V8.13.416.2025.11.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-17 06:42:57 +01:00
parent 3f1d6789c3
commit f0ee12513f
68 changed files with 251 additions and 113 deletions
--- a/.archive/generate_PRIVATE_trixie_0.yaml
+++ b/.archive/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.408.2025.11.13
+# Version Master V8.13.416.2025.11.17

 name: 🔐 Generating a Private Live ISO TRIXIE.

--- a/.archive/generate_PRIVATE_trixie_1.yaml
+++ b/.archive/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.408.2025.11.13
+# Version Master V8.13.416.2025.11.17

 name: 🔐 Generating a Private Live ISO TRIXIE.

--- a/.archive/generate_PUBLIC_iso.yaml
+++ b/.archive/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.408.2025.11.13
+# Version Master V8.13.416.2025.11.17

 name: 💙 Generating a PUBLIC Live ISO.

--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.13.408.2025.11.13"
+      placeholder: "e.g., Master V8.13.416.2025.11.17"
    validations:
      required: true

--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.408.2025.11.13
+# Version Master V8.13.416.2025.11.17

 FROM debian:bookworm

--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.408.2025.11.13
+# Version Master V8.13.416.2025.11.17

 name: 🔁 Render README.md to README.html.

--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.13.408.2025.11.13
+  version: V8.13.416.2025.11.17
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.408.2025.11.13
+# Version Master V8.13.416.2025.11.17

 name: 🔐 Generating a Private Live ISO TRIXIE.

--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.408.2025.11.13
+# Version Master V8.13.416.2025.11.17

 name: 🔐 Generating a Private Live ISO TRIXIE.

--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.408.2025.11.13
+# Version Master V8.13.416.2025.11.17

 name: 💙 Generating a PUBLIC Live ISO.

--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.408.2025.11.13
+# Version Master V8.13.416.2025.11.17

 # Gitea Workflow: Shell-Script Linting
 #
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.408.2025.11.13
+# Version Master V8.13.416.2025.11.17

 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.

--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.408.2025.11.13
+# Version Master V8.13.416.2025.11.17

 name: 🔁 Render Graphviz Diagrams.

--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.408.2025.11.13"
+properties_version="V8.13.416.2025.11.17"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.408.2025.11.13
+PackageVersion: Master V8.13.416.2025.11.17
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.408.2025.11.13-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.416.2025.11.17-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -27,7 +27,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.408.2025.11.13<br>
+**Build**: V8.13.416.2025.11.17<br>

 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -152,7 +152,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-

 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.

-Example: `V8.13.408.2025.11.13`
+Example: `V8.13.416.2025.11.17`

 `x.y.z` represents major (x), minor (y), and patch (z) version increments.

--- a/REPOSITORY.md
+++ b/REPOSITORY.md
@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.408.2025.11.13<br>
+**Build**: V8.13.416.2025.11.17<br>

 # 2.1. Repository Structure

 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **8.13**, Build **V8.13.408.2025.11.13** (as of 2025-10-11)
+**Repository State:** Master Version **8.13**, Build **V8.13.416.2025.11.17** (as of 2025-10-11)

 ## 2.2. Top-Level Layout

--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -20,6 +20,14 @@
 # default login shell has been zsh, but bash remains available at '/bin/bash'. Windows support. You can use bash via WSL, MSYS2,
 # or Cygwin on Windows systems.

+### RESOURCES
+# https://github.com/koalaman/shellcheck
+# https://github.com/mvdan/sh
+# https://google.github.io/styleguide/shellguide.html
+# https://mywiki.wooledge.org/BashGuide
+# https://www.bashsupport.com/de/
+# https://www.gnu.org/software/bash/manual/
+
 ### CATCH ARGUMENTS AND DECLARE BASIC VARIABLES.
 # shellcheck disable=SC2155,SC2249
 declare -agx  ARY_PARAM_ARRAY=("$@")                                     # Arguments passed to script as an array.
--- a/config/hooks/live/0000_basic_chroot_setup.chroot
+++ b/config/hooks/live/0000_basic_chroot_setup.chroot
@@ -204,7 +204,8 @@ generate_ciss_xdg_sh
 generate_ciss_xdg_tmp_sh

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 apt-get update -qq
 apt-get install -y --no-install-suggests libpam-systemd

