DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 1 [skip ci]

X-CI-Metadata: master@4f7131c at 2025-06-24T22:34:39Z on 56dbb041e6a3 Generated at : 2025-06-24T22:34:39Z Runner Host : 56dbb041e6a3 Workflow ID : 🔐 Generating a Private Live ISO FLV 1. Git Commit : 4f7131c HEAD -> master
DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]
2025-06-24 22:34:39 +00:00 · 2025-06-24 21:45:55 +00:00 · 2025-06-24 23:44:04 +02:00 · 2025-06-24 20:29:03 +00:00 · 2025-06-24 22:27:16 +02:00 · 2025-06-24 20:24:22 +00:00
89 changed files with 822 additions and 428 deletions
--- a/.archive/icon.lib
+++ b/.archive/icon.lib
@@ -46,4 +46,10 @@
 🧠
 📅
 🎯
 🌐
 🔗
 💬
 ☢️
 ☣️
 •
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.03.644.2025.06.07"
+      placeholder: "e.g., Master V8.03.832.2025.06.24"
    validations:
      required: true
--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.832.2025.06.24
 FROM debian:bookworm
--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.832.2025.06.24
 name: 🔁 Render README.md to README.html.
--- a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
@@ -10,6 +10,6 @@
 # SPDX-Security-Contact: security@coresecret.eu
 build:
-  counter: 1023
+  counter: 1024
-  version: V8.03.644.2025.06.07
+  version: V8.03.832.2025.06.24
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.03.644.2025.06.07
+  version: V8.03.832.2025.06.24
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PUBLIC.yaml
+++ b/.gitea/trigger/t_generate_PUBLIC.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.03.644.2025.06.07
+  version: V8.03.832.2025.06.24
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.03.644.2025.06.07
+  version: V8.03.832.2025.06.24
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.832.2025.06.24
 name: 🔐 Generating a Private Live ISO FLV 0.
@@ -270,7 +270,7 @@ jobs:
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
          ./ciss_live_builder.sh \
-            --autobuild=6.12.22+bpo-amd64 \
+            --autobuild=6.12.30+bpo-amd64 \
            --architecture amd64 \
            --build-directory /opt/livebuild \
            --control "${timestamp}" \
@@ -386,7 +386,7 @@ jobs:
          CISS.debian.live.builder ISO :
            "${VAR_ISO_FILE_NAME}"
          CISS.debian.live.builder ISO sha512 :
-            "${VAR_ISO_FILE_SHA512}"
+            $(< "${VAR_ISO_FILE_SHA512}")
          CISS.debian.live.builder ISO sha512 sign :
            $(< "${SIGNATURE_FILE}")
--- a/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.512.2025.06.06
+### Version Master V8.03.832.2025.06.24
 name: 🔐 Generating a Private Live ISO FLV 1.
@@ -270,7 +270,7 @@ jobs:
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
          ./ciss_live_builder.sh \
-            --autobuild=6.12.22+bpo-amd64 \
+            --autobuild=6.12.30+bpo-amd64 \
            --architecture amd64 \
            --build-directory /opt/livebuild \
            --control "${timestamp}" \
@@ -383,7 +383,7 @@ jobs:
          CISS.debian.live.builder ISO :
            "${VAR_ISO_FILE_NAME}"
          CISS.debian.live.builder ISO sha512 :
-            "${VAR_ISO_FILE_SHA512}"
+            $(< "${VAR_ISO_FILE_SHA512}")
          CISS.debian.live.builder ISO sha512 sign :
            $(< "${SIGNATURE_FILE}")
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.832.2025.06.24
 name: 💙 Generating a PUBLIC Live ISO.
@@ -271,7 +271,7 @@ jobs:
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
          ./ciss_live_builder.sh \
-            --autobuild=6.12.22+bpo-amd64 \
+            --autobuild=6.12.30+bpo-amd64 \
            --architecture amd64 \
            --build-directory /opt/livebuild \
            --control "${timestamp}" \
@@ -383,7 +383,7 @@ jobs:
          CISS.debian.live.builder ISO :
            "${VAR_ISO_FILE_NAME}"
          CISS.debian.live.builder ISO sha512 :
-            "${VAR_ISO_FILE_SHA512}"
+            $(< "${VAR_ISO_FILE_SHA512}")
          CISS.debian.live.builder ISO sha512 sign :
            $(< "${SIGNATURE_FILE}")
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.832.2025.06.24
 # Gitea Workflow: Shell-Script Linting
 #
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.832.2025.06.24
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.832.2025.06.24
 name: 🔁 Render Graphviz Diagrams.
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.03.644.2025.06.07"
+properties_version="V8.03.832.2025.06.24"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.03.644.2025.06.07
+PackageVersion: Master V8.03.832.2025.06.24
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
--- a/LINTER_RESULTS.txt
+++ b/LINTER_RESULTS.txt
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-06-07T13:59:44Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-06-24T21:45:52Z".
 ✅ The last linter check was successful. ✅
--- a/LIVE_ISO.public
+++ b/LIVE_ISO.public
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-06-07T13:28:13Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-06-23T09:04:49Z".
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_07T12_48_35Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_06_23T08_20_37Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  "ciss-debian-live-2025_06_07T12_48_35Z-amd64.hybrid.iso.sha512"
+  86a8be09e16299892ae99d195b56a04356bcf5d2202016da8f8fa7441077c43fab68ebefcb8c39b3423f085a74b607907fb691ac71fdef92af33782bd2ac0ce5
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaEQ+bQAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFkYsQAKCRA85KY4hzOw
-IdnhAQC+NGhgMMPqZgS51p59kCYSoGLDzodY7TtFOJOxLo5LeAD/bgJifC51JFju
+IbrbAQDeOIS3QYKIPkMhYlNPIcsJjv/dh3TdYiuQbkvfwVI+/gD/TiB+ska62vJk
-RKy7e3am5Z80cAGZJ1RFliRgjJVZeAU=
+LGfwjuaxMC0KHG1/UTICytOeAnTrXAc=
-=P9Qk
+=qk8B
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/LIVE_ISO_FLV_0.private
+++ b/LIVE_ISO_FLV_0.private
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-06-07T11:52:28Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-06-24T19:21:36Z".
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_07T11_12_45Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_06_24T18_36_59Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  "ciss-debian-live-2025_06_07T11_12_45Z-amd64.hybrid.iso.sha512"
+  3ca5a9635ef74a48f6d8f31696ec56e56ee95eff5317df95976e22d31e331bc503422602e24a9eaddfc30212acf6ebe96af51e94298c4c7c49c839c62abb6c2f
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaEQn/AAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFr6wAAKCRA85KY4hzOw
-IeMFAP0ZsIuEHFz3EgDpk1rN066VZ2nGrx3NvQenvjg5EQsRNAD+MNlJ4JE9zk17
+IbgHAP4p9jlF9jZkYIw/0H8j07QUWNHxeUz2r2UXp8aN2gUEBwEAxqbznJhH8li8
-pvWF+r0l2K7P6CmxlK7WZFU2Hs6KYwc=
+40g5sWwGLmBjlidIOe0NxeMUBkuMlQg=
-=6azh
+=gq5w
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/LIVE_ISO_FLV_1.private
+++ b/LIVE_ISO_FLV_1.private
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-06-07T12:39:29Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-06-24T22:34:36Z".
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_07T12_01_03Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_06_24T21_53_22Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  "ciss-debian-live-2025_06_07T12_01_03Z-amd64.hybrid.iso.sha512"
+  581d951c8ab4d8e7afd2d727f8e64bd6fff51d005b84b9800e941da8dae654985bae500e056f02729d6b274ba330dfdbec59fd5ec2c8b18c3bbf37433b73c154
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaEQzAQAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFsn/AAKCRA85KY4hzOw
-IedVAQDj71Q0oAweOhYGabzgECIwgIxHPypvidif0fnjucGuIgD+O5XAvFsPnUzQ
+IUvMAP9P1U6lblhdZ9tSROvYXRXcv0IEg2rVo3fMx9T5fozLewEAgxxo0+J1Nlvu
-7lXvBLPURbSoa5//sgkXL3Pmik2vvwk=
+KVZOdiuc6xdxkBHWYaA2kSXZKI+qAwA=
-=TJPq
+=2H0C
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.644.2025.06.07-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.832.2025.06.24-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -11,8 +11,8 @@ include_toc: true
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
 &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.23.8-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.2-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.1.1.1-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.1.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
@@ -26,7 +26,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.832.2025.06.24<br>
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -37,7 +37,7 @@ changes and made publicly available for download. The latest generic ISO is avai
 Check out more:
 * [CenturionNet Services](https://coresecret.eu/cnet/) 
-* [CenturionDNS Resolver](https://dns.eddns.eu/)
+* [CenturionDNS Resolver](https://eddns.eu/)
 * [CenturionDNS Blocklist](https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt) 
 * [CenturionNet Status](https://uptime.coresecret.eu/) 
 * [CenturionMeet](https://talk.e2ee.li/) 
@@ -142,13 +142,20 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `8.03.384.2025.06.03`
+Example: `V8.03.832.2025.06.24`
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
 Date (YYYY.MM.DD) denotes the build or release date, facilitating clear tracking of incremental changes and ensuring 
 reproducibility and traceability.
 ## 1.6. Keywords
 The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
 "MAY", and "OPTIONAL" in this Repo are to be interpreted as described in [[BCP 14](https://www.rfc-editor.org/info/bcp14)], 
 [[RFC2119](https://datatracker.ietf.org/doc/html/rfc2119)], [[RFC8174](https://datatracker.ietf.org/doc/html/rfc8174)] when,
 and only when, they appear in all capitals, as shown here.
 # 2. Features & Rationale
 Below is a breakdown of each hardening component, with a summary of why each is critical to your security posture.
