V8.02.644.2025.05.31

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-05-31 00:42:24 +02:00
parent d9fb33376d
commit efa3a5d3aa
49 changed files with 712 additions and 444 deletions
--- a/.gitea/TODO/generate-iso.yaml
+++ b/.gitea/TODO/generate-iso.yaml
@@ -0,0 +1,169 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 name: Generating private Live ISO.
 permissions:
  contents: write
 on:
  push:
    branches:
      - master
    paths:
      - '.gitea/autobuild.yaml'
 jobs:
  generating-ciss-debian-live-iso:
    runs-on: ubuntu-latest
    ### Run all steps inside Debian Bookworm
    container:
      image: debian:bookworm
      options: --user root
    steps:
      - name: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        run: |
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
          chmod 600 ~/.ssh/known_hosts
          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
            HostName git.coresecret.dev
            Port 42842
            IdentityFile ~/.ssh/id_ed25519
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
          chmod 600 ~/.ssh/config
      ### https://github.com/actions/checkout/issues/1843
      - name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        run: |
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
          git fetch --unshallow || echo "Nothing to fetch - already full clone."
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
      - name: Cleaning workspace.
        run: |
          git reset --hard
          git clean -fd
      - name: Installing Debian Live-Build and Tools.
        run: |
          apt-get update
          apt-get install -y live-build gnupg curl whois
      - name: Importing "CI PGP DEPLOY ONLY" Key.
        run: |
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
          export GNUPGHOME="$(pwd)/.gnupg"
          mkdir -m700 "${GNUPGHOME}"
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
      - name: Configuring Git for signed CI DEPLOY commits.
        run: |
          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
      - name: Preparing Build Environment.
        run: |
          rm -rf /opt/{config,livebuild}
          mkdir -p /opt/{config,livebuild}
          echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
          chmod 0600 /opt/config/authorized_keys
      - name: Starting CISS.debian.live.builder.
        run: |
          timestamp=$(date -u +"%Y_%m_%d_%H_%M_Z")
          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
          ./ciss_live_builder.sh \
          --autobuild=6.12.22+bpo-amd64 \
          --architecture amd64 \
          --build-directory /opt/livebuild \
          --control "${timestamp}" \
          --debug \
          --dhcp-centurion \
          --jump-host "${{ secrets.CISS_DLB_JUMP_HOSTS }}" \
          --provider-netcup-ipv6 "${{ secrets.CISS_DLB_NETCUP_IPV6 }}" \
          --renice-priority "-19" \
          --reionice-priority 1 2 \
          --root-password-file /opt/config/password.txt \
          --ssh-port 4242 \
          --ssh-pubkey /opt/config
      - name: Uploading ISO to CenturionCloud "cloud.e2ee.li" via WebDAV
        env:
          WEBDAV_URL: "https://cloud.e2ee.li/remote.php/dav/files/runner/PUBLIC/CISS-live/NAME.iso"
          WEBDAV_USER: ${{ secrets.NC_USER }}
          WEBDAV_PASS: ${{ secrets.NC_PASS }}
        run: |
          ### Remove old ISO if exists
          curl -u "${WEBDAV_USER}:${WEBDAV_PASS}" -X DELETE "${WEBDAV_URL}" || true
          ### Upload new ISO
          curl -u "${WEBDAV_USER}:${WEBDAV_PASS}" -T NAME.iso "${WEBDAV_URL}"
          ### Verify upload
          HTTP_CODE=$(curl -o /dev/null -s -w "%{http_code}" -u "${WEBDAV_USER}:${WEBDAV_PASS}" "${WEBDAV_URL}")
          if [ "$HTTP_CODE" -ne 200 ]; then
            echo "Upload failed with HTTP status ${HTTP_CODE}"
            exit 1
          fi
          echo "ISO successfully uploaded and verified."
      - name: Generating Hash and Signing with Private Key
        run: |
          :
          ### TODO: Implement this function
      - name: Generating Success Message to Push back into Repo
        run: |
          :
          ### TODO: Implement this function
      - name: Stage generated files.
        run: |
          git add !!!!!!!!!!!!!
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
      - name: Commit and Sign changes.
        run: |
          export GNUPGHOME="$(pwd)/.gnupg"
          git commit -S -m "DEPLOY BOT: Auto-Generate LIVE ISO [skip ci]" || echo "No Changes, nothing to Sign or to Commit."
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
      - name: Push back to Repository.
        run: |
          git push origin HEAD:${GITHUB_REF_NAME}
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/autobuild.yaml
+++ b/.gitea/autobuild.yaml
@@ -0,0 +1,15 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 build:
  counter: 1024
  version: V8.02.644.2025.05.31
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.hardened.installer framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.02.512.2025.05.30"
+properties_version="V8.02.644.2025.05.31"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.02.512.2025.05.30
+PackageVersion: Master V8.02.644.2025.05.31
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.02.512.2025.05.30-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.02.644.2025.05.31-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -26,7 +26,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.512.2025.05.30<br>
+**Build**: V8.02.644.2025.05.31<br>
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -43,14 +43,13 @@ Check out more:
 > Please note that all my signing keys are stored in an HSM and that the signing environment is air-gapped.
 > The next step is to move to a room-gapped environment.
-Please note that `coresecret.dev` is included in the HSTS Preload list and always serves the headers:
+Please note that `coresecret.dev` is included in the [(HSTS Preload List)](https://hstspreload.org/) and always serves the headers:
 ````nginx configuration pro
 add_header Expect-CT                 "max-age=86400, enforce"                       always;
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 ````
 Additionally, the entire zone is dual-signed with DNSSEC. See the current DNSSEC status at [DNSSEC Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_DNSSEC.md)
 ## 1.1. Immutable Source-of-Truth System
 This live ISO establishes a secure, fully deterministic, integrity self-verifying boot environment based entirely on static
@@ -367,15 +366,17 @@ predictable script behavior.
 # 5. Installation & Usage
 # 5.1. Interactive CLI / Dialog Wrapper
 1. Clone the repository:
   ```bash
-   git clone https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+   git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-   cd CISS.2025.debian.live.builder
+   cd CISS.debian.live.builder
   ```
-2. Run the config builder and the integrated `lb build` command (example):
+2. Edit the '.gitea/workflows/generate-iso.yaml' file according to your requirements.
-   ```bash
+   ```yaml
   ./ciss_live_builder.sh --architecture amd64 \
                          --build-directory /opt/livebuild \
                          --change-splash hexagon \
@@ -397,6 +398,10 @@ predictable script behavior.
 7. Finally, audit your environment with `lsadt` for a comprehensive Lynis audit.
 8. Type `celp` for some shortcuts.
 # 5.2. CI/CD Gitea Runner Workflow Example
 1. tba
 # 6. Licensing & Compliance
 This repository is fully SPDX-compliant. All source files include appropriate SPDX license identifiers and headers to ensure
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -38,15 +38,16 @@
 [[ ${BASH_VERSINFO[0]} -le 5 ]] && [[ ${BASH_VERSINFO[1]} -le 1 ]] && {
  . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
-declare -gr VERSION="Master V8.02.512.2025.05.30"
+declare -gr VAR_VERSION="Master V8.02.644.2025.05.31"
-declare -gr CONTACT="security@coresecret.eu"
+declare -gr VAR_CONTACT="security@coresecret.eu"
-### VERY EARLY CHECK FOR CONTACT, USAGE, AND VERSION STRING
+### VERY EARLY CHECK FOR AUTO-BUILD, CONTACT, USAGE, AND VERSION STRING
 declare arg
 if [[ ${#} -eq 0 ]]; then . ./lib/lib_usage.sh; usage; exit 1; fi
-for arg in "$@"; do case "${arg,,}" in -c|--contact) printf "\e[95mCISS.debian.live.builder Contact: %s\e[0m\n" "${CONTACT}"; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -a=*|--autobuild=*) declare -g VAR_HANDLER_AUTOBUILD=true; declare -g VAR_KERNEL="${arg#*=}";; esac; done
 for arg in "$@"; do case "${arg,,}" in -c|--contact) printf "\e[95mCISS.debian.live.builder Contact: %s\e[0m\n" "${VAR_CONTACT}"; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -h|--help) . ./lib/lib_usage.sh; usage; exit 0;; esac; done
-for arg in "$@"; do case "${arg,,}" in -v|--version) printf "\e[95mCISS.debian.live.builder Version: %s\e[0m\n" "${VERSION}"; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -v|--version) printf "\e[95mCISS.debian.live.builder Version: %s\e[0m\n" "${VAR_VERSION}"; exit 0;; esac; done
 unset arg
 ### VERY EARLY CHECK FOR XTRACE DEBUGGING
@@ -54,7 +55,7 @@ if [[ $* == *" --debug "* ]]; then
  . ./lib/lib_debug.sh
  debugger "${@}"
 else
-  declare -grx EARLY_DEBUG=false
+  declare -grx VAR_EARLY_DEBUG=false
 fi
 ### Advisory Lock
@@ -75,15 +76,15 @@ fi
 check_pkgs
 ### Dialog Output for Initialization
-. ./lib/lib_boot_screen.sh && boot_screen
+if ! $VAR_HANDLER_AUTOBUILD; then . ./lib/lib_boot_screen.sh && boot_screen; fi
 ### Updating Status of Dialog Gauge Bar
-printf "XXX\nUpdating variables ... \nXXX\n05\n" >&3
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nUpdating variables ... \nXXX\n05\n" >&3; fi
 . ./var/global.var.sh
 . ./var/colors.var.sh
 ### Updating Status of Dialog Gauge Bar
-printf "XXX\nEnabling Bash Error Handling ... \nXXX\n15\n" >&3
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nEnabling Bash Error Handling ... \nXXX\n15\n" >&3; fi
 ### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin
 set -o errexit   # Exit script when a command exits with non-zero status, the same as "set -e".
 set -o errtrace  # Any traps on ERR are inherited in a subshell environment, the same as "set -E".
@@ -93,18 +94,18 @@ set -o pipefail  # Makes pipelines return the exit status of the last command in
 set -o noclobber # Prevent overwriting, the same as "set -C".
 ### Updating Status of Dialog Gauge Bar
-printf "XXX\nAdditional initialization ... \nXXX\n25\n" >&3
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nAdditional initialization ... \nXXX\n25\n" >&3; fi
 ### Initialization
 declare -gr ARGUMENTS_COUNT="$#"
 declare -gr ARG_STR_ORG_INPUT="$*"
-declare -ar ARG_ARY_ORG_INPUT=("$@")
+#declare -ar ARG_ARY_ORG_INPUT=("$@")
 # shellcheck disable=SC2155
 declare -gr SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
 # shellcheck disable=SC2155
-declare -grx WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
+declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
 ### Updating Status of Dialog Gauge Bar
-printf "XXX\nSourcing Libraries ... \nXXX\n50\n" >&3
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSourcing Libraries ... \nXXX\n50\n" >&3; fi
 . ./lib/lib_arg_parser.sh
 . ./lib/lib_arg_priority_check.sh
 . ./lib/lib_cdi.sh
@@ -133,42 +134,41 @@ printf "XXX\nSourcing Libraries ... \nXXX\n50\n" >&3
 . ./lib/lib_usage.sh
 ### Updating Status of Dialog Gauge Bar
-printf "XXX\nActivate traps ... \nXXX\n55\n" >&3
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nActivate traps ... \nXXX\n55\n" >&3; fi
 ### Following the CISS Bash naming and ordering scheme
 trap 'trap_on_exit "$?"' EXIT
 trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
 ### Updating Status of Dialog Gauge Bar
-printf "XXX\nSanitizing Arguments ... \nXXX\n70\n" >&3
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSanitizing Arguments ... \nXXX\n70\n" >&3; fi
 arg_check "$@"
 declare -ar ARG_ARY_SANITIZED=("$@")
 declare -gr ARG_STR_SANITIZED="${ARG_ARY_SANITIZED[*]}"
 ### Updating Status of Dialog Gauge Bar
-printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi
 arg_parser "$@"
 ### Updating Status of Dialog Gauge Bar
-printf "XXX\nFinal checks ... \nXXX\n95\n" >&3
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi
 clean_ip
 ### Updating Status of Dialog Gauge Bar
-printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi
 sleep 1
-boot_screen_cleaner
+if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
 ### MAIN Program
 arg_priority_check
 check_stats
-check_provider
+if ! $VAR_HANDLER_AUTOBUILD; then check_provider; fi
-check_kernel
+if ! $VAR_HANDLER_AUTOBUILD; then check_kernel; fi
 check_hooks
 hardening_ssh
 lb_config_start
 lb_config_write
-cd "${WORKDIR}"
+cd "${VAR_WORKDIR}"
 hardening_ultra
 hardening_root_pw
 change_splash
@@ -183,6 +183,6 @@ lb_build_start
 set -o errtrace
 run_analysis
 copy_db
-declare -g handler_success=true
+declare -g VAR_SCRIPT_SUCCESS=true
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.02.512.2025.05.30
+### Version Master V8.02.644.2025.05.31
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.02.512.2025.05.30
+### Version Master V8.02.644.2025.05.31
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V8.02.512.2025.05.30"
+declare -gr VERSION="Master V8.02.644.2025.05.31"
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.02.512.2025.05.30 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.02.644.2025.05.31 at: 10:18:37.9542
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,11 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.512.2025.05.30<br>
+**Build**: V8.02.644.2025.05.31<br>
 # 2. DNSSEC Status
-![DNSSEC Status](docs/SECURITY/coresecret.dev.png)
+This is an auto-generated overview of the DNSSEC status of `coresecret.dev` at the time of the last human-initiated push event.
 ![DNSSEC Status](SECURITY/coresecret.dev.png)
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.512.2025.05.30<br>
+**Build**: V8.02.644.2025.05.31<br>
 # 2. Haveged Audit on Netcup RS 2000 G11
--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.512.2025.05.30<br>
+**Build**: V8.02.644.2025.05.31<br>
 # 2. Lynis Audit:
--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.512.2025.05.30<br>
+**Build**: V8.02.644.2025.05.31<br>
 # 2. SSH Audit by ssh-audit.com
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.512.2025.05.30<br>
+**Build**: V8.02.644.2025.05.31<br>
 # TBA
--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.512.2025.05.30<br>
+**Build**: V8.02.644.2025.05.31<br>
 # 2. Coding Style
@@ -62,14 +62,27 @@ neat features. Here's how you make use of them. Besides those short hints here,
  * Global variables:
    * use them only when really necessary,
    * in CAPS,
-    * initialize them (`declare -g VAR=""`),
+    * initialize them (`declare -g VAR_EXAMPLE=""`),
-    * use `declare -g` and use typing (variable types) if possible.
+    * SHOULD start with:
      * `ARY_`  for Arrays,
      * `C_`    for Variables defining colored outputs,
      * `ERR_`  for Error Codes Variables,
      * `HMP_`  for HashMap Arrays,
      * `LOG_`  for Logfile Variables,
      * `PID_`  for PID Variables,
      * `PIPE_` for PIPE Variables,
      * `VAR_`  for Variables
  * Local variables:
    * are lower case,
-    * declare them before usage (`declare`),
+    * declare them before usage (`declare` eq `local`),
-    * initialize them (`declare VAR=""`).
+    * initialize them (`declare var_example=""`),
-  * Preferred declaration and initialization:
+    * SHOULD start with:
-    * VAR: `declare -g VAR=""` and `declare -a ARRAY=()`.
+      * `ary_` for Arrays,
      * `c_` for Variables defining colored outputs,
      * `err_` for Error Codes Variables,
      * `hmp_` for HashMap Arrays,
      * `log_` for Logfile Variables,
      * `var_` for Variables.
 # 3. Misc
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.512.2025.05.30<br>
+**Build**: V8.02.644.2025.05.31<br>
 # 2. Contributors
--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.512.2025.05.30<br>
+**Build**: V8.02.644.2025.05.31<br>
 # 2. Credits
--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,12 +8,12 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.512.2025.05.30<br>
+**Build**: V8.02.644.2025.05.31<br>
 # 2. Usage
 ````text
 CISS.debian.live.builder
-Master V8.02.512.2025.05.30
+Master V8.02.644.2025.05.31
 (c) Marc S. Weidner, 2018 - 2025
 (p) Centurion Press, 2024 - 2025
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.02<br>
-**Build**: V8.02.512.2025.05.30<br>
+**Build**: V8.02.644.2025.05.31<br>
 # 2. Resources
--- a/lib/lib_arg_parser.sh
+++ b/lib/lib_arg_parser.sh
@@ -30,11 +30,11 @@
 #   ERR_SPLASH_PNG
 #   ERR_UNCRITICAL
 #   ERR__SSH__PORT
-#   HANDLER_ARCHITECTURE
+#   handler_architecture
 #   HANDLER_BUILD_DIR
 #   HANDLER_CDI
 #   HANDLER_DHCP
-#   HANDLER_ISO_COUNTER
+#   VAR_HANDLER_ISO_COUNTER
 #   HANDLER_PRIORITY
 #   HANDLER_SPLASH
 #   HANDLER_SSHPORT
@@ -44,16 +44,61 @@
 #   ISO8601
 #   REIONICE_CLASS
 #   REIONICE_PRIORITY
-#   VERSION
+#   VAR_VERSION
 #   handler_jumphost
 # Arguments:
 #  None
 #######################################
 #######################################
 # description
 # Globals:
 #   ARY_HANDLER_JUMPHOST
 #   ARY_HANDLER_NETCUP_IPV6
 #   ERR_ARG_MSMTCH
 #   ERR_CONTROL_CT
 #   ERR_MISS_PWD_F
 #   ERR_MISS_PWD_P
 #   ERR_OWNS_PWD_F
 #   ERR_PASS_LENGH
 #   ERR_PASS_PLICY
 #   ERR_REIONICE_P
 #   ERR_REIO_C_VAL
 #   ERR_REIO_P_VAL
 #   ERR_RENICE_PRI
 #   ERR_RGHT_PWD_F
 #   ERR_SPLASH_PNG
 #   ERR_UNCRITICAL
 #   ERR__SSH__PORT
 #   VAR_ARCHITECTURE
 #   VAR_BUILD_LOG
 #   VAR_EARLY_DEBUG
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_HANDLER_CDI
 #   VAR_HANDLER_DHCP
 #   VAR_HANDLER_ISO_COUNTER
 #   VAR_HANDLER_NETCUP_IPV6
 #   VAR_HANDLER_PRIORITY
 #   VAR_HANDLER_SPLASH
 #   VAR_HANDLER_STA
 #   VAR_HASHED_PWD
 #   VAR_ISO8601
 #   VAR_REIONICE_CLASS
 #   VAR_REIONICE_PRIORITY
 #   VAR_SSHPORT
 #   VAR_SSHPUBKEY
 # Arguments:
 #  None
 #######################################
 arg_parser() {
  while [[ $# -gt 0 ]]; do
    declare argument="${1}"
      case "${argument,,}" in
        -a=* | --autobuild=*)
          shift 1
          ;;
        -c | --contact)
          if [[ -n "${2}" && "${2}" != -* ]]; then
            boot_screen_cleaner
@@ -86,7 +131,7 @@ arg_parser() {
        --architecture)
          if [[ "${2}" == "amd64" || "${2}" == "arm64" ]]; then
-            declare -gx HANDLER_ARCHITECTURE="$2"
+            declare -gx VAR_ARCHITECTURE="${2}"
            shift 2
          else
            boot_screen_cleaner
@@ -98,8 +143,8 @@ arg_parser() {
          ;;
        --build-directory)
-          declare -gx HANDLER_BUILD_DIR="${2}"
+          declare -gx VAR_HANDLER_BUILD_DIR="${2}"
-          declare -gx BUILD_LOG="${HANDLER_BUILD_DIR}/${ISO8601}_build.log"
+          declare -gx VAR_BUILD_LOG="${VAR_HANDLER_BUILD_DIR}/${VAR_ISO8601}_build.log"
          shift 2
          ;;
@@ -110,13 +155,13 @@ arg_parser() {
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
          fi
-          declare -g HANDLER_CDI=true
+          declare -g VAR_HANDLER_CDI=true
          shift 1
          ;;
        --change-splash )
          if [[ "${2}" == "club" || "${2}" == "hexagon" ]]; then
-            declare -g HANDLER_SPLASH="${2}"
+            declare -g VAR_HANDLER_SPLASH="${2}"
            shift 2
          else
            boot_screen_cleaner
@@ -129,7 +174,7 @@ arg_parser() {
        --control)
          if [[ -n "${2}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65536 ]]; then
-            declare -gi HANDLER_ISO_COUNTER="$2"
+            declare -gi VAR_HANDLER_ISO_COUNTER="$2"
            shift 2
          else
            boot_screen_cleaner
@@ -157,7 +202,7 @@ arg_parser() {
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
          fi
-          declare -gi HANDLER_DHCP=1
+          declare -gi VAR_HANDLER_DHCP=1
          shift 1
          ;;
@@ -166,7 +211,7 @@ arg_parser() {
            declare -i count=0
            shift
            while [[ "${#}" -gt 0 && "${1}" != -* && count -lt 10 ]]; do
-              declare -g handler_jumphost+=("$1")
+              declare -g ARY_HANDLER_JUMPHOST+=("$1")
              count=$((count + 1))
              shift
            done
@@ -188,18 +233,18 @@ arg_parser() {
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
          fi
-          declare -gi HANDLER_STA=1
+          declare -gi VAR_HANDLER_STA=1
          shift 1
          ;;
        --provider-netcup-ipv6)
          if [[ -n "${2}" && "${2}" != -* ]]; then
            declare -i count=0
-            declare -g handler_netcup_ipv6=true
+            declare -g VAR_HANDLER_NETCUP_IPV6=true
            shift
            while [[ "${#}" -gt 0 && "${1}" != -* && count -lt 1 ]]; do
              declare cleaned="${1//[\[\]]/}"
-              declare -g handler_netcup_ipv6_array+=("${cleaned}")
+              declare -g ARY_HANDLER_NETCUP_IPV6+=("${cleaned}")
              count=$((count + 1))
              shift
            done
@@ -216,7 +261,7 @@ arg_parser() {
        --renice-priority)
          if [[ -n ${2} && ${2} =~ ^-?[0-9]+$ && ${2} -ge -19 && ${2} -le 19 ]]; then
-            declare -gi HANDLER_PRIORITY="$2"
+            declare -gi VAR_HANDLER_PRIORITY="$2"
            shift 2
          else
            boot_screen_cleaner
@@ -235,12 +280,12 @@ arg_parser() {
            exit "${ERR_REIONICE_P}"
          else
            if [[ "${2}" =~ ^[1-3]$ ]]; then
-              declare -gi REIONICE_CLASS="${2}"
+              declare -gi VAR_REIONICE_CLASS="${2}"
              if [[ -z "${3}" ]]; then
                :
              else
                if [[ "${3}" =~ ^[0-7]$ ]]; then
-                  declare -gi REIONICE_PRIORITY="${3}"
+                  declare -gi VAR_REIONICE_PRIORITY="${3}"
                else
                  boot_screen_cleaner
                  printf "\e[91m❌ Error: --reionice-priority PRIORITY MUST be an integer between '0' and '7'.\e[0m\n" >&2
@@ -255,7 +300,7 @@ arg_parser() {
              exit "${ERR_REIO_C_VAL}"
            fi
          fi
-          if [[ -n ${REIONICE_PRIORITY} ]]; then
+          if [[ -n ${VAR_REIONICE_PRIORITY} ]]; then
            shift 3
          else
            shift 2
@@ -305,11 +350,11 @@ arg_parser() {
          fi
          declare plaintext_pw
-          [[ "${EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
+          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
          if ! IFS= read -r plaintext_pw < "${pw_file}"; then
            :
          fi
-          [[ "${EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
+          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
          declare pw_length
          pw_length=${#plaintext_pw}
@@ -321,16 +366,16 @@ arg_parser() {
            exit "${ERR_PASS_LENGH}"
          fi
-          [[ "${EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
+          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
          if [[ "${plaintext_pw}" == *\"* ]]; then
-            [[ "${EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
+            [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
            boot_screen_cleaner
            printf "\e[91m❌ Error: --root-password-file password MUST NOT contain double quotes (\").\e[0m\n" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_PASS_PLICY}"
          fi
-          [[ "${EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
+          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
          declare salt
          set +o pipefail
@@ -341,11 +386,11 @@ arg_parser() {
          set -o pipefail
          declare hash_temp
-          [[ "${EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
+          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
          hash_temp=$(mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608 "${plaintext_pw}")
-          [[ "${EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
+          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
-          declare -g HASHED_PWD="${hash_temp}"
+          declare -g VAR_HASHED_PWD="${hash_temp}"
          unset hash_temp plaintext_pw
          sync
@@ -361,7 +406,7 @@ arg_parser() {
        --ssh-port)
          if [[ -n "${2}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then
-            declare -gi HANDLER_SSHPORT="${2}"
+            declare -gi VAR_SSHPORT="${2}"
            shift 2
          else
            boot_screen_cleaner
@@ -372,7 +417,7 @@ arg_parser() {
          ;;
        --ssh-pubkey)
-          declare -g HANDLER_SSHPUBKEY="${2}"
+          declare -g VAR_SSHPUBKEY="${2}"
          shift 2
          ;;
