DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 1 [skip ci]

X-CI-Metadata: master@4f7131c at 2025-06-24T22:34:39Z on 56dbb041e6a3

Generated at : 2025-06-24T22:34:39Z
Runner Host  : 56dbb041e6a3
Workflow ID  : 🔐 Generating a Private Live ISO FLV 1.
Git Commit   : 4f7131c HEAD -> master

.archive/icon.lib

@@ -2,46 +2,54 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ✅
-🔧
+❌
+⚠️
+🚫
+🔐
+🔒
 🔑
+✍️
 🖥️
+🔄
+🔁
+🌌
+🔵
+💙
+🔍
+💡
+🔧
 🛠️
+🏗
+⚙️
+📐
+🧪
+📩
 📥
 📦
 📑
 📂
-🔒
-🔐
-⚙️
-❌
-🌌
+📀
 🎉
-🖥️
-📂
-📩
-🔵
 😺
-🧪
+📉
 📊
 🧾
-📀
-📉
+📋
 🕑
 🧠
 📅
-💙
-🚫
-🔄
-🔁
-📋
 🎯
-🔍
-💡
+🌐
+🔗
+💬
+☢️
+☣️
+•
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.editorconfig

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml

@@ -25,7 +25,7 @@ body:
     attributes:
       label: "Version"
       description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.03.400.2025.06.05"
+      placeholder: "e.g., Master V8.03.832.2025.06.24"
     validations:
       required: true
 

.gitea/ISSUE_TEMPLATE/PULL_REQUEST_TEMPLATE.yaml

@@ -48,8 +48,8 @@ body:
       options:
         - label: "My edits contain no tabs, use two-space indentation, and no trailing whitespace"
         - label: "I have read ~/docs/CONTRIBUTING.md and ~/docs/CODING_CONVENTION.md"
-        - label: "I have tested this fix or improvement on ≥2 VMs without issues"
-        - label: "I have tested this new feature on ≥2 VMs with and without it to avoid side effects"
+        - label: "I have tested this fix or improvement on >=2 VMs without issues"
+        - label: "I have tested this new feature on >=2 VMs with and without it to avoid side effects"
         - label: "Documentation and/or 'usage()' and/or 'arg_parser' have been updated for the new feature"
         - label: "I added myself to ~/docs/CREDITS.md (alphabetical) and updated ~/docs/CHANGELOG.md"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/TODO/dockerfile

@@ -0,0 +1,69 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Version Master V8.03.832.2025.06.24
+
+FROM debian:bookworm
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update -y \
+    && apt-get upgrade -y \
+    && apt-get install -y \
+      apt-transport-https \
+      apt-utils \
+      bash \
+      ca-certificates \
+      gnupg \
+      openssl \
+      sudo \
+    && apt-get update -y \
+    && apt-get upgrade -y \
+    && apt-get clean \
+    && apt-get autoremove --purge -y \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir -p /etc/apt/sources.list.d && touch /etc/apt/sources.list.d/bookworm-backports.list \
+    && echo 'deb https://deb.debian.org/debian bookworm-backports main' >| /etc/apt/sources.list.d/bookworm-backports.list \
+    && apt-get update -y \
+    && apt-get upgrade -y \
+    && apt-get install -y --no-install-recommends \
+      autoconf \
+      automake \
+      build-essential \
+      cryptsetup \
+      curl \
+      debootstrap \
+      dosfstools \
+      efibootmgr \
+      gettext \
+      git \
+      haveged \
+      libtool \
+      live-build \
+      parted \
+      pkg-config \
+      ssh \
+      ssl-cert \
+      texinfo \
+      wget \
+      whois \
+    && apt-get clean \
+    && apt-get autoremove --purge -y \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN useradd --create-home --shell /bin/bash runner
+
+WORKDIR /home/runner
+
+USER runner
+
+ENTRYPOINT ["bash"]

.gitea/TODO/render-md-to-html.yaml

@@ -9,9 +9,9 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.400.2025.06.05
+### Version Master V8.03.832.2025.06.24
 
-name: Render README.md to README.html.
+name: 🔁 Render README.md to README.html.
 
 permissions:
   contents: write
@@ -26,7 +26,7 @@ on:
 
 jobs:
   render-md-to-html:
-    name: Render README.md to README.html.
+    name: 🔁 Render README.md to README.html.
     runs-on: ubuntu-latest
 
     steps:
@@ -111,28 +111,28 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y pandoc
 
-      #- name: ⚙️ Ensure .html/ directory exists.
-      #  shell: bash
-      #  run:
-      #    mkdir -p .html
+      - name: ⚙️ Ensure .html/ directory exists.
+        shell: bash
+        run:
+          mkdir -p .html
 
-      #- name: 🛠️ Render *.md to full standalone HTML.
-      #  shell: bash
-      #  run: |
-      #    set -euo pipefail
-      #    find . \( -path "*/.*" -prune \) -o -type f -name "*.md" -print  | while read file; do
-      #      out=$(basename "${file%.md}.html")
-      #      pandoc -s "${file}" \
-      #        --metadata title="${file}" \
-      #        --metadata lang=en \
-      #        -f gfm+footnotes \
-      #        -t html5 \
-      #        --no-highlight \
-      #        --strip-comments \
-      #        --wrap=none \
-      #        --lua-filter=.gitea/properties/lua/linkfix.lua \
-      #        -o .html/"${out}"
-      #    done
+      - name: 🛠️ Render *.md to full standalone HTML.
+        shell: bash
+        run: |
+          set -euo pipefail
+          find . \( -path "*/.*" -prune \) -o -type f -name "*.md" -print  | while read file; do
+            out=$(basename "${file%.md}.html")
+            pandoc -s "${file}" \
+              --metadata title="${file}" \
+              --metadata lang=en \
+              -f gfm+footnotes \
+              -t html5 \
+              --no-highlight \
+              --strip-comments \
+              --wrap=none \
+              --lua-filter=.gitea/properties/lua/linkfix.lua \
+              -o .html/"${out}"
+          done
 
       - name: 🛠️ Extract HTML fragment for Gitea for *.md.
         shell: bash
@@ -150,6 +150,15 @@ jobs:
               -o "${out}"
           done
 
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
       - name: 🔄 Sync with remote before commit using merge strategy.
         shell: bash
         env:
@@ -168,6 +177,15 @@ jobs:
           git status
           git log --oneline -n 5
 
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
       - name: 📦 Stage generated files.
         shell: bash
         env:
@@ -197,15 +215,15 @@ jobs:
             WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
             CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
-            COMMIT_MSG="DEPLOY BOT: Auto-Generate *.html from *.md [skip ci]
+            COMMIT_MSG="DEPLOY BOT   : 🔁 Auto-Generate *.html from *.md [skip ci]
 
-            ${CI_HEADER}
+          ${CI_HEADER}
 
-            Generated at: ${TIMESTAMP_UTC}
-            Runner Host : ${HOSTNAME}
-            Workflow ID : ${WORKFLOW_ID}
-            Git Commit  : ${GIT_SHA} HEAD → ${GIT_REF}
-            "
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
 
             echo "🔏 Commit message :"
             echo "${COMMIT_MSG}"

.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml

@@ -10,6 +10,6 @@
 # SPDX-Security-Contact: security@coresecret.eu
 
 build:
-  counter: 1023
-  version: V8.03.384.2025.06.03
+  counter: 1024
+  version: V8.03.832.2025.06.24
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml

@@ -10,6 +10,6 @@
 # SPDX-Security-Contact: security@coresecret.eu
 
 build:
-  counter: 1024
-  version: V8.03.400.2025.06.05
+  counter: 1023
+  version: V8.03.832.2025.06.24
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PUBLIC.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.03.384.2025.06.03
+  version: V8.03.832.2025.06.24
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_dns.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.03.400.2025.06.05
+  version: V8.03.832.2025.06.24
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml

@@ -9,9 +9,9 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.400.2025.06.05
+### Version Master V8.03.832.2025.06.24
 
-name: Generating a Private Live ISO FLV 0.
+name: 🔐 Generating a Private Live ISO FLV 0.
 
 permissions:
   contents: write
@@ -25,8 +25,8 @@ on:
 
 jobs:
   generate-private-ciss-debian-live-iso:
-    name: Generating a Private Live ISO FLV 0.
-    runs-on: ciss.debian.live.builder
+    name: 🔐 Generating a Private Live ISO FLV 0.
+    runs-on: ciss.debian.live.builder.iso.generator
 
     ### Run all steps inside Debian Bookworm
     container:
@@ -35,17 +35,17 @@ jobs:
     steps:
       - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
         run: |
-          apt-get update
+          apt-get update -y
           apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
           echo 'deb https://deb.debian.org/debian bookworm-backports main' \
             >| /etc/apt/sources.list.d/bookworm-backports.list
-          apt-get update
-          apt-get upgrade
+          apt-get update -y
+          apt-get upgrade -y
 
       - name: 🛠️ Installing Build Tools.
         shell: bash
         run: |
-          apt-get update
+          apt-get update -y
           apt-get install -y \
             autoconf \
             automake \
@@ -85,22 +85,27 @@ jobs:
             "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
           )
 
+          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
+          gpg --batch --import signature_key.asc
+
           for url in "${urls[@]}"; do
             archive_name="${url##*/}"
             pkg_name="${archive_name%.tar.bz2}"
             echo "🔄 Processing ${pkg_name}"
             if [[ ! -f "${archive_name}" ]]; then
               echo "📥 Downloading: '${archive_name}'."
-              if wget "${url}" -O "${archive_name}" > /dev/null 2>&1; then
+              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
                 echo "✅ Download successful: '${archive_name}'."
               else
                 echo "❌ Download NOT successful: '${archive_name}'."
                 exit 1
               fi
             else
-              echo "ℹ️ Skipping download, package already exists: '${archive_name}'."
+              echo "💡 Skipping download, package already exists: '${archive_name}'."
             fi
 
+            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
+
             if [[ ! -d "${pkg_name}" ]]; then
               echo "📂 Extracting: '${archive_name}'."
               if tar -xjf "${archive_name}"; then
@@ -110,7 +115,7 @@ jobs:
                 exit 1
               fi
             else
-              echo "ℹ️ Skipping directory, already exists: '${pkg_name}'."
+              echo "💡 Skipping directory, already exists: '${pkg_name}'."
             fi
 
             echo "🏗️ Build and install the package: '${pkg_name}'."
@@ -124,15 +129,15 @@ jobs:
 
             cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
 
-            rm -f "${archive_name}"; \
-            echo "✅ Removed archive: '${pkg_name}'."
-            rm -fr "${pkg_name}"; \
-            echo "✅ Removed build artifacts: '${pkg_name}'."
+            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
+            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
             echo "✅ Successful build and installation of '${pkg_name}'."
             echo "-------------------------------------------------------------------------------------"
 
           done
 
+          rm -f signature_key.asc
+
           echo "✅ All packages were built and installed successfully."
 