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -37,65 +37,89 @@
  . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
 [[ ${BASH_VERSINFO[0]} -le 5 ]] && [[ ${BASH_VERSINFO[1]} -le 1 ]] && {
  . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
 [[ ${#} -eq 0 ]] && {
  . ./lib/lib_usage.sh; usage; exit 1; }
-declare -g VAR_HANDLER_AUTOBUILD="false"
+### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING(), CHECK_GIT()
-declare -gr VAR_CONTACT="security@coresecret.eu"
+. ./var/early.var.sh
-declare -gr VAR_VERSION="Master V8.03.644.2025.06.07"
+. ./lib/lib_guard_sourcing.sh
 . ./lib/lib_git_var.sh
-### VERY EARLY CHECK FOR AUTO-BUILD, CONTACT, USAGE, AND VERSION STRING
+### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG
-declare arg
+for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh; contact; exit 0;; esac; done
-if [[ ${#} -eq 0 ]]; then . ./lib/lib_usage.sh; usage; exit 1; fi
+for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh; usage; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -a=*|--autobuild=*) declare -g VAR_HANDLER_AUTOBUILD=true; declare -g VAR_KERNEL="${arg#*=}";; esac; done
 for arg in "$@"; do case "${arg,,}" in -c|--contact) printf "\e[95mCISS.debian.live.builder Contact: %s\e[0m\n" "${VAR_CONTACT}"; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -h|--help) . ./lib/lib_usage.sh; usage; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -v|--version) printf "\e[95mCISS.debian.live.builder Version: %s\e[0m\n" "${VAR_VERSION}"; exit 0;; esac; done
 unset arg
-### VERY EARLY CHECK FOR XTRACE DEBUGGING
+### ALL CHECKS DONE. READY TO START THE SCRIPT
-if [[ $* == *" --debug "* ]]; then
+check_git
-  . ./lib/lib_debug.sh
+for arg in "$@"; do case "${arg,,}" in -d|--debug)   . ./meta_sources_debug.sh; debugger "${@}";; esac; done
-  debugger "${@}"
+declare -gx VAR_SETUP="true"
 else
  declare -grx VAR_EARLY_DEBUG=false
 fi
-### Advisory Lock
+### SOURCING VARIABLES
-exec 127>/var/lock/ciss_live_builder.lock || {
+[[ "${VAR_SETUP}" == true ]] && {
  . ./var/bash.var.sh
  . ./var/color.var.sh
  . ./var/global.var.sh
 }
 ### SOURCING LIBRARIES
 [[ "${VAR_SETUP}" == true ]] && {
  . ./lib/lib_arg_parser.sh
  . ./lib/lib_arg_priority_check.sh
  . ./lib/lib_boot_screen.sh
  . ./lib/lib_cdi.sh
  . ./lib/lib_change_splash.sh
  . ./lib/lib_check_dhcp.sh
  . ./lib/lib_check_hooks.sh
  . ./lib/lib_check_kernel.sh
  . ./lib/lib_check_pkgs.sh
  . ./lib/lib_check_provider.sh
  . ./lib/lib_check_stats.sh
  . ./lib/lib_check_var.sh
  . ./lib/lib_clean_screen.sh
  . ./lib/lib_clean_up.sh
  . ./lib/lib_copy_integrity.sh
  . ./lib/lib_hardening_root_pw.sh
  . ./lib/lib_hardening_ssh.sh
  . ./lib/lib_hardening_ultra.sh
  . ./lib/lib_helper_ip.sh
  . ./lib/lib_lb_build_start.sh
  . ./lib/lib_lb_config_start.sh
  . ./lib/lib_lb_config_write.sh
  . ./lib/lib_provider_netcup.sh
  . ./lib/lib_run_analysis.sh
  . ./lib/lib_sanitizer.sh
  . ./lib/lib_trap_on_err.sh
  . ./lib/lib_trap_on_exit.sh
  . ./lib/lib_usage.sh
 }
 ### ADVISORY LOCK
 exec 127>/var/lock/ciss_live_builder.lock || {
  printf "\e[91m❌ Cannot open lockfile for writing! Bye... \e[0m\n" >&2
  exit "${ERR_FLOCK_WRTG}"
 }
 if ! flock -x -n 127; then
  . ./var/global.var.sh
  printf "\e[91m❌ Another instance is running! Bye...\e[0m\n" >&2
  exit "${ERR_FLOCK_COLL}"
 fi
-### Checking required packages
+### CHECK FOR AUTOBUILD MODE
-. ./lib/lib_check_pkgs.sh
+for arg in "$@"; do case "${arg,,}" in -a=*|--autobuild=*) declare -gx VAR_HANDLER_AUTOBUILD="true"; declare -gx VAR_KERNEL="${arg#*=}";; esac; done; unset arg
 for dir in /usr/local/sbin /usr/sbin; do case ":${PATH}:" in *":${dir}:"*) ;; *) PATH="${PATH}:${dir}" ;; esac; done; export PATH; unset dir
 ### CHECKING REQUIRED PACKAGES
 check_pkgs
-### Dialog Output for Initialization
+### DIALOG OUTPUT FOR INITIALIZATION
-if ! $VAR_HANDLER_AUTOBUILD; then . ./lib/lib_boot_screen.sh && boot_screen; fi
+if ! $VAR_HANDLER_AUTOBUILD; then boot_screen; fi
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nUpdating variables ... \nXXX\n05\n" >&3; fi
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi
 . ./var/global.var.sh
 . ./var/colors.var.sh
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nEnabling Bash Error Handling ... \nXXX\n15\n" >&3; fi
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nAdditional initialization ... \nXXX\n30\n" >&3; fi
 ### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin
 set -o errexit   # Exit script when a command exits with non-zero status, the same as "set -e".
 set -o errtrace  # Any traps on ERR are inherited in a subshell environment, the same as "set -E".
 set -o functrace # Any traps on DEBUG and RETURN are inherited in a subshell environment, the same as "set -T".
 set -o nounset   # Exit script on use of an undefined variable, the same as "set -u".
 set -o pipefail  # Makes pipelines return the exit status of the last command in the pipe that failed.
 set -o noclobber # Prevent overwriting, the same as "set -C".
 ### Updating Status of Dialog Gauge Bar
 if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nAdditional initialization ... \nXXX\n25\n" >&3; fi
 ### Initialization
 declare -gr ARGUMENTS_COUNT="$#"
 declare -gr ARG_STR_ORG_INPUT="$*"
@@ -108,42 +132,13 @@ declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
 declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSourcing Libraries ... \nXXX\n50\n" >&3; fi
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
-. ./lib/lib_arg_parser.sh
+### Following the CISS Bash naming and ordering scheme:
 . ./lib/lib_arg_priority_check.sh
 . ./lib/lib_cdi.sh
 . ./lib/lib_change_splash.sh
 . ./lib/lib_check_dhcp.sh
 . ./lib/lib_check_hooks.sh
 . ./lib/lib_check_kernel.sh
 . ./lib/lib_check_provider.sh
 . ./lib/lib_check_stats.sh
 . ./lib/lib_check_var.sh
 . ./lib/lib_clean_screen.sh
 . ./lib/lib_clean_up.sh
 . ./lib/lib_copy_integrity.sh
 . ./lib/lib_hardening_root_pw.sh
 . ./lib/lib_hardening_ssh.sh
 . ./lib/lib_hardening_ultra.sh
 . ./lib/lib_helper_ip.sh
 . ./lib/lib_lb_build_start.sh
 . ./lib/lib_lb_config_start.sh
 . ./lib/lib_lb_config_write.sh
 . ./lib/lib_provider_netcup.sh
 . ./lib/lib_run_analysis.sh
 . ./lib/lib_sanitizer.sh
 . ./lib/lib_trap_on_err.sh
 . ./lib/lib_trap_on_exit.sh
 . ./lib/lib_usage.sh
 ### Updating Status of Dialog Gauge Bar
 if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nActivate traps ... \nXXX\n55\n" >&3; fi
 ### Following the CISS Bash naming and ordering scheme
 trap 'trap_on_exit "$?"' EXIT
 trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSanitizing Arguments ... \nXXX\n70\n" >&3; fi
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
 arg_check "$@"
 declare -ar ARY_ARG_SANITIZED=("$@")
 declare -gr VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
@@ -159,6 +154,7 @@ clean_ip
 ### Updating Status of Dialog Gauge Bar
 if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi
 ### Turn off Dialog Wrapper
 if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
 ### MAIN Program
--- a/config/hooks/live/9985_clamav.chroot
+++ b/config/hooks/live/9985_clamav.chroot
@@ -32,8 +32,8 @@ ReadOnlyPaths=/
 ReadWritePaths=/var/lib/clamav /var/log/clamav /var/run/clamav /run/clamav
 MemoryDenyWriteExecute=yes
-MemoryLimit=512M
+#MemoryLimit=4096M
-CPUShares=512
+#CPUShares=512
 RestrictAddressFamilies=AF_INET AF_INET6
 RestrictNamespaces=yes
@@ -58,8 +58,8 @@ ReadOnlyPaths=/
 ReadWritePaths=/var/lib/clamav /var/log/clamav /var/run/clamav
 MemoryDenyWriteExecute=yes
-MemoryLimit=512M
+#MemoryLimit=4096M
-CPUShares=512
+#CPUShares=512
 RestrictAddressFamilies=AF_INET AF_INET6
 RestrictNamespaces=yes
--- a/config/hooks/live/9990_final_purge.chroot
+++ b/config/hooks/live/9990_final_purge.chroot
@@ -16,13 +16,13 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 apt-get update -y
-apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config \
+apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
-qemu-guest-agent rmail sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
+#sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
-apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config \
+apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
-qemu-guest-agent rmail sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
+#sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
-dpkg --get-selections | grep deinstall >> /tmp/deinstall.log || true
+dpkg --get-selections | grep deinstall >| /tmp/deinstall.log || true
 if [[ -s /tmp/deinstall.log ]]; then
  printf "\n"
--- a/config/hooks/live/9991_file_permissions.chroot
+++ b/config/hooks/live/9991_file_permissions.chroot
@@ -39,7 +39,7 @@ EOF
 cp -a /etc/login.defs /root/.ciss/dlb/backup/login.defs.bak
-sed -i 's/LOGIN_TIMEOUT       60/LOGIN_TIMEOUT       180/' /etc/login.defs
+sed -ri 's/^(#?LOGIN_TIMEOUT)[[:space:]]+[0-9]+/\1 180/' /etc/login.defs
 sed -i 's/UMASK		022/UMASK		077/' /etc/login.defs
 sed -i 's/PASS_MAX_DAYS	99999/PASS_MAX_DAYS	16384/' /etc/login.defs
 sed -i 's/PASS_MIN_DAYS	0/PASS_MIN_DAYS	1/' /etc/login.defs
--- a/config/hooks/live/9994_password_policy.chroot
+++ b/config/hooks/live/9994_password_policy.chroot
@@ -51,7 +51,7 @@ difok = 4
 ### Minimum acceptable size for the new password (plus one if
 ### credits are not disabled, which is the default). (See pam_cracklib manual.)
 ### Cannot be set to a lower value than 6.
-minlen = 20
+minlen = 40
 ### dcredit = 0, ucredit = 0, lcredit = 0, ocredit = 0, minclass = 0
 ### NIST SP 800-63B advises against rigid complexity rules (numbers, symbols, uppercase)
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.832.2025.06.24
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -51,7 +51,7 @@ MaxSessions                  2
