DEPLOY BOT : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]

X-CI-Metadata: master@27b59ba at 2025-06-23T09:04:52Z on fd3d8b329394

Generated at : 2025-06-23T09:04:52Z
Runner Host  : fd3d8b329394
Workflow ID  : 💙 Generating a PUBLIC Live ISO.
Git Commit   : 27b59ba HEAD -> master

.archive/icon.lib

@@ -46,4 +46,10 @@
 🧠
 📅
 🎯
+🌐
+🔗
+💬
+☢️
+☣️
+•
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml

@@ -25,7 +25,7 @@ body:
     attributes:
       label: "Version"
       description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.03.644.2025.06.07"
+      placeholder: "e.g., Master V8.03.768.2025.06.23"
     validations:
       required: true
 

.gitea/TODO/dockerfile

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.768.2025.06.23
 
 FROM debian:bookworm
 

.gitea/TODO/render-md-to-html.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.768.2025.06.23
 
 name: 🔁 Render README.md to README.html.
 

.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.03.644.2025.06.07
+  version: V8.03.768.2025.06.23
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.03.644.2025.06.07
+  version: V8.03.768.2025.06.23
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PUBLIC.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.03.644.2025.06.07
+  version: V8.03.768.2025.06.23
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_dns.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.03.644.2025.06.07
+  version: V8.03.768.2025.06.23
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.768.2025.06.22
 
 name: 🔐 Generating a Private Live ISO FLV 0.
 
@@ -270,7 +270,7 @@ jobs:
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
           ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
           ./ciss_live_builder.sh \
-            --autobuild=6.12.22+bpo-amd64 \
+            --autobuild=6.12.30+bpo-amd64 \
             --architecture amd64 \
             --build-directory /opt/livebuild \
             --control "${timestamp}" \
@@ -386,7 +386,7 @@ jobs:
           CISS.debian.live.builder ISO :
             "${VAR_ISO_FILE_NAME}"
           CISS.debian.live.builder ISO sha512 :
-            "${VAR_ISO_FILE_SHA512}"
+            $(< "${VAR_ISO_FILE_SHA512}")
           CISS.debian.live.builder ISO sha512 sign :
             $(< "${SIGNATURE_FILE}")
 

.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.512.2025.06.06
+### Version Master V8.03.768.2025.06.22
 
 name: 🔐 Generating a Private Live ISO FLV 1.
 
@@ -270,7 +270,7 @@ jobs:
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
           ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
           ./ciss_live_builder.sh \
-            --autobuild=6.12.22+bpo-amd64 \
+            --autobuild=6.12.30+bpo-amd64 \
             --architecture amd64 \
             --build-directory /opt/livebuild \
             --control "${timestamp}" \
@@ -383,7 +383,7 @@ jobs:
           CISS.debian.live.builder ISO :
             "${VAR_ISO_FILE_NAME}"
           CISS.debian.live.builder ISO sha512 :
-            "${VAR_ISO_FILE_SHA512}"
+            $(< "${VAR_ISO_FILE_SHA512}")
           CISS.debian.live.builder ISO sha512 sign :
             $(< "${SIGNATURE_FILE}")
 

.gitea/workflows/generate_PUBLIC_iso.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.768.2025.06.22
 
 name: 💙 Generating a PUBLIC Live ISO.
 
@@ -271,7 +271,7 @@ jobs:
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
           ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
           ./ciss_live_builder.sh \
-            --autobuild=6.12.22+bpo-amd64 \
+            --autobuild=6.12.30+bpo-amd64 \
             --architecture amd64 \
             --build-directory /opt/livebuild \
             --control "${timestamp}" \
@@ -383,7 +383,7 @@ jobs:
           CISS.debian.live.builder ISO :
             "${VAR_ISO_FILE_NAME}"
           CISS.debian.live.builder ISO sha512 :
-            "${VAR_ISO_FILE_SHA512}"
+            $(< "${VAR_ISO_FILE_SHA512}")
           CISS.debian.live.builder ISO sha512 sign :
             $(< "${SIGNATURE_FILE}")
 

.gitea/workflows/linter_char_scripts.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.768.2025.06.23
 
 # Gitea Workflow: Shell-Script Linting
 #

.gitea/workflows/render-dnssec-status.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.768.2025.06.23
 
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
 

.gitea/workflows/render-dot-to-png.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.768.2025.06.23
 
 name: 🔁 Render Graphviz Diagrams.
 

.version.properties

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.03.644.2025.06.07"
+properties_version="V8.03.768.2025.06.23"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

CISS.debian.live.builder.spdx

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.03.644.2025.06.07
+PackageVersion: Master V8.03.768.2025.06.23
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder

LINTER_RESULTS.txt

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-06-07T13:59:44Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-06-23T06:21:19Z".
 
 ✅ The last linter check was successful. ✅
 

LIVE_ISO.public

@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-06-07T13:28:13Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-06-23T09:04:49Z".
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_07T12_48_35Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_06_23T08_20_37Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  "ciss-debian-live-2025_06_07T12_48_35Z-amd64.hybrid.iso.sha512"
+  86a8be09e16299892ae99d195b56a04356bcf5d2202016da8f8fa7441077c43fab68ebefcb8c39b3423f085a74b607907fb691ac71fdef92af33782bd2ac0ce5
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaEQ+bQAKCRA85KY4hzOw
-IdnhAQC+NGhgMMPqZgS51p59kCYSoGLDzodY7TtFOJOxLo5LeAD/bgJifC51JFju
-RKy7e3am5Z80cAGZJ1RFliRgjJVZeAU=
-=P9Qk
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFkYsQAKCRA85KY4hzOw
+IbrbAQDeOIS3QYKIPkMhYlNPIcsJjv/dh3TdYiuQbkvfwVI+/gD/TiB+ska62vJk
+LGfwjuaxMC0KHG1/UTICytOeAnTrXAc=
+=qk8B
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_FLV_0.private

@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-06-07T11:52:28Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-06-23T07:15:07Z".
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_07T11_12_45Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_06_23T06_28_42Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  "ciss-debian-live-2025_06_07T11_12_45Z-amd64.hybrid.iso.sha512"
+  e0ec5e6be762858378a7eab74634676b1dd431f1cec9f3ecd57778249da4694af2df40dd5adb546360e69ddbad1379200031558ca580f55d9e8c242edb193e2f
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaEQn/AAKCRA85KY4hzOw
-IeMFAP0ZsIuEHFz3EgDpk1rN066VZ2nGrx3NvQenvjg5EQsRNAD+MNlJ4JE9zk17
-pvWF+r0l2K7P6CmxlK7WZFU2Hs6KYwc=
-=6azh
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFj++wAKCRA85KY4hzOw
+IXOYAP9FahdpIrwvHpEAddsem7UDdtO/zOzzDzx+TuycmdFttQEA20BgLvFLCiDr
+2zYSWBFHsEnlOrMoqUmjwDH/rjV6wAs=
+=cssu
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_FLV_1.private

@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-06-07T12:39:29Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-06-23T08:10:36Z".
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_07T12_01_03Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_06_23T07_24_33Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  "ciss-debian-live-2025_06_07T12_01_03Z-amd64.hybrid.iso.sha512"
+  70fc1bcdcf3362278f77344c5c6cf5c682362afaf22e4013026f87d3279a044bcebd830b0958bdfb9c080f06d1f873a61a30ca5e56787d41668c9b758a964ad7
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaEQzAQAKCRA85KY4hzOw
-IedVAQDj71Q0oAweOhYGabzgECIwgIxHPypvidif0fnjucGuIgD+O5XAvFsPnUzQ
-7lXvBLPURbSoa5//sgkXL3Pmik2vvwk=
-=TJPq
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFkL/AAKCRA85KY4hzOw
+ISe+AQC8m7ZFFP9zYtSae/IjpJy4XtDsnuO4ager49y7BDx38gEAllfQHZiMxelr
+qryf1KI+nXUj2EgKtk0vy9SDI6H1KgY=
+=NdC5
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

README.md

@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.644.2025.06.07-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.768.2025.06.23-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
  
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)  
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)  
@@ -12,7 +12,7 @@ include_toc: true
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
  
 [![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.23.8-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)  
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.1.1.1-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)  
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.1.2-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)  
 [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/)  
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de)  
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/)  
@@ -26,7 +26,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.23<br>
 
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -37,7 +37,7 @@ changes and made publicly available for download. The latest generic ISO is avai
 
 Check out more:
 * [CenturionNet Services](https://coresecret.eu/cnet/) 
-* [CenturionDNS Resolver](https://dns.eddns.eu/)
+* [CenturionDNS Resolver](https://eddns.eu/)
 * [CenturionDNS Blocklist](https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt) 
 * [CenturionNet Status](https://uptime.coresecret.eu/) 
 * [CenturionMeet](https://talk.e2ee.li/) 
@@ -142,13 +142,20 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
 
-Example: `8.03.384.2025.06.03`
+Example: `V8.03.768.2025.06.23`
 
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
 
 Date (YYYY.MM.DD) denotes the build or release date, facilitating clear tracking of incremental changes and ensuring 
 reproducibility and traceability.
 
+## 1.6. Keywords
+
+The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
+"MAY", and "OPTIONAL" in this Repo are to be interpreted as described in [[BCP 14](https://www.rfc-editor.org/info/bcp14)], 
+[[RFC2119](https://datatracker.ietf.org/doc/html/rfc2119)], [[RFC8174](https://datatracker.ietf.org/doc/html/rfc8174)] when,
+and only when, they appear in all capitals, as shown here.
+
 # 2. Features & Rationale
 
 Below is a breakdown of each hardening component, with a summary of why each is critical to your security posture.

ciss_live_builder.sh

@@ -37,65 +37,94 @@
   . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
 [[ ${BASH_VERSINFO[0]} -le 5 ]] && [[ ${BASH_VERSINFO[1]} -le 1 ]] && {
   . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
+[[ ${#} -eq 0 ]] && {
+  . ./lib/lib_usage.sh; usage; exit 1; }
 
-declare -g VAR_HANDLER_AUTOBUILD="false"
-declare -gr VAR_CONTACT="security@coresecret.eu"
-declare -gr VAR_VERSION="Master V8.03.644.2025.06.07"
+declare -gx VAR_CONTACT="security@coresecret.eu"
+declare -gx VAR_VERSION="Master V8.03.768.2025.06.23"
 
-### VERY EARLY CHECK FOR AUTO-BUILD, CONTACT, USAGE, AND VERSION STRING
-declare arg
-if [[ ${#} -eq 0 ]]; then . ./lib/lib_usage.sh; usage; exit 1; fi
-for arg in "$@"; do case "${arg,,}" in -a=*|--autobuild=*) declare -g VAR_HANDLER_AUTOBUILD=true; declare -g VAR_KERNEL="${arg#*=}";; esac; done
-for arg in "$@"; do case "${arg,,}" in -c|--contact) printf "\e[95mCISS.debian.live.builder Contact: %s\e[0m\n" "${VAR_CONTACT}"; exit 0;; esac; done
-for arg in "$@"; do case "${arg,,}" in -h|--help) . ./lib/lib_usage.sh; usage; exit 0;; esac; done
+### CHECK FOR CONTACT, HELP, AND VERSION STRING
+for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh; contact; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh; usage; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -v|--version) printf "\e[95mCISS.debian.live.builder Version: %s\e[0m\n" "${VAR_VERSION}"; exit 0;; esac; done
-unset arg
+declare -gx VAR_SETUP="true"
 
-### VERY EARLY CHECK FOR XTRACE DEBUGGING
+### CHECK FOR XTRACE DEBUG
 if [[ $* == *" --debug "* ]]; then
   . ./lib/lib_debug.sh
+  . ./lib/lib_debug_header.sh
   debugger "${@}"
 else
-  declare -grx VAR_EARLY_DEBUG=false
+  declare -gx VAR_EARLY_DEBUG="false"
 fi
 
-### Advisory Lock
-exec 127>/var/lock/ciss_live_builder.lock || {
+### SOURCING VARIABLES
+[[ "${VAR_SETUP}" == true ]] && {
+  . ./var/bash.var.sh
+  . ./var/color.var.sh
   . ./var/global.var.sh
+}
+
+### SOURCING LIBRARIES
+[[ "${VAR_SETUP}" == true ]] && {
+  . ./lib/lib_arg_parser.sh
+  . ./lib/lib_arg_priority_check.sh
+  . ./lib/lib_boot_screen.sh
+  . ./lib/lib_cdi.sh
+  . ./lib/lib_change_splash.sh
+  . ./lib/lib_check_dhcp.sh
+  . ./lib/lib_check_hooks.sh
+  . ./lib/lib_check_kernel.sh
+  . ./lib/lib_check_pkgs.sh
+  . ./lib/lib_check_provider.sh
+  . ./lib/lib_check_stats.sh
+  . ./lib/lib_check_var.sh
+  . ./lib/lib_clean_screen.sh
+  . ./lib/lib_clean_up.sh
+  . ./lib/lib_copy_integrity.sh
+  . ./lib/lib_hardening_root_pw.sh
+  . ./lib/lib_hardening_ssh.sh
+  . ./lib/lib_hardening_ultra.sh
+  . ./lib/lib_helper_ip.sh
+  . ./lib/lib_lb_build_start.sh
+  . ./lib/lib_lb_config_start.sh
+  . ./lib/lib_lb_config_write.sh
+  . ./lib/lib_provider_netcup.sh
+  . ./lib/lib_run_analysis.sh
+  . ./lib/lib_sanitizer.sh
+  . ./lib/lib_trap_on_err.sh
+  . ./lib/lib_trap_on_exit.sh
+  . ./lib/lib_usage.sh
+}
+
+### ADVISORY LOCK
+exec 127>/var/lock/ciss_live_builder.lock || {
   printf "\e[91m❌ Cannot open lockfile for writing! Bye... \e[0m\n" >&2
   exit "${ERR_FLOCK_WRTG}"
 }
 
 if ! flock -x -n 127; then
-  . ./var/global.var.sh
   printf "\e[91m❌ Another instance is running! Bye...\e[0m\n" >&2
   exit "${ERR_FLOCK_COLL}"
 fi
 
-### Checking required packages
-. ./lib/lib_check_pkgs.sh
+### CHECK FOR AUTOBUILD MODE
+declare -gx VAR_HANDLER_AUTOBUILD="false"
+for arg in "$@"; do case "${arg,,}" in -a=*|--autobuild=*) declare -gx VAR_HANDLER_AUTOBUILD="true"; declare -gx VAR_KERNEL="${arg#*=}";; esac; done
+unset arg
+for dir in /usr/local/sbin /usr/sbin; do case ":${PATH}:" in *":${dir}:"*) ;; *) PATH="${PATH}:${dir}" ;; esac; done; export PATH; unset dir
+
+### CHECKING REQUIRED PACKAGES
 check_pkgs
 
-### Dialog Output for Initialization
-if ! $VAR_HANDLER_AUTOBUILD; then . ./lib/lib_boot_screen.sh && boot_screen; fi
+### DIALOG OUTPUT FOR INITIALIZATION
+if ! $VAR_HANDLER_AUTOBUILD; then boot_screen; fi
 
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nUpdating variables ... \nXXX\n05\n" >&3; fi
-. ./var/global.var.sh
-. ./var/colors.var.sh
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi
 
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nEnabling Bash Error Handling ... \nXXX\n15\n" >&3; fi
-### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin
-set -o errexit   # Exit script when a command exits with non-zero status, the same as "set -e".
-set -o errtrace  # Any traps on ERR are inherited in a subshell environment, the same as "set -E".
-set -o functrace # Any traps on DEBUG and RETURN are inherited in a subshell environment, the same as "set -T".
-set -o nounset   # Exit script on use of an undefined variable, the same as "set -u".
-set -o pipefail  # Makes pipelines return the exit status of the last command in the pipe that failed.
-set -o noclobber # Prevent overwriting, the same as "set -C".
-
-### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nAdditional initialization ... \nXXX\n25\n" >&3; fi
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nAdditional initialization ... \nXXX\n30\n" >&3; fi
 ### Initialization
 declare -gr ARGUMENTS_COUNT="$#"
 declare -gr ARG_STR_ORG_INPUT="$*"
@@ -108,42 +137,13 @@ declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
 declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
 
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSourcing Libraries ... \nXXX\n50\n" >&3; fi
-. ./lib/lib_arg_parser.sh
-. ./lib/lib_arg_priority_check.sh
-. ./lib/lib_cdi.sh
-. ./lib/lib_change_splash.sh
-. ./lib/lib_check_dhcp.sh
-. ./lib/lib_check_hooks.sh
-. ./lib/lib_check_kernel.sh
-. ./lib/lib_check_provider.sh
-. ./lib/lib_check_stats.sh
-. ./lib/lib_check_var.sh
-. ./lib/lib_clean_screen.sh
-. ./lib/lib_clean_up.sh
-. ./lib/lib_copy_integrity.sh
-. ./lib/lib_hardening_root_pw.sh
-. ./lib/lib_hardening_ssh.sh
-. ./lib/lib_hardening_ultra.sh
-. ./lib/lib_helper_ip.sh
-. ./lib/lib_lb_build_start.sh
-. ./lib/lib_lb_config_start.sh
-. ./lib/lib_lb_config_write.sh
-. ./lib/lib_provider_netcup.sh
-. ./lib/lib_run_analysis.sh
-. ./lib/lib_sanitizer.sh
-. ./lib/lib_trap_on_err.sh
-. ./lib/lib_trap_on_exit.sh
-. ./lib/lib_usage.sh
-
-### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nActivate traps ... \nXXX\n55\n" >&3; fi
-### Following the CISS Bash naming and ordering scheme
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
+### Following the CISS Bash naming and ordering scheme:
 trap 'trap_on_exit "$?"' EXIT
 trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
 
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSanitizing Arguments ... \nXXX\n70\n" >&3; fi
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
 arg_check "$@"
 declare -ar ARY_ARG_SANITIZED=("$@")
 declare -gr VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
@@ -159,6 +159,7 @@ clean_ip
 ### Updating Status of Dialog Gauge Bar
 if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi
 
+### Turn off Dialog Wrapper
 if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
 
 ### MAIN Program

config/hooks/live/9985_clamav.chroot

@@ -32,8 +32,8 @@ ReadOnlyPaths=/
 ReadWritePaths=/var/lib/clamav /var/log/clamav /var/run/clamav /run/clamav
 
 MemoryDenyWriteExecute=yes
-MemoryLimit=512M
-CPUShares=512
+#MemoryLimit=4096M
+#CPUShares=512
 
 RestrictAddressFamilies=AF_INET AF_INET6
 RestrictNamespaces=yes
@@ -58,8 +58,8 @@ ReadOnlyPaths=/
 ReadWritePaths=/var/lib/clamav /var/log/clamav /var/run/clamav
 
 MemoryDenyWriteExecute=yes
-MemoryLimit=512M
-CPUShares=512
+#MemoryLimit=4096M
+#CPUShares=512
 
 RestrictAddressFamilies=AF_INET AF_INET6
 RestrictNamespaces=yes

config/hooks/live/9990_final_purge.chroot

@@ -16,13 +16,13 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 
 apt-get update -y
 
-apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config \
-qemu-guest-agent rmail sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
+apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
+#sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
 
-apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config \
-qemu-guest-agent rmail sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
+apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
+#sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
 
-dpkg --get-selections | grep deinstall >> /tmp/deinstall.log || true
+dpkg --get-selections | grep deinstall >| /tmp/deinstall.log || true
 
 if [[ -s /tmp/deinstall.log ]]; then
   printf "\n"

config/hooks/live/9991_file_permissions.chroot

@@ -39,7 +39,7 @@ EOF
 
 cp -a /etc/login.defs /root/.ciss/dlb/backup/login.defs.bak
 
-sed -i 's/LOGIN_TIMEOUT       60/LOGIN_TIMEOUT       180/' /etc/login.defs
+sed -ri 's/^(#?LOGIN_TIMEOUT)[[:space:]]+[0-9]+/\1 180/' /etc/login.defs
 sed -i 's/UMASK		022/UMASK		077/' /etc/login.defs
 sed -i 's/PASS_MAX_DAYS	99999/PASS_MAX_DAYS	16384/' /etc/login.defs
 sed -i 's/PASS_MIN_DAYS	0/PASS_MIN_DAYS	1/' /etc/login.defs

config/hooks/live/9994_password_policy.chroot

@@ -51,7 +51,7 @@ difok = 4
 ### Minimum acceptable size for the new password (plus one if
 ### credits are not disabled, which is the default). (See pam_cracklib manual.)
 ### Cannot be set to a lower value than 6.
-minlen = 20
+minlen = 40
 
 ### dcredit = 0, ucredit = 0, lcredit = 0, ocredit = 0, minclass = 0
 ### NIST SP 800-63B advises against rigid complexity rules (numbers, symbols, uppercase)

config/includes.chroot/etc/ssh/sshd_config

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.768.2025.06.23
 
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -51,7 +51,7 @@ MaxSessions                  2
 MaxStartups                  08:64:16
 ### Restrict each individual source IP to only 4 unauthenticated connection slot
 ### in the concurrent MaxStartups pool, preventing one IP from monopolizing slots.
-PerSourceMaxStartups         4
+PerSourceMaxStartups         8
 ClientAliveInterval          300
 ClientAliveCountMax          2
 

config/includes.chroot/etc/sysctl.d/99_local.hardened

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.768.2025.06.23
 
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/

config/includes.chroot/preseed/.iso/preseed_hash_generator.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-declare -gr VERSION="Master V8.03.644.2025.06.07"
+declare -gr VERSION="Master V8.03.768.2025.06.23"
 
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then

config/includes.chroot/preseed/preseed.cfg

@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.03.644.2025.06.07 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.03.768.2025.06.23 at: 10:18:37.9542

config/includes.chroot/root/.bashrc

@@ -33,6 +33,7 @@
 
 trap ' "${SHELL}" /root/.ciss/clean_logout.sh ' 0
 source /root/.ciss/alias
+source /root/.ciss/f2bchk.sh
 source /root/.ciss/shortcuts
 source /root/.ciss/scan_libwrap
 

config/includes.chroot/root/.ciss/alias

@@ -149,64 +149,85 @@ genpasswdhash() {
   mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608
 }
 
-###########################################################################################
-# Globals: Wrapper for secure curl
+#######################################
+# Wrapper for secure curl
 # Arguments:
 #  $1: URL from which to download a specific file
 #  $2: /path/to/file to be saved to
-###########################################################################################
-# shellcheck disable=SC2317
+# Returns:
+#   0: Download successful
+#   1: Usage error
+#   2: Download failure
+#######################################
 scurl() {
   if [[ $# -ne 2 ]]; then
-    printf "\e[91m❌ Error: Usage: scurl <URL> <path/to/file>. \e[0m\n" >&2
+    printf "\e[91m❌ Error: Usage: scurl <URL> <path/to/file>.\e[0m\n" >&2
     return 1
   fi
-
-  if ! curl --proto '=https' --tlsv1.3 -sSf -o "${2}" "${1}"; then
-    printf "\e[91m❌ Error: Download failed for URL: '%s'. \e[0m\n" "${1}" >&2
+  declare url="$1"
+  declare output_path="$2"
+  if ! curl --doh-url "https://dns01.eddns.eu/dns-query" \
+            --doh-cert-status \
+            --tlsv1.3 \
+            -sSf \
+            -o "${output_path}" \
+            "${url}"
+  then
+    printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "${url}" >&2
     return 2
   fi
+  return 0
 }
 
-###########################################################################################
-# Globals: Wrapper for secure wget
+#######################################
+# Wrapper for secure wget
 # Arguments:
 #  $1: URL from which to download a specific file
 #  $2: /path/to/file to be saved to
-###########################################################################################
-# shellcheck disable=SC2317
+# Returns:
+#   0: Download successful
+#   1: Usage error
+#   2: Download failure
+#######################################
 swget() {
   if [[ $# -ne 2 ]]; then
-    printf "\e[91m❌ Error: Usage: swget <URL> <path/to/file>. \e[0m\n" >&2
+    printf "\e[91m❌ Error: Usage: swget <URL> <path/to/file>.\e[0m\n" >&2
     return 1
   fi
-
-  if ! wget --no-clobber --https-only --secure-protocol=TLSv1_3 -qO "${2}" "${1}"; then
-    printf "\e[91m❌ Error: Download failed for URL: '%s'. \e[0m\n" "${1}" >&2
+  declare url="$1"
+  declare output_path="$2"
+  mkdir -p "$(dirname "${output_path}")"
+  if ! wget --show-progress \
+            --no-clobber \
+            --https-only \
+            --secure-protocol=TLSv1_3 \
+            -qO "${output_path}" \
+            "${url}"
+  then
+    printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "$url" >&2
     return 2
   fi
+  return 0
 }
 
-###########################################################################################
-# Globals: Wrapper for loading CISS.2025 hardened Kernel Parameters
+#######################################
+# Wrapper for loading CISS.2025 hardened Kernel Parameters
 # Arguments:
-#  none
-###########################################################################################
-# shellcheck disable=SC2317
+#  None
+#######################################
 sysp() {
   sysctl -p /etc/sysctl.d/99_local.hardened
   # sleep 1
   sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
 }
 
-###########################################################################################
-# Globals: Wrapper for tree
+#######################################
+# Wrapper for tree
 # Arguments:
 #  $1: Depth of Directory Listing
-###########################################################################################
-# shellcheck disable=SC2317
+#######################################
 trel() {
-    declare depth=${1:-3}
-    tree -C -h --dirsfirst -L "${depth}"
+  declare depth=${1:-3}
+  tree -C -h --dirsfirst -L "${depth}"
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/includes.chroot/root/.ciss/f2bchk.sh

@@ -0,0 +1,87 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Wrapper for fail2ban filter checks against logs.
+# Usage: f2bchk --mode=ignored || --mode=matched  || --mode=missed \
+#               --filter=/etc/fail2ban/filter.d/ufw.aggressive.conf \
+#               --log=/var/log/ufw.log \
+#               --output=/tmp/f2bchk.log
+# Globals:
+#   DEFAULT_FILTER
+#   DEFAULT_LOG
+#   DEFAULT_MODE
+# Arguments:
+#  None
+# Returns:
+#   1 In case of any errors
+#######################################
+f2bchk(){
+  # Declare default values (readonly)
+  declare -r DEFAULT_MODE="matched"
+  declare -r DEFAULT_FILTER="/etc/fail2ban/filter.d/ufw.aggressive.conf"
+  declare -r DEFAULT_LOG="/var/log/ufw.log"
+
+  declare mode="${DEFAULT_MODE}"
+  declare filter="${DEFAULT_FILTER}"
+  declare log="${DEFAULT_LOG}"
+  declare output=""
+  declare arg=""
+
+  for arg in "$@"; do
+    case "${arg}" in
+      --mode=*)   mode="${arg#--mode=}";;
+      --filter=*) filter="${arg#--filter=}";;
+      --log=*)    log="${arg#--log=}";;
+      --output=*) output="${arg#--output=}";;
+      *)
+        printf "\e[31m[ERROR]\e[0m Unknown argument: %s\n" "${arg}"
+        return 1
+        ;;
+    esac
+  done
+
+  declare flag suffix
+  case "${mode}" in
+    ignored) flag="--print-all-ignored"; suffix="all.ignored";;
+    matched) flag="--print-all-matched"; suffix="all.matched";;
+    missed)  flag="--print-all-missed";  suffix="all.missed";;
+    *)
+      printf "\e[31m[ERROR]\e[0m Invalid mode: %s\n" "${mode}"
+      return 1
+      ;;
+  esac
+
+  if [[ -z "${output}" ]]; then
+    declare filter_name="${filter##*/}"
+    filter_name="${filter_name%.conf}"
+    output="/tmp/${filter_name}.${suffix}.log"
+  fi
+  if [[ ! -r "${log}" ]]; then
+    printf "\e[31m[ERROR]\e[0m Log file '%s' not found or not readable.\n" "${log}"
+    return 1
+  fi
+  if [[ ! -r "${filter}" ]]; then
+    printf "\e[31m[ERROR]\e[0m Filter file '%s' not found or not readable.\n" "${filter}"
+    return 1
+  fi
+
+  printf "\e[33m[INFO]\e[0m Running: fail2ban-regex %s %s %s\n" "${log}" "${filter}" "${flag}"
+  if fail2ban-regex "${log}" "${filter}" "${flag}" >| "${output}"; then
+    printf "\e[32m[SUCCESS]\e[0m Saved log to %s\n" "$output"
+    printf "You can view it with: cat %s\n" "$output"
+  else
+    printf "\e[31m[ERROR]\e[0m fail2ban-regex execution failed.\n"
+    return 1
+  fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/package-lists/live.list.common.chroot

@@ -21,6 +21,7 @@ bc
 bind9-dnsutils
 bsdmainutils
 btrfs-progs
+bzip2
 ca-certificates
 clamav
 clamav-daemon
@@ -42,9 +43,11 @@ dirmngr
 dmsetup
 dnsviz
 dosfstools
+e2fsprogs
 efibootmgr
 expect
 fail2ban
+fdisk
 figlet
 fzf
 gawk
@@ -79,6 +82,7 @@ man
 man-db
 manpages
 manpages-dev
+mdadm
 mtr
 nano
 ncat
@@ -110,11 +114,13 @@ ssl-cert
 sudo
 sysstat
 systemd-sysv
+tar
 tree
 tshark
 ufw
 unattended-upgrades
 unzip
+util-linux
 virt-what
 wamerican
 wbritish
@@ -122,6 +128,9 @@ wfrench
 wget
 whois
 wngerman
+xfsprogs
+xz-utils
+yq
 zip
 zsh
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

docs/AUDIT_DNSSEC.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.23<br>
 
 # 2. DNSSEC Status
 

docs/AUDIT_HAVEGED.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.23<br>
 
 # 2. Haveged Audit on Netcup RS 2000 G11
 

docs/AUDIT_LYNIS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.23<br>
 
 # 2. Lynis Audit:
 

docs/AUDIT_SSH.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.23<br>
 
 # 2. SSH Audit by ssh-audit.com
 

docs/AUDIT_TLS.md

@@ -8,14 +8,14 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.23<br>
 
 # 2. TLS Audit:
 
 ````text
 #####################################################################
-  testssl.sh version 3.2rc4 from https://testssl.sh/dev/
-  (6746fa5 2025-04-18 13:17:50)
+  testssl.sh version 3.2.1 from https://testssl.sh/
+  (81471c3 2025-06-15 09:48:31)
 
   This program is free software. Distribution and modification under
   GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
@@ -26,7 +26,313 @@ include_toc: true
   Using OpenSSL 1.0.2-bad (Mar 28 2025)  [~179 ciphers]
   on kali:./bin/openssl.Linux.x86_64
 
- Start 2025-06-02 18:04:19        -->> 152.53.110.40:443 (coresecret.dev) <<--
+ Start 2025-06-23 06:37:04        -->> 135.181.207.105:443 (dns01.eddns.eu) <<--
+
+ Further IP addresses:   2a01:4f9:c012:a813:135:181:207:105
+ rDNS (135.181.207.105): dns01.eddns.eu.
+ Service detected:       HTTP
+
+ Testing protocols via sockets except NPN+ALPN
+
+ SSLv2      not offered (OK)
+ SSLv3      not offered (OK)
+ TLS 1      not offered
+ TLS 1.1    not offered
+ TLS 1.2    offered (OK)
+ TLS 1.3    offered (OK): final
+ NPN/SPDY   not offered
+ ALPN/HTTP2 h2, http/1.1 (offered)
+
+ Testing for server implementation bugs
+
+ No bugs found.
+
+ Testing cipher categories
+
+ NULL ciphers (no encryption)                      not offered (OK)
+ Anonymous NULL Ciphers (no authentication)        not offered (OK)
+ Export ciphers (w/o ADH+NULL)                     not offered (OK)
+ LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export)      not offered (OK)
+ Triple DES Ciphers / IDEA                         not offered
+ Obsoleted CBC ciphers (AES, ARIA etc.)            not offered
+ Strong encryption (AEAD ciphers) with no FS       not offered
+ Forward Secrecy strong encryption (AEAD ciphers)  offered (OK)
+
+
+ Testing server's cipher preferences
+
+Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
+-----------------------------------------------------------------------------------------------------------------------------
+SSLv2
+ -
+SSLv3
+ -
+TLSv1
+ -
+TLSv1.1
+ -
+TLSv1.2 (server order)
+ xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 448   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 448   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+TLSv1.3 (server order)
+ x1302   TLS_AES_256_GCM_SHA384            ECDH 448   AESGCM      256      TLS_AES_256_GCM_SHA384
+ x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 448   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
+
+ Has server cipher order?     yes (OK) -- TLS 1.3 and below
+
+
+ Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4
+
+ FS is offered (OK) , ciphers follow (client/browser support is important here)
+
+Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
+-----------------------------------------------------------------------------------------------------------------------------
+ x1302   TLS_AES_256_GCM_SHA384            ECDH 448   AESGCM      256      TLS_AES_256_GCM_SHA384                             available
+ x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 448   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                       available
+ xcc14   ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDH       ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD  not a/v
+ xcc13   ECDHE-RSA-CHACHA20-POLY1305-OLD   ECDH       ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD    not a/v
+ xcc15   DHE-RSA-CHACHA20-POLY1305-OLD     DH         ChaCha20    256      TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD      not a/v
+ xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 521   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              available
+ xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH       AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384            not a/v
+ xc028   ECDHE-RSA-AES256-SHA384           ECDH       AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384              not a/v
+ xc024   ECDHE-ECDSA-AES256-SHA384         ECDH       AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384            not a/v
+ xc014   ECDHE-RSA-AES256-SHA              ECDH       AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 not a/v
+ xc00a   ECDHE-ECDSA-AES256-SHA            ECDH       AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA               not a/v
+ xa3     DHE-DSS-AES256-GCM-SHA384         DH         AESGCM      256      TLS_DHE_DSS_WITH_AES_256_GCM_SHA384                not a/v
+ x9f     DHE-RSA-AES256-GCM-SHA384         DH         AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384                not a/v
+ xcca9   ECDHE-ECDSA-CHACHA20-POLY1305     ECDH       ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256      not a/v
+ xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 448   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256        available
+ xccaa   DHE-RSA-CHACHA20-POLY1305         DH         ChaCha20    256      TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256          not a/v
+ xc0af   ECDHE-ECDSA-AES256-CCM8           ECDH       AESCCM8     256      TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8                 not a/v
+ xc0ad   ECDHE-ECDSA-AES256-CCM            ECDH       AESCCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_CCM                   not a/v
+ xc0a3   DHE-RSA-AES256-CCM8               DH         AESCCM8     256      TLS_DHE_RSA_WITH_AES_256_CCM_8                     not a/v
+ xc09f   DHE-RSA-AES256-CCM                DH         AESCCM      256      TLS_DHE_RSA_WITH_AES_256_CCM                       not a/v
+ x6b     DHE-RSA-AES256-SHA256             DH         AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA256                not a/v
+ x6a     DHE-DSS-AES256-SHA256             DH         AES         256      TLS_DHE_DSS_WITH_AES_256_CBC_SHA256                not a/v
+ x39     DHE-RSA-AES256-SHA                DH         AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA                   not a/v
+ x38     DHE-DSS-AES256-SHA                DH         AES         256      TLS_DHE_DSS_WITH_AES_256_CBC_SHA                   not a/v
+ xc077   ECDHE-RSA-CAMELLIA256-SHA384      ECDH       Camellia    256      TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384         not a/v
+ xc073   ECDHE-ECDSA-CAMELLIA256-SHA384    ECDH       Camellia    256      TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384       not a/v
+ xc4     DHE-RSA-CAMELLIA256-SHA256        DH         Camellia    256      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256           not a/v
+ xc3     DHE-DSS-CAMELLIA256-SHA256        DH         Camellia    256      TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256           not a/v
+ x88     DHE-RSA-CAMELLIA256-SHA           DH         Camellia    256      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA              not a/v
+ x87     DHE-DSS-CAMELLIA256-SHA           DH         Camellia    256      TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA              not a/v
+ xc043   DHE-DSS-ARIA256-CBC-SHA384        DH         ARIA        256      TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384               not a/v
+ xc045   DHE-RSA-ARIA256-CBC-SHA384        DH         ARIA        256      TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384               not a/v
+ xc049   ECDHE-ECDSA-ARIA256-CBC-SHA384    ECDH       ARIA        256      TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384           not a/v
+ xc04d   ECDHE-RSA-ARIA256-CBC-SHA384      ECDH       ARIA        256      TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384             not a/v
+ xc053   DHE-RSA-ARIA256-GCM-SHA384        DH         ARIAGCM     256      TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384               not a/v
+ xc057   DHE-DSS-ARIA256-GCM-SHA384        DH         ARIAGCM     256      TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384               not a/v
+ xc05d   ECDHE-ECDSA-ARIA256-GCM-SHA384    ECDH       ARIAGCM     256      TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384           not a/v
+ xc061   ECDHE-ARIA256-GCM-SHA384          ECDH       ARIAGCM     256      TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384             not a/v
+ xc07d   -                                 DH         CamelliaGCM 256      TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384           not a/v
+ xc081   -                                 DH         CamelliaGCM 256      TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384           not a/v
+ xc087   -                                 ECDH       CamelliaGCM 256      TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384       not a/v
+ xc08b   -                                 ECDH       CamelliaGCM 256      TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384         not a/v
+ x1301   TLS_AES_128_GCM_SHA256            any        AESGCM      128      TLS_AES_128_GCM_SHA256                             not a/v
+ x1304   TLS_AES_128_CCM_SHA256            any        AESCCM      128      TLS_AES_128_CCM_SHA256                             not a/v
+ x1305   TLS_AES_128_CCM_8_SHA256          any        AESCCM8     128      TLS_AES_128_CCM_8_SHA256                           not a/v
+ xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH       AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256              not a/v
+ xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH       AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256            not a/v
+ xc027   ECDHE-RSA-AES128-SHA256           ECDH       AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256              not a/v
+ xc023   ECDHE-ECDSA-AES128-SHA256         ECDH       AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256            not a/v
+ xc013   ECDHE-RSA-AES128-SHA              ECDH       AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 not a/v
+ xc009   ECDHE-ECDSA-AES128-SHA            ECDH       AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA               not a/v
+ xa2     DHE-DSS-AES128-GCM-SHA256         DH         AESGCM      128      TLS_DHE_DSS_WITH_AES_128_GCM_SHA256                not a/v
+ x9e     DHE-RSA-AES128-GCM-SHA256         DH         AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256                not a/v
+ xc0ae   ECDHE-ECDSA-AES128-CCM8           ECDH       AESCCM8     128      TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8                 not a/v
+ xc0ac   ECDHE-ECDSA-AES128-CCM            ECDH       AESCCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_CCM                   not a/v
+ xc0a2   DHE-RSA-AES128-CCM8               DH         AESCCM8     128      TLS_DHE_RSA_WITH_AES_128_CCM_8                     not a/v
+ xc09e   DHE-RSA-AES128-CCM                DH         AESCCM      128      TLS_DHE_RSA_WITH_AES_128_CCM                       not a/v
+ x67     DHE-RSA-AES128-SHA256             DH         AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA256                not a/v
+ x40     DHE-DSS-AES128-SHA256             DH         AES         128      TLS_DHE_DSS_WITH_AES_128_CBC_SHA256                not a/v
+ x33     DHE-RSA-AES128-SHA                DH         AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA                   not a/v
+ x32     DHE-DSS-AES128-SHA                DH         AES         128      TLS_DHE_DSS_WITH_AES_128_CBC_SHA                   not a/v
+ xc076   ECDHE-RSA-CAMELLIA128-SHA256      ECDH       Camellia    128      TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256         not a/v
+ xc072   ECDHE-ECDSA-CAMELLIA128-SHA256    ECDH       Camellia    128      TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256       not a/v
+ xbe     DHE-RSA-CAMELLIA128-SHA256        DH         Camellia    128      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256           not a/v
+ xbd     DHE-DSS-CAMELLIA128-SHA256        DH         Camellia    128      TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256           not a/v
+ x9a     DHE-RSA-SEED-SHA                  DH         SEED        128      TLS_DHE_RSA_WITH_SEED_CBC_SHA                      not a/v
+ x99     DHE-DSS-SEED-SHA                  DH         SEED        128      TLS_DHE_DSS_WITH_SEED_CBC_SHA                      not a/v
+ x45     DHE-RSA-CAMELLIA128-SHA           DH         Camellia    128      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA              not a/v
+ x44     DHE-DSS-CAMELLIA128-SHA           DH         Camellia    128      TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA              not a/v
+ xc042   DHE-DSS-ARIA128-CBC-SHA256        DH         ARIA        128      TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256               not a/v
+ xc044   DHE-RSA-ARIA128-CBC-SHA256        DH         ARIA        128      TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256               not a/v
+ xc048   ECDHE-ECDSA-ARIA128-CBC-SHA256    ECDH       ARIA        128      TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256           not a/v
+ xc04c   ECDHE-RSA-ARIA128-CBC-SHA256      ECDH       ARIA        128      TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256             not a/v
+ xc052   DHE-RSA-ARIA128-GCM-SHA256        DH         ARIAGCM     128      TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256               not a/v
+ xc056   DHE-DSS-ARIA128-GCM-SHA256        DH         ARIAGCM     128      TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256               not a/v
+ xc05c   ECDHE-ECDSA-ARIA128-GCM-SHA256    ECDH       ARIAGCM     128      TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256           not a/v
+ xc060   ECDHE-ARIA128-GCM-SHA256          ECDH       ARIAGCM     128      TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256             not a/v
+ xc07c   -                                 DH         CamelliaGCM 128      TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256           not a/v
+ xc080   -                                 DH         CamelliaGCM 128      TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256           not a/v
+ xc086   -                                 ECDH       CamelliaGCM 128      TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256       not a/v
+ xc08a   -                                 ECDH       CamelliaGCM 128      TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256         not a/v
+
+ Elliptic curves offered:     secp384r1 secp521r1 X448
+ TLS 1.2 sig_algs offered:    RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512 RSA+SHA256 RSA+SHA384 RSA+SHA512 RSA+SHA224
+ TLS 1.3 sig_algs offered:    RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512
+
+ Testing server defaults (Server Hello)
+
+ TLS extensions (standard)    "server name/#0" "max fragment length/#1" "status request/#5" "supported_groups/#10" "EC point formats/#11"
+                              "application layer protocol negotiation/#16" "extended master secret/#23" "supported versions/#43" "key share/#51"
+                              "renegotiation info/#65281"
+ Session Ticket RFC 5077 hint no -- no lifetime advertised
+ SSL Session ID support       yes
+ Session Resumption           Tickets no, ID: yes
+ TLS clock skew               Random values, no fingerprinting possible
+ Certificate Compression      none
+ Client Authentication        none
+ Signature Algorithm          SHA384 with RSA
+ Server key size              RSA 4096 bits (exponent is 262147)
+ Server key usage             Digital Signature, Key Encipherment
+ Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
+ Serial                       A39CFE0064280D467269C012636F9EE8 (OK: length 16)
+ Fingerprints                 SHA1 9E19BE00A07E50CC5DB94A51419D431E845F810A
+                              SHA256 92D01842FB6275890EF74AAD742990EFD76ABA0604203B327F3270E805B6F356
+ Common Name (CN)             eddns.eu
+ subjectAltName (SAN)         eddns.eu dns01.eddns.eu dns02.eddns.de dns03.eddns.eu eddns.de
+ Trust (hostname)             Ok via SAN (same w/o SNI)
+ Chain of trust               Ok
+ EV cert (experimental)       no
+ Certificate Validity (UTC)   358 >= 60 days (2025-06-16 00:00 --> 2026-06-16 23:59)
+ ETS/"eTLS", visibility info  not present
+ In pwnedkeys.com DB          not in database
+ Certificate Revocation List  --
+ OCSP URI                     http://zerossl.ocsp.sectigo.com, not revoked
+ OCSP stapling                offered, not revoked
+ OCSP must staple extension   supported
+ DNS CAA RR (experimental)    available - please check for match with "Issuer" below
+                              communications=error, iodef=mailto:dns@coresecret.eu, issue=;, issue=buypass.no, issue=certum.pl,
+                              issue=letsencrypt.org;, issue=quantumsign.eu;, issue=sectigo.com, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
+                              issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
+                              issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuemail=buypass.no, issuemail=certum.pl, issuewild=;
+ Certificate Transparency     yes (certificate extension)
+ Certificates provided        2
+ Issuer                       ZeroSSL RSA Domain Secure Site CA (ZeroSSL from AT)
+ Intermediate cert validity   #1: ok > 40 days (2030-01-29 23:59). ZeroSSL RSA Domain Secure Site CA <-- USERTrust RSA Certification Authority
+ Intermediate Bad OCSP (exp.) Ok
+
+
+ Testing HTTP header response @ "/"
+
+ HTTP Status Code             200 OK
+ HTTP clock skew              0 sec from localtime
+ Strict Transport Security    730 days=63072000 s, includeSubDomains, preload
+ Public Key Pinning           --
+ Server banner                nginx
+ Application banner           --
+ Cookie(s)                    (none issued at "/")
+ Security headers             X-Frame-Options: SAMEORIGIN
+                              X-Content-Type-Options: nosniff
+                              Expect-CT: max-age=86400, enforce
+                              Permissions-Policy: interest-cohort=()
+                              Cross-Origin-Opener-Policy: same-origin
+                              Cross-Origin-Resource-Policy: cross-origin
+                              Cross-Origin-Embedder-Policy: credentialless
+                              X-XSS-Protection: 1; mode=block
+                              Access-Control-Allow-Origin: https://dns01.eddns.eu
+                              Permissions-Policy: interest-cohort=()
+                              Referrer-Policy: same-origin
+                              Cache-Control: no-cache
+ Reverse Proxy banner         --
+
+
+ Testing vulnerabilities
+
+ Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
+ CCS (CVE-2014-0224)                       not vulnerable (OK)
+ Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK), no session ticket extension
+ ROBOT                                     Server does not support any cipher suites that use RSA key transport
+ Secure Renegotiation (RFC 5746)           supported (OK)
+ Secure Client-Initiated Renegotiation     not vulnerable (OK)
+ CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
+ BREACH (CVE-2013-3587)                    no gzip/deflate/compress/br HTTP compression (OK)  - only supplied "/" tested
+ POODLE, SSL (CVE-2014-3566)               not vulnerable (OK), no SSLv3 support
+ TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible (OK), no protocol below TLS 1.2 offered
+ SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
+ FREAK (CVE-2015-0204)                     not vulnerable (OK)
+ DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
+                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
+                                           https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=92D01842FB6275890EF74AAD742990EFD76ABA0604203B327F3270E805B6F356
+ LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
+ BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
+ LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
+ Winshock (CVE-2014-6321), experimental    not vulnerable (OK)
+ RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)
+
+
+ Running client simulations (HTTP) via sockets
+
+ Browser                      Protocol  Cipher Suite Name (OpenSSL)       Forward Secrecy
+------------------------------------------------------------------------------------------------
+ Android 7.0 (native)         No connection
+ Android 8.1 (native)         TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       384 bit ECDH (P-384)
+ Android 9.0 (native)         TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
+ Android 10.0 (native)        TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
+ Android 11/12 (native)       TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
+ Android 13/14 (native)       TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
+ Android 15 (native)          TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
+ Chrome 101 (Win 10)          TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
+ Chromium 137 (Win 11)        TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
+ Firefox 100 (Win 10)         TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
+ Firefox 137 (Win 11)         TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
+ IE 8 Win 7                   No connection
+ IE 11 Win 7                  No connection
+ IE 11 Win 8.1                No connection
+ IE 11 Win Phone 8.1          No connection
+ IE 11 Win 10                 TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       384 bit ECDH (P-384)
+ Edge 15 Win 10               TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       384 bit ECDH (P-384)
+ Edge 101 Win 10 21H2         TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
+ Edge 133 Win 11 23H2         TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
+ Safari 18.4 (iOS 18.4)       TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
+ Safari 15.4 (macOS 12.3.1)   TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
+ Safari 18.4 (macOS 15.4)     TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
+ Java 7u25                    No connection
+ Java 8u442 (OpenJDK)         TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
+ Java 11.0.2 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
+ Java 17.0.3 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
+ Java 21.0.6 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
+ go 1.17.8                    TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
+ LibreSSL 3.3.6 (macOS)       TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
+ OpenSSL 1.0.2e               TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       521 bit ECDH (P-521)
+ OpenSSL 1.1.1d (Debian)      TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
+ OpenSSL 3.0.15 (Debian)      TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
+ OpenSSL 3.5.0 (git)          TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
+ Apple Mail (16.0)            TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       521 bit ECDH (P-521)
+ Thunderbird (91.9)           TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
+
+
+ Rating (experimental)
+
+ Rating specs (not complete)  SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)
+ Specification documentation  https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
+ Protocol Support (weighted)  100 (30)
+ Key Exchange     (weighted)  100 (30)
+ Cipher Strength  (weighted)  100 (40)
+ Final Score                  100
+ Overall Grade                A+
+
+ Done 2025-06-23 06:38:43 [ 102s] -->> 135.181.207.105:443 (dns01.eddns.eu) <<--
+
+
+25-06-23|root@kali.ed448.eu:/root/gitea/testssl.sh/>>1|~#> ./testssl.sh --show-each --wide --phone-out --full https://git.coresecret.dev/
+
+#####################################################################
+  testssl.sh version 3.2.1 from https://testssl.sh/
+  (81471c3 2025-06-15 09:48:31)
+
+  This program is free software. Distribution and modification under
+  GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
+
+  Please file bugs @ https://testssl.sh/bugs/
+#####################################################################
+
+  Using OpenSSL 1.0.2-bad (Mar 28 2025)  [~179 ciphers]
+  on kali:./bin/openssl.Linux.x86_64
+
+ Start 2025-06-23 06:55:40        -->> 152.53.110.40:443 (git.coresecret.dev) <<--
 
  Further IP addresses:   2a0a:4cc0:80:330f:152:53:110:40
  rDNS (152.53.110.40):   git.coresecret.dev.
@@ -193,17 +499,21 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
                               SHA256 76B6FFCE607D8514F676C286C7C76B90F5B7AE7D041631F2EF2F0079AF8D24AC
  Common Name (CN)             coresecret.dev
  subjectAltName (SAN)         coresecret.dev git.coresecret.dev lab.coresecret.dev run.coresecret.dev www.coresecret.dev
- Trust (hostname)             Ok via SAN and CN (same w/o SNI)
+ Trust (hostname)             Ok via SAN (same w/o SNI)
  Chain of trust               Ok
  EV cert (experimental)       no
- Certificate Validity (UTC)   174 >= 60 days (2025-05-28 09:56 --> 2025-11-23 22:59)
+ Certificate Validity (UTC)   153 >= 60 days (2025-05-28 09:56 --> 2025-11-23 22:59)
  ETS/"eTLS", visibility info  not present
  In pwnedkeys.com DB          not in database
  Certificate Revocation List  http://crl.buypass.no/crl/BPClass2CA5.crl, not revoked
  OCSP URI                     http://ocsp.buypass.com, not revoked
  OCSP stapling                offered, not revoked
  OCSP must staple extension   --
- DNS CAA RR (experimental)    not offered
+ DNS CAA RR (experimental)    available - please check for match with "Issuer" below
+                              iodef=mailto:dns@coresecret.eu, issue=;, issue=buypass.no, issue=certum.pl, issue=letsencrypt.org;,
+                              issue=quantumsign.eu;, issue=sectigo.com, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
+                              issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
+                              issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuemail=buypass.no, issuemail=certum.pl, issuewild=;
  Certificate Transparency     yes (certificate extension)
  Certificates provided        2
  Issuer                       Buypass Class 2 CA 5 (Buypass AS-983163327 from NO)
@@ -213,23 +523,27 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
 
  Testing HTTP header response @ "/"
 
- HTTP Status Code             301 Moved Permanently, redirecting to "https://git.coresecret.dev"
+ HTTP Status Code             200 OK
  HTTP clock skew              0 sec from localtime
  Strict Transport Security    730 days=63072000 s, includeSubDomains, preload
  Public Key Pinning           --
  Server banner                nginx
  Application banner           --
- Cookie(s)                    (none issued at "/") -- maybe better try target URL of 30x
+ Cookie(s)                    2 issued: 2/2 secure, 2/2 HttpOnly
  Security headers             X-Frame-Options: SAMEORIGIN
                               X-Content-Type-Options: nosniff
+                              Content-Security-Policy: default-src 'none'; connect-src 'self'; font-src 'self' data:; form-action 'self';
+                                frame-src 'self'; frame-ancestors 'self'; img-src 'self' data: https://badges.coresecret.dev
+                                https://uml.coresecret.dev; manifest-src 'self'; media-src 'self' data: https://badges.coresecret.dev
+                                https://uml.coresecret.dev; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'none';
                               Expect-CT: max-age=86400, enforce
                               Permissions-Policy: interest-cohort=()
-                              Cross-Origin-Opener-Policy: same-origin
-                              Cross-Origin-Resource-Policy: same-origin
-                              Cross-Origin-Embedder-Policy: require-corp
+                              Cross-Origin-Opener-Policy: cross-origin
+                              Cross-Origin-Resource-Policy: cross-origin
+                              Cross-Origin-Embedder-Policy: unsafe-none
                               X-XSS-Protection: 1; mode=block
                               Permissions-Policy: interest-cohort=()
-                              Referrer-Policy: same-origin
+                              Referrer-Policy: no-referrer
                               Cache-Control: no-cache
  Reverse Proxy banner         --
 
@@ -268,6 +582,7 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
  Android 10.0 (native)        TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
  Android 11/12 (native)       TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
  Android 13/14 (native)       TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
+ Android 15 (native)          TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
  Chrome 101 (Win 10)          TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
  Chromium 137 (Win 11)        TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
  Firefox 100 (Win 10)         TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
@@ -308,7 +623,7 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
  Final Score                  100
  Overall Grade                A+
 
- Done 2025-06-02 18:05:51 [  95s] -->> 152.53.110.40:443 (coresecret.dev) <<--
+ Done 2025-06-23 06:57:01 [  86s] -->> 152.53.110.40:443 (git.coresecret.dev) <<--
 ````
 
 ---

docs/CHANGELOG.md

@@ -8,10 +8,40 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.23<br>
 
 # 2. Changelog
 
+## V8.03.768.2025.06.22
+
+* Updated [lib_clean_up.sh](../lib/lib_clean_up.sh): Lock FD and Artifacts.
+
+## V8.03.768.2025.06.19
+
+* Minor main script improvements.
+* Updated [lib_usage.sh](../lib/lib_usage.sh) output.
+
+## V8.03.768.2025.06.18
+
+* Minor main script improvements.
+* Updated contact section.
+* Integrated third ``dns03.eddns.eu`` Centurion DNS Resolver.
+
+## V8.03.768.2025.06.17
+
+* Updated LIVE ISO workflows to use Kernel: ``linux-image-6.12.30+bpo-amd64``
+
+## V8.03.768.2025.06.11
+
+* Updated LIVE ISO workflows to use Kernel: ``linux-image-6.12.27+bpo-amd64``
+
+## V8.03.768.2025.06.09
+
+* Added: [f2bchk.sh](../config/includes.chroot/root/.ciss/f2bchk.sh)
+* Updated: [alias](../config/includes.chroot/root/.ciss/alias)
+  * ``scurl()``
+  * ``swget()``
+
 ## V8.03.644.2025.06.07
 
 * Updated workflows ISO Generators Runners. 

docs/CNET.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.23<br>
 
 # 2. Centurion Net - Developer Branch Overview
 

docs/CODING_CONVENTION.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.23<br>
 
 # 2. Coding Style
 

docs/CONTRIBUTING.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.23<br>
 
 # 2. Contributing / participating
 

docs/CREDITS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.23<br>
 
 # 2. Credits
 

docs/DL_PUB_ISO.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.23<br>
 
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
 

docs/DOCUMENTATION.md

@@ -8,29 +8,26 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.23<br>
 
-# 2. Usage
+# 2.1. Usage
 ````text
 CISS.debian.live.builder
-Master V8.03.644.2025.06.07
+Master V8.03.768.2025.06.23
+A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 
 (c) Marc S. Weidner, 2018 - 2025
 (p) Centurion Press, 2024 - 2025
 
-https://coresecret.eu/
-
-A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
-
 "./ciss_live_builder.sh <option>", where <option> is one or more of:
 
   --help, -h
     What you're looking at.
-    
+
   --autobuild=*, -a=*
     Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel
     selector dialog. Change '*' to your desired Linux kernel and trim the
-    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.22+bpo-amd64'.
+    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'.
 
   --architecture <STRING> one of <amd64 | arm64>
     A string reflecting the architecture of the Live System.
@@ -58,19 +55,20 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
 
   --debug
     Enables debug logging for the main program routine. Detailed logging
-    information are written to "/tmp/ciss_live_builder_3764286.log"
+    information are written to "/tmp/ciss_live_builder_1136873.log"
 
   --dhcp-centurion
     If a DHCP lease is provided, the provider's nameserver will be overridden,
     and only the hardened, privacy-focused Centurion DNS servers will be used:
-    - https://dns01.eddns.eu/
-    - https://dns02.eddns.de/
+      - https://dns01.eddns.eu/
+      - https://dns02.eddns.de/
+      - https://dns03.eddns.eu/
 
   --jump-host <IP | IP | ... >
     Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
     Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
     If provided, than it MUST be a <SPACE> separated list.
-    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd/64].
+    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64.
 
   --log-statistics-only
     Provides statistic only after successful building a
@@ -78,25 +76,27 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
     the argument "--build-directory" MUST be provided while
     all further options MUST be omitted.
 
-  --provider-netcup-ipv6 
+  --provider-netcup-ipv6
     Activates IPv6 support for Netcup Root Server. One unique
-    IPv6 address MUST be provided in this case.
+    IPv6 address MUST be provided in this case and MUST be encapsulated
+    with [], e.g., [1234::abcd].
 
   --renice-priority <PRIORITY>
     Reset the nice priority value of the script and all its children
-    to the desired PRIORITY. MUST be an integer (between "-19" and 19).
+    to the desired <PRIORITY>. MUST be an integer (between "-19" and 19).
     Negative (higher) values MUST be enclosed in double quotes '"'.
 
   --reionice-priority <CLASS> <PRIORITY>
     Reset the ionice priority value of the script and all its children
-    to the desired CLASS. MUST be an integer:
-    1: realtime
-    2: best-effort
-    3: idle
-    defaults to "2".
-    PRIORITY MUST be an integer:
-    between 0 (highest) and 7 (lowest) priority.
-    defaults to "4".
+    to the desired <CLASS>. MUST be an integer:
+      1: realtime
+      2: best-effort
+      3: idle
+    Defaults to '2'.
+    Whereas <PRIORITY> MUST be an integer as well between:
+      0: highest priority and
+      7: lowest priority.
+    Defaults to '4'.
     A real-time I/O process can significantly slow down other processes
     or even cause them to starve if it continuously requests I/O.
 
@@ -107,9 +107,9 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
     the local console. The root password is hashed with an 16 Byte '/dev/random'
     generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
     after Hash generation all Variables containing plain password fragments are
-    deleted. Password file SHOULD be 0400 and root:root and is deleted without
+    deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without
     further prompt after password hash has been successfully generated via:
-    shred -vfzu 5 -f.
+    'shred -vfzu 5 -f'.
     No tracing of any plain text password fragment in any debug log.
 
   --ssh-port <INTEGER>
@@ -123,14 +123,30 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
   --version, -v
     Displays version of ./ciss_live_builder.sh.
 
-NOTES:
-  - You MUST be root to run this script.
+💡 Notes:
+🔵 You MUST be 'root' to run this script.
 
-Contact:
-  - https://coresecret.eu/
-  - security@coresecret.eu
-    - PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD
-      - https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD
+💷 Please consider donating to my work at:
+🌐 https://coresecret.eu/spenden/
+````
+
+# 2.2. Contact
+````text
+CISS.debian.live.builder
+Master V8.03.768.2025.06.23
+A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
+
+(c) Marc S. Weidner, 2018 - 2025
+(p) Centurion Press, 2024 - 2025
+
+💬 Contact:
+🌐 https://coresecret.eu/
+📧 security@coresecret.eu
+🔑 PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD
+🔗 https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD
+
+💷 Please consider donating to my work at:
+🌐 https://coresecret.eu/spenden/
 ````
 
 # 3. Booting

docs/LICENSES/CCLA-1.0.html

@@ -1,53 +0,0 @@
-<h1 id="spdx-license-identifier-licenseref-ccla-10">SPDX-License-Identifier: LicenseRef-CCLA-1.0</h1>
-<h1 id="centurion-commercial-license-agreement-10">Centurion Commercial License Agreement 1.0</h1>
-<h2 id="1-general-terms"><strong>1. General Terms</strong></h2>
-<p>1.1. This Subscription License Agreement ("Agreement") governs the commercial use of the Software ("Software").</p>
-<p>1.2. Private and open-source usage of the Software remains governed by the EUPL-1.2 license.</p>
-<p>1.3. By purchasing and using the Software under this Agreement, you ("Licensee") agree to the terms outlined below.</p>
-<p>1.4. Only the English version of this Agreement shall be legally binding. Translations are provided for convenience only.</p>
-<h2 id="2-grant-of-license"><strong>2. Grant of License</strong></h2>
-<p>2.1. Subject-to-payment of applicable subscription fees, Licensor grants Licensee a</p>
-<ul>
-<li>non-exclusive,</li>
-<li>non-transferable,</li>
-<li>time-limited,</li>
-</ul>
-<p>right to use the Software for commercial purposes.</p>
-<p>2.2. This license is valid only for the duration of the subscription period and under the scope defined in this Agreement.</p>
-<h2 id="3-subscription-fees-and-payment"><strong>3. Subscription Fees and Payment</strong></h2>
-<p>3.1. Licensee agrees to pay the subscription fees as specified in the pricing agreement. These fees are non-refundable.</p>
-<p>3.2. Licensor reserves the right to modify subscription fees upon 30 days' written notice.</p>
-<h2 id="4-restrictions"><strong>4. Restrictions</strong></h2>
-<p>4.1. Licensee shall not:</p>
-<ul>
-<li>Distribute, sublicense, or resell the Software.</li>
-<li>Reverse engineer, decompile, or modify the Software, except as permitted by mandatory law.</li>
-</ul>
-<p>4.2. The Software may not be used for illegal or unethical purposes.</p>
-<h2 id="5-support-and-updates"><strong>5. Support and Updates</strong></h2>
-<p>5.1. Licensor will provide updates and support for the Software during the subscription period, as detailed in the accompanying support agreement.</p>
-<p>5.2. Support services may include bug fixes, patches, and minor updates. Major updates may incur additional fees.</p>
-<h2 id="6-termination"><strong>6. Termination</strong></h2>
-<p>6.1. This Agreement is valid for the subscription term unless terminated earlier:</p>
-<ul>
-<li>By Licensee, with a 30-day written notice.</li>
-<li>By Licensor, in the event of Licensees breach of this Agreement.</li>
-</ul>
-<p>6.2. Upon termination, Licensee must cease all uses of the Software and delete all copies.</p>
-<h2 id="7-liability-and-warranty"><strong>7. Liability and Warranty</strong></h2>
-<p>7.1. The Software is provided "as is" without warranties of any kind, except as required by law.</p>
-<p>7.2. Licensors' liability is limited to the number of subscription fees paid by Licensee in the preceding 12 months.</p>
-<h2 id="8-governing-law"><strong>8. Governing Law</strong></h2>
-<p>8.1. This Agreement shall be governed by the laws of Portugal.</p>
-<p>8.2. Disputes arising under this Agreement shall be subject to the exclusive jurisdiction of the courts of Portugal.</p>
-<h2 id="9-miscellaneous"><strong>9. Miscellaneous</strong></h2>
-<p>9.1. Any changes to this Agreement must be in writing and signed by both parties.</p>
-<p>9.2. If any provision of this Agreement is found invalid, the remaining provisions shall remain enforceable.</p>
-<h2 id="10-contact-information">10. <strong>Contact Information</strong></h2>
-<ul>
-<li>Licensor : Centurion Intelligence Consulting Agency</li>
-<li>Email : <a href="mailto:legal@coresecret.eu">legal@coresecret.eu</a></li>
-</ul>
-<hr />
-<p>This Subscription License Agreement was last updated at 09.05.2025.</p>
-

docs/REFERENCES.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.23<br>
 
 # 2. Resources
 

lib/lib_arg_parser.sh

@@ -100,7 +100,7 @@ arg_parser() {
             printf "\e[91m❌ Error: --architecture MUST be 'amd64' or 'arm64'.\e[0m\n" >&2
             # shellcheck disable=SC2162
             read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
-            exit "${ERR_UNCRITICAL}"
+            exit "${ERR_ARG_MSMTCH}"
           fi
           ;;
 

lib/lib_boot_screen.sh

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 
 #######################################
-# Change Grub Boot Screen Splash
+# Set up a gauge Dialog Wrapper.
 # Globals:
 #   PID_BOOT_SCREEN
 #   PIPE_BOOT_SCREEN

lib/lib_check_kernel.sh

@@ -52,7 +52,7 @@ check_kernel() {
     done < "${VAR_KERNEL_SRT}"
 
   # shellcheck disable=SC2155
-  if declare -g VAR_KERNEL=$(dialog \
+  if declare -gx VAR_KERNEL=$(dialog \
                           --no-collapse \
                           --ascii-lines \
                           --clear \
@@ -63,9 +63,9 @@ check_kernel() {
   else
     clear
     if [[ "${VAR_ARCHITECTURE}" == "amd64" ]]; then
-      declare -gr VAR_KERNEL="amd64"
+      declare -gx VAR_KERNEL="amd64"
     elif [[ "${VAR_ARCHITECTURE}" == "arm64" ]]; then
-      declare -gr VAR_KERNEL="arm64"
+      declare -gx VAR_KERNEL="arm64"
     fi
   fi
 }

lib/lib_check_pkgs.sh

@@ -16,16 +16,34 @@
 #  None
 #######################################
 check_pkgs() {
-  if [[ ! -f /usr/share/live/build/VERSION ]]; then
-    apt-get update -y
-    apt-get install live-build -y
+  apt-get update -y
+
+  if [[ -z "$(command -v lsb_release || true)" ]]; then
+    apt-get install -y --no-install-recommends lsb-release
   fi
 
-  if [[ -z "$(command -v dialog || true)" ]]; then
-    if ! $VAR_HANDLER_AUTOBUILD; then apt-get install --no-install-recommends dialog -y; fi
+  if [[ -z "$(command -v debootstrap || true)" ]]; then
+    if grep -RqsE '^[[:space:]]*deb .*backports' /etc/apt/sources.list /etc/apt/sources.list.d; then
+      # shellcheck disable=SC2155
+      declare codename=$(lsb_release -sc)
+      apt-get install -y -t "${codename}-backports" debootstrap
+    else
+      apt-get install -y debootstrap
+    fi
+  fi
+
+  if [[ ! -f /usr/share/live/build/VERSION ]]; then
+    apt-get install -y live-build
+  fi
+
+  if [[ "${VAR_HANDLER_AUTOBUILD}" == false ]]; then
+    if [[ -z "$(command -v dialog || true)" ]]; then
+      apt-get install -y --no-install-recommends dialog
+    fi
   fi
 
   if [[ -z "$(command -v mkpasswd || true)" ]]; then
+    apt-get update -y
     apt-get install --no-install-recommends whois -y
   fi
 }

lib/lib_check_provider.sh

@@ -18,7 +18,7 @@
 check_provider() {
   clear
   cat << 'EOF' >| "${VAR_NOTES}"
-Build: Master V8.03.644.2025.06.07
+Build: Master V8.03.768.2025.06.23
 
 Press 'EXIT' to continue with CISS.debian.live.builder.
 

lib/lib_clean_up.sh

@@ -26,6 +26,11 @@ clean_up() {
   rm -f -- "${VAR_KERNEL_INF}"
   rm -f -- "${VAR_KERNEL_SRT}"
   rm -f -- "${VAR_KERNEL_TMP}"
+  # Release advisory lock on FD 127.
+  flock -u 127
+  # Close file descriptor 127.
+  exec 127>&-
+  # Remove the lockfile artifact.
   rm -f /run/lock/ciss_live_builder.lock
   if (( clean_exit_code == 0 )); then rm -f -- "${LOG_ERROR}"; fi
   if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then

lib/lib_contact.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Contact Wrapper CISS.debian.live.builder
+# Globals:
+#   none
+# Arguments:
+#   none
+#######################################
+contact() {
+  clear
+  cat << EOF
+$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
+$(echo -e "\e[92mMaster V8.03.768.2025.06.23\e[0m")
+$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.\e[0m")
+
+$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
+$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
+
+$(echo -e "\e[95m💬 Contact:\e[0m")
+$(echo -e "\e[95m🌐 https://coresecret.eu/ \e[0m")
+$(echo -e "\e[95m📧 security@coresecret.eu \e[0m")
+$(echo -e "\e[95m🔑 PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD \e[0m")
+$(echo -e "\e[95m🔗 https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD \e[0m")
+
+$(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m")
+$(echo -e "\e[95m🌐 https://coresecret.eu/spenden/         \e[0m")
+
+EOF
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_debug.sh

@@ -34,9 +34,9 @@ debugger() {
       declare -p "${var}" 2>/dev/null
     done < <(compgen -v | grep -Ev '^(BASH|_).*')
   } | sort >| "${VAR_DUMP_VARS_INITIAL}"
-  declare -grx VAR_EARLY_DEBUG=true
+  declare -gx VAR_EARLY_DEBUG=true
   ### Set a verbose PS4 prompt including timestamp, source, line, exit status, and function name
-  declare -grx PS4='\e[97m+\e[0m\e[96m$(date +%T.%4N)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m${?}\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m '
+  declare -grx PS4='\e[97m+\e[0m\e[96m$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m${?}\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m '
   # shellcheck disable=SC2155
   declare -grx LOG_DEBUG="/tmp/ciss_live_builder_$$_debug.log"
   ### Generates empty LOG_DEBUG
@@ -44,12 +44,6 @@ debugger() {
   ### Open file descriptor 42 for writing to the debug log
   exec 42>| "${LOG_DEBUG}"
   ### Write Debug Log Header https://www.gnu.org/software/bash/manual/html_node/Bash-Variables
-    ### Determine the directory of this script, even if sourced.
-    # shellcheck disable=SC2155
-    declare script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-    ### Source the header from the same directory. This ensures we always load lib/lib_debug_header.sh correctly.
-    . "${script_dir}/lib_debug_header.sh"
-  # shellcheck disable=SC2119
   debug_header "$#" "$*"
   ### Tell Bash to send xtrace output to FD 42
   export BASH_XTRACEFD=42

lib/lib_debug_header.sh

@@ -30,27 +30,30 @@
 debug_header() {
   declare -r arg_counter="$1"
   declare -r arg_string="$2"
+  # shellcheck disable=SC2155
+  declare git_head=$(git rev-parse HEAD)
   {
-    printf "\e[97m+\e[0m\e[92m%s: CISS.debian.live.builder Debug Log \e[0m\n" "$(date +%T.%4N)"
-    printf "\e[97m+\e[0m\e[92m%s: Version                   : %s \e[0m\n" "$(date +%T.%4N)" "${VAR_VERSION}"
-    printf "\e[97m+\e[0m\e[92m%s: Epoch                     : %s \e[0m\n" "$(date +%T.%4N)" "${EPOCHREALTIME}"
-    printf "\e[97m+\e[0m\e[92m%s: Bash MAJ Release          : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[0]}"
-    printf "\e[97m+\e[0m\e[92m%s: Bash MIN Version          : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[1]}"
-    printf "\e[97m+\e[0m\e[92m%s: Bash Patch Level          : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[2]}"
-    printf "\e[97m+\e[0m\e[92m%s: Bash Build Version        : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[3]}"
-    printf "\e[97m+\e[0m\e[92m%s: Bash Release              : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[4]}"
-    printf "\e[97m+\e[0m\e[92m%s: UID                       : %s \e[0m\n" "$(date +%T.%4N)" "${UID}"
-    printf "\e[97m+\e[0m\e[92m%s: EUID                      : %s \e[0m\n" "$(date +%T.%4N)" "${EUID}"
-    printf "\e[97m+\e[0m\e[92m%s: Hostname                  : %s \e[0m\n" "$(date +%T.%4N)" "${HOSTNAME}"
-    printf "\e[97m+\e[0m\e[92m%s: Script name               : %s \e[0m\n" "$(date +%T.%4N)" "$0"
-    printf "\e[97m+\e[0m\e[92m%s: Argument Counter          : %s \e[0m\n" "$(date +%T.%4N)" "${arg_counter}"
-    printf "\e[97m+\e[0m\e[92m%s: Argument String Original  : %s \e[0m\n" "$(date +%T.%4N)" "${arg_string}"
-    printf "\e[97m+\e[0m\e[92m%s: Script PID                : %s \e[0m\n" "$(date +%T.%4N)" "$$"
-    printf "\e[97m+\e[0m\e[92m%s: Script Parent PID         : %s \e[0m\n" "$(date +%T.%4N)" "${PPID}"
-    printf "\e[97m+\e[0m\e[92m%s: Script work DIR           : %s \e[0m\n" "$(date +%T.%4N)" "${PWD}"
-    printf "\e[97m+\e[0m\e[92m%s: Shell Options             : %s \e[0m\n" "$(date +%T.%4N)" "$-"
-    printf "\e[97m+\e[0m\e[92m%s: BASHOPTS                  : %s \e[0m\n" "$(date +%T.%4N)" "${BASHOPTS}"
-    printf "\e[97m+\e[0m\e[92m%s: ==== Debug Log Begin ==== : \e[0m\n" "$(date +%T.%4N)"
+    printf "\e[97m+\e[0m\e[92m%s: CISS.debian.live.builder Debug Log \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
+    printf "\e[97m+\e[0m\e[92m%s: Git Commit                : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${git_head}"
+    printf "\e[97m+\e[0m\e[92m%s: Version                   : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_VERSION}"
+    printf "\e[97m+\e[0m\e[92m%s: Epoch                     : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${EPOCHREALTIME}"
+    printf "\e[97m+\e[0m\e[92m%s: Bash MAJ Release          : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[0]}"
+    printf "\e[97m+\e[0m\e[92m%s: Bash MIN Version          : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[1]}"
+    printf "\e[97m+\e[0m\e[92m%s: Bash Patch Level          : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[2]}"
+    printf "\e[97m+\e[0m\e[92m%s: Bash Build Version        : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[3]}"
+    printf "\e[97m+\e[0m\e[92m%s: Bash Release              : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[4]}"
+    printf "\e[97m+\e[0m\e[92m%s: UID                       : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${UID}"
+    printf "\e[97m+\e[0m\e[92m%s: EUID                      : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${EUID}"
+    printf "\e[97m+\e[0m\e[92m%s: Hostname                  : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${HOSTNAME}"
+    printf "\e[97m+\e[0m\e[92m%s: Script name               : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "$0"
+    printf "\e[97m+\e[0m\e[92m%s: Argument Counter          : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${arg_counter}"
+    printf "\e[97m+\e[0m\e[92m%s: Argument String Original  : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${arg_string}"
+    printf "\e[97m+\e[0m\e[92m%s: Script PID                : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "$$"
+    printf "\e[97m+\e[0m\e[92m%s: Script Parent PID         : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${PPID}"
+    printf "\e[97m+\e[0m\e[92m%s: Script work DIR           : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${PWD}"
+    printf "\e[97m+\e[0m\e[92m%s: Shell Options             : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "$-"
+    printf "\e[97m+\e[0m\e[92m%s: BASHOPTS                  : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASHOPTS}"
+    printf "\e[97m+\e[0m\e[92m%s: ==== Debug Log Begin ==== : \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
   } >&42
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_trap_on_exit.sh

@@ -18,20 +18,20 @@
 #   $1: $?
 #######################################
 trap_on_exit() {
-  declare -r trap_on_exit_code="$1"
+  declare -r var_trap_on_exit_code="$1"
   trap - EXIT
-  if (( trap_on_exit_code == 0 )); then
+  if (( var_trap_on_exit_code == 0 )); then
     if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi
-    clean_up "${trap_on_exit_code}"
-    print_scr_exit "${trap_on_exit_code}"
-    exit 0
+    clean_up "${var_trap_on_exit_code}"
+    print_scr_exit "${var_trap_on_exit_code}"
+    exit "${var_trap_on_exit_code}"
   else
-    exit "${trap_on_exit_code}"
+    exit "${var_trap_on_exit_code}"
   fi
 }
 
 #######################################
-# Print Success Message for Trap on 'EXIT' on 'stdout'
+# Print Success Message for Trap on 'EXIT' on 'stdout'.
 # Globals:
 #   LOG_DEBUG
 #   LOG_VAR
@@ -40,16 +40,16 @@ trap_on_exit() {
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_SCRIPT_SUCCESS
 # Arguments:
-#   $1: ${trap_on_exit_code} of trap_on_exit()
+#   $1: ${var_trap_on_exit_code} of trap_on_exit()
 #######################################
 print_scr_exit() {
-  declare -r print_scr_exit_code="$1"
-  if (( print_scr_exit_code == 0 )); then
+  declare -r var_print_scr_exit_code="$1"
+  if (( var_print_scr_exit_code == 0 )); then
     if [[ "${VAR_SCRIPT_SUCCESS}" == "true" ]]; then
       printf "\n"
       printf "\e[92m✅ CISS.debian.live.builder Script successful. \e[0m\n"
       printf "\e[92m✅ Aide Initial DB at: %s \e[0m\n" "${VAR_HANDLER_BUILD_DIR}/.integrity/"
-      printf "\e[92m✅ Exited with Status: %s \e[0m\n" "${print_scr_exit_code}"
+      printf "\e[92m✅ Exited with Status: %s \e[0m\n" "${var_print_scr_exit_code}"
       printf "\n"
       if [[ "${VAR_EARLY_DEBUG}" == "true" ]]; then
         printf "\e[92m✅ Script Runtime    : %s \e[0m\n" "${SECONDS}"

lib/lib_usage.sh

@@ -13,133 +13,129 @@
 #######################################
 # Usage Wrapper CISS.debian.live.builder
 # Globals:
-#   ERR_UNCRITICAL
+#   none
 # Arguments:
 #   $0: Script name
 #######################################
 usage() {
   clear
   cat << EOF
-
 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.03.644.2025.06.07\e[0m")
+$(echo -e "\e[92mMaster V8.03.768.2025.06.23\e[0m")
+$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.\e[0m")
 
 $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
 $(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
 
-$(echo -e "\e[95mhttps://coresecret.eu/\e[0m")
-
-$(echo -e "\e[97mA lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.\e[0m")
-
 "${0} <option>", where <option> is one or more of:
 
-  --help, -h
+$(echo -e "\e[97m  --help, -h\e[0m")
     What you're looking at.
 
-  --autobuild=*, -a=*
+$(echo -e "\e[97m  --autobuild=*, -a=*\e[0m")
     Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel
     selector dialog. Change '*' to your desired Linux kernel and trim the
-    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.22+bpo-amd64'.
+    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'.
 
-  --architecture <STRING> one of <amd64 | arm64>
+$(echo -e "\e[97m  --architecture <STRING> one of <amd64 | arm64>\e[0m")
     A string reflecting the architecture of the Live System.
     MUST be provided.
 
-  --build-directory </path/to/build_directory>
+$(echo -e "\e[97m  --build-directory </path/to/build_directory>\e[0m")
     Where the Debian Live Build Image should be generated.
     MUST be provided.
 
-  --change-splash <STRING> one of <club | hexagon>
+$(echo -e "\e[97m  --change-splash <STRING> one of <club | hexagon>\e[0m")
     A string reflecting the GRub Boot Screen Splash you want to use.
     If omitted defaults to "./.archive/background/club.png".
 
-  --cdi (Experimental Feature)
+$(echo -e "\e[97m  --cdi (Experimental Feature)\e[0m")
     This option generates a boot menu entry to start the forthcoming
     'CISS.debian.installer', which will be executed after
     the system has successfully booted up.
 
-  --contact, -c
+$(echo -e "\e[97m  --contact, -c\e[0m")
     Displays contact information of the author.
 
-  --control <INTEGER>
+$(echo -e "\e[97m  --control <INTEGER>\e[0m")
     An integer that reflects the version of your Live ISO Image.
     MUST be provided.
 
-  --debug
+$(echo -e "\e[97m  --debug\e[0m")
     Enables debug logging for the main program routine. Detailed logging
     information are written to "/tmp/ciss_live_builder_$$.log"
 
-  --dhcp-centurion
+$(echo -e "\e[97m  --dhcp-centurion\e[0m")
     If a DHCP lease is provided, the provider's nameserver will be overridden,
     and only the hardened, privacy-focused Centurion DNS servers will be used:
-    - https://dns01.eddns.eu/
-    - https://dns02.eddns.de/
+      - https://dns01.eddns.eu/
+      - https://dns02.eddns.de/
+      - https://dns03.eddns.eu/
 
-  --jump-host <IP | IP | ... >
+$(echo -e "\e[97m  --jump-host <IP | IP | ... >\e[0m")
     Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
     Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
     If provided, than it MUST be a <SPACE> separated list.
-    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd/64].
+    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64.
 
-  --log-statistics-only
+$(echo -e "\e[97m  --log-statistics-only\e[0m")
     Provides statistic only after successful building a
     CISS.debian.live-ISO. While enabling "--log-statistics-only"
     the argument "--build-directory" MUST be provided while
     all further options MUST be omitted.
 
-  --provider-netcup-ipv6
+$(echo -e "\e[97m  --provider-netcup-ipv6\e[0m")
     Activates IPv6 support for Netcup Root Server. One unique
-    IPv6 address MUST be provided in this case.
+    IPv6 address MUST be provided in this case and MUST be encapsulated
+    with [], e.g., [1234::abcd].
 
-  --renice-priority <PRIORITY>
+$(echo -e "\e[97m  --renice-priority <PRIORITY>\e[0m")
     Reset the nice priority value of the script and all its children
-    to the desired PRIORITY. MUST be an integer (between "-19" and 19).
+    to the desired <PRIORITY>. MUST be an integer (between "-19" and 19).
     Negative (higher) values MUST be enclosed in double quotes '"'.
 
-  --reionice-priority <CLASS> <PRIORITY>
+$(echo -e "\e[97m  --reionice-priority <CLASS> <PRIORITY>\e[0m")
     Reset the ionice priority value of the script and all its children
-    to the desired CLASS. MUST be an integer:
-    1: realtime
-    2: best-effort
-    3: idle
-    defaults to "2".
-    PRIORITY MUST be an integer:
-    between 0 (highest) and 7 (lowest) priority.
-    defaults to "4".
+    to the desired <CLASS>. MUST be an integer:
+      1: realtime
+      2: best-effort
+      3: idle
+    Defaults to '2'.
+    Whereas <PRIORITY> MUST be an integer as well between:
+      0: highest priority and
+      7: lowest priority.
+    Defaults to '4'.
     A real-time I/O process can significantly slow down other processes
     or even cause them to starve if it continuously requests I/O.
 
-  --root-password-file </path/to/password.txt>
+$(echo -e "\e[97m  --root-password-file </path/to/password.txt>\e[0m")
     Password file for 'root', if given, MUST be a string of 20 to 64 characters,
     and MUST NOT contain the special character '"'.
     If the argument is omitted, no further login authentication is required for
     the local console. The root password is hashed with an 16 Byte '/dev/random'
     generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
     after Hash generation all Variables containing plain password fragments are
-    deleted. Password file SHOULD be 0400 and root:root and is deleted without
+    deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without
     further prompt after password hash has been successfully generated via:
-    shred -vfzu 5 -f.
+    'shred -vfzu 5 -f'.
     No tracing of any plain text password fragment in any debug log.
 
-  --ssh-port <INTEGER>
+$(echo -e "\e[97m  --ssh-port <INTEGER>\e[0m")
     The desired Port SSH should listen to.
     If not provided defaults to Port 22.
 
-  --ssh-pubkey </path/to/.ssh/>
+$(echo -e "\e[97m  --ssh-pubkey </path/to/.ssh/>\e[0m")
     Imports the SSH Public Key(s) from the FILE 'authorized_keys' of the
     specified PATH into the Live ISO. MUST be provided.
 
-  --version, -v
+$(echo -e "\e[97m  --version, -v\e[0m")
     Displays version of ${0}.
 
-$(echo -e "\e[93mNOTES:\e[0m")
-  - You MUST be 'root' to run this script.
+$(echo -e "\e[93m💡 Notes:\e[0m")
+🔵 You MUST be 'root' to run this script.
 
-$(echo -e "\e[92mContact:\e[0m")
-$(echo -e "\e[95m  - https://coresecret.eu/ \e[0m")
-$(echo -e "\e[95m  - security@coresecret.eu \e[0m")
-$(echo -e "\e[95m    - PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD \e[0m")
-$(echo -e "\e[95m      - https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD \e[0m")
+$(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m")
+$(echo -e "\e[95m🌐 https://coresecret.eu/spenden/         \e[0m")
 
 EOF
 }

scripts/0010_dhcp_supersede.sh

@@ -21,9 +21,9 @@ fi
 cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp/dhclient.conf
 
 # Custom dhclient config to override DHCP DNS
-# dns01.eddns.eu, dns02.eddns.de;
+# dns01.eddns.eu, dns02.eddns.de; dns03.eddns.eu;
 
-supersede domain-name-servers 135.181.207.105, 89.58.62.53;
+supersede domain-name-servers 135.181.207.105, 89.58.62.53; 138.199.237.109;
 
 EOF
 

scripts/9000-cdi-starter

@@ -15,7 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 # sleep 1
 
 [[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log
-printf "CISS.debian.installer Master V8.03.644.2025.06.07 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+printf "CISS.debian.installer Master V8.03.768.2025.06.23 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
 
 if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then
   chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh

var/bash.var.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin
+set -o errexit   # Exit script when a command exits with non-zero status, the same as "set -e".
+set -o errtrace  # Any traps on ERR are inherited in a subshell environment, the same as "set -E".
+set -o functrace # Any traps on DEBUG and RETURN are inherited in a subshell environment, the same as "set -T".
+set -o nounset   # Exit script on use of an undefined variable, the same as "set -u".
+set -o pipefail  # Makes pipelines return the exit status of the last command in the pipe that failed.
+set -o noclobber # Prevent overwriting, the same as "set -C".
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

var/color.var.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-declare -grx C_BLA='\e[90m' # For the techno fans.
+declare -grx C_BLA='\e[90m' # Beautiful black For the techno fans.
 declare -grx C_RED='\e[91m' # Bright red.
 declare -grx C_GRE='\e[92m' # Vibrant green.
 declare -grx C_YEL='\e[93m' # Fancy yellow
@@ -18,6 +18,6 @@ declare -grx C_BLU='\e[94m' # Organic blue.
 declare -grx C_MAG='\e[95m' # Super gay magenta.
 declare -grx C_CYA='\e[96m' # Lovely cyan.
 declare -grx C_WHI='\e[97m' # Fantastic color mix.
-declare -grx C_RES='\e[0m'    # Forget everything.
+declare -grx C_RES='\e[0m'  # Forget everything.
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh