DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]

X-CI-Metadata: master@99d669d at 2025-12-06T04:39:52Z on 941bb339cd9a

Generated at : 2025-12-06T04:39:52Z
Runner Host  : 941bb339cd9a
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 99d669d HEAD -> master

.archive/generate_PRIVATE_trixie_0.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.27
+# Version Master V8.13.768.2025.12.06
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 

.archive/generate_PRIVATE_trixie_1.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.27
+# Version Master V8.13.768.2025.12.06
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 

.archive/generate_PUBLIC_iso.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.27
+# Version Master V8.13.768.2025.12.06
 
 name: 💙 Generating a PUBLIC Live ISO.
 

.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml

@@ -25,7 +25,7 @@ body:
     attributes:
       label: "Version"
       description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.13.512.2025.11.27"
+      placeholder: "e.g., Master V8.13.768.2025.12.06"
     validations:
       required: true
 

.gitea/TODO/dockerfile

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.27
+# Version Master V8.13.768.2025.12.06
 
 FROM debian:bookworm
 

.gitea/TODO/render-md-to-html.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.27
+# Version Master V8.13.768.2025.12.06
 
 name: 🔁 Render README.md to README.html.
 

.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.512.2025.11.27
+  version: V8.13.768.2025.12.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.512.2025.11.27
+  version: V8.13.768.2025.12.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PUBLIC.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.512.2025.11.27
+  version: V8.13.768.2025.12.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_dns.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.512.2025.11.27
+  version: V8.13.768.2025.12.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PRIVATE_trixie_0.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.27
+# Version Master V8.13.768.2025.12.06
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 
@@ -65,6 +65,7 @@ jobs:
             bash \
             bat \
             ca-certificates \
+            cryptsetup \
             curl \
             debootstrap \
             git \
@@ -183,6 +184,7 @@ jobs:
           install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
           install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt
           install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_ca.asc
           install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc
           install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt
 
@@ -196,6 +198,7 @@ jobs:
           echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}"            >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
           echo "${{ secrets.CISS_PHYS_AGE }}"                     >| /dev/shm/cdlb_secrets/keys.txt
           echo "${{ secrets.CISS_PHYS_LUKS }}"                    >| /dev/shm/cdlb_secrets/luks.txt
+          echo "${{ secrets.PGP_CISS_CA_PUBLIC_KEY }}"            >| /dev/shm/cdlb_secrets/signing_ca.asc
           echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}"       >| /dev/shm/cdlb_secrets/signing_key.asc
           echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}"  >| /dev/shm/cdlb_secrets/signing_key_pass.txt
 
@@ -204,20 +207,22 @@ jobs:
           set -euo pipefail
           chmod 0700 ciss_live_builder.sh
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'.
+          chmod 0400 /dev/shm/cdlb_secrets/*
           ./ciss_live_builder.sh \
             --architecture amd64 \
-            --autobuild=6.16.3+deb13-amd64 \
+            --autobuild=6.17.8+deb13-amd64 \
             --build-directory /opt/cdlb \
             --cdi \
+            --change-splash hexagon \
             --control "${timestamp}" \
-            --debug \
             --dhcp-centurion \
             --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS }} \
             --key_age=keys.txt \
             --key_luks=luks.txt \
             --provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
             --root-password-file /dev/shm/cdlb_secrets/password.txt \
+            --signing_ca=signing_ca.asc \
             --signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }} \
             --signing_key_pass=signing_key_pass.txt \
             --signing_key=signing_key.asc \
@@ -227,7 +232,6 @@ jobs:
             --trixie
 
       - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
-        shell: bash
         env:
           NC_BASE: "https://cloud.e2ee.li"
           SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
@@ -237,11 +241,8 @@ jobs:
           SHARE_SUBDIR=""
 
           echo "📥 Get directory listing via PROPFIND ..."
-          curl -s \
+
-          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+          curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
-          -X PROPFIND \
-          -H "Depth: 1" \
-          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
           -o propfind_public.xml
 
           echo "📥 Filter .iso files from the PROPFIND response ..."
@@ -249,46 +250,65 @@ jobs:
           grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
 
           if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+
             echo "💡 Old ISO files found and deleted :"
+
             while IFS= read -r href; do
+
               FILE_URL="${NC_BASE}${href}"
               echo "  Delete: ${FILE_URL}"
-              if curl -s \
+
-                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+              if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then
-                  -X DELETE "${FILE_URL}"; then
+
                 echo "    ✅ Successfully deleted: $(basename "${href}")"
+
               else
+
                 echo "    ❌ Error: $(basename "${href}") could not be deleted"
+
               fi
+
             done < public_iso_list.txt
+
           else
+
             echo "💡 No old ISO files found to delete."
+
           fi
 
       - name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
-        shell: bash
         env:
           NC_BASE: "https://cloud.e2ee.li"
           SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
           SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
         run: |
           set -euo pipefail
+
           if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
             echo "❌ There must be exactly one .iso file in the directory!"
             exit 1
+
           else
+
             VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
             VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
             echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+
           fi
 
           AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
+
           if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
           --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+
             echo "✅ New ISO successfully uploaded."
+
           else
+
             echo "❌ Uploading the new ISO failed."
             exit 1
+
           fi
 
       - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.

.gitea/workflows/generate_PRIVATE_trixie_1.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.27
+# Version Master V8.13.768.2025.12.06
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 
@@ -65,6 +65,7 @@ jobs:
             bash \
             bat \
             ca-certificates \
+            cryptsetup \
             curl \
             debootstrap \
             git \
@@ -183,6 +184,7 @@ jobs:
           install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
           install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt
           install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_ca.asc
           install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc
           install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt
 
@@ -196,6 +198,7 @@ jobs:
           echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}"            >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
           echo "${{ secrets.CISS_PHYS_AGE }}"                     >| /dev/shm/cdlb_secrets/keys.txt
           echo "${{ secrets.CISS_PHYS_LUKS }}"                    >| /dev/shm/cdlb_secrets/luks.txt
+          echo "${{ secrets.PGP_CISS_CA_PUBLIC_KEY }}"            >| /dev/shm/cdlb_secrets/signing_ca.asc
           echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}"       >| /dev/shm/cdlb_secrets/signing_key.asc
           echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}"  >| /dev/shm/cdlb_secrets/signing_key_pass.txt
 
@@ -204,17 +207,20 @@ jobs:
           set -euo pipefail
           chmod 0700 ciss_live_builder.sh
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'.
+          chmod 0400 /dev/shm/cdlb_secrets/*
           ./ciss_live_builder.sh \
             --architecture amd64 \
-            --autobuild=6.16.3+deb13-amd64 \
+            --autobuild=6.17.8+deb13-amd64 \
             --build-directory /opt/cdlb \
             --cdi \
+            --change-splash hexagon \
             --control "${timestamp}" \
             --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
             --key_age=keys.txt \
             --key_luks=luks.txt \
             --root-password-file /dev/shm/cdlb_secrets/password.txt \
+            --signing_ca=signing_ca.asc \
             --signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }} \
             --signing_key_pass=signing_key_pass.txt \
             --signing_key=signing_key.asc \
@@ -291,7 +297,7 @@ jobs:
 
           AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
 
-          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}"
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
           --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
 
             echo "✅ New ISO successfully uploaded."

.gitea/workflows/generate_PUBLIC_iso.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.27
+# Version Master V8.13.768.2025.12.06
 
 name: 💙 Generating a PUBLIC Live ISO.
 
@@ -65,6 +65,7 @@ jobs:
             bash \
             bat \
             ca-certificates \
+            cryptsetup \
             curl \
             debootstrap \
             git \
@@ -183,14 +184,14 @@ jobs:
           set -euo pipefail
           chmod 0700 ciss_live_builder.sh
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'.
+          chmod 0400 /dev/shm/cdlb_secrets/*
           ./ciss_live_builder.sh \
             --architecture amd64 \
-            --autobuild=6.16.3+deb13-amd64 \
+            --autobuild=6.17.8+deb13-amd64 \
             --build-directory /opt/cdlb \
-            --cdi \
+            --change-splash hexagon \
             --control "${timestamp}" \
-            --debug \
             --root-password-file /dev/shm/cdlb_secrets/password.txt \
             --ssh-port 42137 \
             --ssh-pubkey /dev/shm/cdlb_secrets \
@@ -264,7 +265,7 @@ jobs:
 
           AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
 
-          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}"
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
           --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
 
             echo "✅ New ISO successfully uploaded."

.gitea/workflows/linter_char_scripts.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.27
+# Version Master V8.13.768.2025.12.06
 
 # Gitea Workflow: Shell-Script Linting
 #

.gitea/workflows/render-dnssec-status.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.27
+# Version Master V8.13.768.2025.12.06
 
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
 

.gitea/workflows/render-dot-to-png.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.27
+# Version Master V8.13.768.2025.12.06
 
 name: 🔁 Render Graphviz Diagrams.
 

.version.properties

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.512.2025.11.27"
+properties_version="V8.13.768.2025.12.06"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

CISS.debian.live.builder.spdx

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.512.2025.11.27
+PackageVersion: Master V8.13.768.2025.12.06
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder

LINTER_RESULTS.txt

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-11-27; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-12-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-11-27T23:55:26Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-12-06T04:39:51Z"
 
 ✅ The last linter check was successful. ✅
 

LIVE_ISO_TRIXIE_0.private

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-11-08; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-12-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-11-08T19:46:24Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-12-06T03:44:29Z"
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_11_08T18_57_19Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_12_06T02_53_28Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  11065e6ed8f99b533352ad86bd5b4cc9b407652e79a34718da6aad46a5f603738553fde6fbcceaa3128bfbbfa4c1674c05552232d4620ea250bc029545600718
+  2bf967b902455fe1f4d3ba1cb0b3c5983c6812181ae95b10ce837c0aaae084207bf15c22add2709c21c45f4262db2a2f787b2c93f3a1c507289c020e70314707
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaQ+eEAAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaTOmnQAKCRA85KY4hzOw
-IcJaAP9FYAzawGRXQqt5mEL3SQy4cSDkc5/r/KDhy+ABdVNMvAEA1ReKZ7qXrESP
+IcItAQDvE6vEkbslGR5BLMVV+DKi2GDnIzIMVs7zROiPsKb3BgEA1Koqx7ccc+H2
-rgP2MsHaXHVBWGJUvFyMf6dUpbjEnA8=
+MmNv12w674dS2xmTZHOViYePe2KWLw0=
-=SkUY
+=I8w2
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_TRIXIE_1.private

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-29; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-12-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-10-29T21:52:45Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-12-06T04:35:36Z"
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_10_29T20_59_34Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_12_06T03_45_41Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  c2b295aa3bd7ccfbe6c83aa27aeeace796251ad93ebfbf999bc6b1ae7c3c881efeeeda5e9235c5f5b7ad022ee465bc61e04c46906c6a7ca79214866ae62e160d
+  fe9481d92cf61554da92ff883a58d9aaa2ae5fe86d9c3dd634a1c3a79e1b6ca5e08693d4f9b0870077fc0bf2f840a3e678d9c9dc44f9b8dae5d474a6d39e16b2
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaQKMrQAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaTOymAAKCRA85KY4hzOw
-ISgMAQDy82Yr4/F3cI/ZzLQJyoFSY2qgPl8d84eJZFhhTFpD3AEAmMBws55fQAzz
+Ic1iAQDVxT891Nv+LHzQs3vL31/1wqeOjiGmZbEJR8XvBoRe4wEAjdmvUpEXyb1Y
-Q9DBRAvRYgMDLmqsog+m3FEH7cXtDAg=
+qhaFcxWDrRgiVKaitGkbNo2w6yICdgY=
-=o+0d
+=TQPs
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

README.md

@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.512.2025.11.27-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.768.2025.12.06-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
  
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)  
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)  
@@ -27,26 +27,67 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.27<br>
+**Build**: V8.13.768.2025.12.06<br>
 
-This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
+**CISS.debian.live.builder — First of its own.**<br>
-and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
+**World-class CIA: Designed, handcrafted and powered by Centurion Intelligence Consulting Agency.**
-cloud deployment or unattended installations via the forthcoming `CISS.debian.installer`. Additionally, automated CI workflows 
+
-based on Gitea Actions are provided, enabling reproducible ISO generation. A generic ISO is automatically built upon significant
+Developed and maintained as a one-man, security-driven engineering effort since 2024, **CISS.debian.live.builder** is designed 
+to serve as a reference implementation for hardened, image-based Debian deployments.
+
+This shell wrapper automates the creation of a Debian Trixie live ISO hardened according to the latest best practices in server
+and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for cloud
+deployment or unattended installations via the forthcoming `CISS.debian.installer`. Additionally, automated CI workflows based
+on Gitea Actions are provided, enabling reproducible ISO generation. A generic ISO is automatically built upon significant
 changes and made publicly available for download. The latest generic ISO is available at:
 **[PUBLIC CISS.debian.live.ISO](/docs/DL_PUB_ISO.md)**
 
-Check out more:
+Beyond a conventional live system, **CISS.debian.live.builder** assembles a **fully encrypted, integrity-protected live medium**
-* [CenturionNet Services](https://coresecret.eu/cnet/) 
+in a single, deterministic build step: a LUKS2 container backed by `dm-integrity` hosting the SquashFS root filesystem, combined
+with a hardened initramfs chain including a dedicated Dropbear build pipeline for remote LUKS unlock. The resulting ISO ships 
+with a hardened kernel configuration, strict sysctl and network tuning, pre-configured SSH hardening and fail2ban, and a 
+customised `verify-checksums` path providing both ISO-edge verification and runtime attestation of the live root. All components
+are aligned with the `CISS.debian.installer` baseline, ensuring a unified cryptographic and security posture from first boot to 
+an installed system. For an overview of the entire build process, see:
+**[MAN_CISS_ISO_BOOT_CHAIN.md](docs/MAN_CISS_ISO_BOOT_CHAIN.md)**
+
+When built with the ``--dhcp-centurion`` profile, the live system ships with a strict network and resolver policy: 
+``systemd-networkd`` and ``systemd-resolved`` are pre-configured to use ``DNS-over-TLS (DoT)`` exclusively against the 
+**CenturionDNS** resolver infrastructure; plain DNS is not used and connectivity failures are treated as hard errors. DNSSEC 
+validation is enforced in a fail-closed manner: zones with invalid or broken signatures result in ``SERVFAIL`` and are not 
+silently downgraded. Multicast name resolution via ``mDNS`` and ``LLMNR`` is disabled globally to avoid unintended name leakage
+and spoofing surfaces.
+
+Internally, the builder employs a dedicated secret-handling pipeline backed by a tmpfs-only secrets directory
+(`/dev/shm/cdlb_secrets`). Sensitive material such as root passwords, SSH keys, and signing keys never appears on the command
+line, is guarded by strict `0400 root:root` permissions, and any symlink inside the secret path is treated as a hard failure
+that aborts the run. Critical code paths temporarily disable Bash xtrace so that credentials never leak into debug logs, and
+transient secret files are shredded (`shred -fzu`) as soon as they are no longer needed. GNUPG homes used for signing are
+wiped, unencrypted chroot artifacts and includes are removed after `lb build`, and the final artifact is reduced to the
+encrypted SquashFS inside the LUKS2 container. At runtime, LUKS passphrases in the live ISO and installer are transported via
+named pipes inside the initramfs instead of process arguments, further minimizing exposure in process listings.
+
+Check out more leading world-class services powered by Centurion Intelligence Consulting Agency:
 * [CenturionDNS Resolver](https://eddns.eu/)
 * [CenturionDNS Blocklist](https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt) 
+* [CenturionMeet](https://talk.e2ee.li/)
+* [CenturionNet Services](https://coresecret.eu/cnet/)
 * [CenturionNet Status](https://uptime.coresecret.eu/) 
-* [CenturionMeet](https://talk.e2ee.li/) 
+
+**Contact the author:**
 * [Contact the author](https://coresecret.eu/contact/)
 
+**Legal Disclaimer:**
+* This project is not affiliated with, authorized, maintained, sponsored, or endorsed by the [Debian Project](https://www.debian.org/) 
+* [Licensing & Compliance](#6-licensing--compliance)
+* [Disclaimer](#7-disclaimer)
+* [Centurion Imprint & Legal Notice](https://coresecret.eu/imprint/)
+* [Centurion Privacy Policy](https://coresecret.eu/privacy/)
+
 ## 1.1. Preliminary Remarks
 
 ### 1.1.1. HSM
+
 Please note that all my signing keys are stored in an HSM and that the signing environment is air-gapped. The next step is to 
 move to a room-gapped environment. ^^
 
@@ -58,57 +99,48 @@ add_header Expect-CT                 "max-age=86400, enforce"
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 ````
 
-* Additionally, the entire zone is dual-signed with **DNSSEC**. See the current **DNSSEC** status at: **[DNSSEC Audit Report](/docs/AUDIT_DNSSEC.md)**
+* The zones behind this project are dual-signed with **DNSSEC**. The current validation state is documented in the **[DNSSEC Audit Report](/docs/AUDIT_DNSSEC.md)**
-* A comprehensive TLS audit of the **`git.coresecret.dev`** Gitea server is also available. See: **[TLS Audit Report](/docs/AUDIT_TLS.md)**
+* The TLS surface of **``git.coresecret.dev``** is independently audited, and the findings are held in the **[TLS Audit Report](/docs/AUDIT_TLS.md)**
-* The infrastructure of the **`CISS.debian.live.builder`** building system is visualized here. See: **[Centurion Net](/docs/CNET.md)**
+* The topology of the underlying **`CISS.debian.live.builder`** building infrastructure is described in **[Centurion Net](/docs/CNET.md)**
 
 ### 1.1.3. Gitea Action Runner Hardening
 
-The CI runners operate on a dedicated host system located in a completely separate Autonomous System (AS). This host is solely 
+The CI runners live on a host in a separate autonomous system, and that host has exactly one purpose: run Gitea Actions runners. 
-dedicated to providing CI runners and does not perform any other tasks. Each runner is hermetically isolated from others using 
+Each runner receives its own service account without a login shell, is bound to a separate directory tree, and inherits a 
-non-privileged, shell-less user accounts with no direct login capability. Additionally, each runner executes within its own 
+hardened systemd unit with ``DynamicUser``, reduced capabilities, and restrictive sandboxing. A ``systemd-analyze security`` score 
-separate directory tree, employs `DynamicUser` features, and adheres to strict systemd hardening policies (achieving a ``systemd-analyze security`` 
+of around **``2.6``** is the baseline, not an aspiration. Traffic from those runners traverses both a software firewall (UFW) 
-rating of **``2.6``**). Docker containers used by runners do not run in privileged mode. Security is further enhanced through the use 
+and dedicated hardware firewall appliances. Docker, where used, runs unprivileged.
-of both UFW software firewalls and dedicated hardware firewall appliances.
 
