DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]

X-CI-Metadata: master@99d669d at 2025-12-06T04:39:52Z on 941bb339cd9a

Generated at : 2025-12-06T04:39:52Z
Runner Host  : 941bb339cd9a
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 99d669d HEAD -> master

.archive/generate_PRIVATE_trixie_0.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.544.2025.12.05
+# Version Master V8.13.768.2025.12.06
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 

.archive/generate_PRIVATE_trixie_1.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.544.2025.12.05
+# Version Master V8.13.768.2025.12.06
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 

.archive/generate_PUBLIC_iso.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.544.2025.12.05
+# Version Master V8.13.768.2025.12.06
 
 name: 💙 Generating a PUBLIC Live ISO.
 

.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml

@@ -25,7 +25,7 @@ body:
     attributes:
       label: "Version"
       description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.13.544.2025.12.05"
+      placeholder: "e.g., Master V8.13.768.2025.12.06"
     validations:
       required: true
 

.gitea/TODO/dockerfile

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.544.2025.12.05
+# Version Master V8.13.768.2025.12.06
 
 FROM debian:bookworm
 

.gitea/TODO/render-md-to-html.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.544.2025.12.05
+# Version Master V8.13.768.2025.12.06
 
 name: 🔁 Render README.md to README.html.
 

.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.544.2025.12.05
+  version: V8.13.768.2025.12.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.544.2025.12.05
+  version: V8.13.768.2025.12.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PUBLIC.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.544.2025.12.05
+  version: V8.13.768.2025.12.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_dns.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.544.2025.12.05
+  version: V8.13.768.2025.12.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PRIVATE_trixie_0.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.544.2025.12.05
+# Version Master V8.13.768.2025.12.06
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 
@@ -216,7 +216,6 @@ jobs:
             --cdi \
             --change-splash hexagon \
             --control "${timestamp}" \
-            --debug \
             --dhcp-centurion \
             --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS }} \
             --key_age=keys.txt \
@@ -233,7 +232,6 @@ jobs:
             --trixie
 
       - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
-        shell: bash
         env:
           NC_BASE: "https://cloud.e2ee.li"
           SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
@@ -243,11 +241,8 @@ jobs:
           SHARE_SUBDIR=""
 
           echo "📥 Get directory listing via PROPFIND ..."
-          curl -s \
+
-          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+          curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
-          -X PROPFIND \
-          -H "Depth: 1" \
-          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
           -o propfind_public.xml
 
           echo "📥 Filter .iso files from the PROPFIND response ..."
@@ -255,46 +250,65 @@ jobs:
           grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
 
           if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+
             echo "💡 Old ISO files found and deleted :"
+
             while IFS= read -r href; do
+
               FILE_URL="${NC_BASE}${href}"
               echo "  Delete: ${FILE_URL}"
-              if curl -s \
+
-                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+              if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then
-                  -X DELETE "${FILE_URL}"; then
+
                 echo "    ✅ Successfully deleted: $(basename "${href}")"
+
               else
+
                 echo "    ❌ Error: $(basename "${href}") could not be deleted"
+
               fi
+
             done < public_iso_list.txt
+
           else
+
             echo "💡 No old ISO files found to delete."
+
           fi
 
       - name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
-        shell: bash
         env:
           NC_BASE: "https://cloud.e2ee.li"
           SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
           SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
         run: |
           set -euo pipefail
+
           if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
             echo "❌ There must be exactly one .iso file in the directory!"
             exit 1
+
           else
+
             VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
             VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
             echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+
           fi
 
           AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
+
           if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
           --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+
             echo "✅ New ISO successfully uploaded."
+
           else
+
             echo "❌ Uploading the new ISO failed."
             exit 1
+
           fi
 
       - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.

.gitea/workflows/generate_PRIVATE_trixie_1.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.544.2025.12.05
+# Version Master V8.13.768.2025.12.06
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 
@@ -297,7 +297,7 @@ jobs:
 
           AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
 
-          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}"
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
           --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
 
             echo "✅ New ISO successfully uploaded."

.gitea/workflows/generate_PUBLIC_iso.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.544.2025.12.05
+# Version Master V8.13.768.2025.12.06
 
 name: 💙 Generating a PUBLIC Live ISO.
 
@@ -190,10 +190,8 @@ jobs:
             --architecture amd64 \
             --autobuild=6.17.8+deb13-amd64 \
             --build-directory /opt/cdlb \
-            --cdi \
             --change-splash hexagon \
             --control "${timestamp}" \
-            --debug \
             --root-password-file /dev/shm/cdlb_secrets/password.txt \
             --ssh-port 42137 \
             --ssh-pubkey /dev/shm/cdlb_secrets \
@@ -267,7 +265,7 @@ jobs:
 
           AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
 
-          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}"
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
           --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
 
             echo "✅ New ISO successfully uploaded."

.gitea/workflows/linter_char_scripts.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.544.2025.12.05
+# Version Master V8.13.768.2025.12.06
 
 # Gitea Workflow: Shell-Script Linting
 #

.gitea/workflows/render-dnssec-status.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.544.2025.12.05
+# Version Master V8.13.768.2025.12.06
 
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
 

.gitea/workflows/render-dot-to-png.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.544.2025.12.05
+# Version Master V8.13.768.2025.12.06
 
 name: 🔁 Render Graphviz Diagrams.
 

.version.properties

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.544.2025.12.05"
+properties_version="V8.13.768.2025.12.06"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

CISS.debian.live.builder.spdx

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.544.2025.12.05
+PackageVersion: Master V8.13.768.2025.12.06
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder

LINTER_RESULTS.txt

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-12-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-12-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-12-05T00:49:27Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-12-06T04:39:51Z"
 
 ✅ The last linter check was successful. ✅
 

LIVE_ISO_TRIXIE_0.private

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-11-08; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-12-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-11-08T19:46:24Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-12-06T03:44:29Z"
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_11_08T18_57_19Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_12_06T02_53_28Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  11065e6ed8f99b533352ad86bd5b4cc9b407652e79a34718da6aad46a5f603738553fde6fbcceaa3128bfbbfa4c1674c05552232d4620ea250bc029545600718
+  2bf967b902455fe1f4d3ba1cb0b3c5983c6812181ae95b10ce837c0aaae084207bf15c22add2709c21c45f4262db2a2f787b2c93f3a1c507289c020e70314707
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaQ+eEAAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaTOmnQAKCRA85KY4hzOw
-IcJaAP9FYAzawGRXQqt5mEL3SQy4cSDkc5/r/KDhy+ABdVNMvAEA1ReKZ7qXrESP
+IcItAQDvE6vEkbslGR5BLMVV+DKi2GDnIzIMVs7zROiPsKb3BgEA1Koqx7ccc+H2
-rgP2MsHaXHVBWGJUvFyMf6dUpbjEnA8=
+MmNv12w674dS2xmTZHOViYePe2KWLw0=
-=SkUY
+=I8w2
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_TRIXIE_1.private

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-29; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-12-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-10-29T21:52:45Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-12-06T04:35:36Z"
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_10_29T20_59_34Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_12_06T03_45_41Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  c2b295aa3bd7ccfbe6c83aa27aeeace796251ad93ebfbf999bc6b1ae7c3c881efeeeda5e9235c5f5b7ad022ee465bc61e04c46906c6a7ca79214866ae62e160d
+  fe9481d92cf61554da92ff883a58d9aaa2ae5fe86d9c3dd634a1c3a79e1b6ca5e08693d4f9b0870077fc0bf2f840a3e678d9c9dc44f9b8dae5d474a6d39e16b2
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaQKMrQAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaTOymAAKCRA85KY4hzOw
-ISgMAQDy82Yr4/F3cI/ZzLQJyoFSY2qgPl8d84eJZFhhTFpD3AEAmMBws55fQAzz
+Ic1iAQDVxT891Nv+LHzQs3vL31/1wqeOjiGmZbEJR8XvBoRe4wEAjdmvUpEXyb1Y
-Q9DBRAvRYgMDLmqsog+m3FEH7cXtDAg=
+qhaFcxWDrRgiVKaitGkbNo2w6yICdgY=
-=o+0d
+=TQPs
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

README.md

@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.544.2025.12.05-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.768.2025.12.06-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
  
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)  
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)  
@@ -27,7 +27,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.544.2025.12.05<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 **CISS.debian.live.builder — First of its own.**<br>
 **World-class CIA: Designed, handcrafted and powered by Centurion Intelligence Consulting Agency.**
@@ -175,7 +175,7 @@ installer toolchain.
 
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
 
-Example: `V8.13.544.2025.12.05`
+Example: `V8.13.768.2025.12.06`
 
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
 
@@ -286,6 +286,8 @@ For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-cis
 * **Description**: Disables and blacklists non-essential or insecure kernel modules.
 * **Rationale**: Minimizes attack surface by preventing loads of drivers or modules not required by the live environment.
 
