conf.default.accept_ra=0
 ###########################################################################################
 # These parameters relate to secure ICMP redirects. ICMP redirects are messages that a
 # router sends to a device to inform it that there is a better route for the data traffic.
 # This setting prevents the system from responding to redirects that have been spoofed by
 # potential attackers to redirect traffic (e.g., for man-in-the-middle attacks).
 ###########################################################################################
 net.ipv4.conf.all.secure_redirects=1
 net.ipv4.conf.default.secure_redirects=1
 ###########################################################################################
 # This setting prevents the disclosure of TCP timestamps that can be used for system
 # fingerprinting:
 ###########################################################################################
 net.ipv4.tcp_timestamps=0
 ###########################################################################################
 # To make ARP spoofing attacks more difficult. Defines how the system responds to ARP
 # requests.
 # - 0 (default): Responds to every request, including IPs configured on other interfaces.
 # - 1: Only responds to requests that are specifically intended for the IP of the
 #      respective interface. Increases security by preventing ARP spoofing attacks, as the
 #      system does not send unnecessary ARP responses.
 ###########################################################################################
 net.ipv4.conf.all.arp_ignore=1
 net.ipv4.conf.default.arp_ignore=1
 ###########################################################################################
 # To minimize attacks on half-open connections.
 # Specifies the maximum number of connection requests (SYN packets)
 # that can be held in the connection establishment state (SYN_RECV) in the queue.
 # 4096: A generous queue to better intercept SYN flood attacks.
 # Useful for systems with high network traffic, or if protection against DoS attacks
 # needs to be improved:
 ###########################################################################################
 net.ipv4.tcp_max_syn_backlog=4096
 ###########################################################################################
 # Specifies the maximum number of SYN/ACK retries before the connection is aborted:
 # 2: The kernel will only send a SYN/ACK twice before dropping the connection.
 # Reduces the time and effort wasted on inactive connection requests.
 # This improves performance and protects against SYN flood attacks, but could cause
 # problems on poor networks.
 ###########################################################################################
 net.ipv4.tcp_synack_retries=2
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/etc/systemd/system/getty@tty1.service.d/override.conf
+++ b/config/includes.chroot/etc/systemd/system/getty@tty1.service.d/override.conf
@@ -0,0 +1,14 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 [Service]
 ExecStart=
 ExecStart=-/sbin/agetty --autologin root --noclear %I $TERM
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/preseed/.ash/0_di_preseed_include_command.sh
+++ b/config/includes.chroot/preseed/.ash/0_di_preseed_include_command.sh
@@ -0,0 +1,31 @@
 #!/bin/sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # No bash in the installer environment, only BusyBox.
 set -o errexit
 set -o nounset
 set -o noclobber
 export PATH="${PATH}:/sbin:/usr/sbin:/.ciss/install:/.ciss/install/.ash"
 echo '152.53.35.74 coresecret.eu' >> /etc/hosts
 touch /tmp/late-command-script
 chmod 0700 /tmp/late-command-script
 .  /.ciss/install/.ash/di_scripting_flexibility.sh
 sh /.ciss/install/.ash/di_scripting_password.sh
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/preseed/.ash/1_di_preseed_early_command.sh
+++ b/config/includes.chroot/preseed/.ash/1_di_preseed_early_command.sh
@@ -0,0 +1,24 @@
 #!/bin/sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # No bash in the installer environment, only BusyBox.
 set -o errexit
 set -o nounset
 set -o noclobber
 export PATH="${PATH}:/sbin:/usr/sbin:/.ciss/install:/.ciss/install/.ash"
 . /.ciss/install/.ash/di_scripting_flexibility.sh
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/preseed/.ash/2_di_partman_early_command.sh
+++ b/config/includes.chroot/preseed/.ash/2_di_partman_early_command.sh
@@ -0,0 +1,415 @@
 #!/bin/sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # No bash in the installer environment, only BusyBox.
 set -o errexit
 set -o nounset
 set -o noclobber
 export PATH="${PATH}:/sbin:/usr/sbin:/.ciss/install:/.ciss/install/.ash"
 . /.ciss/install/.ash/di_scripting_flexibility.sh
 readonly DISK_NAME="sda"
 readonly DISK_PATH="/dev/${DISK_NAME}"
 readonly SLEEPTIMER="2"
 do_sleep() {
  sleep "${SLEEPTIMER}"
 }
 modprobe btrfs || true
 modprobe ext4 || true
 blkdiscard "${DISK_PATH}"
 parted "${DISK_PATH}" --script -- mklabel gpt
 #/dev/sda1 -- ESP
 do_dev_sda1() {
  parted "${DISK_PATH}" --script -- mkpart ESP fat32 1MiB 512MiB set 1 esp on
  do_sleep
  FORMAT_LABEL="ESP"
  PARTITION="${DISK_PATH}1"
  format_partition() {
    if mkfs.fat -F32 -n "${FORMAT_LABEL}" "${PARTITION}"; then
      echo "Partition: ${PARTITION} successfully formatted with FAT32."
    else
      echo "Partition: ${PARTITION} NOT successfully formated with FAT32."
    fi
    if blkid "${PARTITION}" | grep -q 'TYPE="vfat"'; then
      echo "Partition: ${PARTITION} correctly formatted with FAT32."
    else
      echo "Partition: ${PARTITION} NOT correctly formatted with FAT32."
    fi
  }
  ATTEMPTS=0
  MAX_ATTEMPTS=3
  while ! format_partition && [ ${ATTEMPTS} -lt ${MAX_ATTEMPTS} ]; do
    echo "Repeat formatting... attempt $((ATTEMPTS + 1))"
    ATTEMPTS=$((ATTEMPTS + 1))
  done
  if [ ${ATTEMPTS} -ge ${MAX_ATTEMPTS} ]; then
    echo "Error: Partition ${PARTITION} could not be formatted correctly after ${MAX_ATTEMPTS} attempts."
  else
    echo "Partition ${PARTITION} successfully formatted and checked."
  fi
 }
 do_dev_sda1
 #/dev/sda2 -- /boot
 do_dev_sda2() {
  parted "${DISK_PATH}" --script -- mkpart primary ext4 512MiB 4096MiB
  do_sleep
  FORMAT_LABEL="boot"
  PARTITION="${DISK_PATH}2"
  format_partition() {
    if mkfs.ext4 -L "${FORMAT_LABEL}" "${PARTITION}"; then
      echo "Partition: ${PARTITION} successfully formatted with ext4."
    else
      echo "Partition: ${PARTITION} NOT successfully formated with ext4."
    fi
    if blkid "${PARTITION}" | grep -q 'TYPE="ext4"'; then
      echo "Partition: ${PARTITION} correctly formatted with ext4."
    else
      echo "Partition: ${PARTITION} NOT correctly formatted with ext4."
    fi
  }
  ATTEMPTS=0
  MAX_ATTEMPTS=3
  while ! format_partition && [ ${ATTEMPTS} -lt ${MAX_ATTEMPTS} ]; do
    echo "Repeat formatting... attempt $((ATTEMPTS + 1))"
    ATTEMPTS=$((ATTEMPTS + 1))
  done
  if [ ${ATTEMPTS} -ge ${MAX_ATTEMPTS} ]; then
    echo "Error: Partition ${PARTITION} could not be formatted correctly after ${MAX_ATTEMPTS} attempts."
  else
    echo "Partition ${PARTITION} successfully formatted and checked."
  fi
 }
 do_dev_sda2
 #/dev/sda3 -- preparing for crypt_ephemeral_swap
 parted "${DISK_PATH}" --script -- mkpart primary 4096MiB 8192MiB
 do_sleep
 #/dev/sda4 -- preparing for crypt_ephemeral_tmp
 parted "${DISK_PATH}" --script -- mkpart primary 8192MiB 12288MiB
 do_sleep
 #/dev/sda5 -- /home
 parted "${DISK_PATH}" --script -- mkpart primary 12288MiB 45056MiB
 do_sleep
 #/dev/sda6 -- /
 parted "${DISK_PATH}" --script -- mkpart primary 45056MiB 77824MiB
 do_sleep
 #/dev/sda7 -- /usr
 parted "${DISK_PATH}" --script -- mkpart primary 77824MiB 143360MiB
 do_sleep
 #/dev/sda8 -- /var
 parted "${DISK_PATH}" --script -- mkpart primary 143360MiB 208896MiB
 do_sleep
 #/dev/sda9 -- /var/log
 parted "${DISK_PATH}" --script -- mkpart primary 208896MiB 225280MiB
 do_sleep
 #/dev/sda10 -- /var/log/audit
 parted "${DISK_PATH}" --script -- mkpart primary 225280MiB 241664MiB
 do_sleep
 #/dev/sda11 -- /var/tmp
 parted "${DISK_PATH}" --script -- mkpart primary 241664MiB 258048MiB
 do_sleep
 #/dev/sda12 -- temporary installation /tmp
 do_dev_sda12() {
  parted "${DISK_PATH}" --script -- mkpart primary 258048MiB 261120MiB
  do_sleep
  FORMAT_LABEL="installation_tmp"
  PARTITION="${DISK_PATH}12"
  format_partition() {
    if mkfs.ext4 -L "${FORMAT_LABEL}" "${PARTITION}"; then
      echo "Partition: ${PARTITION} successfully formatted with ext4."
    else
      echo "Partition: ${PARTITION} NOT successfully formated with ext4."
    fi
    if blkid "${PARTITION}" | grep -q 'TYPE="ext4"'; then
      echo "Partition: ${PARTITION} correctly formatted with ext4."
    else
      echo "Partition: ${PARTITION} NOT correctly formatted with ext4."
    fi
  }
  ATTEMPTS=0
  MAX_ATTEMPTS=3
  while ! format_partition && [ ${ATTEMPTS} -lt ${MAX_ATTEMPTS} ]; do
    echo "Repeat formatting... attempt $((ATTEMPTS + 1))"
    ATTEMPTS=$((ATTEMPTS + 1))
  done
  if [ ${ATTEMPTS} -ge ${MAX_ATTEMPTS} ]; then
    echo "Error: Partition ${PARTITION} could not be formatted correctly after ${MAX_ATTEMPTS} attempts."
  else
    echo "Partition ${PARTITION} successfully formatted and checked."
  fi
 }
 do_dev_sda12
 # Encrypt and open /dev/sda5 to /dev/sda11
 i=5
 while [ "${i}" -lt 12 ]; do
  PARTITION="/dev/${DISK_NAME}${i}"
  MAPPER_NAME="crypt_${DISK_NAME}${i}"
  if cryptsetup luksFormat "${PARTITION}" --key-file=/.ciss/install/.cfg/.password.cfg --batch-mode --type luks2 --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 3000 --use-random --verbose; then
    echo  "Partition: ${PARTITION} successfully encrypted."
    do_sleep
    if cryptsetup open "${PARTITION}" "${MAPPER_NAME}" --key-file=/.ciss/install/.cfg/.password.cfg; then
      echo  "Partition: ${PARTITION} successfully opened as: ${MAPPER_NAME}."
      if mkfs.btrfs -L "${MAPPER_NAME}" /dev/mapper/"${MAPPER_NAME}"; then
        echo  "Partition: ${PARTITION} successfully formatted."
      else
        echo  "Partition: ${PARTITION} NOT successfully formatted."
      fi
    else
      echo  "Partition: ${PARTITION} NOT successfully opened as: ${MAPPER_NAME}."
    fi
  else
    echo  "Partition: ${PARTITION} NOT successfully encrypted."
  fi
  i=$((i + 1))
 done
 do_sleep
 # Generate /target directories-
 FILE_DIR="/.ciss/install/.cfg/.directories.cfg"
 # Check that the file exists.
 if [ ! -f "${FILE_DIR}" ]; then
  echo "Error: File ${FILE_DIR} cannot be read." >&2
  exit 1
 fi
 while read -r DIR; do
  sleep 1
  # Proceed only if the row is not empty.
  if [ -n "${DIR}" ]; then
    # Verify if the directory already exists.
    if [ -d "${DIR}" ]; then
      echo "Directory ${DIR} already exists."
    else
      # Try to create a directory.
      until [ -d "${DIR}" ]; do
        mkdir -p "${DIR}"
        if [ ! -d "${DIR}" ]; then
          echo "Error: Creating ${DIR} directory failed. Try again. " >&2
          sleep 1
        fi
      done
      echo "Directory ${DIR} created successfully".
    fi
  fi
 done < "${FILE_DIR}"
 do_sleep
 mount /dev/mapper/crypt_sda6 /target
 do_sleep
 mkdir /target/boot
 mount /dev/sda2 /target/boot
 do_sleep
 mkdir /target/boot/efi
 mount /dev/sda1 /target/boot/efi
 do_sleep
 mkdir /target/home
 mount /dev/mapper/crypt_sda5 /target/home
 do_sleep
 mkdir /target/usr
 mount /dev/mapper/crypt_sda7 /target/usr
 do_sleep
 mkdir /target/var
 mount /dev/mapper/crypt_sda8 /target/var
 do_sleep
 mkdir /target/var/log
 mount /dev/mapper/crypt_sda9 /target/var/log
 do_sleep
 mkdir /target/var/log/audit
 mount /dev/mapper/crypt_sda10 /target/var/log/audit
 do_sleep
 mkdir /target/var/tmp
 mount /dev/mapper/crypt_sda11 /target/var/tmp
 do_sleep
 mkdir /target/tmp
 mount /dev/sda12 /target/tmp
 do_sleep
 mkdir /target/dev
 mount --bind /dev /target/dev
 do_sleep
 if [ -d "/target/dev/pts" ]; then
  echo "Directory /target/dev/pts already exists."
 else
  mkdir /target/dev/pts
 fi
 mkdir /target/proc
 mount --bind /proc /target/proc
 do_sleep
 mkdir /target/sys
 mount --bind /sys /target/sys
 do_sleep
 mkdir /target/run
 mount --bind /run /target/run
 do_sleep
 if [ -d "/target/run/lock" ]; then
  echo "Directory /target/run/lock already exists."