--- a/lib/lib_arg_priority_check.sh
+++ b/lib/lib_arg_priority_check.sh
@@ -13,17 +13,17 @@
 #######################################
 # Check and setup Script Priorities
 # Globals:
-#   HANDLER_PRIORITY
+#   VAR_HANDLER_PRIORITY
-#   REIONICE_CLASS
+#   VAR_REIONICE_CLASS
-#   REIONICE_PRIORITY
+#   VAR_REIONICE_PRIORITY
 # Arguments:
 #  None
 #######################################
 arg_priority_check() {
  declare var
  # Check if nice PRIORITY is set and adjust nice priority.
-  if [[ -n ${HANDLER_PRIORITY} ]]; then
+  if [[ -n ${VAR_HANDLER_PRIORITY} ]]; then
-    renice "${HANDLER_PRIORITY}" -p "$$"
+    renice "${VAR_HANDLER_PRIORITY}" -p "$$"
    var=$(ps -o ni= -p $$) > /dev/null 2>&1
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New renice value: %s\e[0m\n" "${var}"
    # sleep 1
@@ -31,8 +31,8 @@ arg_priority_check() {
  fi
  # Check if ionice PRIORITY is set and adjust ionice priority.
-  if [[ -n ${REIONICE_CLASS} ]]; then
+  if [[ -n ${VAR_REIONICE_CLASS} ]]; then
-    ionice -c"${REIONICE_CLASS:-2}" -n"${REIONICE_PRIORITY:-4}" -p "$$"
+    ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$"
    var=$(ionice -p $$) > /dev/null 2>&1
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New ionice value: %s\e[0m\n" "${var}"
    # sleep 1
--- a/lib/lib_boot_screen.sh
+++ b/lib/lib_boot_screen.sh
@@ -13,15 +13,15 @@
 #######################################
 # Change Grub Boot Screen Splash
 # Globals:
-#   boot_screen_pid
+#   PID_BOOT_SCREEN
-#   boot_screen_pipe
+#   PIPE_BOOT_SCREEN
 # Arguments:
 #  None
 #######################################
 boot_screen() {
  clear
-  declare -gr boot_screen_pipe="/tmp/progress.fifo"
+  declare -gr PIPE_BOOT_SCREEN="/tmp/progress.fifo"
-  [[ -p "${boot_screen_pipe}" ]] || mkfifo "${boot_screen_pipe}"
+  [[ -p "${PIPE_BOOT_SCREEN}" ]] || mkfifo "${PIPE_BOOT_SCREEN}"
  setsid dialog --no-collapse \
                --ascii-lines \
@@ -29,9 +29,9 @@ boot_screen() {
                --title "CISS.debian.live.builder" \
                --gauge "Starting initialization..." \
                10 70 0 \
-                < "${boot_screen_pipe}" &
+                < "${PIPE_BOOT_SCREEN}" &
-  declare -gr boot_screen_pid="$!"
+  declare -gr PID_BOOT_SCREEN="$!"
-  exec 3> "${boot_screen_pipe}"
+  exec 3> "${PIPE_BOOT_SCREEN}"
 }
 #######################################
@@ -44,9 +44,9 @@ boot_screen() {
 #######################################
 boot_screen_cleaner() {
  exec 3>&-
-  kill -TERM -- -"${boot_screen_pid}" 2>/dev/null || true
+  kill -TERM -- -"${PID_BOOT_SCREEN}" 2>/dev/null || true
-  wait "${boot_screen_pid}" 2>/dev/null || true
+  wait "${PID_BOOT_SCREEN}" 2>/dev/null || true
-  rm -f "${boot_screen_pipe}"
+  rm -f "${PIPE_BOOT_SCREEN}"
  clean_screen
  sleep 1
 }
--- a/lib/lib_cdi.sh
+++ b/lib/lib_cdi.sh
@@ -14,48 +14,48 @@
 # CISS.2025.debian.installer GRUB and Autostart Generator
 # Globals:
 #   BASH_SOURCE
-#   HANDLER_BUILD_DIR
+#   VAR_HANDLER_BUILD_DIR
-#   HANDLER_CDI
+#   VAR_HANDLER_CDI
-#   WORKDIR
+#   VAR_KERNEL
-#   kernel
+#   VAR_WORKDIR
 # Arguments:
 #  None
 #######################################
 cdi() {
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
-  if [[ "${HANDLER_CDI}" == "true" ]]; then
+  if [[ "${VAR_HANDLER_CDI}" == "true" ]]; then
-    if [[ ! -d "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config" ]]; then
+    if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config" ]]; then
-      mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config"
+      mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config"
    fi
-    cp "${WORKDIR}/scripts/9000-cdi-starter" "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
+    cp "${VAR_WORKDIR}/scripts/9000-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
-    chmod 0750 "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
+    chmod 0750 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
-    chown root:root "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
+    chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
    declare tmp_entry
    tmp_entry="$(mktemp)"
    cat << EOF >| "${tmp_entry}"
-menuentry "CISS Hardened DI (${kernel})" --hotkey=i {
+menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i {
-        linux /live/vmlinuz-${kernel} boot=live verify-checksums live-config.components splash nopersistence toram ramdisk-size=1024M swap=true noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Europe/Lisbon audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none findiso=\${iso_path}
+        linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums live-config.components splash nopersistence toram ramdisk-size=1024M swap=true noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Europe/Lisbon audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none findiso=\${iso_path}
-        initrd /live/initrd.img-${kernel}
+        initrd /live/initrd.img-${VAR_KERNEL}
 }
 EOF
    sed -i "/#MUST_BE_REPLACED/{
  r ${tmp_entry}
  d
-}" "${HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg"
+}" "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg"
    sed -i "/#MUST_BE_REPLACED/{
  r ${tmp_entry}
  d
-}" "${HANDLER_BUILD_DIR}/config/bootloaders/grub-pc/grub.cfg"
+}" "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-pc/grub.cfg"
    rm -f "${tmp_entry}"
  else
    # shellcheck disable=SC1003
-    sed -i '/#MUST_BE_REPLACED/c\\' "${HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg"
+    sed -i '/#MUST_BE_REPLACED/c\\' "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg"
  fi
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
 }
--- a/lib/lib_change_splash.sh
+++ b/lib/lib_change_splash.sh
@@ -13,24 +13,24 @@
 #######################################
 # Change Grub Boot Screen Splash
 # Globals:
-#   HANDLER_BUILD_DIR
+#   VAR_HANDLER_BUILD_DIR
-#   HANDLER_SPLASH
+#   VAR_HANDLER_SPLASH
-#   WORKDIR
+#   VAR_WORKDIR
 # Arguments:
 #  None
 #######################################
 change_splash() {
-  if [[ ${HANDLER_SPLASH} == "club" ]]; then
+  if [[ ${VAR_HANDLER_SPLASH} == "club" ]]; then
    printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'club.png' selected ...\e[0m\n"
-    cp -af "${WORKDIR}"/.archive/background/club.png "${HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
+    cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
-    cp -af "${WORKDIR}"/.archive/background/club.png "${HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
+    cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
-    cp -af "${WORKDIR}"/.archive/background/club.png "${HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
+    cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash 'club.png' selected done. \e[0m\n"
-  elif [[ ${HANDLER_SPLASH} == "hexagon" ]]; then
+  elif [[ ${VAR_HANDLER_SPLASH} == "hexagon" ]]; then
    printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'hexagon.png' selected ...\e[0m\n"
-    cp -af "${WORKDIR}"/.archive/background/hexagon.png "${HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
+    cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
-    cp -af "${WORKDIR}"/.archive/background/hexagon.png "${HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
+    cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
-    cp -af "${WORKDIR}"/.archive/background/hexagon.png "${HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
+    cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash 'hexagon.png' selected done. \e[0m\n"