 ## 1.2. Match Host and Target Versions
 
-Build, for example, a Debian Trixie live image only on a Debian Trixie host. The build toolchain and boot artifacts are 
+I always build a Debian Trixie live image on a Debian Trixie host. The toolchain and all boot components that matter to 
-release-specific: ``live-build``, ``live-boot``, ``live-config``, ``debootstrap``, ``kernel/initramfs`` tools, ``mksquashfs``, 
+reproducibility are release-specific: ``live-build``, ``live-boot``, ``live-config``, ``debootstrap``, ``mksquashfs``, ``grub``, 
-``GRUB/ISOLINUX``, and even ``dpkg/apt`` often change defaults and formats between releases (e.g., compression modes, SquashFS 
+the ``kernel``, ``initramfs`` tooling, and even ``dpkg`` and ``apt`` defaults evolve from one release to the next. Mixing 
-options, hook ordering, systemd/udev behavior). Building on a different host release commonly yields non-reproducible or even 
+generations produces fragile or outright broken ISOs, sometimes subtly, sometimes catastrophically. Keeping host and target in 
-unbootable ISOs (missing modules/firmware, ABI mismatches, divergent paths). Keeping host and target on the same version ensures
+lockstep avoids those mismatches and gives me predictable artifacts across builds.
-reproducible builds, matching dependencies, and compatible boot artifacts.
 
-## 1.3. Immutable Source-of-Truth System
+## 1.3. Immutable Source-of-Truth System and Encrypted Live Root
 
-This live ISO establishes a secure, fully deterministic, integrity self-verifying boot environment based entirely on static
+The live ISO acts as a sealed, immutable execution environment. All relevant configuration, all installation logic, and all 
-source-code definitions. All configurations, system components, and installation routines are embedded during build time and 
+security decisions are rendered into the image at build time and treated as read-only at runtime. On top of that logical 
-locked for runtime immutability. This ensures that the live environment functions as a trusted **Source of Truth** — not only 
+ immutability, I now layer cryptographic protection of the live root file system itself. The live image contains a LUKS2 container
-for boot-time operations, but for deploying entire systems in a secure and reproducible way.<br>
+file with dm-integrity that wraps the SquashFS payload. The initramfs knows how to locate this container, unlock it, verify its 
+integrity, and then present the decrypted SquashFS as the root component of an OverlayFS stack. The detailed boot and 
+verification chain is documented separately in **[CISS ISO Boot Chain](docs/MAN_CISS_ISO_BOOT_CHAIN.md)**<br>
 
-Once booted, the environment optionally launches a fully scripted installer, via the forthcoming `CISS.debian.installer`,
+In compact form, my expectations for the system are:<br>
-yet to deploy, that provisions the target system (the hardware the DVD is running on). The installer pulls no external 
-dependencies besides of the necessary Debian debootstrap and Debian Packages and never exposes the target system in a not 
-secure manner to the internet during installation. It operates strictly from within the verified image content, providing fully 
-secured provisioning. Combined with checksum verification, **activated by default**, at boot and strict firewall defaults, this 
-architecture guarantees that what is executed has not been tampered with and corresponds exactly to the intended source definition.<br>
 
-An even more secure deployment variant — an unattended and headless version — can be built without any active network interface
+* Every bit that matters for boot and provisioning is covered by checksums that I control and that are signed with keys under my solely authoritative HSM.
-or shell-access, also via the forthcoming `CISS.debian.installer`. Such a version performs all verification steps autonomously, 
+* The live root runs out of a LUKS2 dm-integrity container so that a tampered or bit-rotted SquashFS never becomes a trusted root.
-provisions the target device from embedded source artifacts, and reboots into a fully encrypted system image. The system then 
+* Verification steps are not advisory. Any anomaly causes a hard abort during boot.
-awaits the decryption passphrase input via an embedded Dropbear SSH server (SSH PubKey only) in the initramfs, exposing no ports
+* After the live environment has reached a stable, verified state, it can hand off to ``CISS.debian.installer``. The installer operates from the same image, does not pull random payloads from the internet, and keeps the target system behind a hardened firewall until the entire provisioning process has completed.
-without cryptographic hardened access, while also the `/boot` partition could be encrypted via the built-in support of 
+* For unattended, headless scenarios I also support builds where the target system is installed without ever exposing a shell over the console. After installation and reboot, the machine waits for a decryption passphrase via an embedded Dropbear SSH instance in the initramfs, limited to public key authentication and guarded by strict cryptographic policies. In such variants even ``/boot`` can be encrypted, with GRUB taking care of unlocking the boot partition.
-`grub2 (2.12-9)`.<br>
 
-This approach provides a fully reproducible, audit-friendly, and tamper-resistant provisioning workflow rooted entirely in 
+These combinations give me a provisioning chain that is auditable, reproducible, and robust against both casual and targeted tampering.<br>
-source-defined infrastructure logic.<br>
 
-After build and configuration, the following audit reports can be generated:
+Once the system is up, I can trigger a set of audits from within the live environment:
 
-* **Haveged Audit Report**: Validates entropy daemon health and confirms `/dev/random` seeding performance.
+* **Lynis Audit Report**: Outputs a detailed security score and recommendations, confirming a 93%+ hardening baseline.
-  Type `chkhvg` at the prompt. See example report: **[Haveged Audit Report](/docs/AUDIT_HAVEGED.md)**
-* **Lynis Audit Report**: Outputs a detailed security score and recommendations, confirming a 91%+ hardening baseline.
   Type `lsadt` at the prompt. See example report: **[Lynis Audit Report](/docs/AUDIT_LYNIS.md)**
 * **SSH Audit Report**: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations.
   Type `ssh-audit <IP>:<PORT>`. See example report: **[SSH Audit Report](/docs/AUDIT_SSH.md)**
@@ -117,42 +149,33 @@ After build and configuration, the following audit reports can be generated:
 
 ![CISS.debian.live.builder](/docs/screenshots/CISS.debian.live.builder_preview.jpeg)
 
-## 1.5. Caution. Significant information for those considering using D-I.
+## 1.5. Caution. Debian Installer and Security Context
-
 **The Debian Installer (d-i) will ALWAYS boot a new system.**<br>
 
-Regardless of whether you start it:
+The classical Debian Installer (d-i) always boots its own kernel and its own initramfs. That effect is independent of the way it
-* via the boot menu of your Live ISO (grub, isolinux) like **CISS.debian.live.builder**,
+is launched: 
-* via kexec in the running system,
-* via the debian-installer-launcher package,
-* or even via a graphical installer shortcut.
 
-The following happens in all cases:
+* from a GRUB entry on the live medium, 
-* The installer kernel (/install/vmlinuz) + initrd.gz are started.
+* from within a running live session via a graphical shortcut, 
-* The existing live system is exited.
+* through kexec, 
-* The memory is overwritten.
+* or via helper packages such as debian-installer-launcher.
-* All running processes - e.g., firewall, hardened SSH access, etc. pp. - cease to exist.
 
-The Debian Installer loads:
+In all of these cases the running live system is discarded. The memory contents of the hardened live environment vanish, the 
-* its own kernel,
+firewall disappears, the hardened SSH daemon is terminated, and the hardened kernel is replaced by the installer kernel. The 
-* its own initramfs,
+installer brings its own minimal root file system, usually BusyBox plus a limited set of udeb packages, and it does not 
-* its own minimal root filesystem (BusyBox + udeb packages),
+implement my firewall, my AppArmor profiles, my logging configuration, or my remote access policies, unless I explicitly 
-* no SSH access (unless explicitly enabled via preseed)
+reintroduce those elements via preseed.
-* no firewall, AppArmor, logging, etc. pp.,
-* it disables all running network services, even if you were previously in the live system.
 
-This means function status of the **CISS.2025.debian.live.builder** ISO after d-i start:
+In that phase the security properties are therefore those of d-i, not those of CISS.debian.live.builder. This is not a defect in
-* ufw, iptables, nftables ✘ disabled, not loaded,
+Debian, it is a property of how any installer that boots its own kernel behaves. It is important to keep this distinction in 
-* sshd with hardening ✘ stopped (processes gone),
+mind when deciding whether a workflow must stay inside the hardened live context or may trade that environment for the standard 
-* the running kernel ✘ replaced,
+installer toolchain.
-* Logging (rsyslog, journald) ✘ not active,
-* preseed control over the network is possible (but without any protection).
 
 ## 1.6. Versioning Schema
 
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
 
-Example: `V8.13.512.2025.11.27`
+Example: `V8.13.768.2025.12.06`
 
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
 
@@ -168,74 +191,76 @@ and only when, they appear in all capitals, as shown here.
 
 # 2. Features & Rationale
 
-Below is a breakdown of each hardening component, with a summary of why each is critical to your security posture.
+Below I walk through the major hardening components, with a focus on why I implemented them the way I did and how they interact.
+I treat this builder as a reference implementation for my own infrastructure; **it is not a toy**.
 
 ## 2.1. Kernel Hardening
 
-### 2.1.1. Boot Parameters
+### 2.1.1. Unified Hardened Boot Parameters
 
-* **Description**: Customizes kernel command-line flags to disable unused features and enable mitigations.
+Both the ``CISS.debian.live.builder`` LIVE ISO and the ``CISS.debian.installer`` rely on the same kernel command line. I consider
-* **Key Parameters**:
+a diverging kernel baseline between installer and live system operationally dangerous, because it leads to two distinct sets of 
-  * `audit_backlog_limit=8192`: Ensures the audit subsystem can queue up to 8192 events to avoid dropped logs under heavy loads.
+expectations about mitigations and attack surface. The boot parameters I apply are:
-  * `audit=1`: Enables kernel auditing from boot to record system calls and security events.
+
-  * `cfi=kcfi`: Activates kernel control-flow integrity using kCFI to protect against control-flow hijacking.
+````bash
-  * `debugfs=off`: Disables debugfs to prevent non-privileged access to kernel internals.
+apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off \
-  * `efi=disable_early_pci_dma`: Stops early PCI DMA under EFI to mitigate DMA-based attacks during boot.
+efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 \
-  * `efi_no_storage_paranoia`: Disables extra EFI storage checks to streamline boot without compromising expected storage integrity.
+init_on_alloc=1 init_on_free=1 \
-  * `hardened_usercopy=1`: Enables stringent checks on copy operations between user and kernel space to prevent buffer overflows.
+iommu.passthrough=0 iommu.strict=1 iommu=force \
-  * `ia32_emulation=0`: Turns off 32-bit compatibility modes to reduce attack surface on 64-bit hosts.
+kfence.sample_interval=100 kvm.nx_huge_pages=force \
-  * `init_on_alloc=1`: Zeroes memory on allocation to prevent leakage of previous data.
+l1d_flush=on lockdown=integrity loglevel=0 \
-  * `init_on_free=1`: Initializes memory on free to catch use-after-free bugs.
+mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force \
-  * `iommu=force`: Enforces IOMMU for all devices to isolate DMA-capable hardware.
+oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on \
-  * `kfence.sample_interval=100`: Configures the kernel fence memory safety tool to sample every 100 allocations.
+random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on \
-  * `kvm.nx_huge_pages=force`: Enforces non-executable huge pages in KVM to mitigate code injection.
+retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none
-  * `l1d_flush=on`: Flushes L1 data cache on context switch to mitigate L1D vulnerabilities.
+````
-  * `lockdown=confidentiality`: Puts the kernel in confidentiality lockdown to restrict direct hardware access.
+
-  * `loglevel=0`: Suppresses non-critical kernel messages to reduce information leakage.
+The parameters fall into several categories.
-  * `mce=0`: Disables machine check exceptions to prevent side-channel data leaks from hardware error reporting.
+
-  * `mitigations=auto,nosmt`: Enables all automatic CPU mitigations and disables SMT to reduce side-channel risks.
+* The AppArmor-related flags ``apparmor=1``, ``security=apparmor`` guarantee that AppArmor is not an afterthought but an integral part of the security architecture from the first instruction. I do not accept a boot sequence that comes up without LSM enforcement and then attempts to enable it later.
-  * `mmio_stale_data=full,nosmt`: Ensures stale MMIO data is fully flushed and disables SMT for added protection.
+* The audit subsystem is configured to be always on ``audit=1`` and to tolerate heavy bursts without dropping events ``audit_backlog_limit=262144``. I treat the audit trail as an evidentiary artifact; truncation because of backlog limits is not acceptable in that model.
-  * `oops=panic`: Forces a kernel oops to trigger a panic, preventing the system from running in an inconsistent state.
+* The debug surface of the kernel is reduced aggressively. ``debugfs=off`` avoids a traditional footgun that exposes kernel internals in a way that is friendly to attackers and rarely necessary in production.
-  * `page_alloc.shuffle=1`: Randomizes physical page allocation to hinder memory layout prediction attacks.
+* Memory is hardened on several levels at allocation time and at free time. ``init_on_alloc=1`` and ``init_on_free=1`` provide deterministic zeroing, ``page_poison=1`` fills freed pages with a poison pattern, and ``page_alloc.shuffle=1`` shuffles the allocator so that a process can no longer rely on stable physical patterns. Together these measures raise the cost of use-after-free exploitation and other memory corruption attacks.
-  * `page_poison=1`: Fills freed pages with a poison pattern to detect use-after-free.
+* The IOMMU is not optional. I force it on ``iommu=force``, disable passthrough ``iommu.passthrough=0`` and require strict behavior ``iommu.strict=``1. Any environment that contains devices capable of DMA must have a correctly configured IOMMU, otherwise the trust model for the CPU and for the memory hierarchy collapses as soon as a hostile device is introduced.
-  * `panic=-1`: Disables automatic reboot on panic to preserve the system state for forensic analysis.
+* ``kfence.sample_interval=100`` activates KFENCE with a sampling interval that is still usable in production but sensitive enough to catch a meaningful subset of memory safety bugs under real workloads.
-  * `pti=on`: Enables page table isolation to mitigate Meltdown attacks.
+* Virtualization-specific knobs include ``kvm.nx_huge_pages=force``, to keep huge pages non-executable, and ``l1d_flush=on`` so that context switches flush the L1 data cache where needed.
-  * `random.trust_bootloader=off`: Prevents trusting entropy provided by the bootloader.
+* ``lockdown=integrity`` places the kernel into lockdown mode with an emphasis on integrity. In this project I consider the integrity of the system more critical than the ability to introspect a running kernel from userspace.
-  * `random.trust_cpu=off`: Disables trusting CPU-provided randomness, enforcing external entropy sources.
+* Speculative execution and microarchitectural issues are covered by ``mitigations=auto,nosmt``,`` mmio_stale_data=full,force``, and ``retbleed=auto,nosmt``. I combine the automatic mitigation set provided by the kernel with a forced Single Thread mode where it is required because simultaneous multithreading is simply not worth the residual risk profile in many server contexts.
-  * `randomize_kstack_offset=on`: Randomizes the kernel stack offset on each syscall entry to harden against stack probing.
+* ``nosmt=force`` acts as a guardrail here. It prevents a misconfiguration from quietly re-enabling SMT while the system operator assumes it is disabled.
-  * `randomize_va_space=2`: Enables full address space layout randomization (ASLR) for user space.
+* Fault handling is configured through ``oops=panic`` and ``panic=0``. An oops triggers a panic so that I do not continue to run a kernel in an undefined state. At the same time I instruct the system not to reboot automatically on panic, to preserve the state for post-mortem analysis rather than cutting the ground away under a debugging session.
-  * `retbleed=auto,nosmt`: Enables automatic RETBLEED mitigations and disables SMT for better side-channel resistance.
+* ``pti=on``, ``rodata=on``, and ``slab_nomerge`` are classical hardening parameters that I still consider essential. Page-table isolation, read-only data segments, and prohibiting slab merging collectively prevent a wide range of exploits, especially under pressure from speculative execution attacks.
-  * `rodata=on`: Marks kernel read-only data sections to prevent runtime modification.
+* To avoid brittle side assumptions, I remove legacy or obsolete interfaces: ``vdso32=0`` and ``vsyscall=none`` shut down the remaining vestiges of 32-bit vDSO and vsyscall support on 64-bit systems. ``ia32_emulation=0`` it again narrows the attack surface by disabling full 32-bit compatibility on 64-bit kernels.
-  * `tsx=off`: Disables Intel TSX extensions to eliminate related speculative execution vulnerabilities.
+* Finally, I do not trust entropy claims either from the bootloader or the CPU itself. I opt out of both with ``random.trust_bootloader=off`` and ``random.trust_cpu=off`` and rely on my own entropy strategy described later.
-  * `vdso32=0`: Disables 32-bit vDSO to prevent unintended cross-mode calls.
+
-  * `vsyscall=none`: Disables legacy vsyscall support to close a potential attack vector.
+All of these parameters are applied in exactly the same way for the live ISO and for the installer environment. That is a 
-* **Rationale**: Ensures early activation of protections, reducing exposure to CPU vulnerabilities before the system fully boots.
+deliberate design decision.
 
 ### 2.1.2. CPU Vulnerability Mitigations
 
-* **Description**: Enables all known kernel-level mitigations (Spectre, Meltdown, MDS, L1TF, etc.).
+I build the kernels with the relevant mitigations for Spectre, Meltdown, L1TF, MDS, TAA, Retbleed, and related families activated. 
-* **Rationale**: Prevents side-channel attacks that exploit speculative execution, which remain a high-risk vector in
+The ``mitigations=auto,nosmt`` flag ensures that new mitigations integrated into the mainline kernel become effective as they 
-  multi-tenant cloud environments.
+are added, instead of requiring that I micromanage every single toggle. The residual performance cost is acceptable in the 
+context I am targeting; stale mitigations can be revisited, but missing mitigations will not be.
 
 ### 2.1.3. Kernel Self-Protection
 
-* **Description**: Activates `CONFIG_DEBUG_RODATA`, `CONFIG_STRICT_MODULE_RWX`, and other self-protections.
+I enable the standard set of self-protection options, such as strict module page permissions, read-only data enforcement, and 
-* **Rationale**: Hardens kernel memory regions against unauthorized writings and enforces stricter module loading policies.
+restrictions around kprobes and BPF. The builder is not a kernel configuration tool, but it carries the expectation that the 
+kernels it runs with are compiled according to this hardening profile. I treat deviations from that profile as unsupported.
 
 ### 2.1.4. Local Kernel Hardening
 
-* **Description**: The wrapper `sysp()`provides a function to apply and audit local kernel hardening rules from `/etc/sysctl.d/99_local.hardened`:
+The wrapper `sysp()`provides a function to apply and audit local kernel hardening rules from `/etc/sysctl.d/90-ciss-local.hardened`:
 ````bash
-###########################################################################################
+#######################################
-# Globals: Wrapper for loading CISS.2025 hardened Kernel Parameters
+# Wrapper for loading CISS hardened Kernel Parameters.
 # Arguments:
-#  none
+#   None
-###########################################################################################
+#######################################
-# shellcheck disable=SC2317
 sysp() {
-  sysctl -p /etc/sysctl.d/99_local.hardened
+  sysctl -p /etc/sysctl.d/90-ciss-local.hardened
-  # sleep 1
+  # shellcheck disable=SC2312
-  sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
+  sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
 }
 ````
 * **Key measures loaded by this file include:**
@@ -251,16 +276,36 @@ Once applied, some hardening settings cannot be undone via `sysctl` without a re
 until the next boot. Automatic enforcement at startup is therefore omitted by design—run `sysp()` manually and plan a reboot to 
 apply or revert these controls.
 
+In case you provide the ``--cdi`` option to the installer, the ``sysp()`` function is automatically applied at the boot process via:
+[9999_cdi_starter.sh](scripts/usr/local/sbin/9999_cdi_starter.sh).
+
+For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-ciss-local.hardened.md)**
+
 ## 2.2. Module Blacklisting
 
 * **Description**: Disables and blacklists non-essential or insecure kernel modules.
 * **Rationale**: Minimizes attack surface by preventing loads of drivers or modules not required by the live environment.
 
+For further details see: **[30-ciss-hardening.conf.md](docs/documentation/30-ciss-hardening.conf.md)**
+
 ## 2.3. Network Hardening
 
-* **Description**: Applies `sysctl` settings (e.g., `net.ipv4.conf.all.rp_filter=1`, `arp_ignore`, `arp_announce`) to restrict
+At the kernel level classical ``sysctl`` settings are applied that defend against spoofing and sloppy network behavior. Reverse path 
-  inbound/outbound traffic behaviors.
+filtering is enabled, ARP handling is pinned down, and loose binding of addresses is discouraged. Where appropriate, IPv6 
-* **Rationale**: Mitigates ARP spoofing, IP spoofing, and reduces the risk of man-in-the-middle on internal networks.
+receives the same level of attention as IPv4. The network stack is switched firmly to ``systemd-networkd`` and ``systemd-resolved``. 
+The hook [0000_basic_chroot_setup.chroot](config/hooks/live/0000_basic_chroot_setup.chroot) removes ``ifupdown``, wires up 
+``systemd-networkd`` and ``systemd-resolved`` via explicit WantedBy symlinks, and ensures that the stub resolver at ``127.0.0.53``
+is the canonical ``resolv.conf`` target. The same hook writes dedicated configuration snippets:
+
+``/etc/systemd/resolved.conf.d/10-ciss-dnssec.conf`` enforces opportunistic ``DNS-over-TLS`` and full ``DNSSEC`` validation 
+while disabling ``LLMNR`` and ``MulticastDNS``.
+
+This converges the system on a single, hardened DNS resolution path and avoids the common situation where multiple name 
+resolution mechanisms step on each other. Where desired, this resolution chain can be plugged into **CenturionDNS**, a resolver
+infrastructure that I control and that enforces DNSSEC validation, QNAME minimisation, and a curated blocklist. For sensitive 
+deployments, this stack is used as the default.
+
+For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-ciss-local.hardened.md)**
 
 ## 2.4. Core Dump & Kernel Hardening
 
@@ -424,9 +469,12 @@ predictable script behavior.
 
 # 4. Prerequisites
 
-* **Host**: Debian Trixie with `live-build` and ``debootstrap`` packages installed.
+To use **``CISS.debian.live.builder``** as intended, the following baseline is expected:<br>
-* **Privileges**: Root or sudo access to execute `ciss_live_builder.sh` and related scripts.
+
-* **Network**: Outbound access to Debian repositories and PTB NTPsec pool.
+* The build host runs Debian 13 Trixie, fully updated. Building a Trixie image on an older or newer release is technically possible but explicitly not supported.
+* The host has the standard live-build stack installed ``live-build``, ``live-boot``, ``live-config``, ``debootstrap`` and the cryptographic tooling required for ``LUKS2``, ``dm-integrity``, ``cryptsetup``, ``gpg``.
+* Disk space must be sufficient to hold the chroot, the temporary build artifacts, and the final ISO with encrypted root. For comfortable work I assume around 30–40 gigabytes of free space.
+* The user running the builder has root privileges and understands that the script is capable of creating, mounting, and manipulating block devices.
 
 # 5. Installation & Usage
 
@@ -589,13 +637,22 @@ preview it or run it.
 
 # 6. Licensing & Compliance
 
-This repository is fully SPDX-compliant. All source files include appropriate SPDX license identifiers and headers to ensure
+Unless stated otherwise in individual files via SPDX headers, this project is licensed under the European Union Public License (EUPL 1.2).
-clear and unambiguous licensing. You can verify compliance by reviewing the top of each file, which follows the SPDX
+That license is OSI-approved and compatible with internal use in both public sector and private environments. Several files carry
-standard for license expressions and metadata.
+dual or multi-license statements, for example **``LicenseRef-CNCL-1.1``** and / or **``LicenseRef-CCLA-1.1``**, where I offer a 
+non-commercial license for community use and a commercial license for professional integration. The SPDX headers in each file 
+are authoritative. If you plan to integrate **``CISS.debian.live.builder``** into a commercial product or a managed service 
+offering, you should treat these license markers as binding and reach out for a proper agreement where required.
 
 # 7. Disclaimer
 
-This README is provided "as-is" without any warranty. Review your organization's policies before deploying to production.
+This repository is designed for well-experienced administrators and security professionals who are comfortable with low-level 
+Linux tooling, cryptography, and automation. It can and will create, format, and encrypt devices. It is entirely possible to 
+destroy data if you use it carelessly. I publish this work in good faith and with a strong focus on correctness and robustness. 
+Nevertheless, there is no warranty of any kind. You are responsible for understanding what you are doing, for validating your 
+own threat model, and for ensuring that this tool fits your regulatory and operational environment. If you treat the builder, and 
+the resulting images with the same discipline with which they were created, you will obtain a hardened, reproducible, and 
+auditable base for serious systems. If you treat them casually, they will not save you from yourself.
 
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**

REPOSITORY.md

@@ -8,15 +8,15 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.27<br>
+**Build**: V8.13.768.2025.12.06<br>
 
-# 2.1. Repository Structure
+# 2. Repository Structure
 
 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **8.13**, Build **V8.13.512.2025.11.27** (as of 2025-10-11)
+**Repository State:** Master Version **8.13**, Build **V8.13.768.2025.12.06** (as of 2025-10-11)
 
-## 2.2. Top-Level Layout
+## 3.1. Top-Level Layout
 
 ````text
 CISS.debian.live.builder/
@@ -59,15 +59,15 @@ CISS.debian.live.builder/
 
 > **Note:** The ISO marker files (`LIVE_ISO.*`) are produced by CI workflows for convenient retrieval of generated images.
 
-## 2.3. Directory Semantics
+## 3.2. Directory Semantics
 
-### 2.3.1. `.gitea/` — CI/CD Orchestration
+### 3.2.1. `.gitea/` — CI/CD Orchestration
 - **`workflows/`**: Declarative Gitea Actions to lint shell scripts, render Graphviz/DNSSEC status, and generate **PUBLIC**/**PRIVATE (TRIXIE)** ISOs reproducibly.
 - **`trigger/`**: Manual/auxiliary trigger manifests (`t_generate_PUBLIC.yaml`, `t_generate_PRIVATE_trixie_{0,1}.yaml`, `t_generate_dns.yaml`) to drive pipeline variants.
 - **`ISSUE_TEMPLATE/`**: Issue and pull request templates to standardize change management.
 - **`properties/`** and **`TODO/`**: Auxiliary config fragments (JSON/Lua) and maintenance utilities (e.g., `render-md-to-html.yaml`).
 
-### 2.3.2. `config/` — Live-Build Configuration
+### 3.2.2. `config/` — Live-Build Configuration
 - **`bootloaders/`**: Boot assets for GRUB in EFI and PC modes, incl. a branded splash image.
 - **`hooks/live/`**: **Ordered** `*.chroot` hooks implementing system configuration and hardening during image creation; the numeric prefixes dictate execution (e.g., `0000_basic_chroot_setup.chroot`, `0810_chrony_setup.chroot`, `0900_ufw_setup.chroot`, `9930_hardening_ssh.chroot`, `9950_hardening_fail2ban.chroot`).
 - **`includes.binary/boot/grub/`**: Static GRUB configuration embedded in the binary image (`config.cfg`).
@@ -77,40 +77,40 @@ CISS.debian.live.builder/
   - `root/` (administrator dotfiles and keys).
 - **`package-lists/`**: Architecture-specific and common package manifests (`amd64`, `arm64`, `common`) used by `live-build`.
 
-### 2.3.3. `docs/` — Documentation Corpus
+### 3.2.3. `docs/` — Documentation Corpus
 Audit reports (DNSSEC, Lynis, SSH, TLS, Haveged), **BOOTPARAMS**, **CHANGELOG**, **CODING_CONVENTION**, **CONTRIBUTING**, **REFERENCES**; plus `SECURITY/`, `LICENSES/`, architecture diagrams under `graphviz/`, and illustrative `screenshots/`.
 
-### 2.3.4. `lib/` — Shell Library Modules
+### 3.2.4. `lib/` — Shell Library Modules
 Composable, single-purpose modules used by the wrapper and CI steps (argument parsing and validation, kernel/CPU mitigation checks, provider support, `lb config/build` scaffolding, usage/version banners, sanitization and traps, SSH/root-password hardening, ultra-hardening profile, etc.).
 
-### 2.3.5. `scripts/` — Operational Helpers
+### 3.2.5. `scripts/` — Operational Helpers
 Ancillary scripts for DHCP supersedes, resolver bootstrapping, and live-boot verification; targeted paths such as `scripts/etc/network/` and `scripts/live-boot/` encapsulate deploy-time adjustments and integrity checks.
 
-### 2.3.6. `var/` — Variables & Defaults
+### 3.2.6. `var/` — Variables & Defaults
 Layered variable sets (`early.var.sh`, `global.var.sh`, `bash.var.sh`, `color.var.sh`) providing early-boot defaults, global tuning, and TTY/UI niceties.
 
-## 2.4. Key Files
+## 3.3. Key Files
 
 - **`ciss_live_builder.sh`** — Primary entrypoint; orchestrates argument parsing, environment preparation, `lb config`/`lb build` execution and post-processing.
 - **`makefile`** & **`config.mk.sample`** — Make-based convenience wrapper and a sample configuration surface.
 - **`README.md`, `SECURITY.md`, `LICENSE`, `CISS.debian.live.builder.spdx`** — Project overview, security policy, licensing, and SPDX manifest for compliance.
 - **ISO markers**: `LIVE_ISO.public`, `LIVE_ISO_TRIXIE_{0,1}.private` reflect CI pipeline outputs.
 
-## 2.5. Conventions & Build Logic
+## 3.4. Conventions & Build Logic
 
 - **Hook Ordering**: Numeric prefixes (`0000_…` → `99xx_…`) strictly determine execution sequencing within `config/hooks/live/`. Early hooks establish base state (initramfs modules, checksums), mid-range hooks integrate security services (AppArmor, Chrony/NTPsec, Lynis, UFW, Fail2Ban, SSH auditing), late hooks enforce hardening and cleanup (SSH tightening, memory-dump policies, service disablement).
 - **Binary vs. Chroot Includes**: Assets under `includes.binary/` affect the ISO’s bootloader stage; `includes.chroot/` become part of the runtime filesystem.
 - **Architecture Scoping**: Package lists are split into `*amd64*`, `*arm64*`, and `*common*` to keep images minimal and deterministic.
 - **CI/CD**: Reproducible ISO builds are executed via Gitea workflows; dedicated `trigger/` manifests parameterize public vs. private images and auxiliary rendering jobs (e.g., DNSSEC status, Graphviz diagrams).
 
-## 2.6. Cross-References (Documentation)
+## 3.5. Cross-References (Documentation)
 
 - **Boot Parameters**: see `docs/BOOTPARAMS.md`.
 - **Audits**: `docs/AUDIT_*.md` (DNSSEC, Lynis, SSH, TLS, Haveged).
 - **Coding & Contribution**: `docs/CODING_CONVENTION.md`, `docs/CONTRIBUTING.md`.
 - **Change Log & References**: `docs/CHANGELOG.md`, `docs/REFERENCES.md`.
 
-## 2.7. Licensing & Compliance
+## 3.6. Licensing & Compliance
 
 The repository is **SPDX-compliant**; source files carry SPDX identifiers. See `CISS.debian.live.builder.spdx` and `LICENSE` for details.
 

config/hooks/live/0000_basic_chroot_setup.chroot

@@ -236,13 +236,54 @@ rm -f /etc/cron.daily/apt-show-versions || true
 [[ -e /usr/lib/live/boot/0030-verify-checksums ]] && rm -f /usr/lib/live/boot/0030-verify-checksums
 
 ### Ensure proper 0755 rights for CISS initramfs scripts  ----------------------------------------------------------------------
-[[ -x /etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh ]] \
+find /usr/lib/live/boot -type f -exec chmod 0755 {} +
-  && chmod 0755 /etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh
+
-[[ -x /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh ]] \
+[[ -e /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh ]] \
   && chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
-[[ -x /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh ]] \
+
+[[ -e /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh ]] \
   && chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
 
+### Ensure proper systemd directories exist ------------------------------------------------------------------------------------
+mkdir -p /etc/systemd/resolved.conf.d
+mkdir -p /etc/systemd/system
+mkdir -p /etc/systemd/system/multi-user.target.wants
+mkdir -p /etc/systemd/system/sockets.target.wants
+
+### Enable clean systemd-networkd stack ----------------------------------------------------------------------------------------
+apt-get -y purge ifupdown || true
+
+ln -sf /lib/systemd/system/systemd-networkd.service /etc/systemd/system/multi-user.target.wants/systemd-networkd.service
+
+ln -sf /lib/systemd/system/systemd-resolved.service /etc/systemd/system/multi-user.target.wants/systemd-resolved.service
+
+ln -sf /lib/systemd/system/systemd-resolved.socket  /etc/systemd/system/sockets.target.wants/systemd-resolved.socket
+
+cat << EOF >| /etc/systemd/system/ciss-fix-resolvconf.service
+[Unit]
+Description=Force systemd-resolved stub resolv.conf
+After=network-online.target
+Before=apt-daily.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/rm -f /etc/resolv.conf
+ExecStart=/usr/bin/ln -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+ln -sf /etc/systemd/system/ciss-fix-resolvconf.service /etc/systemd/system/multi-user.target.wants/ciss-fix-resolvconf.service
+
+cat << EOF >| /etc/systemd/resolved.conf.d/10-ciss-dnssec.conf
+[Resolve]
+DNSOverTLS=opportunistic
+DNSSEC=yes
+LLMNR=no
+MulticastDNS=no
+EOF
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0

config/hooks/live/0822_ssh_restart_hook.chroot

@@ -13,36 +13,17 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
-cd /root
+mkdir -p /etc/systemd/system/ssh.service.d
-declare target_script="/etc/cron.d/restart-ssh"
 
-cat << 'EOF' >| "${target_script}"
+cat << EOF >| /etc/systemd/system/ssh.service.d/10-ciss-network.conf
-@reboot root /usr/local/bin/restart-ssh.sh
+[Unit]
+After=network-online.target ufw.service fail2ban.service
+Wants=network-online.target
+
+[Service]
+ExecStartPre=/bin/sleep 5
 EOF
 
-chmod 0444 "${target_script}"
-
-cat << 'EOF' >| /usr/local/bin/restart-ssh.sh
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-# Script to restart SSH at boot
-systemctl stop ssh
-sleep 5
-systemctl start ssh
-EOF
-
-chmod +x /usr/local/bin/restart-ssh.sh
-
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0

config/hooks/live/0900_ufw_setup.chroot

@@ -41,6 +41,7 @@ if [[ ${UFW_OUT_POLICY,,} == "deny"  ]]; then
   ufw allow out  443/tcp comment 'Outgoing HTTPS'
   ufw allow out  465/tcp comment 'Outgoing SMTPS'
   ufw allow out  587/tcp comment 'Outgoing SMTPS'
+  ufw allow out  853/tcp comment 'Outgoing DoT'
   ufw allow out  993/tcp comment 'Outgoing IMAPS'
   ufw allow out 4460/tcp comment 'Outgoing NTS'
   ufw allow out "${SSHPORT}"/tcp comment 'Outgoing SSH (Custom-Port)'

config/hooks/live/9930_hardening_ssh.chroot

@@ -44,8 +44,11 @@ chmod 0600 /etc/ssh/ssh_host_*_key
 chown root:root /etc/ssh/ssh_host_*_key
 chmod 0644 /etc/ssh/ssh_host_*_key.pub
 chown root:root /etc/ssh/ssh_host_*_key.pub
-chmod 0440 /etc/ssh/*sha256sum.txt
+
-chown root:root /etc/ssh/*sha256sum.txt
+if compgen -G "/etc/ssh/*sha256sum.txt" > /dev/null; then
+  chmod 0440 /etc/ssh/*sha256sum.txt
+  chown root:root /etc/ssh/*sha256sum.txt
+fi
 
 awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
 rm -rf /etc/ssh/moduli

config/hooks/live/9935_hardening_ssl.chroot

@@ -0,0 +1,454 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-12-03; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+mkdir -p /root/.ciss/cdlb/backup/etc/ssl
+
+mv /etc/ssl/openssl.cnf /root/.ciss/cdlb/backup/etc/ssl/openssl.cnf.bak
+
+cat << 'EOF' >| /etc/ssl/openssl.cnf
+#
+# OpenSSL example configuration file.
+# See doc/man5/config.pod for more information.
+#
+# This is mostly being used for generation of certificate requests,
+# but may be used for autoloading of providers
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+openssl_conf = default_conf
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+
+# Use this to automatically load providers.
+openssl_conf = openssl_init
+
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
+# Extra OBJECT IDENTIFIER information:
+# oid_file       = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+# We can add new OIDs in here for use by 'ca,' 'req,' and 'ts.'
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+# For FIPS
+# Optionally include a file that is generated by the OpenSSL fipsinstall
+# application. This file contains configuration data required by the OpenSSL
+# fips provider. It contains a named section e.g., [fips_sect] which is
+# referenced from the [provider_sect] below.
+# Refer to the OpenSSL security policy for more information.
+# .include fipsmodule.cnf
+
+[openssl_init]
+providers = provider_sect
+
+# List of providers to load
+[provider_sect]
+default = default_sect
+# The fips section name should match the section name inside the
+# included fipsmodule.cnf.
+# fips = fips_sect
+
+# If no providers are activated explicitly, the default one is activated implicitly.
+# See man 7 OSSL_PROVIDER-default for more details.
+#
+# If you add a section explicitly activating any other provider(s), you most
+# probably need to explicitly activate the default provider, otherwise it
+# becomes unavailable in openssl.  As a consequence, applications depending on
+# OpenSSL may not work correctly, which could lead to significant system
+# problems including inability to remotely access the system.
+[default_sect]
+# activate = 1
+
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= ./demoCA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of several certs with the same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem # The private key
+
+x509_extensions	= usr_cert		# The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= default		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few different ways of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that.
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 4096
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extensions to add to the self-signed cert
+
+# Passwords for private keys if not present, they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2-letter code)
+countryName_default		= AU
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Some-State
+
+localityName			= Locality Name (e.g., city)
+
+0.organizationName		= Organization Name (e.g., company)
+0.organizationName_default	= Internet Widgits Pty Ltd
+
+# we can do this, but it is unnecessary normally
+#1.organizationName		= Second Organization Name (e.g., company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (e.g., section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (e.g., server FQDN or YOUR name)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines, but some CAs do it, and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated, according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However, since it will
+# prevent it being used as a test self-signed certificate, it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines, but some CAs do it, and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated, according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1	# the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir		= ./demoCA		# TSA root directory
+serial		= $dir/tsaserial	# The current serial number (mandatory)
+crypto_device	= builtin		# OpenSSL engine to use for signing
+signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
+					# (optional)
+certs		= $dir/cacert.pem	# Certificate chain to include in reply
+					# (optional)
+signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest  = sha256			# Signing digest to use. (Optional)
+default_policy	= tsa_policy1		# Policy if request did not specify it
+					# (optional)
+other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
+accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
+clock_precision_digits  = 0	# number of digits after dot. (optional)
+ordering		= yes	# Is ordering defined for timestamps?
+				# (optional, default: no)
+tsa_name		= yes	# Must the TSA name be included in the reply?
+				# (optional, default: no)
+ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
+				# (optional, default: no)
+ess_cert_id_alg		= sha256	# algorithm to compute certificate
+				# identifier (optional, default: sha256)
+
+[insta] # CMP using Insta Demo CA
+# Message transfer
+server = pki.certificate.fi:8700
+# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080
+# tls_use = 0
+path = pkix/
+
+# Server authentication
+recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer
+ignore_keyusage = 1 # quirk needed to accept Insta CA cert not including digitalsignature
+unprotected_errors = 1 # quirk needed to accept negative responses possibly not protected
+extracertsout = insta.extracerts.pem
+
+# Client authentication
+ref = 3078 # user identification
+secret = pass:insta # can be used for both client and server side
+
+# Generic message options
+cmd = ir # default operation, can be overridden on cmd line with, e.g., kur
+
+# Certificate enrollment
+subject = "/CN=openssl-cmp-test"
+newkey = insta.priv.pem
+out_trusted = apps/insta.ca.crt # does not include keyUsage digitalSignature
+certout = insta.cert.pem
+
+[pbm] # Password-based protection for Insta CA
+# Server and client authentication
+ref = $insta::ref # 3078
+secret = $insta::secret # pass:insta
+
+[signature] # Signature-based protection for Insta CA
+# Server authentication
+trusted = $insta::out_trusted # apps/insta.ca.crt
+
+# Client authentication
+secret = # disable the PBM
+key = $insta::newkey # insta.priv.pem
+cert = $insta::certout # insta.cert.pem
+
+[ir]
+cmd = ir
+
+[cr]
+cmd = cr
+
+[kur]
+# Certificate update
+cmd = kur
+oldcert = $insta::certout # insta.cert.pem
+
+[rr]
+# Certificate revocation
+cmd = rr
+oldcert = $insta::certout # insta.cert.pem
+
+##### Added by CISS.debian.live.builder #####
+[default_conf]
+ssl_conf = ssl_sect
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+# Protocol floor / ceiling:
+# - only TLS 1.2 and 1.3.
+# - TLS 1.3 is FS by design;
+# - TLS 1.2 FS enforced via the cipher list.
+MinProtocol = TLSv1.2
+MaxProtocol = TLSv1.3
+
+# TLS 1.2 cipher policy:
+# - Forward secrecy only: ECDHE or DHE (no static RSA kx);
+# - AES-256 *GCM* only (no DHE (dheatattack), no AES-128, no CBC);
+# - Keep distro default SECLEVEL=2 explicitly.
+CipherString = ECDHE+AES256-GCM:ECDHE+CHACHA20:ECDHE+ARIA256-GCM:ECDHE+CAMELLIA256-GCM:!kRSA:!PSK:!SRP:!aNULL:!eNULL:@SECLEVEL=2
+
+# TLS 1.3 cipher policy: AES-256 and ChaCha20-Poly1305 only:
+Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+
+# Prefer strong, widely supported ECDHE groups (first = most preferred):
+Groups = X448:P-521:P-384
+
+SignatureAlgorithms = rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256
+
+# Operational flags:
+# -SessionTicket  : disable TLS session tickets (TLS 1.2 + 1.3)
+# ServerPreference: honor server cipher order (TLS 1.2)
+# NoRenegotiation : disallow TLS 1.2 renegotiation
+Options = -SessionTicket,ServerPreference,NoRenegotiation
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9999_zzzz.chroot

@@ -20,7 +20,7 @@ rm -f  /root/ciss_xdg_tmp.sh
 rm -fr /root/build
 find /etc /home /root /usr /var -type f -name '.keep' -print -delete
 
-### Securing '/root/.ciss' ----------------------------------------------------------------------------------------------------------
+### Securing '/root/.ciss' -----------------------------------------------------------------------------------------------------
 find /root/.ciss -type d -exec chmod 0700 {} +
 find /root/.ciss -type f -exec chmod 0440 {} +
 
@@ -30,6 +30,10 @@ find /etc/ciss/keys -type f -exec chmod 0440 {} +
 ### Regenerate the initramfs for the live system kernel ------------------------------------------------------------------------
 update-initramfs -u -k all -v
 
+### Prepare '/etc/resolv.conf' for systemd-networkd ----------------------------------------------------------------------------
+rm -f /etc/resolv.conf
+ln -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+
 ### Determine the canonical systemd unit dir inside chroot ---------------------------------------------------------------------
 if [[ -d /lib/systemd/system ]]; then
 

config/hooks/live/zzzz_ciss_crypt_squash.hook.binary

@@ -45,12 +45,12 @@ preallocate() {
 
   if dd if=/dev/zero of="${file}" bs="${blocksize}" count="${blockcounter}" status=progress conv=fsync; then
 
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync ] successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
+    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
     return 0
 
   else
 
-    printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync ] NOT successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
+    printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] NOT successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
     return 42
 
   fi
@@ -71,8 +71,8 @@ declare -i VAR_ROOTFS_SIZE=$(stat -c%s -- "${ROOTFS}")
 #   - dm-integrity Overhead (Tags and Journal)
 #   - Filesystem-Slack
 declare -i OVERHEAD_FIXED=$((64 * 1024 * 1024))
-declare -i OVERHEAD_PCT=1.6
+declare -i OVERHEAD_PCT=2
-declare -i ALIGN_BYTES=$(( 2048 * 1024 ))
+declare -i ALIGN_BYTES=$(( 4096 * 1024 ))
 declare -i BASE_SIZE=$(( VAR_ROOTFS_SIZE + OVERHEAD_FIXED + (VAR_ROOTFS_SIZE * OVERHEAD_PCT / 100) ))
 declare -i VAR_LUKSFS_SIZE=$(( ( (BASE_SIZE + ALIGN_BYTES - 1) / ALIGN_BYTES ) * ALIGN_BYTES ))
 
@@ -80,22 +80,44 @@ preallocate "${LUKSFS}" "${VAR_LUKSFS_SIZE}"
 
 exec {KEYFD}<"${VAR_TMP_SECRET}/luks.txt"
 
-cryptsetup luksFormat \
+if [[ "${VAR_CDLB_INSIDE_RUNNER}" == "false" ]]; then
-  --batch-mode \
+
-  --cipher aes-xts-plain64 \
+  cryptsetup luksFormat \
-  --integrity hmac-sha512 \
+    --batch-mode \
-  --iter-time 1000 \
+    --cipher aes-xts-plain64 \
-  --key-file "/proc/$$/fd/${KEYFD}" \
+    --integrity hmac-sha512 \
-  --key-size 512 \
+    --iter-time 1000 \
-  --label crypt_liveiso \
+    --key-file "/proc/$$/fd/${KEYFD}" \
-  --luks2-keyslots-size 16777216 \
+    --key-size 512 \
-  --luks2-metadata-size 4194304 \
+    --label crypt_liveiso \
-  --pbkdf argon2id \
+    --luks2-keyslots-size 16777216 \
-  --sector-size 4096 \
+    --luks2-metadata-size 4194304 \
-  --type luks2 \
+    --pbkdf argon2id \
-  --use-random \
+    --sector-size 4096 \
-  --verbose \
+    --type luks2 \
-  "${LUKSFS}"
+    --use-random \
+    --verbose \
+    "${LUKSFS}"
+
+elif [[ "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then
+
+  cryptsetup luksFormat \
+    --batch-mode \
+    --cipher aes-xts-plain64 \
+    --iter-time 1000 \
+    --key-file "/proc/$$/fd/${KEYFD}" \
+    --key-size 512 \
+    --label crypt_liveiso \
+    --luks2-keyslots-size 16777216 \
+    --luks2-metadata-size 4194304 \
+    --pbkdf argon2id \
+    --sector-size 4096 \
+    --type luks2 \
+    --use-random \
+    --verbose \
+    "${LUKSFS}"
+
+fi
 
 cryptsetup open --key-file "/proc/$$/fd/${KEYFD}" "${LUKSFS}" crypt_liveiso
 
@@ -105,11 +127,11 @@ declare -i SQUASH_FS="${VAR_ROOTFS_SIZE}"
 
 if (( LUKS_FREE >= SQUASH_FS )); then
 
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ LUKS_FREE '%s' >= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}"
+  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ LUKS_FREE '%s' >= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}"
 
 else
 
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ LUKS_FREE '%s' <= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}" >&2
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ LUKS_FREE '%s' <= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}" >&2
   exit 42
 
 fi

config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh

@@ -293,7 +293,7 @@ verify_script() {
 
   for item in "${algo[@]}"; do
 
-    hashfile="${dir}/${script}.sha${item}sum.txt"
+    hashfile="${dir}/${script}.${item}sum.txt"
     sigfile="${hashfile}.sig"
     cmd="${item}sum"
 
@@ -341,8 +341,8 @@ readonly -f verify_script
 #######################################
 # Main Program Sequence.
 # Globals:
+#   CDLB_MAPPER_DEV
 #   CURRENTDATE
-#   DEVICES_LUKS
 #   GRE
 #   MAG
 #   NL
@@ -354,6 +354,9 @@ readonly -f verify_script
 main() {
   declare PASS="" COUNTER=0 PASS_SENT=0 WAIT_LOOP=0
 
+  mkdir -p /var/log
+  : >| /var/log/wtmp
+
   exec 1>&2
 
   trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
@@ -382,7 +385,7 @@ main() {
 
     fi
 
-    if [[ "${COUNTER}" -eq 3 ]]; then
+    if [[ "${COUNTER}" -ge 3 && "${PASS_SENT}" -eq 0 ]]; then
 
       secure_unset_pass
       break
@@ -391,6 +394,8 @@ main() {
 
     if [[ "${PASS_SENT}" -eq 0 ]]; then
 
+      COUNTER=$((COUNTER + 1))
+
       # shellcheck disable=SC2310
       read_passphrase || continue
 

config/includes.chroot/etc/initramfs-tools/scripts/init-bottom/0042-ciss-post-decrypt-attest.sh

@@ -1,181 +0,0 @@
-#!/bin/sh
-# bashsupport disable=BP5007
-# shellcheck disable=SC2249
-# shellcheck shell=sh
-
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-# Purpose: Late rootfs attestation and dmsetup health checking.
-# Phase  : bottom (executed by live-boot inside the initramfs).
-
-_SAVED_SET_OPTS="$(set +o)"
-
-set -eu
-
-printf "\e[95m[INFO] Starting             : [/etc/initramfs-tools/scripts/init-bottom/0042-ciss-post-decrypt-attest] \n\e[0m"
-
-### Declare variables ----------------------------------------------------------------------------------------------------------
-
-### Will be replaced at build time:
-export CDLB_EXP_FPR="@EXP_FPR@"
-export CDLB_EXP_CA_FPR="@EXP_CA_FPR@"
-
-### Name of the top-level dm-crypt mapping (e.g., cryptsetup --label): zzzz_ciss_crypt_squash.hook.binary ----------------------
-CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-crypt_liveiso}"
-
-### Attestation file locations inside decrypted rootfs. ------------------------------------------------------------------------
-CDLB_ATTEST_FPR_SHA="${CDLB_ATTEST_FPR_SHA:-/root/.ciss/attest/${CDLB_EXP_FPR}.sha512sum.txt}"
-CDLB_ATTEST_FPR_SIG="${CDLB_ATTEST_FPR_SIG:-/root/.ciss/attest/${CDLB_EXP_FPR}.sha512sum.txt.sig}"
-CDLB_KEY_DIR="${CDLB_KEY_DIR:-/etc/ciss/keys}"
-
-### Declare functions ----------------------------------------------------------------------------------------------------------
-
-#######################################
-# Helper for colored text output on stdout.
-# Globals:
-#   None
-# Arguments:
-#   *: String to print
-#######################################
-log_in() { printf '\e[95m[INFO]  %s \n\e[0m' "$*"; }
-
-#######################################
-# Helper for colored text output on stdout.
-# Globals:
-#   None
-# Arguments:
-#   *: String to print
-#######################################
-log_ok() { printf '\e[92m[INFO]  %s \n\e[0m' "$*"; }
-
-#######################################
-# Helper for colored text output on stdout.
-# Globals:
-#   None
-# Arguments:
-#   *: String to print
-#######################################
-log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }
-
-### Locate decrypted rootfs mount ----------------------------------------------------------------------------------------------
-_mp=""
-ROOTMP=""
-
-for _mp in /run/live/rootfs /run/live/rootfs.squashfs /run/live/overlay /root ; do
-
-  if [ -d "${_mp}" ] && [ -e "${_mp}/etc" ]; then ROOTMP="${_mp}"; break; fi
-
-done
-
-if [ -z "${ROOTMP}" ]; then
-
-  log_er "No decrypted rootfs mount found."
-  sleep 8
-  panic "[FATAL] No decrypted rootfs mount found."
-
-fi
-
-log_ok "Decrypted rootfs at: [${ROOTMP}]"
-
-HASH_FILE="${ROOTMP}${CDLB_ATTEST_FPR_SHA}"
-SIGN_FILE="${ROOTMP}${CDLB_ATTEST_FPR_SIG}"
-KEYFILE="${ROOTMP}${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg"
-
-[ -s "${KEYFILE}" ]   || { log_er "No public key found under: [${ROOTMP}${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"; exit 42; }
-[ -s "${HASH_FILE}" ] || { log_er "Attestation data missing: [${HASH_FILE}]"; exit 42; }
-[ -s "${SIGN_FILE}" ] || { log_er "Attestation signature missing: [${SIGN_FILE}]"; exit 42; }
-
-log_in "Verifying rootfs attestation with 'gpgv' and inside LUKS encrypted rootfs pinned GPG FPR."
-_STATUS="$(gpgv --no-default-keyring --keyring "${KEYFILE}" --status-fd 1 --verify "${SIGN_FILE}" "${HASH_FILE}" 2>/dev/null)"
-_CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"
-
-### Compare against pinned and expected fingerprint. ---------------------------------------------------------------------------
-if [ "${_CDLB_SIG_FILE_FPR}" = "${CDLB_EXP_FPR}" ]; then
-
-  log_ok "Signature FPR valid: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
-
-else
-
-  log_er "Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
-  sleep 8
-  panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
-
-fi
-
-### 'dmsetup' health check -----------------------------------------------------------------------------------------------------
-MAP_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
-if [ -e "${MAP_DEV}" ]; then
-
-  log_in "Checking dmsetup table for ${MAP_DEV}"
-
-  TOP_LINE="$(/usr/sbin/dmsetup table --showkeys "${MAP_DEV}" 2>/dev/null | awk 'NR==1{print; exit}')"
-  if printf '%s\n' "${TOP_LINE}" | grep -q ' crypt '; then
-
-    log_ok "Top layer is 'crypt'."
-
-  else
-
-    log_er "Top layer is NOT 'crypt'."
-    sleep 8
-    panic "[FATAL] Top layer is NOT 'crypt'."
-
-  fi
-
-  if printf '%s\n' "${TOP_LINE}" | grep -Eq ' xts|aes-xts'; then
-
-    log_ok "Cipher looks like AES-XTS."
-
-  else
-
-    log_er "Cipher does not look like AES-XTS."
-    sleep 8
-    panic "[FATAL] Cipher does not look like AES-XTS."
-
-  fi
-
-### Extract child device token (the second last field is 'device', the last is 'offset.') --------------------------------------
-CHILD_TOK="$(printf '%s\n' "${TOP_LINE}" | awk '{print $(NF-1)}')"
-CHILD_NAME="${CHILD_TOK}"
-
-case "${CHILD_TOK}" in
-
-  *:* )
-    if [ -e "/sys/dev/block/${CHILD_TOK}/dm/name" ]; then
-      CHILD_NAME="$(cat "/sys/dev/block/${CHILD_TOK}/dm/name" 2>/dev/null || true)"
-      [ -n "${CHILD_NAME}" ] || CHILD_NAME="${CHILD_TOK}"
-    fi
-    ;;
-
-  /dev/* )
-    CHILD_NAME="$(basename -- "${CHILD_TOK}")"
-    ;;
-
-esac
-
-#### Child layer must be 'integrity' with hmac and sha512 and 4096-byte sectors (best-effort greps). ---------------------------
-log_in "Checking underlying integrity target: ${CHILD_NAME}"
-
-CHILD_TAB="$(/usr/sbin/dmsetup table --showkeys "${CHILD_NAME}" 2>/dev/null || true)"
-printf '%s\n' "${CHILD_TAB}" | grep -q ' integrity ' || { log_er "Underlying layer is not 'integrity'"; }
-printf '%s\n' "${CHILD_TAB}" | grep -qi 'hmac'       || { log_er "Integrity target not using keyed MAC (hmac)"; }
-printf '%s\n' "${CHILD_TAB}" | grep -qi 'sha512'     || { log_er "Integrity algo not sha512"; }
-printf '%s\n' "${CHILD_TAB}" | grep -Eq '\b4096\b'   || { log_er "Expected 4096-byte sector size not found"; }
-
-log_ok "dm-crypt and dm-integrity(HMAC-SHA512, 4096B) chain looks healthy."
-
-fi
-
-eval "${_SAVED_SET_OPTS}"
-
-printf "\e[92m[INFO] Successfully applied : [/etc/initramfs-tools/scripts/init-bottom/0042-ciss-post-decrypt-attest] \n\e[0m"
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/includes.chroot/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh

@@ -22,6 +22,9 @@ case "${1}" in
   prereqs) prereqs; exit 0 ;;
 esac
 
+mkdir -p /var/log
+: >| /var/log/wtmp
+
 mkdir -p /run/ciss
 printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_premount_early.log
 

config/includes.chroot/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh

@@ -22,6 +22,9 @@ case "${1}" in
   prereqs) prereqs; exit 0 ;;
 esac
 
+mkdir -p /var/log
+: >| /var/log/wtmp
+
 mkdir -p /run/ciss
 printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_top_early.log
 

config/includes.chroot/etc/modprobe.d/30-ciss-hardening.conf

@@ -94,9 +94,11 @@ blacklist gfs2
 # The vivid driver is only useful for testing purposes and has been the cause of privilege escalation vulnerabilities, so it should be disabled.
 install vivid /bin/true
 
-##### Disable access to USB #####
+##### Disable access to USB and UAS #####
-install usb_storage /bin/true
+install usb-storage /bin/true
+install uas /bin/true
 blacklist usb-storage
+blacklist uas
 
 ##### Disable access to IEEE1394 #####
 install firewire-core /bin/true

config/includes.chroot/etc/resolv.conf

@@ -1,16 +0,0 @@
-# bashsupport disable=BP5007
-
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-11-26; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-ln -s /run/systemd/resolve/stub-resolv.conf /run/systemd/resolve/stub-resolv.conf
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

config/includes.chroot/etc/ssh/ssh_known_hosts

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.27
+# Version Master V8.13.768.2025.12.06
 
 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==

config/includes.chroot/etc/ssh/sshd_config

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.27
+# Version Master V8.13.768.2025.12.06
 
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig

config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened

@@ -11,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.27
+# Version Master V8.13.768.2025.12.06
 
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/

config/includes.chroot/etc/systemd/network/90-ciss-ethernet.network

@@ -18,16 +18,16 @@ DNSOverTLS=opportunistic
 DNSSEC=yes
 IPv6AcceptRA=yes
 LinkLocalAddressing=ipv6
+LLMNR=no
+MulticastDNS=no
 
 [DHCPv4]
-RoutesToDNS=no
 UseDNS=yes
 UseDomains=no
 UseHostname=no
 UseNTP=no
 
 [DHCPv6]
-RoutesToDNS=no
 UseDNS=yes
 UseDomains=no
 UseHostname=no

config/includes.chroot/preseed/.iso/preseed_hash_generator.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-declare -gr VERSION="Master V8.13.512.2025.11.27"
+declare -gr VERSION="Master V8.13.768.2025.12.06"
 
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then

config/includes.chroot/preseed/preseed.cfg

@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.512.2025.11.27 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.768.2025.12.06 at: 10:18:37.9542

config/includes.chroot/root/.ciss/alias

@@ -70,6 +70,8 @@ alias dev='lsblk -o NAME,MAJ:MIN,FSTYPE,FSVER,SIZE,UUID,MOUNTPOINT,PATH'
 alias i='echo "$(whoami) @ $(uname -a)"'
 alias ipunused='iptables -L -v -n'
 alias jboot='journalctl --boot=0'
+alias logb='journalctl --boot=0'
+alias logr='resolvectl; resolvectl query coresecret.eu; systemctl status systemd-resolved --no-pager'
 alias lsadt='lynis audit system --auditor Centurion_Intelligence_Consulting_Agency'
 alias lsadtdoc='lynis audit system --auditor Centurion_Intelligence_Consulting_Agency > /root/lynis-$(date +%F_%H-%M-%S).txt 2>&1'
 alias n='nano'
@@ -226,7 +228,7 @@ swget() {
 #   None
 #######################################
 sysp() {
-  sysctl -p /etc/sysctl.d/99_local.hardened
+  sysctl -p /etc/sysctl.d/90-ciss-local.hardened
   # shellcheck disable=SC2312
   sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
 }

config/includes.chroot/root/.ciss/shortcuts

@@ -47,6 +47,8 @@ declare -ga shortcuts=(
   "i: who you are"
   "ipunused: iptables -L -v -n"
   "jboot: journalctl --boot=0"
+  "logj: journalctl --boot=0"
+  "logr: resolvectl"
   "l: ls"
   "la: ls"
   "ll: ls"

config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash

@@ -364,17 +364,26 @@ done
 if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
 
   printf "\e[91m[WARN] CISS LUKS decryption : Timeout LUKS mapper [%s] not present after %s seconds. \n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_REMOTE_WAIT_SECS}"
+
   kill "${PID_PROMPT}" 2>/dev/null || true
   kill "${PID_BROKER}" 2>/dev/null || true
+  wait "${PID_PROMPT}" 2>/dev/null || true
+  wait "${PID_BROKER}" 2>/dev/null || true
+
   rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
+
   sleep 60
+
   log   "[WARN] CISS LUKS decryption : Timeout LUKS mapper [${CDLB_MAPPER_DEV}] not present after ${CDLB_REMOTE_WAIT_SECS} seconds."
   panic "[WARN] CISS LUKS decryption : Timeout LUKS mapper [${CDLB_MAPPER_DEV}] not present after ${CDLB_REMOTE_WAIT_SECS} seconds."
 
 fi
 
 kill "${PID_PROMPT}" 2>/dev/null || true
+kill "${PID_BROKER}" 2>/dev/null || true
+wait "${PID_PROMPT}" 2>/dev/null || true
 wait "${PID_BROKER}" 2>/dev/null || true
+
 rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
 
 printf "\e[92m[INFO] CISS LUKS decryption : [%s] is now present.\n\e[0m" "${CDLB_MAPPER_DEV}"

config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums

@@ -16,7 +16,7 @@
 
 ### Modified Version of the original file:
 ### https://salsa.debian.org/live-team/live-boot 'components/0030-ciss-verify-checksums'
-### In case of successful verification of the offered checksum, proceed with booting; otherwise panic.
+### If the offered checksum is successfully verified, proceed with booting. Otherwise, panic.
 
 #######################################
 # Modified checksum-integrity and authenticity-verification-script depending on pinned GPG FPR for boot process verification.
@@ -46,7 +46,7 @@ Verify_checksums() {
   # Arguments:
   #   *: String to print
   #######################################
-  log_in() { printf '\e[95m[INFO]  %s \n\e[0m' "$*"; }
+  log_in() { printf '\e[95m[INFO] %s \n\e[0m' "$*"; }
 
 
   #######################################
@@ -56,7 +56,7 @@ Verify_checksums() {
   # Arguments:
   #   *: String to print
   #######################################
-  log_ok() { printf '\e[92m[INFO]  %s \n\e[0m' "$*"; }
+  log_ok() { printf '\e[92m[INFO] %s \n\e[0m' "$*"; }
 
   #######################################
   # Helper for colored text output on stdout.
@@ -299,16 +299,14 @@ Verify_checksums() {
   case "${_RETURN_PGP},${_RETURN_SHA}" in
 
     "0,0")
-      log_ok "Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds."
+      log_ok "Verification of [GPG signature] and [sha checksum] file successful; continuing booting."
-      log_success_msg "Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds."
+      log_success_msg "Verification of [GPG signature] and [sha checksum] file successful; continuing booting."
-      sleep 8
       return 0
       ;;
 
     "na,0")
-      log_ok "Verification of [sha checksum] file successful; continuing booting in 8 seconds."
+      log_ok "Verification of [sha checksum] file successful; continuing booting."
-      log_success_msg "Verification of [sha checksum] file successful; continuing booting in 8 seconds."
+      log_success_msg "Verification of [sha checksum] file successful; continuing booting."
-      sleep 8
       return 0
       ;;
 

config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest

@@ -0,0 +1,115 @@
+#!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck disable=SC2249
+# shellcheck shell=sh
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Purpose: Late rootfs attestation and dmsetup health checking.
+# Phase  : executed by live-boot inside the 9990-main.sh.
+
+_SAVED_SET_OPTS="$(set +o)"
+
+set -eu
+
+printf "\e[95m[INFO] Starting             : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] \n\e[0m"
+
+### Declare variables ----------------------------------------------------------------------------------------------------------
+
+### Will be replaced at build time:
+export CDLB_EXP_FPR="@EXP_FPR@"
+export CDLB_EXP_CA_FPR="@EXP_CA_FPR@"
+
+### Name of the top-level dm-crypt mapping (e.g., cryptsetup --label): zzzz_ciss_crypt_squash.hook.binary ----------------------
+CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-crypt_liveiso}"
+
+### Attestation file locations inside decrypted rootfs. ------------------------------------------------------------------------
+CDLB_ATTEST_FPR_SHA="${CDLB_ATTEST_FPR_SHA:-/root/root/.ciss/attestation/${CDLB_EXP_FPR}.gpg.sha512sum.txt}"
+CDLB_ATTEST_FPR_SIG="${CDLB_ATTEST_FPR_SIG:-/root/root/.ciss/attestation/${CDLB_EXP_FPR}.gpg.sha512sum.txt.sig}"
+CDLB_KEY_DIR="${CDLB_KEY_DIR:-/etc/ciss/keys}"
+
+### Declare functions ----------------------------------------------------------------------------------------------------------
+
+#######################################
+# Helper for colored text output on stdout.
+# Globals:
+#   None
+# Arguments:
+#   *: String to print
+#######################################
+log_in() { printf '\e[95m[INFO] %s \n\e[0m' "$*"; }
+
+#######################################
+# Helper for colored text output on stdout.
+# Globals:
+#   None
+# Arguments:
+#   *: String to print
+#######################################
+log_ok() { printf '\e[92m[INFO] %s \n\e[0m' "$*"; }
+
+#######################################
+# Helper for colored text output on stdout.
+# Globals:
+#   None
+# Arguments:
+#   *: String to print
+#######################################
+log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }
+
+HASH_FILE="${CDLB_ATTEST_FPR_SHA}"
+SIGN_FILE="${CDLB_ATTEST_FPR_SIG}"
+KEYFILE="${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg"
+
+if [ -s "${KEYFILE}" ]; then
+
+  log_er "0042()              : No public key found under: [${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"
+  panic  "0042()              : No public key found under: [${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"
+
+fi
+
+if [ -s "${HASH_FILE}" ]; then
+
+  log_er "0042()              : Attestation data missing: [${HASH_FILE}]"
+  panic  "0042()              : Attestation data missing: [${HASH_FILE}]"
+
+fi
+
+if [ -s "${SIGN_FILE}" ]; then
+
+  log_er "0042()              : Attestation signature missing: [${SIGN_FILE}]"
+  panic  "0042()              : Attestation signature missing: [${SIGN_FILE}]"
+
+fi
+
+log_in "0042()               : Verifying rootfs attestation with 'gpgv' and inside LUKS encrypted rootfs pinned GPG FPR."
+_STATUS="$(/usr/bin/gpgv --keyring "${KEYFILE}" --status-fd 1 "${SIGN_FILE}" "${HASH_FILE}")"
+_CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"
+
+### Compare against pinned and expected fingerprint. ---------------------------------------------------------------------------
+if [ "${_CDLB_SIG_FILE_FPR}" = "${CDLB_EXP_FPR}" ]; then
+
+  log_ok "0042()               : Signature FPR valid: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
+
+else
+
+  log_er "0042()              : Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
+  sleep 8
+  panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
+
+fi
+
+eval "${_SAVED_SET_OPTS}"
+
+printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] \n\e[0m"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/includes.chroot/usr/lib/live/boot/9990-main.sh

@@ -15,8 +15,8 @@
 # SPDX-Security-Contact: security@coresecret.eu
 
 ### Modified Version of the original file:
-### https://salsa.debian.org/live-team/live-boot 'components/9990-main.shh'
+### https://salsa.debian.org/live-team/live-boot 'components/9990-main.sh'
-### Change behavior to mount already opened ciss_rootfs.crypt (0024-ciss-crypt-squash).
+### Change the behavior so that the ciss_rootfs.crypt (0024-ciss-crypt-squash) is mounted when it is opened.
 
 # set -e
 
@@ -234,18 +234,20 @@ Live ()
     log_end_msg
   fi
 
-  if [ -L /root/etc/resolv.conf ] ; then
+  ### CISS override for systemd-networkd stack ---------------------------------------------------------------------------------
-    # assume we have resolvconf
+  #if [ -L /root/etc/resolv.conf ] ; then
-    DNSFILE="${rootmnt}/etc/resolvconf/resolv.conf.d/base"
+  #  # assume we have resolvconf
-  else
+  #  DNSFILE="${rootmnt}/etc/resolvconf/resolv.conf.d/base"
-    DNSFILE="${rootmnt}/etc/resolv.conf"
+  #else
-  fi
+  #  DNSFILE="${rootmnt}/etc/resolv.conf"
-  if [ -f /etc/resolv.conf ] && ! grep -E -q -v '^[[:space:]]*(#|$)' "${DNSFILE}"
+  #fi
-  then
+  #if [ -f /etc/resolv.conf ] && ! grep -E -q -v '^[[:space:]]*(#|$)' "${DNSFILE}"
-    log_begin_msg "Copying /etc/resolv.conf to ${DNSFILE}"
+  #then
-    cp -v /etc/resolv.conf "${DNSFILE}"
+  #  log_begin_msg "Copying /etc/resolv.conf to ${DNSFILE}"
-    log_end_msg
+  #  cp -v /etc/resolv.conf "${DNSFILE}"
-  fi
+  #  log_end_msg
+  #fi
+  ### CISS override for systemd-networkd stack ---------------------------------------------------------------------------------
 
   if ! [ -d "/lib/live/boot" ]
   then
@@ -264,5 +266,7 @@ Live ()
     cp boot.log "${rootmnt}/var/log/live" 2>/dev/null; \
     cp fsck.log "${rootmnt}/var/log/live" 2>/dev/null )
 
+  sleep 3
+
   printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/9990-main.sh] \n\e[0m"
 }

config/includes.chroot/usr/lib/live/boot/9990-networking.sh

@@ -0,0 +1,224 @@
+#!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck disable=SC2249
+# shellcheck shell=sh
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-12-03; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Modified Version of the original file:
+### https://salsa.debian.org/live-team/live-boot 'components/9990-networking.sh'
+### Change the behavior so that the systemd-networkd stack '/etc/resolv.conf' is not overwritten.
+
+# set -e
+
+printf "\e[95m[INFO] Sourcing             : [/usr/lib/live/boot/9990-networking.sh] \n\e[0m"
+
+Device_from_bootif ()
+{
+  # Support for Syslinux IPAPPEND parameter
+  # it sets the BOOTIF variable on the kernel parameter
+
+  if [ -n "${BOOTIF}" ]
+  then
+    # Pxelinux sets BOOTIF to a value based on the mac address of the
+    # network card used to PXE boot, so use this value for DEVICE rather
+    # than a hard-coded device name from initramfs.conf. This facilitates
+    # network booting when machines may have multiple network cards.
+    # Pxelinux sets BOOTIF to 01-$mac_address
+
+    # Strip off the leading "01-", which isn't part of the mac
+    # address
+    temp_mac=${BOOTIF#*-}
+
+    # Convert to the typical mac address format by replacing "-" with ":"
+    bootif_mac=""
+    IFS='-'
+    for x in ${temp_mac}
+    do
+      if [ -z "${bootif_mac}" ]
+      then
+        bootif_mac="${x}"
+      else
+        bootif_mac="${bootif_mac}:${x}"
+      fi
+    done
+    unset IFS
+
+    # Look for devices with matching mac address and set DEVICE to
+    # appropriate value if match is found.
+
+    for device in /sys/class/net/*
+    do
+      if [ -f "${device}/address" ]
+      then
+        current_mac=$(cat "${device}/address")
+
+        if [ "${bootif_mac}" = "${current_mac}" ]
+        then
+          DEVICE=${device##*/}
+          break
+        fi
+      fi
+    done
+  fi
+}
+
+do_netsetup ()
+{
+  printf "\e[95m[INFO] do_netsetup()        : [/usr/lib/live/boot/9990-networking.sh] \n\e[0m"
+  modprobe -q af_packet # For DHCP
+
+  udevadm trigger
+  udevadm settle
+
+  [ -n "${ETHDEV_TIMEOUT}" ] || ETHDEV_TIMEOUT=15
+  echo "Using timeout of ${ETHDEV_TIMEOUT} seconds for network configuration."
+
+  if [ -z "${NETBOOT}" ] && [ -z "${FETCH}" ] && [ -z "${HTTPFS}" ] && [ -z "${FTPFS}" ]
+  then
+    # See if we can select the device from BOOTIF
+    Device_from_bootif
+
+    # if ethdevice was not specified on the kernel command line,
+    # make sure we try to get a working network configuration
+    # for *every* present network device (except for loopback of course)
+    if [ -z "${ETHDEVICE}" ]
+    then
+      echo "If you want to boot from a specific device use bootoption ethdevice=..."
+      for device in /sys/class/net/*
+      do
+        dev=${device##*/}
+        if [ "${dev}" != "lo" ]
+        then
+          ETHDEVICE="${ETHDEVICE} ${dev}"
+        fi
+      done
+    fi
+
+    # Split args of ethdevice=eth0,eth1 into "eth0 eth1"
+    for device in $(echo "${ETHDEVICE}" | sed 's/,/ /g')
+    do
+      devlist="${devlist} ${device}"
+    done
+
+    for dev in ${devlist}
+    do
+      echo "Executing ipconfig -t ${ETHDEV_TIMEOUT} ${dev}"
+      ipconfig -t "${ETHDEV_TIMEOUT}" "${dev}" | tee -a /netboot.config
+
+      # if configuration of a device worked, we should have an assigned
+      # IP address, if so, let's use the device as $DEVICE for later usage.
+      # Simple and primitive approach, which seems to work fine
+      if ifconfig "${dev}" | grep -q -E 'inet.*addr:|inet [0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*'
+      then
+        export DEVICE="${dev}"
+        break
+      fi
+    done
+  else
+    for interface in ${DEVICE}; do
+      ipconfig -t "${ETHDEV_TIMEOUT}" "${interface}" | tee "/netboot-${interface}.config"
+
+      # shellcheck disable=SC1090
+      [ -e "/run/net-${interface}.conf" ] && . "/run/net-${interface}.conf"
+
+      if [ "${IPV4ADDR}" != "0.0.0.0" ]
+      then
+        break
+      fi
+    done
+  fi
+
+  for interface in ${DEVICE}
+  do
+    # source relevant ipconfig output
+    OLDHOSTNAME=${HOSTNAME}
+
+    # shellcheck disable=SC1090
+    [ -e "/run/net-${interface}.conf" ] && . "/run/net-${interface}.conf"
+
+    [ -z "${HOSTNAME}" ] && HOSTNAME="${OLDHOSTNAME}"
+    export HOSTNAME
+
+    if [ -n "${interface}" ]
+    then
+      # HWADDR used by do_iscsi from 9990-mount-iscsi.sh
+      # shellcheck disable=SC2034
+      HWADDR="$(cat "/sys/class/net/${interface}/address")"
+    fi
+
+    if [ ! -e "/etc/hostname" ] && [ -n "${HOSTNAME}" ]
+    then
+      echo "Creating /etc/hostname"
+      echo "${HOSTNAME}" > /etc/hostname
+    fi
+
+    # Only create /etc/hosts if FQDN is known (to let 'hostname -f' query
+    # this file). Otherwise, DNS will be queried to determine the FQDN.
+    if [ ! -e "/etc/hosts" ] && [ -n "${DNSDOMAIN}" ]
+    then
+      echo "Creating /etc/hosts"
+      cat > /etc/hosts <<EOF
+127.0.0.1	localhost
+127.0.1.1	${HOSTNAME}.${DNSDOMAIN}	${HOSTNAME}
+
+# The following lines are desirable for IPv6 capable hosts
+::1     localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+EOF
+    fi
+
+    if [ ! -e "/etc/resolv.conf" ]
+    then
+      echo "Creating /etc/resolv.conf"
+
+      if [ -n "${DNSDOMAIN}" ]
+      then
+        echo "domain ${DNSDOMAIN}" > /etc/resolv.conf
+      fi
+
+      for i in ${IPV4DNS0} ${IPV4DNS1} ${IPV4DNS1} ${DNSSERVERS}; do
+
+        case "${i}" in
+
+          ""|0.0.0.0|dhcp|DHCP)
+            continue
+            ;;
+
+        esac
+
+        echo "nameserver ${i}" >> /etc/resolv.conf
+
+      done
+
+      if [ -n "${DOMAINSEARCH}" ]
+      then
+        echo "search ${DOMAINSEARCH}" >> /etc/resolv.conf
+      elif [ -n "${DNSDOMAIN}" ]
+      then
+        echo "search ${DNSDOMAIN}" >> /etc/resolv.conf
+      fi
+    fi
+
+    # Check if we have a network device at all
+    if ! ls /sys/class/net/"${interface}" > /dev/null 2>&1 && \
+      ! ls /sys/class/net/eth0 > /dev/null 2>&1 && \
+      ! ls /sys/class/net/wlan0 > /dev/null 2>&1 && \
+      ! ls /sys/class/net/ath0 > /dev/null 2>&1 && \
+      ! ls /sys/class/net/ra0 > /dev/null 2>&1
+    then
+      panic "No supported network device found, maybe a non-mainline driver is required."
+    fi
+  done
+  printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/9990-networking.sh/do_netsetup()] \n\e[0m"
+}

config/includes.chroot/usr/lib/live/boot/9990-overlay.sh

@@ -16,7 +16,7 @@
 
 ### Modified Version of the original file:
 ### https://salsa.debian.org/live-team/live-boot 'components/9990-overlay.sh'
-### Change behavior to mount already opened ciss_rootfs.crypt (0024-ciss-crypt-squash).
+### Change the behavior so that the ciss_rootfs.crypt (0024-ciss-crypt-squash) is mounted when it is opened.
 
 #set -e
 
@@ -488,5 +488,11 @@ setup_unionfs ()
     done
   fi
 
+  ### CISS override for /usr/lib/live/boot/0042_ciss_post_decrypt_attest -------------------------------------------------------
+  printf "\e[95m[INFO] Calling              : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] ... \n\e[0m"
+  [ -x /usr/lib/live/boot/0042_ciss_post_decrypt_attest ] && /usr/lib/live/boot/0042_ciss_post_decrypt_attest
+  printf "\e[92m[INFO] Calling              : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] done. \n\e[0m"
+  ### CISS override for /usr/lib/live/boot/0042_ciss_post_decrypt_attest -------------------------------------------------------
+
   printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/9990-overlay.sh] \n\e[0m"
 }

config/includes.chroot/usr/lib/systemd/.keep

@@ -1,10 +0,0 @@
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu

config/package-lists/live.list.common.chroot

@@ -128,7 +128,9 @@ ssl-cert
 stress
 sudo
 sysstat
+systemd
 systemd-sysv
+systemd-resolved
 tar
 tmux
 tree

docs/AUDIT_DNSSEC.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.27<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. DNSSEC Status
 

docs/AUDIT_HAVEGED.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.27<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. Haveged Audit on Netcup RS 2000 G11
 

docs/AUDIT_LYNIS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.27<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. Lynis Audit:
 

docs/AUDIT_SSH.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.27<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. SSH Audit by ssh-audit.com
 

docs/AUDIT_TLS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.27<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. TLS Audit:
 ````text

docs/BOOTPARAMS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.27<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. Hardened Kernel Boot Parameters
 

docs/CHANGELOG.md

@@ -8,18 +8,45 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.27<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. Changelog
 
+## V8.13.768.2025.12.06
+* **Global**: Stable Release
+
+## V8.13.544.2025.12.05
+* **Added**: [30-ciss-hardening.conf.md](documentation/30-ciss-hardening.conf.md)
+* **Added**: [90-ciss-local.hardened.md](documentation/90-ciss-local.hardened.md)
+* * **Bugfixes**: [zzzz_ciss_crypt_squash.hook.binary](../config/hooks/live/zzzz_ciss_crypt_squash.hook.binary) + Adjusted ``OVERHEAD_PCT`` for Gitea Runner
+
+## V8.13.536.2025.12.04
+* **Added**: [ciss_live_builder.sh.md](documentation/ciss_live_builder.sh.md)
+* **Bugfixes**: Unified network management via ``systemd-networkd``
+* **Bugfixes**: [0822_ssh_restart_hook.chroot](../config/hooks/live/0822_ssh_restart_hook.chroot) + ssh restart cron job replaced by systemd override
+* **Bugfixes**: [unlock_wrapper.sh](../config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh) + ``: > /var/log/wtmp``
+* **Bugfixes**: [1000_ciss_fixpath.sh](../config/includes.chroot/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh) + ``: > /var/log/wtmp``
+* **Bugfixes**: [0000_ciss_fixpath.sh](../config/includes.chroot/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh) + ``: > /var/log/wtmp``
+* **Bugfixes**: [30-ciss-hardening.conf](../config/includes.chroot/etc/modprobe.d/30-ciss-hardening.conf) + UAS blacklisting
+* **Bugfixes**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash) + unified ``kill`` & ``wait`` handling for ``BROKER`` & ``PROMPT`` PIDs
+* **Removed** [0100_ciss_mem_wipe.chroot](../.archive/0100_ciss_mem_wipe.chroot)
+
+## V8.13.528.2025.12.03
+* **Bugfixes**: Unified network management via ``systemd-networkd``
+
+## V8.13.520.2025.12.02
+* **Bugfixes**: Unified network management via ``systemd-networkd``
+
+## V8.13.512.2025.11.28
+* **Bugfixes**: Unified network management via ``systemd-networkd``
+
 ## V8.13.512.2025.11.27
 * **Global**: Unified network management via ``systemd-networkd``
 * **Global**: Transition of license agreements to: 
   * [CCLA-1.1.txt](LICENSES/CCLA-1.1.txt)
   * [CNCL-1.1.txt](LICENSES/CNCL-1.1.txt)
-* **Added**: [resolv.conf](../config/includes.chroot/etc/resolv.conf)
 * **Added**: [90-ciss-ethernet.network](../config/includes.chroot/etc/systemd/network/90-ciss-ethernet.network)
-* **Added**: [90-ciss-networkd.preset](../config/includes.chroot/usr/lib/systemd/system-preset/90-ciss-networkd.preset)
+* **Added**: [90-ciss-networkd.preset](../.archive/90-ciss-networkd.preset)
 * **Changed**: [unlock_wrapper.sh](../config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh)
 * **Changed**: [lib_provider_netcup.sh](../lib/lib_provider_netcup.sh)
 * **Changed**: [0010_dhcp_supersede.sh](../scripts/0010_dhcp_supersede.sh)
@@ -33,7 +60,7 @@ include_toc: true
 * **Bugfixes**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash)
 * **Bugfixes**: [0026-ciss-early-sysctl](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl)
 * **Bugfixes**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums)
-* **Bugfixes**: [0042-ciss-post-decrypt-attest](../config/includes.chroot/etc/initramfs-tools/scripts/init-bottom/0042-ciss-post-decrypt-attest.sh)
+* **Bugfixes**: [0042_ciss_post_decrypt_attest](../config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest)
 
 ## V8.13.432.2025.11.18
 * **Bugfixes**: [0003_cdi_autostart.chroot](../config/hooks/live/0003_cdi_autostart.chroot)
@@ -41,15 +68,15 @@ include_toc: true
 
 ## V8.13.416.2025.11.17
 * **Global**: Explicit ``export INITRD="No"``
-* **Changed**: [0100_ciss_mem_wipe.chroot](../config/hooks/live/0100_ciss_mem_wipe.chroot)
+* **Changed**: [0100_ciss_mem_wipe.chroot](../.archive/0100_ciss_mem_wipe.chroot)
 
 ## V8.13.408.2025.11.13
 * **Added**: [0002_hardening_overlay_tmpfs.chroot](../config/hooks/live/0002_hardening_overlay_tmpfs.chroot) + Remount overlay root with ``nosuid,nodev``.
-* **Added**: [0100_ciss_mem_wipe.chroot](../config/hooks/live/0100_ciss_mem_wipe.chroot) + adding Tails-like memory wiping.
+* **Added**: [0100_ciss_mem_wipe.chroot](../.archive/0100_ciss_mem_wipe.chroot) + adding Tails-like memory wiping.
 * **Added**: [0022-ciss-overlay-tmpfs.sh](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs) + Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
 * **Added**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash) + Open ``/live/ciss_rootfs.crypt`` (LUKS) and present its SquashFS as ``/run/live/rootfs``.
 * **Added**: [0026-ciss-early-sysctl.sh](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl) + Enforce early sysctls before services start.
-* **Added**: [0042-ciss-post-decrypt-attest](../config/includes.chroot/etc/initramfs-tools/scripts/init-bottom/0042-ciss-post-decrypt-attest.sh) + Late rootfs attestation and dmsetup health checking.
+* **Added**: [0042_ciss_post_decrypt_attest](../config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest) + Late rootfs attestation and dmsetup health checking.
 * **Added**: [MAN_CISS_ISO_BOOT_CHAIN.md](MAN_CISS_ISO_BOOT_CHAIN.md)
 * **Added**: [lib_ciss_signatures.sh](../lib/lib_ciss_signatures.sh) + integrated dynamic GPG FPR injection.
 * **Bugfixes**: [0021_dropbear_initramfs.chroot](../config/hooks/live/0021_dropbear_initramfs.chroot) + mv original files to a safe backup location.
@@ -232,7 +259,7 @@ include_toc: true
 * **Updated**: [.bashrc](../config/includes.chroot/root/.bashrc) added HISTIGNORE and EDITOR
 
 ## V8.13.144.2025.10.16
-* **Bugfixes**: [99_local.hardened](../config/includes.chroot/etc/sysctl.d/99_local.hardened)
+* **Bugfixes**: [99_local.hardened](../config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened)
 * **Updated**:  [check_chrony.sh](../config/includes.chroot/root/.ciss/check_chrony.sh)
 * **Changed**:  [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot)
 

docs/CNET.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.27<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. Centurion Net - Developer Branch Overview
 

docs/CODING_CONVENTION.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.27<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. Coding Style
 

docs/CONTRIBUTING.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.27<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. Contributing / participating
 

docs/CREDITS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.27<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. Credits
 

docs/DL_PUB_ISO.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.27<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
 

docs/DOCUMENTATION.md

@@ -8,14 +8,14 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.27<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2.1. Usage
 ````text
                         CDLB(1)                        CISS.debian.live.builder                        CDLB(1)
 
 CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V8.13.512.2025.11.27
+Master V8.13.768.2025.12.06
 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 
 (c) Marc S. Weidner, 2018 - 2025
@@ -47,7 +47,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
     This option creates a boot menu entry that starts the forthcoming 'CISS.debian.installer', which is executed
     once the system has successfully booted up.
 
-  --contact, -c\ e[0m
+  --contact, -c
     Show author contact information.
 
   --control <STRING>
@@ -146,7 +146,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 💷 Please consider donating to my work at:
 🌐 https://coresecret.eu/spenden/
 
-                        V8.13.512.2025.11.27                        2025-11-06                         CDLB(1)
+                        V8.13.768.2025.12.06                        2025-11-06                         CDLB(1)
 ````
 
 # 3. Booting

docs/MAN_CISS_ISO_BOOT_CHAIN.md

@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.27<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation)
 
 **Status:** 2025-11-12<br>
 **Audience:** CICA CISO, CISS staff, technically proficient administrators<br>
-**Summary:** The CISS.debian.live.builder Live-ISO establishes a two-stage verification chain without Microsoft-db: an early ISO-edge check (signature and FPR pin) *before* LUKS unlock, and a late root-FS attestation *after* unlock, reinforced by `dm-crypt (AES-XTS)` and `dm-integrity (HMAC-SHA-512)`.<br>
+**Summary:** The **CISS.debian.live.builder** Live-ISO establishes a two-stage verification chain without Microsoft-db: an early ISO-edge check (signature and FPR pin) *before* LUKS unlock, and a late root-FS attestation *after* unlock, reinforced by `dm-crypt (AES-XTS)` and `dm-integrity (HMAC-SHA-512)`.<br>
 
 # 3. Overview
 
@@ -23,8 +23,9 @@ include_toc: true
 
   1. **Early:** Verify `sha512sum.txt` at the ISO edge using `gpgv` and FPR pin.
   2. **Late:** Verify an attestation hash list inside the decrypted root FS using `gpgv` and FPR pin.
+
 * **Storage-level AEAD (functional):** `dm-crypt` (AES-XTS-512) and `dm-integrity` (HMAC-SHA-512, 4 KiB).
-* **Remotely unlock:** Hardened Dropbear (modern primitives only), no passwords, no agent/forwarding.
+* **Remotely unlock:** CISS hardened and build dropbear, modern primitives only, no passwords, no agent/forwarding.
 
 # 4. Primitives & Parameters
 
@@ -33,12 +34,12 @@ include_toc: true
 | LUKS2        | `aes-xts-plain64`, `--key-size 512`, `--sector-size 4096` | Confidentiality (2×256-bit XTS)                        |
 | dm-integrity | `hmac-sha512` (keyed), journal                            | Adversary-resistant per-sector integrity, authenticity |
 | PBKDF        | `argon2id`, `--iter-time 1000` ms                         | Key derivation, hardware-agnostic                      |
-| Signatures   | Ed25519, RSA-4096 (FPR pinned)                            | Public verifiability, non-repudiation                  |
+| Signatures   | Ed25519 or RSA-4096 (FPR pinned)                          | Public verifiability, non-repudiation                  |
 | Verification | `gpgv --no-default-keyring`                               | No agent dependency in initramfs                       |
 | Hash lists   | `sha512sum` format                                        | Deterministic content verification                     |
 | Dropbear     | Modern KEX/AEAD (per `localoptions.h`)                    | Minimal attack surface, remote unlock                  |
 
-# 5. Diagram: CISS Live ISO Boot Flow, complete
+# 5. Diagram: CISS Live ISO Boot Flow
 ```mermaid
 flowchart TD
   subgraph Trusted HW Manufacturer
@@ -109,7 +110,7 @@ flowchart TD
 0142 -- FAIL --> X;
 ```
 
-# 6. Diagram: CISS Live ISO LUKS and dm-integrity layering, complete
+# 6. Diagram: CISS Live ISO LUKS and dm-integrity layering
 ```mermaid
 ---
 config:
@@ -127,7 +128,7 @@ flowchart TD
 
 **Note:** Encrypt-then-MAC at the block layer (functionally AEAD-equivalent). Any manipulation ⇒ hard I/O error.
 
-# 7. CISS Live ISO LUKS Build-Time Core Steps, complete
+# 7. CISS Live ISO LUKS Build-Time Core Steps
 ```sh
 cryptsetup luksFormat \
   --batch-mode \
@@ -149,7 +150,7 @@ cryptsetup luksFormat \
 
 **Signing keys:** Ed25519 and RSA-4096; **FPR pinned at build time** in hooks. Signing keys are **additionally** signed by an offline GPG Root-CA (out-of-band trust chain).
 
-# 8. Early ISO-Edge Verification (CISS modified hook 0030, live-bottom)
+# 8. Early ISO-Edge Verification (CISS modified hook 0030-ciss-verify-checksums, live-bottom)
 
 **Goal:** Before consuming any medium content, verify:
 
@@ -164,13 +165,12 @@ cryptsetup luksFormat \
 # parse [GNUPG:] VALIDSIG ... <FPR> ...
 ```
 
-# 9. Late Root-FS Attestation and dmsetup Health (CISS hook 0045, live-bottom)
+# 9. Late Root-FS Attestation and dmsetup Health (CISS hook 0042_ciss_post_decrypt_attest, called by 9990-overlay.sh)
 
 **Goal:** After LUKS unlock, validate the **decrypted** contents and the **actual** mapping topology.
 
-* **Attestation files:** `/root/.ciss/attest/rootfs.sha512sum.txt[.sig]`
+* **Attestation files:** `/root/.ciss/attestation/<FPR>.sha512sum.txt[.sig]`
 * **Key source:** `/etc/ciss/keys/*.gpg` (accepted only if FPR == build-pin)
-* **Health check:** `dmsetup table --showkeys` → top `crypt` (AES-XTS), child `integrity` (HMAC-SHA-512, 4096 B)
 
 **Core calls (initramfs):**
 
@@ -180,36 +180,35 @@ cryptsetup luksFormat \
 
 # 2) Optional: Content hash verification
 ( cd "$ROOTMP" && /usr/bin/sha512sum -c --strict --quiet "$DATA" )
-
-# 3) dmsetup health
-dmsetup table --showkeys /dev/mapper/crypt_liveiso
-dmsetup table --showkeys CHILD  # expect integrity hmac sha512 4096
 ```
 
 # 10. Failure Policy (fail-closed, deterministic)
 
-* **Abort** on: missing `VALIDSIG`, FPR mismatch, missing key/signature, or a deviating `dmsetup` topology.
+* **Abort** on: missing `VALIDSIG`, FPR mismatch, missing key / signature.
 
-# 11. CISS Dropbear (Hardened Remotely Unlock)
+# 11. CISS hardened and built dropbear
 
 ```text
 • Public-key auth only, no passwords
-• Modern KEX/AEAD (e.g., curve25519, sntrup761x25519-sha512, mlkem768x25519-sha256; AES-GCM)
+• Modern KEX / AEAD (e.g., curve25519, sntrup761x25519-sha512, mlkem768x25519-sha256; AES-GCM)
-• No agent/X11/TCP forwarding, no SFTP
+• No agent / X11 / TCP forwarding, no SFTP
-• Strict timeouts/keep-alives, restricted cipher/KEX set
+• Strict timeouts / keep-alives, restricted cipher / KEX set
-• Port 42137 (per CISS convention)
+• Port 44137 (per CISS convention)
 ```
 
-*Concrete selection compiled via your `localoptions.h` at ISO build time.*
+*Concrete selection compiled via [localoptions.h](../upgrades/dropbear/localoptions.h) at ISO build time.*
 
 # 12. Integration Points & Paths
 
 * **Hooks (build view):** 
-  * `/usr/lib/live/boot/0022-ciss-overlay-tmpfs`,
+  * [0022-ciss-overlay-tmpfs](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs),
-  * `/usr/lib/live/boot/0024-ciss-crypt-squash`,
+  * [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash),
-  * `/usr/lib/live/boot/0026-ciss-early-sysctl`,
+  * [0026-ciss-early-sysctl](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl),
-  * `/usr/lib/live/boot/0030-ciss-verify-checksums`,
+  * [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums),
-  * `/usr/lib/live/boot/0042-ciss-post-decrypt-attest`,
+  * [0042_ciss_post_decrypt_attest](../config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest),
+  * [9990-main.sh](../config/includes.chroot/usr/lib/live/boot/9990-main.sh),
+  * [9990-networking.sh](../config/includes.chroot/usr/lib/live/boot/9990-networking.sh),
+  * [9990-overlay.sh](../config/includes.chroot/usr/lib/live/boot/9990-overlay.sh).
 * **Hooks (boot view):** 
   * `/scripts/live-premount/0022-ciss-overlay-tmpfs`, 
   * `/scripts/live-premount/0024-ciss-crypt-squash`,
@@ -217,7 +216,7 @@ dmsetup table --showkeys CHILD  # expect integrity hmac sha512 4096
   * `/scripts/live-bottom/0030-ciss-verify-checksums`,
   * `/scripts/live-bottom/0042-ciss-post-decrypt-attest`
 * **Key files:**
-  * ISO edge (for 0030): embedded public key blob (project-specific fpr)
+  * ISO edge (for 0030): embedded public key blob (project-specific FPR)
   * Root FS (for 0042): `/etc/ciss/keys/<FPR>.gpg`
 * **Mounts (typical):** `/run/live/rootfs`, `/run/live/overlay`
 
@@ -262,7 +261,7 @@ I -- FAIL --> X;
 
 # 14. Closing Remarks
 
-This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection against medium tampering, bitrot and active attacks **both before and after decryption**. The dual verification phases plus `dmsetup` health make the state transparent and deterministic.
+This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection against medium tampering, bitrot and active attacks **both before and after decryption**. The dual verification phases make the state transparent and deterministic.
 
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**

docs/MAN_SSH_Host_Key_Policy.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.27<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer
 

docs/REFERENCES.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.27<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. Resources
 

docs/documentation/30-ciss-hardening.conf.md

@@ -0,0 +1,88 @@
+---
+gitea: none
+include_toc: true
+-----------------
+
+# 1. CISS.debian.live.builder
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
+**Master Version**: 8.13<br>
+**Build**: V8.13.768.2025.12.06<br>
+
+# 2. ``30-ciss-hardening.conf``
+
+This module is a kernel module loading policy file intended to be installed under ``/etc/modprobe.d/30-ciss-hardening.conf`` in 
+systems produced by **CISS.debian.live.builder**, and the associated **CISS.debian.installer.secure** framework. It constrains 
+the Linux kernels an automatic module loading mechanism by replacing the load actions for a broad set of rarely required modules 
+with a no-op handler and by blacklisting others, to reduce the attack surface available to unprivileged users and remote attackers.
+
+The configuration addresses the general class of vulnerabilities where an unprivileged actor can provoke the kernel into 
+autoloading a protocol or filesystem module, then exploit a defect in that module. The introductory comment explicitly 
+references CVE-2017-6074 as an example, where the DCCP protocol module could be pulled into memory simply by initiating a 
+DCCP connection. To counter this pattern, the file uses ``install <module> /bin/true`` rules to override the normal modprobe 
+behavior. When user space, or the kernel attempts to load one of these modules, modprobe executes ``/bin/true`` instead of 
+loading the module, returns success, and leaves the module absent from the running kernel.
+
+The first group of ``install`` directives disables a series of network protocol stacks and link layer implementations that are 
+considered exotic in contemporary hardened server or appliance environments. These include ``DCCP``, ``SCTP``, ``RDS``, ``TIPC``,
+``HDLC`` line discipline support, amateur-radio-oriented protocols such as ``AX.25``, ``NET/ROM``, and ``ROSE``, legacy 
+internetworking protocols like ``DECnet``, ``IPX``, and ``AppleTalk``, as well as ``CAN`` bus, ``ATM`` networking, and 
+``IEEE 802.15.4`` support. In the absence of this file, many of these modules could be autoloaded in response to crafted traffic
+reaching the host; with this policy in place, such attempts silently fail at the module loading step, and the packets are 
+processed without activating the corresponding kernel subsystems.
+
+The next section targets filesystem support that is not expected to be needed in the envisaged deployment scenarios. The module 
+defines ``install`` rules and explicit ``blacklist`` entries for legacy or niche on-disk formats such as ``CRAMFS``, ``FreeVxFS``, 
+``JFFS2``, ``HFS``, ``HFS+``, and ``UDF``. On a system using this configuration unmodified, attempts to mount volumes of these 
+types will not cause the kernel modules to load automatically; instead, the mount will fail because the filesystem 
+implementation never becomes available. The combination of ``install /bin/true`` and ``blacklist`` ensures that neither direct
+``modprobe`` calls in user space nor automatic resolution through modalias can pull these modules in.
+
+A separate block disables network filesystems that could otherwise be used to introduce complex protocol stacks and large code 
+paths into the kernel. The file defines ``install`` and ``blacklist`` rules for ``CIFS``, ``NFS``, including explicit ``nfsv3`` 
+and ``nfsv4`` aliases, the in-kernel ``SMB`` server ``ksmbd``, and the cluster filesystem ``gfs2``. Systems hardened with this
+module therefore cannot mount ``CIFS`` or ``NFS`` shares, nor can they serve ``SMB`` via ``ksmbd``, unless this policy file is 
+removed or overridden. This choice is a deliberate constraint: it trades the convenience of built-in remote filesystems for the 
+lower risk profile of a kernel that does not contain these historically vulnerable and feature-rich subsystems.
+
+The configuration also addresses specific devices and miscellaneous drivers. USB mass storage, and the ``USB Attached SCSI (UAS)`` 
+transport are disabled by combining ``install usb-storage /bin/true``, ``install uas /bin/true`` with corresponding ``blacklist`` 
+lines. This prevents the system from interacting with USB storage devices, which mitigates a range of data exfiltration, rogue 
+devices, and untrusted media scenarios. The FireWire core ``firewire-core`` is similarly blocked from loading via an ``install`` 
+rule, removing another hot-plug bus traditionally associated with direct memory access capabilities. The file also disables the 
+``vivid`` video driver, noted in the comment as a testing-only driver with a history of privilege escalation issues, by 
+replacing its load operation with ``/bin/true``.
+
+In its final part, the module incorporates and extends a set of blacklist conventions originating from a kmod configuration in 
+a major distribution. It blacklists the ``evbug`` input event debugging driver, simple USB input drivers ``usbmouse``, ``usbkbd``
+that are typically superseded by more modern subsystems, ``eth1394`` which can create confusing extra network interfaces, and 
+the ``pcspkr`` driver for the legacy PC speaker. These entries do not use ``install /bin/true`` and therefore only prevent 
+automatic loading based on modalias; they do not fully override manual ``modprobe`` invocations, which aligns with their purpose
+as quality-of-life and clarity improvements rather than hard prohibitions.
+
+Within the overall **CISS.debian.live.builder** and **CISS.debian.installer.secure** workflow, this file is purely declarative. 
+Its inputs are the module names hard-coded in the configuration, and the fixed mapping of those names to either ``/bin/true`` or 
+blacklist semantics, and it has no runtime parameters or external dependencies beyond the standard kmod / modprobe stack. The 
+principal side effect is systemic: once present in ``/etc/modprobe.d`` and read by kmod during module resolution, it constrains, 
+which kernel modules can ever be introduced into the running kernel via normal loading pathways. This affects the live system 
+boots produced by the builder as well as installed systems provisioned by the installer, assuming the file is propagated into 
+the target root filesystem.
+
+The configuration assumes that the target systems do not rely on the disabled protocols, filesystems, or device classes. In 
+environments where ``CIFS`` or ``NFS`` mounts, ``CAN`` bus interfaces, ``IEEE 1394`` peripherals, or USB mass storage are 
+operationally required, administrators must explicitly adjust or remove this module. There is no internal mechanism for 
+conditional activation, staging, or feature detection. From a hardening perspective, the absence of dynamic control is 
+intentional: the file embodies a closed, conservative policy that removes entire classes of kernel functionality rather than 
+trying to selectively mediate their use.
+
+There is no error handling logic in the conventional sense, because the file is not an executable script. The only behavioral
+nuance lies in the use of ``/bin/true`` for the ``install`` directives. This design causes callers that request a module to 
+observe a successful return code from the modprobe even though the module is not present afterward. Some tooling that 
+naively checks only the exit status might therefore believe that the module was loaded. For the purposes of hardening, this 
+discrepancy is acceptable: it guarantees that the module never enters the kernel while keeping the calling code simple, at the 
+cost of possibly opaque failure modes that must be understood by system integrators using this configuration.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

docs/documentation/90-ciss-local.hardened.md

@@ -0,0 +1,109 @@
+---
+gitea: none
+include_toc: true
+-----------------
+
+# 1. CISS.debian.live.builder
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
+**Master Version**: 8.13<br>
+**Build**: V8.13.768.2025.12.06<br>
+
+# 2. ``90-ciss-local.hardened``
+
+The configuration fragment ``90-ciss-local.hardened`` defines the local kernel and network hardening baseline that CISS systems 
+apply via the Linux ``sysctl`` mechanism. It is written as a conventional ``sysctl.d`` drop-in and is meant to be consumed by early 
+userspace tooling such as ``systemd-sysctl``, which imports the settings into ``/proc/sys`` during boot.
+
+At a high level, the file does not contain executable shell logic. It consists exclusively of documented key–value assignments 
+in the sysctl namespace plus a number of commented candidates that serve as a catalogue of optional hardening toggles. 
+The numeric prefix ``90-`` places it late in the ``sysctl.d`` processing order, so its values override both distribution defaults 
+and any earlier CISS baseline fragments. Error handling and reporting are delegated to the standard sysctl loader: unknown or
+unsupported keys will be rejected and logged, but the configuration itself does not implement any conditional fallback paths.
+
+The first block targets kernel level attack surface and introspection capabilities. By setting ``kernel.modules_disabled=1`` 
+the configuration irrevocably closes the in-kernel module loader once the sysctl is applied, which prevents any further ``insmod``
+or ``modprobe`` operations and thereby cuts off an entire class of kernel code injection vectors. The embedded warning comments 
+ point out that this implies a very rigid boot pipeline: any device drivers, filesystems, or network stack components that are 
+not built in or preloaded before this switch is flipped will simply never appear, which would otherwise lead to a dead network 
+stack and loss of remote access. Additional restrictions such as ``kernel.unprivileged_bpf_disabled=1``, ``net.core.bpf_jit_harden=2``, 
+``dev.tty.ldisc_autoload=0``, ``vm.unprivileged_userfaultfd=0``, ``kernel.kexec_load_disabled=1`` and ``kernel.unprivileged_userns_clone=0`` 
+collectively neutralize typical exploitation primitives. They disable unprivileged BPF program loading, force the BPF JIT into 
+its hardened mode, prevent automatic loading of TTY line discipline modules, restrict ``userfaultfd`` to privileged callers, 
+shut off in-kernel kexec, and forbid unprivileged user namespace creation. Taken together, these choices assume a server or 
+appliance workload that does not need container-style unprivileged namespaces, local kexec reseating, or dynamic TTY plumbing 
+and is willing to trade flexibility for a markedly smaller attack surface.
+
+A second cluster tightens diagnostic visibility and process inspection. The settings ``kernel.kptr_restrict=2`` and 
+``kernel.dmesg_restrict=1`` remove kernel pointer values and log contents from unprivileged users, while ``kernel.printk=3 3 3 3`` 
+drastically reduces what is emitted on the console during and after boot. TTY injection via the historical TIOCSTI ioctl is 
+disabled with ``dev.tty.legacy_tiocsti=0``, which the comments correctly note may break some screen readers but eliminates a 
+convenient path to smuggle keystrokes into another session. Process debugging is gated using the Yama LSM control 
+``kernel.yama.ptrace_scope=2``, which only permits ``ptrace`` attach operations from processes that hold ``CAP_SYS_PTRACE``; 
+unprivileged users can no longer freely attach debuggers to sibling processes. This aligns the system strongly towards a 
+production profile in which on-host debugging is effectively a privileged maintenance activity rather than a normal user 
+capability.
+
+Crash handling and memory layout are hardened in a deliberate, multistep fashion. Classic process core dumps are effectively 
+disabled by ``fs.suid_dumpable=0`` and ``kernel.core_pattern=|/bin/false``, so even privileged processes do not leave crash images 
+lying around on persistent storage. ``kernel.core_uses_pid=1`` is kept consistent with this policy but has no practical effect 
+once the core pattern is redirected into ``false``. The mapping base randomization knobs ``kernel.randomize_va_space=2``, 
+``vm.mmap_rnd_bits=32`` and ``vm.mmap_rnd_compat_bits=16`` increase address space layout randomization for both native and compat 
+processes, raising the entropy available for exploit mitigation. The comments explicitly point out that the chosen bit widths 
+are tuned for x86 type architectures, and that other CPU families may require different values, so the configuration implicitly 
+assumes a modern x86_64 kernel that implements these sysctls. The pair ``kernel.warn_limit=1`` and ``kernel.oops_limit=1`` 
+introduces an extremely low tolerance for kernel anomalies: in combination with a build that enables ``CONFIG_PANIC_ON_OOPS``, 
+which the commentary references, even a single WARN, BUG, or oops will trigger a reboot cycle rather than allow the kernel to 
+limp along in a potentially corrupted state.
+
+Filesystem-related sysctls are used to close off classes of symlink and hardlink-based attacks against privileged processes. The
+combination of ``fs.protected_symlinks=1``, ``fs.protected_hardlinks=1``, ``fs.protected_fifos=2`` and ``fs.protected_regular=2`` 
+changes how the kernel resolves symbolic links, hardlinks, and special files in world-writable directories. Access is 
+constrained so that following such references across user boundaries or into attacker-controlled locations is significantly more 
+difficult. This is particularly relevant for services that operate within shared directories such as ``/tmp`` and that 
+historically have been exploitable through TOCTOU race conditions on links.
+
+The networking section establishes a host profile that behaves explicitly as an end system, not as a router, and that is hostile
+to in-band reconfiguration from the network. Source routing is disabled for both IPv4 and IPv6 through 
+``net.ipv4.conf.*.accept_source_route=0`` and ``net.ipv6.conf.*.accept_source_route=0``. Redirects are neither accepted nor sent,
+using the cluster ``net.ipv4.conf.*.accept_redirects=0``, ``net.ipv4.conf.*.secure_redirects=0``, ``net.ipv6.conf.*.accept_redirects=0``, 
+and ``net.ipv4.conf.*.send_redirects=0``. Reverse path filtering is enabled with ``net.ipv4.conf.all.rp_filter=1`` and 
+``net.ipv4.conf.default.rp_filter=1``, which offers a basic defense against address spoofing. Logging of martian packets is 
+activated by ``net.ipv4.conf.*.log_martians=1``, so the system will record traffic with obviously bogus source addresses. IP 
+forwarding is forcibly disabled via ``net.ipv4.conf.all.forwarding=0``, reinforcing the assumption that these machines are not 
+supposed to forward traffic between interfaces.
+
+On the IPv6 side, router advertisements are turned off by ``net.ipv6.conf.all.accept_ra=0`` and ``net.ipv6.conf.default.accept_ra=0``, 
+which means that global IPv6 addressing and routing information must be configured statically or via a trusted configuration 
+mechanism. ARP resilience is improved by setting ``net.ipv4.conf.all.arp_ignore=1`` and ``net.ipv4.conf.default.arp_ignore=1``, so 
+the kernel only replies to ARP requests that match the target IP address on the receiving interface; this shrinks the surface 
+for ARP spoofing and gratuitous replies. ICMP behavior is made highly conservative: ``net.ipv4.icmp_echo_ignore_all=1`` and 
+``net.ipv4.icmp_echo_ignore_broadcasts=1`` effectively suppress echo replies entirely and ignore directed broadcasts, which 
+hinders network scanning and mitigates certain amplification attacks at the cost of losing simple ``ping`` diagnostics.
+
+Transport level settings are focused on resilience against SYN flood type denial of service and fingerprinting noise. The switch
+``net.ipv4.tcp_syncookies=1`` activates SYN cookies, ``net.ipv4.tcp_rfc1337=1`` instructs the kernel to protect against time-wait 
+assassination, and ``net.ipv4.tcp_max_syn_backlog=4096`` enlarges the queue for half-open connections, so the system can sustain 
+more parallel handshake attempts before dropping them. ``net.ipv4.tcp_synack_retries=2`` it reduces the number of retransmissions for
+SYN-ACK packets, which shortens the time wasted on unreachable peers and malicious scanners but can marginally penalize very 
+lossy networks. Finally, ``net.ipv4.tcp_timestamps=0`` disables TCP timestamps, which otherwise leak information about host uptime
+and clock behavior and can be abused for subtle fingerprinting.
+
+Beyond the active values, the module also documents several tunables that are intentionally left commented out. These include 
+sysctls for IO_uring disablement, performance event restrictions, memory overcommit policy, dirty page ratios, and swap 
+aggressiveness. Their presence turns the file into a compact reference of hardened defaults that the CISS ecosystem considers 
+defensible, while still leaving room for operator-specific adjustments when hardware constraints or workload characteristics 
+demand different trade-offs.
+
+In terms of preconditions, the configuration assumes a Linux kernel new enough to understand the modern hardening knobs it 
+targets, and a deployment model where almost all required modules and capabilities are either built into the kernel or loaded 
+before sysctl application. It does not itself coordinate with the live boot or initramfs stages: instead, it defines the 
+steady-state behavior of a system that has already pivoted into its real root filesystem. Within the overall 
+**CISS.debian.live.builder** architecture, ``90-ciss-local.hardened`` therefore functions as the final, host level enforcement layer 
+that aligns runtime behavior with the hardened kernel command line and build time options defined elsewhere in the project, 
+closing off residual dynamic features and network behaviors that would otherwise remain available after boot.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

docs/documentation/ciss_live_builder.sh.md

@@ -0,0 +1,113 @@
+---
+gitea: none
+include_toc: true
+-----------------
+
+# 1. CISS.debian.live.builder
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
+**Master Version**: 8.13<br>
+**Build**: V8.13.768.2025.12.06<br>
+
+# 2. ``ciss_live_builder.sh``
+
+This module implements the primary orchestration entry point for the ``CISS.debian.live.builder`` toolchain and drives the 
+complete lifecycle of a hardened Debian live ISO build in a single, linear control flow. It is responsible for validating the 
+execution environment, enforcing strict process invariants, loading all required library components, and then delegating the 
+actual configuration and build steps to the specialized helper libraries in a defined order.<br>
+
+The script assumes a modern Bash runtime and treats any other shell as a hard error. It refuses to run under ``ash``, ``dash``, 
+``ksh``, generic ``sh``, or ``zsh``, and verifies that it is executed, not sourced, by checking ``BASH_SOURCE`` versus ``$0`` 
+and by probing signal handling to detect accidental invocation through ``sh``. It further enforces an effective user id of ``0``
+and requires ``Bash 5.1`` or newer; lower versions or older minor releases result in immediate termination with explicit 
+diagnostics. These checks rely on error codes and constants provided by a shared global variable file that is sourced only when 
+the precondition fails, which keeps the fast path minimal while still centralizing return codes and messages.<br>
+
+At startup the module captures positional parameters into a dedicated array and records several pieces of invocation metadata, 
+such as the raw argument string, the program name, the absolute path to the script location, and a fixed path in tmpfs for 
+secret build artifacts. This secret area, mapped to ``/dev/shm``, is hardened early in the control flow: any symlink at that 
+location is treated as a fatal integrity violation, and existing files below that directory are forced to mode ``0400`` and 
+ownership ``root:root`` in order to prevent privilege erosion or leakage of keys and sensitive configuration. The script also 
+establishes a canonical working directory rooted at the script location and exposes it via ``VAR_WORKDIR`` for downstream 
+components.<br>
+
+Before any complex logic runs, a minimal early-variable configuration and the guard infrastructure are loaded. The module uses a
+``source_guard()`` abstraction to pull in environment and option hardening ``bash.var.sh`` and later the broader variable sets 
+``color.var.sh`` and ``global.var.sh``. This guard layer encapsulates defensive sourcing: it ensures that required files exist, 
+are regular files, and can be safely imported, and it centralizes error handling for missing or malformed dependencies. On top 
+of this, the script interprets a narrow set of meta-arguments that short-circuit the normal control flow. Options for contact 
+information, help text, version output, and a debug mode are resolved in small one-line loops that normalize the argument case, 
+source the corresponding library and call a single function, then exit cleanly. The debug mode delegates to a separate 
+debug wrapper that is expected to toggle xtrace facilities without polluting non-debug runs.<br>
+
+Once the basic environment is secured, the script marks setup completion through a ``VAR_SETUP`` flag and proceeds to load the 
+full set of library modules that provide the actual functionality of the builder. These range from argument parsing, priority 
+checks and on-screen dialog handling to live-build configuration, hardening routines, SSH and root password security tweaks, 
+provider-specific integration for Netcup, microcode updates, GnuPG initialization and signature handling, as well as a family of
+trap and sanitization helpers. The module does not itself implement these behaviors; instead, it acts as a strict dispatcher that
+sequences the library calls, which keeps the main script relatively compact while enforcing one centralized control graph.<br>
+
+A mandatory dependency check is performed via ``check_pkgs()``, which is expected to verify the presence of all external tools 
+that later library calls depend on, including ``live-build``, ``dialog``, cryptographic tools, and network utilities. Only after
+this succeeds does the module attempt to acquire an advisory lock on ``/var/lock/ciss_live_builder.lock``. It assigns file 
+``descriptor 127`` to the lock file and uses ``flock`` in nonblocking exclusive mode. If the lock cannot be acquired, the script
+assumes that another builder instance is running and aborts with a collision error code, thereby ensuring that concurrent runs 
+cannot corrupt the shared build directory or interfere with secret handling.<br>
+
+Command line semantics distinguish between interactive and autobuild modes. The module scans the argument list for ``-a=`` or
+``--autobuild=`` options and, when present, toggles a ``VAR_HANDLER_AUTOBUILD`` flag and records the specified kernel identifier. 
+In autobuild mode, intended for CI pipelines, the dialog-based user interface is suppressed, and the script runs purely 
+non-interactively. Independently of the mode, the script ensures that ``/usr/local/sbin`` and ``/usr/sbin`` are present in ``PATH``, 
+which is relevant when ``live-build`` or other administrative tools are installed in non-standard locations.<br>
+
+For interactive runs, the module uses a dialog-based boot screen abstraction with a gauge that is updated through writes to file
+``descriptor 3``. It announces successive phases of initialization, including trap activation, argument sanitization, parsing, 
+and final checks, incrementally advancing the progress indicator until initialization reaches 100 percent. Sanitization is 
+applied through ``arg_check()``, which rejects malformed or unsupported options and normalizes the argument vector, and the
+result is captured in both an array, and a flattened string for later logging and diagnostics. The dedicated ``arg_parser()``
+then interprets the cleaned arguments into internal configuration variables that govern the behavior of the subsequent build 
+steps. A ``clean_ip()`` routine is invoked as part of final checks, indicating that IP address parameters or environment-derived
+network settings are normalized and scrubbed before being used to contact external resources.<br>
+
+Once initialization completes, the dialog wrapper is dismantled via ``boot_screen_cleaner()`` and the script transitions into 
+the main program. When not in autobuild mode, provider and kernel are verified explicitly; ``check_provider()`` ensures that the
+selected hosting or deployment provider is supported and properly configured, and ``check_kernel()`` validates the target kernel
+flavor or version, matching it against what is available on the build host.<br>
+
+The build preparation sequence starts with ``ciss_upgrades_build()``, which enforces a specific upgrade policy on the build host
+ISO generation, followed by ``hardening_ssh_tcp()``, which introduces transport-level SSH and TCP hardening settings required 
+for the resulting live system. The ``live-build`` tooling is then initialized. The ``lb_config_start()`` helper prepares the 
+build environment, by creating or cleaning the ``live-build`` configuration directory and populating baseline files. Immediately
+afterward ``lb_config_write_trixie()`` writes a fully specified configuration for a Debian Trixie based system, which anchors 
+the release and package universe of the live medium.<br>
+
+Before any cryptographic operations or remote integrations occur, ``init_gnupg()`` provisions a dedicated ``GNUPGHOME`` for this
+build, including keyring directories and trust anchors, to isolate GnuPG state. The following ``init_primordial()`` step 
+integrates an initial SSH identity set into the build context, which designates as "primordial" identities, used for early 
+remote access into the private primordial git repo environment. From that point on, all modifications that touch the future ISO 
+are applied inside the live-build directory referenced by ``VAR_HANDLER_BUILD_DIR`` rather than the repository itself. The 
+``hardening_ultra()`` library is invoked to apply an extended hardening profile across configuration files, sysctl parameters to 
+achieve the stringent security posture expected from the CISS standard.<br>
+
+Integration with the **``CISS.debian.installer``** is performed by the ``cdi()`` helper, which is responsible for embedding 
+autostart logic into the live image so that the installer can be launched in a controlled way directly from the live medium. 
+Subsequent calls tweak the visual and operational characteristics of the image: ``change_splash()`` adjusts boot splash assets, 
+``check_dhcp()`` verifies that DHCP behavior and network defaults are consistent with the target environment, ``ciss_signatures()`` 
+applies cryptographic signatures to artifacts and configuration checkpoints, and ``ciss_upgrades_boot()`` prepares the boot-time
+upgrade mechanism. ``hardening_root_pw()`` finalises the root password policy in the resulting system, ``note_target()`` records
+build metadata about the deployment target, ``provider_netcup()`` executes provider-specific adjustments for Netcup environments, 
+and ``update_microcode()`` brings CPU microcode handling to a defined state inside the image.
+
+Before the actual image build begins, ``x_hooks()`` and ``x_remove()`` are called to integrate additional live-build hooks and to
+remove transient or development-only components from the build tree. The script then temporarily disables error trace propagation 
+with ``set +o errtrace``, runs ``lb_build_start()`` to invoke the ``live-build`` engine and generate the ISO, and re-enables 
+``errtrace`` afterwards so that subsequent failures are again intercepted by the error trap. Post-build analysis is performed by 
+``run_analysis()``, which inspects the build logs, artifact hashes, and runtime, and ISO artifacts. Finally, the script marks 
+``VAR_SCRIPT_SUCCESS`` as true to document a clean run and exits with a zero status code; any earlier failure would be caught by
+the ``ERR`` or ``EXIT`` traps and processed by the ``trap_on_err()`` or ``trap_on_exit()`` handlers defined in the corresponding
+libraries, ensuring consistent diagnostic output and cleanup for both expected and unexpected error conditions.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

lib/lib_arg_parser.sh

@@ -157,6 +157,18 @@ arg_parser() {
           fi
           ;;
 
+        --cicd)
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            printf "\e[91m❌ Error: --cicd MUST NOT be followed by an argument.\e[0m\n" >&2
+            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+            exit "${ERR_ARG_MSMTCH}"
+          fi
+          # shellcheck disable=SC2034
+          declare -g VAR_GITEA_RUNNER="true"
+          shift 1
+          ;;
+
         --control)
           if [[ -n "${2-}" ]]; then
             # shellcheck disable=SC2034

lib/lib_cdi.sh

@@ -44,7 +44,7 @@ cdi() {
     tmp_entry="$(mktemp)"
     cat << EOF >| "${tmp_entry}"
 menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i {
-        linux /live/vmlinuz-${VAR_KERNEL} boot=live ciss_iso_label=CISS.debian.live ciss_crypt_path=/live/ciss_rootfs.crypt components ip=dhcp keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path}
+        linux /live/vmlinuz-${VAR_KERNEL} boot=live ciss_iso_label=CISS.debian.live ciss_crypt_path=/live/ciss_rootfs.crypt components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path}
         initrd /live/initrd.img-${VAR_KERNEL}
 }
 EOF

lib/lib_ciss_signatures.sh

@@ -17,7 +17,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 # Module to export GPG FPRs into scripts:
 #  - /etc/initramfs-tools/files/unlock_wrapper.sh
 #  - /usr/lib/live/boot/0030-ciss-verify-checksums
-#  - /etc/initramfs-tools/scripts/init-bottom/0042-ciss-post-decrypt-attest.sh
+#  - /usr/lib/live/boot/0042_ciss_post_decrypt_attest
 # Globals:
 #   BASH_SOURCE
 #   VAR_HANDLER_BUILD_DIR
@@ -34,8 +34,8 @@ ciss_signatures() {
 
   declare -ar _ary_target=(
     "/etc/initramfs-tools/files/unlock_wrapper.sh"
-    "/etc/initramfs-tools/scripts/init-bottom/0042-ciss-post-decrypt-attest"
     "/usr/lib/live/boot/0030-ciss-verify-checksums"
+    "/usr/lib/live/boot/0042_ciss_post_decrypt_attest"
   )
 
   declare _target="" target=""

lib/lib_clean_up.sh

@@ -15,14 +15,16 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Cleanup wrapper on the traps on 'ERR' and 'EXIT'.
 # Globals:
-#   VAR_CDLB_INSIDE_RUNNER
 #   GNUPGHOME
 #   LOG_ERROR
+#   VAR_CDLB_INSIDE_RUNNER
+#   VAR_EARLY_DEBUG
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_KERNEL_INF
 #   VAR_KERNEL_SRT
 #   VAR_KERNEL_TMP
 #   VAR_NOTES
+#   VAR_TMP_SECRET
 #   VAR_WORKDIR
 # Arguments:
 #   1 : ${trap_on_exit_code} of trap_on_exit()
@@ -95,22 +97,34 @@ clean_up() {
 
   fi
 
+  ### No tracing for security reasons ------------------------------------------------------------------------------------------
+  [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x
+
   ### Removes secrets securely.
   # shellcheck disable=SC2312
   find "${VAR_TMP_SECRET}" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
   find "${VAR_TMP_SECRET}" -xdev -depth -type d -empty -delete
 
-  # TODO: activate
   ### Securely shred all regular files below ./includes.chroot, then remove empty dirs.
-  #if [[ -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
+  if [[ -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
 
     # shellcheck disable=SC2312
-  #  find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
+    find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -xdev -type f -print0 | xargs -0 --no-run-if-empty shred -fzu -n 5 --
 
     ### Remove empty directories (bottom-up).
-  #  find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -depth -xdev -type d -empty -delete
+    find "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" -depth -xdev -type d -empty -delete
 
-  #fi
+  fi
+
+  ### Delete all files and directories below ./chroot.
+  if [[ -d "${VAR_HANDLER_BUILD_DIR}/chroot" ]]; then
+
+    rm -rf "${VAR_HANDLER_BUILD_DIR}/chroot"
+
+  fi
+
+  ### Turn on tracing again ----------------------------------------------------------------------------------------------------
+  [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x
 
   eval "${_old_nullglob}" 2>/dev/null || true
   eval "${_old_dotglob}"  2>/dev/null || true

lib/lib_lb_config_write_trixie.sh

@@ -45,7 +45,7 @@ lb_config_write_trixie() {
     --binary-filesystem fat32 \
     --binary-image iso-hybrid \
     --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
-    --bootappend-live "boot=live ciss_iso_label=CISS.debian.live ciss_crypt_path=/live/ciss_rootfs.crypt components ip=dhcp keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
+    --bootappend-live "boot=live ciss_iso_label=CISS.debian.live ciss_crypt_path=/live/ciss_rootfs.crypt components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
     --bootloaders grub-efi \
     --cache true \
     --checksums sha512 sha384 sha256 \
@@ -101,7 +101,7 @@ lb_config_write_trixie() {
     --system live \
     --source false \
     --source-images tar \
-    --uefi-secure-boot auto \
+    --uefi-secure-boot enable \
     --updates true \
     --utc-time true \
     --verbose

lib/lib_provider_netcup.sh

@@ -19,7 +19,6 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   BASH_SOURCE
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_HANDLER_NETCUP_IPV6
-#   VAR_WORKDIR
 # Arguments:
 #   None
 # Returns:
@@ -57,10 +56,12 @@ DNS=138.199.237.109
 DNS=2a01:4f9:c012:a813:135:181:207:105
 DNS=2a0a:4cc0:1:e6:89:58:62:53
 DNS=2a01:4f8:c013:8011:138:199:237:109
-DNSOverTLS=opportunistic
+DNSOverTLS=yes
 DNSSEC=yes
 IPv6AcceptRA=no
 LinkLocalAddressing=ipv6
+LLMNR=no
+MulticastDNS=no
 
 [Address]
 Address=${handler_netcup_ipv6_string}/128
@@ -72,18 +73,12 @@ GatewayOnLink=yes
 [DHCPv4]
 UseDNS=no
 UseDomains=no
-RoutesToDNS=no
 UseNTP=no
 UseHostname=no
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 
-    #sed -i "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot"
-    #rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
-    #cp "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
-    #chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot"
-
     printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
 
   fi

lib/lib_usage.sh

@@ -39,13 +39,13 @@ usage() {
   # shellcheck disable=SC2155
   declare var_header=$(center "CDLB(1)                        CISS.debian.live.builder                        CDLB(1)" "${var_cols}")
   # shellcheck disable=SC2155
-  declare var_footer=$(center "V8.13.512.2025.11.27                        2025-11-06                         CDLB(1)" "${var_cols}")
+  declare var_footer=$(center "V8.13.768.2025.12.06                        2025-12-05                         CDLB(1)" "${var_cols}")
 
   {
     echo -e "\e[1;97m${var_header}\e[0m"
     echo
     echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V8.13.512.2025.11.27\e[0m"
+    echo -e "\e[92mMaster V8.13.768.2025.12.06\e[0m"
     echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
     echo
     echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
@@ -77,7 +77,7 @@ usage() {
     echo "    This option creates a boot menu entry that starts the forthcoming 'CISS.debian.installer', which is executed"
     echo "    once the system has successfully booted up."
     echo
-    echo -e "\e[97m  --contact, -c\ e[0m"
+    echo -e "\e[97m  --contact, -c\e[0m"
     echo "    Show author contact information."
     echo
     echo -e "\e[97m  --control <STRING>\e[0m"

scripts/0010_dhcp_supersede.sh

@@ -21,7 +21,7 @@ fi
 
 cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/systemd/network/90-ciss-ethernet.network
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-11-26; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-12-03; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -42,20 +42,18 @@ DNS=138.199.237.109
 DNS=2a01:4f9:c012:a813:135:181:207:105
 DNS=2a0a:4cc0:1:e6:89:58:62:53
 DNS=2a01:4f8:c013:8011:138:199:237:109
-DNSOverTLS=opportunistic
+DNSOverTLS=yes
 DNSSEC=yes
 IPv6AcceptRA=yes
 LinkLocalAddressing=ipv6
 
 [DHCPv4]
-RoutesToDNS=no
 UseDNS=no
 UseDomains=no
 UseHostname=no
 UseNTP=no
 
 [DHCPv6]
-RoutesToDNS=no
 UseDNS=no
 UseDomains=no
 UseHostname=no

scripts/usr/local/sbin/9999_cdi_starter.sh

@@ -130,7 +130,7 @@ main() {
   touch "${var_log}"
 
 
-  printf "CISS.debian.installer Master V8.13.512.2025.11.27 is up! \n" >> "${var_log}"
+  printf "CISS.debian.installer Master V8.13.768.2025.12.06 is up! \n" >> "${var_log}"
 
   ### Sleep a moment to settle boot artifacts.
   sleep 8
@@ -209,7 +209,7 @@ main() {
 
   ### Timeout reached without acceptable semaphore.
   logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
-  printf "CISS.debian.installer Master V8.13.512.2025.11.27: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
+  printf "CISS.debian.installer Master V8.13.768.2025.12.06: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
 
   exit 0
 }

var/early.var.sh

@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
 declare -grx VAR_HOST="$(uname -n)"
 declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
-declare -grx VAR_VERSION="Master V8.13.512.2025.11.27"
+declare -grx VAR_VERSION="Master V8.13.768.2025.12.06"
 declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
   # Print $4 and $5; include $6 only if it exists
   out = $4

var/global.var.sh

@@ -28,7 +28,6 @@ touch "${LOG_ERROR}" && chmod 0600 "${LOG_ERROR}"
 
 declare -g  __umask=""
 declare -g  VAR_ARCHITECTURE=""
-declare -g  VAR_CDLB_INSIDE_RUNNER="${VAR_CDLB_INSIDE_RUNNER:-false}"
 declare -g  VAR_HANDLER_BUILD_DIR=""
 declare -g  VAR_HANDLER_CDI="false"
 declare -g  VAR_HANDLER_NETCUP_IPV6="false"
@@ -51,6 +50,7 @@ declare -gr VAR_CHROOT_DIR="chroot"
 declare -gr VAR_PACKAGES_FILE="chroot.packages.live"
 declare -gx VAR_AGE="false"
 declare -gx VAR_AGE_KEY=""
+declare -gx VAR_CDLB_INSIDE_RUNNER="${VAR_CDLB_INSIDE_RUNNER:-false}"
 declare -gx VAR_LUKS="false"
 declare -gx VAR_LUKS_KEY=""
 declare -gx VAR_SIGNER="false"