 else
  mkdir /target/run/lock
 fi
 mkdir /target/etc
 mkdir /target/etc/apt
 mkdir /target/etc/network
 touch /target/etc/fstab
 chmod 0644 /target/etc/fstab
 # shellcheck disable=SC2129
 cat << EOF >> /target/etc/fstab
 # /etc/fstab: static file system information.
 #
 # Use 'blkid' to print the universally unique identifier for a
 # device; this may be used with UUID= as a more robust way to name devices
 # that works even if disks are added and removed. See fstab(5).
 #
 # systemd generates mount units based on this file, see systemd.mount(5).
 # Please run 'systemctl daemon-reload' after making changes here.
 #
 # <file system> <mount point>   <type>  <options>       <dump>  <pass>
 EOF
 echo "# / was on /dev/mapper/crypt_sda6 during installation" >> /target/etc/fstab
 echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda6) / btrfs defaults,errors=remount-ro 0 1" >> /target/etc/fstab
 echo "" >> /target/etc/fstab
 echo "# /boot was on /dev/sda2 during installation" >> /target/etc/fstab
 echo "UUID=$(blkid -s UUID -o value /dev/sda2) /boot ext4 defaults 0 2" >> /target/etc/fstab
 echo "" >> /target/etc/fstab
 echo "# /boot/efi was on /dev/sda1 during installation" >> /target/etc/fstab
 echo "UUID=$(blkid -s UUID -o value /dev/sda1) /boot/efi vfat umask=0077 0 1" >> /target/etc/fstab
 echo "" >> /target/etc/fstab
 echo "# /home was on /dev/mapper/crypt_sda5 during installation" >> /target/etc/fstab
 echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda5) /home btrfs defaults 0 2" >> /target/etc/fstab
 echo "" >> /target/etc/fstab
 echo "# /usr was on /dev/mapper/crypt_sda7 during installation" >> /target/etc/fstab
 echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda7) /usr btrfs defaults 0 2" >> /target/etc/fstab
 echo "" >> /target/etc/fstab
 echo "# /var was on /dev/mapper/crypt_sda8 during installation" >> /target/etc/fstab
 echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda8) /var btrfs defaults 0 2" >> /target/etc/fstab
 echo "" >> /target/etc/fstab
 echo "# /var/log was on /dev/mapper/crypt_sda9 during installation" >> /target/etc/fstab
 echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda9) /var/log btrfs defaults 0 2" >> /target/etc/fstab
 echo "" >> /target/etc/fstab
 echo "# /var/log/audit was on /dev/mapper/crypt_sda10 during installation" >> /target/etc/fstab
 echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda10) /var/log/audit btrfs defaults 0 2" >> /target/etc/fstab
 echo "" >> /target/etc/fstab
 echo "# /var/tmp was on /dev/mapper/crypt_sda11 during installation" >> /target/etc/fstab
 echo "UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda11) /var/tmp btrfs defaults 0 2" >> /target/etc/fstab
 echo "" >> /target/etc/fstab
 echo "# /tmp was on /dev/sda12 during installation" >> /target/etc/fstab
 echo "UUID=$(blkid -s UUID -o value /dev/sda12) /tmp ext4 defaults 0 2" >> /target/etc/fstab
 echo "" >> /target/etc/fstab
 echo "# /media/cdrom0 was on /dev/sr0 during installation" >> /target/etc/fstab
 echo "/dev/sr0        /media/cdrom0   udf,iso9660 user,noauto     0       0" >> /target/etc/fstab
 echo "" >> /target/etc/fstab
 touch /target/etc/crypttab
 chmod 0644 /target/etc/crypttab
 # shellcheck disable=SC2129
 cat << EOF >> /target/etc/crypttab
 # <name>  <device>  <password-file-or-none>  <options>
 EOF
 echo "# / was on /dev/mapper/crypt_sda6 during installation" >> /target/etc/crypttab
 echo "crypt_sda6 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda6) none luks,discard" >> /target/etc/crypttab
 echo "" >> /target/etc/crypttab
 echo "# /home was on /dev/mapper/crypt_sda5 during installation" >> /target/etc/crypttab
 echo "crypt_sda5 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda5) none luks,discard" >> /target/etc/crypttab
 echo "" >> /target/etc/crypttab
 echo "# /usr was on /dev/mapper/crypt_sda7 during installation" >> /target/etc/crypttab
 echo "crypt_sda7 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda7) none luks,discard" >> /target/etc/crypttab
 echo "" >> /target/etc/crypttab
 echo "# /var was on /dev/mapper/crypt_sda8 during installation" >> /target/etc/crypttab
 echo "crypt_sda8 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda8) none luks,discard" >> /target/etc/crypttab
 echo "" >> /target/etc/crypttab
 echo "# /var/log was on /dev/mapper/crypt_sda9 during installation" >> /target/etc/crypttab
 echo "crypt_sda9 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda9) none luks,discard" >> /target/etc/crypttab
 echo "" >> /target/etc/crypttab
 echo "# /var/log/audit was on /dev/mapper/crypt_sda10 during installation" >> /target/etc/crypttab
 echo "crypt_sda10 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda10) none luks,discard" >> /target/etc/crypttab
 echo "" >> /target/etc/crypttab
 echo "# /var/tmp was on /dev/mapper/crypt_sda11 during installation" >> /target/etc/crypttab
 echo "crypt_sda11 UUID=$(blkid -s UUID -o value /dev/mapper/crypt_sda11) none luks,discard" >> /target/etc/crypttab
 echo "" >> /target/etc/crypttab
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/preseed/.ash/3_di_preseed_late_command.sh
+++ b/config/includes.chroot/preseed/.ash/3_di_preseed_late_command.sh
@@ -0,0 +1,32 @@
 #!/bin/sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # No bash in the installer environment, only BusyBox.
 set -o errexit
 set -o nounset
 set -o noclobber
 export PATH="${PATH}:/sbin:/usr/sbin:/.ciss/install:/.ciss/install/.ash"
 . /.ciss/install/.ash/di_scripting_flexibility.sh
 mkdir -m 0700 /target/root/.d-i-backup
 if [ -f /tmp/late-command-script ]; then
  sh /tmp/late-command-script
 fi
 sh /.ciss/install/.ash/di_scripting_ssh.sh
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/preseed/.ash/di_scripting_flexibility.sh
+++ b/config/includes.chroot/preseed/.ash/di_scripting_flexibility.sh
@@ -0,0 +1,35 @@
 #!/bin/sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # No bash in the installer environment, only BusyBox.
 set -o errexit
 set -o nounset
 set -o noclobber
 readonly     RED="\033[91m"
                             export RED
 readonly   GREEN="\033[92m"
                             export GREEN
 readonly  YELLOW="\033[93m"
                             export YELLOW
 readonly    BLUE="\033[94m"
                             export BLUE
 readonly MAGENTA="\033[95m"
                             export MAGENTA
 readonly    CYAN="\033[96m"
                             export CYAN
 readonly   WHITE="\033[97m"
                             export WHITE
 readonly  NORMAL="\033[0m"
                             export NORMAL
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/preseed/.ash/di_scripting_password.sh
+++ b/config/includes.chroot/preseed/.ash/di_scripting_password.sh
@@ -0,0 +1,93 @@
 #!/bin/sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # No bash in the installer environment, only BusyBox.