--- a/config/hooks/live/0007_update_logrotate.chroot
+++ b/config/hooks/live/0007_update_logrotate.chroot
@@ -14,7 +14,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"

 rm -f         "/etc/logrotate.conf"
 cat << EOF >| "/etc/logrotate.conf"
--- a/config/hooks/live/0010_install_apparmor.chroot
+++ b/config/hooks/live/0010_install_apparmor.chroot
@@ -14,7 +14,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 apt-get install -y --no-install-recommends apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra

 install -d /etc/systemd/system/apparmor.service.d
--- a/config/hooks/live/0020_dropbear_build.chroot
+++ b/config/hooks/live/0020_dropbear_build.chroot
@@ -14,7 +14,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"

 ### Declare Arrays, HashMaps, and Variables.
 declare var_dropbear_version="2025.88"
--- a/config/hooks/live/0021_dropbear_initramfs.chroot
+++ b/config/hooks/live/0021_dropbear_initramfs.chroot
@@ -10,14 +10,15 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
-set -x
+
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

 ### Declare Arrays, HashMaps, and Variables.
 declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"

 apt-get install -y --no-install-recommends --no-install-suggests cryptsetup-initramfs dropbear-initramfs dropbear-bin 2>&1 | tee -a "${var_logfile}"
 apt-get purge -y dropbear 2>&1 | tee -a "${var_logfile}" || true
--- a/config/hooks/live/0022_dropbear_setup.chroot
+++ b/config/hooks/live/0022_dropbear_setup.chroot
@@ -14,7 +14,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"

 #######################################
 # Set up the 'dropbear-initramfs' environment.
--- a/config/hooks/live/0080_keyboard_layout.chroot
+++ b/config/hooks/live/0080_keyboard_layout.chroot
@@ -22,7 +22,8 @@ BACKSPACE="guess"
 EOF

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 dpkg-reconfigure -f noninteractive keyboard-configuration

 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
--- a/config/hooks/live/0090_jitterentropy.chroot
+++ b/config/hooks/live/0090_jitterentropy.chroot
@@ -14,7 +14,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 apt-get install -y --no-install-recommends jitterentropy-rngd

 cd /root
--- a/config/hooks/live/0100_ciss_mem_wipe.chroot
+++ b/config/hooks/live/0100_ciss_mem_wipe.chroot
@@ -14,9 +14,10 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"

-apt-get install -y --no-install-recommends kexec-tools busybox-static
+apt-get install -y --no-install-recommends kexec-tools

 install -d -m 0755 /boot/ciss-memwipe
 install -d -m 0755 /usr/local/sbin
@@ -25,32 +26,89 @@ install -d -m 0755 /etc/default

 ### Pick a kernel to kexec into: use the latest installed vmlinuz. -------------------------------------------------------------
 # shellcheck disable=SC2012,SC2155
-declare _kernel="$(cd /boot && ls -1 vmlinuz-* | sed 's|vmlinuz-||' | sort -V | tail -n1)"
-cp -f "/boot/vmlinuz-${_kernel}" /boot/ciss-memwipe/vmlinuz
+declare _KERNEL="$(cd /boot && ls -1 vmlinuz-* | sed 's|vmlinuz-||' | sort -V | tail -n1)"
+cp -f "/boot/vmlinuz-${_KERNEL}" /boot/ciss-memwipe/vmlinuz

 ### Build minimal initramfs with a busybox and a tiny '/init'. -----------------------------------------------------------------
-declare TMPDIR; TMPDIR="$(mktemp -d)"
-trap 'rm -rf "${TMPDIR}"' EXIT
+declare _TMP_DIR; _TMP_DIR="$(mktemp -d)"
+trap 'rm -rf "${_TMP_DIR}"' EXIT

-mkdir -p "${TMPDIR}"/{bin,dev,proc,sys,wipe}
-cp -f /bin/busybox.static "${TMPDIR}/bin/busybox"
+mkdir -p "${_TMP_DIR}"/{bin,dev,proc,sys,wipe}