  fi
 }
--- a/lib/lib_check_dhcp.sh
+++ b/lib/lib_check_dhcp.sh
@@ -13,14 +13,14 @@
 #######################################
 # Check if hardened Centurion DNS servers are desired.
 # Globals:
-#   HANDLER_DHCP
+#   VAR_HANDLER_DHCP
-#   WORKDIR
+#   VAR_WORKDIR
 # Arguments:
 #  None
 #######################################
 check_dhcp() {
-  if [[ ${HANDLER_DHCP} -eq 1 ]]; then
+  if [[ ${VAR_HANDLER_DHCP} -eq 1 ]]; then
-    chmod +x "${WORKDIR}"/scripts/0010_dhcp_supersede.sh && "${WORKDIR}"/scripts/0010_dhcp_supersede.sh
+    chmod +x "${VAR_WORKDIR}"/scripts/0010_dhcp_supersede.sh && "${VAR_WORKDIR}"/scripts/0010_dhcp_supersede.sh
  fi
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_check_hooks.sh
+++ b/lib/lib_check_hooks.sh
@@ -14,7 +14,7 @@
 # Check and apply 0755 Permissions on every ./config/hooks/live/*.chroot file
 # Globals:
 #   ERR_UNCRITICAL
-#   WORKDIR
+#   VAR_WORKDIR
 # Arguments:
 #  None
 #######################################
@@ -22,10 +22,10 @@ check_hooks() {
  declare ifs
  ifs=$'\n\t'
  shopt -s nullglob
-  declare -a files=("${WORKDIR}"/config/hooks/live/*.chroot)
+  declare -a files=("${VAR_WORKDIR}"/config/hooks/live/*.chroot)
  if (( ${#files[@]} == 0 )); then
-    printf "\e[91m❌ No '*.chroot' files found in '%s/config/hooks/live'. \e[0m\n" "${WORKDIR}" >&2
+    printf "\e[91m❌ No '*.chroot' files found in '%s/config/hooks/live'. \e[0m\n" "${VAR_WORKDIR}" >&2
    exit "${ERR_UNCRITICAL}"
  fi
--- a/lib/lib_check_kernel.sh
+++ b/lib/lib_check_kernel.sh
@@ -13,10 +13,10 @@
 #######################################
 # Kernel Image Selector
 # Globals:
-#   HANDLER_ARCHITECTURE
+#   VAR_ARCHITECTURE
-#   KERNEL_SRT
+#   VAR_KERNEL
-#   KERNEL_TMP
+#   VAR_KERNEL_SRT
-#   kernel
+#   VAR_KERNEL_TMP
 # Arguments:
 #  None
 # Returns:
@@ -27,17 +27,17 @@ check_kernel() {
  declare -i counter=1
  declare first_string=""
  declare line=""
-  declare -gx kernel=""
+  declare -gx VAR_KERNEL=""
  declare name=""
  declare options=""
-  if [[ ${HANDLER_ARCHITECTURE} != arm64 ]]; then
+  if [[ ${VAR_ARCHITECTURE} != arm64 ]]; then
-    apt-cache search linux-image | grep linux-image | grep amd64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${KERNEL_TMP}"
+    apt-cache search linux-image | grep linux-image | grep amd64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${VAR_KERNEL_TMP}"
  else
-    apt-cache search linux-image | grep linux-image | grep arm64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${KERNEL_TMP}"
+    apt-cache search linux-image | grep linux-image | grep arm64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${VAR_KERNEL_TMP}"
  fi
-  sort --output="${KERNEL_SRT}" "${KERNEL_TMP}" || {
+  sort --output="${VAR_KERNEL_SRT}" "${VAR_KERNEL_TMP}" || {
    printf "❌ Error check_kernel() Line 40 sort failed\n" >&2
    # shellcheck disable=SC2162
    read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -49,10 +49,10 @@ check_kernel() {
      name=${first_string#linux-image-}
      options+=("${name}" "${counter}" off)
      ((counter++))
-    done < "${KERNEL_SRT}"
+    done < "${VAR_KERNEL_SRT}"
  # shellcheck disable=SC2155
-  if declare -g kernel=$(dialog \
+  if declare -g VAR_KERNEL=$(dialog \
                          --no-collapse \
                          --ascii-lines \
                          --clear \
@@ -62,10 +62,10 @@ check_kernel() {
    clear
  else
    clear
-    if [[ "${HANDLER_ARCHITECTURE}" == "amd64" ]]; then
+    if [[ "${VAR_ARCHITECTURE}" == "amd64" ]]; then
-      declare -gr kernel="amd64"
+      declare -gr VAR_KERNEL="amd64"
-    elif [[ "${HANDLER_ARCHITECTURE}" == "arm64" ]]; then
+    elif [[ "${VAR_ARCHITECTURE}" == "arm64" ]]; then
-      declare -gr kernel="arm64"
+      declare -gr VAR_KERNEL="arm64"
    fi
  fi
 }
--- a/lib/lib_check_provider.sh
+++ b/lib/lib_check_provider.sh
@@ -17,8 +17,8 @@
 #######################################
 check_provider() {
  clear
-  cat << 'EOF' >| "${notes}"
+  cat << 'EOF' >| "${VAR_NOTES}"
-Build: Master V8.02.512.2025.05.30
+Build: Master V8.02.644.2025.05.31
 Press 'EXIT' to continue with CISS.debian.live.builder.
@@ -59,7 +59,7 @@ EOF
         --backtitle "CISS.debian.live.builder" \
         --title "Important Notes" \
         --scrollbar \
-         --textbox "${notes}" 32 128
+         --textbox "${VAR_NOTES}" 32 128
  clear
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_check_stats.sh
+++ b/lib/lib_check_stats.sh
@@ -13,12 +13,12 @@
 #######################################
 # Check if analysis run is desired only.
 # Globals:
-#   HANDLER_STA
+#   VAR_HANDLER_STA
 # Arguments:
 #  None
 #######################################
 check_stats() {
-  if [[ ${HANDLER_STA} -eq 1 ]]; then
+  if [[ ${VAR_HANDLER_STA} -eq 1 ]]; then
    clear
    run_analysis
    exit 0
--- a/lib/lib_clean_up.sh
+++ b/lib/lib_clean_up.sh
@@ -13,26 +13,26 @@
 #######################################
 # Clean Up Wrapper on Trap on 'ERR' and 'EXIT'.
 # Globals:
-#   ERROR_LOG
+#   LOG_ERROR
-#   KERNEL_INF
+#   VAR_KERNEL_INF
-#   KERNEL_SRT
+#   VAR_KERNEL_SRT
-#   KERNEL_TMP
+#   VAR_KERNEL_TMP
-#   WORKDIR
+#   VAR_WORKDIR
 # Arguments:
 #   1 : ${trap_on_exit_code} of trap_on_exit()
 #######################################
 clean_up() {
  declare clean_exit_code="$1"
-  rm -f -- "${KERNEL_INF}"
+  rm -f -- "${VAR_KERNEL_INF}"
-  rm -f -- "${KERNEL_SRT}"
+  rm -f -- "${VAR_KERNEL_SRT}"
-  rm -f -- "${KERNEL_TMP}"
+  rm -f -- "${VAR_KERNEL_TMP}"
  rm -f /run/lock/ciss_live_builder.lock
-  if (( clean_exit_code == 0 )); then rm -f -- "${ERROR_LOG}"; fi
+  if (( clean_exit_code == 0 )); then rm -f -- "${LOG_ERROR}"; fi
-  if [[ -f "${WORKDIR}/hosts.allow" ]]; then
+  if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then
-    rm -f "${WORKDIR}/hosts.allow"
+    rm -f "${VAR_WORKDIR}/hosts.allow"
  fi
-  if [[ -f "${WORKDIR}/hosts.deny" ]]; then
+  if [[ -f "${VAR_WORKDIR}/hosts.deny" ]]; then
-    rm -f "${WORKDIR}/hosts.deny"
+    rm -f "${VAR_WORKDIR}/hosts.deny"
  fi
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_copy_integrity.sh
+++ b/lib/lib_copy_integrity.sh
@@ -14,7 +14,7 @@
 # Copy Initial ISO aide Database into Host System
 # Globals:
 #   BASH_SOURCE
-#   HANDLER_BUILD_DIR
+#   VAR_HANDLER_BUILD_DIR
 # Arguments:
 #  None
 # Returns:
@@ -23,12 +23,12 @@
 copy_db() {
  # printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${BASH_SOURCE[0]}"
-  if [[ ! -d "${HANDLER_BUILD_DIR}/.integrity" ]]; then
+  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/.integrity" ]]; then
-    mkdir -p "${HANDLER_BUILD_DIR}/.integrity"
+    mkdir -p "${VAR_HANDLER_BUILD_DIR}/.integrity"
  fi
-  if cp -p "${HANDLER_BUILD_DIR}/chroot/var/lib/aide/"* "${HANDLER_BUILD_DIR}/.integrity/"; then
+  if cp -p "${VAR_HANDLER_BUILD_DIR}/chroot/var/lib/aide/"* "${VAR_HANDLER_BUILD_DIR}/.integrity/"; then
-    chmod 0400 "${HANDLER_BUILD_DIR}/.integrity/"*
+    chmod 0400 "${VAR_HANDLER_BUILD_DIR}/.integrity/"*
    # printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
    return 0
  else
--- a/lib/lib_debug.sh
+++ b/lib/lib_debug.sh
@@ -13,12 +13,13 @@
 #######################################
 # Debugger Wrapper for xtrace to Debug Log
 # Globals:
 #   BASH_SOURCE
 #   BASH_XTRACEFD
-#   DEBUG_LOG
+#   LOG_DEBUG
 #   EARLY_DEBUG
 #   PS4
 #   SHELLOPTS
-#   dump_vars_initial
+#   VAR_DUMP_VARS_INITIAL
 #   VAR_EARLY_DEBUG
 #   var
 # Arguments:
 #  None
@@ -26,22 +27,22 @@
 debugger() {
  ### Capture an initial snapshot of all variables (excluding '^(BASH|_).*')
  # shellcheck disable=SC2155
-  declare -grx dump_vars_initial=$(mktemp)
+  declare -grx VAR_DUMP_VARS_INITIAL=$(mktemp)
  {
    declare var
    while IFS= read -r var; do
      declare -p "${var}" 2>/dev/null
    done < <(compgen -v | grep -Ev '^(BASH|_).*')
-  } | sort >| "${dump_vars_initial}"
+  } | sort >| "${VAR_DUMP_VARS_INITIAL}"
-  declare -grx EARLY_DEBUG=true
+  declare -grx VAR_EARLY_DEBUG=true
  ### Set a verbose PS4 prompt including timestamp, source, line, exit status, and function name
  declare -grx PS4='\e[97m+\e[0m\e[96m$(date +%T.%4N)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m${?}\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m '
  # shellcheck disable=SC2155
-  declare -grx DEBUG_LOG="/tmp/ciss_live_builder_$$_debug.log"
+  declare -grx LOG_DEBUG="/tmp/ciss_live_builder_$$_debug.log"
-  ### Generates empty DEBUG_LOG
+  ### Generates empty LOG_DEBUG
-  touch "${DEBUG_LOG}" && chmod 0600 "${DEBUG_LOG}"
+  touch "${LOG_DEBUG}" && chmod 0600 "${LOG_DEBUG}"
  ### Open file descriptor 42 for writing to the debug log
-  exec 42>| "${DEBUG_LOG}"
+  exec 42>| "${LOG_DEBUG}"
  ### Write Debug Log Header https://www.gnu.org/software/bash/manual/html_node/Bash-Variables
    ### Determine the directory of this script, even if sourced.
    # shellcheck disable=SC2155
--- a/lib/lib_debug_header.sh
+++ b/lib/lib_debug_header.sh
@@ -21,7 +21,7 @@
 #   PPID
 #   PWD
 #   UID
-#   VERSION
+#   VAR_VERSION
 # Arguments:
 #   $0: Script Name $0
 #   $1: Argument Counter $#
@@ -32,7 +32,7 @@ debug_header() {
  declare -r arg_string="$2"
  {
    printf "\e[97m+\e[0m\e[92m%s: CISS.debian.live.builder Debug Log \e[0m\n" "$(date +%T.%4N)"
-    printf "\e[97m+\e[0m\e[92m%s: Version                   : %s \e[0m\n" "$(date +%T.%4N)" "${VERSION}"
+    printf "\e[97m+\e[0m\e[92m%s: Version                   : %s \e[0m\n" "$(date +%T.%4N)" "${VAR_VERSION}"
    printf "\e[97m+\e[0m\e[92m%s: Epoch                     : %s \e[0m\n" "$(date +%T.%4N)" "${EPOCHREALTIME}"
    printf "\e[97m+\e[0m\e[92m%s: Bash MAJ Release          : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[0]}"
    printf "\e[97m+\e[0m\e[92m%s: Bash MIN Version          : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[1]}"