 set -o errexit
 set -o nounset
 set -o noclobber
 # Create a passphrase by pulling only characters in the range '!' to '~' (ASCII 0x21 to 0x7e) from /dev/random.
 umask 0077
 TMP_PASSPHRASE_FILE=$(mktemp)
 readonly TMP_PASSPHRASE_FILE
 grep -o '[!-~]' /dev/urandom | tr -d '\n' | head -c64 >> "${TMP_PASSPHRASE_FILE}"
 # Create an include file for debian-installer with the passphrase as answers to the questions.
 DEB_INSTALLER_CRYPT_INC_FILE=$(mktemp)
 readonly DEB_INSTALLER_CRYPT_INC_FILE
 # Read the first line (the passphrase) – POSIX-compliant
 # IFS= prevents leading/trailing spaces from being truncated,
 # -r ensures that backslashes are not interpreted.
 IFS= read -r passphrase < "${TMP_PASSPHRASE_FILE}"
 # A single printf call with exactly one redirect
 # – ShellCheck-compliant and valid in POSIX-sh
 printf 'd-i partman-crypto/passphrase string %s\n' "${passphrase}" >> "$DEB_INSTALLER_CRYPT_INC_FILE"
 printf 'd-i partman-crypto/passphrase-again string %s\n' "${passphrase}" >> "$DEB_INSTALLER_CRYPT_INC_FILE"
 # Echo the file to be included, so debian-installer will do that - assuming this command is being run via 'preseed/include_command'.
 # Without file:// will try and fetch from the webserver this preseed was served from.
 echo "file://${DEB_INSTALLER_CRYPT_INC_FILE}"
 # Add extra commands to the file that should be run using 'preseed/late_command' to ensure the passphrase is included in the new installation.
 readonly IN_TARGET_KEY_FILE=/etc/keys/luks-lvm.key
 cat - >> /tmp/late-command-script << LATE_EOF
 ##### BEGIN ADDED BY preseed-crypto-key preseed/include_command
 umask 0077
 mkdir -p /target$(dirname "${IN_TARGET_KEY_FILE}")
 cp "${TMP_PASSPHRASE_FILE}" /target"${IN_TARGET_KEY_FILE}"
 # Use /root as /tmp might be noexec
 cat - >/target/root/configure-crypt-unlock <<EOF
 #!/usr/bin/bash
 # Standard bash safety features
 set -eufo pipefail
 if grep -q UMASK /etc/initramfs-tools/initramfs.conf
 then
  sed -i 's-^#\?UMASK.*\\\$-UMASK=0077-' /etc/initramfs-tools/initramfs.conf
 else
  echo -e "# Secure initramfs while it contains unlock keys for root filesystem\nUMASK=0077" >>/etc/initramfs-tools/initramfs.conf
 fi
 # Include keyfile in initramfs
 sed -i 's-^#\?KEYFILE_PATTERN=.*\\\$-KEYFILE_PATTERN=$(dirname ${IN_TARGET_KEY_FILE})/*.key-' /etc/cryptsetup-initramfs/conf-hook
 # Configure crypt to use keyfile to unlock encrypted partition(s)
 sed -i 's#\(UUID=[^ ]\+\) none#\1 ${IN_TARGET_KEY_FILE}#' /etc/crypttab
 # Update initramfs with key file
 update-initramfs -u
 exit 0
 EOF
 sleep 1
 chmod 500 /target/root/configure-crypt-unlock
 in-target /root/configure-crypt-unlock
 rm /target/root/configure-crypt-unlock
 exit 0
 ##### END ADDED BY preseed-crypto-key preseed/include_command
 LATE_EOF
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/preseed/.ash/di_scripting_ssh.sh
+++ b/config/includes.chroot/preseed/.ash/di_scripting_ssh.sh
@@ -0,0 +1,50 @@
 #!/bin/sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # No bash in the installer environment, only BusyBox.
 set -o errexit
 set -o nounset
 set -o noclobber
 if [ ! -d /target/root/.ssh ]; then
  mkdir -m 0700 /target/root/.ssh
 fi
 if [ -f /target/etc/ssh/ssh_host_ed25519_key ]; then
  rm -f /target/etc/ssh/ssh_host_ed25519_key
 fi
 if [ -f /target/etc/ssh/ssh_host_rsa_key ]; then
  rm -f /target/etc/ssh/ssh_host_rsa_key
 fi
 in-target ssh-keygen -o -a 1024 -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root d-i $(date -I)"
 in-target ssh-keygen -o -a 1024 -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root d-i $(date -I)"
 cp -a /target/etc/ssh/sshd_config /target/root/.d-i-backup/sshd_config.bak
 rm -f /target/etc/ssh/sshd_config
 cp /cdrom/install/.lib/sshd_config.lib /target/etc/ssh/sshd_config
 chmod 0600 /target/etc/ssh/sshd_config
 sed -i "s/Port					22/Port					37768/" /target/etc/ssh/sshd_config
 sed -i "s/AllowUsers				DUMMYSTRING/AllowUsers				root/" /target/etc/ssh/sshd_config
 cp /cdrom/install/.lib/banner.lib /target/etc/banner
 chmod 0644 /target/etc/banner
 umask 0077
 wget --https-only --secure-protocol=TLSv1_3 -c -O /target/root/.ssh/authorized_keys https://coresecret.eu/download/developer/2024_rsa4096_developer_root.pub.key
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/preseed/.cfg/.directories.cfg
+++ b/config/includes.chroot/preseed/.cfg/.directories.cfg
@@ -0,0 +1,32 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 /target
 /target/boot
 /target/boot/efi
 /target/etc
 /target/etc/apt
 /target/etc/network
 /target/dev
 /target/dev/pts
 /target/home
 /target/proc
 /target/root
 /target/run
 /target/run/lock
 /target/sys
 /target/usr
 /target/var
 /target/var/log
 /target/var/log/audit
 /target/var/log/ciss
 /target/var/tmp
 /target/tmp
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/preseed/.cfg/apt.cfg
+++ b/config/includes.chroot/preseed/.cfg/apt.cfg
@@ -0,0 +1,78 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ###########################################################################################
 # apt settings                                                                            #
 ###########################################################################################