+### Locate the current busybox binary. -----------------------------------------------------------------------------------------
+declare _BUSYBOX_BIN; _BUSYBOX_BIN="$(command -v busybox || true)"
+if [[ -z "${_BUSYBOX_BIN}" ]]; then
+  echo "ERROR: busybox not found after installation attempt." >&2
+  exit 42
+fi
+
+cp -f "${_BUSYBOX_BIN}" "${_TMP_DIR}/bin/busybox"
+
+###
+
+#######################################
+# Copy required shared libs into the initramfs (if the busybox is dynamic).
+# Globals:
+#   _TMP_DIR
+# Arguments:
+#   1: _BUSYBOX_BIN
+# Returns:
+#   0: on success
+#######################################
+copy_libs() {
+  declare bin="$1"
+
+  if ldd "${bin}" 2>&1 | grep -q 'not a dynamic executable'; then
+    return 0
+  fi
+
+  ldd "${bin}" | awk '
+    /=> \// {print $3}
+    # some libs are printed as absolute path without "=>"
+    /^\//    {print $1}
+  ' | while read -r lib; do
+    [[ -n "${lib}" ]] || continue
+    dest="${_TMP_DIR}$(dirname "${lib}")"
+    install -d -m 0755 "${dest}"
+    cp -f "${lib}" "${dest}"
+  done
+}
+
+copy_libs "${_BUSYBOX_BIN}"
+
+### Generate /init script
 cat << 'EOF' >| "${TMPDIR}/init"
 #!/bin/busybox sh
-### Minimal init to wipe RAM, then power off.
-### Parses cmdline: ciss_wipe_passes=2 ciss_wipe_mode=zero+random ciss_dd_bs=64M ciss_tmpfs_pct=95
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Minimal init to wipe RAM, then power off.
+# Parses cmdline: ciss_wipe_passes=2 ciss_wipe_mode=zero+random ciss_dd_bs=64M ciss_tmpfs_pct=95
 set -eu

+#######################################
+# Helper
+# Globals:
+#   None
+# Arguments:
+#   1: key
+# Returns:
+#   0: on success
+#######################################
 get_arg() { # $1=key ; echoes value or empty
-
  for tok in $(cat /proc/cmdline); do
-
-    case "${tok}" in
+    case "$tok" in
      $1=*) echo "${tok#*=}"; return 0;;
    esac
-
  done
-
  echo ""
 }

@@ -67,15 +125,24 @@ MODE="$(get_arg ciss_wipe_mode)"; [ -n "${MODE}" ] || MODE="zero+random"
 BS="$(get_arg ciss_dd_bs)"; [ -n "${BS}" ] || BS=64M
 PCT="$(get_arg ciss_tmpfs_pct)"; [ -n "${PCT}" ] || PCT=95

-echo 1 > /proc/sys/kernel/printk 2>/dev/null || true
+echo 1 >| /proc/sys/kernel/printk 2>/dev/null || true

 MEM_KB="$(awk '/MemTotal:/ {print $2}' /proc/meminfo)"
 SIZE_KB=$(( MEM_KB * PCT / 100 ))
 mount -t tmpfs -o "size=${SIZE_KB}k,nodev,nosuid,noexec,mode=0700" tmpfs /wipe

+#######################################
+# Wipe helper
+# Globals:
+#   None
+# Arguments:
+#   1: pattern
+# Returns:
+#   0: on success
+#######################################
 wipe_pass() {
-  pattern="$1"
-  if [ "${pattern}" = "zero" ]; then
+  pattern="$1" # zero or random
+  if [ "$pattern" = "zero" ]; then
    src="/dev/zero"
  else
    src="/dev/urandom"
@@ -83,17 +150,19 @@ wipe_pass() {

  i=0
  while :; do
-    busybox dd if="${src}" of="/wipe/block_${i}" bs="${BS}" status=none || break
+    # Use busybox dd explicitly to avoid surprises
+    busybox dd if="$src" of="/wipe/block_$i" bs="$BS" status=none || break
    i=$((i+1))
  done
  sync
  echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
  rm -f /wipe/block_* 2>/dev/null || true
  sync
+  return 0
 }

