DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]

X-CI-Metadata: master@22d6c9a at 2025-08-22T17:41:17Z on 9441b3c6beee

Generated at : 2025-08-22T17:41:17Z
Runner Host  : 9441b3c6beee
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : 22d6c9a HEAD -> master

.archive/.0000_lib_usage.sh

@@ -21,7 +21,7 @@ usage() {
   clear
   cat << EOF
 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.04.002.2025.08.11\e[0m")
+$(echo -e "\e[92mMaster V8.13.008.2025.08.22\e[0m")
 $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
 
 $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")

.archive/0003_install_backports.chroot

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail

.archive/icon.lib

@@ -5,7 +5,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ✅

.editorconfig

@@ -25,6 +25,10 @@ charset = utf-8
 insert_final_newline = true
 trim_trailing_whitespace = true
 
+[{makefile,*.mk}]
+indent_style = tab
+tab_width    = 8
+
 [*.md]
 end_of_line = lf
 # Markdown benefits from a final newline for POSIX tools

.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml

@@ -25,7 +25,7 @@ body:
     attributes:
       label: "Version"
       description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.04.002.2025.08.11"
+      placeholder: "e.g., Master V8.13.008.2025.08.22"
     validations:
       required: true
 

.gitea/TODO/dockerfile

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.04.002.2025.08.11
+### Version Master V8.13.008.2025.08.22
 
 FROM debian:bookworm
 

.gitea/TODO/render-md-to-html.yaml

@@ -5,11 +5,11 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.04.002.2025.08.11
+### Version Master V8.13.008.2025.08.22
 
 name: 🔁 Render README.md to README.html.
 

.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.04.002.2025.08.11
+  version: V8.13.008.2025.08.22
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.04.002.2025.08.11
+  version: V8.13.008.2025.08.22
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PUBLIC.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.04.002.2025.08.11
+  version: V8.13.008.2025.08.22
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_dns.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.04.002.2025.08.11
+  version: V8.13.008.2025.08.22
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PRIVATE_trixie_0.yaml

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,9 +9,13 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.04.002.2025.08.11
+### Version Master V8.13.008.2025.08.22
 
-name: 🔐 Generating a Private Live ISO FLV 0.
+name: 🔐 Generating a Private Live ISO TRIXIE.
+
+defaults:
+  run:
+    shell: bash
 
 permissions:
   contents: write
@@ -21,164 +25,34 @@ on:
     branches:
       - master
     paths:
-      - '.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml'
+      - '.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml'
 
 jobs:
-  generate-private-ciss-debian-live-iso:
+  generate-private-cdlb-trixie:
-    name: 🔐 Generating a Private Live ISO FLV 0.
+    name: 🔐 Generating a Private Live ISO TRIXIE.
-    runs-on: ciss.debian.live.builder.iso.generator
+    runs-on: cdlb.trixie
 
-    ### Run all steps inside Debian Bookworm
     container:
-      image: debian:bookworm
+      image: debian:trixie
 
     steps:
-      - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
+      - name: 🛠️ Basic Image Setup.
-        run: |
-          apt-get update -y
-          apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
-          echo 'deb https://deb.debian.org/debian bookworm-backports main' \
-            >| /etc/apt/sources.list.d/bookworm-backports.list
-          apt-get update -y
-          apt-get upgrade -y
-
-      - name: 🛠️ Installing Build Tools.
         shell: bash
         run: |
-          apt-get update -y
+          export DEBIAN_FRONTEND=noninteractive
-          apt-get install -y \
+          apt-get update
-            autoconf \
+          apt-get upgrade -y
-            automake \
+          apt-get install -y --no-install-recommends \
-            build-essential \
+            apt-utils \
-            cryptsetup \
+            bash \
+            ca-certificates \
             curl \
-            debootstrap \
-            dosfstools \
-            efibootmgr \
-            gettext \
             git \
             gnupg \
-            haveged \
+            openssh-client \
-            libbz2-dev \
+            openssl \
-            zlib1g-dev \
-            liblzma-dev \
-            libtool \
-            live-build \
-            parted \
-            pkg-config \
-            ssh \
-            ssl-cert \
             sudo \
-            texinfo \
+            util-linux
-            wget \
-            whois \
-
-      - name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
-        shell: bash
-        run: |
-          urls=(
-            "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
-          )
-
-          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
-          gpg --batch --import signature_key.asc
-
-          for url in "${urls[@]}"; do
-            archive_name="${url##*/}"
-            pkg_name="${archive_name%.tar.bz2}"
-            echo "🔄 Processing ${pkg_name}"
-            if [[ ! -f "${archive_name}" ]]; then
-              echo "📥 Downloading: '${archive_name}'."
-              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
-                echo "✅ Download successful: '${archive_name}'."
-              else
-                echo "❌ Download NOT successful: '${archive_name}'."
-                exit 1
-              fi
-            else
-              echo "💡 Skipping download, package already exists: '${archive_name}'."
-            fi
-
-            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
-
-            if [[ ! -d "${pkg_name}" ]]; then
-              echo "📂 Extracting: '${archive_name}'."
-              if tar -xjf "${archive_name}"; then
-                echo "✅ Extraction successful: '${archive_name}'."
-              else
-                echo "❌ Extraction not successful: '${archive_name}'."
-                exit 1
-              fi
-            else
-              echo "💡 Skipping directory, already exists: '${pkg_name}'."
-            fi
-
-            echo "🏗️ Build and install the package: '${pkg_name}'."
-            cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
-            mkdir -p build
-            cd build || { echo "❌ Could not change to '/build'."; exit 1; }
-
-            sudo ../configure > /dev/null 2>&1  || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
-            make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
-            sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
-
-            cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
-
-            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
-            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
-            echo "✅ Successful build and installation of '${pkg_name}'."
-            echo "-------------------------------------------------------------------------------------"
-
-          done
-
-          rm -f signature_key.asc
-
-          echo "✅ All packages were built and installed successfully."
-
-          mv_bin=(
-            "/usr/bin/gpg"
-            "/usr/bin/gpg-agent"
-            "/usr/bin/gpgconf"
-            "/usr/bin/gpg-connect-agent"
-            "/usr/bin/gpg-wks-client"
-            "/usr/bin/gpg-preset-passphrase"
-          )
-
-          for bin in "${mv_bin[@]}"; do
-            name="${bin##*/}"
-            if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
-              if mv "${bin}" "${bin}.debian-backup"; then
-                echo "✅ Moved successfully: '${bin}'."
-              else
-                echo "❌ Moved NOT successfully: '${bin}'."
-              fi
-            else
-              echo "💡 Does not exist as build binary: '${bin}'."
-            fi
-          done
-
-          for bin in "${mv_bin[@]}"; do
-            name="${bin##*/}"
-            if [[ -f "/usr/local/bin/${name}" ]]; then
-              if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
-                echo "✅ 'update-alternatives' successfully: '${bin}'."
-              else
-                echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
-              fi
-            else
-              echo "💡 Does not exist: '/usr/local/bin/${name}'."
-            fi
-          done
-
-          sudo ldconfig
-
-          gpgconf --kill all
-          /usr/local/bin/gpg-agent --daemon
 
       - name: ⚙️ Check GnuPG Version.
         shell: bash
@@ -268,9 +142,9 @@ jobs:
           set -euo pipefail
           chmod 0755 ciss_live_builder.sh
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.12.41+deb13-amd64'.
           ./ciss_live_builder.sh \
-            --autobuild=6.12.30+bpo-amd64 \
+            --autobuild=6.12.41+deb13-amd64 \
             --architecture amd64 \
             --build-directory /opt/livebuild \
             --control "${timestamp}" \
@@ -280,7 +154,8 @@ jobs:
             --provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
             --root-password-file /opt/config/password.txt \
             --ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
-            --ssh-pubkey /opt/config
+            --ssh-pubkey /opt/config \
+            --trixie
 
       - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
         shell: bash
@@ -367,11 +242,12 @@ jobs:
           gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
 
           timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
-          PRIVATE_FILE="LIVE_ISO_FLV_0.private"
+          VAR_DATE="$(date +%F)"
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
           touch "${PRIVATE_FILE}"
           cat << EOF >| "${PRIVATE_FILE}"
           # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
           # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
           # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
           # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -381,7 +257,7 @@ jobs:
           # SPDX-PackageName: CISS.debian.live.builder
           # SPDX-Security-Contact: security@coresecret.eu
 
-          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
 
           CISS.debian.live.builder ISO :
             "${VAR_ISO_FILE_NAME}"
@@ -435,7 +311,7 @@ jobs:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
           set -euo pipefail
-          PRIVATE_FILE="LIVE_ISO_FLV_0.private"
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
           git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
 
       - name: 🔑 Commit and sign changes with CI metadata.
@@ -459,7 +335,7 @@ jobs:
             WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
             CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
-            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 0 [skip ci]
+            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]
 
           ${CI_HEADER}
 

.gitea/workflows/generate_PRIVATE_trixie_1.yaml

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,9 +9,13 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.04.002.2025.08.11
+### Version Master V8.13.008.2025.08.22
 
-name: 🔐 Generating a Private Live ISO FLV 1.
+name: 🔐 Generating a Private Live ISO TRIXIE.
+
+defaults:
+  run:
+    shell: bash
 
 permissions:
   contents: write
@@ -21,164 +25,34 @@ on:
     branches:
       - master
     paths:
-      - '.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml'
+      - '.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml'
 
 jobs:
-  generate-private-ciss-debian-live-iso:
+  generate-private-cdlb-trixie:
-    name: 🔐 Generating a Private Live ISO FLV 1.
+    name: 🔐 Generating a Private Live ISO TRIXIE.
-    runs-on: ciss.debian.live.builder.iso.generator
+    runs-on: cdlb.trixie
 