 MaxStartups                  08:64:16
 ### Restrict each individual source IP to only 4 unauthenticated connection slot
 ### in the concurrent MaxStartups pool, preventing one IP from monopolizing slots.
-PerSourceMaxStartups         4
+PerSourceMaxStartups         8
 ClientAliveInterval          300
 ClientAliveCountMax          2
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.644.2025.06.07
+### Version Master V8.03.832.2025.06.24
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V8.03.644.2025.06.07"
+declare -gr VERSION="Master V8.03.832.2025.06.24"
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.03.644.2025.06.07 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.03.832.2025.06.24 at: 10:18:37.9542
--- a/config/includes.chroot/root/.bashrc
+++ b/config/includes.chroot/root/.bashrc
@@ -33,6 +33,7 @@
 trap ' "${SHELL}" /root/.ciss/clean_logout.sh ' 0
 source /root/.ciss/alias
 source /root/.ciss/f2bchk.sh
 source /root/.ciss/shortcuts
 source /root/.ciss/scan_libwrap
--- a/config/includes.chroot/root/.ciss/alias
+++ b/config/includes.chroot/root/.ciss/alias
@@ -149,64 +149,85 @@ genpasswdhash() {
  mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608
 }
-###########################################################################################
+#######################################
-# Globals: Wrapper for secure curl
+# Wrapper for secure curl
 # Arguments:
 #  $1: URL from which to download a specific file
 #  $2: /path/to/file to be saved to
-###########################################################################################
+# Returns:
-# shellcheck disable=SC2317
+#   0: Download successful
 #   1: Usage error
 #   2: Download failure
 #######################################
 scurl() {
  if [[ $# -ne 2 ]]; then
-    printf "\e[91m❌ Error: Usage: scurl <URL> <path/to/file>. \e[0m\n" >&2
+    printf "\e[91m❌ Error: Usage: scurl <URL> <path/to/file>.\e[0m\n" >&2
    return 1
  fi
-
+  declare url="$1"
-  if ! curl --proto '=https' --tlsv1.3 -sSf -o "${2}" "${1}"; then
+  declare output_path="$2"
-    printf "\e[91m❌ Error: Download failed for URL: '%s'. \e[0m\n" "${1}" >&2
+  if ! curl --doh-url "https://dns01.eddns.eu/dns-query" \
            --doh-cert-status \
            --tlsv1.3 \
            -sSf \
            -o "${output_path}" \
            "${url}"
  then
    printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "${url}" >&2
    return 2
  fi
  return 0
 }
-###########################################################################################
+#######################################
-# Globals: Wrapper for secure wget
+# Wrapper for secure wget
 # Arguments:
 #  $1: URL from which to download a specific file
 #  $2: /path/to/file to be saved to
-###########################################################################################
+# Returns:
-# shellcheck disable=SC2317
+#   0: Download successful
 #   1: Usage error
 #   2: Download failure
 #######################################
 swget() {
  if [[ $# -ne 2 ]]; then
-    printf "\e[91m❌ Error: Usage: swget <URL> <path/to/file>. \e[0m\n" >&2
+    printf "\e[91m❌ Error: Usage: swget <URL> <path/to/file>.\e[0m\n" >&2
    return 1
  fi
-
+  declare url="$1"
-  if ! wget --no-clobber --https-only --secure-protocol=TLSv1_3 -qO "${2}" "${1}"; then
+  declare output_path="$2"
-    printf "\e[91m❌ Error: Download failed for URL: '%s'. \e[0m\n" "${1}" >&2
+  mkdir -p "$(dirname "${output_path}")"
  if ! wget --show-progress \
            --no-clobber \
            --https-only \
            --secure-protocol=TLSv1_3 \
            -qO "${output_path}" \
            "${url}"
  then
    printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "$url" >&2
    return 2
  fi
  return 0
 }
-###########################################################################################
+#######################################
-# Globals: Wrapper for loading CISS.2025 hardened Kernel Parameters
+# Wrapper for loading CISS.2025 hardened Kernel Parameters
 # Arguments:
-#  none
+#  None
-###########################################################################################
+#######################################
 # shellcheck disable=SC2317
 sysp() {
  sysctl -p /etc/sysctl.d/99_local.hardened
  # sleep 1
  sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
 }
-###########################################################################################
+#######################################
-# Globals: Wrapper for tree
+# Wrapper for tree
 # Arguments:
 #  $1: Depth of Directory Listing
-###########################################################################################
+#######################################
 # shellcheck disable=SC2317
 trel() {
-    declare depth=${1:-3}
+  declare depth=${1:-3}
-    tree -C -h --dirsfirst -L "${depth}"
+  tree -C -h --dirsfirst -L "${depth}"
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/f2bchk.sh
+++ b/config/includes.chroot/root/.ciss/f2bchk.sh
@@ -0,0 +1,87 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 #######################################
 # Wrapper for fail2ban filter checks against logs.
 # Usage: f2bchk --mode=ignored || --mode=matched  || --mode=missed \
 #               --filter=/etc/fail2ban/filter.d/ufw.aggressive.conf \
 #               --log=/var/log/ufw.log \
 #               --output=/tmp/f2bchk.log
 # Globals:
 #   DEFAULT_FILTER
 #   DEFAULT_LOG
 #   DEFAULT_MODE
 # Arguments:
 #  None
 # Returns:
 #   1 In case of any errors
 #######################################
 f2bchk(){
  # Declare default values (readonly)
  declare -r DEFAULT_MODE="matched"
  declare -r DEFAULT_FILTER="/etc/fail2ban/filter.d/ufw.aggressive.conf"
  declare -r DEFAULT_LOG="/var/log/ufw.log"
  declare mode="${DEFAULT_MODE}"
  declare filter="${DEFAULT_FILTER}"
  declare log="${DEFAULT_LOG}"
  declare output=""
  declare arg=""
  for arg in "$@"; do
    case "${arg}" in
      --mode=*)   mode="${arg#--mode=}";;
      --filter=*) filter="${arg#--filter=}";;
      --log=*)    log="${arg#--log=}";;
      --output=*) output="${arg#--output=}";;
      *)
        printf "\e[31m[ERROR]\e[0m Unknown argument: %s\n" "${arg}"
        return 1
        ;;
    esac
  done
  declare flag suffix
  case "${mode}" in
    ignored) flag="--print-all-ignored"; suffix="all.ignored";;
    matched) flag="--print-all-matched"; suffix="all.matched";;
    missed)  flag="--print-all-missed";  suffix="all.missed";;
    *)
      printf "\e[31m[ERROR]\e[0m Invalid mode: %s\n" "${mode}"
      return 1
      ;;
  esac
  if [[ -z "${output}" ]]; then
    declare filter_name="${filter##*/}"
    filter_name="${filter_name%.conf}"
    output="/tmp/${filter_name}.${suffix}.log"
  fi
  if [[ ! -r "${log}" ]]; then
    printf "\e[31m[ERROR]\e[0m Log file '%s' not found or not readable.\n" "${log}"
    return 1
  fi
  if [[ ! -r "${filter}" ]]; then
    printf "\e[31m[ERROR]\e[0m Filter file '%s' not found or not readable.\n" "${filter}"
    return 1
  fi
  printf "\e[33m[INFO]\e[0m Running: fail2ban-regex %s %s %s\n" "${log}" "${filter}" "${flag}"
  if fail2ban-regex "${log}" "${filter}" "${flag}" >| "${output}"; then
    printf "\e[32m[SUCCESS]\e[0m Saved log to %s\n" "$output"
    printf "You can view it with: cat %s\n" "$output"
  else
    printf "\e[31m[ERROR]\e[0m fail2ban-regex execution failed.\n"
    return 1
  fi
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/package-lists/live.list.common.chroot
+++ b/config/package-lists/live.list.common.chroot
@@ -21,6 +21,7 @@ bc
 bind9-dnsutils
 bsdmainutils
 btrfs-progs
 bzip2
 ca-certificates
 clamav
 clamav-daemon
@@ -42,9 +43,11 @@ dirmngr
 dmsetup
 dnsviz
 dosfstools
 e2fsprogs
 efibootmgr
 expect
 fail2ban
 fdisk
 figlet
 fzf
 gawk
@@ -79,6 +82,7 @@ man
 man-db
 manpages
 manpages-dev
 mdadm
 mtr
 nano
 ncat
@@ -110,11 +114,13 @@ ssl-cert
 sudo
 sysstat
 systemd-sysv
 tar
 tree
 tshark
 ufw
 unattended-upgrades
 unzip
 util-linux
 virt-what
 wamerican
 wbritish
@@ -122,6 +128,9 @@ wfrench
 wget
 whois
 wngerman
 xfsprogs
 xz-utils
 yq
 zip
 zsh
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.832.2025.06.24<br>
 # 2. DNSSEC Status
--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.832.2025.06.24<br>
 # 2. Haveged Audit on Netcup RS 2000 G11
--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.832.2025.06.24<br>
 # 2. Lynis Audit:
--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.832.2025.06.24<br>
 # 2. SSH Audit by ssh-audit.com
--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -8,14 +8,14 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.832.2025.06.24<br>
 # 2. TLS Audit:
 ````text
 #####################################################################
-  testssl.sh version 3.2rc4 from https://testssl.sh/dev/
+  testssl.sh version 3.2.1 from https://testssl.sh/
-  (6746fa5 2025-04-18 13:17:50)
+  (81471c3 2025-06-15 09:48:31)
  This program is free software. Distribution and modification under
  GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
@@ -26,7 +26,7 @@ include_toc: true
  Using OpenSSL 1.0.2-bad (Mar 28 2025)  [~179 ciphers]
  on kali:./bin/openssl.Linux.x86_64
- Start 2025-06-02 18:04:19        -->> 152.53.110.40:443 (coresecret.dev) <<--
+ Start 2025-06-23 17:58:48        -->> 152.53.110.40:443 (git.coresecret.dev) <<--
 Further IP addresses:   2a0a:4cc0:80:330f:152:53:110:40
 rDNS (152.53.110.40):   git.coresecret.dev.
@@ -193,17 +193,21 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
                              SHA256 76B6FFCE607D8514F676C286C7C76B90F5B7AE7D041631F2EF2F0079AF8D24AC
 Common Name (CN)             coresecret.dev
 subjectAltName (SAN)         coresecret.dev git.coresecret.dev lab.coresecret.dev run.coresecret.dev www.coresecret.dev
- Trust (hostname)             Ok via SAN and CN (same w/o SNI)
+ Trust (hostname)             Ok via SAN (same w/o SNI)
 Chain of trust               Ok
 EV cert (experimental)       no
- Certificate Validity (UTC)   174 >= 60 days (2025-05-28 09:56 --> 2025-11-23 22:59)
+ Certificate Validity (UTC)   153 >= 60 days (2025-05-28 09:56 --> 2025-11-23 22:59)
 ETS/"eTLS", visibility info  not present
 In pwnedkeys.com DB          not in database
 Certificate Revocation List  http://crl.buypass.no/crl/BPClass2CA5.crl, not revoked
 OCSP URI                     http://ocsp.buypass.com, not revoked
 OCSP stapling                offered, not revoked
 OCSP must staple extension   --
- DNS CAA RR (experimental)    not offered
+ DNS CAA RR (experimental)    available - please check for match with "Issuer" below
                              communications=error, iodef=mailto:dns@coresecret.eu, issue=;, issue=buypass.no, issue=certum.pl,
                              issue=letsencrypt.org;, issue=quantumsign.eu;, issue=sectigo.com, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
                              issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
                              issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuemail=buypass.no, issuemail=certum.pl, issuewild=;
 Certificate Transparency     yes (certificate extension)
 Certificates provided        2
 Issuer                       Buypass Class 2 CA 5 (Buypass AS-983163327 from NO)
@@ -213,23 +217,27 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
 Testing HTTP header response @ "/"
- HTTP Status Code             301 Moved Permanently, redirecting to "https://git.coresecret.dev"
+ HTTP Status Code             200 OK
 HTTP clock skew              0 sec from localtime
 Strict Transport Security    730 days=63072000 s, includeSubDomains, preload
 Public Key Pinning           --
 Server banner                nginx
 Application banner           --
- Cookie(s)                    (none issued at "/") -- maybe better try target URL of 30x
+ Cookie(s)                    2 issued: 2/2 secure, 2/2 HttpOnly
 Security headers             X-Frame-Options: SAMEORIGIN
                              X-Content-Type-Options: nosniff
                              Content-Security-Policy: default-src 'none'; connect-src 'self'; font-src 'self' data:; form-action 'self';
                                frame-src 'self'; frame-ancestors 'self'; img-src 'self' data: https://badges.coresecret.dev
                                https://uml.coresecret.dev; manifest-src 'self'; media-src 'self' data: https://badges.coresecret.dev
                                https://uml.coresecret.dev; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'none';
                              Expect-CT: max-age=86400, enforce
                              Permissions-Policy: interest-cohort=()
-                              Cross-Origin-Opener-Policy: same-origin
+                              Cross-Origin-Opener-Policy: cross-origin
-                              Cross-Origin-Resource-Policy: same-origin
+                              Cross-Origin-Resource-Policy: cross-origin
-                              Cross-Origin-Embedder-Policy: require-corp
+                              Cross-Origin-Embedder-Policy: unsafe-none
                              X-XSS-Protection: 1; mode=block
                              Permissions-Policy: interest-cohort=()
-                              Referrer-Policy: same-origin
+                              Referrer-Policy: no-referrer
                              Cache-Control: no-cache
 Reverse Proxy banner         --
@@ -268,6 +276,7 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
 Android 10.0 (native)        TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Android 11/12 (native)       TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Android 13/14 (native)       TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Android 15 (native)          TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Chrome 101 (Win 10)          TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Chromium 137 (Win 11)        TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Firefox 100 (Win 10)         TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
@@ -308,7 +317,7 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
 Final Score                  100
 Overall Grade                A+
- Done 2025-06-02 18:05:51 [  95s] -->> 152.53.110.40:443 (coresecret.dev) <<--
+ Done 2025-06-23 18:00:16 [  99s] -->> 152.53.110.40:443 (git.coresecret.dev) <<--
 ````
 ---
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -8,10 +8,53 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.832.2025.06.24<br>
 # 2. Changelog
 ## V8.03.832.2025.06.24
 * Updated:
  * [lib_check_provider.sh](../lib/lib_check_provider.sh)
  * [lib_debug_header.sh](../lib/lib_debug_header.sh)
  * [lib_trap_on_err.sh](../lib/lib_trap_on_err.sh)
 * The Debian package ``bat`` will be installed to enable smooth log reading.
 ## V8.03.768.2025.06.23
 * Updated [lib_clean_up.sh](../lib/lib_clean_up.sh): Removal of Lock FD and Artifacts.
 * Rearranged VARs sourcing: [early.var.sh](../var/early.var.sh)
 * Rearranged DEBUG XTRACE sourcing: [meta_sources_debug.sh](../meta_sources_debug.sh)
 * Added Git Repo specific VARs: [lib_debug_var_git.sh](../lib/lib_git_var.sh)
 * Added ``guard_sourcing()``: [lib_guard_sourcing.sh](../lib/lib_guard_sourcing.sh)
  * to prevent the caller LIB-file from being sourced twice.
 ## V8.03.768.2025.06.19
 * Minor main script improvements.
 * Updated [lib_usage.sh](../lib/lib_usage.sh) output.
 ## V8.03.768.2025.06.18
 * Minor main script improvements.
 * Updated contact section.
 * Integrated third ``dns03.eddns.eu`` Centurion DNS Resolver.
 ## V8.03.768.2025.06.17
 * Updated LIVE ISO workflows to use Kernel: ``linux-image-6.12.30+bpo-amd64``
 ## V8.03.768.2025.06.11
 * Updated LIVE ISO workflows to use Kernel: ``linux-image-6.12.27+bpo-amd64``
 ## V8.03.768.2025.06.09
 * Added: [f2bchk.sh](../config/includes.chroot/root/.ciss/f2bchk.sh)
 * Updated: [alias](../config/includes.chroot/root/.ciss/alias)
  * ``scurl()``
  * ``swget()``
 ## V8.03.644.2025.06.07
 * Updated workflows ISO Generators Runners. 
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.832.2025.06.24<br>
 # 2. Centurion Net - Developer Branch Overview
--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.832.2025.06.24<br>
 # 2. Coding Style
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.832.2025.06.24<br>
 # 2. Contributing / participating
--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.832.2025.06.24<br>
 # 2. Credits
--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.832.2025.06.24<br>
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,20 +8,17 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.832.2025.06.24<br>
-# 2. Usage
+# 2.1. Usage
 ````text
 CISS.debian.live.builder
-Master V8.03.644.2025.06.07
+Master V8.03.832.2025.06.24
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 (c) Marc S. Weidner, 2018 - 2025
 (p) Centurion Press, 2024 - 2025
 https://coresecret.eu/
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 "./ciss_live_builder.sh <option>", where <option> is one or more of:
  --help, -h
@@ -30,7 +27,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
  --autobuild=*, -a=*
    Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel
    selector dialog. Change '*' to your desired Linux kernel and trim the
-    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.22+bpo-amd64'.
+    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'.
  --architecture <STRING> one of <amd64 | arm64>
    A string reflecting the architecture of the Live System.
@@ -58,19 +55,20 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
  --debug
    Enables debug logging for the main program routine. Detailed logging
-    information are written to "/tmp/ciss_live_builder_3764286.log"
+    information are written to "/tmp/ciss_live_builder_1136873.log"
  --dhcp-centurion
    If a DHCP lease is provided, the provider's nameserver will be overridden,
    and only the hardened, privacy-focused Centurion DNS servers will be used:
-    - https://dns01.eddns.eu/
+      - https://dns01.eddns.eu/
-    - https://dns02.eddns.de/
+      - https://dns02.eddns.de/
      - https://dns03.eddns.eu/
  --jump-host <IP | IP | ... >
    Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
    Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
    If provided, than it MUST be a <SPACE> separated list.
-    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd/64].
+    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64.
  --log-statistics-only
    Provides statistic only after successful building a
@@ -80,23 +78,25 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
  --provider-netcup-ipv6
    Activates IPv6 support for Netcup Root Server. One unique
-    IPv6 address MUST be provided in this case.
+    IPv6 address MUST be provided in this case and MUST be encapsulated
    with [], e.g., [1234::abcd].
  --renice-priority <PRIORITY>
    Reset the nice priority value of the script and all its children
-    to the desired PRIORITY. MUST be an integer (between "-19" and 19).
+    to the desired <PRIORITY>. MUST be an integer (between "-19" and 19).
    Negative (higher) values MUST be enclosed in double quotes '"'.
  --reionice-priority <CLASS> <PRIORITY>
    Reset the ionice priority value of the script and all its children
-    to the desired CLASS. MUST be an integer:
+    to the desired <CLASS>. MUST be an integer:
-    1: realtime
+      1: realtime
-    2: best-effort
+      2: best-effort
-    3: idle
+      3: idle
-    defaults to "2".
+    Defaults to '2'.
-    PRIORITY MUST be an integer:
+    Whereas <PRIORITY> MUST be an integer as well between:
-    between 0 (highest) and 7 (lowest) priority.
+      0: highest priority and
-    defaults to "4".
+      7: lowest priority.
    Defaults to '4'.
    A real-time I/O process can significantly slow down other processes
    or even cause them to starve if it continuously requests I/O.
@@ -107,9 +107,9 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
    the local console. The root password is hashed with an 16 Byte '/dev/random'
    generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
    after Hash generation all Variables containing plain password fragments are
-    deleted. Password file SHOULD be 0400 and root:root and is deleted without
+    deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without
    further prompt after password hash has been successfully generated via:
-    shred -vfzu 5 -f.
+    'shred -vfzu 5 -f'.
    No tracing of any plain text password fragment in any debug log.
  --ssh-port <INTEGER>
@@ -123,14 +123,30 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
  --version, -v
    Displays version of ./ciss_live_builder.sh.
-NOTES:
+💡 Notes:
-  - You MUST be root to run this script.
+🔵 You MUST be 'root' to run this script.
-Contact:
+💷 Please consider donating to my work at:
-  - https://coresecret.eu/
+🌐 https://coresecret.eu/spenden/
-  - security@coresecret.eu
+````
-    - PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD
+
-      - https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD
+# 2.2. Contact
 ````text
 CISS.debian.live.builder
 Master V8.03.832.2025.06.24
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 (c) Marc S. Weidner, 2018 - 2025
 (p) Centurion Press, 2024 - 2025
 💬 Contact:
 🌐 https://coresecret.eu/
 📧 security@coresecret.eu
 🔑 PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD
 🔗 https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD
 💷 Please consider donating to my work at:
 🌐 https://coresecret.eu/spenden/
 ````
 # 3. Booting
--- a/docs/LICENSES/CCLA-1.0.html
+++ b/docs/LICENSES/CCLA-1.0.html
@@ -1,53 +0,0 @@
 <h1 id="spdx-license-identifier-licenseref-ccla-10">SPDX-License-Identifier: LicenseRef-CCLA-1.0</h1>
 <h1 id="centurion-commercial-license-agreement-10">Centurion Commercial License Agreement 1.0</h1>
 <h2 id="1-general-terms"><strong>1. General Terms</strong></h2>
 <p>1.1. This Subscription License Agreement ("Agreement") governs the commercial use of the Software ("Software").</p>
 <p>1.2. Private and open-source usage of the Software remains governed by the EUPL-1.2 license.</p>
 <p>1.3. By purchasing and using the Software under this Agreement, you ("Licensee") agree to the terms outlined below.</p>
 <p>1.4. Only the English version of this Agreement shall be legally binding. Translations are provided for convenience only.</p>
 <h2 id="2-grant-of-license"><strong>2. Grant of License</strong></h2>
 <p>2.1. Subject-to-payment of applicable subscription fees, Licensor grants Licensee a</p>
 <ul>
 <li>non-exclusive,</li>
 <li>non-transferable,</li>
 <li>time-limited,</li>
 </ul>
 <p>right to use the Software for commercial purposes.</p>
 <p>2.2. This license is valid only for the duration of the subscription period and under the scope defined in this Agreement.</p>
 <h2 id="3-subscription-fees-and-payment"><strong>3. Subscription Fees and Payment</strong></h2>
 <p>3.1. Licensee agrees to pay the subscription fees as specified in the pricing agreement. These fees are non-refundable.</p>
 <p>3.2. Licensor reserves the right to modify subscription fees upon 30 days' written notice.</p>
 <h2 id="4-restrictions"><strong>4. Restrictions</strong></h2>
 <p>4.1. Licensee shall not:</p>
 <ul>
 <li>Distribute, sublicense, or resell the Software.</li>
 <li>Reverse engineer, decompile, or modify the Software, except as permitted by mandatory law.</li>
 </ul>
 <p>4.2. The Software may not be used for illegal or unethical purposes.</p>
 <h2 id="5-support-and-updates"><strong>5. Support and Updates</strong></h2>
 <p>5.1. Licensor will provide updates and support for the Software during the subscription period, as detailed in the accompanying support agreement.</p>
 <p>5.2. Support services may include bug fixes, patches, and minor updates. Major updates may incur additional fees.</p>
 <h2 id="6-termination"><strong>6. Termination</strong></h2>
 <p>6.1. This Agreement is valid for the subscription term unless terminated earlier:</p>
 <ul>
 <li>By Licensee, with a 30-day written notice.</li>
 <li>By Licensor, in the event of Licensees breach of this Agreement.</li>
 </ul>
 <p>6.2. Upon termination, Licensee must cease all uses of the Software and delete all copies.</p>
 <h2 id="7-liability-and-warranty"><strong>7. Liability and Warranty</strong></h2>
 <p>7.1. The Software is provided "as is" without warranties of any kind, except as required by law.</p>
 <p>7.2. Licensors' liability is limited to the number of subscription fees paid by Licensee in the preceding 12 months.</p>
 <h2 id="8-governing-law"><strong>8. Governing Law</strong></h2>
 <p>8.1. This Agreement shall be governed by the laws of Portugal.</p>
 <p>8.2. Disputes arising under this Agreement shall be subject to the exclusive jurisdiction of the courts of Portugal.</p>
 <h2 id="9-miscellaneous"><strong>9. Miscellaneous</strong></h2>
 <p>9.1. Any changes to this Agreement must be in writing and signed by both parties.</p>
 <p>9.2. If any provision of this Agreement is found invalid, the remaining provisions shall remain enforceable.</p>
 <h2 id="10-contact-information">10. <strong>Contact Information</strong></h2>
 <ul>
 <li>Licensor : Centurion Intelligence Consulting Agency</li>
 <li>Email : <a href="mailto:legal@coresecret.eu">legal@coresecret.eu</a></li>
 </ul>
 <hr />
 <p>This Subscription License Agreement was last updated at 09.05.2025.</p>
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.644.2025.06.07<br>
+**Build**: V8.03.832.2025.06.24<br>
 # 2. Resources
--- a/docs/SECURITY/coresecret.dev.png
+++ b/docs/SECURITY/coresecret.dev.png
--- a/lib/lib_arg_parser.sh
+++ b/lib/lib_arg_parser.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Argument Parser
 # Globals:
@@ -100,7 +102,7 @@ arg_parser() {
            printf "\e[91m❌ Error: --architecture MUST be 'amd64' or 'arm64'.\e[0m\n" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
-            exit "${ERR_UNCRITICAL}"
+            exit "${ERR_ARG_MSMTCH}"
          fi
          ;;
--- a/lib/lib_arg_priority_check.sh
+++ b/lib/lib_arg_priority_check.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Check and setup Script Priorities
 # Globals:
--- a/lib/lib_boot_screen.sh
+++ b/lib/lib_boot_screen.sh
@@ -10,8 +10,10 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
-# Change Grub Boot Screen Splash
+# Set up a gauge Dialog Wrapper.
 # Globals:
 #   PID_BOOT_SCREEN
 #   PIPE_BOOT_SCREEN
--- a/lib/lib_cdi.sh
+++ b/lib/lib_cdi.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # CISS.2025.debian.installer GRUB and Autostart Generator
 # Globals:
--- a/lib/lib_change_splash.sh
+++ b/lib/lib_change_splash.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Change Grub Boot Screen Splash
 # Globals:
--- a/lib/lib_check_dhcp.sh
+++ b/lib/lib_check_dhcp.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Check if hardened Centurion DNS servers are desired.
 # Globals:
--- a/lib/lib_check_hooks.sh
+++ b/lib/lib_check_hooks.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Check and apply 0755 Permissions on every ./config/hooks/live/*.chroot file
 # Globals:
--- a/lib/lib_check_kernel.sh
+++ b/lib/lib_check_kernel.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Kernel Image Selector
 # Globals:
@@ -52,7 +54,7 @@ check_kernel() {
    done < "${VAR_KERNEL_SRT}"
  # shellcheck disable=SC2155
-  if declare -g VAR_KERNEL=$(dialog \
+  if declare -gx VAR_KERNEL=$(dialog \
                          --no-collapse \
                          --ascii-lines \
                          --clear \
@@ -63,9 +65,9 @@ check_kernel() {
  else
    clear
    if [[ "${VAR_ARCHITECTURE}" == "amd64" ]]; then
-      declare -gr VAR_KERNEL="amd64"
+      declare -gx VAR_KERNEL="amd64"
    elif [[ "${VAR_ARCHITECTURE}" == "arm64" ]]; then
-      declare -gr VAR_KERNEL="arm64"
+      declare -gx VAR_KERNEL="arm64"
    fi
  fi
 }
--- a/lib/lib_check_pkgs.sh
+++ b/lib/lib_check_pkgs.sh
@@ -10,23 +10,46 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Check for required Deb Packages to run the script.
 # Arguments:
 #  None
 #######################################
 check_pkgs() {
-  if [[ ! -f /usr/share/live/build/VERSION ]]; then
+  apt-get update -y > /dev/null 2>&1
-    apt-get update -y
+
-    apt-get install live-build -y
+  if [[ -z "$(command -v batcat || true)" ]]; then
    apt-get install -y --no-install-recommends bat
  fi
-  if [[ -z "$(command -v dialog || true)" ]]; then
+  if [[ -z "$(command -v lsb_release || true)" ]]; then
-    if ! $VAR_HANDLER_AUTOBUILD; then apt-get install --no-install-recommends dialog -y; fi
+    apt-get install -y --no-install-recommends lsb-release
  fi
  if [[ -z "$(command -v debootstrap || true)" ]]; then
    if grep -RqsE '^[[:space:]]*deb .*backports' /etc/apt/sources.list /etc/apt/sources.list.d; then
      # shellcheck disable=SC2155
      declare codename=$(lsb_release -sc)
      apt-get install -y -t "${codename}-backports" debootstrap
    else
      apt-get install -y debootstrap
    fi
  fi
  if [[ ! -f /usr/share/live/build/VERSION ]]; then
    apt-get install -y live-build
  fi
  if [[ "${VAR_HANDLER_AUTOBUILD}" == false ]]; then
    if [[ -z "$(command -v dialog || true)" ]]; then
      apt-get install -y --no-install-recommends dialog
    fi
  fi
  if [[ -z "$(command -v mkpasswd || true)" ]]; then
-    apt-get install --no-install-recommends whois -y
+    apt-get install -y --no-install-recommends whois
  fi
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_check_provider.sh
+++ b/lib/lib_check_provider.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Notes Textbox
 # Arguments:
@@ -17,8 +19,9 @@
 #######################################
 check_provider() {
  clear
-  cat << 'EOF' >| "${VAR_NOTES}"
+  cat << EOF >| "${VAR_NOTES}"
-Build: Master V8.03.644.2025.06.07
+Build  : ${VAR_VERSION}
 Commit : ${VAR_GIT_REL}
 Press 'EXIT' to continue with CISS.debian.live.builder.
--- a/lib/lib_check_stats.sh
+++ b/lib/lib_check_stats.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Check if analysis run is desired only.
 # Globals:
--- a/lib/lib_check_var.sh
+++ b/lib/lib_check_var.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Unbound Variable Check and call Trap on ERR
 # Globals:
--- a/lib/lib_clean_screen.sh
+++ b/lib/lib_clean_screen.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Terminal cleaner before Trap on Error
 # Arguments:
--- a/lib/lib_clean_up.sh
+++ b/lib/lib_clean_up.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Clean Up Wrapper on Trap on 'ERR' and 'EXIT'.
 # Globals:
@@ -26,6 +28,11 @@ clean_up() {
  rm -f -- "${VAR_KERNEL_INF}"
  rm -f -- "${VAR_KERNEL_SRT}"
  rm -f -- "${VAR_KERNEL_TMP}"
  # Release advisory lock on FD 127.
  flock -u 127
  # Close file descriptor 127.
  exec 127>&-
  # Remove the lockfile artifact.
  rm -f /run/lock/ciss_live_builder.lock
  if (( clean_exit_code == 0 )); then rm -f -- "${LOG_ERROR}"; fi
  if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then
--- a/lib/lib_contact.sh
+++ b/lib/lib_contact.sh
@@ -0,0 +1,41 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 #######################################
 # Contact Wrapper CISS.debian.live.builder
 # Globals:
 #   none
 # Arguments:
 #   none
 #######################################
 contact() {
  clear
  cat << EOF
 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
 $(echo -e "\e[92mMaster V8.03.832.2025.06.24\e[0m")
 $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.\e[0m")
 $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
 $(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
 $(echo -e "\e[95m💬 Contact:\e[0m")
 $(echo -e "\e[95m🌐 https://coresecret.eu/ \e[0m")
 $(echo -e "\e[95m📧 security@coresecret.eu \e[0m")
 $(echo -e "\e[95m🔑 PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD \e[0m")
 $(echo -e "\e[95m🔗 https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD \e[0m")
 $(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m")
 $(echo -e "\e[95m🌐 https://coresecret.eu/spenden/         \e[0m")
 EOF
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_copy_integrity.sh
+++ b/lib/lib_copy_integrity.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Copy Initial ISO aide Database into Host System
 # Globals:
--- a/lib/lib_debug.sh
+++ b/lib/lib_debug.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Debugger Wrapper for xtrace to Debug Log
 # Globals:
@@ -34,22 +36,18 @@ debugger() {
      declare -p "${var}" 2>/dev/null
    done < <(compgen -v | grep -Ev '^(BASH|_).*')
  } | sort >| "${VAR_DUMP_VARS_INITIAL}"
-  declare -grx VAR_EARLY_DEBUG=true
+  declare -gx VAR_EARLY_DEBUG="true"
  ### Set a verbose PS4 prompt including timestamp, source, line, exit status, and function name
-  declare -grx PS4='\e[97m+\e[0m\e[96m$(date +%T.%4N)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m${?}\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m '
+  declare -grx PS4='\e[97m+\e[0m\e[96m$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m${?}\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m '
  # shellcheck disable=SC2155
  declare -grx LOG_DEBUG="/tmp/ciss_live_builder_$$_debug.log"
-  ### Generates empty LOG_DEBUG
+  declare -grx LOG_VAR="/tmp/ciss_live_builder_$$_var.log"
  ### Generates empty LOG_DEBUG and LOG_VAR
  touch "${LOG_DEBUG}" && chmod 0600 "${LOG_DEBUG}"
  touch "${LOG_VAR}" && chmod 0600 "${LOG_VAR}"
  ### Open file descriptor 42 for writing to the debug log
  exec 42>| "${LOG_DEBUG}"
  ### Write Debug Log Header https://www.gnu.org/software/bash/manual/html_node/Bash-Variables
    ### Determine the directory of this script, even if sourced.
    # shellcheck disable=SC2155
    declare script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
    ### Source the header from the same directory. This ensures we always load lib/lib_debug_header.sh correctly.
    . "${script_dir}/lib_debug_header.sh"
  # shellcheck disable=SC2119
  debug_header "$#" "$*"
  ### Tell Bash to send xtrace output to FD 42
  export BASH_XTRACEFD=42
--- a/lib/lib_debug_header.sh
+++ b/lib/lib_debug_header.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Generates Debug Log Header
 # Globals:
@@ -31,26 +33,29 @@ debug_header() {
  declare -r arg_counter="$1"
  declare -r arg_string="$2"
  {
-    printf "\e[97m+\e[0m\e[92m%s: CISS.debian.live.builder Debug Log \e[0m\n" "$(date +%T.%4N)"
+    printf "\e[97m+\e[0m\e[92m%s: CISS.debian.live.builder Debug Log \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
-    printf "\e[97m+\e[0m\e[92m%s: Version                   : %s \e[0m\n" "$(date +%T.%4N)" "${VAR_VERSION}"
+    printf "\e[97m+\e[0m\e[92m%s: Git Commit                : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_GIT_REL}"
-    printf "\e[97m+\e[0m\e[92m%s: Epoch                     : %s \e[0m\n" "$(date +%T.%4N)" "${EPOCHREALTIME}"
+    printf "\e[97m+\e[0m\e[92m%s: Version                   : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_VERSION}"
-    printf "\e[97m+\e[0m\e[92m%s: Bash MAJ Release          : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[0]}"
+    printf "\e[97m+\e[0m\e[92m%s: Epoch                     : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${EPOCHREALTIME}"
-    printf "\e[97m+\e[0m\e[92m%s: Bash MIN Version          : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[1]}"
+    printf "\e[97m+\e[0m\e[92m%s: Bash MAJ Release          : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[0]}"
-    printf "\e[97m+\e[0m\e[92m%s: Bash Patch Level          : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[2]}"
+    printf "\e[97m+\e[0m\e[92m%s: Bash MIN Version          : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[1]}"
-    printf "\e[97m+\e[0m\e[92m%s: Bash Build Version        : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[3]}"
+    printf "\e[97m+\e[0m\e[92m%s: Bash Patch Level          : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[2]}"
-    printf "\e[97m+\e[0m\e[92m%s: Bash Release              : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[4]}"
+    printf "\e[97m+\e[0m\e[92m%s: Bash Build Version        : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[3]}"
-    printf "\e[97m+\e[0m\e[92m%s: UID                       : %s \e[0m\n" "$(date +%T.%4N)" "${UID}"
+    printf "\e[97m+\e[0m\e[92m%s: Bash Release              : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[4]}"
-    printf "\e[97m+\e[0m\e[92m%s: EUID                      : %s \e[0m\n" "$(date +%T.%4N)" "${EUID}"
+    printf "\e[97m+\e[0m\e[92m%s: UID                       : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${UID}"
-    printf "\e[97m+\e[0m\e[92m%s: Hostname                  : %s \e[0m\n" "$(date +%T.%4N)" "${HOSTNAME}"
+    printf "\e[97m+\e[0m\e[92m%s: EUID                      : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${EUID}"
-    printf "\e[97m+\e[0m\e[92m%s: Script name               : %s \e[0m\n" "$(date +%T.%4N)" "$0"
+    printf "\e[97m+\e[0m\e[92m%s: Hostname                  : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${HOSTNAME}"
-    printf "\e[97m+\e[0m\e[92m%s: Argument Counter          : %s \e[0m\n" "$(date +%T.%4N)" "${arg_counter}"
+    printf "\e[97m+\e[0m\e[92m%s: Hostsystem                : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_SYSTEM}"
-    printf "\e[97m+\e[0m\e[92m%s: Argument String Original  : %s \e[0m\n" "$(date +%T.%4N)" "${arg_string}"
+    printf "\e[97m+\e[0m\e[92m%s: Script name               : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "$0"
-    printf "\e[97m+\e[0m\e[92m%s: Script PID                : %s \e[0m\n" "$(date +%T.%4N)" "$$"
+    printf "\e[97m+\e[0m\e[92m%s: Argument Counter          : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${arg_counter}"
-    printf "\e[97m+\e[0m\e[92m%s: Script Parent PID         : %s \e[0m\n" "$(date +%T.%4N)" "${PPID}"
+    printf "\e[97m+\e[0m\e[92m%s: Argument String Original  : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${arg_string}"
-    printf "\e[97m+\e[0m\e[92m%s: Script work DIR           : %s \e[0m\n" "$(date +%T.%4N)" "${PWD}"
+    printf "\e[97m+\e[0m\e[92m%s: Script PID                : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "$$"
-    printf "\e[97m+\e[0m\e[92m%s: Shell Options             : %s \e[0m\n" "$(date +%T.%4N)" "$-"
+    printf "\e[97m+\e[0m\e[92m%s: Script Parent PID         : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${PPID}"
-    printf "\e[97m+\e[0m\e[92m%s: BASHOPTS                  : %s \e[0m\n" "$(date +%T.%4N)" "${BASHOPTS}"
+    printf "\e[97m+\e[0m\e[92m%s: Script work DIR           : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${PWD}"
-    printf "\e[97m+\e[0m\e[92m%s: ==== Debug Log Begin ==== : \e[0m\n" "$(date +%T.%4N)"
+    printf "\e[97m+\e[0m\e[92m%s: Shell Options             : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "$-"
    printf "\e[97m+\e[0m\e[92m%s: BASHOPTS                  : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASHOPTS}"
    printf "\e[97m+\e[0m\e[92m%s: SHELLOPTS                 : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${SHELLOPTS}"
    printf "\e[97m+\e[0m\e[92m%s: ==== Debug Log Begin ==== : \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
  } >&42
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_git_var.sh
+++ b/lib/lib_git_var.sh
@@ -0,0 +1,36 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Define Git Repo related Variables.
 # Globals:
 #   VAR_GIT_HEAD
 #   VAR_GIT_REL
 #   VAR_GIT_REL_DATE
 #   VAR_GIT_REL_DATE_TIME
 #   VAR_GIT_REL_SHORT
 # Arguments:
 #   None
 #######################################
 check_git() {
  # shellcheck disable=SC2155
  if git rev-parse --is-inside-work-tree &>/dev/null; then
    declare -grx VAR_GIT_REL="$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
    declare -grx VAR_GIT_REL_SHORT="${VAR_GIT_REL%% *}"
    declare -grx VAR_GIT_REL_DATE_TIME="${VAR_GIT_REL#* }"
    declare -grx VAR_GIT_REL_DATE="${VAR_GIT_REL_DATE_TIME% *}"
    declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
  fi
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_guard_sourcing.sh
+++ b/lib/lib_guard_sourcing.sh
@@ -0,0 +1,42 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 #######################################
 # Prevent the caller LIB-file from being sourced twice.
 # Derive a safe guard-variable name from the caller script filename.
 # Globals:
 #   BASH_SOURCE
 # Arguments:
 #   $1: Explicitly provided Argument: filename of the caller LIB. (Better let the guard_sourcing() determine dynamically.)
 # Returns:
 #   0: Returns '0' in both cases as they are intended to be successful.
 #######################################
 guard_sourcing() {
  ### Determine the caller script (the library being sourced).
  declare var_src="${1:-${BASH_SOURCE[1]}}"
  ### Strip path, keep only filename
  declare var_file_name="${var_src##*/}"
  ### Sanitize to valid var name.
  declare var_safe_name="${var_file_name//[^a-zA-Z0-9_]/_}"
  ### Build guard-variable name.
  declare var_guard_var="_${var_safe_name}_LOADED"
  ### If already loaded, abort sourcing
  if [[ -n "${!var_guard_var:-}" ]]; then
    return 0
  fi
  ### Mark as loaded (readonly + exported)
  declare -grx "${var_guard_var}"=1
  return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_hardening_root_pw.sh
+++ b/lib/lib_hardening_root_pw.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Updates the Live ISO to use root password authentication for local console access.
 # Globals:
--- a/lib/lib_hardening_ssh.sh
+++ b/lib/lib_hardening_ssh.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # SSH Hardening Ultra via TCP Wrapper
 # Globals:
--- a/lib/lib_hardening_ultra.sh
+++ b/lib/lib_hardening_ultra.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Wrapper for accompanying all CISS.debian.hardening features into the Live ISO image.
 # Globals:
--- a/lib/lib_helper_ip.sh
+++ b/lib/lib_helper_ip.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # IP Notation cleaner for pure IP output only
 # Globals:
--- a/lib/lib_lb_build_start.sh
+++ b/lib/lib_lb_build_start.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Wrapper to write a new 'lb config' environment.
 # Globals:
--- a/lib/lib_lb_config_start.sh
+++ b/lib/lib_lb_config_start.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Wrapper for 'lb config' - set up a build environment or deleting old build artifacts.
 # Globals:
--- a/lib/lib_lb_config_write.sh
+++ b/lib/lib_lb_config_write.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Wrapper to write a new 'lb config' environment.
 # Globals:
--- a/lib/lib_provider_netcup.sh
+++ b/lib/lib_provider_netcup.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Notes Textbox
 # Arguments:
--- a/lib/lib_run_analysis.sh
+++ b/lib/lib_run_analysis.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Wrapper for statistic functions of the final build.
 # Globals:
--- a/lib/lib_sanitizer.sh
+++ b/lib/lib_sanitizer.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Argument Check Wrapper
 # Arguments:
--- a/lib/lib_trap_on_err.sh
+++ b/lib/lib_trap_on_err.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Print Error Message for Trap on 'ERR' in ${ERROR_LOG}
 # Globals:
@@ -34,21 +36,22 @@
 print_file_err() {
  {
    printf "❌ CISS.debian.live.builder Script failed. \n"
-    printf "❌ Version             : %s \n" "${VAR_VERSION}"
+    printf "❌ Git Commit             : %s \n" "${VAR_GIT_REL}"
-    printf "❌ Environment         : %s \n" "${VAR_SYSTEM}"
+    printf "❌ Version                : %s \n" "${VAR_VERSION}"
-    printf "❌ Error               : %s \n" "${ERRCODE}"
+    printf "❌ Hostsystem             : %s \n" "${VAR_SYSTEM}"
-    printf "❌ Line                : %s \n" "${ERRLINE}"
+    printf "❌ Error                  : %s \n" "${ERRCODE}"
-    printf "❌ Script              : %s \n" "${ERRSCRT}"
+    printf "❌ Line                   : %s \n" "${ERRLINE}"
-    printf "❌ Function            : %s \n" "${ERRFUNC}"
+    printf "❌ Script                 : %s \n" "${ERRSCRT}"
-    printf "❌ Command             : %s \n" "${ERRCMMD}"
+    printf "❌ Function               : %s \n" "${ERRFUNC}"
-    printf "❌ Script Runtime      : %s \n" "${SECONDS}"
+    printf "❌ Command                : %s \n" "${ERRCMMD}"
-    printf "❌ Arguments Counter   : %s \n" "${ARGUMENTS_COUNT}"
+    printf "❌ Script Runtime         : %s \n" "${SECONDS}"
-    printf "❌ Arguments Original  : %s \n" "${ARG_STR_ORG_INPUT}"
+    printf "❌ Arguments Counter      : %s \n" "${ARGUMENTS_COUNT}"
-    printf "❌ Arguments Sanitized : %s \n" "${VAR_ARG_SANITIZED}"
+    printf "❌ Arguments Original     : %s \n" "${ARG_STR_ORG_INPUT}"
    printf "❌ Arguments Sanitized    : %s \n" "${VAR_ARG_SANITIZED}"
    if "${VAR_EARLY_DEBUG}"; then
-      printf "❌ Vars Dump saved at  : %s \n" "${LOG_VAR}"
+      printf "❌ Vars Dump saved at     : %s \n" "${LOG_VAR}"
-      printf "❌ Debug Log saved at  : %s \n" "${LOG_DEBUG}"
+      printf "❌ Debug Log saved at     : %s \n" "${LOG_DEBUG}"
-      printf "❌                   cat %s \n" "${LOG_DEBUG}"
+      printf "❌ batcat --pager='less -r' %s \n" "${LOG_DEBUG}"
    fi
    printf "\n"
  } >> "${LOG_ERROR}"
@@ -77,23 +80,24 @@ print_file_err() {
 #######################################
 print_scr_err() {
  printf "\e[91m❌ CISS.debian.live.builder Script failed. \e[0m\n" >&2
-  printf "\e[91m❌ Version             : %s \e[0m\n" "${VAR_VERSION}" >&2
+  printf "\e[91m❌ Git Commit             : %s \e[0m\n" "${VAR_GIT_REL}" >&2
-  printf "\e[91m❌ Environment         : %s \e[0m\n" "${VAR_SYSTEM}" >&2
+  printf "\e[91m❌ Version                : %s \e[0m\n" "${VAR_VERSION}" >&2
-  printf "\e[91m❌ Error               : %s \e[0m\n" "${ERRCODE}" >&2
+  printf "\e[91m❌ Hostsystem             : %s \e[0m\n" "${VAR_SYSTEM}" >&2
-  printf "\e[91m❌ Line                : %s \e[0m\n" "${ERRLINE}" >&2
+  printf "\e[91m❌ Error                  : %s \e[0m\n" "${ERRCODE}" >&2
-  printf "\e[91m❌ Script              : %s \e[0m\n" "${ERRSCRT}" >&2
+  printf "\e[91m❌ Line                   : %s \e[0m\n" "${ERRLINE}" >&2
-  printf "\e[91m❌ Function            : %s \e[0m\n" "${ERRFUNC}" >&2
+  printf "\e[91m❌ Script                 : %s \e[0m\n" "${ERRSCRT}" >&2
-  printf "\e[91m❌ Command             : %s \e[0m\n" "${ERRCMMD}" >&2
+  printf "\e[91m❌ Function               : %s \e[0m\n" "${ERRFUNC}" >&2
-  printf "\e[91m❌ Script Runtime      : %s \e[0m\n" "${SECONDS}" >&2
+  printf "\e[91m❌ Command                : %s \e[0m\n" "${ERRCMMD}" >&2
-  printf "\e[91m❌ Arguments Counter   : %s \e[0m\n" "${ARGUMENTS_COUNT}" >&2
+  printf "\e[91m❌ Script Runtime         : %s \e[0m\n" "${SECONDS}" >&2
-  printf "\e[91m❌ Arguments Original  : %s \e[0m\n" "${ARG_STR_ORG_INPUT}" >&2
+  printf "\e[91m❌ Arguments Counter      : %s \e[0m\n" "${ARGUMENTS_COUNT}" >&2
-  printf "\e[91m❌ Arguments Sanitized : %s \e[0m\n" "${VAR_ARG_SANITIZED}" >&2
+  printf "\e[91m❌ Arguments Original     : %s \e[0m\n" "${ARG_STR_ORG_INPUT}" >&2
-  printf "\e[91m❌ Error Log saved at  : %s \e[0m\n" "${LOG_ERROR}" >&2
+  printf "\e[91m❌ Arguments Sanitized    : %s \e[0m\n" "${VAR_ARG_SANITIZED}" >&2
-  printf "\e[91m❌                   cat %s \e[0m\n" "${LOG_ERROR}" >&2
+  printf "\e[91m❌ Error Log saved at     : %s \e[0m\n" "${LOG_ERROR}" >&2
  printf "\e[91m❌ batcat --pager='less -r' %s \e[0m\n" "${LOG_ERROR}" >&2
  if "${VAR_EARLY_DEBUG}"; then
-    printf "\e[91m❌ Vars Dump saved at  : %s \e[0m\n" "${LOG_VAR}" >&2
+    printf "\e[91m❌ Vars Dump saved at     : %s \e[0m\n" "${LOG_VAR}" >&2
-    printf "\e[91m❌ Debug Log saved at  : %s \e[0m\n" "${LOG_DEBUG}" >&2
+    printf "\e[91m❌ Debug Log saved at     : %s \e[0m\n" "${LOG_DEBUG}" >&2
-    printf "\e[91m❌                   cat %s \e[0m\n" "${LOG_DEBUG}" >&2
+    printf "\e[91m❌ batcat --pager='less -r' %s \e[0m\n" "${LOG_DEBUG}" >&2
  fi
  printf "\n"
 }
@@ -115,12 +119,12 @@ print_scr_err() {
 #   $5: ${BASH_COMMAND}
 #######################################
 trap_on_err() {
  trap - ERR
  declare -g ERRCODE="$1"
  declare -g ERRSCRT="$2"
  declare -g ERRLINE="$3"
  declare -g ERRFUNC="$4"
  declare -g ERRCMMD="$5"
  trap - ERR
  if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi
  clean_up "${ERRCODE}"
  if ! $VAR_HANDLER_AUTOBUILD; then clean_screen; fi
--- a/lib/lib_trap_on_exit.sh
+++ b/lib/lib_trap_on_exit.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Trap function to be called on 'EXIT'.
 # Globals:
@@ -18,20 +20,20 @@
 #   $1: $?
 #######################################
 trap_on_exit() {
  declare -r trap_on_exit_code="$1"
  trap - EXIT
-  if (( trap_on_exit_code == 0 )); then
+  declare -r var_trap_on_exit_code="$1"
  if (( var_trap_on_exit_code == 0 )); then
    if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi
-    clean_up "${trap_on_exit_code}"
+    clean_up "${var_trap_on_exit_code}"
-    print_scr_exit "${trap_on_exit_code}"
+    print_scr_exit "${var_trap_on_exit_code}"
-    exit 0
+    exit "${var_trap_on_exit_code}"
  else
-    exit "${trap_on_exit_code}"
+    exit "${var_trap_on_exit_code}"
  fi
 }
 #######################################
-# Print Success Message for Trap on 'EXIT' on 'stdout'
+# Print Success Message for Trap on 'EXIT' on 'stdout'.
 # Globals:
 #   LOG_DEBUG
 #   LOG_VAR
@@ -40,22 +42,22 @@ trap_on_exit() {
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_SCRIPT_SUCCESS
 # Arguments:
-#   $1: ${trap_on_exit_code} of trap_on_exit()
+#   $1: ${var_trap_on_exit_code} of trap_on_exit()
 #######################################
 print_scr_exit() {
-  declare -r print_scr_exit_code="$1"
+  declare -r var_print_scr_exit_code="$1"
-  if (( print_scr_exit_code == 0 )); then
+  if (( var_print_scr_exit_code == 0 )); then
    if [[ "${VAR_SCRIPT_SUCCESS}" == "true" ]]; then
      printf "\n"
      printf "\e[92m✅ CISS.debian.live.builder Script successful. \e[0m\n"
-      printf "\e[92m✅ Aide Initial DB at: %s \e[0m\n" "${VAR_HANDLER_BUILD_DIR}/.integrity/"
+      printf "\e[92m✅ Aide Initial DB at     : %s \e[0m\n" "${VAR_HANDLER_BUILD_DIR}/.integrity/"
-      printf "\e[92m✅ Exited with Status: %s \e[0m\n" "${print_scr_exit_code}"
+      printf "\e[92m✅ Exited with Status     : %s \e[0m\n" "${var_print_scr_exit_code}"
      printf "\n"
      if [[ "${VAR_EARLY_DEBUG}" == "true" ]]; then
-        printf "\e[92m✅ Script Runtime    : %s \e[0m\n" "${SECONDS}"
+        printf "\e[92m✅ Script Runtime         : %s \e[0m\n" "${SECONDS}"
-        printf "\e[92m✅ Vars Dump saved at: %s \e[0m\n" "${LOG_VAR}"
+        printf "\e[92m✅ Vars Dump saved at     : %s \e[0m\n" "${LOG_VAR}"
-        printf "\e[92m✅ Debug Log saved at: %s \e[0m\n" "${LOG_DEBUG}"
+        printf "\e[92m✅ Debug Log saved at     : %s \e[0m\n" "${LOG_DEBUG}"
-        printf "\e[92m✅                 cat %s \e[0m\n" "${LOG_DEBUG}"
+        printf "\e[92m✅ batcat --pager='less -r' %s \e[0m\n" "${LOG_DEBUG}"
        printf "\n"
      fi
      printf "\e[95m💷 Please consider donating to my work at: \e[0m\n"
--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -13,133 +13,129 @@
 #######################################
 # Usage Wrapper CISS.debian.live.builder
 # Globals:
-#   ERR_UNCRITICAL
+#   none
 # Arguments:
 #   $0: Script name
 #######################################
 usage() {
  clear
  cat << EOF
 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.03.644.2025.06.07\e[0m")
+$(echo -e "\e[92mMaster V8.03.832.2025.06.24\e[0m")
 $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.\e[0m")
 $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
 $(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
 $(echo -e "\e[95mhttps://coresecret.eu/\e[0m")
 $(echo -e "\e[97mA lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.\e[0m")
 "${0} <option>", where <option> is one or more of:
-  --help, -h
+$(echo -e "\e[97m  --help, -h\e[0m")
    What you're looking at.
-  --autobuild=*, -a=*
+$(echo -e "\e[97m  --autobuild=*, -a=*\e[0m")
    Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel
    selector dialog. Change '*' to your desired Linux kernel and trim the
-    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.22+bpo-amd64'.
+    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'.
-  --architecture <STRING> one of <amd64 | arm64>
+$(echo -e "\e[97m  --architecture <STRING> one of <amd64 | arm64>\e[0m")
    A string reflecting the architecture of the Live System.
    MUST be provided.
-  --build-directory </path/to/build_directory>
+$(echo -e "\e[97m  --build-directory </path/to/build_directory>\e[0m")
    Where the Debian Live Build Image should be generated.
    MUST be provided.
-  --change-splash <STRING> one of <club | hexagon>
+$(echo -e "\e[97m  --change-splash <STRING> one of <club | hexagon>\e[0m")
    A string reflecting the GRub Boot Screen Splash you want to use.
    If omitted defaults to "./.archive/background/club.png".
-  --cdi (Experimental Feature)
+$(echo -e "\e[97m  --cdi (Experimental Feature)\e[0m")
    This option generates a boot menu entry to start the forthcoming
    'CISS.debian.installer', which will be executed after
    the system has successfully booted up.
-  --contact, -c
+$(echo -e "\e[97m  --contact, -c\e[0m")
    Displays contact information of the author.
-  --control <INTEGER>
+$(echo -e "\e[97m  --control <INTEGER>\e[0m")
    An integer that reflects the version of your Live ISO Image.
    MUST be provided.
-  --debug
+$(echo -e "\e[97m  --debug\e[0m")
    Enables debug logging for the main program routine. Detailed logging
    information are written to "/tmp/ciss_live_builder_$$.log"
-  --dhcp-centurion
+$(echo -e "\e[97m  --dhcp-centurion\e[0m")
    If a DHCP lease is provided, the provider's nameserver will be overridden,
    and only the hardened, privacy-focused Centurion DNS servers will be used:
-    - https://dns01.eddns.eu/
+      - https://dns01.eddns.eu/
-    - https://dns02.eddns.de/
+      - https://dns02.eddns.de/
      - https://dns03.eddns.eu/
-  --jump-host <IP | IP | ... >
+$(echo -e "\e[97m  --jump-host <IP | IP | ... >\e[0m")
    Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
    Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
    If provided, than it MUST be a <SPACE> separated list.
-    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd/64].
+    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64.
-  --log-statistics-only
+$(echo -e "\e[97m  --log-statistics-only\e[0m")
    Provides statistic only after successful building a
    CISS.debian.live-ISO. While enabling "--log-statistics-only"
    the argument "--build-directory" MUST be provided while
    all further options MUST be omitted.
-  --provider-netcup-ipv6
+$(echo -e "\e[97m  --provider-netcup-ipv6\e[0m")
    Activates IPv6 support for Netcup Root Server. One unique
-    IPv6 address MUST be provided in this case.
+    IPv6 address MUST be provided in this case and MUST be encapsulated
    with [], e.g., [1234::abcd].
-  --renice-priority <PRIORITY>
+$(echo -e "\e[97m  --renice-priority <PRIORITY>\e[0m")
    Reset the nice priority value of the script and all its children
-    to the desired PRIORITY. MUST be an integer (between "-19" and 19).
+    to the desired <PRIORITY>. MUST be an integer (between "-19" and 19).
    Negative (higher) values MUST be enclosed in double quotes '"'.
-  --reionice-priority <CLASS> <PRIORITY>
+$(echo -e "\e[97m  --reionice-priority <CLASS> <PRIORITY>\e[0m")
    Reset the ionice priority value of the script and all its children
-    to the desired CLASS. MUST be an integer:
+    to the desired <CLASS>. MUST be an integer:
-    1: realtime
+      1: realtime
-    2: best-effort
+      2: best-effort
-    3: idle
+      3: idle
-    defaults to "2".
+    Defaults to '2'.
-    PRIORITY MUST be an integer:
+    Whereas <PRIORITY> MUST be an integer as well between:
-    between 0 (highest) and 7 (lowest) priority.
+      0: highest priority and
-    defaults to "4".
+      7: lowest priority.
    Defaults to '4'.
    A real-time I/O process can significantly slow down other processes
    or even cause them to starve if it continuously requests I/O.
-  --root-password-file </path/to/password.txt>
+$(echo -e "\e[97m  --root-password-file </path/to/password.txt>\e[0m")
    Password file for 'root', if given, MUST be a string of 20 to 64 characters,
    and MUST NOT contain the special character '"'.
    If the argument is omitted, no further login authentication is required for
    the local console. The root password is hashed with an 16 Byte '/dev/random'
    generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
    after Hash generation all Variables containing plain password fragments are
-    deleted. Password file SHOULD be 0400 and root:root and is deleted without
+    deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without
    further prompt after password hash has been successfully generated via:
-    shred -vfzu 5 -f.
+    'shred -vfzu 5 -f'.
    No tracing of any plain text password fragment in any debug log.
-  --ssh-port <INTEGER>
+$(echo -e "\e[97m  --ssh-port <INTEGER>\e[0m")
    The desired Port SSH should listen to.
    If not provided defaults to Port 22.
-  --ssh-pubkey </path/to/.ssh/>
+$(echo -e "\e[97m  --ssh-pubkey </path/to/.ssh/>\e[0m")
    Imports the SSH Public Key(s) from the FILE 'authorized_keys' of the
    specified PATH into the Live ISO. MUST be provided.
-  --version, -v
+$(echo -e "\e[97m  --version, -v\e[0m")
    Displays version of ${0}.
-$(echo -e "\e[93mNOTES:\e[0m")
+$(echo -e "\e[93m💡 Notes:\e[0m")
-  - You MUST be 'root' to run this script.
+🔵 You MUST be 'root' to run this script.
-$(echo -e "\e[92mContact:\e[0m")
+$(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m")
-$(echo -e "\e[95m  - https://coresecret.eu/ \e[0m")
+$(echo -e "\e[95m🌐 https://coresecret.eu/spenden/         \e[0m")
 $(echo -e "\e[95m  - security@coresecret.eu \e[0m")
 $(echo -e "\e[95m    - PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD \e[0m")
 $(echo -e "\e[95m      - https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD \e[0m")
 EOF
 }
--- a/meta_sources_debug.sh
+++ b/meta_sources_debug.sh
@@ -0,0 +1,16 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Sourcing Debug Libs
 . ./lib/lib_debug.sh
 . ./lib/lib_debug_header.sh
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/scripts/0010_dhcp_supersede.sh
+++ b/scripts/0010_dhcp_supersede.sh
@@ -21,9 +21,9 @@ fi
 cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp/dhclient.conf
 # Custom dhclient config to override DHCP DNS
-# dns01.eddns.eu, dns02.eddns.de;
+# dns01.eddns.eu, dns02.eddns.de; dns03.eddns.eu;
-supersede domain-name-servers 135.181.207.105, 89.58.62.53;
+supersede domain-name-servers 135.181.207.105, 89.58.62.53; 138.199.237.109;
 EOF
--- a/scripts/9000-cdi-starter
+++ b/scripts/9000-cdi-starter
@@ -15,7 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 # sleep 1
 [[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log
-printf "CISS.debian.installer Master V8.03.644.2025.06.07 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+printf "CISS.debian.installer Master V8.03.832.2025.06.24 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
 if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then
  chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh
--- a/var/bash.var.sh
+++ b/var/bash.var.sh
@@ -0,0 +1,21 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin
 set -o errexit   # Exit script when a command exits with non-zero status, the same as "set -e".
 set -o errtrace  # Any traps on ERR are inherited in a subshell environment, the same as "set -E".
 set -o functrace # Any traps on DEBUG and RETURN are inherited in a subshell environment, the same as "set -T".
 set -o nounset   # Exit script on use of an undefined variable, the same as "set -u".
 set -o pipefail  # Makes pipelines return the exit status of the last command in the pipe that failed.
 set -o noclobber # Prevent overwriting, the same as "set -C".
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/var/colors.var.sh
+++ b/var/colors.var.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-declare -grx C_BLA='\e[90m' # For the techno fans.
+declare -grx C_BLA='\e[90m' # Beautiful black For the techno fans.
 declare -grx C_RED='\e[91m' # Bright red.
 declare -grx C_GRE='\e[92m' # Vibrant green.
 declare -grx C_YEL='\e[93m' # Fancy yellow
@@ -18,6 +18,6 @@ declare -grx C_BLU='\e[94m' # Organic blue.
 declare -grx C_MAG='\e[95m' # Super gay magenta.
 declare -grx C_CYA='\e[96m' # Lovely cyan.
 declare -grx C_WHI='\e[97m' # Fantastic color mix.
-declare -grx C_RES='\e[0m'    # Forget everything.
+declare -grx C_RES='\e[0m'  # Forget everything.
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/var/early.var.sh
+++ b/var/early.var.sh
@@ -0,0 +1,25 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### Definition of MUST set early Variables
 # shellcheck disable=SC2155
 declare -agx ARY_PARAM_ARRAY=("$@")
 declare -grx VAR_PARAM_COUNT="$#"
 declare -grx VAR_PARAM_STRNG="$*"
 declare -grx VAR_CONTACT="security@coresecret.eu"
 declare -grx VAR_VERSION="Master V8.03.832.2025.06.24"
 declare -grx VAR_SYSTEM="$(uname -a)"
 declare -gx  VAR_EARLY_DEBUG="false"
 declare -gx  VAR_HANDLER_AUTOBUILD="false"
 umask 0022
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/var/global.var.sh
+++ b/var/global.var.sh
@@ -10,24 +10,13 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # shellcheck disable=SC2155
 declare -gr VAR_SYSTEM="$(uname -a)"
 # shellcheck disable=SC2155
 declare -gr VAR_ISO8601="$(date +%Y_%m_%d_%H_%M_%S)"
 # shellcheck disable=SC2155
 declare -gr VAR_KERNEL_INF="$(mktemp)"
 # shellcheck disable=SC2155
 declare -gr VAR_KERNEL_TMP="$(mktemp)"
 # shellcheck disable=SC2155
 declare -gr VAR_KERNEL_SRT="$(mktemp)"
 # shellcheck disable=SC2155
 declare -gr VAR_NOTES="$(mktemp)"
 if "${VAR_EARLY_DEBUG}"; then
  declare -gr LOG_VAR="/tmp/ciss_live_builder_$$_var.log"
  touch "${LOG_VAR}" && chmod 0600 "${LOG_VAR}"
 fi
 declare -gr LOG_ERROR="/tmp/ciss_live_builder_$$_error.log"
 touch "${LOG_ERROR}" && chmod 0600 "${LOG_ERROR}"