DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]

X-CI-Metadata: master@4445a0a at 2025-07-15T17:55:22Z on deea7eb4a68b

Generated at : 2025-07-15T17:55:22Z
Runner Host  : deea7eb4a68b
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 4445a0a HEAD -> master

.archive/.0000_lib_usage.sh

@@ -0,0 +1,142 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Usage Wrapper CISS.debian.live.builder
+# Globals:
+#   none
+# Arguments:
+#   $0: Script name
+#######################################
+usage() {
+  clear
+  cat << EOF
+$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
+$(echo -e "\e[92mMaster V8.03.864.2025.07.15\e[0m")
+$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
+
+$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
+$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
+
+"${0} <option>", where <option> is one or more of:
+
+$(echo -e "\e[97m  --help, -h\e[0m")
+    What you're looking at.
+
+$(echo -e "\e[97m  --autobuild=*, -a=*\e[0m")
+    Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel
+    selector dialog. Change '*' to your desired Linux kernel and trim the
+    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'.
+
+$(echo -e "\e[97m  --architecture <STRING> one of <amd64 | arm64>\e[0m")
+    A string reflecting the architecture of the Live System.
+    MUST be provided.
+
+$(echo -e "\e[97m  --build-directory </path/to/build_directory>\e[0m")
+    Where the Debian Live Build Image should be generated.
+    MUST be provided.
+
+$(echo -e "\e[97m  --change-splash <STRING> one of <club | hexagon>\e[0m")
+    A string reflecting the GRub Boot Screen Splash you want to use.
+    If omitted defaults to "./.archive/background/club.png".
+
+$(echo -e "\e[97m  --cdi (Experimental Feature)\e[0m")
+    This option generates a boot menu entry to start the forthcoming
+    'CISS.debian.installer', which will be executed after
+    the system has successfully booted up.
+
+$(echo -e "\e[97m  --contact, -c\e[0m")
+    Displays contact information of the author.
+
+$(echo -e "\e[97m  --control <INTEGER>\e[0m")
+    An integer that reflects the version of your Live ISO Image.
+    MUST be provided.
+
+$(echo -e "\e[97m  --debug\e[0m")
+    Enables debug logging for the main program routine. Detailed logging
+    information are written to "/tmp/ciss_live_builder_$$.log"
+
+$(echo -e "\e[97m  --dhcp-centurion\e[0m")
+    If a DHCP lease is provided, the provider's nameserver will be overridden,
+    and only the hardened, privacy-focused Centurion DNS servers will be used:
+      - https://dns01.eddns.eu/
+      - https://dns02.eddns.de/
+      - https://dns03.eddns.eu/
+
+$(echo -e "\e[97m  --jump-host <IP | IP | ... >\e[0m")
+    Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
+    Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
+    If provided, than it MUST be a <SPACE> separated list.
+    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64.
+
+$(echo -e "\e[97m  --log-statistics-only\e[0m")
+    Provides statistic only after successful building a
+    CISS.debian.live-ISO. While enabling "--log-statistics-only"
+    the argument "--build-directory" MUST be provided while
+    all further options MUST be omitted.
+
+$(echo -e "\e[97m  --provider-netcup-ipv6\e[0m")
+    Activates IPv6 support for Netcup Root Server. One unique
+    IPv6 address MUST be provided in this case and MUST be encapsulated
+    with [], e.g., [1234::abcd].
+
+$(echo -e "\e[97m  --renice-priority <PRIORITY>\e[0m")
+    Reset the nice priority value of the script and all its children
+    to the desired <PRIORITY>. MUST be an integer (between "-19" and 19).
+    Negative (higher) values MUST be enclosed in double quotes '"'.
+
+$(echo -e "\e[97m  --reionice-priority <CLASS> <PRIORITY>\e[0m")
+    Reset the ionice priority value of the script and all its children
+    to the desired <CLASS>. MUST be an integer:
+      1: realtime
+      2: best-effort
+      3: idle
+    Defaults to '2'.
+    Whereas <PRIORITY> MUST be an integer as well between:
+      0: highest priority and
+      7: lowest priority.
+    Defaults to '4'.
+    A real-time I/O process can significantly slow down other processes
+    or even cause them to starve if it continuously requests I/O.
+
+$(echo -e "\e[97m  --root-password-file </path/to/password.txt>\e[0m")
+    Password file for 'root', if given, MUST be a string of 20 to 64 characters,
+    and MUST NOT contain the special character '"'.
+    If the argument is omitted, no further login authentication is required for
+    the local console. The root password is hashed with an 16 Byte '/dev/random'
+    generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
+    after Hash generation all Variables containing plain password fragments are
+    deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without
+    further prompt after password hash has been successfully generated via:
+    'shred -vfzu 5 -f'.
+    No tracing of any plain text password fragment in any debug log.
+
+$(echo -e "\e[97m  --ssh-port <INTEGER>\e[0m")
+    The desired Port SSH should listen to.
+    If not provided defaults to Port 22.
+
+$(echo -e "\e[97m  --ssh-pubkey </path/to/.ssh/>\e[0m")
+    Imports the SSH Public Key(s) from the FILE 'authorized_keys' of the
+    specified PATH into the Live ISO. MUST be provided.
+
+$(echo -e "\e[97m  --version, -v\e[0m")
+    Displays version of ${0}.
+
+$(echo -e "\e[93m💡 Notes:\e[0m")
+🔵 You MUST be 'root' to run this script.
+
+$(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m")
+$(echo -e "\e[95m🌐 https://coresecret.eu/spenden/         \e[0m")
+
+EOF
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml

@@ -25,7 +25,7 @@ body:
     attributes:
       label: "Version"
       description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.03.768.2025.06.23"
+      placeholder: "e.g., Master V8.03.864.2025.07.15"
     validations:
       required: true
 

.gitea/TODO/dockerfile

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.768.2025.06.23
+### Version Master V8.03.864.2025.07.15
 
 FROM debian:bookworm
 

.gitea/TODO/render-md-to-html.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.768.2025.06.23
+### Version Master V8.03.864.2025.07.15
 
 name: 🔁 Render README.md to README.html.
 

.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.03.768.2025.06.23
+  version: V8.03.864.2025.07.15
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.03.768.2025.06.23
+  version: V8.03.864.2025.07.15
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PUBLIC.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.03.768.2025.06.23
+  version: V8.03.864.2025.07.15
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_dns.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.03.768.2025.06.23
+  version: V8.03.864.2025.07.15
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.768.2025.06.22
+### Version Master V8.03.864.2025.07.15
 
 name: 🔐 Generating a Private Live ISO FLV 0.
 

.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.768.2025.06.22
+### Version Master V8.03.864.2025.07.15
 
 name: 🔐 Generating a Private Live ISO FLV 1.
 

.gitea/workflows/generate_PUBLIC_iso.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.768.2025.06.22
+### Version Master V8.03.864.2025.07.15
 
 name: 💙 Generating a PUBLIC Live ISO.
 

.gitea/workflows/linter_char_scripts.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.768.2025.06.23
+### Version Master V8.03.864.2025.07.15
 
 # Gitea Workflow: Shell-Script Linting
 #

.gitea/workflows/render-dnssec-status.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.768.2025.06.23
+### Version Master V8.03.864.2025.07.15
 
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
 

.gitea/workflows/render-dot-to-png.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.768.2025.06.23
+### Version Master V8.03.864.2025.07.15
 
 name: 🔁 Render Graphviz Diagrams.
 

.version.properties

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.03.768.2025.06.23"
+properties_version="V8.03.864.2025.07.15"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

CISS.debian.live.builder.spdx

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.03.768.2025.06.23
+PackageVersion: Master V8.03.864.2025.07.15
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder

LINTER_RESULTS.txt

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-06-23T06:21:19Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-07-15T17:55:19Z".
 