--- a/lib/lib_hardening_root_pw.sh
+++ b/lib/lib_hardening_root_pw.sh
@@ -13,15 +13,15 @@
 #######################################
 # Updates the Live ISO to use root password authentication for local console access.
 # Globals:
-#   HANDLER_BUILD_DIR
+#   VAR_HANDLER_BUILD_DIR
-#   HASHED_PWD
+#   VAR_HASHED_PWD
 # Arguments:
 #  None
 # Returns:
 #   0: In case no root password is desired.
 #######################################
 hardening_root_pw() {
-  if [[ -z ${HASHED_PWD} ]]; then
+  if [[ -z ${VAR_HASHED_PWD} ]]; then
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Root Password for Console set, skipping root password hook.\e[0m\n"
    # sleep 1
    return 0
@@ -30,7 +30,7 @@ hardening_root_pw() {
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Setup Root Password for Console ... \e[0m\n"
  # sleep 1
-  declare cfg_dir="${HANDLER_BUILD_DIR}/config/includes.chroot/etc/live"
+  declare cfg_dir="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/live"
  declare cfg_file="${cfg_dir}/config.conf"
  declare dropin_dir="${cfg_dir}/config.conf.d"
  declare dropin_file="${dropin_dir}/20-root-password.conf"
@@ -45,27 +45,27 @@ EOF
    sed -i -E 's|LIVE_CONFIGS="([^"]*)"|LIVE_CONFIGS="\1 root-password"|' "${cfg_file}"
  fi
-  declare clean_hash="${HASHED_PWD//\"/}"
+  declare clean_hash="${VAR_HASHED_PWD//\"/}"
  printf 'live-config.root-password-hash=%s\n' "${clean_hash}" >| "${dropin_file}"
  chmod 0600 "${dropin_file}"
  chown root:root "${dropin_file}"
-  mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/root"
+  mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root"
-  printf '%s\n' "${clean_hash}" >| "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
+  printf '%s\n' "${clean_hash}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
-  chmod 0600 "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
+  chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
-  chown root:root "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
+  chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.pwd"
-  mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/system/getty@tty1.service.d
+  mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/system/getty@tty1.service.d
-  cat << 'EOF' >| "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/system/getty@tty1.service.d/override.conf
+  cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/system/getty@tty1.service.d/override.conf
 [Service]
 ExecStart=
 #ExecStart=-/usr/sbin/agetty --noclear %I $TERM
 ExecStart=-agetty --noclear %I $TERM
 EOF
-  mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc
+  mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc
-  cat << 'EOF' >| "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc/securetty
+  cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/securetty
 tty1
 tty2
 tty3
@@ -74,21 +74,21 @@ tty5
 tty6
 EOF
-  mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/usr/sbin
+  mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/sbin
-  mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/usr/bin
+  mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/bin
-  mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/sbin
+  mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/sbin
-  cp -af /usr/sbin/agetty "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/sbin/agetty"
+  cp -af /usr/sbin/agetty "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/sbin/agetty"
-  cp -af /usr/sbin/agetty "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/bin/agetty"
+  cp -af /usr/sbin/agetty "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/bin/agetty"
-  cp -af /usr/sbin/agetty "${HANDLER_BUILD_DIR}/config/includes.chroot/sbin/agetty"
+  cp -af /usr/sbin/agetty "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/sbin/agetty"
  ### Hotfix I
-  mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators"
+  mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators"
-  cat << 'EOF' >| "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
+  cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
 #!/bin/sh
 # bypass live-config-getty-generator
 exit 0
 EOF
-  chmod +x "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
+  chmod +x "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators/live-config-getty-generator"
  ### Hotfix II
  #mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/systemd/system-generators"
--- a/lib/lib_hardening_ssh.sh
+++ b/lib/lib_hardening_ssh.sh
@@ -13,15 +13,15 @@
 #######################################
 # SSH Hardening Ultra via TCP Wrapper
 # Globals:
-#   WORKDIR
+#   ARY_HANDLER_JUMPHOST
-#   handler_jumphost
+#   VAR_WORKDIR
 # Arguments:
 #  None
 #######################################
 hardening_ssh() {
-  if ((${#handler_jumphost[@]} > 0)); then
+  if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
    declare allowed=""
-    cat << 'EOF' >| "${WORKDIR}/hosts.allow"
+    cat << 'EOF' >| "${VAR_WORKDIR}/hosts.allow"
 # /etc/hosts.allow: list of hosts that are allowed to access the system.
 #                   See the manual pages hosts_access(5) and hosts_options(5).
 #
@@ -34,10 +34,10 @@ hardening_ssh() {
 EOF
-    allowed=$(echo "${handler_jumphost[*]}" | tr '\n' ' ')
+    allowed=$(echo "${ARY_HANDLER_JUMPHOST[*]}" | tr '\n' ' ')
-    printf 'sshd: %s\n' "${allowed}" >> "${WORKDIR}/hosts.allow"
+    printf 'sshd: %s\n' "${allowed}" >> "${VAR_WORKDIR}/hosts.allow"
-    cat << 'EOF' >| "${WORKDIR}/hosts.deny"
+    cat << 'EOF' >| "${VAR_WORKDIR}/hosts.deny"
 # /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
 #                  See the manual pages hosts_access(5) and hosts_options(5).
 #
@@ -52,7 +52,7 @@ EOF
 #
 # You may wish to enable this to ensure any programs that don't
 # validate looked-up hostnames still leave understandable logs. In past
-# versions of Debian this has been the default.
+# versions of Debian, this has been the default.
 # ALL: PARANOID
 ALL: ALL
--- a/lib/lib_hardening_ultra.sh
+++ b/lib/lib_hardening_ultra.sh
@@ -11,65 +11,65 @@
 # SPDX-Security-Contact: security@coresecret.eu
 #######################################
-# Wrapper for accompanying all CISS.2025 hardening features into the Live ISO image.
+# Wrapper for accompanying all CISS.debian.hardening features into the Live ISO image.
 # Globals:
-#   HANDLER_ARCHITECTURE
+#   ARY_HANDLER_JUMPHOST
-#   HANDLER_BUILD_DIR
+#   ARY_HANDLER_JUMPHOST_UNIQUE
-#   HANDLER_SSHPORT
+#   VAR_ARCHITECTURE
-#   HANDLER_SSHPUBKEY
+#   VAR_HANDLER_BUILD_DIR
-#   WORKDIR
+#   VAR_SSHPORT
-#   handler_jumphost
+#   VAR_SSHPUBKEY
-#   handler_jumphost_unique
+#   VAR_WORKDIR
 # Arguments:
 #  None
 #######################################
 hardening_ultra() {
  # shellcheck disable=SC2164
-  cd "${WORKDIR}"
+  cd "${VAR_WORKDIR}"
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/bootloaders ... \e[0m\n"
-  if [[ ! -d "${HANDLER_BUILD_DIR}/config/bootloaders" ]]; then
+  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/bootloaders" ]]; then
-    mkdir -p "${HANDLER_BUILD_DIR}/config/bootloaders"
+    mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/bootloaders"
-    cp -af ./config/bootloaders "${HANDLER_BUILD_DIR}/config"
+    cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config"
  else
-    cp -af ./config/bootloaders "${HANDLER_BUILD_DIR}/config"
+    cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config"
  fi
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/bootloaders done.\e[0m\n"
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.binary ... \e[0m\n"
-  if [[ ! -d "${HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" ]]; then
+  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" ]]; then
-    mkdir -p "${HANDLER_BUILD_DIR}/config/includes.binary/boot/grub"
+    mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub"
-    cp -af ./config/includes.binary "${HANDLER_BUILD_DIR}/config"
+    cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config"
  else
-    cp -af ./config/includes.binary "${HANDLER_BUILD_DIR}/config"
+    cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config"
  fi
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.binary done.\e[0m\n"
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/live ... \e[0m\n"
-  if [[ ! -d "${HANDLER_BUILD_DIR}/config/hooks/live" ]]; then
+  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/live" ]]; then
-    mkdir -p "${HANDLER_BUILD_DIR}/config/hooks/live"
+    mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/live"
-    cp -af ./config/hooks/live "${HANDLER_BUILD_DIR}/config/hooks"
+    cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
  else
-    cp -af ./config/hooks/live "${HANDLER_BUILD_DIR}/config/hooks"
+    cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
  fi
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/live done.\e[0m\n"
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.chroot ... \e[0m\n"
-  if [[ ! -d "${HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
+  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
-    mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot"
+    mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot"
-    cp -af ./config/includes.chroot "${HANDLER_BUILD_DIR}/config"
+    cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config"
  else
-    cp -af ./config/includes.chroot "${HANDLER_BUILD_DIR}/config"
+    cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config"
  fi
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.chroot done.\e[0m\n"
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/package-lists ... \e[0m\n"
-  if [[ ! -d "${HANDLER_BUILD_DIR}/config/package-lists" ]]; then
+  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/package-lists" ]]; then
-    mkdir -p "${HANDLER_BUILD_DIR}/config/package-lists"
+    mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/package-lists"
  fi
-  cp -af ./config/package-lists/live.list.common.chroot "${HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
+  cp -af ./config/package-lists/live.list.common.chroot "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
-  case "${HANDLER_ARCHITECTURE}" in
+  case "${VAR_ARCHITECTURE}" in
    amd64)
      declare arch_list="./config/package-lists/live.list.amd64.chroot"
      declare arch_comment="# amd64 specific packages"
@@ -79,7 +79,7 @@ hardening_ultra() {
      declare arch_comment="# arm64 specific packages"
      ;;
    *)
-      printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Unsupported architecture '%s'.\e[0m\n" "${HANDLER_ARCHITECTURE}"
+      printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Unsupported architecture '%s'.\e[0m\n" "${VAR_ARCHITECTURE}"
      exit 1
      ;;
  esac
@@ -105,26 +105,26 @@ hardening_ultra() {
    }
    print
    }
-    ' "${HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" > temp && mv temp "${HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
+    ' "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" > temp && mv temp "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/package-lists done.\e[0m\n"
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating SSH Keys, Ports ... \e[0m\n"
-  if [[ ! -d "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"  ]]; then
+  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"  ]]; then
-    mkdir -p  "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
+    mkdir -p  "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
-    cp -af "${HANDLER_SSHPUBKEY}/authorized_keys" "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
+    cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
-    chmod 0600 "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
+    chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
-    chown root:root "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
+    chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
-    declare -r sshport="${HANDLER_SSHPORT:-22}"
+    declare -r sshport="${VAR_SSHPORT:-22}"
-    sed -i "s|^port      = MUST_BE_SET|port      = ${sshport}|" "${HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
+    sed -i "s|^port      = MUST_BE_SET|port      = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
-    sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"${sshport}\"|" "${HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
+    sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"${sshport}\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
-    sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
+    sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
