DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]

X-CI-Metadata: master@4445a0a at 2025-07-15T17:55:22Z on deea7eb4a68b

Generated at : 2025-07-15T17:55:22Z
Runner Host  : deea7eb4a68b
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 4445a0a HEAD -> master

.archive/.0000_lib_usage.sh

@@ -0,0 +1,142 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Usage Wrapper CISS.debian.live.builder
+# Globals:
+#   none
+# Arguments:
+#   $0: Script name
+#######################################
+usage() {
+  clear
+  cat << EOF
+$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
+$(echo -e "\e[92mMaster V8.03.864.2025.07.15\e[0m")
+$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
+
+$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
+$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
+
+"${0} <option>", where <option> is one or more of:
+
+$(echo -e "\e[97m  --help, -h\e[0m")
+    What you're looking at.
+
+$(echo -e "\e[97m  --autobuild=*, -a=*\e[0m")
+    Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel
+    selector dialog. Change '*' to your desired Linux kernel and trim the
+    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'.
+
+$(echo -e "\e[97m  --architecture <STRING> one of <amd64 | arm64>\e[0m")
+    A string reflecting the architecture of the Live System.
+    MUST be provided.
+
+$(echo -e "\e[97m  --build-directory </path/to/build_directory>\e[0m")
+    Where the Debian Live Build Image should be generated.
+    MUST be provided.
+
+$(echo -e "\e[97m  --change-splash <STRING> one of <club | hexagon>\e[0m")
+    A string reflecting the GRub Boot Screen Splash you want to use.
+    If omitted defaults to "./.archive/background/club.png".
+
+$(echo -e "\e[97m  --cdi (Experimental Feature)\e[0m")
+    This option generates a boot menu entry to start the forthcoming
+    'CISS.debian.installer', which will be executed after
+    the system has successfully booted up.
+
+$(echo -e "\e[97m  --contact, -c\e[0m")
+    Displays contact information of the author.
+
+$(echo -e "\e[97m  --control <INTEGER>\e[0m")
+    An integer that reflects the version of your Live ISO Image.
+    MUST be provided.
+
+$(echo -e "\e[97m  --debug\e[0m")
+    Enables debug logging for the main program routine. Detailed logging
+    information are written to "/tmp/ciss_live_builder_$$.log"
+
+$(echo -e "\e[97m  --dhcp-centurion\e[0m")
+    If a DHCP lease is provided, the provider's nameserver will be overridden,
+    and only the hardened, privacy-focused Centurion DNS servers will be used:
+      - https://dns01.eddns.eu/
+      - https://dns02.eddns.de/
+      - https://dns03.eddns.eu/
+
+$(echo -e "\e[97m  --jump-host <IP | IP | ... >\e[0m")
+    Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
+    Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
+    If provided, than it MUST be a <SPACE> separated list.
+    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64.
+
+$(echo -e "\e[97m  --log-statistics-only\e[0m")
+    Provides statistic only after successful building a
+    CISS.debian.live-ISO. While enabling "--log-statistics-only"
+    the argument "--build-directory" MUST be provided while
+    all further options MUST be omitted.
+
+$(echo -e "\e[97m  --provider-netcup-ipv6\e[0m")
+    Activates IPv6 support for Netcup Root Server. One unique
+    IPv6 address MUST be provided in this case and MUST be encapsulated
+    with [], e.g., [1234::abcd].
+
+$(echo -e "\e[97m  --renice-priority <PRIORITY>\e[0m")
+    Reset the nice priority value of the script and all its children
+    to the desired <PRIORITY>. MUST be an integer (between "-19" and 19).
+    Negative (higher) values MUST be enclosed in double quotes '"'.
+
+$(echo -e "\e[97m  --reionice-priority <CLASS> <PRIORITY>\e[0m")
+    Reset the ionice priority value of the script and all its children
+    to the desired <CLASS>. MUST be an integer:
+      1: realtime
+      2: best-effort
+      3: idle
+    Defaults to '2'.
+    Whereas <PRIORITY> MUST be an integer as well between:
+      0: highest priority and
+      7: lowest priority.
+    Defaults to '4'.
+    A real-time I/O process can significantly slow down other processes
+    or even cause them to starve if it continuously requests I/O.
+
+$(echo -e "\e[97m  --root-password-file </path/to/password.txt>\e[0m")
+    Password file for 'root', if given, MUST be a string of 20 to 64 characters,
+    and MUST NOT contain the special character '"'.
+    If the argument is omitted, no further login authentication is required for
+    the local console. The root password is hashed with an 16 Byte '/dev/random'
+    generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
+    after Hash generation all Variables containing plain password fragments are
+    deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without
+    further prompt after password hash has been successfully generated via:
+    'shred -vfzu 5 -f'.
+    No tracing of any plain text password fragment in any debug log.
+
+$(echo -e "\e[97m  --ssh-port <INTEGER>\e[0m")
+    The desired Port SSH should listen to.
+    If not provided defaults to Port 22.
+
+$(echo -e "\e[97m  --ssh-pubkey </path/to/.ssh/>\e[0m")
+    Imports the SSH Public Key(s) from the FILE 'authorized_keys' of the
+    specified PATH into the Live ISO. MUST be provided.
+
+$(echo -e "\e[97m  --version, -v\e[0m")
+    Displays version of ${0}.
+
+$(echo -e "\e[93m💡 Notes:\e[0m")
+🔵 You MUST be 'root' to run this script.
+
+$(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m")
+$(echo -e "\e[95m🌐 https://coresecret.eu/spenden/         \e[0m")
+
+EOF
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.archive/icon.lib

@@ -46,4 +46,10 @@
 🧠
 📅
 🎯
+🌐
+🔗
+💬
+☢️
+☣️
+•
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml

@@ -25,7 +25,7 @@ body:
     attributes:
       label: "Version"
       description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.03.768.2025.06.17"
+      placeholder: "e.g., Master V8.03.864.2025.07.15"
     validations:
       required: true
 

.gitea/TODO/dockerfile

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.768.2025.06.17
+### Version Master V8.03.864.2025.07.15
 
 FROM debian:bookworm
 

.gitea/TODO/render-md-to-html.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.768.2025.06.17
+### Version Master V8.03.864.2025.07.15
 
 name: 🔁 Render README.md to README.html.
 

.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.03.768.2025.06.17
+  version: V8.03.864.2025.07.15
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.03.768.2025.06.17
+  version: V8.03.864.2025.07.15
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PUBLIC.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.03.768.2025.06.17
+  version: V8.03.864.2025.07.15
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_dns.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.03.768.2025.06.17
+  version: V8.03.864.2025.07.15
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.768.2025.06.17
+### Version Master V8.03.864.2025.07.15
 
 name: 🔐 Generating a Private Live ISO FLV 0.
 
@@ -386,7 +386,7 @@ jobs:
           CISS.debian.live.builder ISO :
             "${VAR_ISO_FILE_NAME}"
           CISS.debian.live.builder ISO sha512 :
-            "${VAR_ISO_FILE_SHA512}"
+            $(< "${VAR_ISO_FILE_SHA512}")
           CISS.debian.live.builder ISO sha512 sign :
             $(< "${SIGNATURE_FILE}")
 

.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.768.2025.06.17
+### Version Master V8.03.864.2025.07.15
 
 name: 🔐 Generating a Private Live ISO FLV 1.
 
@@ -383,7 +383,7 @@ jobs:
           CISS.debian.live.builder ISO :
             "${VAR_ISO_FILE_NAME}"
           CISS.debian.live.builder ISO sha512 :
-            "${VAR_ISO_FILE_SHA512}"
+            $(< "${VAR_ISO_FILE_SHA512}")
           CISS.debian.live.builder ISO sha512 sign :
             $(< "${SIGNATURE_FILE}")
 

.gitea/workflows/generate_PUBLIC_iso.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.768.2025.06.17
+### Version Master V8.03.864.2025.07.15
 
 name: 💙 Generating a PUBLIC Live ISO.
 
@@ -383,7 +383,7 @@ jobs:
           CISS.debian.live.builder ISO :
             "${VAR_ISO_FILE_NAME}"
           CISS.debian.live.builder ISO sha512 :
-            "${VAR_ISO_FILE_SHA512}"
+            $(< "${VAR_ISO_FILE_SHA512}")
           CISS.debian.live.builder ISO sha512 sign :
             $(< "${SIGNATURE_FILE}")
 

.gitea/workflows/linter_char_scripts.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.768.2025.06.17
+### Version Master V8.03.864.2025.07.15
 
 # Gitea Workflow: Shell-Script Linting
 #

.gitea/workflows/render-dnssec-status.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.768.2025.06.17
+### Version Master V8.03.864.2025.07.15
 
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
 

.gitea/workflows/render-dot-to-png.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.768.2025.06.17
+### Version Master V8.03.864.2025.07.15
 
 name: 🔁 Render Graphviz Diagrams.
 

.version.properties

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.03.768.2025.06.17"
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+properties_version="V8.03.864.2025.07.15"
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

CISS.debian.live.builder.spdx

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.03.768.2025.06.17
+PackageVersion: Master V8.03.864.2025.07.15
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
@@ -20,4 +20,4 @@ License: LicenseRef-CCLA-1.0
 LicenseID: LicenseRef-CCLA-1.0
 LicenseName: Centurion Commercial License Agreement 1.0
 LicenseCrossReference: https://coresecret.eu/imprint/licenses/
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

LINTER_RESULTS.txt

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-06-17T17:03:33Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-07-15T17:55:19Z".
 
 ✅ The last linter check was successful. ✅
 

LIVE_ISO.public

@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-06-17T14:54:34Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-07-15T13:01:05Z".
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_17T14_12_22Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_07_15T12_12_23Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  "ciss-debian-live-2025_06_17T14_12_22Z-amd64.hybrid.iso.sha512"
+  e94f1f698fb6d6a078d3aed785302ffcad25221c92439e84bb505a39d7b4da50674063cc2f7957cca655afdcdb55871ed4990aebbb096f964336af682891aed0
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFGBqgAKCRA85KY4hzOw
-IYthAQDYHWvmctdnn39QGj0cdLgPkqMd3JTtC+goiM2BO6UAoQD/SM4ObHSBQ9ZO
-tQ5Wj5SzmMyMqFB9UIFizaEH0RcBEgk=
-=zTxU
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaHZREQAKCRA85KY4hzOw
+IQE/APsGY1Q8yonOxKTBUxgPPIA7ugHTfub9yWbPLcisC7J+sQEA17e8hmjJSX+O
+NpAtnhF4dfZheybcyfJwsscrNtOieAM=
+=V2i8
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_FLV_0.private

@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-06-17T13:12:03Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-07-15T11:05:11Z".
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_17T12_29_48Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_07_15T10_13_20Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  "ciss-debian-live-2025_06_17T12_29_48Z-amd64.hybrid.iso.sha512"
+  b18d79055f12e6f61a1d0b46f8648f8097da419701f3366ba127b0eff1bb0d9ef4794b1a59b66ad8d48c3e3812a1fbc81f948a66b913b036cf2b740a778a88cd
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFFpowAKCRA85KY4hzOw
-IQmsAQC7nsyQvaiBPjFjze0arnTSyJ0X45OElMH6vwWeOPCYwgEAgoPURpD9KBWX
-TDSR3bhZqdaFTJYAQfguXxDI0wff8Aw=
-=BqaA
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaHY15wAKCRA85KY4hzOw
+Idw3AQDzmYnaCI3OADP+DB+u805S8F+QUmVIcfmUGnM0sDz78gD+I+m+BHte8lzp
+rwudtbEBn9wZvy2KyFWcxlSCn3go2gU=
+=nGnJ
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_FLV_1.private

@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-06-17T14:03:33Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-07-15T12:03:16Z".
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_17T13_20_50Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_07_15T11_14_23Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  "ciss-debian-live-2025_06_17T13_20_50Z-amd64.hybrid.iso.sha512"
+  a022fe082d5d06db05e4c53f09b59ee57f483a3d2a2a143403d93c27a2d454ec8982ccaeb957f654c0879276befc7d9ab2333f407c8089306348c7a10fd39a20
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFF1tQAKCRA85KY4hzOw
-IbsWAP9Zk6J3kFfRVASMGnT4h2Joak31pmX5p3Ron4mRDserMgEArhu1axOkGlyI
-MPD3Zw/YEZeRSRtGLPFPfEEq8zAmIQo=
-=b16D
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaHZDhAAKCRA85KY4hzOw
+IV0hAQCl7xeM8Art2obImFmhUBKDOLcLifegqY/jKY9729EM/wEAzJTRuLts9Jzy
+PXje4fYxZiNOoFv3hz7Xwt5q9rPn/AE=
+=S0vW
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

README.md

@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.768.2025.06.17-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.864.2025.07.15-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
  
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)  
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)  
@@ -11,8 +11,8 @@ include_toc: true
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh)  
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
  
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.23.8-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)  
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.1.1.1-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)  
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.2-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)  
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.1.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)  
 [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/)  
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de)  
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/)  
@@ -26,7 +26,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.17<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -142,13 +142,20 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
 
-Example: `8.03.384.2025.06.03`
+Example: `V8.03.864.2025.07.15`
 
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
 
 Date (YYYY.MM.DD) denotes the build or release date, facilitating clear tracking of incremental changes and ensuring 
 reproducibility and traceability.
 
+## 1.6. Keywords
+
+The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
+"MAY", and "OPTIONAL" in this Repo are to be interpreted as described in [[BCP 14](https://www.rfc-editor.org/info/bcp14)], 
+[[RFC2119](https://datatracker.ietf.org/doc/html/rfc2119)], [[RFC8174](https://datatracker.ietf.org/doc/html/rfc8174)] when,
+and only when, they appear in all capitals, as shown here.
+
 # 2. Features & Rationale
 
 Below is a breakdown of each hardening component, with a summary of why each is critical to your security posture.
@@ -413,12 +420,13 @@ predictable script behavior.
    5. Make any other changes you need to.
 3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):
 
-   ```yaml
+   ````bash
    chmod 0700 ./ciss_live_builder.sh
+   timestamp=$(date -u +%Y-%m-%dT%H:%M:%S%z)
    ./ciss_live_builder.sh --architecture amd64 \
                           --build-directory /opt/livebuild \
                           --change-splash hexagon \
-                          --control 384 \
+                          --control "${timestamp}" \
                           --debug \
                           --dhcp-centurion \
                           --jump-host 10.0.0.128 [c0de:4711:0815:4242::1] [2abc:4711:0815:4242::1]/64 \
@@ -428,7 +436,7 @@ predictable script behavior.
                           --root-password-file /opt/gitea/CISS.debian.live.builder/password.txt \
                           --ssh-port 4242 \
                           --ssh-pubkey /opt/gitea/CISS.debian.live.builder
-   ```
+   ````
 4. Locate your ISO in the `--build-directory`.
 5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel.
 6. Type `sysp` for the final kernel hardening features.

ciss_live_builder.sh

@@ -37,66 +37,89 @@
   . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
 [[ ${BASH_VERSINFO[0]} -le 5 ]] && [[ ${BASH_VERSINFO[1]} -le 1 ]] && {
   . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
+[[ ${#} -eq 0 ]] && {
+  . ./lib/lib_usage.sh; usage; exit 1; }
 
-declare -g VAR_HANDLER_AUTOBUILD="false"
-declare -gr VAR_CONTACT="security@coresecret.eu"
-declare -gr VAR_VERSION="Master V8.03.768.2025.06.17"
-for dir in /usr/local/sbin /usr/sbin; do case ":${PATH}:" in *":${dir}:"*) ;; *) PATH="${PATH}:${dir}" ;; esac; done; export PATH; unset dir
+### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING(), CHECK_GIT()
+. ./var/early.var.sh
+. ./lib/lib_guard_sourcing.sh
+. ./lib/lib_git_var.sh
 
-### VERY EARLY CHECK FOR AUTO-BUILD, CONTACT, USAGE, AND VERSION STRING
-declare arg
-if [[ ${#} -eq 0 ]]; then . ./lib/lib_usage.sh; usage; exit 1; fi
-for arg in "$@"; do case "${arg,,}" in -a=*|--autobuild=*) declare -g VAR_HANDLER_AUTOBUILD=true; declare -g VAR_KERNEL="${arg#*=}";; esac; done
-for arg in "$@"; do case "${arg,,}" in -c|--contact) printf "\e[95mCISS.debian.live.builder Contact: %s\e[0m\n" "${VAR_CONTACT}"; exit 0;; esac; done
-for arg in "$@"; do case "${arg,,}" in -h|--help) . ./lib/lib_usage.sh; usage; exit 0;; esac; done
-for arg in "$@"; do case "${arg,,}" in -v|--version) printf "\e[95mCISS.debian.live.builder Version: %s\e[0m\n" "${VAR_VERSION}"; exit 0;; esac; done
-unset arg
+### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG
+for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh; contact; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh; usage; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh; version; exit 0;; esac; done
 
-### VERY EARLY CHECK FOR XTRACE DEBUGGING
-if [[ $* == *" --debug "* ]]; then
-  . ./lib/lib_debug.sh
-  debugger "${@}"
-else
-  declare -grx VAR_EARLY_DEBUG=false
-fi
+### ALL CHECKS DONE. READY TO START THE SCRIPT
+check_git
+for arg in "$@"; do case "${arg,,}" in -d|--debug)   . ./meta_sources_debug.sh; debugger "${@}";; esac; done
+declare -gx VAR_SETUP="true"
 
-### Advisory Lock
-exec 127>/var/lock/ciss_live_builder.lock || {
+### SOURCING VARIABLES
+[[ "${VAR_SETUP}" == true ]] && {
+  . ./var/bash.var.sh
+  . ./var/color.var.sh
   . ./var/global.var.sh
+}
+
+### SOURCING LIBRARIES
+[[ "${VAR_SETUP}" == true ]] && {
+  . ./lib/lib_arg_parser.sh
+  . ./lib/lib_arg_priority_check.sh
+  . ./lib/lib_boot_screen.sh
+  . ./lib/lib_cdi.sh
+  . ./lib/lib_change_splash.sh
+  . ./lib/lib_check_dhcp.sh
+  . ./lib/lib_check_hooks.sh
+  . ./lib/lib_check_kernel.sh
+  . ./lib/lib_check_pkgs.sh
+  . ./lib/lib_check_provider.sh
+  . ./lib/lib_check_stats.sh
+  . ./lib/lib_check_var.sh
+  . ./lib/lib_clean_screen.sh
+  . ./lib/lib_clean_up.sh
+  . ./lib/lib_copy_integrity.sh
+  . ./lib/lib_hardening_root_pw.sh
+  . ./lib/lib_hardening_ssh.sh
+  . ./lib/lib_hardening_ultra.sh
+  . ./lib/lib_helper_ip.sh
+  . ./lib/lib_lb_build_start.sh
+  . ./lib/lib_lb_config_start.sh
+  . ./lib/lib_lb_config_write.sh
+  . ./lib/lib_provider_netcup.sh
+  . ./lib/lib_run_analysis.sh
+  . ./lib/lib_sanitizer.sh
+  . ./lib/lib_trap_on_err.sh
+  . ./lib/lib_trap_on_exit.sh
+  . ./lib/lib_usage.sh
+}
+
+### ADVISORY LOCK
+exec 127>/var/lock/ciss_live_builder.lock || {
   printf "\e[91m❌ Cannot open lockfile for writing! Bye... \e[0m\n" >&2
   exit "${ERR_FLOCK_WRTG}"
 }
 
 if ! flock -x -n 127; then
-  . ./var/global.var.sh
   printf "\e[91m❌ Another instance is running! Bye...\e[0m\n" >&2
   exit "${ERR_FLOCK_COLL}"
 fi
 
-### Checking required packages
-. ./lib/lib_check_pkgs.sh
+### CHECK FOR AUTOBUILD MODE
+for arg in "$@"; do case "${arg,,}" in -a=*|--autobuild=*) declare -gx VAR_HANDLER_AUTOBUILD="true"; declare -gx VAR_KERNEL="${arg#*=}";; esac; done; unset arg
+for dir in /usr/local/sbin /usr/sbin; do case ":${PATH}:" in *":${dir}:"*) ;; *) PATH="${PATH}:${dir}" ;; esac; done; export PATH; unset dir
+
+### CHECKING REQUIRED PACKAGES
 check_pkgs
 
-### Dialog Output for Initialization
-if ! $VAR_HANDLER_AUTOBUILD; then . ./lib/lib_boot_screen.sh && boot_screen; fi
+### DIALOG OUTPUT FOR INITIALIZATION
+if ! $VAR_HANDLER_AUTOBUILD; then boot_screen; fi
 
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nUpdating variables ... \nXXX\n05\n" >&3; fi
-. ./var/global.var.sh
-. ./var/colors.var.sh
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi
 
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nEnabling Bash Error Handling ... \nXXX\n15\n" >&3; fi
-### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin
-set -o errexit   # Exit script when a command exits with non-zero status, the same as "set -e".
-set -o errtrace  # Any traps on ERR are inherited in a subshell environment, the same as "set -E".
-set -o functrace # Any traps on DEBUG and RETURN are inherited in a subshell environment, the same as "set -T".
-set -o nounset   # Exit script on use of an undefined variable, the same as "set -u".
-set -o pipefail  # Makes pipelines return the exit status of the last command in the pipe that failed.
-set -o noclobber # Prevent overwriting, the same as "set -C".
-
-### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nAdditional initialization ... \nXXX\n25\n" >&3; fi
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nAdditional initialization ... \nXXX\n30\n" >&3; fi
 ### Initialization
 declare -gr ARGUMENTS_COUNT="$#"
 declare -gr ARG_STR_ORG_INPUT="$*"
@@ -109,42 +132,13 @@ declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
 declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
 
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSourcing Libraries ... \nXXX\n50\n" >&3; fi
-. ./lib/lib_arg_parser.sh
-. ./lib/lib_arg_priority_check.sh
-. ./lib/lib_cdi.sh
-. ./lib/lib_change_splash.sh
-. ./lib/lib_check_dhcp.sh
-. ./lib/lib_check_hooks.sh
-. ./lib/lib_check_kernel.sh
-. ./lib/lib_check_provider.sh
-. ./lib/lib_check_stats.sh
-. ./lib/lib_check_var.sh
-. ./lib/lib_clean_screen.sh
-. ./lib/lib_clean_up.sh
-. ./lib/lib_copy_integrity.sh
-. ./lib/lib_hardening_root_pw.sh
-. ./lib/lib_hardening_ssh.sh
-. ./lib/lib_hardening_ultra.sh
-. ./lib/lib_helper_ip.sh
-. ./lib/lib_lb_build_start.sh
-. ./lib/lib_lb_config_start.sh
-. ./lib/lib_lb_config_write.sh
-. ./lib/lib_provider_netcup.sh
-. ./lib/lib_run_analysis.sh
-. ./lib/lib_sanitizer.sh
-. ./lib/lib_trap_on_err.sh
-. ./lib/lib_trap_on_exit.sh
-. ./lib/lib_usage.sh
-
-### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nActivate traps ... \nXXX\n55\n" >&3; fi
-### Following the CISS Bash naming and ordering scheme
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
+### Following the CISS Bash naming and ordering scheme:
 trap 'trap_on_exit "$?"' EXIT
 trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
 
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSanitizing Arguments ... \nXXX\n70\n" >&3; fi
+if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
 arg_check "$@"
 declare -ar ARY_ARG_SANITIZED=("$@")
 declare -gr VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
@@ -160,6 +154,7 @@ clean_ip
 ### Updating Status of Dialog Gauge Bar
 if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi
 
+### Turn off Dialog Wrapper
 if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
 