 ✅ The last linter check was successful. ✅
 

LIVE_ISO.public

@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-06-23T09:04:49Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-07-15T13:01:05Z".
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_23T08_20_37Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_07_15T12_12_23Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  86a8be09e16299892ae99d195b56a04356bcf5d2202016da8f8fa7441077c43fab68ebefcb8c39b3423f085a74b607907fb691ac71fdef92af33782bd2ac0ce5
+  e94f1f698fb6d6a078d3aed785302ffcad25221c92439e84bb505a39d7b4da50674063cc2f7957cca655afdcdb55871ed4990aebbb096f964336af682891aed0
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFkYsQAKCRA85KY4hzOw
-IbrbAQDeOIS3QYKIPkMhYlNPIcsJjv/dh3TdYiuQbkvfwVI+/gD/TiB+ska62vJk
-LGfwjuaxMC0KHG1/UTICytOeAnTrXAc=
-=qk8B
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaHZREQAKCRA85KY4hzOw
+IQE/APsGY1Q8yonOxKTBUxgPPIA7ugHTfub9yWbPLcisC7J+sQEA17e8hmjJSX+O
+NpAtnhF4dfZheybcyfJwsscrNtOieAM=
+=V2i8
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_FLV_0.private

@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-06-23T07:15:07Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-07-15T11:05:11Z".
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_23T06_28_42Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_07_15T10_13_20Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  e0ec5e6be762858378a7eab74634676b1dd431f1cec9f3ecd57778249da4694af2df40dd5adb546360e69ddbad1379200031558ca580f55d9e8c242edb193e2f
+  b18d79055f12e6f61a1d0b46f8648f8097da419701f3366ba127b0eff1bb0d9ef4794b1a59b66ad8d48c3e3812a1fbc81f948a66b913b036cf2b740a778a88cd
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFj++wAKCRA85KY4hzOw
-IXOYAP9FahdpIrwvHpEAddsem7UDdtO/zOzzDzx+TuycmdFttQEA20BgLvFLCiDr
-2zYSWBFHsEnlOrMoqUmjwDH/rjV6wAs=
-=cssu
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaHY15wAKCRA85KY4hzOw
+Idw3AQDzmYnaCI3OADP+DB+u805S8F+QUmVIcfmUGnM0sDz78gD+I+m+BHte8lzp
+rwudtbEBn9wZvy2KyFWcxlSCn3go2gU=
+=nGnJ
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_FLV_1.private

@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-06-23T08:10:36Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-07-15T12:03:16Z".
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_23T07_24_33Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_07_15T11_14_23Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  70fc1bcdcf3362278f77344c5c6cf5c682362afaf22e4013026f87d3279a044bcebd830b0958bdfb9c080f06d1f873a61a30ca5e56787d41668c9b758a964ad7
+  a022fe082d5d06db05e4c53f09b59ee57f483a3d2a2a143403d93c27a2d454ec8982ccaeb957f654c0879276befc7d9ab2333f407c8089306348c7a10fd39a20
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFkL/AAKCRA85KY4hzOw
-ISe+AQC8m7ZFFP9zYtSae/IjpJy4XtDsnuO4ager49y7BDx38gEAllfQHZiMxelr
-qryf1KI+nXUj2EgKtk0vy9SDI6H1KgY=
-=NdC5
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaHZDhAAKCRA85KY4hzOw
+IV0hAQCl7xeM8Art2obImFmhUBKDOLcLifegqY/jKY9729EM/wEAzJTRuLts9Jzy
+PXje4fYxZiNOoFv3hz7Xwt5q9rPn/AE=
+=S0vW
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

README.md

@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.768.2025.06.23-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.864.2025.07.15-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
  
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)  
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)  
@@ -11,8 +11,8 @@ include_toc: true
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh)  
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
  
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.23.8-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)  
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.1.2-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)  
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.2-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)  
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.1.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)  
 [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/)  
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de)  
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/)  
@@ -26,7 +26,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.23<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -142,7 +142,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
 
-Example: `V8.03.768.2025.06.23`
+Example: `V8.03.864.2025.07.15`
 
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
 
@@ -420,12 +420,13 @@ predictable script behavior.
    5. Make any other changes you need to.
 3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):
 
-   ```yaml
+   ````bash
    chmod 0700 ./ciss_live_builder.sh
+   timestamp=$(date -u +%Y-%m-%dT%H:%M:%S%z)
    ./ciss_live_builder.sh --architecture amd64 \
                           --build-directory /opt/livebuild \
                           --change-splash hexagon \
-                          --control 384 \
+                          --control "${timestamp}" \
                           --debug \
                           --dhcp-centurion \
                           --jump-host 10.0.0.128 [c0de:4711:0815:4242::1] [2abc:4711:0815:4242::1]/64 \
@@ -435,7 +436,7 @@ predictable script behavior.
                           --root-password-file /opt/gitea/CISS.debian.live.builder/password.txt \
                           --ssh-port 4242 \
                           --ssh-pubkey /opt/gitea/CISS.debian.live.builder
-   ```
+   ````
 4. Locate your ISO in the `--build-directory`.
 5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel.
 6. Type `sysp` for the final kernel hardening features.

ciss_live_builder.sh

@@ -40,17 +40,19 @@
 [[ ${#} -eq 0 ]] && {
   . ./lib/lib_usage.sh; usage; exit 1; }
 
-### SOURCING MUST SET EARLY VARIABLES AND GUARD_SOURCING()
+### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING(), CHECK_GIT()
 . ./var/early.var.sh
 . ./lib/lib_guard_sourcing.sh
+. ./lib/lib_git_var.sh
 
 ### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG
 for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh; contact; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh; usage; exit 0;; esac; done
-for arg in "$@"; do case "${arg,,}" in -v|--version) printf "\e[95mCISS.debian.live.builder Version: %s\e[0m\n" "${VAR_VERSION}"; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh; version; exit 0;; esac; done
 
 ### ALL CHECKS DONE. READY TO START THE SCRIPT
-for arg in "$@"; do case "${arg,,}" in -d|--debug)   . ./meta_sources_debug.sh; check_git; debugger "${@}";; esac; done
+check_git
+for arg in "$@"; do case "${arg,,}" in -d|--debug)   . ./meta_sources_debug.sh; debugger "${@}";; esac; done
 declare -gx VAR_SETUP="true"
 
 ### SOURCING VARIABLES

config/includes.chroot/etc/ssh/sshd_config

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.768.2025.06.23
+### Version Master V8.03.864.2025.07.15
 
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig

config/includes.chroot/etc/sysctl.d/99_local.hardened

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.768.2025.06.23
+### Version Master V8.03.864.2025.07.15
 
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/

config/includes.chroot/preseed/.iso/preseed_hash_generator.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-declare -gr VERSION="Master V8.03.768.2025.06.23"
+declare -gr VERSION="Master V8.03.864.2025.07.15"
 
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then

config/includes.chroot/preseed/preseed.cfg

@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.03.768.2025.06.23 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.03.864.2025.07.15 at: 10:18:37.9542

config/package-lists/live.list.common.chroot

@@ -26,6 +26,7 @@ ca-certificates
 clamav
 clamav-daemon
 console-setup
+cpuid
 cryptsetup
 cryptsetup-nuke-password
 curl
@@ -49,6 +50,7 @@ expect
 fail2ban
 fdisk
 figlet
+fio
 fzf
 gawk
 gdisk
@@ -111,6 +113,7 @@ speedtest-cli
 squashfs-tools
 ssh
 ssl-cert
+stress
 sudo
 sysstat
 systemd-sysv

docs/AUDIT_DNSSEC.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.23<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. DNSSEC Status
 

docs/AUDIT_HAVEGED.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.23<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. Haveged Audit on Netcup RS 2000 G11
 

docs/AUDIT_LYNIS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.23<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. Lynis Audit:
 

docs/AUDIT_SSH.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.23<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. SSH Audit by ssh-audit.com
 

docs/AUDIT_TLS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.23<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. TLS Audit:
 
@@ -26,313 +26,7 @@ include_toc: true
   Using OpenSSL 1.0.2-bad (Mar 28 2025)  [~179 ciphers]
   on kali:./bin/openssl.Linux.x86_64
 
