From e3dc26858d382dc50c9da114280d7ef6273707bc7f373561ecfee380de56f9eb Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner" <msw@coresecret.dev>
Date: Mon, 10 Nov 2025 18:59:00 +0100
Subject: [PATCH] V8.13.404.2025.11.10

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
---
 ciss_live_builder.sh                          |   2 +-
 config/hooks/live/0050_activate_root.chroot   |   2 -
 config/hooks/live/0800_lynis_setup.chroot     | 440 ++++++++++++++++++
 .../live/9940_hardening_memory.dump.chroot    |  69 ++-
 .../live/9992_password_expiration.chroot      |  83 ++++
 config/hooks/live/9999_zzzz.chroot            |   3 +-
 config/includes.chroot/etc/login.defs         |   3 +-
 docs/CHANGELOG.md                             |   3 +
 lib/lib_arg_parser.sh                         |   2 +-
 lib/lib_cdi.sh                                |   2 +
 lib/lib_clean_up.sh                           |  11 +-
 11 files changed, 596 insertions(+), 24 deletions(-)

diff --git a/ciss_live_builder.sh b/ciss_live_builder.sh
index ca8b367..10a8492 100644
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -21,7 +21,7 @@
 # or Cygwin on Windows systems.
 
 ### CATCH ARGUMENTS AND DECLARE BASIC VARIABLES.
-# shellcheck disable=SC2155
+# shellcheck disable=SC2155,SC2249
 declare -agx  ARY_PARAM_ARRAY=("$@")                                     # Arguments passed to script as an array.
 declare -girx VAR_START_TIME="${SECONDS}"                                # Start time of script execution.
 declare -grx  VAR_PARAM_COUNT="$#"                                       # Arguments passed to script.
diff --git a/config/hooks/live/0050_activate_root.chroot b/config/hooks/live/0050_activate_root.chroot
index e8feef7..a5d9eee 100644
--- a/config/hooks/live/0050_activate_root.chroot
+++ b/config/hooks/live/0050_activate_root.chroot
@@ -37,8 +37,6 @@ sed -i "s|^root:[^:]*:\(.*\)|root:${safe_hashed_pwd}:\1|" /etc/shadow
 sed -i "s|^user:[^:]*:\(.*\)|user:${safe_hashed_pwd}:\1|" /etc/shadow
 unset hashed_pwd safe_hashed_pwd
 
-cat /etc/shadow
-
 if shred -fzu -n 5 /root/.pwd; then
 
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: shred -fzu -n 5 >> done. \e[0m\n"
diff --git a/config/hooks/live/0800_lynis_setup.chroot b/config/hooks/live/0800_lynis_setup.chroot
index f4501d6..f27119b 100644
--- a/config/hooks/live/0800_lynis_setup.chroot
+++ b/config/hooks/live/0800_lynis_setup.chroot
@@ -22,6 +22,446 @@ apt-get update -qq
 apt-get install -y lynis
 lynis show version
 
+cat << EOF_LYNIS >| /etc/lynis/default.prf
+#################################################################################
+#
+#
+# Lynis - Default scan profile
+#
+#
+#################################################################################
+#
+#
+# This profile provides Lynis with most of its initial values to perform a
+# system audit.
+#
+#
+# WARNINGS
+# ----------
+#
+# Do NOT make changes to this file. Instead, copy only your changes into
+# the file custom.prf and put it in the same directory as default.prf
+#
+# To discover where your profiles are located: lynis show profiles
+#
+#
+# Lynis performs a strict check on profiles to avoid the inclusion of
+# possibly harmful injections. See include/profiles for details.
+#
+#
+#################################################################################
+#
+# All empty lines or with the # prefix will be skipped
+#
+#################################################################################
+
+# Use colored output
+colors=yes
+
+# Compressed uploads (set to zero when errors with uploading occur)
+compressed-uploads=yes
+
+# Amount of connections in WAIT state before reporting it as a suggestion
+#connections-max-wait-state=5000
+
+# Debug mode (for debugging purposes, extra data logged to screen)
+#debug=yes
+
+# Show non-zero exit code when warnings are found
+error-on-warnings=no
+
+# Use Lynis in your own language (by default auto-detected)
+language=
+
+# Log tests from another guest operating system (default: yes)
+#log-tests-incorrect-os=yes
+
+# Define if available NTP daemon is configured as a server or client on the network
+# values: server or client (default: client)
+#ntpd-role=client
+
+# Defines the role of the system (personal, workstation or server)
+machine-role=server
+
+# Ignore some stratum 16 hosts (for example when running as time source itself)
+#ntp-ignore-stratum-16-peer=127.0.0.1
+
+# Profile name, will be used as title/description
+profile-name=Default Audit Template
+
+# Number of seconds to pause between every test (0 is no pause)
+pause-between-tests=0
+
+# Quick mode (do not wait for keypresses)
+quick=yes
+
+# Refresh software repositories to help detecting vulnerable packages
+refresh-repositories=yes
+
+# Show solution for findings
+show-report-solution=yes
+
+# Show inline tips about the tool
+show-tool-tips=yes
+
+# Skip plugins
+skip-plugins=no
+
+# Skip a test (one per line)
+#skip-test=SSH-7408
+skip-test=KRNL-5788
+skip-test=KRNL-5830
+skip-test=AUTH-9229
+
+# Skip a particular option within a test (when applicable)
+#skip-test=SSH-7408:loglevel
+#skip-test=SSH-7408:permitrootlogin
+
+# Skip Lynis upgrade availability test (default: no)
+#skip-upgrade-test=yes
+
+# Locations where to search for SSL certificates (separate paths with a colon)
+ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/refind.d/keys:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www
+ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive:
+ssl-certificate-include-packages=no
+
+# Scan type - how deep the audit should be (light, normal or full)
+test-scan-mode=full
+
+# Verbose output
+verbose=no
+
+
+#################################################################################
+#
+# Plugins
+# ---------------
+# Define which plugins are enabled
+#
+# Notes:
+# - Nothing happens if plugin isn't available
+# - There is no order in execution of plugins
+# - See documentation about how to use plugins and phases
+# - Some are for Lynis Enterprise users only
+#
+#################################################################################
+
+# Lynis plugins to enable
+plugin=authentication
+plugin=compliance
+plugin=configuration
+plugin=control-panels
+plugin=crypto
+plugin=dns
+plugin=docker
+plugin=file-integrity
+plugin=file-systems
+plugin=firewalls
+plugin=forensics
+plugin=hardware
+plugin=intrusion-detection
+plugin=intrusion-prevention
+plugin=kernel
+plugin=malware
+plugin=memory
+plugin=nginx
+plugin=pam
+plugin=processes
+plugin=security-modules
+plugin=software
+plugin=system-integrity
+plugin=systemd
+plugin=users
+plugin=krb5
+
+# Disable a particular plugin (will overrule an enabled plugin)
+#disable-plugin=authentication
+
+#################################################################################
+#
+# Kernel options
+# ---------------
+# config-data=, followed by:
+#
+# - Type                     = Set to 'sysctl'
+# - Setting                  = value of sysctl key (e.g. kernel.sysrq)
+# - Expected value           = Preferred value for key (e.g. 0)
+# - Hardening Points         = Number of hardening points (typically 1 point per key) (1)
+# - Description              = Textual description about the sysctl key(Disable magic SysRQ)
+# - Related file or command  = For example, sysctl -a to retrieve more details
+# - Solution field           = Specifies more details or where to find them (url:URL, text:TEXT, or -)
+#
+#################################################################################
+
