## V8.13.096.2025.10.09

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/hooks/live/0000_basic_chroot_setup.chroot

@@ -13,6 +13,9 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
+export DEBIAN_FRONTEND="noninteractive"
+apt-get update -qq
+
 mkdir -p /root/.ciss/dlb/backup
 chmod 0700 /root/.ciss/dlb/backup
 

config/hooks/live/0001_initramfs_modules.chroot

@@ -14,9 +14,13 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
 #######################################
-# Get all NIC Driver of the current Host-machine
+# Get all NIC drivers of the current Host machine.
+# Globals:
+#   None
 # Arguments:
-#  None
+#   None
+# Returns:
+#   0: on success
 #######################################
 grep_nic_driver_modules() {
   declare _mods
@@ -33,15 +37,25 @@ grep_nic_driver_modules() {
 
   declare nic_module
   declare nic_modules
+
   if [[ "${#_mods[@]}" -eq 1 ]]; then
+
     nic_module="${_mods[0]}"
     echo "${nic_module}"
+
   else
+
     nic_modules="${_mods[*]}"
     echo "${nic_modules}"
+
   fi
+
+  return 0
 }
 
+export DEBIAN_FRONTEND="noninteractive"
+apt-get install -y intel-microcode amd64-microcode
+
 # shellcheck disable=SC2155
 declare nic_driver="$(grep_nic_driver_modules)"
 cat << EOF >| /etc/initramfs-tools/modules
@@ -68,7 +82,19 @@ cat << EOF >| /etc/initramfs-tools/modules
 # raid1
 # sd_mod
 
-### Main btrfs-Stack
+### Load AppArmor early:
+apparmor
+
+### Entropy source for '/dev/random':
+jitterentropy_rng
+rng_core
+
+### Live-ISO-Stack:
+loop
+squashfs
+overlay
+
+### Main btrfs-Stack:
 btrfs
 lzo
 xor
@@ -76,12 +102,12 @@ xxhash
 zstd
 zstd_compress
 
-### Main ext4-Stack
+### Main ext4-Stack:
 ext4
 jbd2
 libcrc32c
 
-### Main VFAT/ESP/FAT/UEFI-Stack
+### Main VFAT/ESP/FAT/UEFI-Stack:
 exfat
 fat
 nls_ascii
@@ -91,30 +117,32 @@ nls_iso8859-15
 nls_utf8
 vfat
 
-### Device mapper, encryption & integrity
+### Device mapper, encryption & integrity:
 dm_mod
 dm_crypt
 dm_integrity
 dm_verity
 
-### Main cryptography-Stack
+### Main cryptography-Stack:
 aes_generic
 blake2b_generic
 crc32c_generic
+cryptd
 libcrc32c
 sha256_generic
 sha512_generic
+xts
 
-### QEMU Bochs-compatible virtual machine support
+### QEMU Bochs-compatible virtual machine support:
 bochs
 
-### RAID6 parity generation module
+### RAID6 parity generation module:
 raid6_pq
 
-### Combined RAID4/5/6 support module
+### Combined RAID4/5/6 support module:
 raid456
 
-### SCSI/SATA-Stack
+### SCSI/SATA-Stack:
 sd_mod
 sr_mod
 sg
@@ -125,11 +153,11 @@ libata
 scsi_mod
 scsi_dh_alua
 
-### NVMe-Stack
+### NVMe-Stack:
 nvme
 nvme_core
 
-### USB-Stack
+### USB-Stack:
 xhci_pci
 xhci_hcd
 ehci_pci
@@ -138,14 +166,14 @@ uhci_hcd
 usb_storage
 uas
 
-### Virtual-Machines-Stack
+### Virtual-Machines-Stack:
 virtio_pci
 virtio_blk
 virtio_scsi
 virtio_rng
 virtio_console
 
-### Network Driver Host-machine
+### Network Driver Host-machine:
 "${nic_driver}"
 
 EOF

config/hooks/live/0010_install_apparmor.chroot

@@ -0,0 +1,34 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+export DEBIAN_FRONTEND="noninteractive"
+apt-get install -y --no-install-recommends apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra
+
+install -d /etc/systemd/system/apparmor.service.d
+cat << EOF >| /etc/systemd/system/apparmor.service.d/10-live-force.conf
+[Unit]
+### Drop any negative live conditions that would skip AppArmor on overlay.
+ConditionPathExists=
+
+### Ensure we only rely on the security=apparmor condition.
+ConditionSecurity=apparmor
+EOF
+
+install -d -m 0755 /var/cache/apparmor
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0050_activate_root.chroot