- Start 2025-06-23 06:37:04        -->> 135.181.207.105:443 (dns01.eddns.eu) <<--
-
- Further IP addresses:   2a01:4f9:c012:a813:135:181:207:105
- rDNS (135.181.207.105): dns01.eddns.eu.
- Service detected:       HTTP
-
- Testing protocols via sockets except NPN+ALPN
-
- SSLv2      not offered (OK)
- SSLv3      not offered (OK)
- TLS 1      not offered
- TLS 1.1    not offered
- TLS 1.2    offered (OK)
- TLS 1.3    offered (OK): final
- NPN/SPDY   not offered
- ALPN/HTTP2 h2, http/1.1 (offered)
-
- Testing for server implementation bugs
-
- No bugs found.
-
- Testing cipher categories
-
- NULL ciphers (no encryption)                      not offered (OK)
- Anonymous NULL Ciphers (no authentication)        not offered (OK)
- Export ciphers (w/o ADH+NULL)                     not offered (OK)
- LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export)      not offered (OK)
- Triple DES Ciphers / IDEA                         not offered
- Obsoleted CBC ciphers (AES, ARIA etc.)            not offered
- Strong encryption (AEAD ciphers) with no FS       not offered
- Forward Secrecy strong encryption (AEAD ciphers)  offered (OK)
-
-
- Testing server's cipher preferences
-
-Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
------------------------------------------------------------------------------------------------------------------------------
-SSLv2
- -
-SSLv3
- -
-TLSv1
- -
-TLSv1.1
- -
-TLSv1.2 (server order)
- xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 448   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 448   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
-TLSv1.3 (server order)
- x1302   TLS_AES_256_GCM_SHA384            ECDH 448   AESGCM      256      TLS_AES_256_GCM_SHA384
- x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 448   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
-
- Has server cipher order?     yes (OK) -- TLS 1.3 and below
-
-
- Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4
-
- FS is offered (OK) , ciphers follow (client/browser support is important here)
-
-Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
------------------------------------------------------------------------------------------------------------------------------
- x1302   TLS_AES_256_GCM_SHA384            ECDH 448   AESGCM      256      TLS_AES_256_GCM_SHA384                             available
- x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 448   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                       available
- xcc14   ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDH       ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD  not a/v
- xcc13   ECDHE-RSA-CHACHA20-POLY1305-OLD   ECDH       ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD    not a/v
- xcc15   DHE-RSA-CHACHA20-POLY1305-OLD     DH         ChaCha20    256      TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD      not a/v
- xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 521   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              available
- xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH       AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384            not a/v
- xc028   ECDHE-RSA-AES256-SHA384           ECDH       AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384              not a/v
- xc024   ECDHE-ECDSA-AES256-SHA384         ECDH       AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384            not a/v
- xc014   ECDHE-RSA-AES256-SHA              ECDH       AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 not a/v
- xc00a   ECDHE-ECDSA-AES256-SHA            ECDH       AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA               not a/v
- xa3     DHE-DSS-AES256-GCM-SHA384         DH         AESGCM      256      TLS_DHE_DSS_WITH_AES_256_GCM_SHA384                not a/v
- x9f     DHE-RSA-AES256-GCM-SHA384         DH         AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384                not a/v
- xcca9   ECDHE-ECDSA-CHACHA20-POLY1305     ECDH       ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256      not a/v
- xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 448   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256        available
- xccaa   DHE-RSA-CHACHA20-POLY1305         DH         ChaCha20    256      TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256          not a/v
- xc0af   ECDHE-ECDSA-AES256-CCM8           ECDH       AESCCM8     256      TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8                 not a/v
- xc0ad   ECDHE-ECDSA-AES256-CCM            ECDH       AESCCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_CCM                   not a/v
- xc0a3   DHE-RSA-AES256-CCM8               DH         AESCCM8     256      TLS_DHE_RSA_WITH_AES_256_CCM_8                     not a/v
- xc09f   DHE-RSA-AES256-CCM                DH         AESCCM      256      TLS_DHE_RSA_WITH_AES_256_CCM                       not a/v
- x6b     DHE-RSA-AES256-SHA256             DH         AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA256                not a/v
- x6a     DHE-DSS-AES256-SHA256             DH         AES         256      TLS_DHE_DSS_WITH_AES_256_CBC_SHA256                not a/v
- x39     DHE-RSA-AES256-SHA                DH         AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA                   not a/v
- x38     DHE-DSS-AES256-SHA                DH         AES         256      TLS_DHE_DSS_WITH_AES_256_CBC_SHA                   not a/v
- xc077   ECDHE-RSA-CAMELLIA256-SHA384      ECDH       Camellia    256      TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384         not a/v
- xc073   ECDHE-ECDSA-CAMELLIA256-SHA384    ECDH       Camellia    256      TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384       not a/v
- xc4     DHE-RSA-CAMELLIA256-SHA256        DH         Camellia    256      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256           not a/v
- xc3     DHE-DSS-CAMELLIA256-SHA256        DH         Camellia    256      TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256           not a/v
- x88     DHE-RSA-CAMELLIA256-SHA           DH         Camellia    256      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA              not a/v
- x87     DHE-DSS-CAMELLIA256-SHA           DH         Camellia    256      TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA              not a/v
- xc043   DHE-DSS-ARIA256-CBC-SHA384        DH         ARIA        256      TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384               not a/v
- xc045   DHE-RSA-ARIA256-CBC-SHA384        DH         ARIA        256      TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384               not a/v
- xc049   ECDHE-ECDSA-ARIA256-CBC-SHA384    ECDH       ARIA        256      TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384           not a/v
- xc04d   ECDHE-RSA-ARIA256-CBC-SHA384      ECDH       ARIA        256      TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384             not a/v
- xc053   DHE-RSA-ARIA256-GCM-SHA384        DH         ARIAGCM     256      TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384               not a/v
- xc057   DHE-DSS-ARIA256-GCM-SHA384        DH         ARIAGCM     256      TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384               not a/v
- xc05d   ECDHE-ECDSA-ARIA256-GCM-SHA384    ECDH       ARIAGCM     256      TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384           not a/v
- xc061   ECDHE-ARIA256-GCM-SHA384          ECDH       ARIAGCM     256      TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384             not a/v
- xc07d   -                                 DH         CamelliaGCM 256      TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384           not a/v
- xc081   -                                 DH         CamelliaGCM 256      TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384           not a/v
- xc087   -                                 ECDH       CamelliaGCM 256      TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384       not a/v
- xc08b   -                                 ECDH       CamelliaGCM 256      TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384         not a/v
- x1301   TLS_AES_128_GCM_SHA256            any        AESGCM      128      TLS_AES_128_GCM_SHA256                             not a/v
- x1304   TLS_AES_128_CCM_SHA256            any        AESCCM      128      TLS_AES_128_CCM_SHA256                             not a/v
- x1305   TLS_AES_128_CCM_8_SHA256          any        AESCCM8     128      TLS_AES_128_CCM_8_SHA256                           not a/v
- xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH       AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256              not a/v
- xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH       AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256            not a/v
- xc027   ECDHE-RSA-AES128-SHA256           ECDH       AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256              not a/v
- xc023   ECDHE-ECDSA-AES128-SHA256         ECDH       AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256            not a/v
- xc013   ECDHE-RSA-AES128-SHA              ECDH       AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 not a/v
- xc009   ECDHE-ECDSA-AES128-SHA            ECDH       AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA               not a/v
- xa2     DHE-DSS-AES128-GCM-SHA256         DH         AESGCM      128      TLS_DHE_DSS_WITH_AES_128_GCM_SHA256                not a/v
- x9e     DHE-RSA-AES128-GCM-SHA256         DH         AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256                not a/v
- xc0ae   ECDHE-ECDSA-AES128-CCM8           ECDH       AESCCM8     128      TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8                 not a/v
- xc0ac   ECDHE-ECDSA-AES128-CCM            ECDH       AESCCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_CCM                   not a/v
- xc0a2   DHE-RSA-AES128-CCM8               DH         AESCCM8     128      TLS_DHE_RSA_WITH_AES_128_CCM_8                     not a/v
- xc09e   DHE-RSA-AES128-CCM                DH         AESCCM      128      TLS_DHE_RSA_WITH_AES_128_CCM                       not a/v
- x67     DHE-RSA-AES128-SHA256             DH         AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA256                not a/v
- x40     DHE-DSS-AES128-SHA256             DH         AES         128      TLS_DHE_DSS_WITH_AES_128_CBC_SHA256                not a/v
- x33     DHE-RSA-AES128-SHA                DH         AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA                   not a/v
- x32     DHE-DSS-AES128-SHA                DH         AES         128      TLS_DHE_DSS_WITH_AES_128_CBC_SHA                   not a/v
- xc076   ECDHE-RSA-CAMELLIA128-SHA256      ECDH       Camellia    128      TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256         not a/v
- xc072   ECDHE-ECDSA-CAMELLIA128-SHA256    ECDH       Camellia    128      TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256       not a/v
- xbe     DHE-RSA-CAMELLIA128-SHA256        DH         Camellia    128      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256           not a/v
- xbd     DHE-DSS-CAMELLIA128-SHA256        DH         Camellia    128      TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256           not a/v
- x9a     DHE-RSA-SEED-SHA                  DH         SEED        128      TLS_DHE_RSA_WITH_SEED_CBC_SHA                      not a/v
- x99     DHE-DSS-SEED-SHA                  DH         SEED        128      TLS_DHE_DSS_WITH_SEED_CBC_SHA                      not a/v
- x45     DHE-RSA-CAMELLIA128-SHA           DH         Camellia    128      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA              not a/v
- x44     DHE-DSS-CAMELLIA128-SHA           DH         Camellia    128      TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA              not a/v