 DO_ZERO=0; DO_RANDOM=0
-case "${MODE}" in
+case "$MODE" in
  zero) DO_ZERO=1 ;;
  random) DO_RANDOM=1 ;;
  zero+random|random+zero) DO_ZERO=1; DO_RANDOM=1 ;;
@@ -101,31 +170,59 @@ case "${MODE}" in
 esac

 p=1
-while [ ${p} -le "${PASSES}" ]; do
-  [ ${DO_ZERO} -eq 1 ] && wipe_pass zero
-  [ ${DO_RANDOM} -eq 1 ] && wipe_pass random
+while [ $p -le "$PASSES" ]; do
+  [ $DO_ZERO -eq 1 ] && wipe_pass zero
+  [ $DO_RANDOM -eq 1 ] && wipe_pass random
  p=$((p+1))
 done

 sync
 busybox poweroff -f || echo o >| /proc/sysrq-trigger
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF

 chmod +x "${TMPDIR}/init"

+### Create the initramfs archive.
 ( cd "${TMPDIR}" && find . -print0 | cpio --null -ov --format=newc ) | gzip -9 > /boot/ciss-memwipe/initrd.img

+### Default configuration.
 cat << 'EOF' >| /etc/default/ciss-memwipe
-### CISS Memory Wipe defaults
-CISS_WIPE_PASSES=2           # number of passes
-CISS_WIPE_MODE="zero+random" # zero | random | zero+random
-CISS_WIPE_DD_BS="64M"        # dd block size
-CISS_WIPE_TMPFS_PCT=95       # percentage of MemTotal to allocate
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# CISS Memory Wipe defaults:
+
+CISS_WIPE_PASSES=2             # number of passes
+CISS_WIPE_MODE="zero+random"   # zero | random | zero+random
+CISS_WIPE_DD_BS="64M"          # dd block size
+CISS_WIPE_TMPFS_PCT=95         # percentage of MemTotal to allocate
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF

+### Helper script
 cat << 'EOF' >| /usr/local/sbin/ciss-memwipe
 #!/bin/bash
-# Prepare and execute kexec-based memory wipe.
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
 set -euo pipefail

 . /etc/default/ciss-memwipe || true
@@ -136,22 +233,19 @@ INITRD="/boot/ciss-memwipe/initrd.img"
 append_common="quiet loglevel=1 ciss_wipe_passes=${CISS_WIPE_PASSES:-2} ciss_wipe_mode=${CISS_WIPE_MODE:-zero+random} ciss_dd_bs=${CISS_WIPE_DD_BS:-64M} ciss_tmpfs_pct=${CISS_WIPE_TMPFS_PCT:-95}"

 prepare() {
-  # Try to allow kexec if not locked down
  if [ -w /proc/sys/kernel/kexec_load_disabled ] && [ "$(cat /proc/sys/kernel/kexec_load_disabled)" = "1" ]; then
    echo 0 > /proc/sys/kernel/kexec_load_disabled || true
  fi
-  # Load wipe kernel
-  if command -v kexec >/dev/null 2>&1 && [ -s "${KERNEL}" ] && [ -s "${INITRD}" ]; then
-    kexec -l "${KERNEL}" --initrd="${INITRD}" --append="${append_common}" || true
+  if command -v kexec >/dev/null 2>&1 && [ -s "$KERNEL" ] && [ -s "$INITRD" ]; then
+    kexec -l "$KERNEL" --initrd="$INITRD" --append="$append_common" || true
  fi
 }

 fallback_inplace() {
-  # Last-resort: wipe in-place via tmpfs and then power off
  mount -t tmpfs -o "size=95%,nodev,nosuid,noexec,mode=0700" tmpfs /run/wipe 2>/dev/null || mkdir -p /run/wipe
  i=0
  while :; do
-    dd if=/dev/zero of="/run/wipe/blk_${i}" bs="${CISS_WIPE_DD_BS:-64M}" status=none || break
+    dd if=/dev/zero of="/run/wipe/blk_$i" bs="${CISS_WIPE_DD_BS:-64M}" status=none || break
    i=$((i+1))
  done
  sync; echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
@@ -162,9 +256,7 @@ fallback_inplace() {

 execute() {
  sync; echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
-  # Prefer systemd's path if possible
  if command -v systemctl >/dev/null 2>&1 && systemctl --quiet is-system-running; then
-    # If kexec image was loaded, systemctl kexec will use it
    systemctl kexec || kexec -e || fallback_inplace
  else
    kexec -e || fallback_inplace
@@ -176,15 +268,16 @@ case "${1:-}" in
  execute) execute ;;
  *) echo "Usage: $0 {prepare|execute}" >&2; exit 2 ;;
 esac
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 chmod 0755 /usr/local/sbin/ciss-memwipe

-### Systemd service: load at boot, execute on shutdown
+### Systemd service: load at boot, execute on shutdown.
 cat << 'EOF' >| /etc/systemd/system/ciss-memwipe.service
 [Unit]
 Description=CISS: preload and execute kexec-based RAM wipe on shutdown
 DefaultDependencies=no
-# Ensure we run late enough on shutdown, but early enough to take over
 Before=shutdown.target
 After=local-fs.target network.target multi-user.target

@@ -192,7 +285,6 @@ After=local-fs.target network.target multi-user.target
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/local/sbin/ciss-memwipe prepare
-# ExecStop runs during shutdown: jump into wipe kernel
 ExecStop=/usr/local/sbin/ciss-memwipe execute
 TimeoutStartSec=20s
 TimeoutStopSec=infinity
@@ -201,6 +293,9 @@ TimeoutStopSec=infinity
 WantedBy=multi-user.target
 EOF

+install -d -m 0755 /etc/systemd/system/multi-user.target.wants
+ln -sf /etc/systemd/system/ciss-memwipe.service /etc/systemd/system/multi-user.target.wants/ciss-memwipe.service
+
 systemctl enable ciss-memwipe.service

 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
--- a/config/hooks/live/0400_eza_install.chroot
+++ b/config/hooks/live/0400_eza_install.chroot
@@ -24,7 +24,8 @@ echo "deb [signed-by=/etc/apt/keyrings/gierens.gpg] http://deb.gierens.de stable
 chmod 644 /etc/apt/keyrings/gierens.gpg /etc/apt/sources.list.d/gierens.list

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 apt-get update -qq
 apt-get install -y eza

--- a/config/hooks/live/0800_lynis_setup.chroot
+++ b/config/hooks/live/0800_lynis_setup.chroot
@@ -17,7 +17,8 @@ curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --d
 echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 apt-get update -qq
 apt-get install -y lynis
 lynis show version
--- a/config/hooks/live/0810_chrony_setup.chroot
+++ b/config/hooks/live/0810_chrony_setup.chroot
@@ -16,7 +16,8 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 mkdir -p /var/log/chrony

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 export TZ="Etc/UTC"

 apt-get install -y adjtimex chrony tzdata
--- a/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
+++ b/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
@@ -14,7 +14,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - && \
 apt-get install -y nodejs

--- a/config/hooks/live/0860_sops.chroot
+++ b/config/hooks/live/0860_sops.chroot
@@ -14,7 +14,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"

 SOPS_VER="v3.11.0"
 ARCH="$(dpkg --print-architecture)"
--- a/config/hooks/live/0865_yq.chroot
+++ b/config/hooks/live/0865_yq.chroot
@@ -14,7 +14,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"

 wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/local/bin/yq && chmod +x /usr/local/bin/yq

--- a/config/hooks/live/0870_bashdb.chroot
+++ b/config/hooks/live/0870_bashdb.chroot
@@ -16,7 +16,8 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 umask 0077

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"

 apt-get install -y texinfo

--- a/config/hooks/live/9900_process_accounting.chroot
+++ b/config/hooks/live/9900_process_accounting.chroot
@@ -14,7 +14,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 apt-get install -y acct

 if [[ ! -d /etc/systemd/system/multi-user.target.wants ]]; then
--- a/config/hooks/live/9970_remove_exim.chroot
+++ b/config/hooks/live/9970_remove_exim.chroot
@@ -14,7 +14,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"

 cd /etc

--- a/config/hooks/live/9980_usb_guard.chroot
+++ b/config/hooks/live/9980_usb_guard.chroot
@@ -14,7 +14,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 apt-get install -y usbguard

 ### Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm
--- a/config/hooks/live/9990_final_purge.chroot
+++ b/config/hooks/live/9990_final_purge.chroot
@@ -15,7 +15,8 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh

-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"

 apt-get update -qq

--- a/config/hooks/live/9993_aide.chroot
+++ b/config/hooks/live/9993_aide.chroot
@@ -14,7 +14,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 apt-get install -y aide > /dev/null 2>&1

 cp -u /etc/aide/aide.conf /root/.ciss/cdlb/backup/aide.conf.bak
--- a/config/hooks/live/9996_auditd.chroot
+++ b/config/hooks/live/9996_auditd.chroot
@@ -26,7 +26,8 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 cd /root