+For further details see: **[30-ciss-hardening.conf.md](docs/documentation/30-ciss-hardening.conf.md)**
+
 ## 2.3. Network Hardening
 
 At the kernel level classical ``sysctl`` settings are applied that defend against spoofing and sloppy network behavior. Reverse path 

REPOSITORY.md

@@ -8,15 +8,15 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.544.2025.12.05<br>
+**Build**: V8.13.768.2025.12.06<br>
 
-# 2.1. Repository Structure
+# 2. Repository Structure
 
 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **8.13**, Build **V8.13.544.2025.12.05** (as of 2025-10-11)
+**Repository State:** Master Version **8.13**, Build **V8.13.768.2025.12.06** (as of 2025-10-11)
 
-## 2.2. Top-Level Layout
+## 3.1. Top-Level Layout
 
 ````text
 CISS.debian.live.builder/
@@ -59,15 +59,15 @@ CISS.debian.live.builder/
 
 > **Note:** The ISO marker files (`LIVE_ISO.*`) are produced by CI workflows for convenient retrieval of generated images.
 
-## 2.3. Directory Semantics
+## 3.2. Directory Semantics
 
-### 2.3.1. `.gitea/` — CI/CD Orchestration
+### 3.2.1. `.gitea/` — CI/CD Orchestration
 - **`workflows/`**: Declarative Gitea Actions to lint shell scripts, render Graphviz/DNSSEC status, and generate **PUBLIC**/**PRIVATE (TRIXIE)** ISOs reproducibly.
 - **`trigger/`**: Manual/auxiliary trigger manifests (`t_generate_PUBLIC.yaml`, `t_generate_PRIVATE_trixie_{0,1}.yaml`, `t_generate_dns.yaml`) to drive pipeline variants.
 - **`ISSUE_TEMPLATE/`**: Issue and pull request templates to standardize change management.
 - **`properties/`** and **`TODO/`**: Auxiliary config fragments (JSON/Lua) and maintenance utilities (e.g., `render-md-to-html.yaml`).
 
-### 2.3.2. `config/` — Live-Build Configuration
+### 3.2.2. `config/` — Live-Build Configuration
 - **`bootloaders/`**: Boot assets for GRUB in EFI and PC modes, incl. a branded splash image.
 - **`hooks/live/`**: **Ordered** `*.chroot` hooks implementing system configuration and hardening during image creation; the numeric prefixes dictate execution (e.g., `0000_basic_chroot_setup.chroot`, `0810_chrony_setup.chroot`, `0900_ufw_setup.chroot`, `9930_hardening_ssh.chroot`, `9950_hardening_fail2ban.chroot`).
 - **`includes.binary/boot/grub/`**: Static GRUB configuration embedded in the binary image (`config.cfg`).
@@ -77,40 +77,40 @@ CISS.debian.live.builder/
   - `root/` (administrator dotfiles and keys).
 - **`package-lists/`**: Architecture-specific and common package manifests (`amd64`, `arm64`, `common`) used by `live-build`.
 
-### 2.3.3. `docs/` — Documentation Corpus
+### 3.2.3. `docs/` — Documentation Corpus
 Audit reports (DNSSEC, Lynis, SSH, TLS, Haveged), **BOOTPARAMS**, **CHANGELOG**, **CODING_CONVENTION**, **CONTRIBUTING**, **REFERENCES**; plus `SECURITY/`, `LICENSES/`, architecture diagrams under `graphviz/`, and illustrative `screenshots/`.
 
-### 2.3.4. `lib/` — Shell Library Modules
+### 3.2.4. `lib/` — Shell Library Modules
 Composable, single-purpose modules used by the wrapper and CI steps (argument parsing and validation, kernel/CPU mitigation checks, provider support, `lb config/build` scaffolding, usage/version banners, sanitization and traps, SSH/root-password hardening, ultra-hardening profile, etc.).
 
-### 2.3.5. `scripts/` — Operational Helpers
+### 3.2.5. `scripts/` — Operational Helpers
 Ancillary scripts for DHCP supersedes, resolver bootstrapping, and live-boot verification; targeted paths such as `scripts/etc/network/` and `scripts/live-boot/` encapsulate deploy-time adjustments and integrity checks.
 
-### 2.3.6. `var/` — Variables & Defaults
+### 3.2.6. `var/` — Variables & Defaults
 Layered variable sets (`early.var.sh`, `global.var.sh`, `bash.var.sh`, `color.var.sh`) providing early-boot defaults, global tuning, and TTY/UI niceties.
 
-## 2.4. Key Files
+## 3.3. Key Files
 
 - **`ciss_live_builder.sh`** — Primary entrypoint; orchestrates argument parsing, environment preparation, `lb config`/`lb build` execution and post-processing.
 - **`makefile`** & **`config.mk.sample`** — Make-based convenience wrapper and a sample configuration surface.
 - **`README.md`, `SECURITY.md`, `LICENSE`, `CISS.debian.live.builder.spdx`** — Project overview, security policy, licensing, and SPDX manifest for compliance.
 - **ISO markers**: `LIVE_ISO.public`, `LIVE_ISO_TRIXIE_{0,1}.private` reflect CI pipeline outputs.
 
-## 2.5. Conventions & Build Logic
+## 3.4. Conventions & Build Logic
 
 - **Hook Ordering**: Numeric prefixes (`0000_…` → `99xx_…`) strictly determine execution sequencing within `config/hooks/live/`. Early hooks establish base state (initramfs modules, checksums), mid-range hooks integrate security services (AppArmor, Chrony/NTPsec, Lynis, UFW, Fail2Ban, SSH auditing), late hooks enforce hardening and cleanup (SSH tightening, memory-dump policies, service disablement).
 - **Binary vs. Chroot Includes**: Assets under `includes.binary/` affect the ISO’s bootloader stage; `includes.chroot/` become part of the runtime filesystem.
 - **Architecture Scoping**: Package lists are split into `*amd64*`, `*arm64*`, and `*common*` to keep images minimal and deterministic.
 - **CI/CD**: Reproducible ISO builds are executed via Gitea workflows; dedicated `trigger/` manifests parameterize public vs. private images and auxiliary rendering jobs (e.g., DNSSEC status, Graphviz diagrams).
 
-## 2.6. Cross-References (Documentation)
+## 3.5. Cross-References (Documentation)
 
 - **Boot Parameters**: see `docs/BOOTPARAMS.md`.
 - **Audits**: `docs/AUDIT_*.md` (DNSSEC, Lynis, SSH, TLS, Haveged).
 - **Coding & Contribution**: `docs/CODING_CONVENTION.md`, `docs/CONTRIBUTING.md`.
 - **Change Log & References**: `docs/CHANGELOG.md`, `docs/REFERENCES.md`.
 
-## 2.7. Licensing & Compliance
+## 3.6. Licensing & Compliance
 
 The repository is **SPDX-compliant**; source files carry SPDX identifiers. See `CISS.debian.live.builder.spdx` and `LICENSE` for details.
 

config/hooks/live/zzzz_ciss_crypt_squash.hook.binary

@@ -45,12 +45,12 @@ preallocate() {
 
   if dd if=/dev/zero of="${file}" bs="${blocksize}" count="${blockcounter}" status=progress conv=fsync; then
 
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync ] successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
+    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
     return 0
 
   else
 
-    printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync ] NOT successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
+    printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] NOT successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
     return 42
 
   fi
@@ -71,8 +71,8 @@ declare -i VAR_ROOTFS_SIZE=$(stat -c%s -- "${ROOTFS}")
 #   - dm-integrity Overhead (Tags and Journal)
 #   - Filesystem-Slack
 declare -i OVERHEAD_FIXED=$((64 * 1024 * 1024))
-declare -i OVERHEAD_PCT=1
+declare -i OVERHEAD_PCT=2
-declare -i ALIGN_BYTES=$(( 2048 * 1024 ))
+declare -i ALIGN_BYTES=$(( 4096 * 1024 ))
 declare -i BASE_SIZE=$(( VAR_ROOTFS_SIZE + OVERHEAD_FIXED + (VAR_ROOTFS_SIZE * OVERHEAD_PCT / 100) ))
 declare -i VAR_LUKSFS_SIZE=$(( ( (BASE_SIZE + ALIGN_BYTES - 1) / ALIGN_BYTES ) * ALIGN_BYTES ))
 
@@ -80,22 +80,44 @@ preallocate "${LUKSFS}" "${VAR_LUKSFS_SIZE}"
 
 exec {KEYFD}<"${VAR_TMP_SECRET}/luks.txt"
 
-cryptsetup luksFormat \
+if [[ "${VAR_CDLB_INSIDE_RUNNER}" == "false" ]]; then
-  --batch-mode \
+
-  --cipher aes-xts-plain64 \
+  cryptsetup luksFormat \
-  --integrity hmac-sha512 \
+    --batch-mode \
-  --iter-time 1000 \
+    --cipher aes-xts-plain64 \
-  --key-file "/proc/$$/fd/${KEYFD}" \
+    --integrity hmac-sha512 \
-  --key-size 512 \
+    --iter-time 1000 \
-  --label crypt_liveiso \
+    --key-file "/proc/$$/fd/${KEYFD}" \
-  --luks2-keyslots-size 16777216 \
+    --key-size 512 \
-  --luks2-metadata-size 4194304 \
+    --label crypt_liveiso \
-  --pbkdf argon2id \
+    --luks2-keyslots-size 16777216 \
-  --sector-size 4096 \
+    --luks2-metadata-size 4194304 \
-  --type luks2 \
+    --pbkdf argon2id \
-  --use-random \
+    --sector-size 4096 \
-  --verbose \
+    --type luks2 \
-  "${LUKSFS}"
+    --use-random \
+    --verbose \
+    "${LUKSFS}"
+
+elif [[ "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then
+
+  cryptsetup luksFormat \
+    --batch-mode \
+    --cipher aes-xts-plain64 \
+    --iter-time 1000 \
+    --key-file "/proc/$$/fd/${KEYFD}" \
+    --key-size 512 \
+    --label crypt_liveiso \
+    --luks2-keyslots-size 16777216 \
+    --luks2-metadata-size 4194304 \
+    --pbkdf argon2id \
+    --sector-size 4096 \
+    --type luks2 \
+    --use-random \
+    --verbose \
+    "${LUKSFS}"
+
+fi
 
 cryptsetup open --key-file "/proc/$$/fd/${KEYFD}" "${LUKSFS}" crypt_liveiso
 
@@ -105,11 +127,11 @@ declare -i SQUASH_FS="${VAR_ROOTFS_SIZE}"
 
 if (( LUKS_FREE >= SQUASH_FS )); then
 
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ LUKS_FREE '%s' >= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}"
+  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ LUKS_FREE '%s' >= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}"
 
 else
 
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ LUKS_FREE '%s' <= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}" >&2
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ LUKS_FREE '%s' <= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}" >&2
   exit 42
 
 fi

config/includes.chroot/etc/ssh/ssh_known_hosts

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.544.2025.12.05
+# Version Master V8.13.768.2025.12.06
 
 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==

config/includes.chroot/etc/ssh/sshd_config

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.544.2025.12.05
+# Version Master V8.13.768.2025.12.06
 
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig

config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened

@@ -11,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.544.2025.12.05
+# Version Master V8.13.768.2025.12.06
 
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/

config/includes.chroot/preseed/.iso/preseed_hash_generator.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-declare -gr VERSION="Master V8.13.544.2025.12.05"
+declare -gr VERSION="Master V8.13.768.2025.12.06"
 
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then

config/includes.chroot/preseed/preseed.cfg

@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.544.2025.12.05 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.768.2025.12.06 at: 10:18:37.9542

docs/AUDIT_DNSSEC.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.544.2025.12.05<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. DNSSEC Status
 

docs/AUDIT_HAVEGED.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.544.2025.12.05<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. Haveged Audit on Netcup RS 2000 G11
 

docs/AUDIT_LYNIS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.544.2025.12.05<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. Lynis Audit:
 

docs/AUDIT_SSH.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.544.2025.12.05<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. SSH Audit by ssh-audit.com
 

docs/AUDIT_TLS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.544.2025.12.05<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. TLS Audit:
 ````text

docs/BOOTPARAMS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.544.2025.12.05<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. Hardened Kernel Boot Parameters
 

docs/CHANGELOG.md

@@ -8,12 +8,17 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.544.2025.12.05<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. Changelog
 
+## V8.13.768.2025.12.06
+* **Global**: Stable Release
+
 ## V8.13.544.2025.12.05
+* **Added**: [30-ciss-hardening.conf.md](documentation/30-ciss-hardening.conf.md)
 * **Added**: [90-ciss-local.hardened.md](documentation/90-ciss-local.hardened.md)
+* * **Bugfixes**: [zzzz_ciss_crypt_squash.hook.binary](../config/hooks/live/zzzz_ciss_crypt_squash.hook.binary) + Adjusted ``OVERHEAD_PCT`` for Gitea Runner
 
 ## V8.13.536.2025.12.04
 * **Added**: [ciss_live_builder.sh.md](documentation/ciss_live_builder.sh.md)

docs/CNET.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.544.2025.12.05<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. Centurion Net - Developer Branch Overview
 

docs/CODING_CONVENTION.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.544.2025.12.05<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. Coding Style
 

docs/CONTRIBUTING.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.544.2025.12.05<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. Contributing / participating
 

docs/CREDITS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.544.2025.12.05<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. Credits
 

docs/DL_PUB_ISO.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.544.2025.12.05<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
 

docs/DOCUMENTATION.md

@@ -8,14 +8,14 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.544.2025.12.05<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2.1. Usage
 ````text
                         CDLB(1)                        CISS.debian.live.builder                        CDLB(1)
 
 CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V8.13.544.2025.12.05
+Master V8.13.768.2025.12.06
 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 
 (c) Marc S. Weidner, 2018 - 2025
@@ -47,7 +47,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
     This option creates a boot menu entry that starts the forthcoming 'CISS.debian.installer', which is executed
     once the system has successfully booted up.
 
-  --contact, -c\ e[0m
+  --contact, -c
     Show author contact information.
 
   --control <STRING>
@@ -146,7 +146,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 💷 Please consider donating to my work at:
 🌐 https://coresecret.eu/spenden/
 
-                        V8.13.544.2025.12.05                        2025-11-06                         CDLB(1)
+                        V8.13.768.2025.12.06                        2025-11-06                         CDLB(1)
 ````
 
 # 3. Booting

docs/MAN_CISS_ISO_BOOT_CHAIN.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.544.2025.12.05<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation)
 

docs/MAN_SSH_Host_Key_Policy.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.544.2025.12.05<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer
 

docs/REFERENCES.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.544.2025.12.05<br>
+**Build**: V8.13.768.2025.12.06<br>
 
 # 2. Resources
 

docs/documentation/30-ciss-hardening.conf.md

@@ -0,0 +1,88 @@
+---
+gitea: none
+include_toc: true
+-----------------
+
+# 1. CISS.debian.live.builder
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
+**Master Version**: 8.13<br>
+**Build**: V8.13.768.2025.12.06<br>
+
+# 2. ``30-ciss-hardening.conf``
+
+This module is a kernel module loading policy file intended to be installed under ``/etc/modprobe.d/30-ciss-hardening.conf`` in 
+systems produced by **CISS.debian.live.builder**, and the associated **CISS.debian.installer.secure** framework. It constrains 
+the Linux kernels an automatic module loading mechanism by replacing the load actions for a broad set of rarely required modules 
+with a no-op handler and by blacklisting others, to reduce the attack surface available to unprivileged users and remote attackers.
+
+The configuration addresses the general class of vulnerabilities where an unprivileged actor can provoke the kernel into 
+autoloading a protocol or filesystem module, then exploit a defect in that module. The introductory comment explicitly 
+references CVE-2017-6074 as an example, where the DCCP protocol module could be pulled into memory simply by initiating a 
+DCCP connection. To counter this pattern, the file uses ``install <module> /bin/true`` rules to override the normal modprobe 
+behavior. When user space, or the kernel attempts to load one of these modules, modprobe executes ``/bin/true`` instead of 
+loading the module, returns success, and leaves the module absent from the running kernel.
+
+The first group of ``install`` directives disables a series of network protocol stacks and link layer implementations that are 
+considered exotic in contemporary hardened server or appliance environments. These include ``DCCP``, ``SCTP``, ``RDS``, ``TIPC``,
+``HDLC`` line discipline support, amateur-radio-oriented protocols such as ``AX.25``, ``NET/ROM``, and ``ROSE``, legacy 
+internetworking protocols like ``DECnet``, ``IPX``, and ``AppleTalk``, as well as ``CAN`` bus, ``ATM`` networking, and 
+``IEEE 802.15.4`` support. In the absence of this file, many of these modules could be autoloaded in response to crafted traffic
+reaching the host; with this policy in place, such attempts silently fail at the module loading step, and the packets are 
+processed without activating the corresponding kernel subsystems.
+
+The next section targets filesystem support that is not expected to be needed in the envisaged deployment scenarios. The module 
+defines ``install`` rules and explicit ``blacklist`` entries for legacy or niche on-disk formats such as ``CRAMFS``, ``FreeVxFS``, 
+``JFFS2``, ``HFS``, ``HFS+``, and ``UDF``. On a system using this configuration unmodified, attempts to mount volumes of these 
+types will not cause the kernel modules to load automatically; instead, the mount will fail because the filesystem 
+implementation never becomes available. The combination of ``install /bin/true`` and ``blacklist`` ensures that neither direct
+``modprobe`` calls in user space nor automatic resolution through modalias can pull these modules in.
+
+A separate block disables network filesystems that could otherwise be used to introduce complex protocol stacks and large code 
+paths into the kernel. The file defines ``install`` and ``blacklist`` rules for ``CIFS``, ``NFS``, including explicit ``nfsv3`` 
+and ``nfsv4`` aliases, the in-kernel ``SMB`` server ``ksmbd``, and the cluster filesystem ``gfs2``. Systems hardened with this
+module therefore cannot mount ``CIFS`` or ``NFS`` shares, nor can they serve ``SMB`` via ``ksmbd``, unless this policy file is 
+removed or overridden. This choice is a deliberate constraint: it trades the convenience of built-in remote filesystems for the 
+lower risk profile of a kernel that does not contain these historically vulnerable and feature-rich subsystems.
+
+The configuration also addresses specific devices and miscellaneous drivers. USB mass storage, and the ``USB Attached SCSI (UAS)`` 
+transport are disabled by combining ``install usb-storage /bin/true``, ``install uas /bin/true`` with corresponding ``blacklist`` 
+lines. This prevents the system from interacting with USB storage devices, which mitigates a range of data exfiltration, rogue 
+devices, and untrusted media scenarios. The FireWire core ``firewire-core`` is similarly blocked from loading via an ``install`` 
+rule, removing another hot-plug bus traditionally associated with direct memory access capabilities. The file also disables the 
+``vivid`` video driver, noted in the comment as a testing-only driver with a history of privilege escalation issues, by 
+replacing its load operation with ``/bin/true``.
+
+In its final part, the module incorporates and extends a set of blacklist conventions originating from a kmod configuration in 
+a major distribution. It blacklists the ``evbug`` input event debugging driver, simple USB input drivers ``usbmouse``, ``usbkbd``
+that are typically superseded by more modern subsystems, ``eth1394`` which can create confusing extra network interfaces, and 
+the ``pcspkr`` driver for the legacy PC speaker. These entries do not use ``install /bin/true`` and therefore only prevent 
+automatic loading based on modalias; they do not fully override manual ``modprobe`` invocations, which aligns with their purpose
+as quality-of-life and clarity improvements rather than hard prohibitions.
+
+Within the overall **CISS.debian.live.builder** and **CISS.debian.installer.secure** workflow, this file is purely declarative. 
+Its inputs are the module names hard-coded in the configuration, and the fixed mapping of those names to either ``/bin/true`` or 
+blacklist semantics, and it has no runtime parameters or external dependencies beyond the standard kmod / modprobe stack. The 
+principal side effect is systemic: once present in ``/etc/modprobe.d`` and read by kmod during module resolution, it constrains, 
+which kernel modules can ever be introduced into the running kernel via normal loading pathways. This affects the live system 
+boots produced by the builder as well as installed systems provisioned by the installer, assuming the file is propagated into 
+the target root filesystem.
+
+The configuration assumes that the target systems do not rely on the disabled protocols, filesystems, or device classes. In 
+environments where ``CIFS`` or ``NFS`` mounts, ``CAN`` bus interfaces, ``IEEE 1394`` peripherals, or USB mass storage are 
+operationally required, administrators must explicitly adjust or remove this module. There is no internal mechanism for 
+conditional activation, staging, or feature detection. From a hardening perspective, the absence of dynamic control is 
+intentional: the file embodies a closed, conservative policy that removes entire classes of kernel functionality rather than 
+trying to selectively mediate their use.
+
+There is no error handling logic in the conventional sense, because the file is not an executable script. The only behavioral
+nuance lies in the use of ``/bin/true`` for the ``install`` directives. This design causes callers that request a module to 
+observe a successful return code from the modprobe even though the module is not present afterward. Some tooling that 
+naively checks only the exit status might therefore believe that the module was loaded. For the purposes of hardening, this 
+discrepancy is acceptable: it guarantees that the module never enters the kernel while keeping the calling code simple, at the 
+cost of possibly opaque failure modes that must be understood by system integrators using this configuration.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

docs/documentation/90-ciss-local.hardened.md

@@ -8,9 +8,9 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.544.2025.12.05<br>
+**Build**: V8.13.768.2025.12.06<br>
 
-# 2. 90-ciss-local.hardened
+# 2. ``90-ciss-local.hardened``
 
 The configuration fragment ``90-ciss-local.hardened`` defines the local kernel and network hardening baseline that CISS systems 
 apply via the Linux ``sysctl`` mechanism. It is written as a conventional ``sysctl.d`` drop-in and is meant to be consumed by early 

docs/documentation/ciss_live_builder.sh.md

@@ -8,9 +8,9 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.544.2025.12.05<br>
+**Build**: V8.13.768.2025.12.06<br>
 
-# 2. ciss_live_builder.sh
+# 2. ``ciss_live_builder.sh``
 
 This module implements the primary orchestration entry point for the ``CISS.debian.live.builder`` toolchain and drives the 
 complete lifecycle of a hardened Debian live ISO build in a single, linear control flow. It is responsible for validating the 

lib/lib_arg_parser.sh

@@ -157,6 +157,18 @@ arg_parser() {
           fi
           ;;
 
+        --cicd)
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            printf "\e[91m❌ Error: --cicd MUST NOT be followed by an argument.\e[0m\n" >&2
+            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+            exit "${ERR_ARG_MSMTCH}"
+          fi
+          # shellcheck disable=SC2034
+          declare -g VAR_GITEA_RUNNER="true"
+          shift 1
+          ;;
+
         --control)
           if [[ -n "${2-}" ]]; then
             # shellcheck disable=SC2034

lib/lib_lb_config_write_trixie.sh

@@ -101,7 +101,7 @@ lb_config_write_trixie() {
     --system live \
     --source false \
     --source-images tar \
-    --uefi-secure-boot auto \
+    --uefi-secure-boot enable \
     --updates true \
     --utc-time true \
     --verbose

lib/lib_usage.sh

@@ -39,13 +39,13 @@ usage() {
   # shellcheck disable=SC2155
   declare var_header=$(center "CDLB(1)                        CISS.debian.live.builder                        CDLB(1)" "${var_cols}")
   # shellcheck disable=SC2155
-  declare var_footer=$(center "V8.13.544.2025.12.05                        2025-11-06                         CDLB(1)" "${var_cols}")
+  declare var_footer=$(center "V8.13.768.2025.12.06                        2025-12-05                         CDLB(1)" "${var_cols}")
 
   {
     echo -e "\e[1;97m${var_header}\e[0m"
     echo
     echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V8.13.544.2025.12.05\e[0m"
+    echo -e "\e[92mMaster V8.13.768.2025.12.06\e[0m"
     echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
     echo
     echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
@@ -77,7 +77,7 @@ usage() {
     echo "    This option creates a boot menu entry that starts the forthcoming 'CISS.debian.installer', which is executed"
     echo "    once the system has successfully booted up."
     echo
-    echo -e "\e[97m  --contact, -c\ e[0m"
+    echo -e "\e[97m  --contact, -c\e[0m"
     echo "    Show author contact information."
     echo
     echo -e "\e[97m  --control <STRING>\e[0m"

scripts/usr/local/sbin/9999_cdi_starter.sh

@@ -130,7 +130,7 @@ main() {
   touch "${var_log}"
 
 
-  printf "CISS.debian.installer Master V8.13.544.2025.12.05 is up! \n" >> "${var_log}"
+  printf "CISS.debian.installer Master V8.13.768.2025.12.06 is up! \n" >> "${var_log}"
 
   ### Sleep a moment to settle boot artifacts.
   sleep 8
@@ -209,7 +209,7 @@ main() {
 
   ### Timeout reached without acceptable semaphore.
   logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
-  printf "CISS.debian.installer Master V8.13.544.2025.12.05: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
+  printf "CISS.debian.installer Master V8.13.768.2025.12.06: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
 
   exit 0
 }

var/early.var.sh

@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
 declare -grx VAR_HOST="$(uname -n)"
 declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
-declare -grx VAR_VERSION="Master V8.13.544.2025.12.05"
+declare -grx VAR_VERSION="Master V8.13.768.2025.12.06"
 declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
   # Print $4 and $5; include $6 only if it exists
   out = $4

var/global.var.sh

@@ -28,7 +28,6 @@ touch "${LOG_ERROR}" && chmod 0600 "${LOG_ERROR}"
 
 declare -g  __umask=""
 declare -g  VAR_ARCHITECTURE=""
-declare -g  VAR_CDLB_INSIDE_RUNNER="${VAR_CDLB_INSIDE_RUNNER:-false}"
 declare -g  VAR_HANDLER_BUILD_DIR=""
 declare -g  VAR_HANDLER_CDI="false"
 declare -g  VAR_HANDLER_NETCUP_IPV6="false"
@@ -51,6 +50,7 @@ declare -gr VAR_CHROOT_DIR="chroot"
 declare -gr VAR_PACKAGES_FILE="chroot.packages.live"
 declare -gx VAR_AGE="false"
 declare -gx VAR_AGE_KEY=""
+declare -gx VAR_CDLB_INSIDE_RUNNER="${VAR_CDLB_INSIDE_RUNNER:-false}"
 declare -gx VAR_LUKS="false"
 declare -gx VAR_LUKS_KEY=""
 declare -gx VAR_SIGNER="false"