- xc042   DHE-DSS-ARIA128-CBC-SHA256        DH         ARIA        128      TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256               not a/v
- xc044   DHE-RSA-ARIA128-CBC-SHA256        DH         ARIA        128      TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256               not a/v
- xc048   ECDHE-ECDSA-ARIA128-CBC-SHA256    ECDH       ARIA        128      TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256           not a/v
- xc04c   ECDHE-RSA-ARIA128-CBC-SHA256      ECDH       ARIA        128      TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256             not a/v
- xc052   DHE-RSA-ARIA128-GCM-SHA256        DH         ARIAGCM     128      TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256               not a/v
- xc056   DHE-DSS-ARIA128-GCM-SHA256        DH         ARIAGCM     128      TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256               not a/v
- xc05c   ECDHE-ECDSA-ARIA128-GCM-SHA256    ECDH       ARIAGCM     128      TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256           not a/v
- xc060   ECDHE-ARIA128-GCM-SHA256          ECDH       ARIAGCM     128      TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256             not a/v
- xc07c   -                                 DH         CamelliaGCM 128      TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256           not a/v
- xc080   -                                 DH         CamelliaGCM 128      TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256           not a/v
- xc086   -                                 ECDH       CamelliaGCM 128      TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256       not a/v
- xc08a   -                                 ECDH       CamelliaGCM 128      TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256         not a/v
-
- Elliptic curves offered:     secp384r1 secp521r1 X448
- TLS 1.2 sig_algs offered:    RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512 RSA+SHA256 RSA+SHA384 RSA+SHA512 RSA+SHA224
- TLS 1.3 sig_algs offered:    RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512
-
- Testing server defaults (Server Hello)
-
- TLS extensions (standard)    "server name/#0" "max fragment length/#1" "status request/#5" "supported_groups/#10" "EC point formats/#11"
-                              "application layer protocol negotiation/#16" "extended master secret/#23" "supported versions/#43" "key share/#51"
-                              "renegotiation info/#65281"
- Session Ticket RFC 5077 hint no -- no lifetime advertised
- SSL Session ID support       yes
- Session Resumption           Tickets no, ID: yes
- TLS clock skew               Random values, no fingerprinting possible
- Certificate Compression      none
- Client Authentication        none
- Signature Algorithm          SHA384 with RSA
- Server key size              RSA 4096 bits (exponent is 262147)
- Server key usage             Digital Signature, Key Encipherment
- Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
- Serial                       A39CFE0064280D467269C012636F9EE8 (OK: length 16)
- Fingerprints                 SHA1 9E19BE00A07E50CC5DB94A51419D431E845F810A
-                              SHA256 92D01842FB6275890EF74AAD742990EFD76ABA0604203B327F3270E805B6F356
- Common Name (CN)             eddns.eu
- subjectAltName (SAN)         eddns.eu dns01.eddns.eu dns02.eddns.de dns03.eddns.eu eddns.de
- Trust (hostname)             Ok via SAN (same w/o SNI)
- Chain of trust               Ok
- EV cert (experimental)       no
- Certificate Validity (UTC)   358 >= 60 days (2025-06-16 00:00 --> 2026-06-16 23:59)
- ETS/"eTLS", visibility info  not present
- In pwnedkeys.com DB          not in database
- Certificate Revocation List  --
- OCSP URI                     http://zerossl.ocsp.sectigo.com, not revoked
- OCSP stapling                offered, not revoked
- OCSP must staple extension   supported
- DNS CAA RR (experimental)    available - please check for match with "Issuer" below
-                              communications=error, iodef=mailto:dns@coresecret.eu, issue=;, issue=buypass.no, issue=certum.pl,
-                              issue=letsencrypt.org;, issue=quantumsign.eu;, issue=sectigo.com, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
-                              issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
-                              issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuemail=buypass.no, issuemail=certum.pl, issuewild=;
- Certificate Transparency     yes (certificate extension)
- Certificates provided        2
- Issuer                       ZeroSSL RSA Domain Secure Site CA (ZeroSSL from AT)
- Intermediate cert validity   #1: ok > 40 days (2030-01-29 23:59). ZeroSSL RSA Domain Secure Site CA <-- USERTrust RSA Certification Authority
- Intermediate Bad OCSP (exp.) Ok
-
-
- Testing HTTP header response @ "/"
-
- HTTP Status Code             200 OK
- HTTP clock skew              0 sec from localtime
- Strict Transport Security    730 days=63072000 s, includeSubDomains, preload
- Public Key Pinning           --
- Server banner                nginx
- Application banner           --
- Cookie(s)                    (none issued at "/")
- Security headers             X-Frame-Options: SAMEORIGIN
-                              X-Content-Type-Options: nosniff
-                              Expect-CT: max-age=86400, enforce
-                              Permissions-Policy: interest-cohort=()
-                              Cross-Origin-Opener-Policy: same-origin
-                              Cross-Origin-Resource-Policy: cross-origin
-                              Cross-Origin-Embedder-Policy: credentialless
-                              X-XSS-Protection: 1; mode=block
-                              Access-Control-Allow-Origin: https://dns01.eddns.eu
-                              Permissions-Policy: interest-cohort=()
-                              Referrer-Policy: same-origin
-                              Cache-Control: no-cache
- Reverse Proxy banner         --
-
-
- Testing vulnerabilities
-
- Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
- CCS (CVE-2014-0224)                       not vulnerable (OK)
- Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK), no session ticket extension
- ROBOT                                     Server does not support any cipher suites that use RSA key transport
- Secure Renegotiation (RFC 5746)           supported (OK)
- Secure Client-Initiated Renegotiation     not vulnerable (OK)
- CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
- BREACH (CVE-2013-3587)                    no gzip/deflate/compress/br HTTP compression (OK)  - only supplied "/" tested
- POODLE, SSL (CVE-2014-3566)               not vulnerable (OK), no SSLv3 support
- TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible (OK), no protocol below TLS 1.2 offered
- SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
- FREAK (CVE-2015-0204)                     not vulnerable (OK)
- DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
-                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
-                                           https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=92D01842FB6275890EF74AAD742990EFD76ABA0604203B327F3270E805B6F356
- LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
- BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
- LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
- Winshock (CVE-2014-6321), experimental    not vulnerable (OK)
- RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)
-
-
- Running client simulations (HTTP) via sockets
-
- Browser                      Protocol  Cipher Suite Name (OpenSSL)       Forward Secrecy
-------------------------------------------------------------------------------------------------
- Android 7.0 (native)         No connection
- Android 8.1 (native)         TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       384 bit ECDH (P-384)
- Android 9.0 (native)         TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
- Android 10.0 (native)        TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
- Android 11/12 (native)       TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
- Android 13/14 (native)       TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
- Android 15 (native)          TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
- Chrome 101 (Win 10)          TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
- Chromium 137 (Win 11)        TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
- Firefox 100 (Win 10)         TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
- Firefox 137 (Win 11)         TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
- IE 8 Win 7                   No connection
- IE 11 Win 7                  No connection
- IE 11 Win 8.1                No connection
- IE 11 Win Phone 8.1          No connection
- IE 11 Win 10                 TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       384 bit ECDH (P-384)
- Edge 15 Win 10               TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       384 bit ECDH (P-384)
- Edge 101 Win 10 21H2         TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
- Edge 133 Win 11 23H2         TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
- Safari 18.4 (iOS 18.4)       TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
- Safari 15.4 (macOS 12.3.1)   TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
- Safari 18.4 (macOS 15.4)     TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
- Java 7u25                    No connection
- Java 8u442 (OpenJDK)         TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
- Java 11.0.2 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
- Java 17.0.3 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
- Java 21.0.6 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
- go 1.17.8                    TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
- LibreSSL 3.3.6 (macOS)       TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
- OpenSSL 1.0.2e               TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       521 bit ECDH (P-521)
- OpenSSL 1.1.1d (Debian)      TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
- OpenSSL 3.0.15 (Debian)      TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
- OpenSSL 3.5.0 (git)          TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
- Apple Mail (16.0)            TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       521 bit ECDH (P-521)
- Thunderbird (91.9)           TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
-
-
- Rating (experimental)
-
- Rating specs (not complete)  SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)
- Specification documentation  https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
- Protocol Support (weighted)  100 (30)
- Key Exchange     (weighted)  100 (30)
- Cipher Strength  (weighted)  100 (40)
- Final Score                  100
- Overall Grade                A+
-
- Done 2025-06-23 06:38:43 [ 102s] -->> 135.181.207.105:443 (dns01.eddns.eu) <<--
-
-
-25-06-23|root@kali.ed448.eu:/root/gitea/testssl.sh/>>1|~#> ./testssl.sh --show-each --wide --phone-out --full https://git.coresecret.dev/
-
-#####################################################################
-  testssl.sh version 3.2.1 from https://testssl.sh/
-  (81471c3 2025-06-15 09:48:31)
-
-  This program is free software. Distribution and modification under
-  GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
-
-  Please file bugs @ https://testssl.sh/bugs/
-#####################################################################
-
-  Using OpenSSL 1.0.2-bad (Mar 28 2025)  [~179 ciphers]
-  on kali:./bin/openssl.Linux.x86_64
-
- Start 2025-06-23 06:55:40        -->> 152.53.110.40:443 (git.coresecret.dev) <<--
+ Start 2025-06-23 17:58:48        -->> 152.53.110.40:443 (git.coresecret.dev) <<--
 
  Further IP addresses:   2a0a:4cc0:80:330f:152:53:110:40
  rDNS (152.53.110.40):   git.coresecret.dev.
@@ -510,8 +204,8 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
  OCSP stapling                offered, not revoked
  OCSP must staple extension   --
  DNS CAA RR (experimental)    available - please check for match with "Issuer" below
-                              iodef=mailto:dns@coresecret.eu, issue=;, issue=buypass.no, issue=certum.pl, issue=letsencrypt.org;,
-                              issue=quantumsign.eu;, issue=sectigo.com, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
+                              communications=error, iodef=mailto:dns@coresecret.eu, issue=;, issue=buypass.no, issue=certum.pl,
+                              issue=letsencrypt.org;, issue=quantumsign.eu;, issue=sectigo.com, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
                               issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
                               issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuemail=buypass.no, issuemail=certum.pl, issuewild=;
  Certificate Transparency     yes (certificate extension)
@@ -623,7 +317,7 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
  Final Score                  100
  Overall Grade                A+
 
- Done 2025-06-23 06:57:01 [  86s] -->> 152.53.110.40:443 (git.coresecret.dev) <<--
+ Done 2025-06-23 18:00:16 [  99s] -->> 152.53.110.40:443 (git.coresecret.dev) <<--
 ````
 
 ---

docs/BOOTPARAMS.md

@@ -0,0 +1,56 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.live.builder
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
+**Master Version**: 8.03<br>
+**Build**: V8.03.864.2025.07.15<br>
+
+# 2. Hardened Kernel Boot Parameters
+
+Below is a curated set of kernel boot parameters optimized for CISS Debian Installer. These parameters enhance security posture,
+restrict legacy interfaces, enforce memory initialization, and disable speculative side channels. Each parameter is documented 
+with a short rationale.
+
+* ``audit=1``: Enable kernel auditing subsystem.
+* ``audit_backlog_limit=8192``: Set audit event buffer depth.
+* ``cfi=kcfi``: Enable Clang's Control Flow Integrity (if supported by kernel).
+* ``debugfs=off``: Disable debugfs mount, prevents access to kernel internals.
+* ``efi=disable_early_pci_dma``: Prevent early PCI DMA via EFI.
+* ``hardened_usercopy=1``: Harden copy_*_user() functions, mitigate heap/memcpy bugs.
+* ``ia32_emulation=0``: Disable 32-bit x86 binary support on 64-bit kernel.
+* ``init_on_alloc=1``: Zero-initialize heap memory on allocation.
+* ``init_on_free=1``: Zero memory on free to prevent reuse data leaks.
+* ``iommu=force``: Enforce use of IOMMU.
+* ``iommu.strict=1``: Enable strict IOMMU mode (always remap).
+* ``iommu.passthrough=0``: Prevent IOMMU passthrough (forces remapping).
+* ``kfence.sample_interval=100``: Enable low-overhead heap-fence sampling.
+* ``kvm.nx_huge_pages=force``: Enforce NX-bit for KVM hugepages to prevent code execution.
+* ``l1d_flush=on``: Flush L1D cache on VM-entry to mitigate cache side-channels.
+* ``lockdown=confidentiality``: Enable kernel lockdown in confidentiality mode.
+* ``loglevel=0``: Silence all kernel messages (only EMERG shown).
+* ``mitigations=auto,nosmt``: Enable all available speculative mitigations, disable SMT.
+* ``mmio_stale_data=full,force,nosmt``: Mitigate MMIO stale data side channel fully.
+* ``nosmt=force``: Force disable Simultaneous Multithreading (SMT/HT).
+* ``oops=panic``: Trigger kernel panic on oops, ensures halt on fault.
+* ``page_alloc.shuffle=1``: Randomize page allocator freelist order.
+* ``page_poison=1``: Fill freed pages with poison patterns to detect UAF.
+* ``panic=-1``: Prevent automatic reboot after panic.
+* ``pti=on``: Enable Page Table Isolation (Meltdown mitigation).
+* ``random.trust_bootloader=off``: Do not trust RNG state from bootloader.
+* ``random.trust_cpu=off``: Do not trust CPU's RDRAND or RDSEED.
+* ``randomize_kstack_offset=on``: Enable randomized kernel stack offset per syscall.
+* ``randomize_va_space=2``: Enable full ASLR for mmap and heap.
+* ``retbleed=auto,nosmt``: Mitigate Retbleed exploit path via branch prediction.
+* ``rodata=on``: Enforce read-only sections for .rodata.
+* ``slab_nomerge``: Disable merging of similar slab caches.
+* ``vdso32=0``: Disable 32-bit vdso mapping (x86 compatibility).
+* ``vsyscall=none``: Disable vsyscall legacy mapping.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

docs/CHANGELOG.md

@@ -8,13 +8,43 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.23<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. Changelog
 
-## V8.03.768.2025.06.22
+## V8.03.864.2025.07.15
 
-* Updated [lib_clean_up.sh](../lib/lib_clean_up.sh): Lock FD and Artifacts.
+* Updated: [0010_dhcp_supersede.sh](../scripts/0010_dhcp_supersede.sh)
+* Added: [BOOTPARAMS.md](BOOTPARAMS.md)
+* Added: Package ``cpuid``: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
+
+## V8.03.832.2025.06.25
+
+* Added: [lib_version.sh](../lib/lib_version.sh)
+* Updated:
+  * [lib_contact.sh](../lib/lib_contact.sh)
+  * [lib_usage.sh](../lib/lib_usage.sh)
+* Packages added:
+  * https://packages.debian.org/bookworm/fio
+  * https://packages.debian.org/bookworm/stress 
+* Timezone changed to ``Etc/UTC``
+
+## V8.03.832.2025.06.24
+
+* Updated:
+  * [lib_check_provider.sh](../lib/lib_check_provider.sh)
+  * [lib_debug_header.sh](../lib/lib_debug_header.sh)
+  * [lib_trap_on_err.sh](../lib/lib_trap_on_err.sh)
+* The Debian package ``bat`` will be installed to enable smooth log reading.
+
+## V8.03.768.2025.06.23
+
+* Updated [lib_clean_up.sh](../lib/lib_clean_up.sh): Removal of Lock FD and Artifacts.
+* Rearranged VARs sourcing: [early.var.sh](../var/early.var.sh)
+* Rearranged DEBUG XTRACE sourcing: [meta_sources_debug.sh](../meta_sources_debug.sh)
+* Added Git Repo specific VARs: [lib_debug_var_git.sh](../lib/lib_git_var.sh)
+* Added ``guard_sourcing()``: [lib_guard_sourcing.sh](../lib/lib_guard_sourcing.sh)
+  * to prevent the caller LIB-file from being sourced twice.
 
 ## V8.03.768.2025.06.19
 

docs/CNET.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.23<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. Centurion Net - Developer Branch Overview
 

docs/CODING_CONVENTION.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.23<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. Coding Style
 

docs/CONTRIBUTING.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.23<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. Contributing / participating
 

docs/CREDITS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.23<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. Credits
 

docs/DL_PUB_ISO.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.23<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
 

docs/DOCUMENTATION.md

@@ -8,12 +8,12 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.23<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2.1. Usage
 ````text
 CISS.debian.live.builder
-Master V8.03.768.2025.06.23
+Master V8.03.864.2025.07.15
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 
 (c) Marc S. Weidner, 2018 - 2025
@@ -133,7 +133,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
 # 2.2. Contact
 ````text
 CISS.debian.live.builder
-Master V8.03.768.2025.06.23
+Master V8.03.864.2025.07.15
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 
 (c) Marc S. Weidner, 2018 - 2025

docs/REFERENCES.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.23<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. Resources
 

lib/lib_check_pkgs.sh

@@ -20,6 +20,10 @@ guard_sourcing
 check_pkgs() {
   apt-get update -y > /dev/null 2>&1
 
+  if [[ -z "$(command -v batcat || true)" ]]; then
+    apt-get install -y --no-install-recommends bat
+  fi
+
   if [[ -z "$(command -v lsb_release || true)" ]]; then
     apt-get install -y --no-install-recommends lsb-release
   fi
@@ -45,8 +49,7 @@ check_pkgs() {
   fi
 
   if [[ -z "$(command -v mkpasswd || true)" ]]; then
-    apt-get update -y
-    apt-get install --no-install-recommends whois -y
+    apt-get install -y --no-install-recommends whois
   fi
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_check_provider.sh