@@ -14,16 +14,19 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
 if [[ ! -f /root/.pwd ]]; then
+
   printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ /root/.pwd NOT found. \e[0m\n"
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Exiting Hook ... \e[0m\n"
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' done. Nothing changed. \e[0m\n" "${0}"
   exit 0
+
 fi
 
 cd /root
 
+# shellcheck disable=SC2312
 cp /etc/shadow /root/.ciss/dlb/backup/shadow.bak."$(date +%F_%T)"
-chmod 600 /root/.ciss/dlb/backup/shadow.bak.*
+chmod 0600 /root/.ciss/dlb/backup/shadow.bak.*
 
 declare hashed_pwd
 declare safe_hashed_pwd
@@ -37,9 +40,13 @@ unset hashed_pwd safe_hashed_pwd
 cat /etc/shadow
 
 if shred -vfzu -n 5 /root/.pwd; then
+
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: -vfzu -n 5 >> done. \e[0m\n"
+
 else
+
   printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: -vfzu -n 5 >> NOT successful. \e[0m\n" >&2
+
 fi
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

config/hooks/live/0090_haveged.chroot

@@ -12,10 +12,9 @@
 set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
-apt-get update -y
-apt-get install --no-install-recommends haveged -y
+export DEBIAN_FRONTEND="noninteractive"
+apt-get install -y --no-install-recommends haveged
 
 cd /root
 cat << 'EOF' >| /etc/default/haveged
@@ -25,18 +24,8 @@ cat << 'EOF' >| /etc/default/haveged
 DAEMON_ARGS="-w 2048 -v 1"
 EOF
 
-#mkdir -p /etc/systemd/system/haveged.service.d
-#cat << 'EOF' >| /etc/systemd/system/haveged.service.d/override.conf
-#[Service]
-#NoNewPrivileges=yes
-#ReadWritePaths=/dev/random /dev/urandom
-#AmbientCapabilities=
-#User=haveged
-#Group=nogroup
-#EOF
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9990_final_purge.chroot

@@ -13,7 +13,9 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
-apt-get update
+export DEBIAN_FRONTEND="noninteractive"
+
+apt-get update -qq
 
 apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
 
@@ -45,7 +47,6 @@ else
 
 fi
 
-apt-get update
 apt-get upgrade -y
 
 rm -f /tmp/deinstall.log

config/hooks/live/9993_aide.chroot

@@ -13,6 +13,7 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
+export DEBIAN_FRONTEND="noninteractive"
 apt-get install -y aide > /dev/null 2>&1
 
 cp -u /etc/aide/aide.conf /root/.ciss/dlb/backup/aide.conf.bak

config/hooks/live/9996_auditd.chroot

@@ -14,11 +14,20 @@
 
 set -Ceuo pipefail
 
+#######################################
+# Simple error terminal logger.
+# Arguments:
+#   None
+#######################################
+log() { printf '[auditd-build] %s\n' "${*}" >&2; }
+
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
 cd /root
 
-apt-get install auditd -y
+export DEBIAN_FRONTEND="noninteractive"
+
+apt-get install -y auditd
 
 cp -u /etc/audit/audit.rules /root/.ciss/dlb/backup/audit.rules.bak
 cp -u /etc/audit/auditd.conf /root/.ciss/dlb/backup/auditd.conf.bak
@@ -329,8 +338,53 @@ cat << EOF >| /etc/audit/rules.d/99-finalize.rules
 -e 2
 EOF
 
+
+### Sanity checks: reject empty or malformed rulesets early.
+if ! augenrules --check >/dev/null 2>&1; then
+
+  log "ERROR: augenrules --check failed. Please fix /etc/audit/rules.d/*.rules"
+  exit 1
+
+fi
+
+### This writes '/etc/audit/audit.rules'.
+log "Compiling /etc/audit/audit.rules (no load)"
+augenrules --no-load
+
+### Permissions hardening (augenrules typically sets sane perms; enforce anyway).
+### 0600 is conservative; 0640 root:root is also acceptable.
+if [[ -f /etc/audit/audit.rules ]]; then
+
+  chown root:root /etc/audit/audit.rules
+  chmod 0600 /etc/audit/audit.rules
+
+else
+
+  log "ERROR: Expected /etc/audit/audit.rules was not created"
+  exit 2
+
+fi
+
+### Minimal enablement checks for the first boot.
+### Ensure auditd will try to load rules at boot (systemd unit usually does this).
+### No-op on systems where auditd is socket-activated or already preset.
+if command -v systemctl >/dev/null 2>&1; then
+
+  ### Do not 'enable' in live images unless desired; we only make sure the unit exists.
+  systemctl --no-reload --quiet cat auditd.service >/dev/null || log "WARN: auditd.service not found at build time"
+
+fi
+
+### Quick validation that the merged file is non-trivial.
+if ! grep -Eq '(^-a|^-w|^-e\s+1)' /etc/audit/audit.rules; then
+
+  log "WARN: /etc/audit/audit.rules contains no active rules (-a/-w/-e). Is this intended?"
+
+fi
+
+log "Done. /etc/audit/audit.rules is precompiled."
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9997_debsums.chroot

@@ -15,17 +15,22 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 
 cd /root
 
-apt-get install --no-install-recommends debsums -y
+export DEBIAN_FRONTEND="noninteractive"
+apt-get install -y --no-install-recommends debsums
 
 cp -a /etc/default/debsums /root/.ciss/dlb/backup/debsums.bak
 chmod 0644 /root/.ciss/dlb/backup/debsums.bak
 sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums
 
 if debsums -g > /dev/null 2>&1; then
+
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'debsums -g' successful. \e[0m\n"
+
 else
+
   # Omit false negative error output to stdout and stderr, as no problematic errors occur on startup.
   printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'debsums -g' NOT successful. \e[0m\n"  > /dev/null 2>&1
+
 fi
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

config/includes.chroot/etc/login.defs

@@ -204,6 +204,6 @@ USERGROUPS_ENAB yes
 
 #
 # Added by CISS.debian.live.builder for redundance
-umask 077
+UMASK 077
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

config/includes.chroot/etc/ssh/ssh_known_hosts

@@ -0,0 +1,17 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Version Master V8.13.096.2025.10.09
+
+[git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
+[git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

config/includes.chroot/etc/ssh/sshd_confid.d/10-sshfp.conf

@@ -0,0 +1,24 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Version Master V8.13.096.2025.10.09
+
+Host git.coresecret.dev
+    Port                    42842
+    VerifyHostKeyDNS        yes
+    StrictHostKeyChecking   yes
+    GlobalKnownHostsFile    /etc/ssh/ssh_known_hosts
+    UserKnownHostsFile      /dev/null
+    HostKeyAlgorithms       ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
+    CanonicalizeHostname    no
+    UpdateHostKeys          no
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

config/includes.chroot/etc/ssh/sshd_config

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.13.064.2025.10.07
+### Version Master V8.13.096.2025.10.09
 
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -65,12 +65,12 @@ GatewayPorts                 no
 ### A+ Rating 100/100
 RequiredRSASize              4096
 Ciphers                      aes256-gcm@openssh.com
-KexAlgorithms                sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512,gss-curve25519-sha256-
-HostKeyAlgorithms            sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
+KexAlgorithms                mlkem768x25519-sha256,sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512
+HostKeyAlgorithms            ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
 MACs                         hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
-CASignatureAlgorithms        rsa-sha2-512,rsa-sha2-256,ssh-ed25519,sk-ssh-ed25519@openssh.com
+CASignatureAlgorithms        rsa-sha2-512,rsa-sha2-256,ssh-ed25519
 GSSAPIKexAlgorithms          gss-curve25519-sha256-,gss-group16-sha512-
-HostbasedAcceptedAlgorithms  sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
+HostbasedAcceptedAlgorithms  ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
 PubkeyAcceptedAlgorithms     sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
 
 ### Change to yes to enable challenge-response passwords (beware issues with some PAM modules and threads)

config/includes.chroot/etc/sysctl.d/99_local.hardened

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.13.064.2025.10.07
+### Version Master V8.13.096.2025.10.09
 
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/

config/includes.chroot/preseed/.iso/preseed_hash_generator.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-declare -gr VERSION="Master V8.13.064.2025.10.07"
+declare -gr VERSION="Master V8.13.096.2025.10.09"
 
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then

config/includes.chroot/preseed/preseed.cfg

@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.064.2025.10.07 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.096.2025.10.09 at: 10:18:37.9542