+# Config
+# - Type (sysctl)
+# - Setting (kernel.sysrq)
+# - Expected value (0)
+# - Hardening Points (1)
+# - Description (Disable magic SysRQ)
+# - Related file or command (sysctl -a)
+# - Solution field (url:URL, text:TEXT, or -)
+
+# Processes
+config-data=sysctl;security.bsd.see_other_gids;0;1;Groups only see their own processes;sysctl -a;-;category:security;
+config-data=sysctl;security.bsd.see_other_uids;0;1;Users only see their own processes;sysctl -a;-;category:security;
+config-data=sysctl;security.bsd.stack_guard_page;1;1;Enable stack smashing protection (SSP)/ProPolice to defend against possible buffer overflows;-;category:security;
+config-data=sysctl;security.bsd.unprivileged_proc_debug;0;1;Unprivileged processes can not use process debugging;sysctl -a;-;category:security;
+config-data=sysctl;security.bsd.unprivileged_read_msgbuf;0;1;Unprivileged processes can not read the kernel message buffer;sysctl -a;-;category:security;
+
+# Kernel
+config-data=sysctl;fs.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
+config-data=sysctl;fs.protected_fifos;2;1;Restrict FIFO special device creation behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
+config-data=sysctl;fs.protected_hardlinks;1;1;Restrict hardlink creation behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
+config-data=sysctl;fs.protected_regular;2;1;Restrict regular files creation behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
+config-data=sysctl;fs.protected_symlinks;1;1;Restrict symlink following behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
+#config-data=sysctl;kern.randompid=2345;Randomize PID numbers with a specific modulus;sysctl -a;-;category:security;
+config-data=sysctl;kern.sugid_coredump;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.core_setuid_ok;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.core_uses_pid;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.ctrl-alt-del;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.dmesg_restrict;1;1;Restrict use of dmesg;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.exec-shield-randomize;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.exec-shield;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.kptr_restrict;2;1;Restrict access to kernel symbols;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.maps_protect;1;1;Restrict access to /proc/[pid]/maps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.modules_disabled;1;1;Restrict module loading once this sysctl value is loaded;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.perf_event_paranoid;2|3|4;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.randomize_va_space;2;1;Randomize of memory address locations (ASLR);sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.sysrq;0;1;Disable magic SysRQ;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.unprivileged_bpf_disabled;1;1;Restrict BPF for unprivileged users;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.use-nx;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.yama.ptrace_scope;1|2|3;1;Disable process tracing for everyone;-;category:security;
+
+# Network
+config-data=sysctl;net.core.bpf_jit_harden;2;1;Hardened BPF JIT compilation;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;net.inet.ip.linklocal.in.allowbadttl;0;
+config-data=sysctl;net.inet.tcp.always_keepalive;0;1;Disable TCP keep alive detection for dead peers as the keepalive can be spoofed;-;category:security;
+#config-data=sysctl;net.inet.tcp.fast_finwait2_recycle;1;1;Recycle FIN/WAIT states more quickly (DoS mitigation step, with risk of false RST);-;category:security;
+config-data=sysctl;net.inet.tcp.nolocaltimewait;1;1;Remove the TIME_WAIT state for loopback interface;-;category:security;
+config-data=sysctl;net.inet.tcp.path_mtu_discovery;0;1;Disable MTU discovery as many hosts drop the ICMP type 3 packets;-;category:security;
+config-data=sysctl;net.inet.icmp.bmcastecho;0;1;Ignore ICMP packets directed to broadcast address;-;category:security;
+config-data=sysctl;net.inet.tcp.icmp_may_rst;0;1;ICMP may not send RST to avoid spoofed ICMP/UDP floods;-;category:security;
+config-data=sysctl;net.inet.icmp.drop_redirect;1;1;Do not allow redirected ICMP packets;-;category:security;
+config-data=sysctl;net.inet.icmp.rediraccept;0;1;Disable incoming ICMP redirect routing redirects;-;category:security;
+config-data=sysctl;net.inet.icmp.timestamp;0;1;Disable timestamps;-;category:security;
+config-data=sysctl;net.inet.ip.accept_sourceroute;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.inet.ip.check_interface;1;1;Verify that a packet arrived on the right interface;-;category:security;
+config-data=sysctl;net.inet.ip.forwarding;0;1;Do not allow forwarding of traffic;-;category:security;
+config-data=sysctl;net.inet.ip.process_options;0;1;Ignore any IP options in the incoming packets;-;category:security;
+config-data=sysctl;net.inet.ip.random_id;1;1;Use a random IP id to each packet leaving the system;-;category:security;
