Merge remote-tracking branch 'origin/master'

V8.04.002.2025.08.11
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-08-11 19:32:43 +02:00 · 2025-08-11 19:32:33 +02:00 · 2025-08-11 19:32:11 +02:00 · 2025-08-11 17:23:58 +00:00 · 2025-08-11 19:22:57 +02:00 · 2025-08-11 17:03:33 +00:00
68 changed files with 1167 additions and 466 deletions
--- a/.archive/.0000_lib_usage.sh
+++ b/.archive/.0000_lib_usage.sh
@@ -0,0 +1,142 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Usage Wrapper CISS.debian.live.builder
+# Globals:
+#   none
+# Arguments:
+#   $0: Script name
+#######################################
+usage() {
+  clear
+  cat << EOF
+$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
+$(echo -e "\e[92mMaster V8.04.002.2025.08.11\e[0m")
+$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
+
+$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
+$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
+
+"${0} <option>", where <option> is one or more of:
+
+$(echo -e "\e[97m  --help, -h\e[0m")
+    What you're looking at.
+
+$(echo -e "\e[97m  --autobuild=*, -a=*\e[0m")
+    Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel
+    selector dialog. Change '*' to your desired Linux kernel and trim the
+    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'.
+
+$(echo -e "\e[97m  --architecture <STRING> one of <amd64 | arm64>\e[0m")
+    A string reflecting the architecture of the Live System.
+    MUST be provided.
+
+$(echo -e "\e[97m  --build-directory </path/to/build_directory>\e[0m")
+    Where the Debian Live Build Image should be generated.
+    MUST be provided.
+
+$(echo -e "\e[97m  --change-splash <STRING> one of <club | hexagon>\e[0m")
+    A string reflecting the GRub Boot Screen Splash you want to use.
+    If omitted defaults to "./.archive/background/club.png".
+
+$(echo -e "\e[97m  --cdi (Experimental Feature)\e[0m")
+    This option generates a boot menu entry to start the forthcoming
+    'CISS.debian.installer', which will be executed after
+    the system has successfully booted up.
+
+$(echo -e "\e[97m  --contact, -c\e[0m")
+    Displays contact information of the author.
+
+$(echo -e "\e[97m  --control <INTEGER>\e[0m")
+    An integer that reflects the version of your Live ISO Image.
+    MUST be provided.
+
+$(echo -e "\e[97m  --debug\e[0m")
+    Enables debug logging for the main program routine. Detailed logging
+    information are written to "/tmp/ciss_live_builder_$$.log"
+
+$(echo -e "\e[97m  --dhcp-centurion\e[0m")
+    If a DHCP lease is provided, the provider's nameserver will be overridden,
+    and only the hardened, privacy-focused Centurion DNS servers will be used:
+      - https://dns01.eddns.eu/
+      - https://dns02.eddns.de/
+      - https://dns03.eddns.eu/
+
+$(echo -e "\e[97m  --jump-host <IP | IP | ... >\e[0m")
+    Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
+    Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
+    If provided, than it MUST be a <SPACE> separated list.
+    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64.
+
+$(echo -e "\e[97m  --log-statistics-only\e[0m")
+    Provides statistic only after successful building a
+    CISS.debian.live-ISO. While enabling "--log-statistics-only"
+    the argument "--build-directory" MUST be provided while
+    all further options MUST be omitted.
+
+$(echo -e "\e[97m  --provider-netcup-ipv6\e[0m")
+    Activates IPv6 support for Netcup Root Server. One unique
+    IPv6 address MUST be provided in this case and MUST be encapsulated
+    with [], e.g., [1234::abcd].
+
+$(echo -e "\e[97m  --renice-priority <PRIORITY>\e[0m")
+    Reset the nice priority value of the script and all its children
+    to the desired <PRIORITY>. MUST be an integer (between "-19" and 19).
+    Negative (higher) values MUST be enclosed in double quotes '"'.
+
+$(echo -e "\e[97m  --reionice-priority <CLASS> <PRIORITY>\e[0m")
+    Reset the ionice priority value of the script and all its children
+    to the desired <CLASS>. MUST be an integer:
+      1: realtime
+      2: best-effort
+      3: idle
+    Defaults to '2'.
+    Whereas <PRIORITY> MUST be an integer as well between:
+      0: highest priority and
+      7: lowest priority.
+    Defaults to '4'.
+    A real-time I/O process can significantly slow down other processes
+    or even cause them to starve if it continuously requests I/O.
+
+$(echo -e "\e[97m  --root-password-file </path/to/password.txt>\e[0m")
+    Password file for 'root', if given, MUST be a string of 20 to 64 characters,
+    and MUST NOT contain the special character '"'.
+    If the argument is omitted, no further login authentication is required for
+    the local console. The root password is hashed with an 16 Byte '/dev/random'
+    generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
+    after Hash generation all Variables containing plain password fragments are
+    deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without
+    further prompt after password hash has been successfully generated via:
+    'shred -vfzu 5 -f'.
+    No tracing of any plain text password fragment in any debug log.
+
+$(echo -e "\e[97m  --ssh-port <INTEGER>\e[0m")
+    The desired Port SSH should listen to.
+    If not provided defaults to Port 22.
+
+$(echo -e "\e[97m  --ssh-pubkey </path/to/.ssh/>\e[0m")
+    Imports the SSH Public Key(s) from the FILE 'authorized_keys' of the
+    specified PATH into the Live ISO. MUST be provided.
+
+$(echo -e "\e[97m  --version, -v\e[0m")
+    Displays version of ${0}.
+
+$(echo -e "\e[93m💡 Notes:\e[0m")
+🔵 You MUST be 'root' to run this script.
+
+$(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m")
+$(echo -e "\e[95m🌐 https://coresecret.eu/spenden/         \e[0m")
+
+EOF
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.03.832.2025.06.24"
+      placeholder: "e.g., Master V8.04.002.2025.08.11"
    validations:
      required: true

--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.832.2025.06.24
+### Version Master V8.04.002.2025.08.11

 FROM debian:bookworm

--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.832.2025.06.24
+### Version Master V8.04.002.2025.08.11

 name: 🔁 Render README.md to README.html.

--- a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1024
-  version: V8.03.832.2025.06.24
+  version: V8.04.002.2025.08.11
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.03.832.2025.06.24
+  version: V8.04.002.2025.08.11
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PUBLIC.yaml
+++ b/.gitea/trigger/t_generate_PUBLIC.yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.03.832.2025.06.24
+  version: V8.04.002.2025.08.11
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.03.832.2025.06.24
+  version: V8.04.002.2025.08.11
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.832.2025.06.24
+### Version Master V8.04.002.2025.08.11

 name: 🔐 Generating a Private Live ISO FLV 0.

--- a/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.832.2025.06.24
+### Version Master V8.04.002.2025.08.11

 name: 🔐 Generating a Private Live ISO FLV 1.

--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.832.2025.06.24
+### Version Master V8.04.002.2025.08.11

 name: 💙 Generating a PUBLIC Live ISO.

--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.832.2025.06.24
+### Version Master V8.04.002.2025.08.11

 # Gitea Workflow: Shell-Script Linting
 #
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.832.2025.06.24
+### Version Master V8.04.002.2025.08.11

 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.

--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.832.2025.06.24
+### Version Master V8.04.002.2025.08.11

 name: 🔁 Render Graphviz Diagrams.

--- a/.shellcheckrc
+++ b/.shellcheckrc
@@ -0,0 +1,28 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+encoding=utf-8
+external-sources=true
+shell=bash
+source-path=~/lib
+source-path=~/scripts
+source-path=~/var
+
+enable=avoid-nullary-conditions
+enable=check-extra-masked-returns
+enable=check-set-e-suppressed
+enable=check-unassigned-uppercase
+enable=deprecate-which
+enable=quote-safe-variables
+enable=require-double-brackets
+enable=require-variable-braces
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.03.832.2025.06.24"
+properties_version="V8.04.002.2025.08.11"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.03.832.2025.06.24
+PackageVersion: Master V8.04.002.2025.08.11
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
--- a/LINTER_RESULTS.txt
+++ b/LINTER_RESULTS.txt
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-This file was automatically generated by the DEPLOY BOT on: "2025-06-24T21:45:52Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-08-11T17:23:55Z".

 ✅ The last linter check was successful. ✅

--- a/LIVE_ISO.public
+++ b/LIVE_ISO.public
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-This file was automatically generated by the DEPLOY BOT on: "2025-06-23T09:04:49Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-08-07T10:53:55Z".

 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_23T08_20_37Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_08_07T10_04_36Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  86a8be09e16299892ae99d195b56a04356bcf5d2202016da8f8fa7441077c43fab68ebefcb8c39b3423f085a74b607907fb691ac71fdef92af33782bd2ac0ce5
+  3d1e73f464cae840af3faf43ab1dcd2b47b2a8610527ed57d406b0d1d6c80b23d8b550c33288edad2652f33560cc410efcb71c022e6f46ef6edec344e9b735f7
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----

-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFkYsQAKCRA85KY4hzOw
-IbrbAQDeOIS3QYKIPkMhYlNPIcsJjv/dh3TdYiuQbkvfwVI+/gD/TiB+ska62vJk
-LGfwjuaxMC0KHG1/UTICytOeAnTrXAc=
-=qk8B
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaJSFwwAKCRA85KY4hzOw
+IdavAP9IXSWEcQcEW0LRPJBEino30IU4bzAlJJPJ/ROcRblMWQEA06xIsSQVM6A/
+JeUxqQCspstTDwOEROSwfcZgCN/ySwA=
+=RynM
 -----END PGP SIGNATURE-----

 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/LIVE_ISO_FLV_0.private
+++ b/LIVE_ISO_FLV_0.private
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-This file was automatically generated by the DEPLOY BOT on: "2025-06-24T19:21:36Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-08-07T08:55:20Z".

 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_24T18_36_59Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_08_07T08_03_38Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  3ca5a9635ef74a48f6d8f31696ec56e56ee95eff5317df95976e22d31e331bc503422602e24a9eaddfc30212acf6ebe96af51e94298c4c7c49c839c62abb6c2f
+  1ed2a27ca9137e55202cc3936c32c8285c02e200fc7e40034752d21fe15d251d10a91b05e5336aedd351d47b0aa6bed34304bf46dbd6a1df0df92612a72c950d
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----

-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFr6wAAKCRA85KY4hzOw
-IbgHAP4p9jlF9jZkYIw/0H8j07QUWNHxeUz2r2UXp8aN2gUEBwEAxqbznJhH8li8
-40g5sWwGLmBjlidIOe0NxeMUBkuMlQg=
-=gq5w
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaJRp+AAKCRA85KY4hzOw
+IRXlAQDsDYY4bc7OA8pVWbz4AXlTh/m5PJtt4DAiRvqBnSNQkQEA3M0OZr/6cZkF
+lDpsQU14hbr06d70JmNeAc9CVsMVbQQ=
+=h1hv
 -----END PGP SIGNATURE-----

 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/LIVE_ISO_FLV_1.private
+++ b/LIVE_ISO_FLV_1.private
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-This file was automatically generated by the DEPLOY BOT on: "2025-06-24T22:34:36Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-08-07T09:55:21Z".

 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_24T21_53_22Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_08_07T09_04_30Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  581d951c8ab4d8e7afd2d727f8e64bd6fff51d005b84b9800e941da8dae654985bae500e056f02729d6b274ba330dfdbec59fd5ec2c8b18c3bbf37433b73c154
+  7ccbe6b6622a6fe2db68a37c0d4feb2759addf8fe8b3cd1186bcc2bb7305dae4b6ffbbdad336b41eb98e5bef681166d50ddcf9761226575584201de94de9007b
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----

-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFsn/AAKCRA85KY4hzOw
-IUvMAP9P1U6lblhdZ9tSROvYXRXcv0IEg2rVo3fMx9T5fozLewEAgxxo0+J1Nlvu
-KVZOdiuc6xdxkBHWYaA2kSXZKI+qAwA=
-=2H0C
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaJR4CQAKCRA85KY4hzOw
+IdL0AP9jojn+k2E9FdCuc/y8qvD4p26m12cvydq2CYFUwfjbXgD/TBC0yRhM4Cfo
+GShrXSXGILEZBIxSbmWwPqHEWo7vMQ8=
+=tgad
 -----END PGP SIGNATURE-----

 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.832.2025.06.24-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.04.002.2025.08.11-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -12,7 +12,7 @@ include_toc: true
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.2-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.1.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
@@ -26,7 +26,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>

 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -142,7 +142,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-

 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.

-Example: `V8.03.832.2025.06.24`
+Example: `V8.04.002.2025.08.11`

 `x.y.z` represents major (x), minor (y), and patch (z) version increments.

@@ -420,12 +420,13 @@ predictable script behavior.
   5. Make any other changes you need to.
 3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):

-   ```yaml
+   ````bash
   chmod 0700 ./ciss_live_builder.sh
+   timestamp=$(date -u +%Y-%m-%dT%H:%M:%S%z)
   ./ciss_live_builder.sh --architecture amd64 \
                          --build-directory /opt/livebuild \
                          --change-splash hexagon \
-                          --control 384 \
+                          --control "${timestamp}" \
                          --debug \
                          --dhcp-centurion \
                          --jump-host 10.0.0.128 [c0de:4711:0815:4242::1] [2abc:4711:0815:4242::1]/64 \
@@ -435,7 +436,7 @@ predictable script behavior.
                          --root-password-file /opt/gitea/CISS.debian.live.builder/password.txt \
                          --ssh-port 4242 \
                          --ssh-pubkey /opt/gitea/CISS.debian.live.builder
-   ```
+   ````
 4. Locate your ISO in the `--build-directory`.
 5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel.
 6. Type `sysp` for the final kernel hardening features.
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -13,85 +13,142 @@
 ### Contributions so far see ./docs/CREDITS.md

 ### WHY BASH?
-# Ease of installation.
-# No compiling or installing gems, CPAN modules, pip packages, etc.
-# Simple to use and read. Clear syntax and straightforward output interpretation.
-# Built-in power.
-# Pattern matching, line processing, and regular expression support are available natively,
-# no external binaries required.
-# Cross-platform consistency.
-# '/bin/bash' is the default shell on most Linux distributions, ensuring scripts run unmodified across systems.
-# macOS compatibility.
-# Since macOS Catalina (10.15), the default login shell has been zsh, but bash remains available at '/bin/bash'.
-# Windows support.
-# You can use bash via WSL, MSYS2, or Cygwin on Windows systems.
+# Ease of installation. No compiling or installing gems, CPAN modules, pip packages, etc. Simple to use and read. Clear syntax
+# and straightforward output interpretation. Built-in power. Pattern matching, line processing, and regular expression support
+# are available natively, no external binaries required. Cross-platform consistency. '/bin/bash' is the default shell on most
+# Linux distributions, ensuring scripts run unmodified across systems. macOS compatibility. Since macOS Catalina (10.15), the
+# default login shell has been zsh, but bash remains available at '/bin/bash'. Windows support. You can use bash via WSL, MSYS2,
+# or Cygwin on Windows systems.

-### Preliminary checks
+### CATCH ARGUMENTS AND DECLARE BASIC VARIABLES.
+# shellcheck disable=SC2155
+declare -girx VAR_START_TIME="${SECONDS}"                                # Start time of script execution.
+declare -grx  VAR_PARAM_COUNT="$#"                                       # Arguments passed to script.
+declare -grx  VAR_PARAM_STRNG="$*"                                       # Arguments passed to script as string.
+declare -ag   ARY_PARAM_ARRAY=("$@")                                     # Arguments passed to script as an array.
+declare -grx  VAR_SETUP_FILE="${0##*/}"                                  # 'ciss_debian_live_builder.sh'
+declare -grx  VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)"          # '/opt/git/CISS.debian.live.builder'
+declare -grx  VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/opt/git/CISS.debian.live.builder/ciss_debian_live_builder.sh'
+# shellcheck disable=SC2155
+declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
+# shellcheck disable=SC2155
+declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
+# shellcheck disable=SC2155
+declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
+
+### PRELIMINARY CHECKS.
+### No ash, dash, ksh, sh.
+# shellcheck disable=2292
 [ -z "${BASH_VERSINFO[0]}" ] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2; exit "${ERR_UNSPPTBASH}"; }
+  . ./var/global.var.sh
+  printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2
+  exit "${ERR_UNSPPTBASH}"
+}
+
+### No zsh.
+[[ -n "${ZSH_VERSION:-}" ]] && {
+  . ./var/global.var.sh
+  printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2
+  exit "${ERR_UNSPPTBASH}"
+}
+
+### Not root.
 [[ ${EUID} -ne 0 ]] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Please make sure you are 'root'! Bye... \e[0m\n" >&2; exit "${ERR_NOT_USER_0}"; }
+  . ./var/global.var.sh
+  printf "\e[91m❌ Please make sure you are 'root'! Bye... \e[0m\n" >&2
+  exit "${ERR_NOT_USER_0}"
+}
+
+### Not called by sh.
+# shellcheck disable=2312
 [[ $(kill -l | grep -c SIG) -eq 0 ]] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2; exit "${ERR_UNSPPTBASH}"; }
+  . ./var/global.var.sh
+  printf "\e[91m❌ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2
+  exit "${ERR_UNSPPTBASH}"
+}
+
+### Not sourced.
+[[ "${BASH_SOURCE[0]}" != "$0" ]] && {
+  . ./var/global.var.sh
+  printf "\e[91m❌ This script must be executed, not sourced. Please run '%s' directly! Bye... \e[0m\n" "$0" >&2
+  exit "${ERR_UNSPPTBASH}"
+}
+
+### Minimum Bash version 5.
 [[ ${BASH_VERSINFO[0]} -lt 5 ]] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
+  . ./var/global.var.sh
+  printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2
+  exit "${ERR_UNSPPTBASH}"
+}
+
+### Minimum Bash version 5.1.
 [[ ${BASH_VERSINFO[0]} -le 5 ]] && [[ ${BASH_VERSINFO[1]} -le 1 ]] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
+  . ./var/global.var.sh
+  printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2
+  exit "${ERR_UNSPPTBASH}"
+}
+
+### No arguments.
 [[ ${#} -eq 0 ]] && {
-  . ./lib/lib_usage.sh; usage; exit 1; }
+  . ./lib/lib_usage.sh
+  usage
+  exit 1
+}

 ### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING(), CHECK_GIT()
 . ./var/early.var.sh
 . ./lib/lib_guard_sourcing.sh
-. ./lib/lib_git_var.sh
+. ./lib/lib_source_guard.sh
+source_guard "./lib/lib_git_var.sh"

 ### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG
 for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh; contact; exit 0;; esac; done
-for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh; usage; exit 0;; esac; done
-for arg in "$@"; do case "${arg,,}" in -v|--version) printf "\e[95mCISS.debian.live.builder Version: %s\e[0m\n" "${VAR_VERSION}"; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh  ; usage  ; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh; version; exit 0;; esac; done

 ### ALL CHECKS DONE. READY TO START THE SCRIPT
 check_git
-for arg in "$@"; do case "${arg,,}" in -d|--debug)   . ./meta_sources_debug.sh; debugger "${@}";; esac; done
+for arg in "$@"; do case "${arg,,}" in -d|--debug) . ./meta_sources_debug.sh; debugger "${@}";; esac; done
 declare -gx VAR_SETUP="true"

 ### SOURCING VARIABLES
 [[ "${VAR_SETUP}" == true ]] && {
-  . ./var/bash.var.sh
-  . ./var/color.var.sh
-  . ./var/global.var.sh
+  source_guard "./var/bash.var.sh"
+  source_guard "./var/color.var.sh"
+  source_guard "./var/global.var.sh"
 }

 ### SOURCING LIBRARIES
 [[ "${VAR_SETUP}" == true ]] && {
-  . ./lib/lib_arg_parser.sh
-  . ./lib/lib_arg_priority_check.sh
-  . ./lib/lib_boot_screen.sh
-  . ./lib/lib_cdi.sh
-  . ./lib/lib_change_splash.sh
-  . ./lib/lib_check_dhcp.sh
-  . ./lib/lib_check_hooks.sh
-  . ./lib/lib_check_kernel.sh
-  . ./lib/lib_check_pkgs.sh
-  . ./lib/lib_check_provider.sh
-  . ./lib/lib_check_stats.sh
-  . ./lib/lib_check_var.sh
-  . ./lib/lib_clean_screen.sh
-  . ./lib/lib_clean_up.sh
-  . ./lib/lib_copy_integrity.sh
-  . ./lib/lib_hardening_root_pw.sh
-  . ./lib/lib_hardening_ssh.sh
-  . ./lib/lib_hardening_ultra.sh
-  . ./lib/lib_helper_ip.sh
-  . ./lib/lib_lb_build_start.sh
-  . ./lib/lib_lb_config_start.sh
-  . ./lib/lib_lb_config_write.sh
-  . ./lib/lib_provider_netcup.sh
-  . ./lib/lib_run_analysis.sh
-  . ./lib/lib_sanitizer.sh
-  . ./lib/lib_trap_on_err.sh
-  . ./lib/lib_trap_on_exit.sh
-  . ./lib/lib_usage.sh
+  source_guard "./lib/lib_arg_parser.sh"
+  source_guard "./lib/lib_arg_priority_check.sh"
+  source_guard "./lib/lib_boot_screen.sh"
+  source_guard "./lib/lib_cdi.sh"
+  source_guard "./lib/lib_change_splash.sh"
+  source_guard "./lib/lib_check_dhcp.sh"
+  source_guard "./lib/lib_check_hooks.sh"
+  source_guard "./lib/lib_check_kernel.sh"
+  source_guard "./lib/lib_check_pkgs.sh"
+  source_guard "./lib/lib_check_provider.sh"
+  source_guard "./lib/lib_check_stats.sh"
+  source_guard "./lib/lib_check_var.sh"
+  source_guard "./lib/lib_clean_screen.sh"
+  source_guard "./lib/lib_clean_up.sh"
+  source_guard "./lib/lib_copy_integrity.sh"
+  source_guard "./lib/lib_hardening_root_pw.sh"
+  source_guard "./lib/lib_hardening_ssh.sh"
+  source_guard "./lib/lib_hardening_ultra.sh"
+  source_guard "./lib/lib_helper_ip.sh"
+  source_guard "./lib/lib_lb_build_start.sh"
+  source_guard "./lib/lib_lb_config_start.sh"
+  source_guard "./lib/lib_lb_config_write.sh"
+  source_guard "./lib/lib_lb_config_write_trixie.sh"
+  source_guard "./lib/lib_provider_netcup.sh"
+  source_guard "./lib/lib_run_analysis.sh"
+  source_guard "./lib/lib_sanitizer.sh"
+  source_guard "./lib/lib_trap_on_err.sh"
+  source_guard "./lib/lib_trap_on_exit.sh"
+  source_guard "./lib/lib_usage.sh"
 }

 ### ADVISORY LOCK
@@ -113,61 +170,61 @@ for dir in /usr/local/sbin /usr/sbin; do case ":${PATH}:" in *":${dir}:"*) ;; *)
 check_pkgs

 ### DIALOG OUTPUT FOR INITIALIZATION
-if ! $VAR_HANDLER_AUTOBUILD; then boot_screen; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen; fi

 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi

 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nAdditional initialization ... \nXXX\n30\n" >&3; fi
-### Initialization
-declare -gr ARGUMENTS_COUNT="$#"
-declare -gr ARG_STR_ORG_INPUT="$*"
-#declare -ar ARG_ARY_ORG_INPUT=("$@")
-# shellcheck disable=SC2155
-declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
-# shellcheck disable=SC2155
-declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
-# shellcheck disable=SC2155
-declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nAdditional initialization ... \nXXX\n30\n" >&3; fi

 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
 ### Following the CISS Bash naming and ordering scheme:
 trap 'trap_on_exit "$?"' EXIT
 trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR

 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
 arg_check "$@"
 declare -ar ARY_ARG_SANITIZED=("$@")
 declare -gr VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"

 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi
 arg_parser "$@"

 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi
 clean_ip

 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi

 ### Turn off Dialog Wrapper
-if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi

 ### MAIN Program
 arg_priority_check
 check_stats
-if ! $VAR_HANDLER_AUTOBUILD; then check_provider; fi
-if ! $VAR_HANDLER_AUTOBUILD; then check_kernel; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then check_provider; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then check_kernel; fi
 check_hooks
 hardening_ssh
 lb_config_start
-lb_config_write

+if [[ "${VAR_SUITE}" == "bookworm" ]]; then
+  lb_config_write
+  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_trixie.chroot"
+else
+  lb_config_write_trixie
+  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/0003_install_backports.chroot"
+  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_bookworm.chroot"
+fi
+
+# shellcheck disable=SC2164
 cd "${VAR_WORKDIR}"
+
 hardening_ultra
 hardening_root_pw
 change_splash
--- a/config/hooks/live/0001_initramfs_modules.chroot
+++ b/config/hooks/live/0001_initramfs_modules.chroot
@@ -21,7 +21,9 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 #######################################
 grep_nic_driver_modules() {
  declare _mods
-  # Gather all Driver and sort unique
+
+  ### Gather all Driver and sort unique.
+  # shellcheck disable=SC2312
  readarray -t _mods < <(
    lspci -k \
      | grep -A2 -i ethernet \
--- a/config/hooks/live/0810_chrony_setup.chroot
+++ b/config/hooks/live/0810_chrony_setup.chroot
@@ -39,14 +39,13 @@ authselectmode require
 server ptbtime1.ptb.de iburst nts minpoll 5 maxpoll 9
 server ptbtime2.ptb.de iburst nts minpoll 5 maxpoll 9
 server ptbtime3.ptb.de iburst nts minpoll 5 maxpoll 9
-server ptbtime4.ptb.de iburst nts noselect minpoll 5 maxpoll 9
-# server nts.netnod.se iburst nts minpoll 5 maxpoll 9
-
+server ptbtime4.ptb.de iburst nts minpoll 5 maxpoll 9
+server sth1.ntp.se iburst nts minpoll 5 maxpoll 9
+server ntp0.fau.de iburst nts minpoll 5 maxpoll 9
+server ntp13.metas.ch iburst nts minpoll 5 maxpoll 9
 # server ntp.ripe.net iburst nts minpoll 5 maxpoll 9
-# server ntp12.metas.ch iburst nts minpoll 5 maxpoll 9
 # server ntp2.tecnico.ulisboa.pt iburst nts minpoll 5 maxpoll 9
 # server time-c-b.nist.gov iburst nts minpoll 5 maxpoll 9
-server ntp0.fau.de iburst nts minpoll 5 maxpoll 9

 leapsectz right/UTC

--- a/config/hooks/live/9998_sources_list_bookworm.chroot
+++ b/config/hooks/live/9998_sources_list_bookworm.chroot
--- a/config/hooks/live/9998_sources_list_trixie.chroot
+++ b/config/hooks/live/9998_sources_list_trixie.chroot
@@ -0,0 +1,59 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -C -e -u -o pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+# sleep 1
+
+cd /root
+
+if [[ -f /etc/apt/sources.list ]]; then
+  mv /etc/apt/sources.list /root/.ciss/dlb/backup/sources.list.bak
+fi
+
+cat << 'EOF' >| /etc/apt/sources.list
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
+# SPDX-PackageName: CISS.2025.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+#-----------------------------------------------------------------------------------------#
+#                                  OFFICIAL DEBIAN REPOS
+#-----------------------------------------------------------------------------------------#
+
+### Debian Main Repos Bookworm
+
+deb https://deb.debian.org/debian/ trixie main contrib non-free non-free-firmware
+deb-src https://deb.debian.org/debian/ trixie main contrib non-free non-free-firmware
+
+deb http://security.debian.org/debian-security trixie-security main contrib non-free non-free-firmware
+deb-src http://security.debian.org/debian-security trixie-security main contrib non-free non-free-firmware
+
+deb https://deb.debian.org/debian/ trixie-updates main contrib non-free non-free-firmware
+deb-src https://deb.debian.org/debian/ trixie-updates main contrib non-free non-free-firmware
+
+deb https://deb.debian.org/debian/ trixie-backports main contrib non-free non-free-firmware
+deb-src https://deb.debian.org/debian/ trixie-backports main contrib non-free non-free-firmware
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+# sleep 1
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.832.2025.06.24
+### Version Master V8.04.002.2025.08.11

 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -31,12 +31,12 @@ ListenAddress                ::
 Port MUST_BE_CHANGED
 AllowUsers                   root
 UseDNS                       no
-### Force a key exchange after transferring 1 GiB of data or 1 hour of session time,
-### whichever occurs first.
+### Force a key exchange after transferring 1 GiB of data or 1 hour of session time, whichever occurs first.
 RekeyLimit                   1G 1h

 HostKey                      /etc/ssh/ssh_host_ed25519_key
 HostKey                      /etc/ssh/ssh_host_rsa_key
+TrustedUserCAKeys            none

 PubkeyAuthentication         yes
 PermitRootLogin              prohibit-password
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Version Master V8.03.832.2025.06.24
+### Version Master V8.04.002.2025.08.11

 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-declare -gr VERSION="Master V8.03.832.2025.06.24"
+declare -gr VERSION="Master V8.04.002.2025.08.11"

 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh

 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.03.832.2025.06.24 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.04.002.2025.08.11 at: 10:18:37.9542
--- a/config/includes.chroot/root/.bashrc
+++ b/config/includes.chroot/root/.bashrc
@@ -10,25 +10,6 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# ~/.bashrc: executed by bash(1) for non-login shells.
-
-# Note: PS1 and umask are already set in /etc/profile. You should not
-# need this unless you want different defaults for root.
-# PS1='${debian_chroot:+($debian_chroot)}\h:\w\$ '
-# umask 022
-
-# You may uncomment the following lines if you want `ls' to be colorized:
-# export LS_OPTIONS='--color=auto'
-# eval "$(dircolors)"
-# alias ls='ls $LS_OPTIONS'
-# alias ll='ls $LS_OPTIONS -l'
-# alias l='ls $LS_OPTIONS -lA'
-#
-# Some more alias to avoid making mistakes:
-# alias rm='rm -i'
-# alias cp='cp -i'
-# alias mv='mv -i'
-
 [[ $- != *i* ]] && return

 trap ' "${SHELL}" /root/.ciss/clean_logout.sh ' 0
@@ -55,27 +36,20 @@ export CMAG='\033[1;95m'
 export CCYA='\033[1;96m'
 export CWHI='\033[1;97m'
 export CRES='\033[0m'
-
-#if [[ "${UID}" -eq 0 ]]; then
-#  export user_color="${CRED}"
-#else
-#  export user_color="${CGRE}"
-#fi
+export NL='\n'

 ### Define bash colorful prompt
-# PS1="${user_color}\d${CRES}|${user_color}\u${CRES}@${CMAG}\h${CRES}:${CCYA}\w${CRES}/>>\$(if [[ \$? -eq 0 ]]; then echo -e \"${CGRE}\$?${CRES}\"; else echo -e \"${CRED}\$?${CRES}\"; fi)|~\$ "
-PS1="\
-\[\033[1;91m\]\d\[\033[0m\]|\[\033[1;91m\]\u\[\033[0m\]@\
+export PS1="\
+\[\033[1;91m\]\d\[\033[0m\]|\
+\[\033[1;91m\]\u\[\033[0m\]@\
 \[\033[1;95m\]\h\[\033[0m\]:\
 \[\033[1;96m\]\w\[\033[0m\]/>>\
 \$(if [[ \$? -eq 0 ]]; then \
-    # Show exit status in green if zero
    echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
  else \
-    # Show exit status in red otherwise
    echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
  fi)\
-|~\$ "
+\$(if [[ \$(id -u) -eq 0 ]]; then echo -e \" \[\033[1;91m\]#\[\033[0m\] \"; else echo -e \" \[\033[1;92m\]\\\$\[\033[0m\] \"; fi)"

 ### Overwrite Protection
 set -o noclobber
@@ -83,11 +57,23 @@ alias cp="cp -iv"
 alias mv='mv -iv'
 alias rm='rm -iv'

-# Welcome message after login
+### Welcome message after login
 printf "\n"
 printf "\e[91m🔐 Coresecret Channel Established. \e[0m\n"
-printf "\e[92m✅ Welcome back\e[0m"; printf "\e[95m '%s' \e[0m" "${USER}"; printf "\e[92m! Type\e[0m"; printf "\e[95m 'celp'\e[0m"; printf "\e[92m for shortcuts. \e[0m\n"
+printf "\e[92m✅ Welcome back\e[0m"
+printf "\e[95m '%s' \e[0m" "${USER}"; printf "\e[92m! Type\e[0m"; printf "\e[95m 'celp'\e[0m"; printf "\e[92m for shortcuts. \e[0m\n"
 printf "\n"
 printf "\n"

+### Welcome message after login.
+#printf "\n"
+#printf "%s🔐 Coresecret Channel Established. %s%s" "${CRED}" "${CRES}" "${NL}"
+#printf "%s✅ Welcome back %s " "${CGRE}" "${CRES}"
+#printf "%s'%s'%s" "${CMAG}" "${USER}" "${CRES}"
+#printf "%s! Type%s " "${CGRE}" "${CRES}"
+#printf "%s'celp'%s " "${CMAG}" "${CRES}"
+#printf "%sfor shortcuts. %s%s" "${CGRE}" "${CRES}" "${NL}"
+#printf "\n"
+#printf "\n"
+
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/alias
+++ b/config/includes.chroot/root/.ciss/alias
@@ -11,16 +11,6 @@
 # SPDX-Security-Contact: security@coresecret.eu

 ########################################################################################### Alpha
-#######################################
-# Outputs a 16-character random printable string
-# Arguments:
-#  None
-#######################################
-genstring() {
-  (haveged -n 1000 -f - 2>/dev/null | tr -cd '[:graph:]' | fold -w 16 && echo ) | head
-}
-
-# Generates 1,048,576 random bytes into a timestamped file
 alias genkeyfile='haveged -n 1048576 >| /tmp/secure_keyfile_$(date +%s)'

 ########################################################################################### Bash
@@ -60,6 +50,7 @@ alias aptupd='apt update'
 alias aptupg='apt upgrade'
 alias apti='apt install'
 alias aptp='apt purge'
+alias aptpp='dpkg --purge'
 alias aptr='apt remove'
 alias aptse='apt search'
 alias aptsh='apt show'
@@ -104,11 +95,11 @@ alias whatpurge='dpkg --get-selections | grep deinstall'

 ########################################################################################### Functions

-###########################################################################################
+#######################################
 # Generates Secure (/dev/random) Passwords
 # Arguments:
-#  Length of Password, e.g., 32, and --base64 in case of encoding in BASE64.
-###########################################################################################
+#    Length of Password, e.g., 32, and --base64 in case of encoding in BASE64.
+#######################################
 # shellcheck disable=SC2317
 genpasswd() {
  declare -i length=32
@@ -128,6 +119,7 @@ genpasswd() {
  done

  declare passwd
+  # shellcheck disable=SC2312
  passwd=$(tr -dc 'A-Za-z0-9_' < /dev/random | head -c "${length}")

  if [[ ${usebase64} -eq 1 ]]; then
@@ -137,23 +129,38 @@ genpasswd() {
  fi
 }

-###########################################################################################
-# Generates Secure (/dev/random) Passwords
+#######################################
+# Generates Secure (/dev/random) Passwords.
 # Arguments:
-#  none
-###########################################################################################
+#   none
+#######################################
 # shellcheck disable=SC2317
 genpasswdhash() {
  declare salt
+  # shellcheck disable=SC2312
  salt=$(tr -dc 'A-Za-z0-9' < /dev/random | head -c 16)
  mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608
 }

 #######################################
-# Wrapper for secure curl
+# Outputs a 16-character random printable string
 # Arguments:
-#  $1: URL from which to download a specific file
-#  $2: /path/to/file to be saved to
+#   None
+#######################################
+genstring() {
+  # shellcheck disable=SC2312
+  (haveged -n 1000 -f - 2>/dev/null | tr -cd '[:graph:]' | fold -w 16 && echo ) | head
+}
+
+#######################################
+# Wrapper for secure curl
+# Globals:
+#   CRED
+#   CRES
+#   NL
+# Arguments:
+#   1: URL from which to download a specific file
+#   2: /path/to/file to be saved to
 # Returns:
 #   0: Download successful
 #   1: Usage error
@@ -161,7 +168,7 @@ genpasswdhash() {
 #######################################
 scurl() {
  if [[ $# -ne 2 ]]; then
-    printf "\e[91m❌ Error: Usage: scurl <URL> <path/to/file>.\e[0m\n" >&2
+    printf "%s❌ Error: Usage: scurl <URL> <path/to/file>. %s%s" "${CRED}" "${CRES}" "${NL}" >&2
    return 1
  fi
  declare url="$1"
@@ -173,7 +180,7 @@ scurl() {
            -o "${output_path}" \
            "${url}"
  then
-    printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "${url}" >&2
+    printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
    return 2
  fi
  return 0
@@ -181,9 +188,13 @@ scurl() {

 #######################################
 # Wrapper for secure wget
+# Globals:
+#   CRED
+#   CRES
+#   NL
 # Arguments:
-#  $1: URL from which to download a specific file
-#  $2: /path/to/file to be saved to
+#   1: URL from which to download a specific file
+#   2: /path/to/file to be saved to
 # Returns:
 #   0: Download successful
 #   1: Usage error
@@ -191,7 +202,7 @@ scurl() {
 #######################################
 swget() {
  if [[ $# -ne 2 ]]; then
-    printf "\e[91m❌ Error: Usage: swget <URL> <path/to/file>.\e[0m\n" >&2
+    printf "%s❌ Error: Usage: swget <URL> <path/to/file>. %s%s" "${CRED}" "${CRES}" "${NL}" >&2
    return 1
  fi
  declare url="$1"
@@ -204,30 +215,57 @@ swget() {
            -qO "${output_path}" \
            "${url}"
  then
-    printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "$url" >&2
+    printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
    return 2
  fi
  return 0
 }

 #######################################
-# Wrapper for loading CISS.2025 hardened Kernel Parameters
+# Wrapper for loading CISS.2025 hardened Kernel Parameters.
 # Arguments:
-#  None
+#   None
 #######################################
 sysp() {
  sysctl -p /etc/sysctl.d/99_local.hardened
  # sleep 1
-  sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
+  # shellcheck disable=SC2312
+  sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
 }

 #######################################
 # Wrapper for tree
 # Arguments:
-#  $1: Depth of Directory Listing
+#   1: Depth of Directory Listing
 #######################################
 trel() {
  declare depth=${1:-3}
  tree -C -h --dirsfirst -L "${depth}"
 }
+
+#######################################
+# Wrapper for package and path to bin.
+# Arguments:
+#   1: Program
+#######################################
+whichpackage() {
+  if ! command -v "$1" >/dev/null 2>&1; then
+    printf '%s❌ Error: Program '%s' not found. %s%s' "${CRED}" "$1" "${CRES}" "${NL}" >&2
+    exit 1
+  fi
+  # shellcheck disable=SC2230,SC2312
+  dpkg -S "$(which "$1")"
+}
+
+#######################################
+# Wrapper for Diskspace used in Path.
+# Arguments:
+#   1: Path (defaults /var)
+#   2: Depth (defaults 1)
+#   3: Number of Entries (defaults 16)
+#######################################
+whichused() {
+  # shellcheck disable=SC2312
+  du -h --max-depth="${2:-1}" "${1:-/var}" | sort -hr | head -n "${3:-16}"
+}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/clean_logout.sh
+++ b/config/includes.chroot/root/.ciss/clean_logout.sh
@@ -36,4 +36,6 @@ echo -e "\e[92m          All done" "\e[95m'${USER}'" "\e[92m! \e[0m"
 echo -e "\e[92m          Close shell with 'ENTER' to exit" "\e[95m'${HOSTNAME}'" "\e[92m! \e[0m"
 # shellcheck disable=SC2162
 read
+[[ -x /usr/bin/clear_console ]] && /usr/bin/clear_console -q
+exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/f2bchk.sh
+++ b/config/includes.chroot/root/.ciss/f2bchk.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+set -Ceuo pipefail
+
 #######################################
 # Wrapper for fail2ban filter checks against logs.
 # Usage: f2bchk --mode=ignored || --mode=matched  || --mode=missed \
@@ -17,16 +19,18 @@
 #               --log=/var/log/ufw.log \
 #               --output=/tmp/f2bchk.log
 # Globals:
-#   DEFAULT_FILTER
-#   DEFAULT_LOG
-#   DEFAULT_MODE
+#   CGRE
+#   CRED
+#   CRES
+#   NL
 # Arguments:
-#  None
+#   None
 # Returns:
-#   1 In case of any errors
+#   0: on success
+#   1: In case of any errors
 #######################################
 f2bchk(){
-  # Declare default values (readonly)
+  ### Declare default values (readonly)
  declare -r DEFAULT_MODE="matched"
  declare -r DEFAULT_FILTER="/etc/fail2ban/filter.d/ufw.aggressive.conf"
  declare -r DEFAULT_LOG="/var/log/ufw.log"
@@ -44,7 +48,7 @@ f2bchk(){
      --log=*)    log="${arg#--log=}";;
      --output=*) output="${arg#--output=}";;
      *)
-        printf "\e[31m[ERROR]\e[0m Unknown argument: %s\n" "${arg}"
+        printf "%s[ERROR]%s Unknown argument: '%s' %s" "${CRED}" "${CRES}" "${arg}" "${CRED}"
        return 1
        ;;
    esac
@@ -56,7 +60,7 @@ f2bchk(){
    matched) flag="--print-all-matched"; suffix="all.matched";;
    missed)  flag="--print-all-missed";  suffix="all.missed";;
    *)
-      printf "\e[31m[ERROR]\e[0m Invalid mode: %s\n" "${mode}"
+      printf "%s[ERROR]%s Invalid mode: '%s' %s" "${CRED}" "${CRES}" "${mode}" "${NL}"
      return 1
      ;;
  esac
@@ -66,22 +70,30 @@ f2bchk(){
    filter_name="${filter_name%.conf}"
    output="/tmp/${filter_name}.${suffix}.log"
  fi
+
  if [[ ! -r "${log}" ]]; then
-    printf "\e[31m[ERROR]\e[0m Log file '%s' not found or not readable.\n" "${log}"
-    return 1
-  fi
-  if [[ ! -r "${filter}" ]]; then
-    printf "\e[31m[ERROR]\e[0m Filter file '%s' not found or not readable.\n" "${filter}"
+    printf "%s[ERROR]%s Log file '%s' not found or not readable. %s" "${CRED}" "${CRES}" "${log}" "${NL}"
    return 1
  fi

-  printf "\e[33m[INFO]\e[0m Running: fail2ban-regex %s %s %s\n" "${log}" "${filter}" "${flag}"
-  if fail2ban-regex "${log}" "${filter}" "${flag}" >| "${output}"; then
-    printf "\e[32m[SUCCESS]\e[0m Saved log to %s\n" "$output"
-    printf "You can view it with: cat %s\n" "$output"
-  else
-    printf "\e[31m[ERROR]\e[0m fail2ban-regex execution failed.\n"
+  if [[ ! -r "${filter}" ]]; then
+    printf "%s[ERROR]%s Filter file '%s' not found or not readable. %s" "${CRED}" "${CRES}" "${filter}" "${NL}"
    return 1
  fi
+
+  printf "%s[INFO]%s Running: fail2ban-regex '%s %s %s' %s" "${CGRE}" "${CRES}" "${log}" "${filter}" "${flag}" "${NL}"
+
+  if fail2ban-regex "${log}" "${filter}" "${flag}" >| "${output}"; then
+
+    printf "%s[SUCCESS]%s Saved log to: '%s' %s" "${CGRE}" "${CRES}" "${output}" "${NL}"
+    printf "You can view it with: cat %s%s" "${output}" "${NL}"
+  else
+
+    printf "%s[ERROR]%s fail2ban-regex execution failed. %s" "${CRED}" "${CRES}" "${NL}"
+    return 1
+
+  fi
+
+  exit 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/scan_libwrap
+++ b/config/includes.chroot/root/.ciss/scan_libwrap
@@ -12,30 +12,38 @@

 #######################################
 # Scanner for 'libwrap' usage.
+# Globals:
+#   CGRE
+#   CRES
+#   NL
 # Arguments:
-#  None
+#   None
 #######################################
 scanlw() {
-  printf "\e[92m🔍 Scanning all running processes for 'libwrap' usage ... \e[0m\n"
+  printf "%s🔍 Scanning all running processes for 'libwrap' usage ... %s%s" "${CGRE}" "${CRES}" "${NL}"
  printf "\n"

-  # Collect binaries from all running PIDs
+  ### Collect binaries from all running PIDs.
  declare pid exe_path comm user

  for pid in $(ps -e -o pid=); do
    exe_path=$(readlink -f "/proc/${pid}/exe" 2>/dev/null)

-    # Skip if not a regular executable
+    ### Skip if not a regular executable.
    [[ -x "${exe_path}" ]] || continue

-    # Check if the binary is linked with libwrap
-    if ldd "$exe_path" 2>/dev/null | grep -q "libwrap"; then
-      comm=$(ps -p "$pid" -o comm=)
-      user=$(ps -p "$pid" -o user=)
-      printf "\e[92m✅ PID: %s (%s) [User: %s] is linked with 'libwrap.so'. \e[0m\n" "${pid}" "${comm}" "${user}"
+    ### Check if the binary is linked with libwrap.
+    # shellcheck disable=SC2312
+    if ldd "${exe_path}" 2>/dev/null | grep -q "libwrap"; then
+      comm=$(ps -p "${pid}" -o comm=)
+      user=$(ps -p "${pid}" -o user=)
+      printf "%s✅ PID: %s (%s) [User: %s] is linked with 'libwrap.so'. %s%s" "${CGRE}" "${pid}" "${comm}" "${user}" "${CRES}" "${NL}"
    fi
  done
+
  printf "\n"
-  printf "\e[92m✅ Scan complete. \e[0m\n"
+  printf "%s✅ Scan complete. %s%s" "${CGRE}" "${CRES}" "${NL}"
+
+  exit 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/shortcuts
+++ b/config/includes.chroot/root/.ciss/shortcuts
@@ -21,6 +21,7 @@ declare -ga shortcuts=(
  "apti: apt install"
  "aptimage: get Kernel Img"
  "aptp: apt purge"
+  "aptpp: dpkg --purge"
  "aptr: apt remove"
  "aptse: apt search"
  "aptsh: apt show"
@@ -83,6 +84,8 @@ declare -ga shortcuts=(
  "whatdelete: lsof | grep deleted"
  "whatimage: dpkg --list | grep linux"
  "whatpurge: dpkg --get-selections"
+  "whichpackage <PROGRAM>"
+  "whichused <PATH> <DEPTH> <ENTRIES>"
 )

 #######################################
@@ -101,7 +104,7 @@ celp() {
  declare i=0
  declare entry
  for entry in "${arr[@]}"; do
-    # Print entry left-aligned in fixed width, colored
+    ### Print entry left-aligned in fixed width, colored.
    printf "${CMAG}%-${col_width}s${CRES}" "${entry}"
    ((i++))
    if ((i % cols == 0)); then
--- a/config/package-lists/live.list.common.chroot
+++ b/config/package-lists/live.list.common.chroot
@@ -15,17 +15,21 @@ apt-file
 apt-mirror
 apt-show-versions
 apt-transport-https
+autoconf
+automake
 bash-completion
 bat
 bc
 bind9-dnsutils
 bsdmainutils
 btrfs-progs
+build-essential
 bzip2
 ca-certificates
 clamav
 clamav-daemon
 console-setup
+cpuid
 cryptsetup
 cryptsetup-nuke-password
 curl
@@ -49,6 +53,7 @@ expect
 fail2ban
 fdisk
 figlet
+fio
 fzf
 gawk
 gdisk
@@ -67,6 +72,9 @@ knot-dnsutils
 libpam-google-authenticator
 libpam-pwquality
 libpwquality-tools
+libtomcrypt-dev
+libtommath-dev
+libtool
 linux-doc-6.12
 linux-source
 live-boot
@@ -76,7 +84,6 @@ locate
 logrotate
 lsb-release
 lvm2
-makedev
 makepasswd
 man
 man-db
@@ -84,9 +91,10 @@ manpages
 manpages-dev
 mdadm
 mtr
+musl-tools
 nano
 ncat
-neofetch
+ncdu
 neovim
 net-tools
 netselect-apt
@@ -105,12 +113,12 @@ rsync
 rsyslog
 screen
 shellcheck
-software-properties-common
 spectre-meltdown-checker
 speedtest-cli
 squashfs-tools
 ssh
 ssl-cert
+stress
 sudo
 sysstat
 systemd-sysv
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>

 # 2. DNSSEC Status

--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>

 # 2. Haveged Audit on Netcup RS 2000 G11

--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>

 # 2. Lynis Audit:

--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>

 # 2. SSH Audit by ssh-audit.com

--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>

 # 2. TLS Audit:

--- a/docs/BOOTPARAMS.md
+++ b/docs/BOOTPARAMS.md
@@ -0,0 +1,56 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.live.builder
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
+**Master Version**: 8.03<br>
+**Build**: V8.04.002.2025.08.11<br>
+
+# 2. Hardened Kernel Boot Parameters
+
+Below is a curated set of kernel boot parameters optimized for CISS Debian Installer. These parameters enhance security posture,
+restrict legacy interfaces, enforce memory initialization, and disable speculative side channels. Each parameter is documented 
+with a short rationale.
+
+* ``audit=1``: Enable kernel auditing subsystem.
+* ``audit_backlog_limit=8192``: Set audit event buffer depth.
+* ``cfi=kcfi``: Enable Clang's Control Flow Integrity (if supported by kernel).
+* ``debugfs=off``: Disable debugfs mount, prevents access to kernel internals.
+* ``efi=disable_early_pci_dma``: Prevent early PCI DMA via EFI.
+* ``hardened_usercopy=1``: Harden copy_*_user() functions, mitigate heap/memcpy bugs.
+* ``ia32_emulation=0``: Disable 32-bit x86 binary support on 64-bit kernel.
+* ``init_on_alloc=1``: Zero-initialize heap memory on allocation.
+* ``init_on_free=1``: Zero memory on free to prevent reuse data leaks.
+* ``iommu=force``: Enforce use of IOMMU.
+* ``iommu.strict=1``: Enable strict IOMMU mode (always remap).
+* ``iommu.passthrough=0``: Prevent IOMMU passthrough (forces remapping).
+* ``kfence.sample_interval=100``: Enable low-overhead heap-fence sampling.
+* ``kvm.nx_huge_pages=force``: Enforce NX-bit for KVM hugepages to prevent code execution.
+* ``l1d_flush=on``: Flush L1D cache on VM-entry to mitigate cache side-channels.
+* ``lockdown=confidentiality``: Enable kernel lockdown in confidentiality mode.
+* ``loglevel=0``: Silence all kernel messages (only EMERG shown).
+* ``mitigations=auto,nosmt``: Enable all available speculative mitigations, disable SMT.
+* ``mmio_stale_data=full,force,nosmt``: Mitigate MMIO stale data side channel fully.
+* ``nosmt=force``: Force disable Simultaneous Multithreading (SMT/HT).
+* ``oops=panic``: Trigger kernel panic on oops, ensures halt on fault.
+* ``page_alloc.shuffle=1``: Randomize page allocator freelist order.
+* ``page_poison=1``: Fill freed pages with poison patterns to detect UAF.
+* ``panic=-1``: Prevent automatic reboot after panic.
+* ``pti=on``: Enable Page Table Isolation (Meltdown mitigation).
+* ``random.trust_bootloader=off``: Do not trust RNG state from bootloader.
+* ``random.trust_cpu=off``: Do not trust CPU's RDRAND or RDSEED.
+* ``randomize_kstack_offset=on``: Enable randomized kernel stack offset per syscall.
+* ``randomize_va_space=2``: Enable full ASLR for mmap and heap.
+* ``retbleed=auto,nosmt``: Mitigate Retbleed exploit path via branch prediction.
+* ``rodata=on``: Enforce read-only sections for .rodata.
+* ``slab_nomerge``: Disable merging of similar slab caches.
+* ``vdso32=0``: Disable 32-bit vdso mapping (x86 compatibility).
+* ``vsyscall=none``: Disable vsyscall legacy mapping.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -8,10 +8,58 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>

 # 2. Changelog

+## V8.04.002.2025.08.11
+* Updated: Experimental support for Debian Trixie
+
+## V8.03.920.2025.08.07
+
+* Updated: [lib_arg_parser.sh](../lib/lib_arg_parser.sh)
+* Updated: [ciss_live_builder.sh](../ciss_live_builder.sh)
+* Updated: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
+
+## V8.03.912.2025.07.23
+
+* Updated: [alias](../config/includes.chroot/root/.ciss/alias)
+* Updated: [clean_logout.sh](../config/includes.chroot/root/.ciss/clean_logout.sh)
+* Updated: [f2bchk.sh](../config/includes.chroot/root/.ciss/f2bchk.sh)
+* Updated: [scan_libwrap](../config/includes.chroot/root/.ciss/scan_libwrap)
+* Updated: [shortcuts](../config/includes.chroot/root/.ciss/shortcuts)
+* Updated: [.bashrc](../config/includes.chroot/root/.bashrc)
+
+## V8.03.896.2025.07.22
+
+* Added: [.shellcheckrc](../.shellcheckrc)
+* Bugfixes: [ciss_live_builder.sh](../ciss_live_builder.sh)
+* Updated: [0810_chrony_setup.chroot](../config/hooks/live/0810_chrony_setup.chroot)
+
+## V8.03.880.2025.07.19
+
+* Updated: [alias](../config/includes.chroot/root/.ciss/alias)
+* Updated: [shortcuts](../config/includes.chroot/root/.ciss/shortcuts)
+* Added: Package ``ncdu``: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
+* Added: ``TrustedUserCAKeys none``: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config)
+
+## V8.03.864.2025.07.15
+
+* Updated: [0010_dhcp_supersede.sh](../scripts/0010_dhcp_supersede.sh)
+* Added: [BOOTPARAMS.md](BOOTPARAMS.md)
+* Added: Package ``cpuid``: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
+
+## V8.03.832.2025.06.25
+
+* Added: [lib_version.sh](../lib/lib_version.sh)
+* Updated:
+  * [lib_contact.sh](../lib/lib_contact.sh)
+  * [lib_usage.sh](../lib/lib_usage.sh)
+* Packages added:
+  * https://packages.debian.org/bookworm/fio
+  * https://packages.debian.org/bookworm/stress 
+* Timezone changed to ``Etc/UTC``
+
 ## V8.03.832.2025.06.24

 * Updated:
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>

 # 2. Centurion Net - Developer Branch Overview

--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>

 # 2. Coding Style

--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>

 # 2. Contributing / participating

--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>

 # 2. Credits

--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>

 # 2. Download the latest PUBLIC CISS.debian.live.ISO

--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,12 +8,12 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>

 # 2.1. Usage
 ````text
 CISS.debian.live.builder
-Master V8.03.832.2025.06.24
+Master V8.04.002.2025.08.11
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.

 (c) Marc S. Weidner, 2018 - 2025
@@ -120,6 +120,9 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
    Imports the SSH Public Key(s) from the FILE 'authorized_keys' of the
    specified PATH into the Live ISO. MUST be provided.

+  --trixie
+    Create a Debian Trixie Live ISO. Experimental Feature.
+
  --version, -v
    Displays version of ./ciss_live_builder.sh.

@@ -133,7 +136,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
 # 2.2. Contact
 ````text
 CISS.debian.live.builder
-Master V8.03.832.2025.06.24
+Master V8.04.002.2025.08.11
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.

 (c) Marc S. Weidner, 2018 - 2025
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>

 # 2. Resources

--- a/docs/SECURITY/coresecret.dev.png
+++ b/docs/SECURITY/coresecret.dev.png
--- a/lib/lib_arg_parser.sh
+++ b/lib/lib_arg_parser.sh
@@ -64,8 +64,8 @@ arg_parser() {
          ;;

        -c | --contact)
-          if [[ -n "${2}" && "${2}" != -* ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --contact MUST NOT be followed by an argument.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
@@ -74,8 +74,8 @@ arg_parser() {
          ;;

        -h | --help)
-          if [[ -n "${2}" && "${2}" != -* ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --help MUST NOT be followed by an argument.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
@@ -84,8 +84,8 @@ arg_parser() {
          ;;

        -v | --version)
-          if [[ -n "${2}" && "${2}" != -* ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --version MUST NOT be followed by an argument.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
@@ -98,7 +98,7 @@ arg_parser() {
            declare -gx VAR_ARCHITECTURE="${2}"
            shift 2
          else
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --architecture MUST be 'amd64' or 'arm64'.\e[0m\n" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -109,7 +109,7 @@ arg_parser() {
        --build-directory)
          declare -gx VAR_HANDLER_BUILD_DIR="${2}"
          if [[ ! "${VAR_HANDLER_BUILD_DIR}" =~ ^/ ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --build-directory MUST be an absolute path. Got: '%s'\n" "${VAR_HANDLER_BUILD_DIR}" >&2
            exit "${ERR_NOTABSPATH}"
          fi
@@ -118,8 +118,8 @@ arg_parser() {
          ;;

        --cdi)
-          if [[ -n "${2}" && "${2}" != -* ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --cdi MUST NOT be followed by an argument.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
@@ -133,7 +133,7 @@ arg_parser() {
            declare -g VAR_HANDLER_SPLASH="${2}"
            shift 2
          else
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --change-splash MUST be 'club' or 'hexagon'.\e[0m\n" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -142,11 +142,11 @@ arg_parser() {
          ;;

        --control)
-          if [[ -n "${2}" ]]; then
+          if [[ -n "${2-}" ]]; then
            declare -g VAR_HANDLER_ISO_COUNTER="${2}"
            shift 2
          else
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --control MUST be provided with a Parameter.\e[0m\n" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -155,8 +155,8 @@ arg_parser() {
          ;;

        --debug)
-          if [[ -n "${2}" && "${2}" != -* ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --debug MUST NOT be followed by an argument.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
@@ -165,8 +165,8 @@ arg_parser() {
          ;;

        --dhcp-centurion)
-          if [[ -n "${2}" && "${2}" != -* ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --dhcp-centurion MUST NOT be followed by an argument.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
@@ -176,7 +176,7 @@ arg_parser() {
          ;;

        --jump-host)
-          if [[ -n "${2}" && "${2}" != -* ]]; then
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
            declare -i count=0
            shift
            while [[ "${#}" -gt 0 && "${1}" != -* && count -lt 10 ]]; do
@@ -188,7 +188,7 @@ arg_parser() {
              shift
            done
          else
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --jump-host MUST contain one or up to ten IPs.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
@@ -196,8 +196,8 @@ arg_parser() {
          ;;

        --log-statistics-only)
-          if [[ -n "${2}" && "${2}" != -* ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --log-statistics-only MUST NOT be followed by an argument.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
@@ -207,7 +207,7 @@ arg_parser() {
          ;;

        --provider-netcup-ipv6)
-          if [[ -n "${2}" && "${2}" != -* ]]; then
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
            declare -i count=0
            declare -g VAR_HANDLER_NETCUP_IPV6=true
            shift
@@ -221,7 +221,7 @@ arg_parser() {
              shift
            done
          else
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --provider-netcup-ipv6 MUST provide one IPv6.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
@@ -229,11 +229,11 @@ arg_parser() {
          ;;

        --renice-priority)
-          if [[ -n ${2} && ${2} =~ ^-?[0-9]+$ && ${2} -ge -19 && ${2} -le 19 ]]; then
-            declare -gi VAR_HANDLER_PRIORITY="$2"
+          if [[ -n ${2-} && ${2} =~ ^-?[0-9]+$ && ${2} -ge -19 && ${2} -le 19 ]]; then
+            VAR_HANDLER_PRIORITY="$2"
            shift 2
          else
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --renice-priority MUST an integer between '-19' and '19'.\e[0m\n" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -242,28 +242,28 @@ arg_parser() {
          ;;

        --reionice-priority)
-          if [[ -z "${2}" ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+          if [[ -z "${2-}" ]]; then
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --reionice-priority no values provided.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_REIONICE_P}"
          else
            if [[ "${2}" =~ ^[1-3]$ ]]; then
-              declare -gi VAR_REIONICE_CLASS="${2}"
-              if [[ -z "${3}" ]]; then
+              VAR_REIONICE_CLASS="${2}"
+              if [[ -z "${3-}" ]]; then
                :
              else
                if [[ "${3}" =~ ^[0-7]$ ]]; then
-                  declare -gi VAR_REIONICE_PRIORITY="${3}"
+                  VAR_REIONICE_PRIORITY="${3}"
                else
-                  if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+                  if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
                  printf "\e[91m❌ Error: --reionice-priority PRIORITY MUST be an integer between '0' and '7'.\e[0m\n" >&2
                  read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
                  exit "${ERR_REIO_P_VAL}"
                fi
              fi
            else
-              if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+              if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
              printf "\e[91m❌ Error: --reionice-priority CLASS MUST be an integer between '1' and '3'.\e[0m\n" >&2
              read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
              exit "${ERR_REIO_C_VAL}"
@@ -279,7 +279,7 @@ arg_parser() {
        --root-password-file)
          declare pw_file="${2}"
          if [[ -z "${pw_file}" ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --root-password-file missing password file path argument.\e[0m\n" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -287,7 +287,7 @@ arg_parser() {
          fi

          if [[ ! -f "${pw_file}" ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --root-password-file password file '%s' does not exist.\e[0m\n" "${pw_file}" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -298,7 +298,7 @@ arg_parser() {
          owner=$(stat -c '%U:%G' "${pw_file}")
          if [[ "${owner}" != "root:root" ]]; then
            chown root:root "${pw_file}" || {
-              if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+              if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
              printf "\e[91m❌ Error: --root-password-file failed to set owner root:root on '%s'.\e[0m\n" "${pw_file}" >&2
              # shellcheck disable=SC2162
              read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -310,7 +310,7 @@ arg_parser() {
          perms=$(stat -c '%a' "${pw_file}")
          if [[ "${perms}" -ne 400 ]]; then
            chmod 400 "${pw_file}" || {
-              if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+              if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
              printf "\e[91m❌ Error: --root-password-file failed to set permissions 0400 on '%s'.\e[0m\n" "${pw_file}" >&2
              # shellcheck disable=SC2162
              read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -328,7 +328,7 @@ arg_parser() {
          declare pw_length
          pw_length=${#plaintext_pw}
          if (( pw_length < 20 || pw_length > 64 )); then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --root-password-file password MUST be between 20 and 64 characters (got %d).\e[0m\n" "${pw_length}" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -338,7 +338,7 @@ arg_parser() {
          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
          if [[ "${plaintext_pw}" == *\"* ]]; then
            [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --root-password-file password MUST NOT contain double quotes (\").\e[0m\n" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -374,11 +374,11 @@ arg_parser() {
          ;;

        --ssh-port)
-          if [[ -n "${2}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then
+          if [[ -n "${2-}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then
            declare -gi VAR_SSHPORT="${2}"
            shift 2
          else
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --ssh-port MUST be an integer between '1' and '65535'.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR__SSH__PORT}"
@@ -390,8 +390,13 @@ arg_parser() {
          shift 2
          ;;

+        --trixie)
+          declare -g VAR_SUITE="trixie"
+          shift 1
+          ;;
+
        *)
-          if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+          if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
          usage
          ;;
    esac
--- a/lib/lib_contact.sh
+++ b/lib/lib_contact.sh
@@ -20,21 +20,22 @@
 contact() {
  clear
  cat << EOF
-$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.03.832.2025.06.24\e[0m")
-$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.\e[0m")
+$(echo -e "\e[97m################################################################################ \e[0m")
+$(echo -e "\e[92m  CISS.debian.live.builder from https://git.coresecret.dev/msw                   \e[0m")
+$(echo -e "\e[92m  A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.     \e[0m")

-$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
-$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
+$(echo -e "\e[97m  (c) Marc S. Weidner, 2018 - 2025 \e[0m")
+$(echo -e "\e[97m  (p) Centurion Press, 2024 - 2025 \e[0m")

-$(echo -e "\e[95m💬 Contact:\e[0m")
-$(echo -e "\e[95m🌐 https://coresecret.eu/ \e[0m")
-$(echo -e "\e[95m📧 security@coresecret.eu \e[0m")
-$(echo -e "\e[95m🔑 PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD \e[0m")
-$(echo -e "\e[95m🔗 https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD \e[0m")
+$(echo -e "\e[95m  💬 Contact:               \e[0m")
+$(echo -e "\e[95m  🌐 https://coresecret.eu/ \e[0m")
+$(echo -e "\e[95m  📧 security@coresecret.eu \e[0m")
+$(echo -e "\e[95m  🔑 PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD \e[0m")
+$(echo -e "\e[95m  🔗 https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD \e[0m")