@@ -19,8 +19,9 @@ guard_sourcing
 #######################################
 check_provider() {
   clear
-  cat << 'EOF' >| "${VAR_NOTES}"
-Build: Master V8.03.768.2025.06.23
+  cat << EOF >| "${VAR_NOTES}"
+Build  : ${VAR_VERSION}
+Commit : ${VAR_GIT_REL}
 
 Press 'EXIT' to continue with CISS.debian.live.builder.
 

lib/lib_contact.sh

@@ -20,9 +20,9 @@
 contact() {
   clear
   cat << EOF
-$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.03.768.2025.06.23\e[0m")
-$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.\e[0m")
+$(echo -e "\e[97m################################################################################ \e[0m")
+$(echo -e "\e[92m  CISS.debian.live.builder from https://git.coresecret.dev/msw                   \e[0m")
+$(echo -e "\e[92m  A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.     \e[0m")
 
 $(echo -e "\e[97m  (c) Marc S. Weidner, 2018 - 2025 \e[0m")
 $(echo -e "\e[97m  (p) Centurion Press, 2024 - 2025 \e[0m")
@@ -35,6 +35,7 @@ $(echo -e "\e[95m🔗 https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F4103
 
 $(echo -e "\e[95m  💷 Please consider donating to my work at: \e[0m")
 $(echo -e "\e[95m  🌐 https://coresecret.eu/spenden/          \e[0m")
+$(echo -e "\e[97m################################################################################ \e[0m")
 
 EOF
 }

lib/lib_debug.sh

@@ -41,8 +41,10 @@ debugger() {
   declare -grx PS4='\e[97m+\e[0m\e[96m$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m${?}\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m '
   # shellcheck disable=SC2155
   declare -grx LOG_DEBUG="/tmp/ciss_live_builder_$$_debug.log"
-  ### Generates empty LOG_DEBUG
+  declare -grx LOG_VAR="/tmp/ciss_live_builder_$$_var.log"
+  ### Generates empty LOG_DEBUG and LOG_VAR
   touch "${LOG_DEBUG}" && chmod 0600 "${LOG_DEBUG}"
+  touch "${LOG_VAR}" && chmod 0600 "${LOG_VAR}"
   ### Open file descriptor 42 for writing to the debug log
   exec 42>| "${LOG_DEBUG}"
   ### Write Debug Log Header https://www.gnu.org/software/bash/manual/html_node/Bash-Variables

lib/lib_debug_header.sh

@@ -34,7 +34,7 @@ debug_header() {
   declare -r arg_string="$2"
   {
     printf "\e[97m+\e[0m\e[92m%s: CISS.debian.live.builder Debug Log \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
-    printf "\e[97m+\e[0m\e[92m%s: Git Commit                : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_GIT_HEAD_FULL}"
+    printf "\e[97m+\e[0m\e[92m%s: Git Commit                : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_GIT_REL}"
     printf "\e[97m+\e[0m\e[92m%s: Version                   : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_VERSION}"
     printf "\e[97m+\e[0m\e[92m%s: Epoch                     : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${EPOCHREALTIME}"
     printf "\e[97m+\e[0m\e[92m%s: Bash MAJ Release          : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[0]}"

lib/lib_guard_sourcing.sh

@@ -16,7 +16,7 @@
 # Globals:
 #   BASH_SOURCE
 # Arguments:
-#   $1: Explicitly provided Argument: filename of the caller LIB. (Better let the guard_sourcing() determine dynamically.
+#   $1: Explicitly provided Argument: filename of the caller LIB. (Better let the guard_sourcing() determine dynamically.)
 # Returns:
 #   0: Returns '0' in both cases as they are intended to be successful.
 #######################################

lib/lib_lb_config_write.sh

@@ -15,20 +15,12 @@ guard_sourcing
 #######################################
 # Wrapper to write a new 'lb config' environment.
 # Globals:
-#   VAR_HANDLER_ISO_COUNTER
 #   VAR_ARCHITECTURE
 #   VAR_HANDLER_BUILD_DIR
+#   VAR_HANDLER_ISO_COUNTER
 #   VAR_KERNEL
-#   VAR_WORKDIR
 #   VAR_VERSION
-# Arguments:
-#  None
-#######################################
-
-#######################################
-# description
-# Globals:
-
+#   VAR_WORKDIR
 # Arguments:
 #  None
 #######################################
@@ -46,8 +38,8 @@ lb_config_write() {
     --backports true \
     --binary-filesystem fat32 \
     --binary-image iso-hybrid \
-    --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Europe/Lisbon splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
-    --bootappend-live "boot=live verify-checksums components nocomponents=cdi-starter locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Europe/Lisbon toram audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
+    --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
+    --bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 nocomponents=cdi-starter noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force,nosmt nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
     --bootloaders grub-efi \
     --cache true \
     --checksums sha512 sha256 md5 \

lib/lib_trap_on_err.sh

@@ -36,6 +36,7 @@ guard_sourcing
 print_file_err() {
   {
     printf "❌ CISS.debian.live.builder Script failed. \n"
+    printf "❌ Git Commit             : %s \n" "${VAR_GIT_REL}"
     printf "❌ Version                : %s \n" "${VAR_VERSION}"
     printf "❌ Hostsystem             : %s \n" "${VAR_SYSTEM}"
     printf "❌ Error                  : %s \n" "${ERRCODE}"
@@ -50,7 +51,7 @@ print_file_err() {
     if "${VAR_EARLY_DEBUG}"; then
       printf "❌ Vars Dump saved at     : %s \n" "${LOG_VAR}"
       printf "❌ Debug Log saved at     : %s \n" "${LOG_DEBUG}"
-      printf "❌                   cat %s \n" "${LOG_DEBUG}"
+      printf "❌ batcat --pager='less -r' %s \n" "${LOG_DEBUG}"
     fi
     printf "\n"
   } >> "${LOG_ERROR}"
@@ -79,6 +80,7 @@ print_file_err() {
 #######################################
 print_scr_err() {
   printf "\e[91m❌ CISS.debian.live.builder Script failed. \e[0m\n" >&2
+  printf "\e[91m❌ Git Commit             : %s \e[0m\n" "${VAR_GIT_REL}" >&2
   printf "\e[91m❌ Version                : %s \e[0m\n" "${VAR_VERSION}" >&2
   printf "\e[91m❌ Hostsystem             : %s \e[0m\n" "${VAR_SYSTEM}" >&2
   printf "\e[91m❌ Error                  : %s \e[0m\n" "${ERRCODE}" >&2
@@ -91,11 +93,11 @@ print_scr_err() {
   printf "\e[91m❌ Arguments Original     : %s \e[0m\n" "${ARG_STR_ORG_INPUT}" >&2
   printf "\e[91m❌ Arguments Sanitized    : %s \e[0m\n" "${VAR_ARG_SANITIZED}" >&2
   printf "\e[91m❌ Error Log saved at     : %s \e[0m\n" "${LOG_ERROR}" >&2
-  printf "\e[91m❌                   cat %s \e[0m\n" "${LOG_ERROR}" >&2
+  printf "\e[91m❌ batcat --pager='less -r' %s \e[0m\n" "${LOG_ERROR}" >&2
   if "${VAR_EARLY_DEBUG}"; then
     printf "\e[91m❌ Vars Dump saved at     : %s \e[0m\n" "${LOG_VAR}" >&2
     printf "\e[91m❌ Debug Log saved at     : %s \e[0m\n" "${LOG_DEBUG}" >&2
-    printf "\e[91m❌                   cat %s \e[0m\n" "${LOG_DEBUG}" >&2
+    printf "\e[91m❌ batcat --pager='less -r' %s \e[0m\n" "${LOG_DEBUG}" >&2
   fi
   printf "\n"
 }
@@ -117,12 +119,12 @@ print_scr_err() {
 #   $5: ${BASH_COMMAND}
 #######################################
 trap_on_err() {
+  trap - ERR
   declare -g ERRCODE="$1"
   declare -g ERRSCRT="$2"
   declare -g ERRLINE="$3"
   declare -g ERRFUNC="$4"
   declare -g ERRCMMD="$5"
-  trap - ERR
   if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi
   clean_up "${ERRCODE}"
   if ! $VAR_HANDLER_AUTOBUILD; then clean_screen; fi

lib/lib_trap_on_exit.sh

@@ -20,8 +20,8 @@ guard_sourcing
 #   $1: $?
 #######################################
 trap_on_exit() {
-  declare -r var_trap_on_exit_code="$1"
   trap - EXIT
+  declare -r var_trap_on_exit_code="$1"
   if (( var_trap_on_exit_code == 0 )); then
     if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi
     clean_up "${var_trap_on_exit_code}"
@@ -57,7 +57,7 @@ print_scr_exit() {
         printf "\e[92m✅ Script Runtime         : %s \e[0m\n" "${SECONDS}"
         printf "\e[92m✅ Vars Dump saved at     : %s \e[0m\n" "${LOG_VAR}"
         printf "\e[92m✅ Debug Log saved at     : %s \e[0m\n" "${LOG_DEBUG}"
-        printf "\e[92m✅                 cat %s \e[0m\n" "${LOG_DEBUG}"
+        printf "\e[92m✅ batcat --pager='less -r' %s \e[0m\n" "${LOG_DEBUG}"
         printf "\n"
       fi
       printf "\e[95m💷 Please consider donating to my work at: \e[0m\n"

lib/lib_usage.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-06-25; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -12,131 +12,152 @@
 
 #######################################
