V8.03.768.2025.06.11

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-06-11 19:17:47 +02:00 · 2025-06-11 19:16:51 +02:00 · 2025-06-09 23:03:26 +00:00 · 2025-06-09 22:16:21 +00:00 · 2025-06-09 21:29:12 +00:00 · 2025-06-09 20:42:11 +00:00
49 changed files with 193 additions and 77 deletions
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.03.644.2025.06.07"
+      placeholder: "e.g., Master V8.03.768.2025.06.11"
    validations:
      required: true
--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.768.2025.06.11
 FROM debian:bookworm
--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.768.2025.06.11
 name: 🔁 Render README.md to README.html.
--- a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.03.644.2025.06.07
+  version: V8.03.768.2025.06.11
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.03.644.2025.06.07
+  version: V8.03.768.2025.06.11
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PUBLIC.yaml
+++ b/.gitea/trigger/t_generate_PUBLIC.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.03.644.2025.06.07
+  version: V8.03.768.2025.06.11
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.03.644.2025.06.07
+  version: V8.03.768.2025.06.11
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.768.2025.06.11
 name: 🔐 Generating a Private Live ISO FLV 0.
@@ -270,7 +270,7 @@ jobs:
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
          ./ciss_live_builder.sh \
-            --autobuild=6.12.22+bpo-amd64 \
+            --autobuild=6.12.27+bpo-amd64 \
            --architecture amd64 \
            --build-directory /opt/livebuild \
            --control "${timestamp}" \
--- a/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.512.2025.06.06
+### Version Master V8.03.768.2025.06.11
 name: 🔐 Generating a Private Live ISO FLV 1.
@@ -270,7 +270,7 @@ jobs:
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
          ./ciss_live_builder.sh \
-            --autobuild=6.12.22+bpo-amd64 \
+            --autobuild=6.12.27+bpo-amd64 \
            --architecture amd64 \
            --build-directory /opt/livebuild \
            --control "${timestamp}" \
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.768.2025.06.11
 name: 💙 Generating a PUBLIC Live ISO.
@@ -271,7 +271,7 @@ jobs:
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
          ./ciss_live_builder.sh \
-            --autobuild=6.12.22+bpo-amd64 \
+            --autobuild=6.12.27+bpo-amd64 \
            --architecture amd64 \
            --build-directory /opt/livebuild \
            --control "${timestamp}" \
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.768.2025.06.11
 # Gitea Workflow: Shell-Script Linting
 #
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.768.2025.06.11
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.768.2025.06.11
 name: 🔁 Render Graphviz Diagrams.
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.03.644.2025.06.07"
+properties_version="V8.03.768.2025.06.11"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.03.644.2025.06.07
+PackageVersion: Master V8.03.768.2025.06.11
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
--- a/LINTER_RESULTS.txt
+++ b/LINTER_RESULTS.txt
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-06-07T13:59:44Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-06-09T20:42:08Z".
 ✅ The last linter check was successful. ✅
--- a/LIVE_ISO.public
+++ b/LIVE_ISO.public
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-06-07T13:28:13Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-06-09T23:03:24Z".
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_07T12_48_35Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_06_09T22_24_52Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  "ciss-debian-live-2025_06_07T12_48_35Z-amd64.hybrid.iso.sha512"
+  "ciss-debian-live-2025_06_09T22_24_52Z-amd64.hybrid.iso.sha512"
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaEQ+bQAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaEdoPAAKCRA85KY4hzOw
-IdnhAQC+NGhgMMPqZgS51p59kCYSoGLDzodY7TtFOJOxLo5LeAD/bgJifC51JFju
+ISx/AQDaWYyH8QulOKnFs6NdEWI9Bs4mm3goYMloHE6k+ggriwD/cGWeNBYZEq/r
-RKy7e3am5Z80cAGZJ1RFliRgjJVZeAU=
+ELwSKN93MHQI+k6ceurSNVINKcdhdAo=
-=P9Qk
+=qwLb
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/LIVE_ISO_FLV_0.private
+++ b/LIVE_ISO_FLV_0.private
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-06-07T11:52:28Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-06-09T21:29:09Z".
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_07T11_12_45Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_06_09T20_49_35Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  "ciss-debian-live-2025_06_07T11_12_45Z-amd64.hybrid.iso.sha512"
+  "ciss-debian-live-2025_06_09T20_49_35Z-amd64.hybrid.iso.sha512"
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaEQn/AAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaEdSJQAKCRA85KY4hzOw
-IeMFAP0ZsIuEHFz3EgDpk1rN066VZ2nGrx3NvQenvjg5EQsRNAD+MNlJ4JE9zk17
+IfhAAQD7eHcuDOahhxGeZUvM9cDSjhI9NZ32DXiKyh5G4h98eAEA+BQ45jKcSCCj
-pvWF+r0l2K7P6CmxlK7WZFU2Hs6KYwc=
+4mDbCicU/5Xo48I1UveYpEw7THIk1Qg=
-=6azh
+=1JtH
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/LIVE_ISO_FLV_1.private
+++ b/LIVE_ISO_FLV_1.private
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-06-07T12:39:29Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-06-09T22:16:18Z".
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_07T12_01_03Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_06_09T21_37_50Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  "ciss-debian-live-2025_06_07T12_01_03Z-amd64.hybrid.iso.sha512"
+  "ciss-debian-live-2025_06_09T21_37_50Z-amd64.hybrid.iso.sha512"
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaEQzAQAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaEddMgAKCRA85KY4hzOw
-IedVAQDj71Q0oAweOhYGabzgECIwgIxHPypvidif0fnjucGuIgD+O5XAvFsPnUzQ
+IfJ2AQDqmrBfWDF/ZxM1wgxB/JYFtLVTYY5tSRUfBPkrNCrmaQD/UjIYnVwOwUoj
-7lXvBLPURbSoa5//sgkXL3Pmik2vvwk=
+3i2g5OT1ufIaPP7UDglgnVUwYfUgKwE=
-=TJPq
+=pv0S
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.644.2025.06.07-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.768.2025.06.11-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -26,7 +26,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.11<br>
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -40,7 +40,7 @@
 declare -g VAR_HANDLER_AUTOBUILD="false"
 declare -gr VAR_CONTACT="security@coresecret.eu"
-declare -gr VAR_VERSION="Master V8.03.644.2025.06.07"
+declare -gr VAR_VERSION="Master V8.03.768.2025.06.11"
 ### VERY EARLY CHECK FOR AUTO-BUILD, CONTACT, USAGE, AND VERSION STRING
 declare arg
--- a/config/hooks/live/9985_clamav.chroot
+++ b/config/hooks/live/9985_clamav.chroot
@@ -58,7 +58,7 @@ ReadOnlyPaths=/
 ReadWritePaths=/var/lib/clamav /var/log/clamav /var/run/clamav
 MemoryDenyWriteExecute=yes
-MemoryLimit=512M
+MemoryLimit=4096M
 CPUShares=512
 RestrictAddressFamilies=AF_INET AF_INET6
--- a/config/hooks/live/9990_final_purge.chroot
+++ b/config/hooks/live/9990_final_purge.chroot
@@ -22,7 +22,7 @@ qemu-guest-agent rmail sendmail-base sendmail-bin sendmail-cf sensible-mda sendm
 apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config \
 qemu-guest-agent rmail sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
-dpkg --get-selections | grep deinstall >> /tmp/deinstall.log || true
+dpkg --get-selections | grep deinstall >| /tmp/deinstall.log || true
 if [[ -s /tmp/deinstall.log ]]; then
  printf "\n"
--- a/config/hooks/live/9991_file_permissions.chroot
+++ b/config/hooks/live/9991_file_permissions.chroot
@@ -39,7 +39,7 @@ EOF
 cp -a /etc/login.defs /root/.ciss/dlb/backup/login.defs.bak
-sed -i 's/LOGIN_TIMEOUT       60/LOGIN_TIMEOUT       180/' /etc/login.defs
+sed -ri 's/^(#?LOGIN_TIMEOUT)[[:space:]]+[0-9]+/\1 180/' /etc/login.defs
 sed -i 's/UMASK		022/UMASK		077/' /etc/login.defs
 sed -i 's/PASS_MAX_DAYS	99999/PASS_MAX_DAYS	16384/' /etc/login.defs
 sed -i 's/PASS_MIN_DAYS	0/PASS_MIN_DAYS	1/' /etc/login.defs
--- a/config/hooks/live/9994_password_policy.chroot
+++ b/config/hooks/live/9994_password_policy.chroot
@@ -51,7 +51,7 @@ difok = 4
 ### Minimum acceptable size for the new password (plus one if
 ### credits are not disabled, which is the default). (See pam_cracklib manual.)
 ### Cannot be set to a lower value than 6.
-minlen = 20
+minlen = 40
 ### dcredit = 0, ucredit = 0, lcredit = 0, ocredit = 0, minclass = 0
 ### NIST SP 800-63B advises against rigid complexity rules (numbers, symbols, uppercase)
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.768.2025.06.11
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -51,7 +51,7 @@ MaxSessions                  2
 MaxStartups                  08:64:16
 ### Restrict each individual source IP to only 4 unauthenticated connection slot
 ### in the concurrent MaxStartups pool, preventing one IP from monopolizing slots.
-PerSourceMaxStartups         4
+PerSourceMaxStartups         8
 ClientAliveInterval          300
 ClientAliveCountMax          2
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.768.2025.06.11
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V8.03.644.2025.06.07"
+declare -gr VERSION="Master V8.03.768.2025.06.11"
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.03.644.2025.06.07 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.03.768.2025.06.11 at: 10:18:37.9542
--- a/config/includes.chroot/root/.bashrc
+++ b/config/includes.chroot/root/.bashrc
@@ -33,6 +33,7 @@
 trap ' "${SHELL}" /root/.ciss/clean_logout.sh ' 0
 source /root/.ciss/alias
 source /root/.ciss/f2bchk.sh
 source /root/.ciss/shortcuts
 source /root/.ciss/scan_libwrap
--- a/config/includes.chroot/root/.ciss/alias
+++ b/config/includes.chroot/root/.ciss/alias
@@ -158,14 +158,22 @@ genpasswdhash() {
 # shellcheck disable=SC2317
 scurl() {
  if [[ $# -ne 2 ]]; then
-    printf "\e[91m❌ Error: Usage: scurl <URL> <path/to/file>. \e[0m\n" >&2
+    printf "\e[91m❌ Error: Usage: scurl <URL> <path/to/file>.\e[0m\n" >&2
    return 1
  fi
-
+  declare url="$1"
-  if ! curl --proto '=https' --tlsv1.3 -sSf -o "${2}" "${1}"; then
+  declare output_path="$2"
-    printf "\e[91m❌ Error: Download failed for URL: '%s'. \e[0m\n" "${1}" >&2
+  if ! curl --doh-url "https://dns01.eddns.eu/dns-query" \
            --doh-cert-status \
            --tlsv1.3 \
            -sSf \
            -o "${output_path}" \
            "${url}"
  then
    printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "${url}" >&2
    return 2
  fi
  return 0
 }
 ###########################################################################################
@@ -177,14 +185,23 @@ scurl() {
 # shellcheck disable=SC2317
 swget() {
  if [[ $# -ne 2 ]]; then
-    printf "\e[91m❌ Error: Usage: swget <URL> <path/to/file>. \e[0m\n" >&2
+    printf "\e[91m❌ Error: Usage: swget <URL> <path/to/file>.\e[0m\n" >&2
    return 1
  fi
-
+  declare url="$1"
-  if ! wget --no-clobber --https-only --secure-protocol=TLSv1_3 -qO "${2}" "${1}"; then
+  declare output_path="$2"
-    printf "\e[91m❌ Error: Download failed for URL: '%s'. \e[0m\n" "${1}" >&2
+  mkdir -p "$(dirname "${output_path}")"
  if ! wget --show-progress \
            --no-clobber \
            --https-only \
            --secure-protocol=TLSv1_3 \
            -qO "${output_path}" \
            "${url}"
  then
    printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "$url" >&2
    return 2
  fi
  return 0
 }
 ###########################################################################################
--- a/config/includes.chroot/root/.ciss/f2bchk.sh
+++ b/config/includes.chroot/root/.ciss/f2bchk.sh
@@ -0,0 +1,87 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 #######################################
 # Wrapper for fail2ban filter checks against logs.
 # Usage: f2bchk --mode=ignored || --mode=matched  || --mode=missed \
 #               --filter=/etc/fail2ban/filter.d/ufw.aggressive.conf \
 #               --log=/var/log/ufw.log \
 #               --output=/tmp/f2bchk.log
 # Globals:
 #   DEFAULT_FILTER
 #   DEFAULT_LOG
 #   DEFAULT_MODE
 # Arguments:
 #  None
 # Returns:
 #   1 In case of any errors
 #######################################
 f2bchk(){
  # Declare default values (readonly)
  declare -r DEFAULT_MODE="matched"
  declare -r DEFAULT_FILTER="/etc/fail2ban/filter.d/ufw.aggressive.conf"
  declare -r DEFAULT_LOG="/var/log/ufw.log"
  declare mode="${DEFAULT_MODE}"
  declare filter="${DEFAULT_FILTER}"
  declare log="${DEFAULT_LOG}"
  declare output=""
  declare arg=""
  for arg in "$@"; do
    case "${arg}" in
      --mode=*)   mode="${arg#--mode=}";;
      --filter=*) filter="${arg#--filter=}";;
      --log=*)    log="${arg#--log=}";;
      --output=*) output="${arg#--output=}";;
      *)
        printf "\e[31m[ERROR]\e[0m Unknown argument: %s\n" "${arg}"
        return 1
        ;;
    esac
  done
  declare flag suffix
  case "${mode}" in
    ignored) flag="--print-all-ignored"; suffix="all.ignored";;
    matched) flag="--print-all-matched"; suffix="all.matched";;
    missed)  flag="--print-all-missed";  suffix="all.missed";;
    *)
      printf "\e[31m[ERROR]\e[0m Invalid mode: %s\n" "${mode}"
      return 1
      ;;
  esac
  if [[ -z "${output}" ]]; then
    declare filter_name="${filter##*/}"
    filter_name="${filter_name%.conf}"
    output="/tmp/${filter_name}.${suffix}.log"
  fi
  if [[ ! -r "${log}" ]]; then
    printf "\e[31m[ERROR]\e[0m Log file '%s' not found or not readable.\n" "${log}"
    return 1
  fi
  if [[ ! -r "${filter}" ]]; then
    printf "\e[31m[ERROR]\e[0m Filter file '%s' not found or not readable.\n" "${filter}"
    return 1
  fi
  printf "\e[33m[INFO]\e[0m Running: fail2ban-regex %s %s %s\n" "${log}" "${filter}" "${flag}"
  if fail2ban-regex "${log}" "${filter}" "${flag}" >| "${output}"; then
    printf "\e[32m[SUCCESS]\e[0m Saved log to %s\n" "$output"
    printf "You can view it with: cat %s\n" "$output"
  else
    printf "\e[31m[ERROR]\e[0m fail2ban-regex execution failed.\n"
    return 1
  fi
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.11<br>
 # 2. DNSSEC Status
--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.11<br>
 # 2. Haveged Audit on Netcup RS 2000 G11
--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.11<br>
 # 2. Lynis Audit:
--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.11<br>
 # 2. SSH Audit by ssh-audit.com
--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.11<br>
 # 2. TLS Audit:
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -8,10 +8,21 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.11<br>
 # 2. Changelog
 ## V8.03.768.2025.06.11
 * Updated LIVE ISO workflows to use Kernel: ``linux-image-6.12.27+bpo-amd64``
 ## V8.03.768.2025.06.09
 * Added: [f2bchk.sh](../config/includes.chroot/root/.ciss/f2bchk.sh)
 * Updated: [alias](../config/includes.chroot/root/.ciss/alias)
  * ``scurl()``
  * ``swget()``
 ## V8.03.644.2025.06.07
 * Updated workflows ISO Generators Runners. 
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.11<br>
 # 2. Centurion Net - Developer Branch Overview
--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.11<br>
 # 2. Coding Style
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.11<br>
 # 2. Contributing / participating
--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.11<br>
 # 2. Credits
--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.11<br>
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,12 +8,12 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.11<br>
 # 2. Usage
 ````text
 CISS.debian.live.builder
-Master V8.03.644.2025.06.07
+Master V8.03.768.2025.06.11
 (c) Marc S. Weidner, 2018 - 2025
 (p) Centurion Press, 2024 - 2025
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.768.2025.06.11<br>
 # 2. Resources
--- a/docs/SECURITY/coresecret.dev.png
+++ b/docs/SECURITY/coresecret.dev.png
--- a/lib/lib_check_provider.sh
+++ b/lib/lib_check_provider.sh
@@ -18,7 +18,7 @@
 check_provider() {
  clear
  cat << 'EOF' >| "${VAR_NOTES}"
-Build: Master V8.03.644.2025.06.07
+Build: Master V8.03.768.2025.06.11
 Press 'EXIT' to continue with CISS.debian.live.builder.
--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -22,7 +22,7 @@ usage() {
  cat << EOF
 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.03.644.2025.06.07\e[0m")
+$(echo -e "\e[92mMaster V8.03.768.2025.06.11\e[0m")
 $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
 $(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
--- a/scripts/9000-cdi-starter
+++ b/scripts/9000-cdi-starter
@@ -15,7 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 # sleep 1
 [[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log
-printf "CISS.debian.installer Master V8.03.644.2025.06.07 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+printf "CISS.debian.installer Master V8.03.768.2025.06.11 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
 if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then
  chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh
Author	SHA256	Message	Date
Marc S. Weidner	7eb8fb8754	V8.03.768.2025.06.11 All checks were successful 🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 35s Details 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m39s Details 🔐 Generating a Private Live ISO FLV 0. / 🔐 Generating a Private Live ISO FLV 0. (push) Successful in 49m7s Details 🔐 Generating a Private Live ISO FLV 1. / 🔐 Generating a Private Live ISO FLV 1. (push) Successful in 49m24s Details 💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Successful in 49m23s Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-06-11 19:17:47 +02:00
Marc S. Weidner	1fda52e948	V8.03.768.2025.06.11 Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-06-11 19:16:51 +02:00
Marc S. Weidner BOT	6d12da9566	DEPLOY BOT : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci] X-CI-Metadata: master@2b8deaf at 2025-06-09T23:03:26Z on 541caa50b8e9 Generated at : 2025-06-09T23:03:26Z Runner Host : 541caa50b8e9 Workflow ID : 💙 Generating a PUBLIC Live ISO. Git Commit : `2b8deaf` HEAD -> master	2025-06-09 23:03:26 +00:00
Marc S. Weidner BOT	2b8deafabc	DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 1 [skip ci] X-CI-Metadata: master@3a8e624 at 2025-06-09T22:16:21Z on 3c94b0ce9f9b Generated at : 2025-06-09T22:16:21Z Runner Host : 3c94b0ce9f9b Workflow ID : 🔐 Generating a Private Live ISO FLV 1. Git Commit : `3a8e624` HEAD -> master	2025-06-09 22:16:21 +00:00
Marc S. Weidner BOT	3a8e624f57	DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 0 [skip ci] X-CI-Metadata: master@eac8f62 at 2025-06-09T21:29:12Z on 5faff8dc6e26 Generated at : 2025-06-09T21:29:12Z Runner Host : 5faff8dc6e26 Workflow ID : 🔐 Generating a Private Live ISO FLV 0. Git Commit : `eac8f62` HEAD -> master	2025-06-09 21:29:12 +00:00
Marc S. Weidner BOT	eac8f62459	DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] X-CI-Metadata: master@fadece6 at 2025-06-09T20:42:11Z on be4dd281175d Generated at : 2025-06-09T20:42:11Z Runner Host : be4dd281175d Workflow ID : 🛡️ Shell Script Linting Git Commit : `fadece6` HEAD -> master	2025-06-09 20:42:11 +00:00
Marc S. Weidner BOT	fadece63ca	DEPLOY BOT : 🛡️ Auto-Generate DNSSEC Status [skip ci] X-CI-Metadata: master@68eb879 at 2025-06-09T20:41:27Z on 55df2b5118e1 Generated at : 2025-06-09T20:41:27Z Runner Host : 55df2b5118e1 Workflow ID : 🛡️ Retrieve DNSSEC status of coresecret.dev. Git Commit : `68eb879` HEAD -> master	2025-06-09 20:41:27 +00:00
Marc S. Weidner	68eb879c8a	V8.03.768.2025.06.09 All checks were successful 🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 34s Details 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m19s Details 🔐 Generating a Private Live ISO FLV 0. / 🔐 Generating a Private Live ISO FLV 0. (push) Successful in 48m28s Details 🔐 Generating a Private Live ISO FLV 1. / 🔐 Generating a Private Live ISO FLV 1. (push) Successful in 47m5s Details 💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Successful in 47m5s Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-06-09 22:38:15 +02:00
Marc S. Weidner BOT	64689d00b2	DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] X-CI-Metadata: master@7172b4f at 2025-06-07T17:57:16Z on b04492b21523 Generated at : 2025-06-07T17:57:16Z Runner Host : b04492b21523 Workflow ID : 🛡️ Shell Script Linting Git Commit : `7172b4f` HEAD -> master	2025-06-07 17:57:16 +00:00
Marc S. Weidner	7172b4fee9	V8.03.644.2025.06.07 All checks were successful 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m7s Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-06-07 19:55:41 +02:00
Marc S. Weidner BOT	ec6066f620	DEPLOY BOT : 🛡️ Shell Script Linting [skip ci] X-CI-Metadata: master@e164a03 at 2025-06-07T15:27:29Z on ea435a870a0e Generated at : 2025-06-07T15:27:29Z Runner Host : ea435a870a0e Workflow ID : 🛡️ Shell Script Linting Git Commit : `e164a03` HEAD -> master	2025-06-07 15:27:29 +00:00
Marc S. Weidner	e164a039fa	V8.03.644.2025.06.07 All checks were successful 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m3s Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-06-07 17:26:01 +02:00