+config-data=sysctl;net.inet.ip.redirect;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.inet.ip.sourceroute;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.inet.ip6.redirect;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.inet.tcp.blackhole;2;1;Do not sent RST but drop traffic when delivered to closed TCP port;-;category:security;
+config-data=sysctl;net.inet.tcp.drop_synfin;1;1;SYN/FIN packets will be dropped on initial connection;-;category:security;
+config-data=sysctl;net.inet.udp.blackhole;1;1;Do not sent RST but drop traffic when delivered to closed UDP port;-;category:security;
+config-data=sysctl;net.inet6.icmp6.rediraccept;0;1;Disable incoming ICMP redirect routing redirects;-;category:security;
+config-data=sysctl;net.inet6.ip6.forwarding;0;1;Do not allow forwarding of traffic;-;category:security;
+config-data=sysctl;net.inet6.ip6.fw.enable;1;1;Enable filtering;-;category:security;
+config-data=sysctl;net.inet6.ip6.redirect;0;1;Disable sending ICMP redirect routing redirects;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.bootp_relay;0;1;Do not relay BOOTP packets;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.forwarding;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.log_martians;1;1;Log all packages for which the host does not have a path back to the source;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.mc_forwarding;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.proxy_arp;0;1;Do not relay ARP packets;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.rp_filter;1;1;Enforce ingress/egress filtering for packets;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.send_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv4.conf.default.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv4.conf.default.accept_source_route;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv4.conf.default.log_martians;1;1;Log all packages for which the host does not have a path back to the source;-;category:security;
+config-data=sysctl;net.ipv4.icmp_echo_ignore_broadcasts;1;1;Ignore ICMP packets directed to broadcast address;-;category:security;
+config-data=sysctl;net.ipv4.icmp_ignore_bogus_error_responses;1;1;Ignore-;category:security;
+#config-data=sysctl;net.ipv4.ip_forward;0;1;Do not forward traffic;-;category:security;
+config-data=sysctl;net.ipv4.tcp_syncookies;1;1;Use SYN cookies to prevent SYN attack;-;category:security;
+config-data=sysctl;net.ipv4.tcp_timestamps;0|1;1;Disable TCP time stamps or enable them with different offsets;-;category:security;
+config-data=sysctl;net.ipv6.conf.all.send_redirects;0;1;Disable/ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv6.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv6.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv6.conf.default.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv6.conf.default.accept_source_route;0;1;Disable IP source routing;-;category:security;
+
+# Other
+config-data=sysctl;dev.tty.ldisc_autoload;0;1;Disable loading of TTY line disciplines;-;category:security;
+config-data=sysctl;hw.kbd.keymap_restrict_change;4;1;Disable changing the keymap by non-privileged users;-;category:security;
+#sysctl;kern.securelevel;1^2^3;1;FreeBSD security level;
+#security.jail.jailed; 0
+#security.jail.jail_max_af_ips; 255
+#security.jail.mount_allowed; 0
+#security.jail.chflags_allowed; 0
+#security.jail.allow_raw_sockets; 0
+#security.jail.enforce_statfs; 2
+#security.jail.sysvipc_allowed; 0
+#security.jail.socket_unixiproute_only; 1
+#security.jail.set_hostname_allowed; 1
+#security.bsd.suser_enabled; 1
+#security.bsd.unprivileged_proc_debug; 1
+#security.bsd.conservative_signals; 1
+#security.bsd.unprivileged_read_msgbuf; 1
+#security.bsd.unprivileged_get_quota; 0
+config-data=sysctl;security.bsd.hardlink_check_gid;1;1;Unprivileged processes are not allowed to create hard links to files which are owned by other groups;-;category:security;
+config-data=sysctl;security.bsd.hardlink_check_uid;1;1;Unprivileged processes are not allowed to create hard links to files which are owned by other users;-;category:security;
+
+
+#################################################################################
+#
+# permfile
+# ---------------
+# permfile=file name:file permissions:owner:group:action:
+# Action = NOTICE or WARN
+# Examples:
+# permfile=/etc/test1.dat:600:root:wheel:NOTICE:
+# permfile=/etc/test1.dat:640:root:-:WARN:
+#
+#################################################################################
+
+#permfile=/etc/inetd.conf:rw-------:root:-:WARN:
+#permfile=/etc/fstab:rw-r--r--:root:-:WARN:
+permfile=/boot/grub/grub.cfg:rw-------:root:root:WARN:
+permfile=/boot/grub2/grub.cfg:rw-------:root:root:WARN:
+permfile=/boot/grub2/user.cfg:rw-------:root:root:WARN:
+permfile=/etc/at.allow:rw-------:root:-:WARN:
+permfile=/etc/at.deny:rw-------:root:-:WARN:
+permfile=/etc/cron.allow:rw-------:root:-:WARN:
+permfile=/etc/cron.deny:rw-------:root:-:WARN:
+permfile=/etc/crontab:rw-------:root:-:WARN:
+permfile=/etc/group:rw-r--r--:root:-:WARN:
+permfile=/etc/group-:rw-r--r--:root:-:WARN:
+permfile=/etc/hosts.allow:rw-r--r--:root:root:WARN:
+permfile=/etc/hosts.deny:rw-r--r--:root:root:WARN:
+permfile=/etc/issue:rw-r--r--:root:root:WARN:
+permfile=/etc/issue.net:rw-r--r--:root:root:WARN:
+permfile=/etc/lilo.conf:rw-------:root:-:WARN:
+permfile=/etc/motd:rw-r--r--:root:root:WARN:
+permfile=/etc/passwd:rw-r--r--:root:-:WARN:
+permfile=/etc/passwd-:rw-r--r--:root:-:WARN:
+permfile=/etc/ssh/sshd_config:rw-------:root:-:WARN:
+permfile=/etc/hosts.equiv:rw-r--r--:root:root:WARN:
+permfile=/etc/shosts.equiv:rw-r--r--:root:root:WARN:
+permfile=/root/.rhosts:rw-------:root:root:WARN:
+permfile=/root/.rlogin:rw-------:root:root:WARN:
+permfile=/root/.shosts:rw-------:root:root:WARN:
+
+# These permissions differ by OS
+#permfile=/etc/gshadow:---------:root:-:WARN:
+#permfile=/etc/gshadow-:---------:root:-:WARN:
+#permfile=/etc/shadow:---------:root:-:WARN:
+#permfile=/etc/shadow-:---------:root:-:WARN:
+
+
+#################################################################################
+#
+# permdir
+# ---------------
+# permdir=directory name:file permissions:owner:group:action when permissions are different:
+#
+#################################################################################
+
+permdir=/root/.ssh:rwx------:root:-:WARN:
+permdir=/etc/cron.d:rwx------:root:root:WARN:
+permdir=/etc/cron.daily:rwx------:root:root:WARN:
+permdir=/etc/cron.hourly:rwx------:root:root:WARN:
+permdir=/etc/cron.weekly:rwx------:root:root:WARN:
+permdir=/etc/cron.monthly:rwx------:root:root:WARN:
+
+
+# Ignore some specific home directories
+# One directory per line; directories will be skipped for home directory specific
+# checks, like file permissions, SSH and other configuration files
+#ignore-home-dir=/home/user
+
+
+# Allow promiscuous interfaces
+#   <option>:<promiscuous interface name>:<description>:
+#if_promisc:pflog0:pf log daemon interface:
+
+
+# The URL prefix and append to the URL for controls or your custom tests
+# Link will be formed as {control-url-protocol}://{control-url-prepend}CONTROL-ID{control-url-append}
+#control-url-protocol=https
+#control-url-prepend=cisofy.com/control/
+#control-url-append=/
+
+# The URL prefix and append to URL's for your custom tests
+#custom-url-protocol=https
+#custom-url-prepend=your-domain.example.org/control-info/
+#custom-url-append=/
+
+
+#################################################################################
+#
+# Operating system specific
+# -------------------------
+#
+#################################################################################
+
+# Skip the FreeBSD portaudit test
+#freebsd-skip-portaudit=yes
+
+# Skip security repository check for Debian based systems
+#debian-skip-security-repository=yes
+
+
+
+#################################################################################
+#
+# Lynis Enterprise options
+# ------------------------
+#
+#################################################################################
+
+# Allow this system to be purged when it is outdated (default: not defined).
+# This is useful for ephemeral systems which are short-lived.
+#allow-auto-purge=yes
+
+# Sometimes it might be useful to override the host identifiers.
+# Use only hexadecimal values (0-9, a-f), with 40 and 64 characters in length.
+#
+#hostid=40-char-hash
+#hostid2=64-char-hash
+
+# Lynis Enterprise license key
+license-key=
+
+# Proxy settings
+# Protocol (http, https, socks5)
+#proxy-protocol=https
+
+# Proxy server
+#proxy-server=10.0.1.250
+
+# Define proxy port to use
+#proxy-port=3128
+
+# Define the group names to link to this system (preferably single words). Default setting: append
+# To clear groups before assignment, add 'action:clear' as last groupname
+#system-groups=groupname1,groupname2,groupname3
+
+# Define which compliance standards are audited and reported on. Disable this if not required.
+compliance-standards=cis,hipaa,iso27001,pci-dss
+
+# Provide the name of the customer/client
+#system-customer-name=mycustomer
+
+# Upload data to central server
+upload=no
+
+# The hostname/IP address to receive the data
+upload-server=
+
+# Provide options to cURL (or other upload tool) when uploading data.
+# upload-options=--insecure (use HTTPS, but skip certificate check for self-signed certificates)
+upload-options=
+
+# Link one or more tags to a system
+#tags=db,production,ssn-1304
+
+#EOF
+EOF_LYNIS
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
diff --git a/config/hooks/live/9940_hardening_memory.dump.chroot b/config/hooks/live/9940_hardening_memory.dump.chroot
index 81c9dc5..75796da 100644
--- a/config/hooks/live/9940_hardening_memory.dump.chroot
+++ b/config/hooks/live/9940_hardening_memory.dump.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -16,24 +16,71 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 cp -u /etc/security/limits.conf /root/.ciss/cdlb/backup/limits.conf.bak
 chmod 0644 /root/.ciss/cdlb/backup/limits.conf.bak
 
-grep -Eq '^[[:space:]]*\*[[:space:]]+soft[[:space:]]+core[[:space:]]+0[[:space:]]*$' /etc/security/limits.conf \
-  || sed -i -E '/^[[:space:]]*#?[[:space:]]*soft[[:space:]]+core[[:space:]]+0[[:space:]]*$/ i\*               soft    core            0' /etc/security/limits.conf
+### Comment any existing active core settings to avoid conflicts, both soft/hard, any domain including "*".
+sed -i -E '
+/^[[:space:]]*\*[[:space:]]+soft[[:space:]]+core[[:space:]]+0[[:space:]]*$/d
+/^[[:space:]]*\*[[:space:]]+hard[[:space:]]+core[[:space:]]+0[[:space:]]*$/d
+/^[[:space:]]*#\*               soft    core            0$/d
+/^[[:space:]]*#root            hard    core            100000$/d
+/^[[:space:]]*#\*               hard    rss             10000$/d
+/^[[:space:]]*#@student        hard    nproc           20$/d
+/^[[:space:]]*#@faculty        soft    nproc           20$/d
+/^[[:space:]]*#@faculty        hard    nproc           50$/d
+/^[[:space:]]*#ftp             hard    nproc           0$/d
+/^[[:space:]]*#ftp             -       chroot          \/ftp$/d
+/^[[:space:]]*#@student        -       maxlogins       4$/d
+/^[[:space:]]*# End of file/i\
+*               soft    core            0\
+*               hard    core            0
+' /etc/security/limits.conf
 
-grep -Eq '^[[:space:]]*\*[[:space:]]+hard[[:space:]]+core[[:space:]]+0[[:space:]]*$' /etc/security/limits.conf \
-  || sed -i -E '/^[[:space:]]*#?[[:space:]]*root[[:space:]]+hard[[:space:]]+core[[:space:]]+100000[[:space:]]*$/ i\*               hard    core            0' /etc/security/limits.conf
+mkdir -p /etc/systemd/coredump.conf.d
+mkdir -p /etc/security/limits.d
 
-if [[ ! -d /etc/systemd/coredump.conf.d ]]; then
+cat << EOF >| /etc/security/limits.d/9999-ciss-coredump-disable.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
 
-  mkdir -p /etc/systemd/coredump.conf.d
+*               soft    core            0
+*               hard    core            0
+root            soft    core            0
+root            hard    core            0
 
-fi
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+chmod 0644 /etc/security/limits.d/9999-ciss-coredump-disable.conf
+
+cat << EOF >| /etc/systemd/coredump.conf.d/9999-ciss-coredump-disable.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
 
-touch /etc/systemd/coredump.conf.d/disable.conf
-chmod 0644 /etc/systemd/coredump.conf.d/disable.conf
-cat << EOF >| /etc/systemd/coredump.conf.d/disable.conf
 [Coredump]
 Storage=none
+ProcessSizeMax=0
+ExternalSizeMax=0
+JournalSizeMax=0
+MaxUse=0
+KeepFree=0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
+chmod 0644 /etc/systemd/coredump.conf.d/9999-ciss-coredump-disable.conf
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 
diff --git a/config/hooks/live/9992_password_expiration.chroot b/config/hooks/live/9992_password_expiration.chroot
index 4596209..db2b272 100644
--- a/config/hooks/live/9992_password_expiration.chroot
+++ b/config/hooks/live/9992_password_expiration.chroot
@@ -10,6 +10,87 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
+#######################################
+# Iterates all '/etc/shadow' entries and sets:
+#   4=min age=0, 5=max age=16384, 6=warn=128, 7=inactive=42, 8=expire=17.09.2102
+#   Safe: creates a timestamped backup and (if available) locks '/etc/.pwd.lock'.
+# Globals:
+#   RECOVERY
+#   TARGET
+#   VAR_RUN_RECOVERY
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+update_shadow() {
+  ### Declare Arrays, HashMaps, and Variables.
+
+  declare -r  var_shadow="/etc/shadow"
+  declare -r  var_backup="/root/.ciss/cdlb/backup/etc/shadow.$(date +%s).bak"
+  declare -r  var_temp="${var_shadow}.new.$$"
+  declare -r  var_exp_dt="17.09.2102"
+  declare     var_exp_ds=""
+
+  mkdir -p "/root/.ciss/cdlb/backup/etc"
+
+  var_exp_ds="$(
+    awk -v d="${var_exp_dt}" 'BEGIN{
+      # Force UTC to avoid DST/timezone off-by-one errors
+      ENVIRON["TZ"]="UTC";
+      if (match(d, /^([0-9]{2})\.([0-9]{2})\.([0-9]{4})$/, a)) {
+        dd=a[1]+0; mm=a[2]+0; yyyy=a[3]+0;
+        sec = mktime(sprintf("%04d %02d %02d 00 00 00 0", yyyy, mm, dd));
+        if (sec < 0) { print "ERR"; exit 1 }
+        print int(sec/86400);
+        exit 0
+      } else { print "ERR"; exit 1 }
+    }'
+  )" || return 42
+
+  # shellcheck disable=SC2249
+  case "${var_exp_ds}" in
+
+    ''|*ERR*)
+      return 127
+      ;;
+
+  esac
+
+  umask 0077
+  cp --preserve=mode,ownership "${var_shadow}" "${var_backup}"
+
+  ### Rewrite fields 4..8 for every line
+  ### Preserve fields 1..3 and 9, keep password hashes untouched.
+  ### Pad to 9 fields if shorter; keep empty lines intact (rare but safe).
+  awk -v FS=":" -v OFS=":" -v v_exp="${var_exp_ds}" '
+    NF==0 { print; next }                      # preserve blank lines verbatim
+    {
+      # pad missing trailing fields to 9
+      for (i=NF+1; i<=9; i++) $i="";
+      $4=0; $5=16384; $6=128; $7=42; $8=v_exp; # set required fields
+      print
+    }
+  ' "${var_backup}" >| "${var_temp}"
+
+  ### Defensive: ensure non-empty output.
+  if [[ ! -s "${var_temp}" ]]; then
+    rm -f "${var_temp}"
+    return 42
+  fi
+
+  ### Preserve owner/mode (fallback to 0640 root:shadow if reference fails).
+  chown --reference="${var_shadow}" "${var_temp}" 2>/dev/null || chown root:shadow "${var_temp}" 2>/dev/null || true
+  chmod --reference="${var_shadow}" "${var_temp}" 2>/dev/null || chmod 0640 "${var_temp}" 2>/dev/null || true
+
+  ### Atomic replace.
+  mv -f "${var_temp}" "${var_shadow}"
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f update_shadow
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
@@ -49,6 +130,8 @@ awk -F: '$2 !~ /^\$[0-9]/ && length($2)==13 { print $1,$2 }' /etc/shadow
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ All applicable accounts have been updated. \e[0m\n"
 
+update_shadow
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
diff --git a/config/hooks/live/9999_zzzz.chroot b/config/hooks/live/9999_zzzz.chroot
index eb446b4..6cc8ca4 100644
--- a/config/hooks/live/9999_zzzz.chroot
+++ b/config/hooks/live/9999_zzzz.chroot
@@ -16,7 +16,8 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 declare var_dm="" var_unit_dir="" var_link="/etc/systemd/system/default.target"
 
 ### Remove CDLB artifacts ------------------------------------------------------------------------------------------------------
-rm -f /root/ciss_xdg_tmp.sh
+rm -f  /root/ciss_xdg_tmp.sh
+rm -fr /root/build
 
 ### Securing '/etc/ciss/keys' --------------------------------------------------------------------------------------------------
 find /etc/ciss/keys -type f -exec chmod 0444 {} +
diff --git a/config/includes.chroot/etc/login.defs b/config/includes.chroot/etc/login.defs
index b284e9b..a3b9366 100644
--- a/config/includes.chroot/etc/login.defs
+++ b/config/includes.chroot/etc/login.defs
@@ -93,7 +93,6 @@ TTYPERM		0600
 #
 ERASECHAR	0177
 KILLCHAR	025
-UMASK 077
 
 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
 # home directories.
@@ -205,7 +204,7 @@ USERGROUPS_ENAB yes
 
 #
 # Added by CISS.debian.live.builder for redundancy
-UMASK 027
+UMASK 077
 SHA_CRYPT_MIN_ROUNDS 8388608
 SHA_CRYPT_MAX_ROUNDS 8388608
 
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index e7ecd2f..66178d7 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -31,6 +31,9 @@ include_toc: true
 * **Bugfixes**: [0030-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-verify-checksums)
 * **Changed**: [localoptions.h](../upgrades/dropbear/localoptions.h)
 * **Changed**: [.shellcheckrc](../.shellcheckrc)
+* **Changed**: [9940_hardening_memory.dump.chroot](../config/hooks/live/9940_hardening_memory.dump.chroot) + added: 9999-ciss-coredump-disable.conf
+* **Changed**: [9992_password_expiration.chroot](../config/hooks/live/9992_password_expiration.chroot) + added: ``update_shadow()``
+* **Changed**: [lib_clean_up.sh](../lib/lib_clean_up.sh) + added: Securely shred all regular files below ./includes.chroot, then remove empty dirs.
 
 ## V8.13.400.2025.11.08
 * **Bugfixes**: [0030-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-verify-checksums) - GPG key handling
diff --git a/lib/lib_arg_parser.sh b/lib/lib_arg_parser.sh
index bb6fcd4..4345111 100644
--- a/lib/lib_arg_parser.sh
+++ b/lib/lib_arg_parser.sh
@@ -354,7 +354,7 @@ arg_parser() {
           declare perms
           perms=$(stat -c '%a' "${pw_file}")
           if [[ "${perms}" -ne 400 ]]; then
-            chmod 400 "${pw_file}" || {
+            chmod 0400 "${pw_file}" || {
               if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
               printf "\e[91m❌ Error: --root-password-file failed to set permissions 0400 on '%s'.\e[0m\n" "${pw_file}" >&2
               # shellcheck disable=SC2162
diff --git a/lib/lib_cdi.sh b/lib/lib_cdi.sh
index 2525b0d..535e26f 100644
--- a/lib/lib_cdi.sh
+++ b/lib/lib_cdi.sh
@@ -30,6 +30,8 @@ cdi() {
 
   if [[ "${VAR_HANDLER_CDI}" == "true" ]]; then
 
+    install -m 0400 -o root -g root /dev/null /root/.cdi
+
     if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin" ]]; then
 
       mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin"
diff --git a/lib/lib_clean_up.sh b/lib/lib_clean_up.sh
index c514442..6be1984 100644
--- a/lib/lib_clean_up.sh
+++ b/lib/lib_clean_up.sh
@@ -66,7 +66,7 @@ clean_up() {
   fi
 
   ### Kill gpg-agent and remove artifacts securely.
-  if [[ ! "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then
+  if [[ "${VAR_CDLB_INSIDE_RUNNER}" != "true" ]]; then
 
     if [[ -n "${GNUPGHOME:-}" && -d "${GNUPGHOME}" ]]; then
 
@@ -96,17 +96,16 @@ clean_up() {
   find "${VAR_TMP_SECRET}" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
   find "${VAR_TMP_SECRET}" -xdev -depth -type d -empty -delete
 
-  # TODO: Activate shred
   ### Securely shred all regular files below ./includes.chroot, then remove empty dirs.
-  #if [[ -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
+  if [[ -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
 
     # shellcheck disable=SC2312
-  #  find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
+    find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
 
     ### Remove empty directories (bottom-up).
-  #  find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -depth -xdev -type d -empty -delete
+    find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -depth -xdev -type d -empty -delete
 
-  #fi
+  fi
 
   eval "${_old_nullglob}" 2>/dev/null || true
   eval "${_old_dotglob}"  2>/dev/null || true