 # Usage Wrapper CISS.debian.live.builder
-# Globals:
-#   none
 # Arguments:
 #   $0: Script name
 #######################################
 usage() {
-  clear
-  cat << EOF
-$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.03.768.2025.06.23\e[0m")
-$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.\e[0m")
+  # shellcheck disable=SC2155
+  declare var_cols=$(tput cols 2>/dev/null || echo 80)
 
-$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
-$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
+  #######################################
+  # Header, Footer wrapper for dynamically output.
+  # Arguments:
+  #   $1: Text.
+  #   $2: Width of Terminal.
+  #######################################
+  center() {
+    declare var_text="$1"
+    declare var_width="$2"
+    declare var_padding=$(( (var_width - ${#var_text}) / 2 ))
+    printf "%*s%s%*s\n" "${var_padding}" "" "${var_text}" "${var_padding}" ""
+  }
 
-"${0} <option>", where <option> is one or more of:
+  # shellcheck disable=SC2155
+  declare var_header=$(center "CLB(1)        CISS.debian.live.builder        CLB(1)" "${var_cols}")
+  # shellcheck disable=SC2155
+  declare var_footer=$(center "V8.03.864.2025.07.15        2025-06-25        CLB(1)" "${var_cols}")
 
-$(echo -e "\e[97m  --help, -h\e[0m")
-    What you're looking at.
-
-$(echo -e "\e[97m  --autobuild=*, -a=*\e[0m")
-    Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel
-    selector dialog. Change '*' to your desired Linux kernel and trim the
-    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'.
-
-$(echo -e "\e[97m  --architecture <STRING> one of <amd64 | arm64>\e[0m")
-    A string reflecting the architecture of the Live System.
-    MUST be provided.
-
-$(echo -e "\e[97m  --build-directory </path/to/build_directory>\e[0m")
-    Where the Debian Live Build Image should be generated.
-    MUST be provided.
-
-$(echo -e "\e[97m  --change-splash <STRING> one of <club | hexagon>\e[0m")
-    A string reflecting the GRub Boot Screen Splash you want to use.
-    If omitted defaults to "./.archive/background/club.png".
-
-$(echo -e "\e[97m  --cdi (Experimental Feature)\e[0m")
-    This option generates a boot menu entry to start the forthcoming
-    'CISS.debian.installer', which will be executed after
-    the system has successfully booted up.
-
-$(echo -e "\e[97m  --contact, -c\e[0m")
-    Displays contact information of the author.
-
-$(echo -e "\e[97m  --control <INTEGER>\e[0m")
-    An integer that reflects the version of your Live ISO Image.
-    MUST be provided.
-
-$(echo -e "\e[97m  --debug\e[0m")
-    Enables debug logging for the main program routine. Detailed logging
-    information are written to "/tmp/ciss_live_builder_$$.log"
-
-$(echo -e "\e[97m  --dhcp-centurion\e[0m")
-    If a DHCP lease is provided, the provider's nameserver will be overridden,
-    and only the hardened, privacy-focused Centurion DNS servers will be used:
-      - https://dns01.eddns.eu/
-      - https://dns02.eddns.de/
-      - https://dns03.eddns.eu/
-
-$(echo -e "\e[97m  --jump-host <IP | IP | ... >\e[0m")
-    Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
-    Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
-    If provided, than it MUST be a <SPACE> separated list.
-    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64.
-
-$(echo -e "\e[97m  --log-statistics-only\e[0m")
-    Provides statistic only after successful building a
-    CISS.debian.live-ISO. While enabling "--log-statistics-only"
-    the argument "--build-directory" MUST be provided while
-    all further options MUST be omitted.
-
-$(echo -e "\e[97m  --provider-netcup-ipv6\e[0m")
-    Activates IPv6 support for Netcup Root Server. One unique
-    IPv6 address MUST be provided in this case and MUST be encapsulated
-    with [], e.g., [1234::abcd].
-
-$(echo -e "\e[97m  --renice-priority <PRIORITY>\e[0m")
-    Reset the nice priority value of the script and all its children
-    to the desired <PRIORITY>. MUST be an integer (between "-19" and 19).
-    Negative (higher) values MUST be enclosed in double quotes '"'.
-
-$(echo -e "\e[97m  --reionice-priority <CLASS> <PRIORITY>\e[0m")
-    Reset the ionice priority value of the script and all its children
-    to the desired <CLASS>. MUST be an integer:
-      1: realtime
-      2: best-effort
-      3: idle
-    Defaults to '2'.
-    Whereas <PRIORITY> MUST be an integer as well between:
-      0: highest priority and
-      7: lowest priority.
-    Defaults to '4'.
-    A real-time I/O process can significantly slow down other processes
-    or even cause them to starve if it continuously requests I/O.
-
-$(echo -e "\e[97m  --root-password-file </path/to/password.txt>\e[0m")
-    Password file for 'root', if given, MUST be a string of 20 to 64 characters,
-    and MUST NOT contain the special character '"'.
-    If the argument is omitted, no further login authentication is required for
-    the local console. The root password is hashed with an 16 Byte '/dev/random'
-    generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
-    after Hash generation all Variables containing plain password fragments are
-    deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without
-    further prompt after password hash has been successfully generated via:
-    'shred -vfzu 5 -f'.
-    No tracing of any plain text password fragment in any debug log.
-
-$(echo -e "\e[97m  --ssh-port <INTEGER>\e[0m")
-    The desired Port SSH should listen to.
-    If not provided defaults to Port 22.
-
-$(echo -e "\e[97m  --ssh-pubkey </path/to/.ssh/>\e[0m")
-    Imports the SSH Public Key(s) from the FILE 'authorized_keys' of the
-    specified PATH into the Live ISO. MUST be provided.
-
-$(echo -e "\e[97m  --version, -v\e[0m")
-    Displays version of ${0}.
-
-$(echo -e "\e[93m💡 Notes:\e[0m")
-🔵 You MUST be 'root' to run this script.
-
-$(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m")
-$(echo -e "\e[95m🌐 https://coresecret.eu/spenden/         \e[0m")
-
-EOF
+  {
+    echo -e "\e[1;97m${var_header}\e[0m"
+    echo
+    echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
+    echo -e "\e[92mMaster V8.03.864.2025.07.15\e[0m"
+    echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
+    echo
+    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
+    echo -e "\e[97m(p) Centurion Press, 2024 - 2025 \e[0m"
+    echo
+    echo -e "\e[97m${0} <option>, where <option> is one or more of: \e[0m"
+    echo
+    echo -e "\e[97m  --help, -h \e[0m"
+    echo "    What you're looking at."
+    echo
+    echo -e "\e[97m  --autobuild=*, -a=* \e[0m"
+    echo "    Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel"
+    echo "    selector dialog. Change '*' to your desired Linux kernel and trim the"
+    echo "    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'."
+    echo
+    echo -e "\e[97m  --architecture <STRING> one of <amd64 | arm64> \e[0m"
+    echo "    A string reflecting the architecture of the Live System."
+    echo "    MUST be provided."
+    echo
+    echo -e "\e[97m  --build-directory </path/to/build_directory> \e[0m"
+    echo "    Where the Debian Live Build Image should be generated."
+    echo "    MUST be provided."
+    echo
+    echo -e "\e[97m  --change-splash <STRING> one of <club | hexagon>\e[0m"
+    echo "    A string reflecting the Grub Boot Screen Splash you want to use."
+    echo "    If omitted defaults to './.archive/background/club.png'."
+    echo
+    echo -e "\e[97m  --cdi (Experimental Feature)\e[0m"
+    echo "    This option generates a boot menu entry to start the forthcoming"
+    echo "    'CISS.debian.installer', which will be executed after"
+    echo "    the system has successfully booted up."
+    echo
+    echo -e "\e[97m  --contact, -c\ e[0m"
+    echo "    Show author contact information."
+    echo
+    echo -e "\e[97m  --control <INTEGER>\e[0m"
+    echo "    An integer that reflects the version of your Live ISO Image."
+    echo "    MUST be provided."
+    echo
+    echo -e "\e[97m  --debug, -d \e[0m"
+    echo "    Enables debug logging for the main program routine. Detailed logging"
+    echo "    information are written to '/tmp/ciss_live_builder_$$.log'."
+    echo
+    echo -e "\e[97m  --dhcp-centurion \e[0m"