           mv_bin=(
@@ -153,7 +158,7 @@ jobs:
                 echo "❌ Moved NOT successfully: '${bin}'."
               fi
             else
-              echo "ℹ️ Does not exist as build binary: '${bin}'."
+              echo "💡 Does not exist as build binary: '${bin}'."
             fi
           done
 
@@ -166,7 +171,7 @@ jobs:
                 echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
               fi
             else
-              echo "ℹ️ Does not exist: '/usr/local/bin/${name}'."
+              echo "💡 Does not exist: '/usr/local/bin/${name}'."
             fi
           done
 
@@ -265,7 +270,7 @@ jobs:
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
           ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
           ./ciss_live_builder.sh \
-            --autobuild=6.12.22+bpo-amd64 \
+            --autobuild=6.12.30+bpo-amd64 \
             --architecture amd64 \
             --build-directory /opt/livebuild \
             --control "${timestamp}" \
@@ -299,7 +304,7 @@ jobs:
           grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
 
           if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
-            echo "ℹ️ Old ISO files found and deleted :"
+            echo "💡 Old ISO files found and deleted :"
             while IFS= read -r href; do
               FILE_URL="${NC_BASE}${href}"
               echo "  Delete: ${FILE_URL}"
@@ -312,7 +317,7 @@ jobs:
               fi
             done < public_iso_list.txt
           else
-            echo "ℹ️ No old ISO files found to delete."
+            echo "💡 No old ISO files found to delete."
           fi
 
       - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
@@ -381,13 +386,22 @@ jobs:
           CISS.debian.live.builder ISO :
             "${VAR_ISO_FILE_NAME}"
           CISS.debian.live.builder ISO sha512 :
-            "${VAR_ISO_FILE_SHA512}"
+            $(< "${VAR_ISO_FILE_SHA512}")
           CISS.debian.live.builder ISO sha512 sign :
             $(< "${SIGNATURE_FILE}")
 
           # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
           EOF
 
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
       - name: 🔄 Sync with remote before commit using merge strategy.
         shell: bash
         env:
@@ -406,6 +420,15 @@ jobs:
           git status
           git log --oneline -n 5
 
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
       - name: 📦 Stage generated files.
         shell: bash
         env:
@@ -436,14 +459,14 @@ jobs:
             WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
             CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
-            COMMIT_MSG="DEPLOY BOT: Auto-Generate PRIVATE LIVE ISO FLV 0 [skip ci]
+            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 0 [skip ci]
 
           ${CI_HEADER}
 
-          Generated at: ${TIMESTAMP_UTC}
-          Runner Host : ${HOSTNAME}
-          Workflow ID : ${WORKFLOW_ID}
-          Git Commit  : ${GIT_SHA} HEAD → ${GIT_REF}
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
           "
 
             echo "🔏 Commit message :"

.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml

@@ -9,9 +9,9 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.400.2025.06.05
+### Version Master V8.03.832.2025.06.24
 
-name: Generating a Private Live ISO FLV 1.
+name: 🔐 Generating a Private Live ISO FLV 1.
 
 permissions:
   contents: write
@@ -21,12 +21,12 @@ on:
     branches:
       - master
     paths:
-      - '.gitea/trigger/.t_generate_PRIVATE_iso_flavour_1.yaml'
+      - '.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml'
 
 jobs:
   generate-private-ciss-debian-live-iso:
-    name: Generating a Private Live ISO FLV 1.
-    runs-on: ciss.debian.live.builder
+    name: 🔐 Generating a Private Live ISO FLV 1.
+    runs-on: ciss.debian.live.builder.iso.generator
 
     ### Run all steps inside Debian Bookworm
     container:
@@ -35,17 +35,17 @@ jobs:
     steps:
       - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
         run: |
-          apt-get update
+          apt-get update -y
           apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
           echo 'deb https://deb.debian.org/debian bookworm-backports main' \
             >| /etc/apt/sources.list.d/bookworm-backports.list
-          apt-get update
-          apt-get upgrade
+          apt-get update -y
+          apt-get upgrade -y
 
       - name: 🛠️ Installing Build Tools.
         shell: bash
         run: |
-          apt-get update
+          apt-get update -y
           apt-get install -y \
             autoconf \
             automake \
@@ -85,22 +85,27 @@ jobs:
             "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
           )
 
+          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
+          gpg --batch --import signature_key.asc
+
           for url in "${urls[@]}"; do
             archive_name="${url##*/}"
             pkg_name="${archive_name%.tar.bz2}"
             echo "🔄 Processing ${pkg_name}"
             if [[ ! -f "${archive_name}" ]]; then
               echo "📥 Downloading: '${archive_name}'."
-              if wget "${url}" -O "${archive_name}" > /dev/null 2>&1; then
+              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
                 echo "✅ Download successful: '${archive_name}'."
               else
                 echo "❌ Download NOT successful: '${archive_name}'."
                 exit 1
               fi
             else
-              echo "ℹ️ Skipping download, package already exists: '${archive_name}'."
+              echo "💡 Skipping download, package already exists: '${archive_name}'."
             fi
 
+            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
+
             if [[ ! -d "${pkg_name}" ]]; then
               echo "📂 Extracting: '${archive_name}'."
               if tar -xjf "${archive_name}"; then
@@ -110,7 +115,7 @@ jobs:
                 exit 1
               fi
             else
-              echo "ℹ️ Skipping directory, already exists: '${pkg_name}'."
+              echo "💡 Skipping directory, already exists: '${pkg_name}'."
             fi
 
             echo "🏗️ Build and install the package: '${pkg_name}'."
@@ -124,15 +129,15 @@ jobs:
 
             cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
 
-            rm -f "${archive_name}"; \
-            echo "✅ Removed archive: '${pkg_name}'."
-            rm -fr "${pkg_name}"; \
-            echo "✅ Removed build artifacts: '${pkg_name}'."
+            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
+            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
             echo "✅ Successful build and installation of '${pkg_name}'."
             echo "-------------------------------------------------------------------------------------"
 
           done
 
+          rm -f signature_key.asc
+
           echo "✅ All packages were built and installed successfully."
 
           mv_bin=(
@@ -153,7 +158,7 @@ jobs:
                 echo "❌ Moved NOT successfully: '${bin}'."
               fi
             else
-              echo "ℹ️ Does not exist as build binary: '${bin}'."
+              echo "💡 Does not exist as build binary: '${bin}'."
             fi
           done
 
@@ -166,7 +171,7 @@ jobs:
                 echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
               fi
             else
-              echo "ℹ️ Does not exist: '/usr/local/bin/${name}'."
+              echo "💡 Does not exist: '/usr/local/bin/${name}'."
             fi
           done
 
@@ -265,7 +270,7 @@ jobs:
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
           ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
           ./ciss_live_builder.sh \
-            --autobuild=6.12.22+bpo-amd64 \
+            --autobuild=6.12.30+bpo-amd64 \
             --architecture amd64 \
             --build-directory /opt/livebuild \
             --control "${timestamp}" \
@@ -296,7 +301,7 @@ jobs:
           grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
 
           if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
-            echo "ℹ️ Old ISO files found and deleted :"
+            echo "💡 Old ISO files found and deleted :"
             while IFS= read -r href; do
               FILE_URL="${NC_BASE}${href}"
               echo "  Delete: ${FILE_URL}"
@@ -309,7 +314,7 @@ jobs:
               fi
             done < public_iso_list.txt
           else
-            echo "ℹ️ No old ISO files found to delete."
+            echo "💡 No old ISO files found to delete."
           fi
 
       - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
@@ -378,13 +383,22 @@ jobs:
           CISS.debian.live.builder ISO :
             "${VAR_ISO_FILE_NAME}"
           CISS.debian.live.builder ISO sha512 :
-            "${VAR_ISO_FILE_SHA512}"
+            $(< "${VAR_ISO_FILE_SHA512}")
           CISS.debian.live.builder ISO sha512 sign :
             $(< "${SIGNATURE_FILE}")
 
           # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
           EOF
 
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
       - name: 🔄 Sync with remote before commit using merge strategy.
         shell: bash
         env:
@@ -403,6 +417,15 @@ jobs:
           git status
           git log --oneline -n 5
 
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
       - name: 📦 Stage generated files.
         shell: bash
         env:
@@ -433,14 +456,14 @@ jobs:
             WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
             CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
-            COMMIT_MSG="DEPLOY BOT: Auto-Generate PRIVATE LIVE ISO FLV 1 [skip ci]
+            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 1 [skip ci]
 
           ${CI_HEADER}
 
-          Generated at: ${TIMESTAMP_UTC}
-          Runner Host : ${HOSTNAME}
-          Workflow ID : ${WORKFLOW_ID}
-          Git Commit  : ${GIT_SHA} HEAD → ${GIT_REF}
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
           "
 
             echo "🔏 Commit message :"

.gitea/workflows/generate_PUBLIC_iso.yaml

@@ -9,9 +9,9 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.400.2025.06.05
+### Version Master V8.03.832.2025.06.24
 
-name: Generating a PUBLIC Live ISO.
+name: 💙 Generating a PUBLIC Live ISO.
 
 permissions:
   contents: write
@@ -21,12 +21,12 @@ on:
     branches:
       - master
     paths:
-      - '.gitea/trigger/.t_generate_PUBLIC.yaml'
+      - '.gitea/trigger/t_generate_PUBLIC.yaml'
 
 jobs:
   generate-private-ciss-debian-live-iso:
-    name: Generating a PUBLIC Live ISO.
-    runs-on: ciss.debian.live.builder
+    name: 💙 Generating a PUBLIC Live ISO.
+    runs-on: ciss.debian.live.builder.iso.generator
 
     ### Run all steps inside Debian Bookworm
     container:
@@ -35,17 +35,17 @@ jobs:
     steps:
       - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
         run: |
-          apt-get update
+          apt-get update -y
           apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
           echo 'deb https://deb.debian.org/debian bookworm-backports main' \
             >| /etc/apt/sources.list.d/bookworm-backports.list
-          apt-get update
-          apt-get upgrade
+          apt-get update -y
+          apt-get upgrade -y
 
       - name: 🛠️ Installing Build Tools.
         shell: bash
         run: |
-          apt-get update
+          apt-get update -y
           apt-get install -y \
             autoconf \
             automake \
@@ -85,22 +85,27 @@ jobs:
             "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
           )
 
+          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
+          gpg --batch --import signature_key.asc
+
           for url in "${urls[@]}"; do
             archive_name="${url##*/}"
             pkg_name="${archive_name%.tar.bz2}"
             echo "🔄 Processing ${pkg_name}"
             if [[ ! -f "${archive_name}" ]]; then
               echo "📥 Downloading: '${archive_name}'."
-              if wget "${url}" -O "${archive_name}" > /dev/null 2>&1; then
+              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
                 echo "✅ Download successful: '${archive_name}'."
               else
                 echo "❌ Download NOT successful: '${archive_name}'."
                 exit 1
               fi
             else
-              echo "ℹ️ Skipping download, package already exists: '${archive_name}'."
+              echo "💡 Skipping download, package already exists: '${archive_name}'."
             fi
 
+            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
+
             if [[ ! -d "${pkg_name}" ]]; then
               echo "📂 Extracting: '${archive_name}'."
               if tar -xjf "${archive_name}"; then
@@ -110,7 +115,7 @@ jobs:
                 exit 1
               fi
             else
-              echo "ℹ️ Skipping directory, already exists: '${pkg_name}'."
+              echo "💡 Skipping directory, already exists: '${pkg_name}'."
             fi
 
             echo "🏗️ Build and install the package: '${pkg_name}'."
@@ -124,15 +129,15 @@ jobs:
 
             cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
 
-            rm -f "${archive_name}"; \
-            echo "✅ Removed archive: '${pkg_name}'."
-            rm -fr "${pkg_name}"; \
-            echo "✅ Removed build artifacts: '${pkg_name}'."
+            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
+            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
             echo "✅ Successful build and installation of '${pkg_name}'."
             echo "-------------------------------------------------------------------------------------"
 
           done
 
+          rm -f signature_key.asc
+
           echo "✅ All packages were built and installed successfully."
 
           mv_bin=(
@@ -153,7 +158,7 @@ jobs:
                 echo "❌ Moved NOT successfully: '${bin}'."
               fi
             else
-              echo "ℹ️ Does not exist as build binary: '${bin}'."
+              echo "💡 Does not exist as build binary: '${bin}'."
             fi
           done
 
@@ -166,7 +171,7 @@ jobs:
                 echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
               fi
             else
-              echo "ℹ️ Does not exist: '/usr/local/bin/${name}'."
+              echo "💡 Does not exist: '/usr/local/bin/${name}'."
             fi
           done
 
@@ -266,7 +271,7 @@ jobs:
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
           ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
           ./ciss_live_builder.sh \
-            --autobuild=6.12.22+bpo-amd64 \
+            --autobuild=6.12.30+bpo-amd64 \
             --architecture amd64 \
             --build-directory /opt/livebuild \
             --control "${timestamp}" \
@@ -296,7 +301,7 @@ jobs:
           grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
 
           if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
-            echo "ℹ️ Old ISO files found and deleted :"
+            echo "💡 Old ISO files found and deleted :"
             while IFS= read -r href; do
               FILE_URL="${NC_BASE}${href}"
               echo "  Delete: ${FILE_URL}"
@@ -309,7 +314,7 @@ jobs:
               fi
             done < public_iso_list.txt
           else
-            echo "ℹ️ No old ISO files found to delete."
+            echo "💡 No old ISO files found to delete."
           fi
 
       - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
@@ -378,13 +383,22 @@ jobs:
           CISS.debian.live.builder ISO :
             "${VAR_ISO_FILE_NAME}"
           CISS.debian.live.builder ISO sha512 :
-            "${VAR_ISO_FILE_SHA512}"
+            $(< "${VAR_ISO_FILE_SHA512}")
           CISS.debian.live.builder ISO sha512 sign :
             $(< "${SIGNATURE_FILE}")
 
           # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
           EOF
 
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
       - name: 🔄 Sync with remote before commit using merge strategy.
         shell: bash
         env:
@@ -403,6 +417,15 @@ jobs:
           git status
           git log --oneline -n 5
 
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
       - name: 📦 Stage generated files.
         shell: bash
         env:
@@ -433,14 +456,14 @@ jobs:
             WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
             CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
-            COMMIT_MSG="DEPLOY BOT: Auto-Generate PUBLIC LIVE ISO [skip ci]
+            COMMIT_MSG="DEPLOY BOT   : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]
 
           ${CI_HEADER}
 
-          Generated at: ${TIMESTAMP_UTC}
-          Runner Host : ${HOSTNAME}
-          Workflow ID : ${WORKFLOW_ID}
-          Git Commit  : ${GIT_SHA} HEAD → ${GIT_REF}
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
           "
 
             echo "🔏 Commit message :"

.gitea/workflows/linter_char_scripts.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.400.2025.06.05
+### Version Master V8.03.832.2025.06.24
 
 # Gitea Workflow: Shell-Script Linting
 #
@@ -70,7 +70,7 @@ jobs:
           GITHUB_REF_NAME: ${{ github.ref_name }}
         run: |
           set -euo pipefail
-          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/PRIVATE_TESTING_CISS.debian.live.builder.git .
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
           git fetch --unshallow || echo "Nothing to fetch - already full clone."
 
       - name: 🛠️ Cleaning the workspace.
@@ -127,32 +127,34 @@ jobs:
           #
           # We capture:
           # - All files '*.sh', '*.zsh', '*.chroot'
-          # - All files whose first line begins with “#!” (shebang)
+          # - All files whose first line begins with "#!" (shebang)
           # -------------------------------
           mapfile -t files_to_check < <(
-            find . -type f \( \
-              -iname '*.sh' -o \
-              -iname '*.zsh' -o \
-              -iname '*.chroot' -o \
-              -exec grep -Iq '^#!' {} \; \
-            \) -print
+            find . \
+              -path './.git' -prune -o \
+              -type f \( \
+                -iname '*.sh' -o \
+                -iname '*.zsh' -o \
+                -iname '*.chroot' -o \
+                -exec grep -Iq '^#!' {} \; \
+              \) -print
           )
 
           # -------------------------------
           # STEP 2: Regex definitions
           #
-          # - CRLF_REGEX → Carriage Return (\r) for Windows CRLF
-          # - CTRL_REGEX → C0 control characters except Tab (\x09) and Newline (\x0A)
-          # Range: [\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]
-          # - NON_ASCII_REGEX → All bytes > 0x7F, except emoji characters in defined ranges
+          # - CRLF_REGEX           Carriage Return (\r) for Windows CRLF
+          # - CTRL_REGEX           C0 control characters except Tab (\x09) and Newline (\x0A)
+          #   - Range:             [\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]
+          # - NON_ASCII_REGEX      All bytes -> 0x7F, except emoji characters in defined ranges
           #
           # Emoji ranges that we exclude:
-          # - \x{1F300}-\x{1F5FF} (Misc Symbols & Pictographs)
-          # - \x{1F600}-\x{1F64F} (Emoticons)
-          # - \x{1F680}-\x{1F6FF} (Transport & Map Symbols)
-          # - \x{1F900}-\x{1F9FF} (Supplemental Symbols & Pictographs)
-          # - \x{2600}-\x{26FF}   (Miscellaneous Symbols)
-          # - \x{2700}-\x{27BF}   (Dingbats)
+          # - \x{1F300}-\x{1F5FF}  Misc Symbols & Pictographs
+          # - \x{1F600}-\x{1F64F}  Emoticons
+          # - \x{1F680}-\x{1F6FF}  Transport & Map Symbols
+          # - \x{1F900}-\x{1F9FF}  Supplemental Symbols & Pictographs
+          # - \x{2600}-\x{26FF}    Miscellaneous Symbols
+          # - \x{2700}-\x{27BF}    Dingbats
           # -------------------------------
 
           CRLF_REGEX=$'\r'
@@ -170,7 +172,7 @@ jobs:
           for file in "${files_to_check[@]}"; do
             #
             # 4.1: CRLF detection
-            #      grep -nP returns “lineno:<line with CR>”
+            #      grep -nP returns "lineno:<line with CR>"
             # -------------------------------
             while IFS=: read -r lineno _rest; do
               findings+="${file}: CRLF-found at line ${lineno}: <CR>"$'\n'
@@ -178,7 +180,7 @@ jobs:
 
             #
             # 4.2: Unallowed control characters
-            #      grep -nP -o returns “lineno:<matched-char>”
+            #      grep -nP -o returns "lineno:<matched-char>"
             # -------------------------------
             while IFS=: read -r lineno char; do
               findings+="${file}: control-char at line ${lineno}: ${char}"$'\n'
@@ -186,7 +188,7 @@ jobs:
 
             #
             # 4.3: Non-ASCII characters with emoji exception
-            #      grep -nP -o returns “lineno:<matched-char>”
+            #      grep -nP -o returns "lineno:<matched-char>"
             # -------------------------------
             while IFS=: read -r lineno char; do
               findings+="${file}: non-ascii at line ${lineno}: ${char}"$'\n'
@@ -199,8 +201,139 @@ jobs:
           if [[ -n "${findings}" ]]; then
             echo -e "⚠️ Linting issues detected:\n"
             echo -e "${findings}"
-            exit 1
+            timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+            PRIVATE_FILE="LINTER_RESULTS.txt"
+            touch "${PRIVATE_FILE}"
+            cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+
+          ⚠️ The last linter check was NOT successful. ⚠️
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
           else
             echo "✅ No issues found in shell scripts."
+            timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+            PRIVATE_FILE="LINTER_RESULTS.txt"
+            touch "${PRIVATE_FILE}"
+            cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+
+          ✅ The last linter check was successful. ✅
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
           fi
+
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          PRIVATE_FILE="LINTER_RESULTS.txt"
+          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 🛡️ Shell Script Linting [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/render-dnssec-status.yaml

@@ -9,9 +9,9 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.400.2025.06.05
+### Version Master V8.03.832.2025.06.24
 
-name: Retrieve DNSSEC status of coresecret.dev.
+name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
 
 permissions:
   contents: write
@@ -25,7 +25,7 @@ on:
 
 jobs:
   build-dnssec-diagram:
-    name: Retrieve DNSSEC status of coresecret.dev.
+    name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
     runs-on: ubuntu-latest
 
     steps:
@@ -127,6 +127,15 @@ jobs:
           dnsviz probe -s 8.8.8.8 -R SOA,A,AAAA,CAA,CDS,CDNSKEY,LOC,HTTPS,MX,NS,TXT coresecret.dev >| coresecret.dev.json
           dnsviz graph -T png < coresecret.dev.json >| docs/SECURITY/coresecret.dev.png
 
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
       - name: 🔄 Sync with remote before commit using merge strategy.
         shell: bash
         env:
@@ -145,6 +154,15 @@ jobs:
           git status
           git log --oneline -n 5
 
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
       - name: 📦 Stage generated files.
         shell: bash
         env:
@@ -174,14 +192,14 @@ jobs:
             WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
             CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
-            COMMIT_MSG="DEPLOY BOT: Auto-Generate DNSSEC Status [skip ci]
+            COMMIT_MSG="DEPLOY BOT   : 🛡️ Auto-Generate DNSSEC Status [skip ci]
 
           ${CI_HEADER}
 
-          Generated at: ${TIMESTAMP_UTC}
-          Runner Host : ${HOSTNAME}
-          Workflow ID : ${WORKFLOW_ID}
-          Git Commit  : ${GIT_SHA} HEAD → ${GIT_REF}
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
           "
 
             echo "🔏 Commit message :"

.gitea/workflows/render-dot-to-png.yaml

@@ -9,9 +9,9 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.400.2025.06.05
+### Version Master V8.03.832.2025.06.24
 
-name: Render Graphviz Diagrams.
+name: 🔁 Render Graphviz Diagrams.
 
 permissions:
   contents: write
@@ -26,7 +26,7 @@ on:
 
 jobs:
   build-graphiz-diagrams:
-    name: Render Graphviz Diagrams.
+    name: 🔁 Render Graphviz Diagrams.
     runs-on: ubuntu-latest
 
     steps:
@@ -120,6 +120,15 @@ jobs:
             dot -Tpng "${file}" -o "${out}"
           done
 
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
       - name: 🔄 Sync with remote before commit using merge strategy.
         shell: bash
         env:
@@ -138,6 +147,15 @@ jobs:
           git status
           git log --oneline -n 5
 
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
       - name: 📦 Stage generated files.
         shell: bash
         env:
@@ -167,14 +185,14 @@ jobs:
             WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
             CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
-            COMMIT_MSG="DEPLOY BOT: DEPLOY BOT: Auto-Generate PNG from *.dot. [skip ci]
+            COMMIT_MSG="DEPLOY BOT   : 🔁 Auto-Generate PNG from *.dot. [skip ci]
 
           ${CI_HEADER}
 
-          Generated at: ${TIMESTAMP_UTC}
-          Runner Host : ${HOSTNAME}
-          Workflow ID : ${WORKFLOW_ID}
-          Git Commit  : ${GIT_SHA} HEAD → ${GIT_REF}
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
           "
 
             echo "🔏 Commit message :"

.gitignore

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

.version.properties

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.03.400.2025.06.05"
+properties_version="V8.03.832.2025.06.24"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

CISS.debian.live.builder.spdx

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.03.400.2025.06.05
+PackageVersion: Master V8.03.832.2025.06.24
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder

LINTER_RESULTS.txt

@@ -0,0 +1,16 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+This file was automatically generated by the DEPLOY BOT on: "2025-06-24T21:45:52Z".
+
+✅ The last linter check was successful. ✅
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO.public

@@ -2,26 +2,26 @@
 # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-06-03T12:10:46Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-06-23T09:04:49Z".
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_03T11_33_11Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_06_23T08_20_37Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  "ciss-debian-live-2025_06_03T11_33_11Z-amd64.hybrid.iso.sha512"
+  86a8be09e16299892ae99d195b56a04356bcf5d2202016da8f8fa7441077c43fab68ebefcb8c39b3423f085a74b607907fb691ac71fdef92af33782bd2ac0ce5
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaD7mRgAKCRA85KY4hzOw
-IcORAP4lGjiHbnMe3CQWMH+Tz2Z4Mp/kLXbh3K2+j6agrK1rHQEA/d1NJ9npprJN
-2TKYjeFA1sAPA/LvgAdVXKKfTlhsyww=
-=PjlU
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFkYsQAKCRA85KY4hzOw
+IbrbAQDeOIS3QYKIPkMhYlNPIcsJjv/dh3TdYiuQbkvfwVI+/gD/TiB+ska62vJk
+LGfwjuaxMC0KHG1/UTICytOeAnTrXAc=
+=qk8B
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_FLV_0.private

@@ -2,26 +2,26 @@
 # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-06-02T23:05:15Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-06-24T19:21:36Z".
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_02T22_27_09Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_06_24T18_36_59Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  "ciss-debian-live-2025_06_02T22_27_09Z-amd64.hybrid.iso.sha512"
+  3ca5a9635ef74a48f6d8f31696ec56e56ee95eff5317df95976e22d31e331bc503422602e24a9eaddfc30212acf6ebe96af51e94298c4c7c49c839c62abb6c2f
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaD4uKwAKCRA85KY4hzOw
-IQ/pAQCVmu7uuOLHWrWM4XSX/t6nD/0WLZk68aR829FhF7hqaAD7Bve8jHudhvlv
-ewg9APapMOqKaM2aDowmuR8ONHJktAU=
-=meXV
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFr6wAAKCRA85KY4hzOw
+IbgHAP4p9jlF9jZkYIw/0H8j07QUWNHxeUz2r2UXp8aN2gUEBwEAxqbznJhH8li8
+40g5sWwGLmBjlidIOe0NxeMUBkuMlQg=
+=gq5w
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_FLV_1.private

@@ -2,26 +2,26 @@
 # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-06-05T19:17:12Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-06-24T22:34:36Z".
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_05T18_36_07Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_06_24T21_53_22Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  "ciss-debian-live-2025_06_05T18_36_07Z-amd64.hybrid.iso.sha512"
+  581d951c8ab4d8e7afd2d727f8e64bd6fff51d005b84b9800e941da8dae654985bae500e056f02729d6b274ba330dfdbec59fd5ec2c8b18c3bbf37433b73c154
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaEHtOAAKCRA85KY4hzOw
-IXO2AQC73XTi/UMGPOMQggNfFdC/D8C16l09hgrdsq+3pWsNKwD+PeJhzSwmlMRB
-+3xze9K4Jw+5LOVcdGT8hkA/WmvY1ww=
-=eaNF
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFsn/AAKCRA85KY4hzOw
+IUvMAP9P1U6lblhdZ9tSROvYXRXcv0IEg2rVo3fMx9T5fozLewEAgxxo0+J1Nlvu
+KVZOdiuc6xdxkBHWYaA2kSXZKI+qAwA=
+=2H0C
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

README.md

@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.400.2025.06.05-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.832.2025.06.24-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
  
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)  
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)  
@@ -11,8 +11,8 @@ include_toc: true
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh)  
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
  
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.23.8-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)  
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.1.1.1-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)  
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.2-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)  
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.1.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)  
 [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/)  
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de)  
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/)  
@@ -26,7 +26,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.400.2025.06.05<br>
+**Build**: V8.03.832.2025.06.24<br>
 
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -37,7 +37,7 @@ changes and made publicly available for download. The latest generic ISO is avai
 
 Check out more:
 * [CenturionNet Services](https://coresecret.eu/cnet/) 
-* [CenturionDNS Resolver](https://dns.eddns.eu/)
+* [CenturionDNS Resolver](https://eddns.eu/)
 * [CenturionDNS Blocklist](https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt) 
 * [CenturionNet Status](https://uptime.coresecret.eu/) 
 * [CenturionMeet](https://talk.e2ee.li/) 
@@ -121,7 +121,7 @@ The following happens in all cases:
 * The installer kernel (/install/vmlinuz) + initrd.gz are started.
 * The existing live system is exited.
 * The memory is overwritten.
-* All running processes – e.g., firewall, hardened SSH access, etc. pp. – cease to exist.
+* All running processes - e.g., firewall, hardened SSH access, etc. pp. - cease to exist.
 
 The Debian Installer loads:
 * its own kernel,
@@ -142,13 +142,20 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
 
-Example: `8.03.384.2025.06.03`
+Example: `V8.03.832.2025.06.24`
 
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
 
 Date (YYYY.MM.DD) denotes the build or release date, facilitating clear tracking of incremental changes and ensuring 
 reproducibility and traceability.
 
+## 1.6. Keywords
+
+The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
+"MAY", and "OPTIONAL" in this Repo are to be interpreted as described in [[BCP 14](https://www.rfc-editor.org/info/bcp14)], 
+[[RFC2119](https://datatracker.ietf.org/doc/html/rfc2119)], [[RFC8174](https://datatracker.ietf.org/doc/html/rfc8174)] when,
+and only when, they appear in all capitals, as shown here.
+
 # 2. Features & Rationale
 
 Below is a breakdown of each hardening component, with a summary of why each is critical to your security posture.

ciss_live_builder.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -37,65 +37,89 @@
   . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
 [[ ${BASH_VERSINFO[0]} -le 5 ]] && [[ ${BASH_VERSINFO[1]} -le 1 ]] && {
   . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
+[[ ${#} -eq 0 ]] && {
+  . ./lib/lib_usage.sh; usage; exit 1; }
 
-declare -g VAR_HANDLER_AUTOBUILD="false"
-declare -gr VAR_CONTACT="security@coresecret.eu"
-declare -gr VAR_VERSION="Master V8.03.400.2025.06.05"
+### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING(), CHECK_GIT()
+. ./var/early.var.sh
+. ./lib/lib_guard_sourcing.sh
+. ./lib/lib_git_var.sh
 
-### VERY EARLY CHECK FOR AUTO-BUILD, CONTACT, USAGE, AND VERSION STRING
-declare arg
-if [[ ${#} -eq 0 ]]; then . ./lib/lib_usage.sh; usage; exit 1; fi
-for arg in "$@"; do case "${arg,,}" in -a=*|--autobuild=*) declare -g VAR_HANDLER_AUTOBUILD=true; declare -g VAR_KERNEL="${arg#*=}";; esac; done
-for arg in "$@"; do case "${arg,,}" in -c|--contact) printf "\e[95mCISS.debian.live.builder Contact: %s\e[0m\n" "${VAR_CONTACT}"; exit 0;; esac; done
-for arg in "$@"; do case "${arg,,}" in -h|--help) . ./lib/lib_usage.sh; usage; exit 0;; esac; done
+### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG
+for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh; contact; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh; usage; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -v|--version) printf "\e[95mCISS.debian.live.builder Version: %s\e[0m\n" "${VAR_VERSION}"; exit 0;; esac; done
-unset arg
 
-### VERY EARLY CHECK FOR XTRACE DEBUGGING
-if [[ $* == *" --debug "* ]]; then
-  . ./lib/lib_debug.sh
-  debugger "${@}"
-else
-  declare -grx VAR_EARLY_DEBUG=false
-fi
+### ALL CHECKS DONE. READY TO START THE SCRIPT
+check_git
+for arg in "$@"; do case "${arg,,}" in -d|--debug)   . ./meta_sources_debug.sh; debugger "${@}";; esac; done
+declare -gx VAR_SETUP="true"
 
-### Advisory Lock
-exec 127>/var/lock/ciss_live_builder.lock || {
+### SOURCING VARIABLES
+[[ "${VAR_SETUP}" == true ]] && {
+  . ./var/bash.var.sh
+  . ./var/color.var.sh
   . ./var/global.var.sh
+}
+
+### SOURCING LIBRARIES
+[[ "${VAR_SETUP}" == true ]] && {
+  . ./lib/lib_arg_parser.sh
+  . ./lib/lib_arg_priority_check.sh
+  . ./lib/lib_boot_screen.sh
+  . ./lib/lib_cdi.sh
+  . ./lib/lib_change_splash.sh
+  . ./lib/lib_check_dhcp.sh
+  . ./lib/lib_check_hooks.sh
+  . ./lib/lib_check_kernel.sh
+  . ./lib/lib_check_pkgs.sh
+  . ./lib/lib_check_provider.sh
+  . ./lib/lib_check_stats.sh
+  . ./lib/lib_check_var.sh
+  . ./lib/lib_clean_screen.sh
+  . ./lib/lib_clean_up.sh
+  . ./lib/lib_copy_integrity.sh
+  . ./lib/lib_hardening_root_pw.sh
+  . ./lib/lib_hardening_ssh.sh
+  . ./lib/lib_hardening_ultra.sh
+  . ./lib/lib_helper_ip.sh
+  . ./lib/lib_lb_build_start.sh
+  . ./lib/lib_lb_config_start.sh
+  . ./lib/lib_lb_config_write.sh
+  . ./lib/lib_provider_netcup.sh
+  . ./lib/lib_run_analysis.sh
+  . ./lib/lib_sanitizer.sh
+  . ./lib/lib_trap_on_err.sh
+  . ./lib/lib_trap_on_exit.sh
+  . ./lib/lib_usage.sh
+}
+
+### ADVISORY LOCK
+exec 127>/var/lock/ciss_live_builder.lock || {
   printf "\e[91m❌ Cannot open lockfile for writing! Bye... \e[0m\n" >&2
   exit "${ERR_FLOCK_WRTG}"
 }
 
 if ! flock -x -n 127; then
-  . ./var/global.var.sh
   printf "\e[91m❌ Another instance is running! Bye...\e[0m\n" >&2
   exit "${ERR_FLOCK_COLL}"
 fi
 
-### Checking required packages
-. ./lib/lib_check_pkgs.sh
+### CHECK FOR AUTOBUILD MODE
+for arg in "$@"; do case "${arg,,}" in -a=*|--autobuild=*) declare -gx VAR_HANDLER_AUTOBUILD="true"; declare -gx VAR_KERNEL="${arg#*=}";; esac; done; unset arg
+for dir in /usr/local/sbin /usr/sbin; do case ":${PATH}:" in *":${dir}:"*) ;; *) PATH="${PATH}:${dir}" ;; esac; done; export PATH; unset dir
+
+### CHECKING REQUIRED PACKAGES
 check_pkgs
 
-### Dialog Output for Initialization
-if ! $VAR_HANDLER_AUTOBUILD; then . ./lib/lib_boot_screen.sh && boot_screen; fi
+### DIALOG OUTPUT FOR INITIALIZATION
+if ! $VAR_HANDLER_AUTOBUILD; then boot_screen; fi
 
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nUpdating variables ... \nXXX\n05\n" >&3; fi
-. ./var/global.var.sh
-. ./var/colors.var.sh
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi
 
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nEnabling Bash Error Handling ... \nXXX\n15\n" >&3; fi
-### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin
-set -o errexit   # Exit script when a command exits with non-zero status, the same as "set -e".
-set -o errtrace  # Any traps on ERR are inherited in a subshell environment, the same as "set -E".
-set -o functrace # Any traps on DEBUG and RETURN are inherited in a subshell environment, the same as "set -T".
-set -o nounset   # Exit script on use of an undefined variable, the same as "set -u".
-set -o pipefail  # Makes pipelines return the exit status of the last command in the pipe that failed.
-set -o noclobber # Prevent overwriting, the same as "set -C".
-
-### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nAdditional initialization ... \nXXX\n25\n" >&3; fi
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nAdditional initialization ... \nXXX\n30\n" >&3; fi
 ### Initialization
 declare -gr ARGUMENTS_COUNT="$#"
 declare -gr ARG_STR_ORG_INPUT="$*"
@@ -108,42 +132,13 @@ declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
 declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
 
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSourcing Libraries ... \nXXX\n50\n" >&3; fi
-. ./lib/lib_arg_parser.sh
-. ./lib/lib_arg_priority_check.sh
-. ./lib/lib_cdi.sh
-. ./lib/lib_change_splash.sh
-. ./lib/lib_check_dhcp.sh
-. ./lib/lib_check_hooks.sh
-. ./lib/lib_check_kernel.sh
-. ./lib/lib_check_provider.sh
-. ./lib/lib_check_stats.sh
-. ./lib/lib_check_var.sh
-. ./lib/lib_clean_screen.sh
-. ./lib/lib_clean_up.sh
-. ./lib/lib_copy_integrity.sh
-. ./lib/lib_hardening_root_pw.sh
-. ./lib/lib_hardening_ssh.sh
-. ./lib/lib_hardening_ultra.sh
-. ./lib/lib_helper_ip.sh
-. ./lib/lib_lb_build_start.sh
-. ./lib/lib_lb_config_start.sh
-. ./lib/lib_lb_config_write.sh
-. ./lib/lib_provider_netcup.sh
-. ./lib/lib_run_analysis.sh
-. ./lib/lib_sanitizer.sh
-. ./lib/lib_trap_on_err.sh
-. ./lib/lib_trap_on_exit.sh
-. ./lib/lib_usage.sh
-
-### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nActivate traps ... \nXXX\n55\n" >&3; fi
-### Following the CISS Bash naming and ordering scheme
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
+### Following the CISS Bash naming and ordering scheme:
 trap 'trap_on_exit "$?"' EXIT
 trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
 
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSanitizing Arguments ... \nXXX\n70\n" >&3; fi
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
 arg_check "$@"
 declare -ar ARY_ARG_SANITIZED=("$@")
 declare -gr VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
@@ -159,6 +154,7 @@ clean_ip
 ### Updating Status of Dialog Gauge Bar
 if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi
 
+### Turn off Dialog Wrapper
 if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
 
 ### MAIN Program

config/bootloaders/grub-efi/grub.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/bootloaders/grub-pc/grub.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0000_generate_backup_dir.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0001_initramfs_modules.chroot

@@ -148,7 +148,7 @@ cat << 'EOF' >| /etc/initramfs-tools/initramfs.conf
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -207,9 +207,9 @@ COMPRESS=zstd
 # Defaults vary by compressor.
 #
 # Valid values are:
-# 1–9 for gzip|bzip2|lzma|lzop
-# 0–9 for  lz4|xz
-# 0–19 for zstd
+# 1-9 for gzip|bzip2|lzma|lzop
+# 0-9 for  lz4|xz
+# 0-19 for zstd
 # COMPRESSLEVEL=3
 
 #
@@ -253,7 +253,7 @@ cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/hooks/live/0002_verify_checksums.chroot

@@ -27,7 +27,7 @@ cat << 'EOF' >| "${src}"
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/hooks/live/0003_install_backports.chroot

@@ -0,0 +1,39 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -C -e -u -o pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+# sleep 1
+
+DEBIAN_FRONTEND=noninteractive \
+  apt-get update && \
+    DEBIAN_FRONTEND=noninteractive \
+      apt-get install -y --no-install-recommends \
+        -o Dpkg::Options::="--force-confdef" \
+        -o Dpkg::Options::="--force-confold" \
+        -t bookworm-backports \
+        btrfs-progs \
+        curl \
+        debootstrap \
+        iproute2 \
+        ncat \
+        nmap \
+        ssh \
+        systemd \
+        systemd-sysv \
+        whois
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+# sleep 1
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0820_kernel_hardening_checker.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/1024_git_clone_ciss_2025_debian_installer.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/9920_deleting_invalid_x509.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/9940_hardening_memory.dump.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/hooks/live/9950_fail2ban_hardening.chroot

@@ -30,7 +30,7 @@ cat << 'EOF' >| /etc/fail2ban/jail.d/centurion-default.conf
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
@@ -46,7 +46,7 @@ findtime  = 24h
 bantime   = 24h
 
 ### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
-###               Jump host mistyped 1–3 times: no ban, only after four attempts          [sshd]
+###               Jump host mistyped 1-3 times: no ban, only after four attempts          [sshd]
 
 [sshd]
 enabled   = true

config/hooks/live/9985_clamav.chroot

@@ -32,8 +32,8 @@ ReadOnlyPaths=/
 ReadWritePaths=/var/lib/clamav /var/log/clamav /var/run/clamav /run/clamav
 
 MemoryDenyWriteExecute=yes
-MemoryLimit=512M
-CPUShares=512
+#MemoryLimit=4096M
+#CPUShares=512
 
 RestrictAddressFamilies=AF_INET AF_INET6
 RestrictNamespaces=yes
@@ -58,8 +58,8 @@ ReadOnlyPaths=/
 ReadWritePaths=/var/lib/clamav /var/log/clamav /var/run/clamav
 
 MemoryDenyWriteExecute=yes
-MemoryLimit=512M
-CPUShares=512
+#MemoryLimit=4096M
+#CPUShares=512
 
 RestrictAddressFamilies=AF_INET AF_INET6
 RestrictNamespaces=yes

config/hooks/live/9990_final_purge.chroot

@@ -16,13 +16,13 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 
 apt-get update -y
 
-apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config \
-qemu-guest-agent rmail sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
+apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
+#sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
 
-apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config \
-qemu-guest-agent rmail sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
+apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
+#sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
 
-dpkg --get-selections | grep deinstall >> /tmp/deinstall.log || true
+dpkg --get-selections | grep deinstall >| /tmp/deinstall.log || true
 
 if [[ -s /tmp/deinstall.log ]]; then
   printf "\n"

config/hooks/live/9991_file_permissions.chroot

@@ -39,6 +39,7 @@ EOF
 
 cp -a /etc/login.defs /root/.ciss/dlb/backup/login.defs.bak
 
+sed -ri 's/^(#?LOGIN_TIMEOUT)[[:space:]]+[0-9]+/\1 180/' /etc/login.defs
 sed -i 's/UMASK		022/UMASK		077/' /etc/login.defs
 sed -i 's/PASS_MAX_DAYS	99999/PASS_MAX_DAYS	16384/' /etc/login.defs
 sed -i 's/PASS_MIN_DAYS	0/PASS_MIN_DAYS	1/' /etc/login.defs

config/hooks/live/9992_password_expiration.chroot

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/hooks/live/9993_aide.chroot

@@ -14,7 +14,7 @@ set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 
-apt-get install -y aide
+apt-get install -y aide > /dev/null 2>&1
 
 cp -u /etc/aide/aide.conf /root/.ciss/dlb/backup/aide.conf.bak
 sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf

config/hooks/live/9994_password_policy.chroot

@@ -26,7 +26,7 @@ cat << 'EOF' >| /etc/security/pwquality.conf
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
@@ -34,7 +34,7 @@ cat << 'EOF' >| /etc/security/pwquality.conf
 # SPDX-Security-Contact: security@coresecret.eu
 
 ### Current recommendations for '/etc/security/pwquality.conf' based on common best practices,
-### including NIST SP 800–63B, https://pages.nist.gov/800-63-3/sp800-63b.html
+### including NIST SP 800-63B, https://pages.nist.gov/800-63-3/sp800-63b.html
 ### and weighing usability against security.
 
 ### Configuration for systemwide password quality limits
@@ -46,15 +46,15 @@ difok = 4
 
 ### Length over complexity: Studies show that longer passphrases are significantly more
 ### resistant to brute-force and dictionary attacks. NIST recommends at least eight characters
-### but advises longer passphrases (e.g., 12–64) for increased security. Twenty characters strike a
+### but advises longer passphrases (e.g., 12-64) for increased security. Twenty characters strike a
 ### good balance between security and user convenience.
 ### Minimum acceptable size for the new password (plus one if
 ### credits are not disabled, which is the default). (See pam_cracklib manual.)
 ### Cannot be set to a lower value than 6.
-minlen = 20
+minlen = 40
 
 ### dcredit = 0, ucredit = 0, lcredit = 0, ocredit = 0, minclass = 0
-### NIST SP 800–63B advises against rigid complexity rules (numbers, symbols, uppercase)
+### NIST SP 800-63B advises against rigid complexity rules (numbers, symbols, uppercase)
 ### because they can lead users to adopt predictable patterns (e.g., "Pa$$word!").
 ### Length and dictionary checks are more effective.
 

config/includes.binary/boot/grub/config.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/includes.chroot/etc/live/config.conf

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/etc/modprobe.d/30-cendev-hardening.conf

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/etc/network/interfaces

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/etc/ssh/sshd_config

@@ -2,14 +2,14 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.400.2025.06.05
+### Version Master V8.03.832.2025.06.24
 
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -51,7 +51,7 @@ MaxSessions                  2
 MaxStartups                  08:64:16
 ### Restrict each individual source IP to only 4 unauthenticated connection slot
 ### in the concurrent MaxStartups pool, preventing one IP from monopolizing slots.
-PerSourceMaxStartups         4
+PerSourceMaxStartups         8
 ClientAliveInterval          300
 ClientAliveCountMax          2
 

config/includes.chroot/etc/sysctl.d/99_local.hardened

@@ -2,14 +2,14 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.400.2025.06.05
+### Version Master V8.03.832.2025.06.24
 
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/

config/includes.chroot/etc/systemd/system/getty@tty1.service.d/override.conf

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.ash/0_di_preseed_include_command.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.ash/1_di_preseed_early_command.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.ash/2_di_partman_early_command.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.ash/3_di_preseed_late_command.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.ash/di_scripting_flexibility.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.ash/di_scripting_password.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -26,13 +26,13 @@ grep -o '[!-~]' /dev/urandom | tr -d '\n' | head -c64 >> "${TMP_PASSPHRASE_FILE}
 DEB_INSTALLER_CRYPT_INC_FILE=$(mktemp)
 readonly DEB_INSTALLER_CRYPT_INC_FILE
 
-# Read the first line (the passphrase) – POSIX-compliant
+# Read the first line (the passphrase) - POSIX-compliant
 # IFS= prevents leading/trailing spaces from being truncated,
 # -r ensures that backslashes are not interpreted.
 IFS= read -r passphrase < "${TMP_PASSPHRASE_FILE}"
 
 # A single printf call with exactly one redirect
-# – ShellCheck-compliant and valid in POSIX-sh
+# - ShellCheck-compliant and valid in POSIX-sh
 printf 'd-i partman-crypto/passphrase string %s\n' "${passphrase}" >> "$DEB_INSTALLER_CRYPT_INC_FILE"
 
 printf 'd-i partman-crypto/passphrase-again string %s\n' "${passphrase}" >> "$DEB_INSTALLER_CRYPT_INC_FILE"

config/includes.chroot/preseed/.ash/di_scripting_ssh.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/.directories.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/apt.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/base.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/finished.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/firmware.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/grub.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/locale.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/modules.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/network.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/packages.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/partitioning.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/security.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/software.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/ssh.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/time.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.cfg/user.cfg

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.iso/iso.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/preseed/.iso/preseed_hash_generator.sh

@@ -3,14 +3,14 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-declare -gr VERSION="Master V8.03.400.2025.06.05"
+declare -gr VERSION="Master V8.03.832.2025.06.24"
 
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then

config/includes.chroot/preseed/.lib/sshd_config.lib

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.

config/includes.chroot/preseed/preseed.cfg

@@ -4,7 +4,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024â€"2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.03.400.2025.06.05 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.03.832.2025.06.24 at: 10:18:37.9542

config/includes.chroot/root/.bashrc

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -33,6 +33,7 @@
 
 trap ' "${SHELL}" /root/.ciss/clean_logout.sh ' 0
 source /root/.ciss/alias
+source /root/.ciss/f2bchk.sh
 source /root/.ciss/shortcuts
 source /root/.ciss/scan_libwrap
 

config/includes.chroot/root/.ciss/alias

@@ -3,14 +3,14 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-########################################################################################### ℵ
+########################################################################################### Alpha
 #######################################
 # Outputs a 16-character random printable string
 # Arguments:
@@ -149,64 +149,85 @@ genpasswdhash() {
   mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608
 }
 
-###########################################################################################
-# Globals: Wrapper for secure curl
+#######################################
+# Wrapper for secure curl
 # Arguments:
 #  $1: URL from which to download a specific file
 #  $2: /path/to/file to be saved to
-###########################################################################################
-# shellcheck disable=SC2317
+# Returns:
+#   0: Download successful
+#   1: Usage error
+#   2: Download failure
+#######################################
 scurl() {
   if [[ $# -ne 2 ]]; then
-    printf "\e[91m❌ Error: Usage: scurl <URL> <path/to/file>. \e[0m\n" >&2
+    printf "\e[91m❌ Error: Usage: scurl <URL> <path/to/file>.\e[0m\n" >&2
     return 1
   fi
-
-  if ! curl --proto '=https' --tlsv1.3 -sSf -o "${2}" "${1}"; then
-    printf "\e[91m❌ Error: Download failed for URL: '%s'. \e[0m\n" "${1}" >&2
+  declare url="$1"
+  declare output_path="$2"
+  if ! curl --doh-url "https://dns01.eddns.eu/dns-query" \
+            --doh-cert-status \
+            --tlsv1.3 \
+            -sSf \
+            -o "${output_path}" \
+            "${url}"
+  then
+    printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "${url}" >&2
     return 2
   fi
+  return 0
 }
 
-###########################################################################################
-# Globals: Wrapper for secure wget
+#######################################
+# Wrapper for secure wget
 # Arguments:
 #  $1: URL from which to download a specific file
 #  $2: /path/to/file to be saved to
-###########################################################################################
-# shellcheck disable=SC2317
+# Returns:
+#   0: Download successful
+#   1: Usage error
+#   2: Download failure
+#######################################
 swget() {
   if [[ $# -ne 2 ]]; then
-    printf "\e[91m❌ Error: Usage: swget <URL> <path/to/file>. \e[0m\n" >&2
+    printf "\e[91m❌ Error: Usage: swget <URL> <path/to/file>.\e[0m\n" >&2
     return 1
   fi
-
-  if ! wget --no-clobber --https-only --secure-protocol=TLSv1_3 -qO "${2}" "${1}"; then
-    printf "\e[91m❌ Error: Download failed for URL: '%s'. \e[0m\n" "${1}" >&2
+  declare url="$1"
+  declare output_path="$2"
+  mkdir -p "$(dirname "${output_path}")"
+  if ! wget --show-progress \
+            --no-clobber \
+            --https-only \
+            --secure-protocol=TLSv1_3 \
+            -qO "${output_path}" \
+            "${url}"
+  then
+    printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "$url" >&2
     return 2
   fi
+  return 0
 }
 
-###########################################################################################
-# Globals: Wrapper for loading CISS.2025 hardened Kernel Parameters
+#######################################
+# Wrapper for loading CISS.2025 hardened Kernel Parameters
 # Arguments:
-#  none
-###########################################################################################
-# shellcheck disable=SC2317
+#  None
+#######################################
 sysp() {
   sysctl -p /etc/sysctl.d/99_local.hardened
   # sleep 1
   sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
 }
 
-###########################################################################################
-# Globals: Wrapper for tree
+#######################################
+# Wrapper for tree
 # Arguments:
 #  $1: Depth of Directory Listing
-###########################################################################################
-# shellcheck disable=SC2317
+#######################################
 trel() {
-    declare depth=${1:-3}
-    tree -C -h --dirsfirst -L "${depth}"
+  declare depth=${1:-3}
+  tree -C -h --dirsfirst -L "${depth}"
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/includes.chroot/root/.ciss/clean_logout.sh

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/includes.chroot/root/.ciss/f2bchk.sh

@@ -0,0 +1,87 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Wrapper for fail2ban filter checks against logs.
+# Usage: f2bchk --mode=ignored || --mode=matched  || --mode=missed \
+#               --filter=/etc/fail2ban/filter.d/ufw.aggressive.conf \
+#               --log=/var/log/ufw.log \
+#               --output=/tmp/f2bchk.log
+# Globals:
+#   DEFAULT_FILTER
+#   DEFAULT_LOG
+#   DEFAULT_MODE
+# Arguments:
+#  None
+# Returns:
+#   1 In case of any errors
+#######################################
+f2bchk(){
+  # Declare default values (readonly)
+  declare -r DEFAULT_MODE="matched"
+  declare -r DEFAULT_FILTER="/etc/fail2ban/filter.d/ufw.aggressive.conf"
+  declare -r DEFAULT_LOG="/var/log/ufw.log"
+
+  declare mode="${DEFAULT_MODE}"
+  declare filter="${DEFAULT_FILTER}"
+  declare log="${DEFAULT_LOG}"
+  declare output=""
+  declare arg=""
+
+  for arg in "$@"; do
+    case "${arg}" in
+      --mode=*)   mode="${arg#--mode=}";;
+      --filter=*) filter="${arg#--filter=}";;
+      --log=*)    log="${arg#--log=}";;
+      --output=*) output="${arg#--output=}";;
+      *)
+        printf "\e[31m[ERROR]\e[0m Unknown argument: %s\n" "${arg}"
+        return 1
+        ;;
+    esac
+  done
+
+  declare flag suffix
+  case "${mode}" in
+    ignored) flag="--print-all-ignored"; suffix="all.ignored";;
+    matched) flag="--print-all-matched"; suffix="all.matched";;
+    missed)  flag="--print-all-missed";  suffix="all.missed";;
+    *)
+      printf "\e[31m[ERROR]\e[0m Invalid mode: %s\n" "${mode}"
+      return 1
+      ;;
+  esac
+
+  if [[ -z "${output}" ]]; then
+    declare filter_name="${filter##*/}"
+    filter_name="${filter_name%.conf}"
+    output="/tmp/${filter_name}.${suffix}.log"
+  fi
+  if [[ ! -r "${log}" ]]; then
+    printf "\e[31m[ERROR]\e[0m Log file '%s' not found or not readable.\n" "${log}"
+    return 1
+  fi
+  if [[ ! -r "${filter}" ]]; then
+    printf "\e[31m[ERROR]\e[0m Filter file '%s' not found or not readable.\n" "${filter}"
+    return 1
+  fi
+
+  printf "\e[33m[INFO]\e[0m Running: fail2ban-regex %s %s %s\n" "${log}" "${filter}" "${flag}"
+  if fail2ban-regex "${log}" "${filter}" "${flag}" >| "${output}"; then
+    printf "\e[32m[SUCCESS]\e[0m Saved log to %s\n" "$output"
+    printf "You can view it with: cat %s\n" "$output"
+  else
+    printf "\e[31m[ERROR]\e[0m fail2ban-regex execution failed.\n"
+    return 1
+  fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/includes.chroot/root/.ciss/scan_libwrap

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/includes.chroot/root/.ciss/shortcuts

@@ -3,7 +3,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

config/package-lists/live.list.amd64.chroot

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/package-lists/live.list.arm64.chroot

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.

config/package-lists/live.list.common.chroot

@@ -2,7 +2,7 @@
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
@@ -21,6 +21,7 @@ bc
 bind9-dnsutils
 bsdmainutils
 btrfs-progs
+bzip2
 ca-certificates
 clamav
 clamav-daemon
@@ -42,9 +43,11 @@ dirmngr
 dmsetup
 dnsviz
 dosfstools
+e2fsprogs
 efibootmgr
 expect
 fail2ban
+fdisk
 figlet
 fzf
 gawk
@@ -79,6 +82,7 @@ man
 man-db
 manpages
 manpages-dev
+mdadm
 mtr
 nano
 ncat
@@ -110,11 +114,13 @@ ssl-cert
 sudo
 sysstat
 systemd-sysv
+tar
 tree
 tshark
 ufw
 unattended-upgrades
 unzip
+util-linux
 virt-what
 wamerican
 wbritish
@@ -122,6 +128,9 @@ wfrench
 wget
 whois
 wngerman
+xfsprogs
+xz-utils
+yq
 zip
 zsh
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

docs/AUDIT_DNSSEC.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.400.2025.06.05<br>
+**Build**: V8.03.832.2025.06.24<br>
 
 # 2. DNSSEC Status
 

docs/AUDIT_HAVEGED.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.400.2025.06.05<br>
+**Build**: V8.03.832.2025.06.24<br>
 
 # 2. Haveged Audit on Netcup RS 2000 G11
 

docs/AUDIT_LYNIS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.400.2025.06.05<br>
+**Build**: V8.03.832.2025.06.24<br>
 
 # 2. Lynis Audit:
 

docs/AUDIT_SSH.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.400.2025.06.05<br>
+**Build**: V8.03.832.2025.06.24<br>
 
 # 2. SSH Audit by ssh-audit.com
 

docs/AUDIT_TLS.md

@@ -8,14 +8,14 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.400.2025.06.05<br>
+**Build**: V8.03.832.2025.06.24<br>
 
 # 2. TLS Audit:
 
 ````text
 #####################################################################
-  testssl.sh version 3.2rc4 from https://testssl.sh/dev/
-  (6746fa5 2025-04-18 13:17:50)
+  testssl.sh version 3.2.1 from https://testssl.sh/
+  (81471c3 2025-06-15 09:48:31)
 
   This program is free software. Distribution and modification under
   GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
@@ -26,7 +26,7 @@ include_toc: true
   Using OpenSSL 1.0.2-bad (Mar 28 2025)  [~179 ciphers]
   on kali:./bin/openssl.Linux.x86_64
 
- Start 2025-06-02 18:04:19        -->> 152.53.110.40:443 (coresecret.dev) <<--
+ Start 2025-06-23 17:58:48        -->> 152.53.110.40:443 (git.coresecret.dev) <<--
 
  Further IP addresses:   2a0a:4cc0:80:330f:152:53:110:40
  rDNS (152.53.110.40):   git.coresecret.dev.
@@ -193,17 +193,21 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
                               SHA256 76B6FFCE607D8514F676C286C7C76B90F5B7AE7D041631F2EF2F0079AF8D24AC
  Common Name (CN)             coresecret.dev
  subjectAltName (SAN)         coresecret.dev git.coresecret.dev lab.coresecret.dev run.coresecret.dev www.coresecret.dev
- Trust (hostname)             Ok via SAN and CN (same w/o SNI)
+ Trust (hostname)             Ok via SAN (same w/o SNI)
  Chain of trust               Ok
  EV cert (experimental)       no
- Certificate Validity (UTC)   174 >= 60 days (2025-05-28 09:56 --> 2025-11-23 22:59)
+ Certificate Validity (UTC)   153 >= 60 days (2025-05-28 09:56 --> 2025-11-23 22:59)
  ETS/"eTLS", visibility info  not present
  In pwnedkeys.com DB          not in database
  Certificate Revocation List  http://crl.buypass.no/crl/BPClass2CA5.crl, not revoked
  OCSP URI                     http://ocsp.buypass.com, not revoked
  OCSP stapling                offered, not revoked
  OCSP must staple extension   --
- DNS CAA RR (experimental)    not offered
+ DNS CAA RR (experimental)    available - please check for match with "Issuer" below
+                              communications=error, iodef=mailto:dns@coresecret.eu, issue=;, issue=buypass.no, issue=certum.pl,
+                              issue=letsencrypt.org;, issue=quantumsign.eu;, issue=sectigo.com, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
+                              issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
+                              issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuemail=buypass.no, issuemail=certum.pl, issuewild=;
  Certificate Transparency     yes (certificate extension)
  Certificates provided        2
  Issuer                       Buypass Class 2 CA 5 (Buypass AS-983163327 from NO)
@@ -213,23 +217,27 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
 
  Testing HTTP header response @ "/"
 
- HTTP Status Code             301 Moved Permanently, redirecting to "https://git.coresecret.dev"
+ HTTP Status Code             200 OK
  HTTP clock skew              0 sec from localtime
  Strict Transport Security    730 days=63072000 s, includeSubDomains, preload
  Public Key Pinning           --
  Server banner                nginx
  Application banner           --
- Cookie(s)                    (none issued at "/") -- maybe better try target URL of 30x
+ Cookie(s)                    2 issued: 2/2 secure, 2/2 HttpOnly
  Security headers             X-Frame-Options: SAMEORIGIN
                               X-Content-Type-Options: nosniff
+                              Content-Security-Policy: default-src 'none'; connect-src 'self'; font-src 'self' data:; form-action 'self';
+                                frame-src 'self'; frame-ancestors 'self'; img-src 'self' data: https://badges.coresecret.dev
+                                https://uml.coresecret.dev; manifest-src 'self'; media-src 'self' data: https://badges.coresecret.dev
+                                https://uml.coresecret.dev; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'none';
                               Expect-CT: max-age=86400, enforce
                               Permissions-Policy: interest-cohort=()
-                              Cross-Origin-Opener-Policy: same-origin
-                              Cross-Origin-Resource-Policy: same-origin
-                              Cross-Origin-Embedder-Policy: require-corp
+                              Cross-Origin-Opener-Policy: cross-origin
+                              Cross-Origin-Resource-Policy: cross-origin
+                              Cross-Origin-Embedder-Policy: unsafe-none
                               X-XSS-Protection: 1; mode=block
                               Permissions-Policy: interest-cohort=()
-                              Referrer-Policy: same-origin
+                              Referrer-Policy: no-referrer
                               Cache-Control: no-cache
  Reverse Proxy banner         --
 
@@ -268,6 +276,7 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
  Android 10.0 (native)        TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
  Android 11/12 (native)       TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
  Android 13/14 (native)       TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
+ Android 15 (native)          TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
  Chrome 101 (Win 10)          TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
  Chromium 137 (Win 11)        TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
  Firefox 100 (Win 10)         TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
@@ -308,7 +317,7 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
  Final Score                  100
  Overall Grade                A+
 
- Done 2025-06-02 18:05:51 [  95s] -->> 152.53.110.40:443 (coresecret.dev) <<--
+ Done 2025-06-23 18:00:16 [  99s] -->> 152.53.110.40:443 (git.coresecret.dev) <<--
 ````
 
 ---

docs/CHANGELOG.md

@@ -8,26 +8,102 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.400.2025.06.05<br>
+**Build**: V8.03.832.2025.06.24<br>
 
 # 2. Changelog
 
+## V8.03.832.2025.06.24
+
+* Updated:
+  * [lib_check_provider.sh](../lib/lib_check_provider.sh)
+  * [lib_debug_header.sh](../lib/lib_debug_header.sh)
+  * [lib_trap_on_err.sh](../lib/lib_trap_on_err.sh)
+* The Debian package ``bat`` will be installed to enable smooth log reading.
+
+## V8.03.768.2025.06.23
+
+* Updated [lib_clean_up.sh](../lib/lib_clean_up.sh): Removal of Lock FD and Artifacts.
+* Rearranged VARs sourcing: [early.var.sh](../var/early.var.sh)
+* Rearranged DEBUG XTRACE sourcing: [meta_sources_debug.sh](../meta_sources_debug.sh)
+* Added Git Repo specific VARs: [lib_debug_var_git.sh](../lib/lib_git_var.sh)
+* Added ``guard_sourcing()``: [lib_guard_sourcing.sh](../lib/lib_guard_sourcing.sh)
+  * to prevent the caller LIB-file from being sourced twice.
+
+## V8.03.768.2025.06.19
+
+* Minor main script improvements.
+* Updated [lib_usage.sh](../lib/lib_usage.sh) output.
+
+## V8.03.768.2025.06.18
+
+* Minor main script improvements.
+* Updated contact section.
+* Integrated third ``dns03.eddns.eu`` Centurion DNS Resolver.
+
+## V8.03.768.2025.06.17
+
+* Updated LIVE ISO workflows to use Kernel: ``linux-image-6.12.30+bpo-amd64``
+
+## V8.03.768.2025.06.11
+
+* Updated LIVE ISO workflows to use Kernel: ``linux-image-6.12.27+bpo-amd64``
+
+## V8.03.768.2025.06.09
+
+* Added: [f2bchk.sh](../config/includes.chroot/root/.ciss/f2bchk.sh)
+* Updated: [alias](../config/includes.chroot/root/.ciss/alias)
+  * ``scurl()``
+  * ``swget()``
+
+## V8.03.644.2025.06.07
+
+* Updated workflows ISO Generators Runners. 
+* Installing ``bookworm-backports`` Versions of:
+  * ``btrfs-progs``
+  * ``curl``
+  * ``debootstrap``
+  * ``iproute2``
+  * ``ncat``
+  * ``nmap``
+  * ``ssh``
+  * ``systemd``
+  * ``systemd-sysv``
+  * ``whois``
+* Changed default: ``/etc/login.defs`` ``LOGIN_TIMEOUT 60`` to: ``LOGIN_TIMEOUT 180``
+* LIVE ISO generated by workflow tested against:
+  * Netcup Root Server
+  * Proxmox 
+* LIVE ISO generated by script tested against:
+  * Netcup Root Server
+
+## V8.03.512.2025.06.06
+
+* Updated workflows: 
+  1. ``git stash push``
+  2. ``git fetch origin master``
+  3. ``git merge --no-edit origin/master``
+  4. ``git stash pop``
+
+* Changed workflows ISO Generators routines ``🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.``
+  * added ``wget --https-only`` flag
+  * added verification step
+
 ## V8.03.400.2025.06.05
 
-* The workflow image was changed to ``debian:bookworm``.
+* The workflow ISO Generators image was changed to ``debian:bookworm``.
 * Added a LIVE ISO workflow routine to build GnuPG from sources, since Bookworm GPG does not recognize key format 5.
 * Changed verbosity of:
   * [9993_aide.chroot](../config/hooks/live/9993_aide.chroot)
   * [9997_debsums.chroot](../config/hooks/live/9997_debsums.chroot)
 * Added basic linter checks for:
-  * '*.sh',
-  * '*.zsh',
-  * '*.chroot',
-  * all files with Shebang (#!) for:
+  * **``*.sh``**,
+  * **``*.zsh``**,
+  * **``*.chroot``**,
+  * all files with Shebang **``#``**! for:
     * Windows CRLF line endings
     * unauthorized control characters (C0 control characters except \t, \n)
     * non-ASCII (ambiguous UTF) characters
-  [linter_char_scripts.yaml](../.gitea/workflows/linter_char_scripts.yaml)
+  * [linter_char_scripts.yaml](../.gitea/workflows/linter_char_scripts.yaml)
 
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**

docs/CNET.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.400.2025.06.05<br>
+**Build**: V8.03.832.2025.06.24<br>
 
 # 2. Centurion Net - Developer Branch Overview
 

docs/CODING_CONVENTION.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.400.2025.06.05<br>
+**Build**: V8.03.832.2025.06.24<br>
 
 # 2. Coding Style
 

docs/CONTRIBUTING.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.400.2025.06.05<br>
+**Build**: V8.03.832.2025.06.24<br>
 
 # 2. Contributing / participating
 

docs/CREDITS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.400.2025.06.05<br>
+**Build**: V8.03.832.2025.06.24<br>
 
 # 2. Credits
 

docs/DL_PUB_ISO.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.400.2025.06.05<br>
+**Build**: V8.03.832.2025.06.24<br>
 
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
 

docs/DOCUMENTATION.md

@@ -8,20 +8,17 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.400.2025.06.05<br>
+**Build**: V8.03.832.2025.06.24<br>
 
-# 2. Usage
+# 2.1. Usage
 ````text
 CISS.debian.live.builder
-Master V8.03.400.2025.06.05
+Master V8.03.832.2025.06.24
+A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 
 (c) Marc S. Weidner, 2018 - 2025
 (p) Centurion Press, 2024 - 2025
 
-https://coresecret.eu/
-
-A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
-
 "./ciss_live_builder.sh <option>", where <option> is one or more of:
 
   --help, -h
@@ -30,7 +27,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
   --autobuild=*, -a=*
     Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel
     selector dialog. Change '*' to your desired Linux kernel and trim the
-    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.22+bpo-amd64'.
+    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'.
 
   --architecture <STRING> one of <amd64 | arm64>
     A string reflecting the architecture of the Live System.
@@ -58,19 +55,20 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
 
   --debug
     Enables debug logging for the main program routine. Detailed logging
-    information are written to "/tmp/ciss_live_builder_3764286.log"
+    information are written to "/tmp/ciss_live_builder_1136873.log"
 
   --dhcp-centurion
     If a DHCP lease is provided, the provider's nameserver will be overridden,
     and only the hardened, privacy-focused Centurion DNS servers will be used:
-    - https://dns01.eddns.eu/
-    - https://dns02.eddns.de/
+      - https://dns01.eddns.eu/
+      - https://dns02.eddns.de/
+      - https://dns03.eddns.eu/
 
   --jump-host <IP | IP | ... >
     Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
     Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
     If provided, than it MUST be a <SPACE> separated list.
-    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd/64].
+    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64.
 
   --log-statistics-only
     Provides statistic only after successful building a
@@ -80,23 +78,25 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
 
   --provider-netcup-ipv6
     Activates IPv6 support for Netcup Root Server. One unique
-    IPv6 address MUST be provided in this case.
+    IPv6 address MUST be provided in this case and MUST be encapsulated
+    with [], e.g., [1234::abcd].
 
   --renice-priority <PRIORITY>
     Reset the nice priority value of the script and all its children
-    to the desired PRIORITY. MUST be an integer (between "-19" and 19).
+    to the desired <PRIORITY>. MUST be an integer (between "-19" and 19).
     Negative (higher) values MUST be enclosed in double quotes '"'.
 
   --reionice-priority <CLASS> <PRIORITY>
     Reset the ionice priority value of the script and all its children
-    to the desired CLASS. MUST be an integer:
-    1: realtime
-    2: best-effort
-    3: idle
-    defaults to "2".
-    PRIORITY MUST be an integer:
-    between 0 (highest) and 7 (lowest) priority.
-    defaults to "4".
+    to the desired <CLASS>. MUST be an integer:
+      1: realtime
+      2: best-effort
+      3: idle
+    Defaults to '2'.
+    Whereas <PRIORITY> MUST be an integer as well between:
+      0: highest priority and
+      7: lowest priority.
+    Defaults to '4'.
     A real-time I/O process can significantly slow down other processes
     or even cause them to starve if it continuously requests I/O.
 
@@ -107,9 +107,9 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
     the local console. The root password is hashed with an 16 Byte '/dev/random'
     generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
     after Hash generation all Variables containing plain password fragments are
-    deleted. Password file SHOULD be 0400 and root:root and is deleted without
+    deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without
     further prompt after password hash has been successfully generated via:
-    shred -vfzu 5 -f.
+    'shred -vfzu 5 -f'.
     No tracing of any plain text password fragment in any debug log.
 
   --ssh-port <INTEGER>
@@ -123,14 +123,30 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
   --version, -v
     Displays version of ./ciss_live_builder.sh.
 
-NOTES:
-  - You MUST be root to run this script.
+💡 Notes:
+🔵 You MUST be 'root' to run this script.
 
-Contact:
-  - https://coresecret.eu/
-  - security@coresecret.eu
-    - PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD
-      - https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD
+💷 Please consider donating to my work at:
+🌐 https://coresecret.eu/spenden/
+````
+
+# 2.2. Contact
+````text
+CISS.debian.live.builder
+Master V8.03.832.2025.06.24
+A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
+
+(c) Marc S. Weidner, 2018 - 2025
+(p) Centurion Press, 2024 - 2025
+
+💬 Contact:
+🌐 https://coresecret.eu/
+📧 security@coresecret.eu
+🔑 PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD
+🔗 https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD
+
+💷 Please consider donating to my work at:
+🌐 https://coresecret.eu/spenden/
 ````
 
 # 3. Booting

docs/LICENSES/CC-BY-NC-ND-4.0.txt

@@ -1,6 +1,6 @@
 Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International
 
-  Creative Commons Corporation (“Creative Commons”) is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an “as-is” basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible.
+  Creative Commons Corporation ("Creative Commons") is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an "as-is" basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible.
 
 Using Creative Commons Public Licenses
 
@@ -150,6 +150,6 @@ Section 8 - Interpretation.
 
      d.	Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.
 
-Creative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the “Licensor.” Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark “Creative Commons” or any other trademark or logo of Creative Commons without its prior written consent, including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.
+Creative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the "Licensor." Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark "Creative Commons" or any other trademark or logo of Creative Commons without its prior written consent, including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.
 
 Creative Commons may be contacted at creativecommons.org.

docs/LICENSES/CCLA-1.0.html

@@ -1,53 +0,0 @@
-<h1 id="spdx-license-identifier-licenseref-ccla-10">SPDX-License-Identifier: LicenseRef-CCLA-1.0</h1>
-<h1 id="centurion-commercial-license-agreement-10">Centurion Commercial License Agreement 1.0</h1>
-<h2 id="1-general-terms"><strong>1. General Terms</strong></h2>
-<p>1.1. This Subscription License Agreement ("Agreement") governs the commercial use of the Software ("Software").</p>
-<p>1.2. Private and open-source usage of the Software remains governed by the EUPL-1.2 license.</p>
-<p>1.3. By purchasing and using the Software under this Agreement, you ("Licensee") agree to the terms outlined below.</p>
-<p>1.4. Only the English version of this Agreement shall be legally binding. Translations are provided for convenience only.</p>
-<h2 id="2-grant-of-license"><strong>2. Grant of License</strong></h2>
-<p>2.1. Subject-to-payment of applicable subscription fees, Licensor grants Licensee a</p>
-<ul>
-<li>non-exclusive,</li>
-<li>non-transferable,</li>
-<li>time-limited,</li>
-</ul>
-<p>right to use the Software for commercial purposes.</p>
-<p>2.2. This license is valid only for the duration of the subscription period and under the scope defined in this Agreement.</p>
-<h2 id="3-subscription-fees-and-payment"><strong>3. Subscription Fees and Payment</strong></h2>
-<p>3.1. Licensee agrees to pay the subscription fees as specified in the pricing agreement. These fees are non-refundable.</p>
-<p>3.2. Licensor reserves the right to modify subscription fees upon 30 days' written notice.</p>
-<h2 id="4-restrictions"><strong>4. Restrictions</strong></h2>
-<p>4.1. Licensee shall not:</p>
-<ul>
-<li>Distribute, sublicense, or resell the Software.</li>
-<li>Reverse engineer, decompile, or modify the Software, except as permitted by mandatory law.</li>
-</ul>
-<p>4.2. The Software may not be used for illegal or unethical purposes.</p>
-<h2 id="5-support-and-updates"><strong>5. Support and Updates</strong></h2>
-<p>5.1. Licensor will provide updates and support for the Software during the subscription period, as detailed in the accompanying support agreement.</p>
-<p>5.2. Support services may include bug fixes, patches, and minor updates. Major updates may incur additional fees.</p>
-<h2 id="6-termination"><strong>6. Termination</strong></h2>
-<p>6.1. This Agreement is valid for the subscription term unless terminated earlier:</p>
-<ul>
-<li>By Licensee, with a 30-day written notice.</li>
-<li>By Licensor, in the event of Licensees breach of this Agreement.</li>
-</ul>
-<p>6.2. Upon termination, Licensee must cease all uses of the Software and delete all copies.</p>
-<h2 id="7-liability-and-warranty"><strong>7. Liability and Warranty</strong></h2>
-<p>7.1. The Software is provided "as is" without warranties of any kind, except as required by law.</p>
-<p>7.2. Licensors' liability is limited to the number of subscription fees paid by Licensee in the preceding 12 months.</p>
-<h2 id="8-governing-law"><strong>8. Governing Law</strong></h2>
-<p>8.1. This Agreement shall be governed by the laws of Portugal.</p>
-<p>8.2. Disputes arising under this Agreement shall be subject to the exclusive jurisdiction of the courts of Portugal.</p>
-<h2 id="9-miscellaneous"><strong>9. Miscellaneous</strong></h2>
-<p>9.1. Any changes to this Agreement must be in writing and signed by both parties.</p>
-<p>9.2. If any provision of this Agreement is found invalid, the remaining provisions shall remain enforceable.</p>
-<h2 id="10-contact-information">10. <strong>Contact Information</strong></h2>
-<ul>
-<li>Licensor : Centurion Intelligence Consulting Agency</li>
-<li>Email : <a href="mailto:legal@coresecret.eu">legal@coresecret.eu</a></li>
-</ul>
-<hr />
-<p>This Subscription License Agreement was last updated at 09.05.2025.</p>
-