 ### MAIN Program

config/includes.chroot/etc/ssh/sshd_config

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.768.2025.06.17
+### Version Master V8.03.864.2025.07.15
 
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig

config/includes.chroot/etc/sysctl.d/99_local.hardened

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.768.2025.06.17
+### Version Master V8.03.864.2025.07.15
 
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/

config/includes.chroot/preseed/.iso/preseed_hash_generator.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-declare -gr VERSION="Master V8.03.768.2025.06.17"
+declare -gr VERSION="Master V8.03.864.2025.07.15"
 
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then

config/includes.chroot/preseed/preseed.cfg

@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.03.768.2025.06.17 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.03.864.2025.07.15 at: 10:18:37.9542

config/includes.chroot/root/.ciss/alias

@@ -149,13 +149,16 @@ genpasswdhash() {
   mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608
 }
 
-###########################################################################################
-# Globals: Wrapper for secure curl
+#######################################
+# Wrapper for secure curl
 # Arguments:
 #  $1: URL from which to download a specific file
 #  $2: /path/to/file to be saved to
-###########################################################################################
-# shellcheck disable=SC2317
+# Returns:
+#   0: Download successful
+#   1: Usage error
+#   2: Download failure
+#######################################
 scurl() {
   if [[ $# -ne 2 ]]; then
     printf "\e[91m❌ Error: Usage: scurl <URL> <path/to/file>.\e[0m\n" >&2
@@ -176,13 +179,16 @@ scurl() {
   return 0
 }
 
-###########################################################################################
-# Globals: Wrapper for secure wget
+#######################################
+# Wrapper for secure wget
 # Arguments:
 #  $1: URL from which to download a specific file
 #  $2: /path/to/file to be saved to
-###########################################################################################
-# shellcheck disable=SC2317
+# Returns:
+#   0: Download successful
+#   1: Usage error
+#   2: Download failure
+#######################################
 swget() {
   if [[ $# -ne 2 ]]; then
     printf "\e[91m❌ Error: Usage: swget <URL> <path/to/file>.\e[0m\n" >&2
@@ -204,26 +210,24 @@ swget() {
   return 0
 }
 
-###########################################################################################
-# Globals: Wrapper for loading CISS.2025 hardened Kernel Parameters
+#######################################
+# Wrapper for loading CISS.2025 hardened Kernel Parameters
 # Arguments:
-#  none
-###########################################################################################
-# shellcheck disable=SC2317
+#  None
+#######################################
 sysp() {
   sysctl -p /etc/sysctl.d/99_local.hardened
   # sleep 1
   sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
 }
 
-###########################################################################################
-# Globals: Wrapper for tree
+#######################################
+# Wrapper for tree
 # Arguments:
 #  $1: Depth of Directory Listing
-###########################################################################################
-# shellcheck disable=SC2317
+#######################################
 trel() {
-    declare depth=${1:-3}
-    tree -C -h --dirsfirst -L "${depth}"
+  declare depth=${1:-3}
+  tree -C -h --dirsfirst -L "${depth}"
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/package-lists/live.list.common.chroot

@@ -21,10 +21,12 @@ bc
 bind9-dnsutils
 bsdmainutils
 btrfs-progs
+bzip2
 ca-certificates
 clamav
 clamav-daemon
 console-setup
+cpuid
 cryptsetup
 cryptsetup-nuke-password
 curl
@@ -42,10 +44,13 @@ dirmngr
 dmsetup
 dnsviz
 dosfstools
+e2fsprogs
 efibootmgr
 expect
 fail2ban
+fdisk
 figlet
+fio
 fzf
 gawk
 gdisk
@@ -79,6 +84,7 @@ man
 man-db
 manpages
 manpages-dev
+mdadm
 mtr
 nano
 ncat
@@ -107,14 +113,17 @@ speedtest-cli
 squashfs-tools
 ssh
 ssl-cert
+stress
 sudo
 sysstat
 systemd-sysv
+tar
 tree
 tshark
 ufw
 unattended-upgrades
 unzip
+util-linux
 virt-what
 wamerican
 wbritish
@@ -122,6 +131,9 @@ wfrench
 wget
 whois
 wngerman
+xfsprogs
+xz-utils
+yq
 zip
 zsh
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

docs/AUDIT_DNSSEC.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.17<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. DNSSEC Status
 

docs/AUDIT_HAVEGED.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.17<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. Haveged Audit on Netcup RS 2000 G11
 

docs/AUDIT_LYNIS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.17<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. Lynis Audit:
 

docs/AUDIT_SSH.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.17<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. SSH Audit by ssh-audit.com
 

docs/AUDIT_TLS.md

@@ -8,14 +8,14 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.17<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. TLS Audit:
 
 ````text
 #####################################################################
-  testssl.sh version 3.2rc4 from https://testssl.sh/dev/
-  (6746fa5 2025-04-18 13:17:50)
+  testssl.sh version 3.2.1 from https://testssl.sh/
+  (81471c3 2025-06-15 09:48:31)
 
   This program is free software. Distribution and modification under
   GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
@@ -26,7 +26,7 @@ include_toc: true
   Using OpenSSL 1.0.2-bad (Mar 28 2025)  [~179 ciphers]
   on kali:./bin/openssl.Linux.x86_64
 
- Start 2025-06-02 18:04:19        -->> 152.53.110.40:443 (coresecret.dev) <<--
+ Start 2025-06-23 17:58:48        -->> 152.53.110.40:443 (git.coresecret.dev) <<--
 
  Further IP addresses:   2a0a:4cc0:80:330f:152:53:110:40
  rDNS (152.53.110.40):   git.coresecret.dev.
@@ -193,17 +193,21 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
                               SHA256 76B6FFCE607D8514F676C286C7C76B90F5B7AE7D041631F2EF2F0079AF8D24AC
  Common Name (CN)             coresecret.dev
  subjectAltName (SAN)         coresecret.dev git.coresecret.dev lab.coresecret.dev run.coresecret.dev www.coresecret.dev
- Trust (hostname)             Ok via SAN and CN (same w/o SNI)
+ Trust (hostname)             Ok via SAN (same w/o SNI)
  Chain of trust               Ok
  EV cert (experimental)       no
- Certificate Validity (UTC)   174 >= 60 days (2025-05-28 09:56 --> 2025-11-23 22:59)
+ Certificate Validity (UTC)   153 >= 60 days (2025-05-28 09:56 --> 2025-11-23 22:59)
  ETS/"eTLS", visibility info  not present
  In pwnedkeys.com DB          not in database
  Certificate Revocation List  http://crl.buypass.no/crl/BPClass2CA5.crl, not revoked
  OCSP URI                     http://ocsp.buypass.com, not revoked
  OCSP stapling                offered, not revoked
  OCSP must staple extension   --
- DNS CAA RR (experimental)    not offered
+ DNS CAA RR (experimental)    available - please check for match with "Issuer" below
+                              communications=error, iodef=mailto:dns@coresecret.eu, issue=;, issue=buypass.no, issue=certum.pl,
+                              issue=letsencrypt.org;, issue=quantumsign.eu;, issue=sectigo.com, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
+                              issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
+                              issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuemail=buypass.no, issuemail=certum.pl, issuewild=;
  Certificate Transparency     yes (certificate extension)
  Certificates provided        2
  Issuer                       Buypass Class 2 CA 5 (Buypass AS-983163327 from NO)
@@ -213,23 +217,27 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
 
  Testing HTTP header response @ "/"
 
- HTTP Status Code             301 Moved Permanently, redirecting to "https://git.coresecret.dev"
+ HTTP Status Code             200 OK
  HTTP clock skew              0 sec from localtime
  Strict Transport Security    730 days=63072000 s, includeSubDomains, preload
  Public Key Pinning           --
  Server banner                nginx
  Application banner           --
- Cookie(s)                    (none issued at "/") -- maybe better try target URL of 30x
+ Cookie(s)                    2 issued: 2/2 secure, 2/2 HttpOnly
  Security headers             X-Frame-Options: SAMEORIGIN
                               X-Content-Type-Options: nosniff
+                              Content-Security-Policy: default-src 'none'; connect-src 'self'; font-src 'self' data:; form-action 'self';
+                                frame-src 'self'; frame-ancestors 'self'; img-src 'self' data: https://badges.coresecret.dev
+                                https://uml.coresecret.dev; manifest-src 'self'; media-src 'self' data: https://badges.coresecret.dev
+                                https://uml.coresecret.dev; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'none';
                               Expect-CT: max-age=86400, enforce
                               Permissions-Policy: interest-cohort=()
-                              Cross-Origin-Opener-Policy: same-origin
-                              Cross-Origin-Resource-Policy: same-origin
-                              Cross-Origin-Embedder-Policy: require-corp
+                              Cross-Origin-Opener-Policy: cross-origin
+                              Cross-Origin-Resource-Policy: cross-origin
+                              Cross-Origin-Embedder-Policy: unsafe-none
                               X-XSS-Protection: 1; mode=block
                               Permissions-Policy: interest-cohort=()
-                              Referrer-Policy: same-origin
+                              Referrer-Policy: no-referrer
                               Cache-Control: no-cache
  Reverse Proxy banner         --
 
@@ -268,6 +276,7 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
  Android 10.0 (native)        TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
  Android 11/12 (native)       TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
  Android 13/14 (native)       TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
+ Android 15 (native)          TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
  Chrome 101 (Win 10)          TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
  Chromium 137 (Win 11)        TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
  Firefox 100 (Win 10)         TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
@@ -308,7 +317,7 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
  Final Score                  100
  Overall Grade                A+
 
- Done 2025-06-02 18:05:51 [  95s] -->> 152.53.110.40:443 (coresecret.dev) <<--
+ Done 2025-06-23 18:00:16 [  99s] -->> 152.53.110.40:443 (git.coresecret.dev) <<--
 ````
 
 ---

docs/BOOTPARAMS.md

@@ -0,0 +1,56 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.live.builder
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
+**Master Version**: 8.03<br>
+**Build**: V8.03.864.2025.07.15<br>
+
+# 2. Hardened Kernel Boot Parameters
+
+Below is a curated set of kernel boot parameters optimized for CISS Debian Installer. These parameters enhance security posture,
+restrict legacy interfaces, enforce memory initialization, and disable speculative side channels. Each parameter is documented 
+with a short rationale.
+
+* ``audit=1``: Enable kernel auditing subsystem.
+* ``audit_backlog_limit=8192``: Set audit event buffer depth.
+* ``cfi=kcfi``: Enable Clang's Control Flow Integrity (if supported by kernel).
+* ``debugfs=off``: Disable debugfs mount, prevents access to kernel internals.
+* ``efi=disable_early_pci_dma``: Prevent early PCI DMA via EFI.
+* ``hardened_usercopy=1``: Harden copy_*_user() functions, mitigate heap/memcpy bugs.
+* ``ia32_emulation=0``: Disable 32-bit x86 binary support on 64-bit kernel.
+* ``init_on_alloc=1``: Zero-initialize heap memory on allocation.
+* ``init_on_free=1``: Zero memory on free to prevent reuse data leaks.
+* ``iommu=force``: Enforce use of IOMMU.
+* ``iommu.strict=1``: Enable strict IOMMU mode (always remap).
+* ``iommu.passthrough=0``: Prevent IOMMU passthrough (forces remapping).
+* ``kfence.sample_interval=100``: Enable low-overhead heap-fence sampling.
+* ``kvm.nx_huge_pages=force``: Enforce NX-bit for KVM hugepages to prevent code execution.
+* ``l1d_flush=on``: Flush L1D cache on VM-entry to mitigate cache side-channels.
+* ``lockdown=confidentiality``: Enable kernel lockdown in confidentiality mode.
+* ``loglevel=0``: Silence all kernel messages (only EMERG shown).
+* ``mitigations=auto,nosmt``: Enable all available speculative mitigations, disable SMT.
+* ``mmio_stale_data=full,force,nosmt``: Mitigate MMIO stale data side channel fully.
+* ``nosmt=force``: Force disable Simultaneous Multithreading (SMT/HT).
+* ``oops=panic``: Trigger kernel panic on oops, ensures halt on fault.
+* ``page_alloc.shuffle=1``: Randomize page allocator freelist order.
+* ``page_poison=1``: Fill freed pages with poison patterns to detect UAF.
+* ``panic=-1``: Prevent automatic reboot after panic.
+* ``pti=on``: Enable Page Table Isolation (Meltdown mitigation).
+* ``random.trust_bootloader=off``: Do not trust RNG state from bootloader.
+* ``random.trust_cpu=off``: Do not trust CPU's RDRAND or RDSEED.
+* ``randomize_kstack_offset=on``: Enable randomized kernel stack offset per syscall.
+* ``randomize_va_space=2``: Enable full ASLR for mmap and heap.
+* ``retbleed=auto,nosmt``: Mitigate Retbleed exploit path via branch prediction.
+* ``rodata=on``: Enforce read-only sections for .rodata.
+* ``slab_nomerge``: Disable merging of similar slab caches.
+* ``vdso32=0``: Disable 32-bit vdso mapping (x86 compatibility).
+* ``vsyscall=none``: Disable vsyscall legacy mapping.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

docs/CHANGELOG.md

@@ -8,10 +8,55 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.17<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. Changelog
 
+## V8.03.864.2025.07.15
+
+* Updated: [0010_dhcp_supersede.sh](../scripts/0010_dhcp_supersede.sh)
+* Added: [BOOTPARAMS.md](BOOTPARAMS.md)
+* Added: Package ``cpuid``: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
+
+## V8.03.832.2025.06.25
+
+* Added: [lib_version.sh](../lib/lib_version.sh)
+* Updated:
+  * [lib_contact.sh](../lib/lib_contact.sh)
+  * [lib_usage.sh](../lib/lib_usage.sh)
+* Packages added:
+  * https://packages.debian.org/bookworm/fio
+  * https://packages.debian.org/bookworm/stress 
+* Timezone changed to ``Etc/UTC``
+
+## V8.03.832.2025.06.24
+
+* Updated:
+  * [lib_check_provider.sh](../lib/lib_check_provider.sh)
+  * [lib_debug_header.sh](../lib/lib_debug_header.sh)
+  * [lib_trap_on_err.sh](../lib/lib_trap_on_err.sh)
+* The Debian package ``bat`` will be installed to enable smooth log reading.
+
+## V8.03.768.2025.06.23
+
+* Updated [lib_clean_up.sh](../lib/lib_clean_up.sh): Removal of Lock FD and Artifacts.
+* Rearranged VARs sourcing: [early.var.sh](../var/early.var.sh)
+* Rearranged DEBUG XTRACE sourcing: [meta_sources_debug.sh](../meta_sources_debug.sh)
+* Added Git Repo specific VARs: [lib_debug_var_git.sh](../lib/lib_git_var.sh)
+* Added ``guard_sourcing()``: [lib_guard_sourcing.sh](../lib/lib_guard_sourcing.sh)
+  * to prevent the caller LIB-file from being sourced twice.
+
+## V8.03.768.2025.06.19
+
+* Minor main script improvements.
+* Updated [lib_usage.sh](../lib/lib_usage.sh) output.
+
+## V8.03.768.2025.06.18
+
+* Minor main script improvements.
+* Updated contact section.
+* Integrated third ``dns03.eddns.eu`` Centurion DNS Resolver.
+
 ## V8.03.768.2025.06.17
 
 * Updated LIVE ISO workflows to use Kernel: ``linux-image-6.12.30+bpo-amd64``

docs/CNET.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.17<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. Centurion Net - Developer Branch Overview
 

docs/CODING_CONVENTION.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.17<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. Coding Style
 

docs/CONTRIBUTING.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.17<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. Contributing / participating
 

docs/CREDITS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.17<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. Credits
 

docs/DL_PUB_ISO.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.17<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
 

docs/DOCUMENTATION.md

@@ -8,29 +8,26 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.17<br>
+**Build**: V8.03.864.2025.07.15<br>
 
-# 2. Usage
+# 2.1. Usage
 ````text
 CISS.debian.live.builder
-Master V8.03.768.2025.06.17
+Master V8.03.864.2025.07.15
+A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 
 (c) Marc S. Weidner, 2018 - 2025
 (p) Centurion Press, 2024 - 2025
 
-https://coresecret.eu/
-
-A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
-
 "./ciss_live_builder.sh <option>", where <option> is one or more of:
 
   --help, -h
     What you're looking at.
-    
+
   --autobuild=*, -a=*
     Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel
     selector dialog. Change '*' to your desired Linux kernel and trim the
-    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.22+bpo-amd64'.
+    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'.
 
   --architecture <STRING> one of <amd64 | arm64>
     A string reflecting the architecture of the Live System.
@@ -58,19 +55,20 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
 
   --debug
     Enables debug logging for the main program routine. Detailed logging
-    information are written to "/tmp/ciss_live_builder_3764286.log"
+    information are written to "/tmp/ciss_live_builder_1136873.log"
 
   --dhcp-centurion
     If a DHCP lease is provided, the provider's nameserver will be overridden,
     and only the hardened, privacy-focused Centurion DNS servers will be used:
-    - https://dns01.eddns.eu/
-    - https://dns02.eddns.de/
+      - https://dns01.eddns.eu/
+      - https://dns02.eddns.de/
+      - https://dns03.eddns.eu/
 
   --jump-host <IP | IP | ... >
     Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
     Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
     If provided, than it MUST be a <SPACE> separated list.
-    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd/64].
+    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64.
 
   --log-statistics-only
     Provides statistic only after successful building a
@@ -78,25 +76,27 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
     the argument "--build-directory" MUST be provided while
     all further options MUST be omitted.
 
-  --provider-netcup-ipv6 
+  --provider-netcup-ipv6
     Activates IPv6 support for Netcup Root Server. One unique
-    IPv6 address MUST be provided in this case.
+    IPv6 address MUST be provided in this case and MUST be encapsulated
+    with [], e.g., [1234::abcd].
 
   --renice-priority <PRIORITY>
     Reset the nice priority value of the script and all its children
-    to the desired PRIORITY. MUST be an integer (between "-19" and 19).
+    to the desired <PRIORITY>. MUST be an integer (between "-19" and 19).
     Negative (higher) values MUST be enclosed in double quotes '"'.
 
   --reionice-priority <CLASS> <PRIORITY>
     Reset the ionice priority value of the script and all its children
-    to the desired CLASS. MUST be an integer:
-    1: realtime
-    2: best-effort
-    3: idle
-    defaults to "2".
-    PRIORITY MUST be an integer:
-    between 0 (highest) and 7 (lowest) priority.
-    defaults to "4".
+    to the desired <CLASS>. MUST be an integer:
+      1: realtime
+      2: best-effort
+      3: idle
+    Defaults to '2'.
+    Whereas <PRIORITY> MUST be an integer as well between:
+      0: highest priority and
+      7: lowest priority.
+    Defaults to '4'.
     A real-time I/O process can significantly slow down other processes
     or even cause them to starve if it continuously requests I/O.
 
@@ -107,9 +107,9 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
     the local console. The root password is hashed with an 16 Byte '/dev/random'
     generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
     after Hash generation all Variables containing plain password fragments are
-    deleted. Password file SHOULD be 0400 and root:root and is deleted without
+    deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without
     further prompt after password hash has been successfully generated via:
-    shred -vfzu 5 -f.
+    'shred -vfzu 5 -f'.
     No tracing of any plain text password fragment in any debug log.
 
   --ssh-port <INTEGER>
@@ -123,14 +123,30 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
   --version, -v
     Displays version of ./ciss_live_builder.sh.
 
-NOTES:
-  - You MUST be root to run this script.
+💡 Notes:
+🔵 You MUST be 'root' to run this script.
 
-Contact:
-  - https://coresecret.eu/
-  - security@coresecret.eu
-    - PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD
-      - https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD
+💷 Please consider donating to my work at:
+🌐 https://coresecret.eu/spenden/
+````
+
+# 2.2. Contact
+````text
+CISS.debian.live.builder
+Master V8.03.864.2025.07.15
+A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
+
+(c) Marc S. Weidner, 2018 - 2025
+(p) Centurion Press, 2024 - 2025
+
+💬 Contact:
+🌐 https://coresecret.eu/
+📧 security@coresecret.eu
+🔑 PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD
+🔗 https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD
+
+💷 Please consider donating to my work at:
+🌐 https://coresecret.eu/spenden/
 ````
 
 # 3. Booting

docs/LICENSES/CCLA-1.0.html

@@ -1,53 +0,0 @@
-<h1 id="spdx-license-identifier-licenseref-ccla-10">SPDX-License-Identifier: LicenseRef-CCLA-1.0</h1>
-<h1 id="centurion-commercial-license-agreement-10">Centurion Commercial License Agreement 1.0</h1>
-<h2 id="1-general-terms"><strong>1. General Terms</strong></h2>
-<p>1.1. This Subscription License Agreement ("Agreement") governs the commercial use of the Software ("Software").</p>
-<p>1.2. Private and open-source usage of the Software remains governed by the EUPL-1.2 license.</p>
-<p>1.3. By purchasing and using the Software under this Agreement, you ("Licensee") agree to the terms outlined below.</p>
-<p>1.4. Only the English version of this Agreement shall be legally binding. Translations are provided for convenience only.</p>
-<h2 id="2-grant-of-license"><strong>2. Grant of License</strong></h2>
-<p>2.1. Subject-to-payment of applicable subscription fees, Licensor grants Licensee a</p>
-<ul>
-<li>non-exclusive,</li>
-<li>non-transferable,</li>
-<li>time-limited,</li>
-</ul>
-<p>right to use the Software for commercial purposes.</p>
-<p>2.2. This license is valid only for the duration of the subscription period and under the scope defined in this Agreement.</p>
-<h2 id="3-subscription-fees-and-payment"><strong>3. Subscription Fees and Payment</strong></h2>
-<p>3.1. Licensee agrees to pay the subscription fees as specified in the pricing agreement. These fees are non-refundable.</p>
-<p>3.2. Licensor reserves the right to modify subscription fees upon 30 days' written notice.</p>
-<h2 id="4-restrictions"><strong>4. Restrictions</strong></h2>
-<p>4.1. Licensee shall not:</p>
-<ul>
-<li>Distribute, sublicense, or resell the Software.</li>
-<li>Reverse engineer, decompile, or modify the Software, except as permitted by mandatory law.</li>
-</ul>
-<p>4.2. The Software may not be used for illegal or unethical purposes.</p>
-<h2 id="5-support-and-updates"><strong>5. Support and Updates</strong></h2>
-<p>5.1. Licensor will provide updates and support for the Software during the subscription period, as detailed in the accompanying support agreement.</p>
-<p>5.2. Support services may include bug fixes, patches, and minor updates. Major updates may incur additional fees.</p>
-<h2 id="6-termination"><strong>6. Termination</strong></h2>
-<p>6.1. This Agreement is valid for the subscription term unless terminated earlier:</p>
-<ul>
-<li>By Licensee, with a 30-day written notice.</li>
-<li>By Licensor, in the event of Licensees breach of this Agreement.</li>
-</ul>
-<p>6.2. Upon termination, Licensee must cease all uses of the Software and delete all copies.</p>
-<h2 id="7-liability-and-warranty"><strong>7. Liability and Warranty</strong></h2>
-<p>7.1. The Software is provided "as is" without warranties of any kind, except as required by law.</p>
-<p>7.2. Licensors' liability is limited to the number of subscription fees paid by Licensee in the preceding 12 months.</p>
-<h2 id="8-governing-law"><strong>8. Governing Law</strong></h2>
-<p>8.1. This Agreement shall be governed by the laws of Portugal.</p>
-<p>8.2. Disputes arising under this Agreement shall be subject to the exclusive jurisdiction of the courts of Portugal.</p>
-<h2 id="9-miscellaneous"><strong>9. Miscellaneous</strong></h2>
-<p>9.1. Any changes to this Agreement must be in writing and signed by both parties.</p>
-<p>9.2. If any provision of this Agreement is found invalid, the remaining provisions shall remain enforceable.</p>
-<h2 id="10-contact-information">10. <strong>Contact Information</strong></h2>
-<ul>
-<li>Licensor : Centurion Intelligence Consulting Agency</li>
-<li>Email : <a href="mailto:legal@coresecret.eu">legal@coresecret.eu</a></li>
-</ul>
-<hr />
-<p>This Subscription License Agreement was last updated at 09.05.2025.</p>
-

docs/REFERENCES.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.768.2025.06.17<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. Resources
 

lib/lib_arg_parser.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Argument Parser
 # Globals:
@@ -100,7 +102,7 @@ arg_parser() {
             printf "\e[91m❌ Error: --architecture MUST be 'amd64' or 'arm64'.\e[0m\n" >&2
             # shellcheck disable=SC2162
             read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
-            exit "${ERR_UNCRITICAL}"
+            exit "${ERR_ARG_MSMTCH}"
           fi
           ;;
 

lib/lib_arg_priority_check.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Check and setup Script Priorities
 # Globals:

lib/lib_boot_screen.sh

@@ -10,8 +10,10 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
-# Change Grub Boot Screen Splash
+# Set up a gauge Dialog Wrapper.
 # Globals:
 #   PID_BOOT_SCREEN
 #   PIPE_BOOT_SCREEN

lib/lib_cdi.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # CISS.2025.debian.installer GRUB and Autostart Generator
 # Globals:

lib/lib_change_splash.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Change Grub Boot Screen Splash
 # Globals:

lib/lib_check_dhcp.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Check if hardened Centurion DNS servers are desired.
 # Globals:

lib/lib_check_hooks.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Check and apply 0755 Permissions on every ./config/hooks/live/*.chroot file
 # Globals:

lib/lib_check_kernel.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Kernel Image Selector
 # Globals:
@@ -52,7 +54,7 @@ check_kernel() {
     done < "${VAR_KERNEL_SRT}"
 
   # shellcheck disable=SC2155
-  if declare -g VAR_KERNEL=$(dialog \
+  if declare -gx VAR_KERNEL=$(dialog \
                           --no-collapse \
                           --ascii-lines \
                           --clear \
@@ -63,9 +65,9 @@ check_kernel() {
   else
     clear
     if [[ "${VAR_ARCHITECTURE}" == "amd64" ]]; then
-      declare -gr VAR_KERNEL="amd64"
+      declare -gx VAR_KERNEL="amd64"
     elif [[ "${VAR_ARCHITECTURE}" == "arm64" ]]; then
-      declare -gr VAR_KERNEL="arm64"
+      declare -gx VAR_KERNEL="arm64"
     fi
   fi
 }

lib/lib_check_pkgs.sh

@@ -10,40 +10,46 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Check for required Deb Packages to run the script.
 # Arguments:
 #  None
 #######################################
 check_pkgs() {
-  apt-get update -y
+  apt-get update -y > /dev/null 2>&1
+
+  if [[ -z "$(command -v batcat || true)" ]]; then
+    apt-get install -y --no-install-recommends bat
+  fi
+
   if [[ -z "$(command -v lsb_release || true)" ]]; then
-    apt-get install --no-install-recommends lsb-release -y
+    apt-get install -y --no-install-recommends lsb-release
   fi
 
   if [[ -z "$(command -v debootstrap || true)" ]]; then
     if grep -RqsE '^[[:space:]]*deb .*backports' /etc/apt/sources.list /etc/apt/sources.list.d; then
       # shellcheck disable=SC2155
       declare codename=$(lsb_release -sc)
-      apt-get -t "${codename}-backports" install debootstrap -y
+      apt-get install -y -t "${codename}-backports" debootstrap
     else
-      apt-get install debootstrap -y
+      apt-get install -y debootstrap
     fi
   fi
 
   if [[ ! -f /usr/share/live/build/VERSION ]]; then
-    apt-get install live-build -y
+    apt-get install -y live-build
   fi
 
-  if [[ -z "$(command -v dialog || true)" ]]; then
-    if ! $VAR_HANDLER_AUTOBUILD; then
-      apt-get install --no-install-recommends dialog -y;
+  if [[ "${VAR_HANDLER_AUTOBUILD}" == false ]]; then
+    if [[ -z "$(command -v dialog || true)" ]]; then
+      apt-get install -y --no-install-recommends dialog
     fi
   fi
 
   if [[ -z "$(command -v mkpasswd || true)" ]]; then
-    apt-get update -y
-    apt-get install --no-install-recommends whois -y
+    apt-get install -y --no-install-recommends whois
   fi
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_check_provider.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Notes Textbox
 # Arguments:
@@ -17,8 +19,9 @@
 #######################################
 check_provider() {
   clear
-  cat << 'EOF' >| "${VAR_NOTES}"
-Build: Master V8.03.768.2025.06.17
+  cat << EOF >| "${VAR_NOTES}"
+Build  : ${VAR_VERSION}
+Commit : ${VAR_GIT_REL}
 
 Press 'EXIT' to continue with CISS.debian.live.builder.
 

lib/lib_check_stats.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Check if analysis run is desired only.
 # Globals:

lib/lib_check_var.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Unbound Variable Check and call Trap on ERR
 # Globals:

lib/lib_clean_screen.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Terminal cleaner before Trap on Error
 # Arguments:

lib/lib_clean_up.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Clean Up Wrapper on Trap on 'ERR' and 'EXIT'.
 # Globals:
@@ -26,6 +28,11 @@ clean_up() {
   rm -f -- "${VAR_KERNEL_INF}"
   rm -f -- "${VAR_KERNEL_SRT}"
   rm -f -- "${VAR_KERNEL_TMP}"
+  # Release advisory lock on FD 127.
+  flock -u 127
+  # Close file descriptor 127.
+  exec 127>&-
+  # Remove the lockfile artifact.
   rm -f /run/lock/ciss_live_builder.lock
   if (( clean_exit_code == 0 )); then rm -f -- "${LOG_ERROR}"; fi
   if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then

lib/lib_contact.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Contact Wrapper CISS.debian.live.builder
+# Globals:
+#   none
+# Arguments:
+#   none
+#######################################
+contact() {
+  clear
+  cat << EOF
+$(echo -e "\e[97m################################################################################ \e[0m")
+$(echo -e "\e[92m  CISS.debian.live.builder from https://git.coresecret.dev/msw                   \e[0m")
+$(echo -e "\e[92m  A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.     \e[0m")
+
+$(echo -e "\e[97m  (c) Marc S. Weidner, 2018 - 2025 \e[0m")
+$(echo -e "\e[97m  (p) Centurion Press, 2024 - 2025 \e[0m")
+
+$(echo -e "\e[95m  💬 Contact:               \e[0m")
+$(echo -e "\e[95m  🌐 https://coresecret.eu/ \e[0m")
+$(echo -e "\e[95m  📧 security@coresecret.eu \e[0m")
+$(echo -e "\e[95m  🔑 PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD \e[0m")
+$(echo -e "\e[95m  🔗 https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD \e[0m")
+
+$(echo -e "\e[95m  💷 Please consider donating to my work at: \e[0m")
+$(echo -e "\e[95m  🌐 https://coresecret.eu/spenden/          \e[0m")
+$(echo -e "\e[97m################################################################################ \e[0m")
+
+EOF
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_copy_integrity.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Copy Initial ISO aide Database into Host System
 # Globals:

lib/lib_debug.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Debugger Wrapper for xtrace to Debug Log
 # Globals:
@@ -34,22 +36,18 @@ debugger() {
       declare -p "${var}" 2>/dev/null
     done < <(compgen -v | grep -Ev '^(BASH|_).*')
   } | sort >| "${VAR_DUMP_VARS_INITIAL}"
-  declare -grx VAR_EARLY_DEBUG=true
+  declare -gx VAR_EARLY_DEBUG="true"
   ### Set a verbose PS4 prompt including timestamp, source, line, exit status, and function name
-  declare -grx PS4='\e[97m+\e[0m\e[96m$(date +%T.%4N)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m${?}\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m '
+  declare -grx PS4='\e[97m+\e[0m\e[96m$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)\e[0m\e[97m:\e[0m\e[92m[${BASH_SOURCE[0]}:${LINENO}]\e[0m\e[97m|\e[0m\e[93m${?}\e[0m\e[97m>\e[0m\e[95m${FUNCNAME[0]:-main}()\e[0m \e[97m>>\e[0m '
   # shellcheck disable=SC2155
   declare -grx LOG_DEBUG="/tmp/ciss_live_builder_$$_debug.log"
-  ### Generates empty LOG_DEBUG
+  declare -grx LOG_VAR="/tmp/ciss_live_builder_$$_var.log"
+  ### Generates empty LOG_DEBUG and LOG_VAR
   touch "${LOG_DEBUG}" && chmod 0600 "${LOG_DEBUG}"
+  touch "${LOG_VAR}" && chmod 0600 "${LOG_VAR}"
   ### Open file descriptor 42 for writing to the debug log
   exec 42>| "${LOG_DEBUG}"
   ### Write Debug Log Header https://www.gnu.org/software/bash/manual/html_node/Bash-Variables
-    ### Determine the directory of this script, even if sourced.
-    # shellcheck disable=SC2155
-    declare script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-    ### Source the header from the same directory. This ensures we always load lib/lib_debug_header.sh correctly.
-    . "${script_dir}/lib_debug_header.sh"
-  # shellcheck disable=SC2119
   debug_header "$#" "$*"
   ### Tell Bash to send xtrace output to FD 42
   export BASH_XTRACEFD=42

lib/lib_debug_header.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Generates Debug Log Header
 # Globals:
@@ -31,26 +33,29 @@ debug_header() {
   declare -r arg_counter="$1"
   declare -r arg_string="$2"
   {
-    printf "\e[97m+\e[0m\e[92m%s: CISS.debian.live.builder Debug Log \e[0m\n" "$(date +%T.%4N)"
-    printf "\e[97m+\e[0m\e[92m%s: Version                   : %s \e[0m\n" "$(date +%T.%4N)" "${VAR_VERSION}"
-    printf "\e[97m+\e[0m\e[92m%s: Epoch                     : %s \e[0m\n" "$(date +%T.%4N)" "${EPOCHREALTIME}"
-    printf "\e[97m+\e[0m\e[92m%s: Bash MAJ Release          : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[0]}"
-    printf "\e[97m+\e[0m\e[92m%s: Bash MIN Version          : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[1]}"
-    printf "\e[97m+\e[0m\e[92m%s: Bash Patch Level          : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[2]}"
-    printf "\e[97m+\e[0m\e[92m%s: Bash Build Version        : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[3]}"
-    printf "\e[97m+\e[0m\e[92m%s: Bash Release              : %s \e[0m\n" "$(date +%T.%4N)" "${BASH_VERSINFO[4]}"
-    printf "\e[97m+\e[0m\e[92m%s: UID                       : %s \e[0m\n" "$(date +%T.%4N)" "${UID}"
-    printf "\e[97m+\e[0m\e[92m%s: EUID                      : %s \e[0m\n" "$(date +%T.%4N)" "${EUID}"
-    printf "\e[97m+\e[0m\e[92m%s: Hostname                  : %s \e[0m\n" "$(date +%T.%4N)" "${HOSTNAME}"
-    printf "\e[97m+\e[0m\e[92m%s: Script name               : %s \e[0m\n" "$(date +%T.%4N)" "$0"
-    printf "\e[97m+\e[0m\e[92m%s: Argument Counter          : %s \e[0m\n" "$(date +%T.%4N)" "${arg_counter}"
-    printf "\e[97m+\e[0m\e[92m%s: Argument String Original  : %s \e[0m\n" "$(date +%T.%4N)" "${arg_string}"
-    printf "\e[97m+\e[0m\e[92m%s: Script PID                : %s \e[0m\n" "$(date +%T.%4N)" "$$"
-    printf "\e[97m+\e[0m\e[92m%s: Script Parent PID         : %s \e[0m\n" "$(date +%T.%4N)" "${PPID}"
-    printf "\e[97m+\e[0m\e[92m%s: Script work DIR           : %s \e[0m\n" "$(date +%T.%4N)" "${PWD}"
-    printf "\e[97m+\e[0m\e[92m%s: Shell Options             : %s \e[0m\n" "$(date +%T.%4N)" "$-"
-    printf "\e[97m+\e[0m\e[92m%s: BASHOPTS                  : %s \e[0m\n" "$(date +%T.%4N)" "${BASHOPTS}"
-    printf "\e[97m+\e[0m\e[92m%s: ==== Debug Log Begin ==== : \e[0m\n" "$(date +%T.%4N)"
+    printf "\e[97m+\e[0m\e[92m%s: CISS.debian.live.builder Debug Log \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
+    printf "\e[97m+\e[0m\e[92m%s: Git Commit                : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_GIT_REL}"
+    printf "\e[97m+\e[0m\e[92m%s: Version                   : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_VERSION}"
+    printf "\e[97m+\e[0m\e[92m%s: Epoch                     : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${EPOCHREALTIME}"
+    printf "\e[97m+\e[0m\e[92m%s: Bash MAJ Release          : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[0]}"
+    printf "\e[97m+\e[0m\e[92m%s: Bash MIN Version          : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[1]}"
+    printf "\e[97m+\e[0m\e[92m%s: Bash Patch Level          : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[2]}"
+    printf "\e[97m+\e[0m\e[92m%s: Bash Build Version        : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[3]}"
+    printf "\e[97m+\e[0m\e[92m%s: Bash Release              : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASH_VERSINFO[4]}"
+    printf "\e[97m+\e[0m\e[92m%s: UID                       : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${UID}"
+    printf "\e[97m+\e[0m\e[92m%s: EUID                      : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${EUID}"
+    printf "\e[97m+\e[0m\e[92m%s: Hostname                  : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${HOSTNAME}"
+    printf "\e[97m+\e[0m\e[92m%s: Hostsystem                : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${VAR_SYSTEM}"
+    printf "\e[97m+\e[0m\e[92m%s: Script name               : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "$0"
+    printf "\e[97m+\e[0m\e[92m%s: Argument Counter          : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${arg_counter}"
+    printf "\e[97m+\e[0m\e[92m%s: Argument String Original  : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${arg_string}"
+    printf "\e[97m+\e[0m\e[92m%s: Script PID                : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "$$"
+    printf "\e[97m+\e[0m\e[92m%s: Script Parent PID         : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${PPID}"
+    printf "\e[97m+\e[0m\e[92m%s: Script work DIR           : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${PWD}"
+    printf "\e[97m+\e[0m\e[92m%s: Shell Options             : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "$-"
+    printf "\e[97m+\e[0m\e[92m%s: BASHOPTS                  : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${BASHOPTS}"
+    printf "\e[97m+\e[0m\e[92m%s: SHELLOPTS                 : %s \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)" "${SHELLOPTS}"
+    printf "\e[97m+\e[0m\e[92m%s: ==== Debug Log Begin ==== : \e[0m\n" "$(date -u +%Y-%m-%dT%H:%M:%S.%4N%z)"
   } >&42
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_git_var.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Define Git Repo related Variables.
+# Globals:
+#   VAR_GIT_HEAD
+#   VAR_GIT_REL
+#   VAR_GIT_REL_DATE
+#   VAR_GIT_REL_DATE_TIME
+#   VAR_GIT_REL_SHORT
+# Arguments:
+#   None
+#######################################
+check_git() {
+  # shellcheck disable=SC2155
+  if git rev-parse --is-inside-work-tree &>/dev/null; then
+    declare -grx VAR_GIT_REL="$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
+    declare -grx VAR_GIT_REL_SHORT="${VAR_GIT_REL%% *}"
+    declare -grx VAR_GIT_REL_DATE_TIME="${VAR_GIT_REL#* }"
+    declare -grx VAR_GIT_REL_DATE="${VAR_GIT_REL_DATE_TIME% *}"
+    declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
+  fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_guard_sourcing.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Prevent the caller LIB-file from being sourced twice.
+# Derive a safe guard-variable name from the caller script filename.
+# Globals:
+#   BASH_SOURCE
+# Arguments:
+#   $1: Explicitly provided Argument: filename of the caller LIB. (Better let the guard_sourcing() determine dynamically.)
+# Returns:
+#   0: Returns '0' in both cases as they are intended to be successful.
+#######################################
+guard_sourcing() {
+  ### Determine the caller script (the library being sourced).
+  declare var_src="${1:-${BASH_SOURCE[1]}}"
+  ### Strip path, keep only filename
+  declare var_file_name="${var_src##*/}"
+  ### Sanitize to valid var name.
+  declare var_safe_name="${var_file_name//[^a-zA-Z0-9_]/_}"
+  ### Build guard-variable name.
+  declare var_guard_var="_${var_safe_name}_LOADED"
+
+  ### If already loaded, abort sourcing
+  if [[ -n "${!var_guard_var:-}" ]]; then
+    return 0
+  fi
+
+  ### Mark as loaded (readonly + exported)
+  declare -grx "${var_guard_var}"=1
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_hardening_root_pw.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Updates the Live ISO to use root password authentication for local console access.
 # Globals:

lib/lib_hardening_ssh.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # SSH Hardening Ultra via TCP Wrapper
 # Globals:

lib/lib_hardening_ultra.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Wrapper for accompanying all CISS.debian.hardening features into the Live ISO image.
 # Globals:

lib/lib_helper_ip.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # IP Notation cleaner for pure IP output only
 # Globals:

lib/lib_lb_build_start.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Wrapper to write a new 'lb config' environment.
 # Globals:

lib/lib_lb_config_start.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Wrapper for 'lb config' - set up a build environment or deleting old build artifacts.
 # Globals:

lib/lib_lb_config_write.sh

@@ -10,23 +10,17 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Wrapper to write a new 'lb config' environment.
 # Globals:
-#   VAR_HANDLER_ISO_COUNTER
 #   VAR_ARCHITECTURE
 #   VAR_HANDLER_BUILD_DIR
+#   VAR_HANDLER_ISO_COUNTER
 #   VAR_KERNEL
-#   VAR_WORKDIR
 #   VAR_VERSION
-# Arguments:
-#  None
-#######################################
-
-#######################################
-# description
-# Globals:
-
+#   VAR_WORKDIR
 # Arguments:
 #  None
 #######################################
@@ -44,8 +38,8 @@ lb_config_write() {
     --backports true \
     --binary-filesystem fat32 \
     --binary-image iso-hybrid \
-    --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Europe/Lisbon splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
-    --bootappend-live "boot=live verify-checksums components nocomponents=cdi-starter locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Europe/Lisbon toram audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
+    --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
+    --bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 nocomponents=cdi-starter noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force,nosmt nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
     --bootloaders grub-efi \
     --cache true \
     --checksums sha512 sha256 md5 \

lib/lib_provider_netcup.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Notes Textbox
 # Arguments:

lib/lib_run_analysis.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Wrapper for statistic functions of the final build.
 # Globals:

lib/lib_sanitizer.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Argument Check Wrapper
 # Arguments:

lib/lib_trap_on_err.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Print Error Message for Trap on 'ERR' in ${ERROR_LOG}
 # Globals:
@@ -34,21 +36,22 @@
 print_file_err() {
   {
     printf "❌ CISS.debian.live.builder Script failed. \n"
-    printf "❌ Version             : %s \n" "${VAR_VERSION}"
-    printf "❌ Environment         : %s \n" "${VAR_SYSTEM}"
-    printf "❌ Error               : %s \n" "${ERRCODE}"
-    printf "❌ Line                : %s \n" "${ERRLINE}"
-    printf "❌ Script              : %s \n" "${ERRSCRT}"
-    printf "❌ Function            : %s \n" "${ERRFUNC}"
-    printf "❌ Command             : %s \n" "${ERRCMMD}"
-    printf "❌ Script Runtime      : %s \n" "${SECONDS}"
-    printf "❌ Arguments Counter   : %s \n" "${ARGUMENTS_COUNT}"
-    printf "❌ Arguments Original  : %s \n" "${ARG_STR_ORG_INPUT}"
-    printf "❌ Arguments Sanitized : %s \n" "${VAR_ARG_SANITIZED}"
+    printf "❌ Git Commit             : %s \n" "${VAR_GIT_REL}"
+    printf "❌ Version                : %s \n" "${VAR_VERSION}"
+    printf "❌ Hostsystem             : %s \n" "${VAR_SYSTEM}"
+    printf "❌ Error                  : %s \n" "${ERRCODE}"
+    printf "❌ Line                   : %s \n" "${ERRLINE}"
+    printf "❌ Script                 : %s \n" "${ERRSCRT}"
+    printf "❌ Function               : %s \n" "${ERRFUNC}"
+    printf "❌ Command                : %s \n" "${ERRCMMD}"
+    printf "❌ Script Runtime         : %s \n" "${SECONDS}"
+    printf "❌ Arguments Counter      : %s \n" "${ARGUMENTS_COUNT}"
+    printf "❌ Arguments Original     : %s \n" "${ARG_STR_ORG_INPUT}"
+    printf "❌ Arguments Sanitized    : %s \n" "${VAR_ARG_SANITIZED}"
     if "${VAR_EARLY_DEBUG}"; then
-      printf "❌ Vars Dump saved at  : %s \n" "${LOG_VAR}"
-      printf "❌ Debug Log saved at  : %s \n" "${LOG_DEBUG}"
-      printf "❌                   cat %s \n" "${LOG_DEBUG}"
+      printf "❌ Vars Dump saved at     : %s \n" "${LOG_VAR}"
+      printf "❌ Debug Log saved at     : %s \n" "${LOG_DEBUG}"
+      printf "❌ batcat --pager='less -r' %s \n" "${LOG_DEBUG}"
     fi
     printf "\n"
   } >> "${LOG_ERROR}"
@@ -77,23 +80,24 @@ print_file_err() {
 #######################################
 print_scr_err() {
   printf "\e[91m❌ CISS.debian.live.builder Script failed. \e[0m\n" >&2
-  printf "\e[91m❌ Version             : %s \e[0m\n" "${VAR_VERSION}" >&2
-  printf "\e[91m❌ Environment         : %s \e[0m\n" "${VAR_SYSTEM}" >&2
-  printf "\e[91m❌ Error               : %s \e[0m\n" "${ERRCODE}" >&2
-  printf "\e[91m❌ Line                : %s \e[0m\n" "${ERRLINE}" >&2
-  printf "\e[91m❌ Script              : %s \e[0m\n" "${ERRSCRT}" >&2
-  printf "\e[91m❌ Function            : %s \e[0m\n" "${ERRFUNC}" >&2
-  printf "\e[91m❌ Command             : %s \e[0m\n" "${ERRCMMD}" >&2
-  printf "\e[91m❌ Script Runtime      : %s \e[0m\n" "${SECONDS}" >&2
-  printf "\e[91m❌ Arguments Counter   : %s \e[0m\n" "${ARGUMENTS_COUNT}" >&2
-  printf "\e[91m❌ Arguments Original  : %s \e[0m\n" "${ARG_STR_ORG_INPUT}" >&2
-  printf "\e[91m❌ Arguments Sanitized : %s \e[0m\n" "${VAR_ARG_SANITIZED}" >&2
-  printf "\e[91m❌ Error Log saved at  : %s \e[0m\n" "${LOG_ERROR}" >&2
-  printf "\e[91m❌                   cat %s \e[0m\n" "${LOG_ERROR}" >&2
+  printf "\e[91m❌ Git Commit             : %s \e[0m\n" "${VAR_GIT_REL}" >&2
+  printf "\e[91m❌ Version                : %s \e[0m\n" "${VAR_VERSION}" >&2
+  printf "\e[91m❌ Hostsystem             : %s \e[0m\n" "${VAR_SYSTEM}" >&2
+  printf "\e[91m❌ Error                  : %s \e[0m\n" "${ERRCODE}" >&2
+  printf "\e[91m❌ Line                   : %s \e[0m\n" "${ERRLINE}" >&2
+  printf "\e[91m❌ Script                 : %s \e[0m\n" "${ERRSCRT}" >&2
+  printf "\e[91m❌ Function               : %s \e[0m\n" "${ERRFUNC}" >&2
+  printf "\e[91m❌ Command                : %s \e[0m\n" "${ERRCMMD}" >&2
+  printf "\e[91m❌ Script Runtime         : %s \e[0m\n" "${SECONDS}" >&2
+  printf "\e[91m❌ Arguments Counter      : %s \e[0m\n" "${ARGUMENTS_COUNT}" >&2
+  printf "\e[91m❌ Arguments Original     : %s \e[0m\n" "${ARG_STR_ORG_INPUT}" >&2
+  printf "\e[91m❌ Arguments Sanitized    : %s \e[0m\n" "${VAR_ARG_SANITIZED}" >&2
+  printf "\e[91m❌ Error Log saved at     : %s \e[0m\n" "${LOG_ERROR}" >&2
+  printf "\e[91m❌ batcat --pager='less -r' %s \e[0m\n" "${LOG_ERROR}" >&2
   if "${VAR_EARLY_DEBUG}"; then
-    printf "\e[91m❌ Vars Dump saved at  : %s \e[0m\n" "${LOG_VAR}" >&2
-    printf "\e[91m❌ Debug Log saved at  : %s \e[0m\n" "${LOG_DEBUG}" >&2
-    printf "\e[91m❌                   cat %s \e[0m\n" "${LOG_DEBUG}" >&2
+    printf "\e[91m❌ Vars Dump saved at     : %s \e[0m\n" "${LOG_VAR}" >&2
+    printf "\e[91m❌ Debug Log saved at     : %s \e[0m\n" "${LOG_DEBUG}" >&2
+    printf "\e[91m❌ batcat --pager='less -r' %s \e[0m\n" "${LOG_DEBUG}" >&2
   fi
   printf "\n"
 }
@@ -115,12 +119,12 @@ print_scr_err() {
 #   $5: ${BASH_COMMAND}
 #######################################
 trap_on_err() {
+  trap - ERR
   declare -g ERRCODE="$1"
   declare -g ERRSCRT="$2"
   declare -g ERRLINE="$3"
   declare -g ERRFUNC="$4"
   declare -g ERRCMMD="$5"
-  trap - ERR
   if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi
   clean_up "${ERRCODE}"
   if ! $VAR_HANDLER_AUTOBUILD; then clean_screen; fi

lib/lib_trap_on_exit.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Trap function to be called on 'EXIT'.
 # Globals:
@@ -18,20 +20,20 @@
 #   $1: $?
 #######################################
 trap_on_exit() {
-  declare -r trap_on_exit_code="$1"
   trap - EXIT
-  if (( trap_on_exit_code == 0 )); then
+  declare -r var_trap_on_exit_code="$1"
+  if (( var_trap_on_exit_code == 0 )); then
     if "${VAR_EARLY_DEBUG}"; then dump_user_vars; fi
-    clean_up "${trap_on_exit_code}"
-    print_scr_exit "${trap_on_exit_code}"
-    exit 0
+    clean_up "${var_trap_on_exit_code}"
+    print_scr_exit "${var_trap_on_exit_code}"
+    exit "${var_trap_on_exit_code}"
   else
-    exit "${trap_on_exit_code}"
+    exit "${var_trap_on_exit_code}"
   fi
 }
 
 #######################################
-# Print Success Message for Trap on 'EXIT' on 'stdout'
+# Print Success Message for Trap on 'EXIT' on 'stdout'.
 # Globals:
 #   LOG_DEBUG
 #   LOG_VAR
@@ -40,22 +42,22 @@ trap_on_exit() {
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_SCRIPT_SUCCESS
 # Arguments:
-#   $1: ${trap_on_exit_code} of trap_on_exit()
+#   $1: ${var_trap_on_exit_code} of trap_on_exit()
 #######################################
 print_scr_exit() {
-  declare -r print_scr_exit_code="$1"
-  if (( print_scr_exit_code == 0 )); then
+  declare -r var_print_scr_exit_code="$1"
+  if (( var_print_scr_exit_code == 0 )); then
     if [[ "${VAR_SCRIPT_SUCCESS}" == "true" ]]; then
       printf "\n"
       printf "\e[92m✅ CISS.debian.live.builder Script successful. \e[0m\n"
-      printf "\e[92m✅ Aide Initial DB at: %s \e[0m\n" "${VAR_HANDLER_BUILD_DIR}/.integrity/"
-      printf "\e[92m✅ Exited with Status: %s \e[0m\n" "${print_scr_exit_code}"
+      printf "\e[92m✅ Aide Initial DB at     : %s \e[0m\n" "${VAR_HANDLER_BUILD_DIR}/.integrity/"
+      printf "\e[92m✅ Exited with Status     : %s \e[0m\n" "${var_print_scr_exit_code}"
       printf "\n"
       if [[ "${VAR_EARLY_DEBUG}" == "true" ]]; then
-        printf "\e[92m✅ Script Runtime    : %s \e[0m\n" "${SECONDS}"
-        printf "\e[92m✅ Vars Dump saved at: %s \e[0m\n" "${LOG_VAR}"
-        printf "\e[92m✅ Debug Log saved at: %s \e[0m\n" "${LOG_DEBUG}"
-        printf "\e[92m✅                 cat %s \e[0m\n" "${LOG_DEBUG}"
+        printf "\e[92m✅ Script Runtime         : %s \e[0m\n" "${SECONDS}"
+        printf "\e[92m✅ Vars Dump saved at     : %s \e[0m\n" "${LOG_VAR}"
+        printf "\e[92m✅ Debug Log saved at     : %s \e[0m\n" "${LOG_DEBUG}"
+        printf "\e[92m✅ batcat --pager='less -r' %s \e[0m\n" "${LOG_DEBUG}"
         printf "\n"
       fi
       printf "\e[95m💷 Please consider donating to my work at: \e[0m\n"

lib/lib_usage.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-06-25; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -12,135 +12,152 @@
 
 #######################################
 # Usage Wrapper CISS.debian.live.builder
-# Globals:
-#   ERR_UNCRITICAL
 # Arguments:
 #   $0: Script name
 #######################################
 usage() {
-  clear
-  cat << EOF
+  # shellcheck disable=SC2155
+  declare var_cols=$(tput cols 2>/dev/null || echo 80)
 
-$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.03.768.2025.06.17\e[0m")
+  #######################################
+  # Header, Footer wrapper for dynamically output.
+  # Arguments:
+  #   $1: Text.
+  #   $2: Width of Terminal.
+  #######################################
+  center() {
+    declare var_text="$1"
+    declare var_width="$2"
+    declare var_padding=$(( (var_width - ${#var_text}) / 2 ))
+    printf "%*s%s%*s\n" "${var_padding}" "" "${var_text}" "${var_padding}" ""
+  }
 
-$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
-$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
+  # shellcheck disable=SC2155
+  declare var_header=$(center "CLB(1)        CISS.debian.live.builder        CLB(1)" "${var_cols}")
+  # shellcheck disable=SC2155
+  declare var_footer=$(center "V8.03.864.2025.07.15        2025-06-25        CLB(1)" "${var_cols}")
 
-$(echo -e "\e[95mhttps://coresecret.eu/\e[0m")
-
-$(echo -e "\e[97mA lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.\e[0m")
-
-"${0} <option>", where <option> is one or more of:
-
-  --help, -h
-    What you're looking at.
-
-  --autobuild=*, -a=*
-    Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel
-    selector dialog. Change '*' to your desired Linux kernel and trim the
-    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.22+bpo-amd64'.
-
-  --architecture <STRING> one of <amd64 | arm64>
-    A string reflecting the architecture of the Live System.
-    MUST be provided.
-
-  --build-directory </path/to/build_directory>
-    Where the Debian Live Build Image should be generated.
-    MUST be provided.
-
-  --change-splash <STRING> one of <club | hexagon>
-    A string reflecting the GRub Boot Screen Splash you want to use.
-    If omitted defaults to "./.archive/background/club.png".
-
-  --cdi (Experimental Feature)
-    This option generates a boot menu entry to start the forthcoming
-    'CISS.debian.installer', which will be executed after
-    the system has successfully booted up.
-
-  --contact, -c
-    Displays contact information of the author.
-
-  --control <INTEGER>
-    An integer that reflects the version of your Live ISO Image.
-    MUST be provided.
-
-  --debug
-    Enables debug logging for the main program routine. Detailed logging
-    information are written to "/tmp/ciss_live_builder_$$.log"
-
-  --dhcp-centurion
-    If a DHCP lease is provided, the provider's nameserver will be overridden,
-    and only the hardened, privacy-focused Centurion DNS servers will be used:
-    - https://dns01.eddns.eu/
-    - https://dns02.eddns.de/
-
-  --jump-host <IP | IP | ... >
-    Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
-    Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
-    If provided, than it MUST be a <SPACE> separated list.
-    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd/64].
-
-  --log-statistics-only
-    Provides statistic only after successful building a
-    CISS.debian.live-ISO. While enabling "--log-statistics-only"
-    the argument "--build-directory" MUST be provided while
-    all further options MUST be omitted.
-
-  --provider-netcup-ipv6
-    Activates IPv6 support for Netcup Root Server. One unique
-    IPv6 address MUST be provided in this case.
-
-  --renice-priority <PRIORITY>
-    Reset the nice priority value of the script and all its children
-    to the desired PRIORITY. MUST be an integer (between "-19" and 19).
-    Negative (higher) values MUST be enclosed in double quotes '"'.
-
-  --reionice-priority <CLASS> <PRIORITY>
-    Reset the ionice priority value of the script and all its children
-    to the desired CLASS. MUST be an integer:
-    1: realtime
-    2: best-effort
-    3: idle
-    defaults to "2".
-    PRIORITY MUST be an integer:
-    between 0 (highest) and 7 (lowest) priority.
-    defaults to "4".
-    A real-time I/O process can significantly slow down other processes
-    or even cause them to starve if it continuously requests I/O.
-
-  --root-password-file </path/to/password.txt>
-    Password file for 'root', if given, MUST be a string of 20 to 64 characters,
-    and MUST NOT contain the special character '"'.
-    If the argument is omitted, no further login authentication is required for
-    the local console. The root password is hashed with an 16 Byte '/dev/random'
-    generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
-    after Hash generation all Variables containing plain password fragments are
-    deleted. Password file SHOULD be 0400 and root:root and is deleted without
-    further prompt after password hash has been successfully generated via:
-    shred -vfzu 5 -f.
-    No tracing of any plain text password fragment in any debug log.
-
-  --ssh-port <INTEGER>
-    The desired Port SSH should listen to.
-    If not provided defaults to Port 22.
-
-  --ssh-pubkey </path/to/.ssh/>
-    Imports the SSH Public Key(s) from the FILE 'authorized_keys' of the
-    specified PATH into the Live ISO. MUST be provided.
-
-  --version, -v
-    Displays version of ${0}.
-
-$(echo -e "\e[93mNOTES:\e[0m")
-  - You MUST be 'root' to run this script.
-
-$(echo -e "\e[92mContact:\e[0m")
-$(echo -e "\e[95m  - https://coresecret.eu/ \e[0m")
-$(echo -e "\e[95m  - security@coresecret.eu \e[0m")
-$(echo -e "\e[95m    - PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD \e[0m")
-$(echo -e "\e[95m      - https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD \e[0m")
-
-EOF
+  {
+    echo -e "\e[1;97m${var_header}\e[0m"
+    echo
+    echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
+    echo -e "\e[92mMaster V8.03.864.2025.07.15\e[0m"
+    echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
+    echo
+    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
+    echo -e "\e[97m(p) Centurion Press, 2024 - 2025 \e[0m"
+    echo
+    echo -e "\e[97m${0} <option>, where <option> is one or more of: \e[0m"
+    echo
+    echo -e "\e[97m  --help, -h \e[0m"
+    echo "    What you're looking at."
+    echo
+    echo -e "\e[97m  --autobuild=*, -a=* \e[0m"
+    echo "    Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel"
+    echo "    selector dialog. Change '*' to your desired Linux kernel and trim the"
+    echo "    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'."
+    echo
+    echo -e "\e[97m  --architecture <STRING> one of <amd64 | arm64> \e[0m"
+    echo "    A string reflecting the architecture of the Live System."
+    echo "    MUST be provided."
+    echo
+    echo -e "\e[97m  --build-directory </path/to/build_directory> \e[0m"
+    echo "    Where the Debian Live Build Image should be generated."
+    echo "    MUST be provided."
+    echo
+    echo -e "\e[97m  --change-splash <STRING> one of <club | hexagon>\e[0m"
+    echo "    A string reflecting the Grub Boot Screen Splash you want to use."
+    echo "    If omitted defaults to './.archive/background/club.png'."
+    echo
+    echo -e "\e[97m  --cdi (Experimental Feature)\e[0m"
+    echo "    This option generates a boot menu entry to start the forthcoming"
+    echo "    'CISS.debian.installer', which will be executed after"
+    echo "    the system has successfully booted up."
+    echo
+    echo -e "\e[97m  --contact, -c\ e[0m"
+    echo "    Show author contact information."
+    echo
+    echo -e "\e[97m  --control <INTEGER>\e[0m"
+    echo "    An integer that reflects the version of your Live ISO Image."
+    echo "    MUST be provided."
+    echo
+    echo -e "\e[97m  --debug, -d \e[0m"
+    echo "    Enables debug logging for the main program routine. Detailed logging"
+    echo "    information are written to '/tmp/ciss_live_builder_$$.log'."
+    echo
+    echo -e "\e[97m  --dhcp-centurion \e[0m"
+    echo "    If a DHCP lease is provided, the provider's nameserver will be overridden,"
+    echo "    and only the hardened, privacy-focused Centurion DNS servers will be used:"
+    echo "      - https://dns01.eddns.eu/"
+    echo "      - https://dns02.eddns.de/"
+    echo "      - https://dns03.eddns.eu/"
+    echo
+    echo -e "\e[97m  --jump-host <IP | IP | ... > \e[0m"
+    echo "    Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access."
+    echo "    Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation."
+    echo "    If provided, than it MUST be a <SPACE> separated list."
+    echo "    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64."
+    echo
+    echo -e "\e[97m  --log-statistics-only\e[0m"
+    echo "    Provides statistic only after successful building a"
+    echo "    CISS.debian.live-ISO. While enabling '--log-statistics-only'"
+    echo "    the argument '--build-directory' MUST be provided while"
+    echo "    all further options MUST be omitted."
+    echo
+    echo -e "\e[97m  --provider-netcup-ipv6 \e[0m"
+    echo "    Activates IPv6 support for Netcup Root Server. One unique"
+    echo "    IPv6 address MUST be provided in this case and MUST be encapsulated"
+    echo "    with [], e.g., [1234::abcd]."
+    echo
+    echo -e "\e[97m  --renice-priority <PRIORITY> \e[0m"
+    echo "    Reset the nice priority value of the script and all its children"
+    echo "    to the desired <PRIORITY>. MUST be an integer (between '-19' and 19)."
+    echo "    Negative (higher) values MUST be enclosed in double quotes '\"'."
+    echo
+    echo -e "\e[97m  --reionice-priority <CLASS> <PRIORITY> \e[0m"
+    echo "    Reset the ionice priority value of the script and all its children"
+    echo "    to the desired <CLASS>. MUST be an integer:"
+    echo "      1: realtime"
+    echo "      2: best-effort"
+    echo "      3: idle"
+    echo "    Defaults to '2'."
+    echo "    Whereas <PRIORITY> MUST be an integer as well between:"
+    echo "      0: highest priority and"
+    echo "      7: lowest priority."
+    echo "    Defaults to '4'."
+    echo "    A real-time I/O process can significantly slow down other processes"
+    echo "    or even cause them to starve if it continuously requests I/O."
+    echo
+    echo -e "\e[97m  --root-password-file </path/to/password.txt> \e[0m"
+    echo "    Password file for 'root', if given, MUST be a string of 20 to 64 characters,"
+    echo "    and MUST NOT contain the special character '\"'."
+    echo "    If the argument is omitted, no further login authentication is required for"
+    echo "    the local console. The root password is hashed with an 16 Byte '/dev/random'"
+    echo "    generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately"
+    echo "    after Hash generation all Variables containing plain password fragments are"
+    echo "    deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without"
+    echo "    further prompt after password hash has been successfully generated via:"
+    echo "    'shred -vfzu 5 -f'."
+    echo "    'No tracing of any plain text password fragment in any debug log."
+    echo
+    echo -e "\e[97m  --ssh-port <INTEGER> \e[0m"
+    echo "    The desired Port SSH should listen to."
+    echo "    If not provided defaults to Port '22'."
+    echo
+    echo -e "\e[97m  --ssh-pubkey </path/to/.ssh/> \e[0m"
+    echo "    Imports the SSH Public Key from the FILE 'authorized_keys' of the"
+    echo "    specified PATH into the Live ISO. MUST be provided."
+    echo
+    echo -e "\e[97m  --version, -v \e[0m"
+    echo "    Show version of ${0}."
+    echo
+    echo -e "\e[93m💡 Notes:\e[0m"
+    echo -e "\e[93m🔵 You MUST be 'root' to run this script.\e[0m"
+    echo
+    echo -e "\e[95m💷 Please consider donating to my work at: \e[0m"
+    echo -e "\e[95m🌐 https://coresecret.eu/spenden/ \e[0m"
+    echo
+    echo -e "\e[1;97m${var_footer}\e[0m"
+  } | less -R
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_version.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-25; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Version Wrapper CISS.debian.live.builder
+# Globals:
+#   VAR_VERSION
+# Arguments:
+#   None
+#######################################
+version() {
+  # shellcheck disable=SC2155
+  declare -r var_repo_ver="$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
+  # shellcheck disable=SC2155
+  declare -r var_lb_ver="$(lb -v)"
+  # shellcheck disable=SC2155
+  declare -r var_ds_ver="$(debootstrap --version)"
+  # shellcheck disable=SC2155
+  declare -r var_host="$(uname -n)"
+  # shellcheck disable=SC2155
+  declare -r var_bash_ver="$(bash --version | head -n1 | awk '{print $4" "$5" "$6}')"
+
+  clear
+  cat << EOF
+$(echo -e "\e[97m################################################################################ \e[0m")
+$(echo -e "\e[92m  CISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m")
+$(echo -e "\e[92m  A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
+
+  Version : ${VAR_VERSION}
+  Git     : ${var_repo_ver}
+
+$(echo -e "\e[97m  This program is free software. Distribution and modification under  \e[0m")
+$(echo -e "\e[97m  EUPL-1.2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! \e[0m")
+
+  Please file bugs @
+$(echo -e "\e[95m  https://git.coresecret.dev/msw/CISS.debian.live.builder/issues \e[0m")
+$(echo -e "\e[97m################################################################################\e[0m")
+
+  Using   : lb (${var_lb_ver}) debootstrap (${var_ds_ver})
+  on      : ${var_host}
+  Bash    : ${var_bash_ver}
+
+EOF
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

meta_sources_debug.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Sourcing Debug Libs
+. ./lib/lib_debug.sh
+. ./lib/lib_debug_header.sh
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

scripts/0010_dhcp_supersede.sh

@@ -21,9 +21,9 @@ fi
 cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp/dhclient.conf
 
 # Custom dhclient config to override DHCP DNS
-# dns01.eddns.eu, dns02.eddns.de;
+# dns01.eddns.eu, dns02.eddns.de, dns03.eddns.eu;
 
-supersede domain-name-servers 135.181.207.105, 89.58.62.53;
+supersede domain-name-servers 135.181.207.105, 89.58.62.53, 138.199.237.109;
 
 EOF
 

scripts/9000-cdi-starter

@@ -15,7 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 # sleep 1
 
 [[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log
-printf "CISS.debian.installer Master V8.03.768.2025.06.17 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+printf "CISS.debian.installer Master V8.03.864.2025.07.15 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
 
 if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then
   chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh

var/bash.var.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin
+set -o errexit   # Exit script when a command exits with non-zero status, the same as "set -e".
+set -o errtrace  # Any traps on ERR are inherited in a subshell environment, the same as "set -E".
+set -o functrace # Any traps on DEBUG and RETURN are inherited in a subshell environment, the same as "set -T".
+set -o nounset   # Exit script on use of an undefined variable, the same as "set -u".
+set -o pipefail  # Makes pipelines return the exit status of the last command in the pipe that failed.
+set -o noclobber # Prevent overwriting, the same as "set -C".
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

var/color.var.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-declare -grx C_BLA='\e[90m' # For the techno fans.
+declare -grx C_BLA='\e[90m' # Beautiful black For the techno fans.
 declare -grx C_RED='\e[91m' # Bright red.
 declare -grx C_GRE='\e[92m' # Vibrant green.
 declare -grx C_YEL='\e[93m' # Fancy yellow
@@ -18,6 +18,6 @@ declare -grx C_BLU='\e[94m' # Organic blue.
 declare -grx C_MAG='\e[95m' # Super gay magenta.
 declare -grx C_CYA='\e[96m' # Lovely cyan.
 declare -grx C_WHI='\e[97m' # Fantastic color mix.
-declare -grx C_RES='\e[0m'    # Forget everything.
+declare -grx C_RES='\e[0m'  # Forget everything.
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

var/early.var.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Definition of MUST set early Variables
+
+# shellcheck disable=SC2155
+declare -agx ARY_PARAM_ARRAY=("$@")
+declare -grx VAR_PARAM_COUNT="$#"
+declare -grx VAR_PARAM_STRNG="$*"
+declare -grx VAR_CONTACT="security@coresecret.eu"
+declare -grx VAR_VERSION="Master V8.03.864.2025.07.15"
+declare -grx VAR_SYSTEM="$(uname -a)"
+declare -gx  VAR_EARLY_DEBUG="false"
+declare -gx  VAR_HANDLER_AUTOBUILD="false"
+umask 0022
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

var/global.var.sh

@@ -10,24 +10,13 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# shellcheck disable=SC2155
-declare -gr VAR_SYSTEM="$(uname -a)"
 # shellcheck disable=SC2155
 declare -gr VAR_ISO8601="$(date +%Y_%m_%d_%H_%M_%S)"
-# shellcheck disable=SC2155
 declare -gr VAR_KERNEL_INF="$(mktemp)"
-# shellcheck disable=SC2155
 declare -gr VAR_KERNEL_TMP="$(mktemp)"
-# shellcheck disable=SC2155
 declare -gr VAR_KERNEL_SRT="$(mktemp)"
-# shellcheck disable=SC2155
 declare -gr VAR_NOTES="$(mktemp)"
 
-if "${VAR_EARLY_DEBUG}"; then
-  declare -gr LOG_VAR="/tmp/ciss_live_builder_$$_var.log"
-  touch "${LOG_VAR}" && chmod 0600 "${LOG_VAR}"
-fi
-
 declare -gr LOG_ERROR="/tmp/ciss_live_builder_$$_error.log"
 touch "${LOG_ERROR}" && chmod 0600 "${LOG_ERROR}"