+    echo "    If a DHCP lease is provided, the provider's nameserver will be overridden,"
+    echo "    and only the hardened, privacy-focused Centurion DNS servers will be used:"
+    echo "      - https://dns01.eddns.eu/"
+    echo "      - https://dns02.eddns.de/"
+    echo "      - https://dns03.eddns.eu/"
+    echo
+    echo -e "\e[97m  --jump-host <IP | IP | ... > \e[0m"
+    echo "    Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access."
+    echo "    Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation."
+    echo "    If provided, than it MUST be a <SPACE> separated list."
+    echo "    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64."
+    echo
+    echo -e "\e[97m  --log-statistics-only\e[0m"
+    echo "    Provides statistic only after successful building a"
+    echo "    CISS.debian.live-ISO. While enabling '--log-statistics-only'"
+    echo "    the argument '--build-directory' MUST be provided while"
+    echo "    all further options MUST be omitted."
+    echo
+    echo -e "\e[97m  --provider-netcup-ipv6 \e[0m"
+    echo "    Activates IPv6 support for Netcup Root Server. One unique"
+    echo "    IPv6 address MUST be provided in this case and MUST be encapsulated"
+    echo "    with [], e.g., [1234::abcd]."
+    echo
+    echo -e "\e[97m  --renice-priority <PRIORITY> \e[0m"
+    echo "    Reset the nice priority value of the script and all its children"
+    echo "    to the desired <PRIORITY>. MUST be an integer (between '-19' and 19)."
+    echo "    Negative (higher) values MUST be enclosed in double quotes '\"'."
+    echo
+    echo -e "\e[97m  --reionice-priority <CLASS> <PRIORITY> \e[0m"
+    echo "    Reset the ionice priority value of the script and all its children"
+    echo "    to the desired <CLASS>. MUST be an integer:"
+    echo "      1: realtime"
+    echo "      2: best-effort"
+    echo "      3: idle"
+    echo "    Defaults to '2'."
+    echo "    Whereas <PRIORITY> MUST be an integer as well between:"
+    echo "      0: highest priority and"
+    echo "      7: lowest priority."
+    echo "    Defaults to '4'."
+    echo "    A real-time I/O process can significantly slow down other processes"
+    echo "    or even cause them to starve if it continuously requests I/O."
+    echo
+    echo -e "\e[97m  --root-password-file </path/to/password.txt> \e[0m"
+    echo "    Password file for 'root', if given, MUST be a string of 20 to 64 characters,"
+    echo "    and MUST NOT contain the special character '\"'."
+    echo "    If the argument is omitted, no further login authentication is required for"
+    echo "    the local console. The root password is hashed with an 16 Byte '/dev/random'"
+    echo "    generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately"
+    echo "    after Hash generation all Variables containing plain password fragments are"
+    echo "    deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without"
+    echo "    further prompt after password hash has been successfully generated via:"
+    echo "    'shred -vfzu 5 -f'."
+    echo "    'No tracing of any plain text password fragment in any debug log."
+    echo
+    echo -e "\e[97m  --ssh-port <INTEGER> \e[0m"
+    echo "    The desired Port SSH should listen to."
+    echo "    If not provided defaults to Port '22'."
+    echo
+    echo -e "\e[97m  --ssh-pubkey </path/to/.ssh/> \e[0m"
+    echo "    Imports the SSH Public Key from the FILE 'authorized_keys' of the"
+    echo "    specified PATH into the Live ISO. MUST be provided."
+    echo
+    echo -e "\e[97m  --version, -v \e[0m"
+    echo "    Show version of ${0}."
+    echo
+    echo -e "\e[93m💡 Notes:\e[0m"
+    echo -e "\e[93m🔵 You MUST be 'root' to run this script.\e[0m"
+    echo
+    echo -e "\e[95m💷 Please consider donating to my work at: \e[0m"
+    echo -e "\e[95m🌐 https://coresecret.eu/spenden/ \e[0m"
+    echo
+    echo -e "\e[1;97m${var_footer}\e[0m"
+  } | less -R
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_version.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-25; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Version Wrapper CISS.debian.live.builder
+# Globals:
+#   VAR_VERSION
+# Arguments:
+#   None
+#######################################
+version() {
+  # shellcheck disable=SC2155
+  declare -r var_repo_ver="$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
+  # shellcheck disable=SC2155
+  declare -r var_lb_ver="$(lb -v)"
+  # shellcheck disable=SC2155
+  declare -r var_ds_ver="$(debootstrap --version)"
+  # shellcheck disable=SC2155
+  declare -r var_host="$(uname -n)"
+  # shellcheck disable=SC2155
+  declare -r var_bash_ver="$(bash --version | head -n1 | awk '{print $4" "$5" "$6}')"
+
+  clear
+  cat << EOF
+$(echo -e "\e[97m################################################################################ \e[0m")
+$(echo -e "\e[92m  CISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m")
+$(echo -e "\e[92m  A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
+
+  Version : ${VAR_VERSION}
+  Git     : ${var_repo_ver}
+
+$(echo -e "\e[97m  This program is free software. Distribution and modification under  \e[0m")
+$(echo -e "\e[97m  EUPL-1.2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! \e[0m")
+
+  Please file bugs @
+$(echo -e "\e[95m  https://git.coresecret.dev/msw/CISS.debian.live.builder/issues \e[0m")
+$(echo -e "\e[97m################################################################################\e[0m")
+
+  Using   : lb (${var_lb_ver}) debootstrap (${var_ds_ver})
+  on      : ${var_host}
+  Bash    : ${var_bash_ver}
+
+EOF
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

meta_sources_debug.sh

@@ -10,23 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Prevent this file from being sourced twice. Derive a safe guard-variable name from the script filename.
-var_file_name="${BASH_SOURCE[0]##*/}"
-var_safe_name="${var_file_name//[^a-zA-Z0-9_]/_}"
-var_guard_var="_${var_safe_name}_LOADED"
-
-### If var_guard_var is already set, abort sourcing.
-if [[ -n "${!var_guard_var:-}" ]]; then
-  unset var_file_name var_safe_name var_guard_var
-  return 0
-fi
-
-### Set var_guard_var and make it readonly+exported
-declare -grx "${var_guard_var}"=1
-unset var_file_name var_safe_name var_guard_var
-
 ### Sourcing Debug Libs
 . ./lib/lib_debug.sh
 . ./lib/lib_debug_header.sh
-. ./lib/lib_debug_var_git.sh
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

scripts/0010_dhcp_supersede.sh

@@ -21,9 +21,9 @@ fi
 cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp/dhclient.conf
 
 # Custom dhclient config to override DHCP DNS
-# dns01.eddns.eu, dns02.eddns.de; dns03.eddns.eu;
+# dns01.eddns.eu, dns02.eddns.de, dns03.eddns.eu;
 
-supersede domain-name-servers 135.181.207.105, 89.58.62.53; 138.199.237.109;
+supersede domain-name-servers 135.181.207.105, 89.58.62.53, 138.199.237.109;
 
 EOF
 

scripts/9000-cdi-starter

@@ -15,7 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 # sleep 1
 
 [[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log
-printf "CISS.debian.installer Master V8.03.768.2025.06.23 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+printf "CISS.debian.installer Master V8.03.864.2025.07.15 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
 
 if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then
   chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh

var/early.var.sh

@@ -17,8 +17,9 @@ declare -agx ARY_PARAM_ARRAY=("$@")
 declare -grx VAR_PARAM_COUNT="$#"
 declare -grx VAR_PARAM_STRNG="$*"
 declare -grx VAR_CONTACT="security@coresecret.eu"
-declare -grx VAR_VERSION="Master V8.03.768.2025.06.23"
+declare -grx VAR_VERSION="Master V8.03.864.2025.07.15"
 declare -grx VAR_SYSTEM="$(uname -a)"
+declare -gx  VAR_EARLY_DEBUG="false"
 declare -gx  VAR_HANDLER_AUTOBUILD="false"
 umask 0022
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

var/global.var.sh

@@ -17,11 +17,6 @@ declare -gr VAR_KERNEL_TMP="$(mktemp)"
 declare -gr VAR_KERNEL_SRT="$(mktemp)"
 declare -gr VAR_NOTES="$(mktemp)"
 
-if "${VAR_EARLY_DEBUG}"; then
-  declare -gr LOG_VAR="/tmp/ciss_live_builder_$$_var.log"
-  touch "${LOG_VAR}" && chmod 0600 "${LOG_VAR}"
-fi
-
 declare -gr LOG_ERROR="/tmp/ciss_live_builder_$$_error.log"
 touch "${LOG_ERROR}" && chmod 0600 "${LOG_ERROR}"