-    ### Run all steps inside Debian Bookworm
     container:
-      image: debian:bookworm
+      image: debian:trixie
 
     steps:
-      - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
+      - name: 🛠️ Basic Image Setup.
-        run: |
-          apt-get update -y
-          apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
-          echo 'deb https://deb.debian.org/debian bookworm-backports main' \
-            >| /etc/apt/sources.list.d/bookworm-backports.list
-          apt-get update -y
-          apt-get upgrade -y
-
-      - name: 🛠️ Installing Build Tools.
         shell: bash
         run: |
-          apt-get update -y
+          export DEBIAN_FRONTEND=noninteractive
-          apt-get install -y \
+          apt-get update
-            autoconf \
+          apt-get upgrade -y
-            automake \
+          apt-get install -y --no-install-recommends \
-            build-essential \
+            apt-utils \
-            cryptsetup \
+            bash \
+            ca-certificates \
             curl \
-            debootstrap \
-            dosfstools \
-            efibootmgr \
-            gettext \
             git \
             gnupg \
-            haveged \
+            openssh-client \
-            libbz2-dev \
+            openssl \
-            zlib1g-dev \
-            liblzma-dev \
-            libtool \
-            live-build \
-            parted \
-            pkg-config \
-            ssh \
-            ssl-cert \
             sudo \
-            texinfo \
+            util-linux
-            wget \
-            whois \
-
-      - name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
-        shell: bash
-        run: |
-          urls=(
-            "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
-          )
-
-          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
-          gpg --batch --import signature_key.asc
-
-          for url in "${urls[@]}"; do
-            archive_name="${url##*/}"
-            pkg_name="${archive_name%.tar.bz2}"
-            echo "🔄 Processing ${pkg_name}"
-            if [[ ! -f "${archive_name}" ]]; then
-              echo "📥 Downloading: '${archive_name}'."
-              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
-                echo "✅ Download successful: '${archive_name}'."
-              else
-                echo "❌ Download NOT successful: '${archive_name}'."
-                exit 1
-              fi
-            else
-              echo "💡 Skipping download, package already exists: '${archive_name}'."
-            fi
-
-            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
-
-            if [[ ! -d "${pkg_name}" ]]; then
-              echo "📂 Extracting: '${archive_name}'."
-              if tar -xjf "${archive_name}"; then
-                echo "✅ Extraction successful: '${archive_name}'."
-              else
-                echo "❌ Extraction not successful: '${archive_name}'."
-                exit 1
-              fi
-            else
-              echo "💡 Skipping directory, already exists: '${pkg_name}'."
-            fi
-
-            echo "🏗️ Build and install the package: '${pkg_name}'."
-            cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
-            mkdir -p build
-            cd build || { echo "❌ Could not change to '/build'."; exit 1; }
-
-            sudo ../configure > /dev/null 2>&1  || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
-            make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
-            sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
-
-            cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
-
-            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
-            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
-            echo "✅ Successful build and installation of '${pkg_name}'."
-            echo "-------------------------------------------------------------------------------------"
-
-          done
-
-          rm -f signature_key.asc
-
-          echo "✅ All packages were built and installed successfully."
-
-          mv_bin=(
-            "/usr/bin/gpg"
-            "/usr/bin/gpg-agent"
-            "/usr/bin/gpgconf"
-            "/usr/bin/gpg-connect-agent"
-            "/usr/bin/gpg-wks-client"
-            "/usr/bin/gpg-preset-passphrase"
-          )
-
-          for bin in "${mv_bin[@]}"; do
-            name="${bin##*/}"
-            if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
-              if mv "${bin}" "${bin}.debian-backup"; then
-                echo "✅ Moved successfully: '${bin}'."
-              else
-                echo "❌ Moved NOT successfully: '${bin}'."
-              fi
-            else
-              echo "💡 Does not exist as build binary: '${bin}'."
-            fi
-          done
-
-          for bin in "${mv_bin[@]}"; do
-            name="${bin##*/}"
-            if [[ -f "/usr/local/bin/${name}" ]]; then
-              if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
-                echo "✅ 'update-alternatives' successfully: '${bin}'."
-              else
-                echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
-              fi
-            else
-              echo "💡 Does not exist: '/usr/local/bin/${name}'."
-            fi
-          done
-
-          sudo ldconfig
-
-          gpgconf --kill all
-          /usr/local/bin/gpg-agent --daemon
 
       - name: ⚙️ Check GnuPG Version.
         shell: bash
@@ -268,16 +142,17 @@ jobs:
           set -euo pipefail
           chmod 0755 ciss_live_builder.sh
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.12.41+deb13-amd64'.
           ./ciss_live_builder.sh \
-            --autobuild=6.12.30+bpo-amd64 \
+            --autobuild=6.12.41+deb13-amd64 \
             --architecture amd64 \
             --build-directory /opt/livebuild \
             --control "${timestamp}" \
             --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
             --root-password-file /opt/config/password.txt \
             --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
-            --ssh-pubkey /opt/config
+            --ssh-pubkey /opt/config \
+            --trixie
 
       - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
         shell: bash
@@ -364,11 +239,12 @@ jobs:
           gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
 
           timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
-          PRIVATE_FILE="LIVE_ISO_FLV_1.private"
+          VAR_DATE="$(date +%F)"
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
           touch "${PRIVATE_FILE}"
           cat << EOF >| "${PRIVATE_FILE}"
           # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
           # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
           # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
           # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -378,7 +254,7 @@ jobs:
           # SPDX-PackageName: CISS.debian.live.builder
           # SPDX-Security-Contact: security@coresecret.eu
 
-          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
 
           CISS.debian.live.builder ISO :
             "${VAR_ISO_FILE_NAME}"
@@ -432,7 +308,7 @@ jobs:
           GIT_SSH_COMMAND: "ssh -p 42842"
         run: |
           set -euo pipefail
-          PRIVATE_FILE="LIVE_ISO_FLV_1.private"
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
           git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
 
       - name: 🔑 Commit and sign changes with CI metadata.
@@ -456,7 +332,7 @@ jobs:
             WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
             CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
 
-            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 1 [skip ci]
+            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
 
           ${CI_HEADER}
 

.gitea/workflows/generate_PUBLIC_iso.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.04.002.2025.08.11
+### Version Master V8.13.008.2025.08.22
 
 name: 💙 Generating a PUBLIC Live ISO.
 
@@ -271,7 +271,7 @@ jobs:
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
           ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
           ./ciss_live_builder.sh \
-            --autobuild=6.12.30+bpo-amd64 \
+            --autobuild=6.1.0-37-amd64 \
             --architecture amd64 \
             --build-directory /opt/livebuild \
             --control "${timestamp}" \
@@ -378,7 +378,7 @@ jobs:
           # SPDX-PackageName: CISS.debian.live.builder
           # SPDX-Security-Contact: security@coresecret.eu
 
-          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
 
           CISS.debian.live.builder ISO :
             "${VAR_ISO_FILE_NAME}"

.gitea/workflows/linter_char_scripts.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.04.002.2025.08.11
+### Version Master V8.13.008.2025.08.22
 
 # Gitea Workflow: Shell-Script Linting
 #
@@ -202,11 +202,12 @@ jobs:
             echo -e "⚠️ Linting issues detected:\n"
             echo -e "${findings}"
             timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+            VAR_DATE="$(date +%F)"
             PRIVATE_FILE="LINTER_RESULTS.txt"
             touch "${PRIVATE_FILE}"
             cat << EOF >| "${PRIVATE_FILE}"
           # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
           # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
           # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
           # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -216,7 +217,7 @@ jobs:
           # SPDX-PackageName: CISS.debian.live.builder
           # SPDX-Security-Contact: security@coresecret.eu
 
-          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
 
           ⚠️ The last linter check was NOT successful. ⚠️
 
@@ -225,11 +226,12 @@ jobs:
           else
             echo "✅ No issues found in shell scripts."
             timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+            VAR_DATE="$(date +%F)"
             PRIVATE_FILE="LINTER_RESULTS.txt"
             touch "${PRIVATE_FILE}"
             cat << EOF >| "${PRIVATE_FILE}"
           # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
           # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
           # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
           # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -239,7 +241,7 @@ jobs:
           # SPDX-PackageName: CISS.debian.live.builder
           # SPDX-Security-Contact: security@coresecret.eu
 
-          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
 
           ✅ The last linter check was successful. ✅
 

.gitea/workflows/render-dnssec-status.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.04.002.2025.08.11
+### Version Master V8.13.008.2025.08.22
 
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
 

.gitea/workflows/render-dot-to-png.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.04.002.2025.08.11
+### Version Master V8.13.008.2025.08.22
 
 name: 🔁 Render Graphviz Diagrams.
 

.gitignore

@@ -16,5 +16,6 @@ target/
 *.DS_Store
 *.log
 *.ps1
+config.mk
 Thumbs.db
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

.version.properties

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.04.002.2025.08.11"
+properties_version="V8.13.008.2025.08.22"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

CISS.debian.live.builder.spdx

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.04.002.2025.08.11
+PackageVersion: Master V8.13.008.2025.08.22
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder

LINTER_RESULTS.txt

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-08-11T17:23:55Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-08-22T17:25:58Z"
 
 ✅ The last linter check was successful. ✅
 

LIVE_ISO.public

@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-08-07T10:53:55Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-08-11T22:40:21Z".
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_08_07T10_04_36Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_08_11T21_49_56Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  3d1e73f464cae840af3faf43ab1dcd2b47b2a8610527ed57d406b0d1d6c80b23d8b550c33288edad2652f33560cc410efcb71c022e6f46ef6edec344e9b735f7
+  4aa02673b9a8d5b974014eca4371d1ed69b05eaea9e92203cf7c092880833e18812bf31ab053399eda98b7a3da0b76b8dcdaaba892e9f52f836ea9d2b0e09e38
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaJSFwwAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaJpxVQAKCRA85KY4hzOw
-IdavAP9IXSWEcQcEW0LRPJBEino30IU4bzAlJJPJ/ROcRblMWQEA06xIsSQVM6A/
+IZWOAQDJriUoDvDNSQiHbFfW4KVV1E1wqe12eS7GyfVFr9bISwEAoDKhQ85+RiGr
-JeUxqQCspstTDwOEROSwfcZgCN/ySwA=
+pCdWqvU8wcfzEIlKIpAgAZVrhX/xRw8=
-=RynM
+=wNVV
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_TRIXIE_0.private

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-08-07T08:55:20Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-08-22T16:55:09Z"
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_08_07T08_03_38Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_08_22T16_11_02Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  1ed2a27ca9137e55202cc3936c32c8285c02e200fc7e40034752d21fe15d251d10a91b05e5336aedd351d47b0aa6bed34304bf46dbd6a1df0df92612a72c950d
+  35c288d96239804e244cbe99c8ce3895aec39104a7200c2ef7326d38e1ec4eea3bf60b895eaa4d981cb718ae4d27d2d4166f16252b88606a870d14c3db096a37
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaJRp+AAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaKig7QAKCRA85KY4hzOw
-IRXlAQDsDYY4bc7OA8pVWbz4AXlTh/m5PJtt4DAiRvqBnSNQkQEA3M0OZr/6cZkF
+IWKWAP0Wlqbi3ArURSGW5m+E+OstdsU7qHjf+e1SVRJ3BGUzaAEAr3ceyHiiA2/7
-lDpsQU14hbr06d70JmNeAc9CVsMVbQQ=
+RlXsvZxNgVDaEVSdjmt99dMrZK7DRws=
-=h1hv
+=4Oh3
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_TRIXIE_1.private