-    if [[ ${#handler_jumphost[@]} -gt 0 ]]; then
+    if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then
-      declare file="${HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
+      declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
      sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
      declare line
      line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
@@ -135,7 +135,7 @@ hardening_ultra() {
      fi
      declare host
-      for host in "${handler_jumphost_unique[@]}"; do
+      for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
        ((line++))
        sed -i "${line}a ufw allow from \"${host}\" to any port \"${sshport}\" proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file"
      done
@@ -143,19 +143,19 @@ hardening_ultra() {
  else
-    cp -af "${HANDLER_SSHPUBKEY}/authorized_keys" "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
+    cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
-    chmod 0600 "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
+    chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
-    chown root:root "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
+    chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
-    declare -r sshport="${HANDLER_SSHPORT:-22}"
+    declare -r sshport="${VAR_SSHPORT:-22}"
-    sed -i "s|^port      = MUST_BE_SET|port      = ${sshport}|" "${HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
+    sed -i "s|^port      = MUST_BE_SET|port      = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
-    sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"$sshport\"|" "${HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
+    sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"$sshport\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
-    sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
+    sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
-    if [[ ${#handler_jumphost_unique[@]} -gt 0 ]]; then
+    if [[ ${#ARY_HANDLER_JUMPHOST_UNIQUE[@]} -gt 0 ]]; then
-      declare file="${HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
+      declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
      sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
      declare line
      line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
@@ -166,7 +166,7 @@ hardening_ultra() {
      fi
      declare host
-      for host in "${handler_jumphost_unique[@]}"; do
+      for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
        ((line++))
        sed -i "${line}a ufw allow from \"${host}\" to any port \"${sshport}\" proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file"
      done
@@ -174,21 +174,21 @@ hardening_ultra() {
  fi
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating SSH Keys, Ports done. \e[0m\n"
-  if [[ -f "${WORKDIR}/hosts.allow" ]]; then
+  if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then
    printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 SSH Hardening Ultra ... \e[0m\n"
-    cp -af "${WORKDIR}/hosts.allow" "${HANDLER_BUILD_DIR}/config/includes.chroot/etc"
+    cp -af "${VAR_WORKDIR}/hosts.allow" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
-    cp -af "${WORKDIR}/hosts.deny" "${HANDLER_BUILD_DIR}/config/includes.chroot/etc"
+    cp -af "${VAR_WORKDIR}/hosts.deny" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
-    chmod 0644 "${HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.allow"
+    chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.allow"
-    chmod 0644 "${HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.deny"
+    chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.deny"
-    rm -f "${WORKDIR}/hosts.allow"
+    rm -f "${VAR_WORKDIR}/hosts.allow"
-    rm -f "${WORKDIR}/hosts.deny"
+    rm -f "${VAR_WORKDIR}/hosts.deny"
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ SSH Hardening Ultra done.\e[0m\n"
  fi
-  if ((${#handler_jumphost[@]} > 0)); then
+  if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
    printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n"
    # Join array entries with spaces, preserving any newlines
-    declare ips="${handler_jumphost[*]}"
+    declare ips="${ARY_HANDLER_JUMPHOST[*]}"
    # Flatten to a single line and strip literal brackets []
    declare flat_ips
    flat_ips=$(printf "%s" "${ips}" | tr '\n' ' ' | tr -d '[]')
@@ -196,14 +196,14 @@ hardening_ultra() {
    # Perform an in-place replacement of MUST_BE_SET with the cleaned list
    sed -i -e "s|^\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1[[:space:]]*\)MUST_BE_SET|\1${flat_ips}|" \
-        "${HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
+        "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating fail2ban Jumphosts IPs done. \e[0m\n"
  else
    printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 No jump hosts configured, removing placeholder ... \e[0m\n"
    sed -i \
        -e "s|^\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1\)[[:space:]]*MUST_BE_SET|\1|" \
        -e "s|\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1\)[[:space:]]*$|\1|" \
-        "${HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
+        "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Placeholder removed. \e[0m\n"
  fi
 }
--- a/lib/lib_helper_ip.sh
+++ b/lib/lib_helper_ip.sh
@@ -13,15 +13,15 @@
 #######################################
 # IP Notation cleaner for pure IP output only
 # Globals:
-#   handler_jumphost
+#   ARY_HANDLER_JUMPHOST
-#   handler_jumphost_unique
+#   ARY_HANDLER_JUMPHOST_UNIQUE
 # Arguments:
 #  None
 #######################################
 clean_ip() {
  declare host
  declare stripped
-  for host in "${handler_jumphost[@]}"; do
+  for host in "${ARY_HANDLER_JUMPHOST[@]}"; do
    # Remove leading '[' and trailing ']'
    stripped="${host#\[}"
    stripped="${stripped%\]}"
@@ -30,7 +30,7 @@ clean_ip() {
        continue
    fi
    # Directly append, no duplicate check
-    declare -ga handler_jumphost_unique+=("${stripped}")
+    declare -ga ARY_HANDLER_JUMPHOST_UNIQUE+=("${stripped}")
  done
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_lb_build_start.sh
+++ b/lib/lib_lb_build_start.sh
@@ -13,20 +13,20 @@
 #######################################
 # Wrapper to write a new 'lb config' environment.
 # Globals:
 #   BUILD_LOG
 #   ERR_UNCRITICAL
-#   HANDLER_BUILD_DIR
+#   VAR_BUILD_LOG
 #   VAR_HANDLER_BUILD_DIR
 # Arguments:
 #  None
 #######################################
 lb_build_start() {
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔨 Start Build... Log file: %s \e[0m\n" "${BUILD_LOG}"
+  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔨 Start Build... Log file: %s \e[0m\n" "${VAR_BUILD_LOG}"
  # sleep 1
  # shellcheck disable=SC2164
-  cd "${HANDLER_BUILD_DIR}"
+  cd "${VAR_HANDLER_BUILD_DIR}"
-  if lb build --color 2>&1 | tee "${BUILD_LOG}"; then
+  if lb build --color 2>&1 | tee "${VAR_BUILD_LOG}"; then
    printf "\e[92m✅ Build successfully completed.\e[0m\n"
  else
    printf "\e[91m❌ Build failed!\e[0m\n" >&2
--- a/lib/lib_lb_config_start.sh
+++ b/lib/lib_lb_config_start.sh
@@ -13,24 +13,24 @@
 #######################################
 # Wrapper for 'lb config' - set up a build environment or deleting old build artifacts.
 # Globals:
-#   HANDLER_BUILD_DIR
+#   VAR_HANDLER_BUILD_DIR
 # Arguments:
 #   $0: Script-name
 #######################################
 lb_config_start() {
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-  if [[ ! -d ${HANDLER_BUILD_DIR} ]]; then
+  if [[ ! -d ${VAR_HANDLER_BUILD_DIR} ]]; then
-    mkdir -p "${HANDLER_BUILD_DIR}"
+    mkdir -p "${VAR_HANDLER_BUILD_DIR}"
    # shellcheck disable=SC2164
-    cd "${HANDLER_BUILD_DIR}"
+    cd "${VAR_HANDLER_BUILD_DIR}"
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' created. \e[0m\n" "${HANDLER_BUILD_DIR}"
+    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' created. \e[0m\n" "${VAR_HANDLER_BUILD_DIR}"
  else
    # shellcheck disable=SC2164
-    cd "${HANDLER_BUILD_DIR}"
+    cd "${VAR_HANDLER_BUILD_DIR}"
  fi
-  if [[ ! -d "${HANDLER_BUILD_DIR}/.build" ]]; then
+  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/.build" ]]; then
    printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Preparing environment ... \e[0m\n"
    # Start lb config in a completely detached shell
    bash -c "lb config" &
--- a/lib/lib_lb_config_write.sh
+++ b/lib/lib_lb_config_write.sh
@@ -13,12 +13,20 @@
 #######################################
 # Wrapper to write a new 'lb config' environment.
 # Globals:
-#   HANDLER_ARCHITECTURE
+#   VAR_HANDLER_ISO_COUNTER
-#   HANDLER_BUILD_DIR
+#   VAR_ARCHITECTURE
-#   HANDLER_ISO_COUNTER
+#   VAR_HANDLER_BUILD_DIR
-#   VERSION
+#   VAR_KERNEL
-#   WORKDIR
+#   VAR_WORKDIR
-#   kernel
+#   VAR_VERSION
 # Arguments:
 #  None
 #######################################
 #######################################
 # description
 # Globals:
 # Arguments:
 #  None
 #######################################
@@ -31,7 +39,7 @@ lb_config_write() {
    --apt-recommends true \
    --apt-secure true \
    --apt-source-archives true \
-    --architecture "${HANDLER_ARCHITECTURE}" \
+    --architecture "${VAR_ARCHITECTURE}" \
    --archive-areas main contrib non-free non-free-firmware \
    --backports true \
    --binary-filesystem fat32 \
@@ -59,15 +67,15 @@ lb_config_write() {
    --firmware-binary true \
    --firmware-chroot true \
    --hdd-label "CENTURIONLIVE" \
-    --image-name "ciss-debian-live-${HANDLER_ISO_COUNTER}" \
+    --image-name "ciss-debian-live-${VAR_HANDLER_ISO_COUNTER}" \
    --initramfs "live-boot" \
    --initramfs-compression gzip \
    --initsystem systemd \
-    --iso-application "CISS.debian.live.builder: ${VERSION} - Debian-Live-Build: 20230502 - Debian-Installer: bookworm" \
+    --iso-application "CISS.debian.live.builder: ${VAR_VERSION} - Debian-Live-Build: 20230502 - Debian-Installer: bookworm" \
    --iso-preparer '(C) 2018-2025, Centurion Intelligence Consulting Agency (TM), Lisboa, Portugal' \
    --iso-publisher '(P) 2018-2025, Centurion Press (TM) - powered by https://coresecret.eu/ - contact@coresecret.eu' \
    --iso-volume 'CISS.debian.live' \
-    --linux-flavours "${kernel}" \
+    --linux-flavours "${VAR_KERNEL}" \
    --linux-packages linux-image \
    --loadlin true \
    --memtest memtest86+ \
@@ -103,10 +111,10 @@ lb_config_write() {
  sed -i 's/LB_CHECKSUMS="sha512 md5"/LB_CHECKSUMS="sha512 sha384 sha256"/1' ./config/binary
  sed -i 's/LB_DM_VERITY=""/LB_DM_VERITY="false"/1' ./config/binary
-  mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/usr/lib/live/boot
+  mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/lib/live/boot
-  cp -a "${WORKDIR}/scripts/live-boot/0030-verify-checksums" "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
+  cp -a "${VAR_WORKDIR}/scripts/live-boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
-  chmod 0755 "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
+  chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
-  chown root:root "${HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
+  chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Writing new config done.\e[0m\n"
 }
--- a/lib/lib_provider_netcup.sh
+++ b/lib/lib_provider_netcup.sh
@@ -16,14 +16,14 @@
 #  None
 #######################################
 provider_netcup() {
-  if "${handler_netcup_ipv6}"; then
+  if "${VAR_HANDLER_NETCUP_IPV6}"; then
    printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
-    declare handler_netcup_ipv6_string="${handler_netcup_ipv6_array[*]}"
+    declare handler_netcup_ipv6_string="${ARY_HANDLER_NETCUP_IPV6[*]}"
-    mkdir -p "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d
+    mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d
-    cat << EOF >| "${HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d/99-netcup-static
+    cat << EOF >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/network/interfaces.d/99-netcup-static
 ### Static IPv6 Address for Netcup Root Server
 iface ens3 inet6 static
    address ${handler_netcup_ipv6_string}/128
@@ -34,10 +34,10 @@ iface ens3 inet6 static
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
-  sed -i "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot"
+  sed -i "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot"
-  rm -f "${HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
+  rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
-  cp "${WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" "${HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
+  cp "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
-  chmod 0755 "${HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
+  chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
  fi
--- a/lib/lib_run_analysis.sh
+++ b/lib/lib_run_analysis.sh
@@ -13,17 +13,17 @@
 #######################################
 # Wrapper for statistic functions of the final build.
 # Globals:
 #   BUILD_LOG
 #   CHROOT_DIR
 #   ERR_UNCRITICAL
-#   HANDLER_BUILD_DIR
+#   VAR_BUILD_LOG
-#   PACKAGES_FILE
+#   VAR_CHROOT_DIR
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_PACKAGES_FILE
 # Arguments:
 #  None
 #######################################
 run_analysis() {
  # shellcheck disable=SC2164
-  cd "${HANDLER_BUILD_DIR}"
+  cd "${VAR_HANDLER_BUILD_DIR}"
  # shellcheck disable=SC2155
  declare iso_file=$(find . -maxdepth 1 -name "*.iso" -printf "%f\n" | sort | tail -n1)
@@ -38,21 +38,21 @@ run_analysis() {
  # shellcheck disable=SC2155
  declare iso_size_bytes=$(du -b "${iso_file}" | awk '{print $1}')
  # shellcheck disable=SC2155
-  declare chroot_size_hr=$(du -sh "${CHROOT_DIR}" 2> /dev/null | awk '{print $1}')
+  declare chroot_size_hr=$(du -sh "${VAR_CHROOT_DIR}" 2> /dev/null | awk '{print $1}')
  # shellcheck disable=SC2155
-  declare chroot_size_bytes=$(du -sb "${CHROOT_DIR}" 2> /dev/null | awk '{print $1}')
+  declare chroot_size_bytes=$(du -sb "${VAR_CHROOT_DIR}" 2> /dev/null | awk '{print $1}')
  # shellcheck disable=SC2155
  declare compression=$(awk -v iso="${iso_size_bytes}" -v chroot="${chroot_size_bytes}" 'BEGIN { printf "%.2f%%", 100 * iso / chroot }')
  # shellcheck disable=SC2155
-  declare package_count=$(wc -l < "${PACKAGES_FILE}" 2> /dev/null || echo "nicht gefunden")
+  declare package_count=$(wc -l < "${VAR_PACKAGES_FILE}" 2> /dev/null || echo "nicht gefunden")
  # shellcheck disable=SC2155
-  declare squash_cpu_used="$(grep -m1 -oP 'Using \K[0-9]+' "${BUILD_LOG}")"
+  declare squash_cpu_used="$(grep -m1 -oP 'Using \K[0-9]+' "${VAR_BUILD_LOG}")"
-  if [[ -f "${BUILD_LOG}" ]]; then
+  if [[ -f "${VAR_BUILD_LOG}" ]]; then
    # shellcheck disable=SC2155
-    declare start_line=$(grep 'lb build' "${BUILD_LOG}" | head -n1 || true)
+    declare start_line=$(grep 'lb build' "${VAR_BUILD_LOG}" | head -n1 || true)
    # shellcheck disable=SC2155
-    declare end_line=$(grep 'lb source' "${BUILD_LOG}" | tail -n1 || true)
+    declare end_line=$(grep 'lb source' "${VAR_BUILD_LOG}" | tail -n1 || true)
    if [[ -n "${start_line}" && -n "${end_line}" ]]; then
      # shellcheck disable=SC2155
--- a/lib/lib_sanitizer.sh
+++ b/lib/lib_sanitizer.sh
@@ -27,8 +27,8 @@ arg_check() {
 #######################################
 # Function to sanitize a single argument
 # Globals:
 #   ERROR_LOG
 #   ERR_INVLD_CHAR
 #   LOG_ERROR
 # Arguments:
 #   $1: Argument to check
 #######################################
@@ -46,7 +46,7 @@ sanitize_arg() {
      printf "❌         in argument : '%s'. \n" "${input}"
      printf "❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - ' \n"
      printf "\n"
-    } >> "${ERROR_LOG}"
+    } >> "${LOG_ERROR}"
    boot_screen_cleaner
    printf "\e[91m❌ Invalid character   : '%s'. \e[0m\n" "${disallowed//?/& }" >&2
    printf "\e[91m❌         in argument : '%s'. \e[0m\n" "${input}" >&2
--- a/lib/lib_trap_on_err.sh
+++ b/lib/lib_trap_on_err.sh
@@ -16,40 +16,42 @@
 #   ARGUMENTS_COUNT
 #   ARG_STR_ORG_INPUT
 #   ARG_STR_SANITIZED
-#   DEBUG_LOG
+#   LOG_DEBUG
-#   EARLY_DEBUG
+#   ERRCMMD
-#   ERROR_LOG
+#   ERRCODE
-#   VAR_LOG
+#   ERRFUNC
-#   VERSION
+#   ERRLINE
-#   errcmmd
+#   ERRSCRT
-#   errcode
+#   LOG_ERROR
-#   errfunc
+#   LOG_VAR
-#   errline
+#   SECONDS
-#   errscrt
+#   VAR_EARLY_DEBUG
 #   VAR_SYSTEM
 #   VAR_VERSION
 # Arguments:
 #  None
 #######################################
 print_file_err() {
  {
    printf "❌ CISS.debian.live.builder Script failed. \n"
-    printf "❌ Version             : %s \n" "${VERSION}"
+    printf "❌ Version             : %s \n" "${VAR_VERSION}"
-    printf "❌ Environment         : %s \n" "${SYSTEM_VAR}"
+    printf "❌ Environment         : %s \n" "${VAR_SYSTEM}"
-    printf "❌ Error               : %s \n" "${errcode}"
+    printf "❌ Error               : %s \n" "${ERRCODE}"
-    printf "❌ Line                : %s \n" "${errline}"
+    printf "❌ Line                : %s \n" "${ERRLINE}"
-    printf "❌ Script              : %s \n" "${errscrt}"
+    printf "❌ Script              : %s \n" "${ERRSCRT}"
-    printf "❌ Function            : %s \n" "${errfunc}"
+    printf "❌ Function            : %s \n" "${ERRFUNC}"
-    printf "❌ Command             : %s \n" "${errcmmd}"
+    printf "❌ Command             : %s \n" "${ERRCMMD}"
    printf "❌ Script Runtime      : %s \n" "${SECONDS}"
    printf "❌ Arguments Counter   : %s \n" "${ARGUMENTS_COUNT}"
    printf "❌ Arguments Original  : %s \n" "${ARG_STR_ORG_INPUT}"
    printf "❌ Arguments Sanitized : %s \n" "${ARG_STR_SANITIZED}"
-    if "${EARLY_DEBUG}"; then
+    if "${VAR_EARLY_DEBUG}"; then
-      printf "❌ Vars Dump saved at  : %s \n" "${VAR_LOG}"
+      printf "❌ Vars Dump saved at  : %s \n" "${LOG_VAR}"
-      printf "❌ Debug Log saved at  : %s \n" "${DEBUG_LOG}"
+      printf "❌ Debug Log saved at  : %s \n" "${LOG_DEBUG}"
-      printf "❌                   cat %s \n" "${DEBUG_LOG}"
+      printf "❌                   cat %s \n" "${LOG_DEBUG}"
    fi
    printf "\n"
-  } >> "${ERROR_LOG}"
+  } >> "${LOG_ERROR}"
 }
 #######################################
@@ -58,38 +60,40 @@ print_file_err() {
 #   ARGUMENTS_COUNT
 #   ARG_STR_ORG_INPUT
 #   ARG_STR_SANITIZED
-#   DEBUG_LOG
+#   LOG_DEBUG
-#   EARLY_DEBUG
+#   ERRCMMD
-#   ERROR_LOG
+#   ERRCODE
-#   VAR_LOG
+#   ERRFUNC
-#   VERSION
+#   ERRLINE
-#   errcmmd
+#   ERRSCRT
-#   errcode
+#   LOG_ERROR
-#   errfunc
+#   LOG_VAR
-#   errline
+#   SECONDS
-#   errscrt
+#   VAR_EARLY_DEBUG
 #   VAR_SYSTEM
 #   VAR_VERSION
 # Arguments:
 #  None
 #######################################
 print_scr_err() {
  printf "\e[91m❌ CISS.debian.live.builder Script failed. \e[0m\n" >&2
-  printf "\e[91m❌ Version             : %s \e[0m\n" "${VERSION}" >&2
+  printf "\e[91m❌ Version             : %s \e[0m\n" "${VAR_VERSION}" >&2
-  printf "\e[91m❌ Environment         : %s \e[0m\n" "${SYSTEM_VAR}" >&2
+  printf "\e[91m❌ Environment         : %s \e[0m\n" "${VAR_SYSTEM}" >&2
-  printf "\e[91m❌ Error               : %s \e[0m\n" "${errcode}" >&2
+  printf "\e[91m❌ Error               : %s \e[0m\n" "${ERRCODE}" >&2
-  printf "\e[91m❌ Line                : %s \e[0m\n" "${errline}" >&2
+  printf "\e[91m❌ Line                : %s \e[0m\n" "${ERRLINE}" >&2
-  printf "\e[91m❌ Script              : %s \e[0m\n" "${errscrt}" >&2
+  printf "\e[91m❌ Script              : %s \e[0m\n" "${ERRSCRT}" >&2
-  printf "\e[91m❌ Function            : %s \e[0m\n" "${errfunc}" >&2
+  printf "\e[91m❌ Function            : %s \e[0m\n" "${ERRFUNC}" >&2
-  printf "\e[91m❌ Command             : %s \e[0m\n" "${errcmmd}" >&2
+  printf "\e[91m❌ Command             : %s \e[0m\n" "${ERRCMMD}" >&2
  printf "\e[91m❌ Script Runtime      : %s \e[0m\n" "${SECONDS}" >&2
  printf "\e[91m❌ Arguments Counter   : %s \e[0m\n" "${ARGUMENTS_COUNT}" >&2
  printf "\e[91m❌ Arguments Original  : %s \e[0m\n" "${ARG_STR_ORG_INPUT}" >&2
  printf "\e[91m❌ Arguments Sanitized : %s \e[0m\n" "${ARG_STR_SANITIZED}" >&2
-  printf "\e[91m❌ Error Log saved at  : %s \e[0m\n" "${ERROR_LOG}" >&2
+  printf "\e[91m❌ Error Log saved at  : %s \e[0m\n" "${LOG_ERROR}" >&2
-  printf "\e[91m❌                   cat %s \e[0m\n" "${ERROR_LOG}" >&2
+  printf "\e[91m❌                   cat %s \e[0m\n" "${LOG_ERROR}" >&2
-  if "${EARLY_DEBUG}"; then
+  if "${VAR_EARLY_DEBUG}"; then
-    printf "\e[91m❌ Vars Dump saved at  : %s \e[0m\n" "${VAR_LOG}" >&2
+    printf "\e[91m❌ Vars Dump saved at  : %s \e[0m\n" "${LOG_VAR}" >&2
-    printf "\e[91m❌ Debug Log saved at  : %s \e[0m\n" "${DEBUG_LOG}" >&2
+    printf "\e[91m❌ Debug Log saved at  : %s \e[0m\n" "${LOG_DEBUG}" >&2
-    printf "\e[91m❌                   cat %s \e[0m\n" "${DEBUG_LOG}" >&2
+    printf "\e[91m❌                   cat %s \e[0m\n" "${LOG_DEBUG}" >&2
  fi
  printf "\n"
 }
@@ -97,7 +101,12 @@ print_scr_err() {
 #######################################
 # Trap function to be called on 'ERR'.
 # Globals:
-#   EARLY_DEBUG
+#   ERRCMMD
 #   ERRCODE
 #   ERRFUNC
 #   ERRLINE
 #   ERRSCRT
 #   VAR_EARLY_DEBUG
 # Arguments:
 #   $1: $?
 #   $2: ${BASH_SOURCE[0]}
@@ -106,14 +115,14 @@ print_scr_err() {
 #   $5: ${BASH_COMMAND}
 #######################################
 trap_on_err() {
-  declare -g errcode="$1"
+  declare -g ERRCODE="$1"
-  declare -g errscrt="$2"
+  declare -g ERRSCRT="$2"
-  declare -g errline="$3"
+  declare -g ERRLINE="$3"
-  declare -g errfunc="$4"
+  declare -g ERRFUNC="$4"
-  declare -g errcmmd="$5"
+  declare -g ERRCMMD="$5"
  trap - ERR
-  if "${EARLY_DEBUG}"; then dump_user_vars; fi
+  if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi
-  clean_up "${errcode}"
+  clean_up "${ERRCODE}"
  clean_screen
  print_file_err
  print_scr_err
@@ -122,10 +131,9 @@ trap_on_err() {
 #######################################
 # Gather all user-defined variables (name and value)
 # Globals:
-#   VAR_LOG
+#   LOG_VAR
-#   VERSION
+#   VAR_DUMP_VARS_INITIAL
-#   dump_vars_initial
+#   VAR_VERSION
 #   var
 # Arguments:
 #  None
 #######################################
@@ -144,19 +152,19 @@ dump_user_vars() {
  {
    printf "✅ CISS.debian.live.builder Config Variable Dump. \n"
-    printf "✅ Version             : %s \n" "${VERSION}"
+    printf "✅ Version             : %s \n" "${VAR_VERSION}"
    printf "\n"
    printf "===== Initial VAR Environment ===== \n"
-  } >> "${VAR_LOG}"
+  } >> "${LOG_VAR}"
-  comm -23 "${dump_vars_initial}" "${dump_vars_final}" >> "${VAR_LOG}"  || true
+  comm -23 "${VAR_DUMP_VARS_INITIAL}" "${dump_vars_final}" >> "${LOG_VAR}"  || true
  {
    printf "\n"
    printf "===== Final VAR Environment ===== \n"
-  } >> "${VAR_LOG}"
+  } >> "${LOG_VAR}"
-  comm -13 "${dump_vars_initial}" "${dump_vars_final}" >> "${VAR_LOG}" || true
+  comm -13 "${VAR_DUMP_VARS_INITIAL}" "${dump_vars_final}" >> "${LOG_VAR}" || true
-  rm "${dump_vars_initial}" "${dump_vars_final}"
+  rm "${VAR_DUMP_VARS_INITIAL}" "${dump_vars_final}"
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_trap_on_exit.sh
+++ b/lib/lib_trap_on_exit.sh
@@ -13,7 +13,7 @@
 #######################################
 # Trap function to be called on 'EXIT'.
 # Globals:
-#   EARLY_DEBUG
+#   VAR_EARLY_DEBUG
 # Arguments:
 #   $1: $?
 #######################################
@@ -21,7 +21,7 @@ trap_on_exit() {
  declare -r trap_on_exit_code="$1"
  trap - EXIT
  if (( trap_on_exit_code == 0 )); then
-    if "${EARLY_DEBUG}"; then dump_user_vars; fi
+    if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi
    clean_up "${trap_on_exit_code}"
    print_scr_exit "${trap_on_exit_code}"
    exit 0
@@ -33,28 +33,29 @@ trap_on_exit() {
 #######################################
 # Print Success Message for Trap on 'EXIT' on 'stdout'
 # Globals:
-#   DEBUG
+#   LOG_DEBUG
-#   DEBUG_LOG
+#   LOG_VAR
-#   HANDLER_BUILD_DIR
+#   SECONDS
-#   VAR_LOG
+#   VAR_EARLY_DEBUG
-#   handler_success
+#   VAR_HANDLER_BUILD_DIR
 #   VAR_SCRIPT_SUCCESS
 # Arguments:
 #   $1: ${trap_on_exit_code} of trap_on_exit()
 #######################################
 print_scr_exit() {
  declare -r print_scr_exit_code="$1"
  if (( print_scr_exit_code == 0 )); then
-    if [[ "${handler_success}" == "true" ]]; then
+    if [[ "${VAR_SCRIPT_SUCCESS}" == "true" ]]; then
      printf "\n"
      printf "\e[92m✅ CISS.debian.live.builder Script successful. \e[0m\n"
-      printf "\e[92m✅ Aide Initial DB at: %s \e[0m\n" "${HANDLER_BUILD_DIR}/.integrity/"
+      printf "\e[92m✅ Aide Initial DB at: %s \e[0m\n" "${VAR_HANDLER_BUILD_DIR}/.integrity/"
      printf "\e[92m✅ Exited with Status: %s \e[0m\n" "${print_scr_exit_code}"
      printf "\n"
-      if [[ "${EARLY_DEBUG}" == "true" ]]; then
+      if [[ "${VAR_EARLY_DEBUG}" == "true" ]]; then
        printf "\e[92m✅ Script Runtime    : %s \e[0m\n" "${SECONDS}"
-        printf "\e[92m✅ Vars Dump saved at: %s \e[0m\n" "${VAR_LOG}"
+        printf "\e[92m✅ Vars Dump saved at: %s \e[0m\n" "${LOG_VAR}"
-        printf "\e[92m✅ Debug Log saved at: %s \e[0m\n" "${DEBUG_LOG}"
+        printf "\e[92m✅ Debug Log saved at: %s \e[0m\n" "${LOG_DEBUG}"
-        printf "\e[92m✅                 cat %s \e[0m\n" "${DEBUG_LOG}"
+        printf "\e[92m✅                 cat %s \e[0m\n" "${LOG_DEBUG}"
        printf "\n"
      fi
      printf "\e[95m💷 Please consider donating to my work at: \e[0m\n"
--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -22,7 +22,7 @@ usage() {
  cat << EOF
 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.02.512.2025.05.30\e[0m")
+$(echo -e "\e[92mMaster V8.02.644.2025.05.31\e[0m")
 $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
 $(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
--- a/scripts/9000-cdi-starter
+++ b/scripts/9000-cdi-starter
@@ -15,7 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 # sleep 1
 [[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log
-printf "CISS.debian.installer Master V8.02.512.2025.05.30 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+printf "CISS.debian.installer Master V8.02.644.2025.05.31 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
 if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then
  chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh
--- a/var/global.var.sh
+++ b/var/global.var.sh
@@ -11,45 +11,46 @@
 # SPDX-Security-Contact: security@coresecret.eu
 # shellcheck disable=SC2155
-declare -gr SYSTEM_VAR="$(uname -a)"
+declare -gr VAR_SYSTEM="$(uname -a)"
 # shellcheck disable=SC2155
-declare -gr ISO8601="$(date +%Y_%m_%d_%H_%M_%S)"
+declare -gr VAR_ISO8601="$(date +%Y_%m_%d_%H_%M_%S)"
 # shellcheck disable=SC2155
-declare -gr KERNEL_INF="$(mktemp)"
+declare -gr VAR_KERNEL_INF="$(mktemp)"
 # shellcheck disable=SC2155
-declare -gr KERNEL_TMP="$(mktemp)"
+declare -gr VAR_KERNEL_TMP="$(mktemp)"
 # shellcheck disable=SC2155
-declare -gr KERNEL_SRT="$(mktemp)"
+declare -gr VAR_KERNEL_SRT="$(mktemp)"
 # shellcheck disable=SC2155
-declare -gr notes="$(mktemp)"
+declare -gr VAR_NOTES="$(mktemp)"
-if "${EARLY_DEBUG}"; then
+if "${VAR_EARLY_DEBUG}"; then
-  declare -gr VAR_LOG="/tmp/ciss_live_builder_$$_var.log"
+  declare -gr LOG_VAR="/tmp/ciss_live_builder_$$_var.log"
-  touch "${VAR_LOG}" && chmod 0600 "${VAR_LOG}"
+  touch "${LOG_VAR}" && chmod 0600 "${LOG_VAR}"
 fi
-declare -gr ERROR_LOG="/tmp/ciss_live_builder_$$_error.log"
+declare -gr LOG_ERROR="/tmp/ciss_live_builder_$$_error.log"
-touch "${ERROR_LOG}" && chmod 0600 "${ERROR_LOG}"
+touch "${LOG_ERROR}" && chmod 0600 "${LOG_ERROR}"
-declare -g HANDLER_ARCHITECTURE=""
+declare -g VAR_ARCHITECTURE=""
-declare -g HANDLER_BUILD_DIR=""
+declare -g VAR_HANDLER_AUTOBUILD="false"
-declare -g HANDLER_CDI=""
+declare -g VAR_HANDLER_BUILD_DIR=""
-declare -g HANDLER_DHCP=""
+declare -g VAR_HANDLER_CDI=""
-declare -g HANDLER_SPLASH=""
+declare -g VAR_HANDLER_DHCP=""
-declare -g HANDLER_SSHPORT=""
+declare -g VAR_HANDLER_SPLASH=""
-declare -g HANDLER_SSHPUBKEY=""
+declare -g VAR_SSHPORT=""
-declare -g handler_success=""
+declare -g VAR_SSHPUBKEY=""
-declare -g HANDLER_PRIORITY=""
+declare -g VAR_SCRIPT_SUCCESS=""
-declare -g handler_netcup_ipv6=""
+declare -g VAR_HANDLER_PRIORITY=""
-declare -g handler_netcup_ipv6_array=""
+declare -g VAR_HANDLER_NETCUP_IPV6=""
-declare -g HASHED_PWD=""
+declare -g VAR_HASHED_PWD=""
-declare -g HANDLER_STA=""
+declare -g VAR_HANDLER_STA=""
-declare -g REIONICE_CLASS=""
+declare -g VAR_REIONICE_CLASS=""
-declare -g REIONICE_PRIORITY=""
+declare -g VAR_REIONICE_PRIORITY=""
-declare -gr CHROOT_DIR="chroot"
+declare -gr VAR_CHROOT_DIR="chroot"
-declare -gr PACKAGES_FILE="chroot.packages.live"
+declare -gr VAR_PACKAGES_FILE="chroot.packages.live"
-declare -ga handler_jumphost=()
+declare -ga ARY_HANDLER_JUMPHOST=()
-declare -ga handler_jumphost_unique=()
+declare -ga ARY_HANDLER_NETCUP_IPV6=()
 declare -ga ARY_HANDLER_JUMPHOST_UNIQUE=()
 ### Definition of error codes
 declare -gir ERR_UNCRITICAL=127
@@ -75,9 +76,9 @@ declare -gir ERR_UNBOUNDVAR=254 # Unbound Variable
 declare -gir ERR_UNSPPTBASH=255 # Unsupported Bash
 ### Definition of error trap vars
-declare -g errcode="" # = $?                   = $1 = ERRCODE
+declare -g ERRCODE="" # = $?                   = $1 = ERRCODE
-declare -g errscrt="" # = ${BASH_SOURCE[0]}    = $2 = ERRSCRT
+declare -g ERRSCRT="" # = ${BASH_SOURCE[0]}    = $2 = ERRSCRT
-declare -g errline="" # = ${LINENO}            = $3 = ERRLINE
+declare -g ERRLINE="" # = ${LINENO}            = $3 = ERRLINE
-declare -g errfunc="" # = ${FUNCNAME[0]:-main} = $4 = ERRFUNC
+declare -g ERRFUNC="" # = ${FUNCNAME[0]:-main} = $4 = ERRFUNC
-declare -g errcmmd="" # = ${$BASH_COMMAND}     = $5 = ERRCMMD
+declare -g ERRCMMD="" # = ${$BASH_COMMAND}     = $5 = ERRCMMD
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh