## V8.13.096.2025.10.09

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-09 20:57:08 +01:00
parent e682b6ac17
commit d3f9bec31c
52 changed files with 263 additions and 88 deletions
--- a/.archive/.0000_lib_usage.sh
+++ b/.archive/.0000_lib_usage.sh
@@ -21,7 +21,7 @@ usage() {
  clear
  cat << EOF
 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.13.064.2025.10.07\e[0m")
+$(echo -e "\e[92mMaster V8.13.096.2025.10.09\e[0m")
 $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
 $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.13.064.2025.10.07"
+      placeholder: "e.g., Master V8.13.096.2025.10.09"
    validations:
      required: true
--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.064.2025.10.07
+### Version Master V8.13.096.2025.10.09
 FROM debian:bookworm
--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.064.2025.10.07
+### Version Master V8.13.096.2025.10.09
 name: 🔁 Render README.md to README.html.
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
@@ -10,6 +10,6 @@
 # SPDX-Security-Contact: security@coresecret.eu
 build:
-  counter: 1024
+  counter: 1023
-  version: V8.13.064.2025.10.07
+  version: V8.13.096.2025.10.09
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.13.064.2025.10.07
+  version: V8.13.096.2025.10.09
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PUBLIC.yaml
+++ b/.gitea/trigger/t_generate_PUBLIC.yaml
@@ -10,6 +10,6 @@
 # SPDX-Security-Contact: security@coresecret.eu
 build:
-  counter: 1024
+  counter: 1023
-  version: V8.13.064.2025.10.07
+  version: V8.13.096.2025.10.09
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.13.064.2025.10.07
+  version: V8.13.096.2025.10.09
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.064.2025.10.07
+### Version Master V8.13.096.2025.10.09
 name: 🔐 Generating a Private Live ISO TRIXIE.
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.064.2025.10.07
+### Version Master V8.13.096.2025.10.09
 name: 🔐 Generating a Private Live ISO TRIXIE.
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.064.2025.10.07
+### Version Master V8.13.096.2025.10.09
 name: 💙 Generating a PUBLIC Live ISO.
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.064.2025.10.07
+### Version Master V8.13.096.2025.10.09
 # Gitea Workflow: Shell-Script Linting
 #
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.064.2025.10.07
+### Version Master V8.13.096.2025.10.09
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.064.2025.10.07
+### Version Master V8.13.096.2025.10.09
 name: 🔁 Render Graphviz Diagrams.
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.064.2025.10.07"
+properties_version="V8.13.096.2025.10.09"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.064.2025.10.07
+PackageVersion: Master V8.13.096.2025.10.09
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.064.2025.10.07-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.096.2025.10.09-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -26,7 +26,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.064.2025.10.07<br>
+**Build**: V8.13.096.2025.10.09<br>
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -151,7 +151,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `V8.13.064.2025.10.07`
+Example: `V8.13.096.2025.10.09`
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
--- a/config/hooks/live/0000_generate_backup_dir.chroot
+++ b/config/hooks/live/0000_generate_backup_dir.chroot
@@ -13,6 +13,9 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 export DEBIAN_FRONTEND="noninteractive"
 apt-get update -qq
 mkdir -p /root/.ciss/dlb/backup
 chmod 0700 /root/.ciss/dlb/backup
--- a/config/hooks/live/0001_initramfs_modules.chroot
+++ b/config/hooks/live/0001_initramfs_modules.chroot
@@ -14,9 +14,13 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 #######################################
-# Get all NIC Driver of the current Host-machine
+# Get all NIC drivers of the current Host machine.
 # Globals:
 #   None
 # Arguments:
-#  None
+#   None
 # Returns:
 #   0: on success
 #######################################
 grep_nic_driver_modules() {
  declare _mods
@@ -33,15 +37,25 @@ grep_nic_driver_modules() {
  declare nic_module
  declare nic_modules
  if [[ "${#_mods[@]}" -eq 1 ]]; then
    nic_module="${_mods[0]}"
    echo "${nic_module}"
  else
    nic_modules="${_mods[*]}"
    echo "${nic_modules}"
  fi
  return 0
 }
 export DEBIAN_FRONTEND="noninteractive"
 apt-get install -y intel-microcode amd64-microcode
 # shellcheck disable=SC2155
 declare nic_driver="$(grep_nic_driver_modules)"
 cat << EOF >| /etc/initramfs-tools/modules
@@ -68,7 +82,19 @@ cat << EOF >| /etc/initramfs-tools/modules
 # raid1
 # sd_mod
-### Main btrfs-Stack
+### Load AppArmor early:
 apparmor
 ### Entropy source for '/dev/random':
 jitterentropy_rng
 rng_core
 ### Live-ISO-Stack:
 loop
 squashfs
 overlay
 ### Main btrfs-Stack:
 btrfs
 lzo
 xor
@@ -76,12 +102,12 @@ xxhash
 zstd
 zstd_compress
-### Main ext4-Stack
+### Main ext4-Stack:
 ext4
 jbd2
 libcrc32c
-### Main VFAT/ESP/FAT/UEFI-Stack
+### Main VFAT/ESP/FAT/UEFI-Stack:
 exfat
 fat
 nls_ascii
@@ -91,30 +117,32 @@ nls_iso8859-15
 nls_utf8
 vfat
-### Device mapper, encryption & integrity
+### Device mapper, encryption & integrity:
 dm_mod
 dm_crypt
 dm_integrity
 dm_verity
-### Main cryptography-Stack
+### Main cryptography-Stack:
 aes_generic
 blake2b_generic
 crc32c_generic
 cryptd
 libcrc32c
 sha256_generic
 sha512_generic
 xts
-### QEMU Bochs-compatible virtual machine support
+### QEMU Bochs-compatible virtual machine support:
 bochs
-### RAID6 parity generation module
+### RAID6 parity generation module:
 raid6_pq
-### Combined RAID4/5/6 support module
+### Combined RAID4/5/6 support module:
 raid456
-### SCSI/SATA-Stack
+### SCSI/SATA-Stack:
 sd_mod
 sr_mod
 sg
@@ -125,11 +153,11 @@ libata
 scsi_mod
 scsi_dh_alua
-### NVMe-Stack
+### NVMe-Stack:
 nvme
 nvme_core
-### USB-Stack
+### USB-Stack:
 xhci_pci
 xhci_hcd
 ehci_pci
@@ -138,14 +166,14 @@ uhci_hcd
 usb_storage
 uas
-### Virtual-Machines-Stack
+### Virtual-Machines-Stack:
 virtio_pci
 virtio_blk
 virtio_scsi
 virtio_rng
 virtio_console
-### Network Driver Host-machine
+### Network Driver Host-machine:
 "${nic_driver}"
 EOF
--- a/config/hooks/live/0010_install_apparmor.chroot
+++ b/config/hooks/live/0010_install_apparmor.chroot
@@ -0,0 +1,34 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 export DEBIAN_FRONTEND="noninteractive"
 apt-get install -y --no-install-recommends apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra
 install -d /etc/systemd/system/apparmor.service.d
 cat << EOF >| /etc/systemd/system/apparmor.service.d/10-live-force.conf
 [Unit]
 ### Drop any negative live conditions that would skip AppArmor on overlay.
 ConditionPathExists=
 ### Ensure we only rely on the security=apparmor condition.
 ConditionSecurity=apparmor
 EOF
 install -d -m 0755 /var/cache/apparmor
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0050_activate_root.chroot
+++ b/config/hooks/live/0050_activate_root.chroot
@@ -14,16 +14,19 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 if [[ ! -f /root/.pwd ]]; then
  printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ /root/.pwd NOT found. \e[0m\n"
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Exiting Hook ... \e[0m\n"
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' done. Nothing changed. \e[0m\n" "${0}"
  exit 0
 fi
 cd /root
 # shellcheck disable=SC2312
 cp /etc/shadow /root/.ciss/dlb/backup/shadow.bak."$(date +%F_%T)"
-chmod 600 /root/.ciss/dlb/backup/shadow.bak.*
+chmod 0600 /root/.ciss/dlb/backup/shadow.bak.*
 declare hashed_pwd
 declare safe_hashed_pwd
@@ -37,9 +40,13 @@ unset hashed_pwd safe_hashed_pwd
 cat /etc/shadow
 if shred -vfzu -n 5 /root/.pwd; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: -vfzu -n 5 >> done. \e[0m\n"
 else
  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: -vfzu -n 5 >> NOT successful. \e[0m\n" >&2
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
--- a/config/hooks/live/0090_haveged.chroot
+++ b/config/hooks/live/0090_haveged.chroot
@@ -12,10 +12,9 @@
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
-apt-get update -y
+export DEBIAN_FRONTEND="noninteractive"
-apt-get install --no-install-recommends haveged -y
+apt-get install -y --no-install-recommends haveged
 cd /root
 cat << 'EOF' >| /etc/default/haveged
@@ -25,18 +24,8 @@ cat << 'EOF' >| /etc/default/haveged
 DAEMON_ARGS="-w 2048 -v 1"
 EOF
 #mkdir -p /etc/systemd/system/haveged.service.d
 #cat << 'EOF' >| /etc/systemd/system/haveged.service.d/override.conf
 #[Service]
 #NoNewPrivileges=yes
 #ReadWritePaths=/dev/random /dev/urandom
 #AmbientCapabilities=
 #User=haveged
 #Group=nogroup
 #EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9990_final_purge.chroot
+++ b/config/hooks/live/9990_final_purge.chroot
@@ -13,7 +13,9 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-apt-get update
+export DEBIAN_FRONTEND="noninteractive"
 apt-get update -qq
 apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
@@ -45,7 +47,6 @@ else
 fi
 apt-get update
 apt-get upgrade -y
 rm -f /tmp/deinstall.log
--- a/config/hooks/live/9993_aide.chroot
+++ b/config/hooks/live/9993_aide.chroot
@@ -13,6 +13,7 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 export DEBIAN_FRONTEND="noninteractive"
 apt-get install -y aide > /dev/null 2>&1
 cp -u /etc/aide/aide.conf /root/.ciss/dlb/backup/aide.conf.bak
--- a/config/hooks/live/9996_auditd.chroot
+++ b/config/hooks/live/9996_auditd.chroot
@@ -14,11 +14,20 @@
 set -Ceuo pipefail
 #######################################
 # Simple error terminal logger.
 # Arguments:
 #   None
 #######################################
 log() { printf '[auditd-build] %s\n' "${*}" >&2; }
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 cd /root
-apt-get install auditd -y
+export DEBIAN_FRONTEND="noninteractive"
 apt-get install -y auditd
 cp -u /etc/audit/audit.rules /root/.ciss/dlb/backup/audit.rules.bak
 cp -u /etc/audit/auditd.conf /root/.ciss/dlb/backup/auditd.conf.bak
@@ -329,8 +338,53 @@ cat << EOF >| /etc/audit/rules.d/99-finalize.rules
 -e 2
 EOF
 ### Sanity checks: reject empty or malformed rulesets early.
 if ! augenrules --check >/dev/null 2>&1; then
  log "ERROR: augenrules --check failed. Please fix /etc/audit/rules.d/*.rules"
  exit 1
 fi
 ### This writes '/etc/audit/audit.rules'.
 log "Compiling /etc/audit/audit.rules (no load)"
 augenrules --no-load
 ### Permissions hardening (augenrules typically sets sane perms; enforce anyway).
 ### 0600 is conservative; 0640 root:root is also acceptable.
 if [[ -f /etc/audit/audit.rules ]]; then
  chown root:root /etc/audit/audit.rules
  chmod 0600 /etc/audit/audit.rules
 else
  log "ERROR: Expected /etc/audit/audit.rules was not created"
  exit 2
 fi
 ### Minimal enablement checks for the first boot.
 ### Ensure auditd will try to load rules at boot (systemd unit usually does this).
 ### No-op on systems where auditd is socket-activated or already preset.
 if command -v systemctl >/dev/null 2>&1; then
  ### Do not 'enable' in live images unless desired; we only make sure the unit exists.
  systemctl --no-reload --quiet cat auditd.service >/dev/null || log "WARN: auditd.service not found at build time"
 fi
 ### Quick validation that the merged file is non-trivial.
 if ! grep -Eq '(^-a|^-w|^-e\s+1)' /etc/audit/audit.rules; then
  log "WARN: /etc/audit/audit.rules contains no active rules (-a/-w/-e). Is this intended?"
 fi
 log "Done. /etc/audit/audit.rules is precompiled."
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9997_debsums.chroot
+++ b/config/hooks/live/9997_debsums.chroot
@@ -15,17 +15,22 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 cd /root
-apt-get install --no-install-recommends debsums -y
+export DEBIAN_FRONTEND="noninteractive"
 apt-get install -y --no-install-recommends debsums
 cp -a /etc/default/debsums /root/.ciss/dlb/backup/debsums.bak
 chmod 0644 /root/.ciss/dlb/backup/debsums.bak
 sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums
 if debsums -g > /dev/null 2>&1; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'debsums -g' successful. \e[0m\n"
 else
  # Omit false negative error output to stdout and stderr, as no problematic errors occur on startup.
  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'debsums -g' NOT successful. \e[0m\n"  > /dev/null 2>&1
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
--- a/config/includes.chroot/etc/login.defs
+++ b/config/includes.chroot/etc/login.defs
@@ -204,6 +204,6 @@ USERGROUPS_ENAB yes
 #
 # Added by CISS.debian.live.builder for redundance
-umask 077
+UMASK 077
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/etc/ssh/ssh_known_hosts
+++ b/config/includes.chroot/etc/ssh/ssh_known_hosts
@@ -0,0 +1,17 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Version Master V8.13.096.2025.10.09
 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/etc/ssh/sshd_confid.d/10-sshfp.conf
+++ b/config/includes.chroot/etc/ssh/sshd_confid.d/10-sshfp.conf
@@ -0,0 +1,24 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Version Master V8.13.096.2025.10.09
 Host git.coresecret.dev
    Port                    42842
    VerifyHostKeyDNS        yes
    StrictHostKeyChecking   yes
    GlobalKnownHostsFile    /etc/ssh/ssh_known_hosts
    UserKnownHostsFile      /dev/null
    HostKeyAlgorithms       ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
    CanonicalizeHostname    no
    UpdateHostKeys          no
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.064.2025.10.07
+### Version Master V8.13.096.2025.10.09
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -65,12 +65,12 @@ GatewayPorts                 no
 ### A+ Rating 100/100
 RequiredRSASize              4096
 Ciphers                      aes256-gcm@openssh.com
-KexAlgorithms                sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512,gss-curve25519-sha256-
+KexAlgorithms                mlkem768x25519-sha256,sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512
-HostKeyAlgorithms            sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
+HostKeyAlgorithms            ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
 MACs                         hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
-CASignatureAlgorithms        rsa-sha2-512,rsa-sha2-256,ssh-ed25519,sk-ssh-ed25519@openssh.com
+CASignatureAlgorithms        rsa-sha2-512,rsa-sha2-256,ssh-ed25519
 GSSAPIKexAlgorithms          gss-curve25519-sha256-,gss-group16-sha512-
-HostbasedAcceptedAlgorithms  sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
+HostbasedAcceptedAlgorithms  ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
 PubkeyAcceptedAlgorithms     sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
 ### Change to yes to enable challenge-response passwords (beware issues with some PAM modules and threads)
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.13.064.2025.10.07
+### Version Master V8.13.096.2025.10.09
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V8.13.064.2025.10.07"
+declare -gr VERSION="Master V8.13.096.2025.10.09"
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.064.2025.10.07 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.096.2025.10.09 at: 10:18:37.9542
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.064.2025.10.07<br>
+**Build**: V8.13.096.2025.10.09<br>
 # 2. DNSSEC Status
--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.064.2025.10.07<br>
+**Build**: V8.13.096.2025.10.09<br>
 # 2. Haveged Audit on Netcup RS 2000 G11
--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.064.2025.10.07<br>
+**Build**: V8.13.096.2025.10.09<br>
 # 2. Lynis Audit:
--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.064.2025.10.07<br>
+**Build**: V8.13.096.2025.10.09<br>
 # 2. SSH Audit by ssh-audit.com
--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.064.2025.10.07<br>
+**Build**: V8.13.096.2025.10.09<br>
 # 2. TLS Audit:
 ````text
--- a/docs/BOOTPARAMS.md
+++ b/docs/BOOTPARAMS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.064.2025.10.07<br>
+**Build**: V8.13.096.2025.10.09<br>
 # 2. Hardened Kernel Boot Parameters
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -8,10 +8,22 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.064.2025.10.07<br>
+**Build**: V8.13.096.2025.10.09<br>
 # 2. Changelog
 ## V8.13.096.2025.10.09
 * **Added**: [0010_install_apparmor.chroot](../config/hooks/live/0010_install_apparmor.chroot)
 * **Added**: [10-sshfp.conf](../config/includes.chroot/etc/ssh/sshd_confid.d/10-sshfp.conf)
 * **Added**: [ssh_known_hosts](../config/includes.chroot/etc/ssh/ssh_known_hosts)
 * **Updated**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot)
 * **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot)
 * **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot)
 * **Updated**: [login.defs](../config/includes.chroot/etc/login.defs)
 * **Updated**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config)
 * **Updated**: [lib_cdi.sh](../lib/lib_cdi.sh)
 * **Updated**: [lib_lb_config_write_trixie.sh](../lib/lib_lb_config_write_trixie.sh)
 ## V8.13.064.2025.10.07
 * **Added**: An internal Gitea Action Runner switch for the CISS and PHYS central configuration source of truth.
 * **Added**: Verbose status information screen on successful completion.
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.064.2025.10.07<br>
+**Build**: V8.13.096.2025.10.09<br>
 # 2. Centurion Net - Developer Branch Overview
--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.064.2025.10.07<br>
+**Build**: V8.13.096.2025.10.09<br>
 # 2. Coding Style
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.064.2025.10.07<br>
+**Build**: V8.13.096.2025.10.09<br>
 # 2. Contributing / participating
--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.064.2025.10.07<br>
+**Build**: V8.13.096.2025.10.09<br>
 # 2. Credits
--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.064.2025.10.07<br>
+**Build**: V8.13.096.2025.10.09<br>
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,12 +8,12 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.064.2025.10.07<br>
+**Build**: V8.13.096.2025.10.09<br>
 # 2.1. Usage
 ````text
 CISS.debian.live.builder
-Master V8.13.064.2025.10.07
+Master V8.13.096.2025.10.09
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 (c) Marc S. Weidner, 2018 - 2025
@@ -136,7 +136,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
 # 2.2. Contact
 ````text
 CISS.debian.live.builder
-Master V8.13.064.2025.10.07
+Master V8.13.096.2025.10.09
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 (c) Marc S. Weidner, 2018 - 2025
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.064.2025.10.07<br>
+**Build**: V8.13.096.2025.10.09<br>
 # 2. Resources
--- a/lib/lib_cdi.sh
+++ b/lib/lib_cdi.sh
@@ -44,7 +44,7 @@ cdi() {
    tmp_entry="$(mktemp)"
    cat << EOF >| "${tmp_entry}"
 menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i {
-        linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums live-config.components splash nopersistence toram ramdisk-size=1024M swap=true noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Etc/UTC audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path}
+        linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums components splash nopersistence toram ramdisk-size=1024M swap=true noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Etc/UTC apparmor=1 security=apparmor audit_backlog_limit=8192 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path}
        initrd /live/initrd.img-${VAR_KERNEL}
 }
 EOF
--- a/lib/lib_lb_config_write_trixie.sh
+++ b/lib/lib_lb_config_write_trixie.sh
@@ -40,8 +40,8 @@ lb_config_write_trixie() {
    --backports true \
    --binary-filesystem fat32 \
    --binary-image iso-hybrid \
-    --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
+    --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=8192 audit=1 debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
-    --bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
+    --bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums apparmor=1 security=apparmor audit_backlog_limit=8192 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
    --bootloaders grub-efi \
    --cache true \
    --checksums sha512 sha256 md5 \
--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -35,13 +35,13 @@ usage() {
  # shellcheck disable=SC2155
  declare var_header=$(center "CLB(1)                        CISS.debian.live.builder                        CLB(1)" "${var_cols}")
  # shellcheck disable=SC2155
-  declare var_footer=$(center "V8.13.064.2025.10.07                        2025-10-07                        CLB(1)" "${var_cols}")
+  declare var_footer=$(center "V8.13.096.2025.10.09                        2025-10-07                        CLB(1)" "${var_cols}")
  {
    echo -e "\e[1;97m${var_header}\e[0m"
    echo
    echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V8.13.064.2025.10.07\e[0m"
+    echo -e "\e[92mMaster V8.13.096.2025.10.09\e[0m"
    echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
    echo
    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
--- a/scripts/9999-cdi-starter
+++ b/scripts/9999-cdi-starter
@@ -45,7 +45,7 @@ main() {
  # shellcheck disable=SC2312
  exec > >(tee -a "${log}") 2>&1
-  printf "CISS.debian.installer Master V8.13.064.2025.10.07 is up! \n" >| /root/.ciss/cdi/log/auto_start_begin_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+  printf "CISS.debian.installer Master V8.13.096.2025.10.09 is up! \n" >| /root/.ciss/cdi/log/auto_start_begin_"$(date +"%Y-%m-%d_%H-%M-%S")".log
  net_wait
@@ -66,7 +66,7 @@ main() {
 #  --reionice-priority 1 0 \
 #  --renice-priority "-19"
-  printf "CISS.debian.installer Master V8.13.064.2025.10.07 successfully executed! \n" >| /root/.ciss/cdi/log/auto_start_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+  printf "CISS.debian.installer Master V8.13.096.2025.10.09 successfully executed! \n" >| /root/.ciss/cdi/log/auto_start_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
  exit 0
 }
--- a/var/early.var.sh
+++ b/var/early.var.sh
@@ -14,7 +14,7 @@
 # shellcheck disable=SC2155
 declare -grx VAR_CONTACT="security@coresecret.eu"
-declare -grx VAR_VERSION="Master V8.13.064.2025.10.07"
+declare -grx VAR_VERSION="Master V8.13.096.2025.10.09"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
 declare -gx  VAR_EARLY_DEBUG="false"
 declare -gx  VAR_HANDLER_AUTOBUILD="false"