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-08-07T09:55:21Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-08-22T17:41:13Z"
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_08_07T09_04_30Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_08_22T16_56_12Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  7ccbe6b6622a6fe2db68a37c0d4feb2759addf8fe8b3cd1186bcc2bb7305dae4b6ffbbdad336b41eb98e5bef681166d50ddcf9761226575584201de94de9007b
+  4925332b61dbd91f0c444624bbe7de586dbd911fbb27b080a99e44ae312c5139afc502d0415d0bef7dfbd1e5461c07e0a0700f7206e746a91cbcb5403ef003e3
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaJR4CQAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaKiruQAKCRA85KY4hzOw
-IdL0AP9jojn+k2E9FdCuc/y8qvD4p26m12cvydq2CYFUwfjbXgD/TBC0yRhM4Cfo
+IdoTAQDqyOBkGA0xDoLsDvjFSaf3tmzz8mD/5qvsDtF6y/rEWwD/dAXzMOdQjxg8
-GShrXSXGILEZBIxSbmWwPqHEWo7vMQ8=
+IcK+GK6u4k5/HT5bYlCvTy/WxRb5ggQ=
-=tgad
+=boDM
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

README.md

@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.04.002.2025.08.11-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.008.2025.08.22-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
  
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)  
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)  
@@ -11,7 +11,7 @@ include_toc: true
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh)  
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
  
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.2-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)  
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.5-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)  
 [![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)  
 [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/)  
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de)  
@@ -25,8 +25,8 @@ include_toc: true
 
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
+**Master Version**: 8.13<br>
-**Build**: V8.04.002.2025.08.11<br>
+**Build**: V8.13.008.2025.08.22<br>
 
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -70,7 +70,16 @@ separate directory tree, employs `DynamicUser` features, and adheres to strict s
 rating of **``2.6``**). Docker containers used by runners do not run in privileged mode. Security is further enhanced through the use 
 of both UFW software firewalls and dedicated hardware firewall appliances.
 
-## 1.2. Immutable Source-of-Truth System
+## 1.2. Match Host and Target Versions
+
+Build, for example, a Debian Trixie live image only on a Debian Trixie host. The build toolchain and boot artifacts are 
+release-specific: ``live-build``, ``live-boot``, ``live-config``, ``debootstrap``, ``kernel/initramfs`` tools, ``mksquashfs``, 
+``GRUB/ISOLINUX``, and even ``dpkg/apt`` often change defaults and formats between releases (e.g., compression modes, SquashFS 
+options, hook ordering, systemd/udev behavior). Building on a different host release commonly yields non-reproducible or even 
+unbootable ISOs (missing modules/firmware, ABI mismatches, divergent paths). Keeping host and target on the same version ensures
+reproducible builds, matching dependencies, and compatible boot artifacts.
+
+## 1.3. Immutable Source-of-Truth System
 
 This live ISO establishes a secure, fully deterministic, integrity self-verifying boot environment based entirely on static
 source-code definitions. All configurations, system components, and installation routines are embedded during build time and 
@@ -89,7 +98,7 @@ or shell-access, also via the forthcoming `CISS.debian.installer`. Such a versio
 provisions the target device from embedded source artifacts, and reboots into a fully encrypted system image. The system then 
 awaits the decryption passphrase input via an embedded Dropbear SSH server (SSH PubKey only) in the initramfs, exposing no ports
 without cryptographic hardened access, while also the `/boot` partition could be encrypted via the built-in support of 
-`grub2 (2.12-1~bpo12+1)`.<br>
+`grub2 (2.12-9)`.<br>
 
 This approach provides a fully reproducible, audit-friendly, and tamper-resistant provisioning workflow rooted entirely in 
 source-defined infrastructure logic.<br>
@@ -103,11 +112,11 @@ After build and configuration, the following audit reports can be generated:
 * **SSH Audit Report**: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations.
   Type `ssh-audit <IP>:<PORT>`. See example report: **[SSH Audit Report](/docs/AUDIT_SSH.md)**
 
-## 1.3. Preview
+## 1.4. Preview
 
 ![CISS.debian.live.builder](/docs/screenshots/CISS.debian.live.builder_preview.jpeg)
 
-## 1.4. Caution. Significant information for those considering using D-I.
+## 1.5. Caution. Significant information for those considering using D-I.
 
 **The Debian Installer (d-i) will ALWAYS boot a new system.**<br>
 
@@ -138,18 +147,18 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 * Logging (rsyslog, journald) ✘ not active,
 * preseed control over the network is possible (but without any protection).
 
-## 1.5. Versioning Schema
+## 1.6. Versioning Schema
 
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
 
-Example: `V8.04.002.2025.08.11`
+Example: `V8.13.008.2025.08.22`
 
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
 
 Date (YYYY.MM.DD) denotes the build or release date, facilitating clear tracking of incremental changes and ensuring 
 reproducibility and traceability.
 
-## 1.6. Keywords
+## 1.7. Keywords
 
 The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
 "MAY", and "OPTIONAL" in this Repo are to be interpreted as described in [[BCP 14](https://www.rfc-editor.org/info/bcp14)], 
@@ -389,35 +398,52 @@ apply or revert these controls.
 set -o errexit   # Exit script when a command exits with non-zero status (same as "set -e").
 set -o errtrace  # Inherit ERR traps in subshells (same as "set -E").
 set -o functrace # Inherit DEBUG and RETURN traps in subshells (same as "set -T").
+set -o ignoreeof # An interactive shell will not exit upon reading EOF.
 set -o nounset   # Exit script on use of an undefined variable (same as "set -u").
 set -o pipefail  # Return the exit status of the last failed command in a pipeline.
 set -o noclobber # Prevent overwriting files via redirection (same as "set -C").
 ```
+
+* The following `shopt` options are applied at the beginning of the script (see
+  [Bash Manual, The Shopt Builtin](https://www.gnu.org/software/bash/manual/bash.html#The-Shopt-Builtin)):
+````bash
+shopt -s failglob        # If set, patterns that fail to match filenames during filename expansion result in an expansion error.
+shopt -s inherit_errexit # If set, command substitution inherits the value of the errexit option instead of unsetting it in the
+                         # subshell environment.
+shopt -s lastpipe        # If set, and job control is not active, the shell runs the last command of a pipeline not executed in
+                         # the background in the current shell environment.
+shopt -u expand_aliases  # If set, aliases are expanded as described. This option is enabled by default for interactive shells.
+shopt -u dotglob         # If set, Bash includes filenames beginning with a '.' in the results of filename expansion.
+shopt -u extglob         # If set, enable the extended pattern matching features.
+shopt -u nullglob        # If set, filename expansion patterns that match no files expand to nothing and are removed.
+````
+
 * **Rationale**: These options enforce strict error checking and handling, reducing silent failures and ensuring 
 predictable script behavior.
 
 # 4. Prerequisites
 
-* **Host**: Debian Bookworm or newer with `live-build` package installed.
+* **Host**: Debian Trixie with `live-build` and ``debootstrap`` packages installed.
 * **Privileges**: Root or sudo access to execute `ciss_live_builder.sh` and related scripts.
 * **Network**: Outbound access to Debian repositories and PTB NTPsec pool.
 
 # 5. Installation & Usage
 
-# 5.1. Interactive CLI / Dialog Wrapper
+## 5.1. Interactive CLI / Dialog Wrapper
 
 1. Clone the repository:
-
    ```bash
    git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
    cd CISS.debian.live.builder
    ```
+   
 2. Preparation:
    1. Ensure you are root.
    2. Create the build directory `mkdir /opt/livebuild`.
    3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
    4. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
    5. Make any other changes you need to.
+
 3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):
 
    ````bash
@@ -435,8 +461,10 @@ predictable script behavior.
                           --reionice-priority 1 2 \
                           --root-password-file /opt/gitea/CISS.debian.live.builder/password.txt \
                           --ssh-port 4242 \
-                          --ssh-pubkey /opt/gitea/CISS.debian.live.builder
+                          --ssh-pubkey /opt/gitea/CISS.debian.live.builder \
+                          --trixie
    ````
+
 4. Locate your ISO in the `--build-directory`.
 5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel.
 6. Type `sysp` for the final kernel hardening features.
@@ -444,7 +472,46 @@ predictable script behavior.
 8. Finally, audit your environment with `lsadt` for a comprehensive Lynis audit.
 9. Type `celp` for some shortcuts.
 
-# 5.2. CI/CD Gitea Runner Workflow Example
+## 5.2. Make Wrapper, Quick Usage
+
+This repo ships a thin make wrapper around ``./ciss_live_builder.sh``, so you can compose a correctly quoted command and either 
+preview it or run it.
+
+1. Clone the repository:
+
+   ```bash
+   git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+   cd CISS.debian.live.builder
+   ```
+
+2. Preparation:
+   1. Ensure you are root.
+   2. Create the build directory `mkdir /opt/livebuild`.
+   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
+   4. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
+   5. Copy and edit the sample and set your options (no spaces around commas in lists): 
+
+    ````bash
+    cp config.mk.sample config.mk
+    ````
+
+    ````bash
+    BUILD_DIR=/opt/livebuild
+    ROOT_PASSWORD_FILE=/opt/gitea/CISS.debian.live.builder/password.txt
+    SSH_PORT=4242
+    SSH_PUBKEY=/root/.ssh
+
+    # Optional
+    PROVIDER_NETCUP_IPV6=2001:cdb::1
+    # comma-separated; IPv6 in [] is fine
+    JUMP_HOSTS=[2001:db8::1],[2001:db8::2]     
+    ````
+
+3. Dry-run first (prints the exact command): ````make dry-run````
+
+4. Execute the build: ````make live````
+
+## 5.3. CI/CD Gitea Runner Workflow Example
 
 1. Clone the repository:
 

ciss_live_builder.sh

@@ -59,7 +59,7 @@ declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
   exit "${ERR_NOT_USER_0}"
 }
 
-### Not called by sh.
+### Check to be not called by sh.
 # shellcheck disable=2312
 [[ $(kill -l | grep -c SIG) -eq 0 ]] && {
   . ./var/global.var.sh
@@ -67,7 +67,7 @@ declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
   exit "${ERR_UNSPPTBASH}"
 }
 
-### Not sourced.
+### Check to be not sourced.
 [[ "${BASH_SOURCE[0]}" != "$0" ]] && {
   . ./var/global.var.sh
   printf "\e[91m❌ This script must be executed, not sourced. Please run '%s' directly! Bye... \e[0m\n" "$0" >&2
@@ -107,13 +107,13 @@ for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh  ; usa
 for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh; version; exit 0;; esac; done
 
 ### ALL CHECKS DONE. READY TO START THE SCRIPT
+source_guard "./var/bash.var.sh"
 check_git
 for arg in "$@"; do case "${arg,,}" in -d|--debug) . ./meta_sources_debug.sh; debugger "${@}";; esac; done
 declare -gx VAR_SETUP="true"
 
 ### SOURCING VARIABLES
 [[ "${VAR_SETUP}" == true ]] && {
-  source_guard "./var/bash.var.sh"
   source_guard "./var/color.var.sh"
   source_guard "./var/global.var.sh"
 }
@@ -214,12 +214,17 @@ hardening_ssh
 lb_config_start
 
 if [[ "${VAR_SUITE}" == "bookworm" ]]; then
+
   lb_config_write
   rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_trixie.chroot"
+  rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/etc/login.defs"
+
 else
+
   lb_config_write_trixie
   rm -f "${SCRIPT_BASEPATH}/config/hooks/live/0003_install_backports.chroot"
   rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_bookworm.chroot"
+
 fi
 
 # shellcheck disable=SC2164

config.mk.sample

@@ -0,0 +1,21 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-21; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+BUILD_DIR            ?=
+PROVIDER_NETCUP_IPV6 ?=
+ROOT_PASSWORD_FILE   ?=
+SSH_PORT             ?=
+SSH_PUBKEY           ?=
+
+### Comma-separated jump hosts (can be empty):
+JUMP_HOSTS           ?=
+
+# vim: set ft=make noet ts=8 sw=8

config/hooks/live/0001_initramfs_modules.chroot

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
@@ -53,7 +53,7 @@ cat << EOF >| /etc/initramfs-tools/modules
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
@@ -69,35 +69,45 @@ cat << EOF >| /etc/initramfs-tools/modules
 # raid1
 # sd_mod
 
-### QEMU Bochs-compatible virtual machine support
+### Main btrfs-Stack
-bochs
-
-### Device-mapper core module (required for all dm_* features)
-dm_mod
-
-### Device-mapper integrity target (provides integrity checking)
-dm-integrity
-
-### Device-mapper crypt target (provides disk encryption)
-dm-crypt
-
-### Generic AES block cipher implementation (used by dm-crypt)
-aes_generic
-
-### Generic SHA-256 hashing algorithm (used by various crypto and integrity targets)
-sha256_generic
-
-### Generic CRC32C checksum implementation (used by btrfs and other filesystems)
-crc32c_generic
-
-### Main btrfs filesystem module
 btrfs
-
+lzo
-### Zstandard compression support for btrfs
+xor
+xxhash
+zstd
 zstd_compress
 
-### XOR parity implementation for RAID functionality
+### Main ext4-Stack
-xor
+ext4
+jbd2
+libcrc32c
+
+### Main VFAT/ESP/FAT/UEFI-Stack
+exfat
+fat
+nls_ascii
+nls_cp437
+nls_iso8859-1
+nls_iso8859-15
+nls_utf8
+vfat
+
+### Device mapper, encryption & integrity
+dm_mod
+dm_crypt
+dm_integrity
+dm_verity
+
+### Main cryptography-Stack
+aes_generic
+blake2b_generic
+crc32c_generic
+libcrc32c
+sha256_generic
+sha512_generic
+
+### QEMU Bochs-compatible virtual machine support
+bochs
 
 ### RAID6 parity generation module
 raid6_pq
@@ -105,6 +115,37 @@ raid6_pq
 ### Combined RAID4/5/6 support module
 raid456
 
+### SCSI/SATA-Stack
+sd_mod
+sr_mod
+sg
+ahci
+libahci
+ata_generic
+libata
+scsi_mod
+scsi_dh_alua
+
+### NVMe-Stack
+nvme
+nvme_core
+
+### USB-Stack
+xhci_pci
+xhci_hcd
+ehci_pci
+ohci_pci
+uhci_hcd
+usb_storage
+uas
+
+### Virtual-Machines-Stack
+virtio_pci
+virtio_blk
+virtio_scsi
+virtio_rng
+virtio_console
+
 ### Network Driver Host-machine
 "${nic_driver}"
 
@@ -118,7 +159,7 @@ cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
@@ -153,7 +194,7 @@ cat << 'EOF' >| /etc/initramfs-tools/initramfs.conf
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
@@ -258,7 +299,7 @@ cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 

config/hooks/live/0002_verify_checksums.chroot

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
@@ -30,7 +30,7 @@ cat << 'EOF' >| "${src}"
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 

config/hooks/live/0050_activate_root.chroot

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail

config/hooks/live/0850_ssh_audit.chroot

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail

config/hooks/live/0855_dnsviz.chroot

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail

config/hooks/live/9900_process_accounting.chroot

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail

config/hooks/live/9910_motd.chroot

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail

config/hooks/live/9950_fail2ban_hardening.chroot

@@ -33,8 +33,8 @@ cat << 'EOF' >| /etc/fail2ban/jail.d/centurion-default.conf
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.2025.debian.live.builder
+# SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
 [DEFAULT]

config/hooks/live/9992_password_expiration.chroot

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail

config/hooks/live/9993_aide.chroot

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail

config/hooks/live/9994_password_policy.chroot

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
@@ -29,7 +29,7 @@ cat << 'EOF' >| /etc/security/pwquality.conf
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 

config/hooks/live/9995_sysstat.chroot

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail

config/hooks/live/9996_auditd.chroot

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
@@ -50,13 +50,18 @@ EOF
 ############################################################### /etc/audit/rules.d/20-dont-audit.rules
 cat << EOF >| /etc/audit/rules.d/20-dont-audit.rules
 ## This is for don't audit rules. We put these early because audit
-### is a first match wins system. Uncomment the rules you want.
+## is a first match wins system. Uncomment the rules you want.
 
 ## Cron jobs fill the logs with stuff we normally don't want
--a never,user -F subj_type=crond_t
+-a never,user
 
 ## This prevents chrony from overwhelming the logs
--a never,exit -F arch=x86_64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
+-a never,exit -F arch=b64 -S adjtimex -F exe=/usr/sbin/chronyd
+-a never,exit -F arch=b32 -S adjtimex -F exe=/usr/sbin/chronyd
+
+## Human-attributable time changes
+-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F auid>=1000 -F auid!=4294967295 -k time-change
+-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -F auid>=1000 -F auid!=4294967295 -k time-change
 
 ### This is not very interesting and wastes a lot of space if
 ### the server is public facing
@@ -75,8 +80,8 @@ EOF
 ############################################################### /etc/audit/rules.d/22-ignore-chrony.rules
 cat << EOF >| /etc/audit/rules.d/22-ignore-chrony.rules
 ## This rule suppresses the time-change event when chrony does time updates
--a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
+-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=_chrony
--a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
+-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=_chrony
 EOF
 
 ############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules

config/hooks/live/9998_sources_list_bookworm.chroot

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
@@ -28,8 +28,8 @@ cat << 'EOF' >| /etc/apt/sources.list
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.2025.debian.live.builder
+# SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 #-----------------------------------------------------------------------------------------#
 #                                  OFFICIAL DEBIAN REPOS

config/hooks/live/9998_sources_list_trixie.chroot

@@ -1,12 +1,12 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
@@ -16,41 +16,108 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 
 cd /root
 
-if [[ -f /etc/apt/sources.list ]]; then
+mkdir -p /etc/apt/apt.conf.d
-  mv /etc/apt/sources.list /root/.ciss/dlb/backup/sources.list.bak
-fi
 
-cat << 'EOF' >| /etc/apt/sources.list
+cat << EOF >| /etc/apt/apt.conf.d/00-deb822-prefer
+// Make APT ignore the classic /etc/apt/sources.list entirely.
+Dir::Etc {
+  sourcelist  "/dev/null";                // classic list is ignored
+  sourceparts "/etc/apt/sources.list.d";  // deb822 *.sources remain authoritative
+}
+EOF
+
+if [[ ! -f /etc/apt/sources.list.d/trixie.sources ]]; then
+  cat << EOF >| /etc/apt/sources.list.d/trixie.sources
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.2025.debian.live.builder
+# SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-#-----------------------------------------------------------------------------------------#
-#                                  OFFICIAL DEBIAN REPOS
-#-----------------------------------------------------------------------------------------#
 
-### Debian Main Repos Bookworm
+Types: deb deb-src
+URIs: https://deb.debian.org/debian/
+Suites: trixie
+Components: main contrib non-free non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
 
-deb https://deb.debian.org/debian/ trixie main contrib non-free non-free-firmware
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
-deb-src https://deb.debian.org/debian/ trixie main contrib non-free non-free-firmware
-
-deb http://security.debian.org/debian-security trixie-security main contrib non-free non-free-firmware
-deb-src http://security.debian.org/debian-security trixie-security main contrib non-free non-free-firmware
-
-deb https://deb.debian.org/debian/ trixie-updates main contrib non-free non-free-firmware
-deb-src https://deb.debian.org/debian/ trixie-updates main contrib non-free non-free-firmware
-
-deb https://deb.debian.org/debian/ trixie-backports main contrib non-free non-free-firmware
-deb-src https://deb.debian.org/debian/ trixie-backports main contrib non-free non-free-firmware
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
+fi
+
+if [[ ! -f /etc/apt/sources.list.d/trixie-security.sources ]]; then
+  cat << EOF >| /etc/apt/sources.list.d/trixie-security.sources
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+Types: deb deb-src
+URIs: https://security.debian.org/debian-security/
+Suites: trixie-security
+Components: main contrib non-free non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+fi
+
+if [[ ! -f /etc/apt/sources.list.d/trixie-updates.sources ]]; then
+ cat << EOF >| /etc/apt/sources.list.d/trixie-updates.sources
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+Types: deb deb-src
+URIs: https://deb.debian.org/debian/
+Suites: trixie-updates
+Components: main contrib non-free non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+fi
+
+
+if [[ ! -f /etc/apt/sources.list.d/trixie-backports.sources ]]; then
+  cat << EOF >| /etc/apt/sources.list.d/trixie-backports.sources
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+Types: deb deb-src
+URIs: https://deb.debian.org/debian/
+Suites: trixie-backports
+Components: main contrib non-free non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+fi
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1

config/includes.binary/boot/grub/config.cfg

@@ -5,7 +5,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 

config/includes.chroot/etc/apt/sources.list

@@ -0,0 +1,15 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# File: /etc/apt/sources.list
+# Intentionally empty, disable classic sources.list generation (deb822 in use).
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

config/includes.chroot/etc/apt/sources.list.d/trixie-backports.sources

@@ -0,0 +1,18 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+Types: deb deb-src
+URIs: https://deb.debian.org/debian/
+Suites: trixie-backports
+Components: main contrib non-free non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

config/includes.chroot/etc/apt/sources.list.d/trixie-security.sources

@@ -0,0 +1,18 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+Types: deb deb-src
+URIs: https://security.debian.org/debian-security/
+Suites: trixie-security
+Components: main contrib non-free non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

config/includes.chroot/etc/apt/sources.list.d/trixie-updates.sources

@@ -0,0 +1,18 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+Types: deb deb-src
+URIs: https://deb.debian.org/debian/
+Suites: trixie-updates
+Components: main contrib non-free non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

config/includes.chroot/etc/apt/sources.list.d/trixie.sources

@@ -0,0 +1,18 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+Types: deb deb-src
+URIs: https://deb.debian.org/debian/
+Suites: trixie
+Components: main contrib non-free non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

config/includes.chroot/etc/login.defs

@@ -0,0 +1,209 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#
+# /etc/login.defs - Configuration control definitions for the shadow package.
+#
+
+# REQUIRED for useradd/userdel/usermod
+#   Directory where mailboxes reside, _or_ name of file, relative to the
+#   home directory.  If you _do_ define MAIL_DIR and MAIL_FILE,
+#   MAIL_DIR takes precedence.
+#
+#   Essentially:
+#      - MAIL_DIR defines the location of users mail spool files
+#        (for mbox use) by appending the username to MAIL_DIR as defined
+#        below.
+#      - MAIL_FILE defines the location of the users mail spool files as the
+#        fully-qualified filename obtained by prepending the user home
+#        directory before $MAIL_FILE
+#
+# NOTE: This is no more used for setting up users MAIL environment variable
+#       which is, starting from shadow 4.0.12-1 in Debian, entirely the
+#       job of the pam_mail PAM modules
+#       See default PAM configuration files provided for
+#       login, su, etc.
+#
+# This is a temporary situation: setting these variables will soon
+# move to /etc/default/useradd and the variables will then be
+# no more supported
+MAIL_DIR        /var/mail
+#MAIL_FILE      .mail
+
+#
+# Enable display of unknown usernames when login(1) failures are recorded.
+#
+# WARNING: Unknown usernames may become world readable.
+# See #290803 and #298773 for details about how this could become a security
+# concern
+LOG_UNKFAIL_ENAB	no
+
+#
+# Enable logging of successful logins
+#
+LOG_OK_LOGINS		yes
+
+#
+# If defined, file which maps tty line to TERM environment parameter.
+# Each line of the file is in a format similar to "vt100  tty01".
+#
+#TTYTYPE_FILE	/etc/ttytype
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence.  If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file.  If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+HUSHLOGIN_FILE	.hushlogin
+#HUSHLOGIN_FILE	/etc/hushlogins
+
+#
+# *REQUIRED*  The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ENV_PATH	PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
+
+#
+# Terminal permissions for terminals after login(1).
+# These settings are ignored for remote and other logins.
+#
+#	TTYGROUP	Login tty will be assigned this group ownership.
+#	TTYPERM		Login tty will be set to this permission.
+#
+#TTYGROUP	tty
+TTYPERM		0600
+
+#
+# Login configuration initializations:
+#
+#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
+#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
+#
+# The ERASECHAR and KILLCHAR are used only on System V machines.
+#
+ERASECHAR	0177
+KILLCHAR	025
+
+# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+# home directories.
+HOME_MODE	0700
+
+#
+# Password aging controls:
+#
+#	PASS_MAX_DAYS	Maximum number of days a password may be used.
+#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
+#	PASS_WARN_AGE	Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS	16384
+PASS_MIN_DAYS	1
+PASS_WARN_AGE	128
+
+#
+# Min/max values for automatic uid selection in useradd(8)
+#
+UID_MIN			 1000
+UID_MAX			60000
+# System accounts
+#SYS_UID_MIN		  101
+#SYS_UID_MAX		  999
+# Extra per user uids
+SUB_UID_MIN		   100000
+SUB_UID_MAX		600100000
+SUB_UID_COUNT		    65536
+
+#
+# Min/max values for automatic gid selection in groupadd(8)
+#
+GID_MIN			 1000
+GID_MAX			60000
+# System accounts
+#SYS_GID_MIN		  101
+#SYS_GID_MAX		  999
+# Extra per user group ids
+SUB_GID_MIN		   100000
+SUB_GID_MAX		600100000
+SUB_GID_COUNT		    65536
+
+#
+# Max number of login(1) retries if password is bad
+# This will most likely be overriden by PAM, since the default pam_unix module
+# has it's own built in of 3 retries. However, this is a safe fallback in case
+# you are using an authentication module that does not enforce PAM_MAXTRIES.
+#
+LOGIN_RETRIES		5
+
+#
+# Max time in seconds for login(1)
+#
+LOGIN_TIMEOUT		180
+
+#
+# Which fields may be changed by regular users using chfn(1) - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone).  If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+#
+CHFN_RESTRICT		rwh
+
+#
+# If set to MD5, MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
+# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
+# Overrides the MD5_CRYPT_ENAB option
+#
+# Note: It is recommended to use a value consistent with
+# the PAM modules configuration.
+#
+ENCRYPT_METHOD YESCRYPT
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default is no.
+#
+DEFAULT_HOME	yes
+
+#
+# The pwck(8) utility emits a warning for any system account with a home
+# directory that does not exist.  Some system accounts intentionally do
+# not have a home directory.  Such accounts may have this string as
+# their home directory in /etc/passwd to avoid a spurious warning.
+#
+NONEXISTENT	/nonexistent
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD	/usr/sbin/userdel_local
+
+#
+# If set to yes, userdel(8) will remove the user's group if it contains no more
+# members, and useradd(8) will create by default a group with the name of the
+# user.
+#
+# Other former uses of this variable are not used in PAM environments, such as
+# Debian.
+#
+USERGROUPS_ENAB yes
+
+#
+# Added by CISS.debian.live.builder for redundance
+umask 077
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

config/includes.chroot/etc/ssh/sshd_config

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.04.002.2025.08.11
+### Version Master V8.13.008.2025.08.22
 
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig

config/includes.chroot/etc/sysctl.d/99_local.hardened

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.04.002.2025.08.11
+### Version Master V8.13.008.2025.08.22
 
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/

config/includes.chroot/preseed/.iso/preseed_hash_generator.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-declare -gr VERSION="Master V8.04.002.2025.08.11"
+declare -gr VERSION="Master V8.13.008.2025.08.22"
 
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then

config/includes.chroot/preseed/.lib/sshd_config.lib

@@ -5,8 +5,8 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.2025.debian.live.builder
+# SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
 Include /etc/ssh/sshd_config.d/*.conf

config/includes.chroot/preseed/preseed.cfg

@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.04.002.2025.08.11 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.008.2025.08.22 at: 10:18:37.9542

config/includes.chroot/root/.bashrc

@@ -1,4 +1,3 @@
-#!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
@@ -12,12 +11,18 @@
 
 [[ $- != *i* ]] && return
 
-trap ' "${SHELL}" /root/.ciss/clean_logout.sh ' 0
+### Never use errexit/pipefail in interactive shells
+set +o errexit +o pipefail
+
+trap ' "${SHELL}" /root/.ciss/clean_logout.sh ' EXIT
 source /root/.ciss/alias
 source /root/.ciss/f2bchk.sh
 source /root/.ciss/shortcuts
 source /root/.ciss/scan_libwrap
 
+### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
+set +o errexit +o nounset +o pipefail
+
 ### History
 touch /tmp/.bash_history
 chmod 0660 /tmp/.bash_history

config/includes.chroot/root/.ciss/clean_logout.sh

@@ -37,5 +37,4 @@ echo -e "\e[92m          Close shell with 'ENTER' to exit" "\e[95m'${HOSTNAME}'"
 # shellcheck disable=SC2162
 read
 [[ -x /usr/bin/clear_console ]] && /usr/bin/clear_console -q
-exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/includes.chroot/root/.ciss/f2bchk.sh

@@ -10,8 +10,6 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-set -Ceuo pipefail
-
 #######################################
 # Wrapper for fail2ban filter checks against logs.
 # Usage: f2bchk --mode=ignored || --mode=matched  || --mode=missed \

config/includes.chroot/root/.ciss/scan_libwrap

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 

config/includes.chroot/root/.ciss/shortcuts

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 

docs/AUDIT_DNSSEC.md

@@ -7,8 +7,8 @@ include_toc: true
 
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
+**Master Version**: 8.13<br>
-**Build**: V8.04.002.2025.08.11<br>
+**Build**: V8.13.008.2025.08.22<br>
 
 # 2. DNSSEC Status
 

docs/AUDIT_HAVEGED.md

@@ -7,8 +7,8 @@ include_toc: true
 
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
+**Master Version**: 8.13<br>
-**Build**: V8.04.002.2025.08.11<br>
+**Build**: V8.13.008.2025.08.22<br>
 
 # 2. Haveged Audit on Netcup RS 2000 G11
 

docs/AUDIT_LYNIS.md

@@ -7,8 +7,8 @@ include_toc: true
 
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
+**Master Version**: 8.13<br>
-**Build**: V8.04.002.2025.08.11<br>
+**Build**: V8.13.008.2025.08.22<br>
 
 # 2. Lynis Audit:
 

docs/AUDIT_SSH.md

@@ -7,8 +7,8 @@ include_toc: true
 
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
+**Master Version**: 8.13<br>
-**Build**: V8.04.002.2025.08.11<br>
+**Build**: V8.13.008.2025.08.22<br>
 
 # 2. SSH Audit by ssh-audit.com
 

docs/AUDIT_TLS.md

@@ -7,8 +7,8 @@ include_toc: true
 
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
+**Master Version**: 8.13<br>
-**Build**: V8.04.002.2025.08.11<br>
+**Build**: V8.13.008.2025.08.22<br>
 
 # 2. TLS Audit:
 

docs/BOOTPARAMS.md

@@ -7,8 +7,8 @@ include_toc: true
 
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
+**Master Version**: 8.13<br>
-**Build**: V8.04.002.2025.08.11<br>
+**Build**: V8.13.008.2025.08.22<br>
 
 # 2. Hardened Kernel Boot Parameters
 

docs/CHANGELOG.md

@@ -7,105 +7,123 @@ include_toc: true
 
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
+**Master Version**: 8.13<br>
-**Build**: V8.04.002.2025.08.11<br>
+**Build**: V8.13.008.2025.08.22<br>
 
 # 2. Changelog
 
-## V8.04.002.2025.08.11
+## V8.13.008.2025.08.22
-* Updated: Experimental support for Debian Trixie
+* **Removed**: [0003_install_backports.chroot](../.archive/0003_install_backports.chroot)
+
+## V8.13.004.2025.08.21
+* **Added**: [makefile](../makefile)
+
+## V8.13.002.2025.08.11
+* **Added**: [lib_source_guard.sh](../lib/lib_source_guard.sh)
+* **Added**: [sources.list](../config/includes.chroot/etc/apt/sources.list)
+* **Added**: [trixie.sources](../config/includes.chroot/etc/apt/sources.list.d/trixie.sources)
+* **Added**: [trixie-backports.sources](../config/includes.chroot/etc/apt/sources.list.d/trixie-backports.sources)
+* **Added**: [trixie-security.sources](../config/includes.chroot/etc/apt/sources.list.d/trixie-security.sources)
+* **Added**: [trixie-updates.sources](../config/includes.chroot/etc/apt/sources.list.d/trixie-updates.sources)
+* **Added**: [login.defs](../config/includes.chroot/etc/login.defs)
+* **Bugfixes**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot)
+* **Bugfixes**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot)
+* **Updated**: [bash.var.sh](../var/bash.var.sh)
+* **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot)
+* **Updated**: Support for Debian Trixie via Argument ``--trixie``
+* **Updated**: Debian 12 LIVE ISO workflows to use Kernel: ``linux-image-6.1.0-37-amd64``
 
 ## V8.03.920.2025.08.07
 
-* Updated: [lib_arg_parser.sh](../lib/lib_arg_parser.sh)
+* **Updated**: [lib_arg_parser.sh](../lib/lib_arg_parser.sh)
-* Updated: [ciss_live_builder.sh](../ciss_live_builder.sh)
+* **Updated**: [ciss_live_builder.sh](../ciss_live_builder.sh)
-* Updated: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
+* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
 
 ## V8.03.912.2025.07.23
 
-* Updated: [alias](../config/includes.chroot/root/.ciss/alias)
+* **Updated**: [alias](../config/includes.chroot/root/.ciss/alias)
-* Updated: [clean_logout.sh](../config/includes.chroot/root/.ciss/clean_logout.sh)
+* **Updated**: [clean_logout.sh](../config/includes.chroot/root/.ciss/clean_logout.sh)
-* Updated: [f2bchk.sh](../config/includes.chroot/root/.ciss/f2bchk.sh)
+* **Updated**: [f2bchk.sh](../config/includes.chroot/root/.ciss/f2bchk.sh)
-* Updated: [scan_libwrap](../config/includes.chroot/root/.ciss/scan_libwrap)
+* **Updated**: [scan_libwrap](../config/includes.chroot/root/.ciss/scan_libwrap)
-* Updated: [shortcuts](../config/includes.chroot/root/.ciss/shortcuts)
+* **Updated**: [shortcuts](../config/includes.chroot/root/.ciss/shortcuts)
-* Updated: [.bashrc](../config/includes.chroot/root/.bashrc)
+* **Updated**: [.bashrc](../config/includes.chroot/root/.bashrc)
 
 ## V8.03.896.2025.07.22
 
-* Added: [.shellcheckrc](../.shellcheckrc)
+* **Added**: [.shellcheckrc](../.shellcheckrc)
-* Bugfixes: [ciss_live_builder.sh](../ciss_live_builder.sh)
+* **Bugfixes**: [ciss_live_builder.sh](../ciss_live_builder.sh)
-* Updated: [0810_chrony_setup.chroot](../config/hooks/live/0810_chrony_setup.chroot)
+* **Updated**: [0810_chrony_setup.chroot](../config/hooks/live/0810_chrony_setup.chroot)
 
 ## V8.03.880.2025.07.19
 
-* Updated: [alias](../config/includes.chroot/root/.ciss/alias)
+* **Updated**: [alias](../config/includes.chroot/root/.ciss/alias)
-* Updated: [shortcuts](../config/includes.chroot/root/.ciss/shortcuts)
+* **Updated**: [shortcuts](../config/includes.chroot/root/.ciss/shortcuts)
-* Added: Package ``ncdu``: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
+* **Added**: Package ``ncdu``: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
-* Added: ``TrustedUserCAKeys none``: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config)
+* **Added**: ``TrustedUserCAKeys none``: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config)
 
 ## V8.03.864.2025.07.15
 
-* Updated: [0010_dhcp_supersede.sh](../scripts/0010_dhcp_supersede.sh)
+* **Updated**: [0010_dhcp_supersede.sh](../scripts/0010_dhcp_supersede.sh)
-* Added: [BOOTPARAMS.md](BOOTPARAMS.md)
+* **Added**: [BOOTPARAMS.md](BOOTPARAMS.md)
-* Added: Package ``cpuid``: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
+* **Added**: Package ``cpuid``: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
 
 ## V8.03.832.2025.06.25
 
-* Added: [lib_version.sh](../lib/lib_version.sh)
+* **Added**: [lib_version.sh](../lib/lib_version.sh)
-* Updated:
+* **Updated**:
   * [lib_contact.sh](../lib/lib_contact.sh)
   * [lib_usage.sh](../lib/lib_usage.sh)
-* Packages added:
+* **Packages added**:
   * https://packages.debian.org/bookworm/fio
   * https://packages.debian.org/bookworm/stress 
-* Timezone changed to ``Etc/UTC``
+* **Updated**: Timezone changed to ``Etc/UTC``
 
 ## V8.03.832.2025.06.24
 
-* Updated:
+* **Updated**:
   * [lib_check_provider.sh](../lib/lib_check_provider.sh)
   * [lib_debug_header.sh](../lib/lib_debug_header.sh)
   * [lib_trap_on_err.sh](../lib/lib_trap_on_err.sh)
-* The Debian package ``bat`` will be installed to enable smooth log reading.
+* **Added**: The Debian package ``bat`` will be installed to enable smooth log reading.
 
 ## V8.03.768.2025.06.23
 
-* Updated [lib_clean_up.sh](../lib/lib_clean_up.sh): Removal of Lock FD and Artifacts.
+* **Updated**: [lib_clean_up.sh](../lib/lib_clean_up.sh): Removal of Lock FD and Artifacts.
 * Rearranged VARs sourcing: [early.var.sh](../var/early.var.sh)
 * Rearranged DEBUG XTRACE sourcing: [meta_sources_debug.sh](../meta_sources_debug.sh)
-* Added Git Repo specific VARs: [lib_debug_var_git.sh](../lib/lib_git_var.sh)
+* **Added**: Git Repo specific VARs: [lib_debug_var_git.sh](../lib/lib_git_var.sh)
-* Added ``guard_sourcing()``: [lib_guard_sourcing.sh](../lib/lib_guard_sourcing.sh)
+* **Added**: ``guard_sourcing()``: [lib_guard_sourcing.sh](../lib/lib_guard_sourcing.sh)
-  * to prevent the caller LIB-file from being sourced twice.
+  to prevent the caller LIB-file from being sourced twice.
 
 ## V8.03.768.2025.06.19
 
 * Minor main script improvements.
-* Updated [lib_usage.sh](../lib/lib_usage.sh) output.
+* **Updated**: [lib_usage.sh](../lib/lib_usage.sh) output.
 
 ## V8.03.768.2025.06.18
 
 * Minor main script improvements.
-* Updated contact section.
+* **Updated**: Contact section.
 * Integrated third ``dns03.eddns.eu`` Centurion DNS Resolver.
 
 ## V8.03.768.2025.06.17
 
-* Updated LIVE ISO workflows to use Kernel: ``linux-image-6.12.30+bpo-amd64``
+* **Updated**: LIVE ISO workflows to use Kernel: ``linux-image-6.12.30+bpo-amd64``
 
 ## V8.03.768.2025.06.11
 
-* Updated LIVE ISO workflows to use Kernel: ``linux-image-6.12.27+bpo-amd64``
+* **Updated**: LIVE ISO workflows to use Kernel: ``linux-image-6.12.27+bpo-amd64``
 
 ## V8.03.768.2025.06.09
 
-* Added: [f2bchk.sh](../config/includes.chroot/root/.ciss/f2bchk.sh)
+* **Added**: [f2bchk.sh](../config/includes.chroot/root/.ciss/f2bchk.sh)
-* Updated: [alias](../config/includes.chroot/root/.ciss/alias)
+* **Updated**: [alias](../config/includes.chroot/root/.ciss/alias)
   * ``scurl()``
   * ``swget()``
 
 ## V8.03.644.2025.06.07
 
-* Updated workflows ISO Generators Runners. 
+* **Updated**: Workflows ISO Generators Runners. 
 * Installing ``bookworm-backports`` Versions of:
   * ``btrfs-progs``
   * ``curl``
@@ -121,12 +139,12 @@ include_toc: true
 * LIVE ISO generated by workflow tested against:
   * Netcup Root Server
   * Proxmox 
-* LIVE ISO generated by script tested against:
+* LIVE ISO generated by the script tested against:
   * Netcup Root Server
 
 ## V8.03.512.2025.06.06
 
-* Updated workflows: 
+* **Updated**: Workflows: 
   1. ``git stash push``
   2. ``git fetch origin master``
   3. ``git merge --no-edit origin/master``

docs/CNET.md

@@ -7,8 +7,8 @@ include_toc: true
 
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
+**Master Version**: 8.13<br>
-**Build**: V8.04.002.2025.08.11<br>
+**Build**: V8.13.008.2025.08.22<br>
 
 # 2. Centurion Net - Developer Branch Overview
 

docs/CODING_CONVENTION.md

@@ -7,8 +7,8 @@ include_toc: true
 
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
+**Master Version**: 8.13<br>
-**Build**: V8.04.002.2025.08.11<br>
+**Build**: V8.13.008.2025.08.22<br>
 
 # 2. Coding Style
 

docs/CONTRIBUTING.md

@@ -7,8 +7,8 @@ include_toc: true
 
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
+**Master Version**: 8.13<br>
-**Build**: V8.04.002.2025.08.11<br>
+**Build**: V8.13.008.2025.08.22<br>
 
 # 2. Contributing / participating
 

docs/CREDITS.md

@@ -7,8 +7,8 @@ include_toc: true
 
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
+**Master Version**: 8.13<br>
-**Build**: V8.04.002.2025.08.11<br>
+**Build**: V8.13.008.2025.08.22<br>
 
 # 2. Credits
 

docs/DL_PUB_ISO.md

@@ -7,8 +7,8 @@ include_toc: true
 
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
+**Master Version**: 8.13<br>
-**Build**: V8.04.002.2025.08.11<br>
+**Build**: V8.13.008.2025.08.22<br>
 
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
 

docs/DOCUMENTATION.md

@@ -7,13 +7,13 @@ include_toc: true
 
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
+**Master Version**: 8.13<br>
-**Build**: V8.04.002.2025.08.11<br>
+**Build**: V8.13.008.2025.08.22<br>
 
 # 2.1. Usage
 ````text
 CISS.debian.live.builder
-Master V8.04.002.2025.08.11
+Master V8.13.008.2025.08.22
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 
 (c) Marc S. Weidner, 2018 - 2025
@@ -121,7 +121,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
     specified PATH into the Live ISO. MUST be provided.
 
   --trixie
-    Create a Debian Trixie Live ISO. Experimental Feature.
+    Create a Debian Trixie Live ISO.
 
   --version, -v
     Displays version of ./ciss_live_builder.sh.
@@ -136,7 +136,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
 # 2.2. Contact
 ````text
 CISS.debian.live.builder
-Master V8.04.002.2025.08.11
+Master V8.13.008.2025.08.22
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 
 (c) Marc S. Weidner, 2018 - 2025

docs/REFERENCES.md

@@ -7,8 +7,8 @@ include_toc: true
 
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
+**Master Version**: 8.13<br>
-**Build**: V8.04.002.2025.08.11<br>
+**Build**: V8.13.008.2025.08.22<br>
 
 # 2. Resources
 

lib/lib_arg_priority_check.sh

@@ -23,22 +23,30 @@ guard_sourcing
 #######################################
 arg_priority_check() {
   declare var
-  # Check if nice PRIORITY is set and adjust nice priority.
+  ### Check if nice PRIORITY is set and adjust nice priority.
-  if [[ -n ${VAR_HANDLER_PRIORITY} ]]; then
+  if [[  "${VAR_HANDLER_PRIORITY:-}" -ne 0 ]]; then
+    if command -v renice >/dev/null; then
       renice "${VAR_HANDLER_PRIORITY}" -p "$$"
       var=$(ps -o ni= -p $$) > /dev/null 2>&1
       printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New renice value: %s\e[0m\n" "${var}"
       # sleep 1
       unset var
+    else
+      printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ renice not installed (util-linux) \e[0m\n"
+    fi
   fi
 
-  # Check if ionice PRIORITY is set and adjust ionice priority.
+  ### Check if ionice PRIORITY is set and adjust ionice priority.
-  if [[ -n ${VAR_REIONICE_CLASS} ]]; then
+  if [[ "${VAR_REIONICE_CLASS:-}" -ne 2 ]]; then
+    if command -v ionice >/dev/null; then
       ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$"
       var=$(ionice -p $$) > /dev/null 2>&1
       printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New ionice value: %s\e[0m\n" "${var}"
       # sleep 1
       unset var
+    else
+      printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ionice not installed (util-linux) \e[0m\n"
+    fi
   fi
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_boot_screen.sh

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 

lib/lib_cdi.sh

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 

lib/lib_check_hooks.sh

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 

lib/lib_check_var.sh

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 

lib/lib_clean_screen.sh

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 

lib/lib_copy_integrity.sh

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 

lib/lib_debug.sh

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 

lib/lib_debug_header.sh

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 

lib/lib_git_var.sh

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 

lib/lib_guard_sourcing.sh

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 

lib/lib_hardening_ultra.sh

@@ -29,53 +29,97 @@ hardening_ultra() {
   # shellcheck disable=SC2164
   cd "${VAR_WORKDIR}"
 
+
+  ### ./config/bootloaders
   printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/bootloaders ... \e[0m\n"
+
   if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/bootloaders" ]]; then
+
     mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/bootloaders"
     cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config"
+
   else
+
     cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config"
+
   fi
+
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/bootloaders done.\e[0m\n"
 
+
+  ### ./config/includes.binary
   printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.binary ... \e[0m\n"
+
   if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" ]]; then
+
     mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub"
     cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config"
+
   else
+
     cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config"
+
   fi
+
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.binary done.\e[0m\n"
 
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/live ... \e[0m\n"
-  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/live" ]]; then
-    mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/live"
-    cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
-  else
-    cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
-  fi
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/live done.\e[0m\n"
-
-  if [[ -d "${VAR_WORKDIR}/config/hooks/early" ]]; then
-    printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/early ... \e[0m\n"
-    if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/early" ]]; then
-      mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/early"
-      cp -af ./config/hooks/early "${VAR_HANDLER_BUILD_DIR}/config/hooks"
-    else
-      cp -af ./config/hooks/early "${VAR_HANDLER_BUILD_DIR}/config/hooks"
-    fi
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/early done.\e[0m\n"
-  fi
 
+  ### ./config/includes.chroot
   printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.chroot ... \e[0m\n"
+
   if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
+
     mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot"
     cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config"
+
   else
+
     cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config"
+
   fi
+
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.chroot done.\e[0m\n"
 
+
+  ### ./config/hooks/early
+  if [[ -d "${VAR_WORKDIR}/config/hooks/early" ]]; then
+
+    printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/early ... \e[0m\n"
+
+    if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/early" ]]; then
+
+      mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/early"
+      cp -af ./config/hooks/early "${VAR_HANDLER_BUILD_DIR}/config/hooks"
+
+    else
+
+      cp -af ./config/hooks/early "${VAR_HANDLER_BUILD_DIR}/config/hooks"
+
+    fi
+
+    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/early done.\e[0m\n"
+
+  fi
+
+
+  ### ./config/hooks/live
+  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/live ... \e[0m\n"
+
+  if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/live" ]]; then
+
+    mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/live"
+    cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
+
+  else
+
+    cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
+
+  fi
+
+  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/live done.\e[0m\n"
+
+
+
   printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/package-lists ... \e[0m\n"
   if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/package-lists" ]]; then
     mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/package-lists"
@@ -98,6 +142,7 @@ hardening_ultra() {
   esac
 
   declare pkgs
+    # shellcheck disable=SC2312
     mapfile -t pkgs < <(
     grep -v '^\s*#' "${arch_list}" | sed '/^\s*$/d'
   )
@@ -140,6 +185,7 @@ hardening_ultra() {
       declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
       sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
       declare line
+      # shellcheck disable=SC2312
       line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
 
       if [[ -z "${line}" ]]; then
@@ -150,7 +196,7 @@ hardening_ultra() {
       declare host
       for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
         ((line++))
-        sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file"
+        sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}"
       done
     fi
 
@@ -163,7 +209,7 @@ hardening_ultra() {
     declare -r sshport="${VAR_SSHPORT:-22}"
 
     sed -i "s|^port      = MUST_BE_SET|port      = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
-    sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"$sshport\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
+    sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"${sshport}\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
     sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
 
     if [[ ${#ARY_HANDLER_JUMPHOST_UNIQUE[@]} -gt 0 ]]; then
@@ -171,6 +217,7 @@ hardening_ultra() {
       declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
       sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
       declare line
+      # shellcheck disable=SC2312
       line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
 
       if [[ -z "${line}" ]]; then
@@ -181,7 +228,7 @@ hardening_ultra() {
       declare host
       for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
         ((line++))
-        sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file"
+        sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}"
       done
     fi
   fi
@@ -204,6 +251,7 @@ hardening_ultra() {
     declare ips="${ARY_HANDLER_JUMPHOST[*]}"
     # Flatten to a single line and strip literal brackets []
     declare flat_ips
+    # shellcheck disable=SC2312
     flat_ips=$(printf "%s" "${ips}" | tr '\n' ' ' | tr -d '[]')
     # flat_ips now contains e.g., "123.128.111.42 2a03:ffff:0815:4711:... 2a03:.../64"
 

lib/lib_helper_ip.sh

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 

lib/lib_provider_netcup.sh

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 

lib/lib_sanitizer.sh

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 

lib/lib_source_guard.sh

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 

lib/lib_trap_on_err.sh

@@ -16,7 +16,7 @@ guard_sourcing
 # Print Error Message for Trap on 'ERR' in ${ERROR_LOG}
 # Globals:
 #   VAR_PARAM_COUNT
-#   VAR_PARAM_STRING
+#   VAR_PARAM_STRNG
 #   VAR_ARG_SANITIZED
 #   LOG_DEBUG
 #   ERRCMMD
@@ -46,7 +46,7 @@ print_file_err() {
     printf "❌ Command                : %s \n" "${ERRCMMD}"
     printf "❌ Script Runtime         : %s \n" "${SECONDS}"
     printf "❌ Arguments Counter      : %s \n" "${VAR_PARAM_COUNT}"
-    printf "❌ Arguments Original     : %s \n" "${VAR_PARAM_STRING}"
+    printf "❌ Arguments Original     : %s \n" "${VAR_PARAM_STRNG}"
     printf "❌ Arguments Sanitized    : %s \n" "${VAR_ARG_SANITIZED}"
     if "${VAR_EARLY_DEBUG}"; then
       printf "❌ Vars Dump saved at     : %s \n" "${LOG_VAR}"
@@ -61,7 +61,7 @@ print_file_err() {
 # Print Error Message for Trap on 'ERR' on Terminal
 # Globals:
 #   VAR_PARAM_COUNT
-#   VAR_PARAM_STRING
+#   VAR_PARAM_STRNG
 #   VAR_ARG_SANITIZED
 #   LOG_DEBUG
 #   ERRCMMD
@@ -90,7 +90,7 @@ print_scr_err() {
   printf "\e[91m❌ Command                : %s \e[0m\n" "${ERRCMMD}" >&2
   printf "\e[91m❌ Script Runtime         : %s \e[0m\n" "${SECONDS}" >&2
   printf "\e[91m❌ Arguments Counter      : %s \e[0m\n" "${VAR_PARAM_COUNT}" >&2
-  printf "\e[91m❌ Arguments Original     : %s \e[0m\n" "${VAR_PARAM_STRING}" >&2
+  printf "\e[91m❌ Arguments Original     : %s \e[0m\n" "${VAR_PARAM_STRNG}" >&2
   printf "\e[91m❌ Arguments Sanitized    : %s \e[0m\n" "${VAR_ARG_SANITIZED}" >&2
   printf "\e[91m❌ Error Log saved at     : %s \e[0m\n" "${LOG_ERROR}" >&2
   printf "\e[91m❌ batcat --pager='less -r' %s \e[0m\n" "${LOG_ERROR}" >&2
@@ -119,15 +119,18 @@ print_scr_err() {
 #   $5: ${BASH_COMMAND}
 #######################################
 trap_on_err() {
-  trap - ERR
+  trap - DEBUG ERR INT TERM
   declare -g ERRCODE="$1"
   declare -g ERRSCRT="$2"
   declare -g ERRLINE="$3"
   declare -g ERRFUNC="$4"
   declare -g ERRCMMD="$5"
+  # shellcheck disable=SC2034
+  declare -g ERRTRAP="true"
+
   if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi
   clean_up "${ERRCODE}"
-  if ! $VAR_HANDLER_AUTOBUILD; then clean_screen; fi
+  if ! "${VAR_HANDLER_AUTOBUILD}"; then clean_screen; fi
   print_file_err
   print_scr_err
 }
@@ -148,6 +151,7 @@ dump_user_vars() {
   set +x
   {
     declare var
+    # shellcheck disable=SC2312
     while IFS= read -r var; do
       declare -p "${var}" 2>/dev/null
     done < <(compgen -v | grep -Ev '^(BASH|_).*')

lib/lib_trap_on_exit.sh

@@ -20,7 +20,7 @@ guard_sourcing
 #   $1: $?
 #######################################
 trap_on_exit() {
-  trap - EXIT
+  trap - DEBUG ERR EXIT INT TERM
   declare -r var_trap_on_exit_code="$1"
   if (( var_trap_on_exit_code == 0 )); then
     if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi

lib/lib_usage.sh

@@ -35,13 +35,13 @@ usage() {
   # shellcheck disable=SC2155
   declare var_header=$(center "CLB(1)                        CISS.debian.live.builder                        CLB(1)" "${var_cols}")
   # shellcheck disable=SC2155
-  declare var_footer=$(center "V8.04.002.2025.08.11                        2025-08-11                        CLB(1)" "${var_cols}")
+  declare var_footer=$(center "V8.13.008.2025.08.22                        2025-08-11                        CLB(1)" "${var_cols}")
 
   {
     echo -e "\e[1;97m${var_header}\e[0m"
     echo
     echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V8.04.002.2025.08.11\e[0m"
+    echo -e "\e[92mMaster V8.13.008.2025.08.22\e[0m"
     echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
     echo
     echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
@@ -149,7 +149,7 @@ usage() {
     echo "    specified PATH into the Live ISO. MUST be provided."
     echo
     echo -e "\e[97m  --trixie \e[0m"
-    echo "    Create a Debian Trixie Live ISO. Experimental Feature"
+    echo "    Create a Debian Trixie Live ISO."
     echo
     echo -e "\e[97m  --version, -v \e[0m"
     echo "    Show version of ${0}."

makefile

@@ -0,0 +1,107 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-21; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Use Bash for recipe shells (not /bin/sh)
+SHELL                := /usr/bin/bash
+.SHELLFLAGS          := -CEeuTo pipefail -O failglob -c
+.ONESHELL            :
+.DELETE_ON_ERROR     :
+.RECIPEPREFIX        :=	### Tabstopp
+.DEFAULT_GOAL        := live
+
+### Local, unversioned overrides (optional):
+-include config.mk
+
+### Timestamp at parse time (UTC); can be overridden:
+TIMESTAMP            ?= $(shell date -u +%Y-%m-%dT%H-%M-%S)
+
+### Core parameters (safe defaults; override in config.mk, rename config.mk.sample to config.mk and apply the remaining values):
+ARCH                 ?= amd64
+AUTOBUILD            ?= 6.12.41+deb13-amd64
+CONTROL              ?= $(TIMESTAMP)
+
+### Nice/ionice settings:
+RENICE               ?= -19
+REIONICE_CLASS       ?= 1
+REIONICE_PRIO        ?= 2
+
+### Feature flags (set to empty to disable):
+FLAG_CDI             ?= 1
+FLAG_DEBUG           ?= 1
+FLAG_DHCP_CENTURION  ?= 1
+FLAG_TRIXIE          ?= 1
+
+### Reusable canned recipe:
+### Usage: $(call COMPOSE_AND,print) -> prints the fully quoted command
+###        $(call COMPOSE_AND,exec)  -> execs the command
+define COMPOSE_AND
+	### Build command as a robust array to avoid word-splitting and globbing issues:
+	cmd=( ./ciss_live_builder.sh )
+	cmd+=( --architecture '$(ARCH)' )
+	cmd+=( --build-directory '$(BUILD_DIR)' )
+	cmd+=( --control '$(CONTROL)' )
+	cmd+=( --root-password-file '$(ROOT_PASSWORD_FILE)' )
+	cmd+=( --ssh-port '$(SSH_PORT)' )
+	cmd+=( --ssh-pubkey '$(SSH_PUBKEY)' )
+	### Optional flags:
+	[[ -n '$(AUTOBUILD)'            ]] && cmd+=( --autobuild=$(AUTOBUILD) )
+	[[ -n '$(FLAG_CDI)'             ]] && cmd+=( --cdi )
+	[[ -n '$(FLAG_DEBUG)'           ]] && cmd+=( --debug )
+	[[ -n '$(FLAG_DHCP_CENTURION)'  ]] && cmd+=( --dhcp-centurion )
+	[[ -n '$(FLAG_TRIXIE)'          ]] && cmd+=( --trixie )
+	[[ -n '$(PROVIDER_NETCUP_IPV6)' ]] && cmd+=( --provider-netcup-ipv6 '$(PROVIDER_NETCUP_IPV6)' )
+	[[ -n '$(RENICE)'               ]] && cmd+=( --renice-priority '$(RENICE)' )
+	if [[ -n '$(REIONICE_CLASS)' && -n '$(REIONICE_PRIO)' ]]; then
+	                                      cmd+=( --reionice-priority '$(REIONICE_CLASS)' '$(REIONICE_PRIO)' )
+	fi
+	### Only add the flag if there is actually at least one host:
+	jh_csv='$(strip $(JUMP_HOSTS))'
+	if [[ -n "$$jh_csv" ]]; then
+	 	### Disable globbing so [fe80::1] isn't treated as a pattern:
+	 	set -f
+	 	IFS=',' read -r -a jh <<< "$$jh_csv"
+		set +f
+		### Emit a single --jump-host followed by N addresses:
+		cmd+=( --jump-host )
+		for h in "$${jh[@]}"; do
+			[[ -n "$$h" ]] && cmd+=( "$$h" )
+		done
+	fi
+	## Act according to the requested mode ($(1) = print|exec):
+	 case "$(1)" in
+		print)
+			printf '\e[92mCommand to run:\e[0m\n'
+			printf '\e[95m%s ' "$${cmd[@]@Q}"; printf '\e[0m\n'
+			;;
+		exec|"")
+			printf '\e[92mThe following command is executed: \e[0m\n'
+			printf '\n'
+			printf '\e[95m%s ' "$${cmd[@]@Q}"; printf '\e[0m\n'
+			printf '\n'
+			printf '\e[92mScript is loading ... \e[0m\n'
+			exec "$${cmd[@]}"
+			;;
+		*)
+			printf 'Unknown mode: %s\n' "$(1)" >&2; exit 2
+			;;
+	esac
+endef
+
+### Targets that reuse the block:
+.PHONY: dry-run live
+
+dry-run:
+	@$(call COMPOSE_AND,print)
+
+live:
+	@$(call COMPOSE_AND,exec)
+
+# vim: set ft=make noet ts=8 sw=8

scripts/0010_dhcp_supersede.sh

@@ -12,22 +12,79 @@
 set -C -e -u -o pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 if [[ ! -d "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp ]]; then
+
   mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp
+
 fi
 
-cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp/dhclient.conf
+cat << 'EOF' >> "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp/dhclient.conf
 
 # Custom dhclient config to override DHCP DNS
 # dns01.eddns.eu, dns02.eddns.de, dns03.eddns.eu;
 
 supersede domain-name-servers 135.181.207.105, 89.58.62.53, 138.199.237.109;
 
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+
+cat << 'EOF' >> "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcpcd.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Global defaults for all interfaces.
+option host_name
+option domain_name
+option domain_search
+
+### Ask server to update both A and PTR via FQDN (RFC 4702 semantics).
+fqdn both
+
+### Enforce static DNS and prevent dhcpcd from writing 'resolv.conf'.
+nooption domain_name_servers
+nohook resolv.conf rdnssd
+
+### Static resolvers (IPv4).
+### (This does NOT write '/etc/resolv.conf' because of nohook above.)
+static domain_name_servers=135.181.207.105 89.58.62.53 138.199.237.109
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+
+cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/resolv.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# static /etc/resolv.conf (CISS)
+
+nameserver 135.181.207.105
+nameserver 89.58.62.53
+nameserver 138.199.237.109
+options edns0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${0}"
-# sleep 1
+
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

scripts/9000-cdi-starter

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
@@ -15,7 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 # sleep 1
 
 [[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log
-printf "CISS.debian.installer Master V8.04.002.2025.08.11 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+printf "CISS.debian.installer Master V8.13.008.2025.08.22 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
 
 if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then
   chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh

scripts/etc/network/9999_interfaces_update_netcup.chroot

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
@@ -25,7 +25,7 @@ cat << 'EOF' >| /etc/network/interfaces
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
@@ -68,7 +68,7 @@ cat << 'EOF' >| /etc/network/interfaces.d/99-netcup-static
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
@@ -91,7 +91,7 @@ cat << 'EOF_SCRIPT' >| /usr/local/bin/insert_net_source.sh
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 

scripts/live-boot/0030-verify-checksums

@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 

var/bash.var.sh

@@ -24,11 +24,10 @@ set -o pipefail          # Makes pipelines return the exit status of the last co
 ### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Shopt-Builtin
 shopt -s failglob        # If set, patterns that fail to match filenames during filename expansion result in an expansion error.
 shopt -s inherit_errexit # If set, command substitution inherits the value of the errexit option instead of unsetting it in the
-                         # subshell environment. This option is enabled when POSIX mode is enabled.
+                         # subshell environment.
 shopt -s lastpipe        # If set, and job control is not active, the shell runs the last command of a pipeline not executed in
                          # the background in the current shell environment.
-shopt -u expand_aliases  # If set, aliases are expanded as described below under Aliases, Aliases. This option is enabled by
+shopt -u expand_aliases  # If set, aliases are expanded as described. This option is enabled by default for interactive shells.
-                         # default for interactive shells.
 shopt -u dotglob         # If set, Bash includes filenames beginning with a '.' in the results of filename expansion.
 shopt -u extglob         # If set, enable the extended pattern matching features.
 shopt -u nullglob        # If set, filename expansion patterns that match no files expand to nothing and are removed.

var/early.var.sh

@@ -14,7 +14,7 @@
 
 # shellcheck disable=SC2155
 declare -grx VAR_CONTACT="security@coresecret.eu"
-declare -grx VAR_VERSION="Master V8.04.002.2025.08.11"
+declare -grx VAR_VERSION="Master V8.13.008.2025.08.22"
 declare -grx VAR_SYSTEM="$(uname -a)"
 declare -gx  VAR_EARLY_DEBUG="false"
 declare -gx  VAR_HANDLER_AUTOBUILD="false"