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 apt-get install -y auditd

 cp -u /etc/audit/audit.rules /root/.ciss/cdlb/backup/audit.rules.bak
--- a/config/hooks/live/9997_debsums.chroot
+++ b/config/hooks/live/9997_debsums.chroot
@@ -16,7 +16,8 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 cd /root

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"
 apt-get install -y --no-install-recommends debsums

 cp -a /etc/default/debsums /root/.ciss/cdlb/backup/debsums.bak
--- a/config/hooks/live/9998_sources_list_trixie.chroot
+++ b/config/hooks/live/9998_sources_list_trixie.chroot
@@ -14,7 +14,8 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"

 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
--- a/config/hooks/live/9999_yyyy_logrotate.chroot
+++ b/config/hooks/live/9999_yyyy_logrotate.chroot
@@ -34,7 +34,8 @@ declare -ar ary_logrotate=(

 declare     var_file="" var_log=""
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+export DEBIAN_FRONTEND="noninteractive"
+export INITRD="No"

 for var_log in "${ary_logrotate[@]}"; do

--- a/config/includes.chroot/etc/ssh/ssh_known_hosts
+++ b/config/includes.chroot/etc/ssh/ssh_known_hosts
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.408.2025.11.13
+# Version Master V8.13.416.2025.11.17

 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.408.2025.11.13
+# Version Master V8.13.416.2025.11.17

 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -11,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.408.2025.11.13
+# Version Master V8.13.416.2025.11.17

 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-declare -gr VERSION="Master V8.13.408.2025.11.13"
+declare -gr VERSION="Master V8.13.416.2025.11.17"

 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh

 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.408.2025.11.13 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.416.2025.11.17 at: 10:18:37.9542
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.408.2025.11.13<br>
+**Build**: V8.13.416.2025.11.17<br>

 # 2. DNSSEC Status

--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.408.2025.11.13<br>
+**Build**: V8.13.416.2025.11.17<br>

 # 2. Haveged Audit on Netcup RS 2000 G11

--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.408.2025.11.13<br>
+**Build**: V8.13.416.2025.11.17<br>

 # 2. Lynis Audit:

--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.408.2025.11.13<br>
+**Build**: V8.13.416.2025.11.17<br>

 # 2. SSH Audit by ssh-audit.com

--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.408.2025.11.13<br>
+**Build**: V8.13.416.2025.11.17<br>

 # 2. TLS Audit:
 ````text
--- a/docs/BOOTPARAMS.md
+++ b/docs/BOOTPARAMS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.408.2025.11.13<br>
+**Build**: V8.13.416.2025.11.17<br>

 # 2. Hardened Kernel Boot Parameters

--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -8,10 +8,14 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.408.2025.11.13<br>
+**Build**: V8.13.416.2025.11.17<br>

 # 2. Changelog

+## V8.13.416.2025.11.17
+* **Global**: Explicit ``export INITRD="No"``
+* **Changed**: [0100_ciss_mem_wipe.chroot](../config/hooks/live/0100_ciss_mem_wipe.chroot)
+
 ## V8.13.408.2025.11.13
 * **Added**: [0002_hardening_overlay_tmpfs.chroot](../config/hooks/live/0002_hardening_overlay_tmpfs.chroot) + Remount overlay root with ``nosuid,nodev``.
 * **Added**: [0100_ciss_mem_wipe.chroot](../config/hooks/live/0100_ciss_mem_wipe.chroot) + adding Tails-like memory wiping.
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.408.2025.11.13<br>
+**Build**: V8.13.416.2025.11.17<br>

 # 2. Centurion Net - Developer Branch Overview

--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.408.2025.11.13<br>
+**Build**: V8.13.416.2025.11.17<br>

 # 2. Coding Style

--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.408.2025.11.13<br>
+**Build**: V8.13.416.2025.11.17<br>

 # 2. Contributing / participating

--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.408.2025.11.13<br>
+**Build**: V8.13.416.2025.11.17<br>

 # 2. Credits

--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.408.2025.11.13<br>
+**Build**: V8.13.416.2025.11.17<br>

 # 2. Download the latest PUBLIC CISS.debian.live.ISO

--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,14 +8,14 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.408.2025.11.13<br>
+**Build**: V8.13.416.2025.11.17<br>

 # 2.1. Usage
 ````text
                        CDLB(1)                        CISS.debian.live.builder                        CDLB(1)

 CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V8.13.408.2025.11.13
+Master V8.13.416.2025.11.17
 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.

 (c) Marc S. Weidner, 2018 - 2025
@@ -146,7 +146,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 💷 Please consider donating to my work at:
 🌐 https://coresecret.eu/spenden/

-                        V8.13.408.2025.11.13                        2025-11-06                         CDLB(1)
+                        V8.13.416.2025.11.17                        2025-11-06                         CDLB(1)
 ````

 # 3. Booting
--- a/docs/MAN_CISS_ISO_BOOT_CHAIN.md
+++ b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.408.2025.11.13<br>
+**Build**: V8.13.416.2025.11.17<br>

 # 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation)

--- a/docs/MAN_SSH_Host_Key_Policy.md
+++ b/docs/MAN_SSH_Host_Key_Policy.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.408.2025.11.13<br>
+**Build**: V8.13.416.2025.11.17<br>

 # 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer

--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.408.2025.11.13<br>
+**Build**: V8.13.416.2025.11.17<br>

 # 2. Resources

--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -39,13 +39,13 @@ usage() {
  # shellcheck disable=SC2155
  declare var_header=$(center "CDLB(1)                        CISS.debian.live.builder                        CDLB(1)" "${var_cols}")
  # shellcheck disable=SC2155
-  declare var_footer=$(center "V8.13.408.2025.11.13                        2025-11-06                         CDLB(1)" "${var_cols}")
+  declare var_footer=$(center "V8.13.416.2025.11.17                        2025-11-06                         CDLB(1)" "${var_cols}")

  {
    echo -e "\e[1;97m${var_header}\e[0m"
    echo
    echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V8.13.408.2025.11.13\e[0m"
+    echo -e "\e[92mMaster V8.13.416.2025.11.17\e[0m"
    echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
    echo
    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
--- a/scripts/usr/local/sbin/9999_cdi_starter.sh
+++ b/scripts/usr/local/sbin/9999_cdi_starter.sh
@@ -127,7 +127,7 @@ main() {
  # shellcheck disable=SC2312
  exec > >(tee -a "${var_log}") 2>&1

-  printf "CISS.debian.installer Master V8.13.408.2025.11.13 is up! \n" >> "${var_log}"
+  printf "CISS.debian.installer Master V8.13.416.2025.11.17 is up! \n" >> "${var_log}"

  ### Sleep a moment to settle boot artifacts.
  sleep 8
@@ -183,7 +183,7 @@ main() {

  ### Timeout reached without acceptable semaphore.
  logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
-  printf "CISS.debian.installer Master V8.13.408.2025.11.13: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
+  printf "CISS.debian.installer Master V8.13.416.2025.11.17: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"

  exit 0
 }
--- a/var/bash.var.sh
+++ b/var/bash.var.sh
@@ -12,6 +12,8 @@

 guard_sourcing || return "${ERR_GUARD_SRCE}"

+unset BASH_ENV CDPATH ENV GLOBIGNORE
+
 ### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin
 set -o errexit           # Exit script when a command exits with non-zero status, the same as "set -e".
 set -o errtrace          # Any traps on ERR are inherited in a subshell environment, the same as "set -E".
@@ -32,8 +34,13 @@ shopt -u dotglob         # If set, Bash includes filenames beginning with a '.'
 shopt -u extglob         # If set, enable the extended pattern matching features.
 shopt -u nullglob        # If set, filename expansion patterns that match no files expand to nothing and are removed.

+### Deterministic environment
+declare -gx LC_ALL=C.UTF-8
+declare -gx LANG=C.UTF-8
+declare -gx TZ=UTC
 declare -gx PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 declare -gx IFS=$' \t\n'
+
 umask 0022

 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/var/early.var.sh
+++ b/var/early.var.sh
@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
 declare -grx VAR_HOST="$(uname -n)"
 declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
-declare -grx VAR_VERSION="Master V8.13.408.2025.11.13"
+declare -grx VAR_VERSION="Master V8.13.416.2025.11.17"
 declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
  # Print $4 and $5; include $6 only if it exists
  out = $4