 # Choose, if you want to scan additional installation media (default: false):
 d-i apt-setup/cdrom/set-first boolean false
 # By default source repositories are listed in /etc/apt/sources.list:
 d-i apt-setup/enable-source-repositories boolean true
 # A network mirror can be used to supplement the software that is not included on the
 # installation media. This may also make newer versions of software available:
 d-i apt-setup/use_mirror boolean true
 # Uncomment the following line, if you don't want to have the sources.list entry for a
 # DVD/BD installation image active in the installed system:
 d-i apt-setup/disable-cdrom-entries boolean true
 # You can choose to install non-free firmware:
 d-i apt-setup/non-free-firmware boolean true
 # You can choose to install non-free and contrib software:
 d-i apt-setup/non-free boolean true
 d-i apt-setup/contrib boolean true
 # Debian has two services that provide updates to releases:
 #
 #  security and release updates.
 #  .
 #  Security updates help to keep your system secured against attacks.
 #  Enabling this service is strongly recommended.
 #  .
 #  Release updates provide more current versions for software that changes relatively
 #  frequently and where not having the latest version could reduce the usability of the
 #  software. It also provides regression fixes. This service is only available for stable
 #  and oldstable releases.
 #  .
 #  Backported software are adapted from the development version to work with this release.
 #  Although this software has not gone through such complete testing as that contained in
 #  the release, it includes newer versions of some applications which may provide useful
 #  features. Enabling backports here does not cause any of them to be installed by default;
 #  it only allows you to manually select backports to use.
 #  https://preseed.debian.net/debian-preseed/bookworm/amd64-main-full.txt
 d-i apt-setup/services-select multiselect security updates, release updates, backported software
 # Different spelling:
 # d-i apt-setup/services-select multiselect security, updates, backports
 d-i apt-setup/security_host string security.debian.org
 # Whether to upgrade packages after debootstrap. Allowed values: none, safe-upgrade, full-upgrade
 d-i pkgsel/upgrade select full-upgrade
 # Applying updates on a frequent basis is an important part of keeping the system secure.
 #
 #  .
 #  By default, security updates are not automatically installed, as security advisories should be
 #  reviewed before manual installation of the updates using standard package management tools.
 #  .
 #  Alternatively the unattended-upgrades package can be installed, which will install security
 #  updates automatically. Note however that automatic installation of updates may occasionally
 #  cause unexpected downtime of services provided by this machine in the rare cases where the
 #  update is not fully backward-compatible, or where the security advisory requires the
 #  administrator to perform some other manual operation.
 #  .
 #  Possible choices: No automatic updates, Install security updates automatically
 d-i pkgsel/update-policy select Install security updates automatically
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/preseed/.cfg/base.cfg
+++ b/config/includes.chroot/preseed/.cfg/base.cfg
@@ -0,0 +1,24 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ###########################################################################################
 # Base installer                                                                          #
 ###########################################################################################
 # Configure APT to not install recommended packages by default. Use of this option can
 # result in an incomplete system and should only be used by very experienced users:
 d-i base-installer/install-recommends boolean true
 # The kernel image to be installed; "none" can be used if no kernel is to be installed:
 d-i base-installer/kernel/image string linux-image-amd64
 # Choose to not get the tasksel dialog displayed at all (and don't install any packages):
 d-i pkgsel/run_tasksel boolean false
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/preseed/.cfg/finished.cfg
+++ b/config/includes.chroot/preseed/.cfg/finished.cfg
@@ -0,0 +1,26 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ###########################################################################################
 # Finishing installation                                                                  #
 ###########################################################################################
 # Avoid that last message about the install being complete:
 d-i finish-install/reboot_in_progress note
 # This will prevent the installer from ejecting the CD during the reboot:
 d-i cdrom-detect/eject boolean true
 # This is how to make the installer shutdown when finished, but not reboot:
 d-i debian-installer/exit/halt boolean false
 # This will power off the machine instead of just halting it:
 d-i debian-installer/exit/poweroff boolean true
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/preseed/.cfg/firmware.cfg
+++ b/config/includes.chroot/preseed/.cfg/firmware.cfg
@@ -0,0 +1,19 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ###########################################################################################
 # Firmware settings                                                                       #
 ###########################################################################################
 # never             : Completely disables the firmware search.
 # missing (default) : Searches only when the firmware is needed.
 # always            : Always searches and asks for any firmware that could be useful for the hardware.
 d-i hw-detect/firmware-lookup string missing
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/preseed/.cfg/grub.cfg
+++ b/config/includes.chroot/preseed/.cfg/grub.cfg
@@ -0,0 +1,62 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ###########################################################################################
 # GRUB2 settings                                                                          #
 ###########################################################################################
 # Due notably to potential USB sticks, the location of the primary drive can not be
 # determined safely in general, so this needs to be specified:
 d-i grub-installer/bootdev string /dev/sda
 # To install to the primary device (assuming it is not a USB stick):
 # d-i grub-installer/bootdev  string default
 # Set this to false to install GRUB Legacy rather than GRUB 2, if possible:
 d-i grub-installer/grub2_instead_of_grub_legacy boolean true
 # This is fairly safe to set, it makes grub install automatically to the UEFI partition/boot
 # record if no other operating system is detected on the machine:
 d-i grub-installer/only_debian boolean true
 # This one makes grub-installer install to the UEFI partition/boot record, if it also finds
 # some other OS, which is less safe as it might not be able to boot that other OS:
 d-i grub-installer/with_other_os boolean true
 # OS-prober did not detect any other operating systems on your computer at this time, but you
 # may still wish to enable it in case you install more in the future:
 d-i grub-installer/enable_os_prober_otheros_no boolean true
 # Skip installing grub:
 d-i grub-installer/skip boolean false
 # Force GRUB installation to the EFI removable media path?
 #  .
 #  It seems that this computer is configured to boot via EFI, but maybe that configuration will
 #  not work for booting from the hard drive. Some EFI firmware implementations do not meet the
 #  EFI specification (i.e. they are buggy!) and do not support proper configuration of boot
 #  options from system hard drives.
 #  .
 #  A workaround for this problem is to install an extra copy of the EFI version of the GRUB
 #  boot loader to a fallback location, the "removable media path". Almost all EFI systems, no
 #  matter how buggy, will boot GRUB that way.
 #  .
 #  Warning: If the installer failed to detect another operating system that is present on your
 #  computer that also depends on this fallback, installing GRUB there will make that operating
 #  system temporarily unbootable. GRUB can be manually configured later to boot it if necessary.
 d-i grub-installer/force-efi-extra-removable boolean false
 # Description: Update NVRAM variables to automatically boot into Debian?
 #  .
 #  GRUB can configure your platform's NVRAM variables so that it boots into Debian automatically
 #  when powered on. However, you may prefer to disable this behavior and avoid changes to your
 #  boot configuration. For example, if your NVRAM variables have been set up such that your
 #  system contacts a PXE server on every boot, this would preserve that behavior.
 d-i grub-installer/update-nvram boolean true
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/preseed/.cfg/locale.cfg
+++ b/config/includes.chroot/preseed/.cfg/locale.cfg
@@ -0,0 +1,25 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ###########################################################################################
 # Locale settings                                                                         #
 ###########################################################################################
 # Preseeding only locale sets language, country and locale:
 # d-i debian-installer/locale string en_US
 # The values can also be preseeded individually for greater flexibility:
 # d-i debian-installer/language string en
 # d-i debian-installer/country string NL
 # d-i debian-installer/locale string en_GB.UTF-8
 d-i debian-installer/locale string en_US.UTF-8
 d-i keyboard-configuration/layoutcode string de
 d-i keyboard-configuration/xkb-keymap select German
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/preseed/.cfg/md5sum.txt
+++ b/config/includes.chroot/preseed/.cfg/md5sum.txt
@@ -0,0 +1,15 @@
 336de475a23be401db656485fe2134e5 apt.cfg
 9b2768bf48aada9e1fc33cfe94571826 base.cfg
 95c0feba9a9ed2a1f3d86cc2bf1910f8 finished.cfg
 bccbc23588d19b3057e4b4915b03538b firmware.cfg
 d80da843499d8d797703b8aef2bf28d5 grub.cfg
 e876c113af0630f113811e5bade71b06 locale.cfg
 2b85692b087100a0535fe8711cdbcb63 modules.cfg
 1c0c74ed939c34d620bde9b8f1a91a1c network.cfg
 da7738a8db3d4e2c220bf3f5b3e50dcb packages.cfg
 5dff498042e3d095a792951ba1bd9d2f partitioning.cfg
 7f71ea76c629c4e4f0ab2f9a6c8b28ea security.cfg
 8e6b49c07d678060b661f7dd2fad6f39 software.cfg
 f526221c741e4e2c5090f2ff60e53d62 ssh.cfg
 1ffc41f4c70be83fd6524262494bdf11 time.cfg
 67b9d1aa4bb4a4b8610ca42fa45521cf user.cfg
--- a/config/includes.chroot/preseed/.cfg/modules.cfg
+++ b/config/includes.chroot/preseed/.cfg/modules.cfg
@@ -0,0 +1,39 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ###########################################################################################
 # Modules                                                                                 #
 ###########################################################################################
 # Install standard modules:
 d-i anna/standard_modules boolean true
 d-i anna/choose_modules string \
 crypto-dm-modules          \
 crypto-dm-setup-udeb       \
 ethdetect                  \
 fdisk-udeb                 \
 grub-installer             \
 hw-detect                  \
 lowmem                     \
 lvm2                       \
 mbr                        \
 netcfg                     \
 network-console            \
 parted                     \
 partman-auto               \
 partman-auto-crypto        \
 partman-basicfilesystems   \
 partman-btrfs              \
 partman-crypto             \
 partman-ext4               \
 partman-lvm                \
 partman-md                 \
 rescue-mode
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/preseed/.cfg/network.cfg
+++ b/config/includes.chroot/preseed/.cfg/network.cfg
@@ -0,0 +1,56 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ###########################################################################################
 # Network setting                                                                         #
 ###########################################################################################
 # netcfg will choose an interface that has link if possible. This makes it # skip
 # displaying a list if there is more than one interface:
 d-i netcfg/choose_interface select auto
 # To pick a particular interface instead:
 # d-i netcfg/choose_interface select eth1
 # To set a different link detection timeout (default is 3 seconds).
 d-i netcfg/link_wait_timeout string 10
 # If dhcp server is slow and the installer times out waiting for it, this might be useful.
 d-i netcfg/dhcp_timeout string 60
 d-i netcfg/dhcpv6_timeout string 60
 ###########################################################################################
 # Automatic network configuration is the default. If you prefer to configure the network  #
 # manually, uncomment this line and the static network configuration below.               #
 ###########################################################################################
 # d-i netcfg/disable_autoconfig boolean true
 ###########################################################################################
 # If you want the preconfiguration file to work on systems both with and without a dhcp   #
 # server, uncomment these lines and the static network configuration below.               #
 ###########################################################################################
 d-i netcfg/dhcp_failed note
 d-i netcfg/dhcp_options select Configure network manually
 ###########################################################################################
 # Static network configuration.                                                           #
 ###########################################################################################
 # d-i netcfg/get_nameservers string 192.168.128.254
 # d-i netcfg/get_ipaddress string 192.168.128.128
 # d-i netcfg/get_netmask string 255.255.255.0
 # d-i netcfg/get_gateway string 192.168.128.254
 # d-i netcfg/confirm_static boolean true
 ###########################################################################################
 # If non-free firmware is needed for the network or other hardware, you can configure the #
 # installer to always try to load it, without prompting. Or change to false to disable    #
 # asking.                                                                                 #
 ###########################################################################################
 d-i hw-detect/load_firmware boolean true
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/preseed/.cfg/packages.cfg
+++ b/config/includes.chroot/preseed/.cfg/packages.cfg
@@ -0,0 +1,44 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ###########################################################################################
 # Deb packages settings                                                                   #
 ###########################################################################################
 # Please select the protocol to be used for downloading files. If unsure, select "http":
 d-i mirror/protocol string https
 # Country code or "manual":
 d-i mirror/country string US
 # Suite to install:
 d-i mirror/suite string stable
 # Suite to use for loading installer components (optional):
 d-i mirror/udeb/suite string stable
 # Debian archive mirror hostname. Please enter the hostname of the mirror from which
 # Debian will be downloaded. An alternate port can be specified using the standard
 # [hostname]:[port] format:
 d-i mirror/http/hostname string deb.debian.org
 # Debian archive mirror directory. Please enter the directory in which the mirror of
 # the Debian archive is located:
 d-i mirror/http/directory string /debian/
 # HTTP proxy information (blank for none). If you need to use a HTTP proxy to access the
 #  outside world, enter the proxy information here. Otherwise, leave this blank. The proxy
 # information should be given in the standard form of "http://[[user][:pass]@]host[:port]/".
 d-i mirror/http/proxy string
 # Debian archive mirror country. The goal is to find a mirror of the Debian archive that
 # is close to you on the network -- be aware that nearby countries, or even your own, may
 # not be the best choice.
 d-i mirror/https/countries select US
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/preseed/.cfg/partitioning.cfg
+++ b/config/includes.chroot/preseed/.cfg/partitioning.cfg
@@ -0,0 +1,360 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ###########################################################################################
 # Partitioning CISS.partitioning                                                          #
 ###########################################################################################
 # If the system has free space you can choose to only partition that space. This is only
 # honoured if partman-auto/method is NOT set. Alternatively, choose 'use_entire_disk':
 # d-i partman-auto/init_automatically_partition select biggest_free
 # Alternatively, you may specify a disk to partition.
 ###d-i partman-auto/disk string /dev/sda
 # In addition, you'll need to specify the method to use. Presently available methods are:
 # - regular : use the usual partition types for your architecture
 # - lvm     : use LVM to partition the disk
 # - crypto  : use LVM within an encrypted partition
 ###d-i partman-auto/method string crypto
 # When disk encryption is enabled, skip wiping the partitions beforehand:
 ###d-i partman-auto-crypto/erase_disks boolean false
 # You can define the amount of space that will be used for the LVM volume group. It can
 # either be a size with its unit (eg. 20 GB), a percentage of free space or 'max' keyword:
 ###d-i partman-auto-lvm/guided_size string max
 # Name of the volume group for the new system:
 ###d-i partman-auto-lvm/new_vg_name string vg_ciss
 # Force UEFI booting ('BIOS compatibility' will be lost). Default: false:
 ###d-i partman-efi/non_efi_system boolean false
 # If one of the disks that are going to be automatically partitioned contains an old LVM
 # configuration, the user will normally receive a warning. This can be preseeded away:
 ###d-i partman-lvm/device_remove_lvm boolean true
 # The same applies to pre-existing software RAID array:
 ###d-i partman-md/device_remove_md boolean true
 # And the same goes for the confirmation to write the lvm partitions:
 ###d-i partman-lvm/confirm boolean true
 ###d-i partman-lvm/confirm_nooverwrite boolean true
 ###########################################################################################
 # This makes partman automatically partition without confirmation, provided that it was   #
 # told what to do using one of the methods specified.                                     #
 ###########################################################################################
 # The following debconfvariables are often important for the basic configuration and for  #
 # mounting after manual partitioning. These ensure that the installer does not attempt to #
 # make changes or overwrite already mounted partitions. They help to 'switch off' the     #
 # installer when it tries to apply partitioning automatically.                            #
 ###########################################################################################
 # Confirm whether you actually want to create a new partition table and write it to disk:
 ###d-i partman-partitioning/confirm_write_new_label boolean true
 ###d-i partman/choose_partition select finish
 ###d-i partman/confirm boolean true
 ###d-i partman/confirm_nooverwrite boolean true
 # Ensure the partition table is GPT - this is required for EFI:
 ###d-i partman-partitioning/choose_label select gpt
 ###d-i partman-partitioning/default_label string gpt
 # This setting ensures that partitions without a mount point do not trigger a warning dialogue.
 ###d-i partman-basicfilesystems/no_mount_point boolean true
 # This setting tells the Debian installer not to issue a warning if no swap partition is set up.
 ###d-i partman-basicfilesystems/no_swap boolean true
 # Encryption settings
 # d-i partman-crypto/passphrase password < set by ./preseed/.ash/0_di_preseed_include_command.sh >
 # d-i partman-crypto/passphrase-again password < set by ./preseed/.ash/0_di_preseed_include_command.sh >
 ###d-i partman-crypto/passphrase password DEFAULT
 ###d-i partman-crypto/passphrase-again password DEFAULT
 ###d-i partman-crypto/weak_passphrase boolean true
 # https://preseed.debian.net/debian-preseed/bookworm/amd64-main-full.txt
 ###d-i partman-crypto/entropy entropy 256
 # debconf-set-selections -c ./preseed/.cfg/partitioning.cfg: "warning: Unknown type entropy, skipping line" therefore as string:
 ###d-i partman-crypto/entropy string 256
 # Are you sure you want to use a random key?
 ###d-i partman-crypto/use_random_for_nonswap boolean false
 ###########################################################################################
 # This command is run immediately before the partitioner starts. It may be useful to      #
 # apply dynamic partitioner preseeding that depends on the state of the disks (which may  #
 # not be visible when preseed/early_command runs).                                        #
 ###########################################################################################
 # d-i partman/early_command string /sh /.ciss/install/.ash/2_di_partman_early_command.sh
 ###d-i partman-auto/expert_recipe string           \
 \
 511MiB 511MiB 511MiB EFS                  \
 label{ ESP }                            \
 $defaultignore{ }                       \
 $primary{ }                             \
 $bootable{ }                            \
 method{ efi }                           \
 format{ }                               \
 use_filesystem{ }                       \
 filesystem{ EFS }                       \
 device{ /dev/sda }                      \
 mountpoint{ /boot }                     \
 .                                       \
 rescue ::                                     \
 3584MiB 3584MiB 3584MiB ext4              \
 label{ rescue }                         \
 $defaultignore{ }                       \
 $primary{ }                             \
 method{ format }                        \
 format{ }                               \
 use_filesystem{ }                       \
 filesystem{ ext4 }                      \
 device{ /dev/sda }                      \
 mountpoint{ /mnt/rescue }               \
 .                                       \
 crypt_boot ::                                 \
 4096MiB 4096MiB 4096MiB ext4              \
 label{ boot }                           \
 $defaultignore{ }                       \
 $primary{ }                             \
 method{ format }                        \
 format{ }                               \
 use_filesystem{ }                       \
 filesystem{ ext4 }                      \
 device{ /dev/sda }                      \
 mountpoint{ /boot }                     \
 .                                       \
 crypt_ephemeral_swap ::                       \
 4096MiB 4096MiB 4096MiB none              \
 label{ crypt_swap }                     \
 $defaultignore{ }                       \
 $primary{ }                             \
 method{ keep }                          \
 device{ /dev/sda }                      \
 .                                       \
 crypt_ephemeral_tmp ::                        \
 4096MiB 4096MiB 4096MiB none              \
 label{ crypt_tmp }                      \
 $defaultignore{ }                       \
 $primary{ }                             \
 method{ keep }                          \
 device{ /dev/sda }                      \
 .                                       \
 crypt_home ::                                 \
 32768MiB 32768MiB 32768MiB crypto         \
 $primary{ }                             \
 method{ crypto }                        \
 format{ }                               \
 use_filesystem{ }                       \
 filesystem{ btrfs }                     \
 label{ btrfs_home }                     \
 options/subvol{ @snapshots }            \
 device{ /dev/sda }                      \
 mountpoint{ /home }                     \
 .                                       \
 crypt_root ::                                 \
 32768MiB 32768MiB 32768MiB crypto         \
 $primary{ }                             \
 method{ crypto }                        \
 format{ }                               \
 use_filesystem{ }                       \
 filesystem{ btrfs }                     \
 label{ btrfs_root }                     \
 options/subvol{ @snapshots }            \
 device{ /dev/sda }                      \
 mountpoint{ / }                         \
 .                                       \
 crypt_usr ::                                  \
 40960MiB 40960MiB 40960MiB crypto         \
 $primary{ }                             \
 method{ crypto }                        \
 format{ }                               \
 use_filesystem{ }                       \
 filesystem{ btrfs }                     \
 label{ btrfs_usr }                      \
 options/subvol{ @snapshots }            \
 device{ /dev/sda }                      \
 mountpoint{ /usr }                      \
 .                                       \
 crypt_var ::                                  \
 40960MiB 40960MiB 40960MiB crypto         \
 $primary{ }                             \
 method{ crypto }                        \
 format{ }                               \
 use_filesystem{ }                       \
 filesystem{ btrfs }                     \
 label{ btrfs_var }                      \
 options/subvol{ @snapshots }            \
 device{ /dev/sda }                      \
 mountpoint{ /var }                      \
 .                                       \
 crypt_var_log ::                              \
 16384MiB 16384MiB 16384MiB crypto         \
 $primary{ }                             \
 method{ crypto }                        \
 format{ }                               \
 use_filesystem{ }                       \
 filesystem{ btrfs }                     \
 label{ btrfs_var_log }                  \
 options/subvol{ @snapshots }            \
 device{ /dev/sda }                      \
 mountpoint{ /var/log }                  \
 .                                       \
 crypt_var_log_audit ::                        \
 16384MiB 16384MiB 16384MiB crypto         \
 $primary{ }                             \
 method{ crypto }                        \
 format{ }                               \
 use_filesystem{ }                       \
 filesystem{ btrfs }                     \
 label{ btrfs_var_log_audit }            \
 options/subvol{ @snapshots }            \
 device{ /dev/sda }                      \
 mountpoint{ /var/log/audit }            \
 .                                       \
 crypt_var_tmp ::                              \
 16384MiB 16384MiB 16384MiB crypto         \
 $primary{ }                             \
 method{ crypto }                        \
 format{ }                               \
 use_filesystem{ }                       \
 filesystem{ btrfs }                     \
 label{ btrfs_var_tmp }                  \
 options/subvol{ @snapshots }            \
 device{ /dev/sda }                      \
 mountpoint{ /var/tmp }                  \
 .                                       \
 installer_tmp ::                              \
 1024MiB 16384MiB -1 ext4                  \
 $defaultignore{ }                       \
 $primary{ }                             \
 method{ format }                        \
 format{ }                               \
 use_filesystem{ }                       \
 filesystem{ ext4 }                      \
 mountpoint{ /tmp }                      \
 device{ /dev/sda }                      \
 label{ installer_tmp }                  \
 .
 ###########################################################################################
 #d-i partman-auto/choose_recipe select ciss-2025-btrfs-ultra
 #d-i partman-auto/expert_recipe string           \
 ciss-2025-btrfs-ultra ::                      \
 ESP :                                       \
 511 511 511 free                          \
 $defaultignore{ }                       \
 $primary{ }                             \
 $bootable{ }                            \
 method{ efi } format{ }                 \
 label{ ESP }                            \
 .                                       \
 boot :                                      \
 3584 3584 3584 ext4                       \
 $defaultignore{ }                       \
 $primary{ }                             \
 method{ format } format{ }              \
 use_filesystem{ } filesystem{ ext4 }    \
 mountpoint{ /boot }                     \
 label{ boot }                           \
 .                                       \
 crypt_ephemeral_swap :                      \
 4096 4096 4096 none                       \
 $defaultignore{ }                       \
 $primary{ }                             \
 method{ keep }                          \
 label{ crypt_sda3 }                     \
 .                                       \
 crypt_ephemeral_tmp :                       \
 4096 4096 4096 none                       \
 $defaultignore{ }                       \
 $primary{ }                             \
 method{ keep }                          \
 label{ crypt_sda4 }                     \
 .                                       \
 lv_home :                                   \
 32768 32768 32768 btrfs                   \
 $lvmok{ }                               \
 lv_name{ lv_home }                      \
 method{ format } format{ }              \
 use_filesystem{ } filesystem{ btrfs }   \
 label{ btrfs_home }                     \
 options/subvol{ @snapshots }            \
 mountpoint{ /home }                     \
 .                                       \
 lv_root :                                   \
 32768 32768 32768 btrfs                   \
 $lvmok{ }                               \
 lv_name{ lv_root }                      \
 method{ format } format{ }              \
 use_filesystem{ } filesystem{ btrfs }   \
 label{ btrfs_root }                     \
 options/subvol{ @snapshots }            \
 mountpoint{ / }                         \
 .                                       \
 lv_usr :                                    \
 65536 65536 65536 btrfs                   \
 $lvmok{ }               }               \
 lv_name{ lv_usr }                       \
 method{ format } format{ }              \
 use_filesystem{ } filesystem{ btrfs }   \
 label{ btrfs_usr }                      \
 options/subvol{ @snapshots }            \
 mountpoint{ /usr }                      \
 .                                       \
 lv_var :                                    \
 65536 65536 65536 btrfs                   \
 $lvmok{ }                               \
 lv_name{ lv_var }                       \
 method{ format } format{ }              \
 use_filesystem{ } filesystem{ btrfs }   \
 label{ btrfs_var }                      \
 options/subvol{ @snapshots }            \
 mountpoint{ /var }                      \
 .                                       \
 lv_var_log :                                \
 16384 16384 16384 btrfs                   \
 $lvmok{ }                               \
 lv_name{ lv_var_log }                   \
 method{ format } format{ }              \
 use_filesystem{ } filesystem{ btrfs }   \
 label{ btrfs_var_log }                  \
 options/subvol{ @snapshots }            \
 mountpoint{ /var/log }                  \
 .                                       \
 lv_var_log_audit :                          \
 16384 16384 16384                         \
 $lvmok{ }                               \
 lv_name{ lv_var_log_audit }             \
 method{ format } format{ }              \
 use_filesystem{ } filesystem{ btrfs }   \
 label{ btrfs_var_log_audit }            \
 options/subvol{ @snapshots }            \
 mountpoint{ /var/log/audit }            \
 .                                       \
 lv_var_tmp :                                \
 1 16384 -1                                \
 $lvmok{ }                               \
 lv_name{ lv_var_tmp }                   \
 method{ format } format{ }              \
 use_filesystem{ } filesystem{ btrfs }   \
 label{ btrfs_var_tmp }                  \
 options/subvol{ @snapshots }            \
 mountpoint{ /var/tmp }                  \
 .                                       \
 rescue :                                    \
 1024 8192 -1                              \
 $defaultignore{ }                       \
 $primary{ }                             \
 method{ format } format{ }              \
 use_filesystem{ } filesystem{ ext4 }    \
 mountpoint{ /tmp }                      \
 label{ rescue }                         \
 .
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/preseed/.cfg/security.cfg
+++ b/config/includes.chroot/preseed/.cfg/security.cfg
@@ -0,0 +1,21 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ###########################################################################################
 # Security settings                                                                       #
 ###########################################################################################
 # The installer will ensure that any packages are signed and authenticated.
 d-i debian-installer/allow_unauthenticated boolean false
 # This ensures that the connection between the installer and the server from which files
 # are downloaded is encrypted and signed by a trusted certificate authority.
 d-i debian-installer/allow_unauthenticated_ssl boolean false
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/preseed/.cfg/software.cfg
+++ b/config/includes.chroot/preseed/.cfg/software.cfg
@@ -0,0 +1,59 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ###########################################################################################
 # Software installation                                                                   #
 ###########################################################################################
 d-i pkgsel/include string     \
 apt-show-versions             \
 apt-transport-https           \
 apt-utils                     \
 bat                           \
 bc                            \
 ca-certificates               \
 curl                          \
 debconf                       \
 debconf-utils                 \
 dialog                        \
 expect                        \
 figlet                        \
 fzf                           \
 gawk                          \
 git                           \
 gnupg2                        \
 haveged                       \
 htop                          \
 iftop                         \
 iputils-ping                  \
 jq                            \
 keychain                      \
 libpam-google-authenticator   \
 libpam-pwquality              \
 locate                        \
 lsb-release                   \
 lvm2                          \
 makepasswd                    \
 man                           \
 mtr                           \
 nano                          \
 ncat                          \
 neofetch                      \
 net-tools                     \
 parted                        \
 pollinate                     \
 pwgen                         \
 openssh-server                \
 unzip                         \
 virt-what                     \
 whois                         \
 wget                          \
 zip
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/preseed/.cfg/ssh.cfg
+++ b/config/includes.chroot/preseed/.cfg/ssh.cfg
@@ -0,0 +1,22 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ###########################################################################################
 # SSH settings                                                                            #
 ###########################################################################################
 # Use the following settings if you wish to make use of the network-console component for #
 # remote installation over SSH. This only makes sense if you intend to perform the        #
 # remainder of the installation manually.                                                 #
 ###########################################################################################
 d-i network-console/authorized_keys_url string https : //coresecret.eu/download/developer/2024_rsa4096_developer_root.pub.key
 # d-i network-console/password password < never ever use plain hardcoded credentials >
 # d-i network-console/password-again password < never ever use plain hardcoded credentials >
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/Show More
+++ b/Show More