-$(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m")
-$(echo -e "\e[95m🌐 https://coresecret.eu/spenden/         \e[0m")
+$(echo -e "\e[95m  💷 Please consider donating to my work at: \e[0m")
+$(echo -e "\e[95m  🌐 https://coresecret.eu/spenden/          \e[0m")
+$(echo -e "\e[97m################################################################################ \e[0m")

 EOF
 }
--- a/lib/lib_guard_sourcing.sh
+++ b/lib/lib_guard_sourcing.sh
@@ -23,7 +23,7 @@
 guard_sourcing() {
  ### Determine the caller script (the library being sourced).
  declare var_src="${1:-${BASH_SOURCE[1]}}"
-  ### Strip path, keep only filename
+  ### Strip path, keep only the filename
  declare var_file_name="${var_src##*/}"
  ### Sanitize to valid var name.
  declare var_safe_name="${var_file_name//[^a-zA-Z0-9_]/_}"
--- a/lib/lib_lb_config_write.sh
+++ b/lib/lib_lb_config_write.sh
@@ -15,20 +15,12 @@ guard_sourcing
 #######################################
 # Wrapper to write a new 'lb config' environment.
 # Globals:
-#   VAR_HANDLER_ISO_COUNTER
 #   VAR_ARCHITECTURE
 #   VAR_HANDLER_BUILD_DIR
+#   VAR_HANDLER_ISO_COUNTER
 #   VAR_KERNEL
-#   VAR_WORKDIR
 #   VAR_VERSION
-# Arguments:
-#  None
-#######################################
-
-#######################################
-# description
-# Globals:
-
+#   VAR_WORKDIR
 # Arguments:
 #  None
 #######################################
@@ -46,8 +38,8 @@ lb_config_write() {
    --backports true \
    --binary-filesystem fat32 \
    --binary-image iso-hybrid \
-    --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Europe/Lisbon splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
-    --bootappend-live "boot=live verify-checksums components nocomponents=cdi-starter locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Europe/Lisbon toram audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
+    --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
+    --bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 nocomponents=cdi-starter noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force,nosmt nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
    --bootloaders grub-efi \
    --cache true \
    --checksums sha512 sha256 md5 \
--- a/lib/lib_lb_config_write_trixie.sh
+++ b/lib/lib_lb_config_write_trixie.sh
@@ -0,0 +1,115 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Wrapper to write a new 'lb config' environment.
+# Globals:
+#   VAR_ARCHITECTURE
+#   VAR_HANDLER_BUILD_DIR
+#   VAR_HANDLER_ISO_COUNTER
+#   VAR_KERNEL
+#   VAR_VERSION
+#   VAR_WORKDIR
+# Arguments:
+#  None
+#######################################
+lb_config_write_trixie() {
+  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Writing new config ... \e[0m\n"
+
+  lb config \
+    --apt apt \
+    --apt-indices true \
+    --apt-recommends true \
+    --apt-secure true \
+    --apt-source-archives true \
+    --architecture "${VAR_ARCHITECTURE}" \
+    --archive-areas main contrib non-free non-free-firmware \
+    --backports true \
+    --binary-filesystem fat32 \
+    --binary-image iso-hybrid \
+    --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
+    --bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 nocomponents=cdi-starter noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force,nosmt nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
+    --bootloaders grub-efi \
+    --cache true \
+    --checksums sha512 sha256 md5 \
+    --chroot-filesystem squashfs \
+    --chroot-squashfs-compression-level 22 \
+    --chroot-squashfs-compression-type zstd \
+    --color \
+    --compression bzip2 \
+    --debconf-frontend noninteractive \
+    --debconf-priority critical \
+    --debian-installer cdrom \
+    --debian-installer-distribution trixie \
+    --debian-installer-gui true \
+    --debian-installer-preseedfile "preseed.cfg" \
+    --debug \
+    --distribution trixie \
+    --distribution-binary trixie \
+    --distribution-chroot trixie \
+    --firmware-binary true \
+    --firmware-chroot true \
+    --hdd-label "CENTURIONLIVE" \
+    --image-name "ciss-debian-live-${VAR_HANDLER_ISO_COUNTER}" \
+    --initramfs "live-boot" \
+    --initramfs-compression gzip \
+    --initsystem systemd \
+    --iso-application "CISS.debian.live.builder: ${VAR_VERSION} - Debian-Live-Build: 20250505 - Debian-Installer: trixie" \
+    --iso-preparer '(C) 2018-2025, Centurion Intelligence Consulting Agency (TM), Lisboa, Portugal' \
+    --iso-publisher '(P) 2018-2025, Centurion Press (TM) - powered by https://coresecret.eu/ - contact@coresecret.eu' \
+    --iso-volume 'CISS.debian.live' \
+    --linux-flavours "${VAR_KERNEL}" \
+    --linux-packages linux-image \
+    --loadlin true \
+    --memtest memtest86+ \
+    --mirror-binary 'https://deb/debian.org/debian/' \
+    --mirror-binary-security 'https://security.debian.org/' \
+    --mirror-bootstrap 'https://deb.debian.org/debian/' \
+    --mirror-chroot 'https://deb.debian.org/debian/' \
+    --mirror-chroot-security 'https://security.debian.org/' \
+    --mirror-debian-installer 'https://deb.debian.org/debian/' \
+    --mode debian \
+    --parent-archive-areas main contrib non-free non-free-firmware \
+    --parent-debian-installer-distribution trixie \
+    --parent-distribution trixie \
+    --parent-distribution-binary trixie \
+    --parent-distribution-chroot trixie \
+    --parent-mirror-binary 'https://deb.debian.org/debian/' \
+    --parent-mirror-binary-security 'https://security.debian.org/' \
+    --parent-mirror-bootstrap 'https://deb.debian.org/debian/' \
+    --parent-mirror-chroot 'https://deb.debian.org/debian/' \
+    --parent-mirror-chroot-security 'https://security.debian.org/' \
+    --parent-mirror-debian-installer 'https://deb.debian.org/debian/' \
+    --security true \
+    --system live \
+    --source false \
+    --source-images tar \
+    --uefi-secure-boot auto \
+    --updates true \
+    --utc-time true \
+    --verbose
+
+  sleep 1
+
+  sed -i 's/LB_CHECKSUMS="sha512 md5"/LB_CHECKSUMS="sha512 sha384 sha256"/1' ./config/binary
+  sed -i 's/LB_DM_VERITY=""/LB_DM_VERITY="false"/1' ./config/binary
+
+  mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/lib/live/boot
+  cp -a "${VAR_WORKDIR}/scripts/live-boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
+  chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
+  chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
+
+  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Writing new config done.\e[0m\n"
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_source_guard.sh
+++ b/lib/lib_source_guard.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Prevent the file to be sourced twice.
+# Arguments:
+#   1: File to source.
+#######################################
+source_guard() {
+  declare var_file="${1}"
+  declare var_name="${var_file##*/}"
+  declare var_guard="_${var_name//[^a-zA-Z0-9_]/_}_LOADED"
+
+  if ! declare -p "${var_guard}" &>/dev/null; then
+    # shellcheck disable=SC1090
+    . "${var_file}"
+  fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_trap_on_err.sh
+++ b/lib/lib_trap_on_err.sh
@@ -15,8 +15,8 @@ guard_sourcing
 #######################################
 # Print Error Message for Trap on 'ERR' in ${ERROR_LOG}
 # Globals:
-#   ARGUMENTS_COUNT
-#   ARG_STR_ORG_INPUT
+#   VAR_PARAM_COUNT
+#   VAR_PARAM_STRING
 #   VAR_ARG_SANITIZED
 #   LOG_DEBUG
 #   ERRCMMD
@@ -45,8 +45,8 @@ print_file_err() {
    printf "❌ Function               : %s \n" "${ERRFUNC}"
    printf "❌ Command                : %s \n" "${ERRCMMD}"
    printf "❌ Script Runtime         : %s \n" "${SECONDS}"
-    printf "❌ Arguments Counter      : %s \n" "${ARGUMENTS_COUNT}"
-    printf "❌ Arguments Original     : %s \n" "${ARG_STR_ORG_INPUT}"
+    printf "❌ Arguments Counter      : %s \n" "${VAR_PARAM_COUNT}"
+    printf "❌ Arguments Original     : %s \n" "${VAR_PARAM_STRING}"
    printf "❌ Arguments Sanitized    : %s \n" "${VAR_ARG_SANITIZED}"
    if "${VAR_EARLY_DEBUG}"; then
      printf "❌ Vars Dump saved at     : %s \n" "${LOG_VAR}"
@@ -60,8 +60,8 @@ print_file_err() {
 #######################################
 # Print Error Message for Trap on 'ERR' on Terminal
 # Globals:
-#   ARGUMENTS_COUNT
-#   ARG_STR_ORG_INPUT
+#   VAR_PARAM_COUNT
+#   VAR_PARAM_STRING
 #   VAR_ARG_SANITIZED
 #   LOG_DEBUG
 #   ERRCMMD
@@ -89,8 +89,8 @@ print_scr_err() {
  printf "\e[91m❌ Function               : %s \e[0m\n" "${ERRFUNC}" >&2
  printf "\e[91m❌ Command                : %s \e[0m\n" "${ERRCMMD}" >&2
  printf "\e[91m❌ Script Runtime         : %s \e[0m\n" "${SECONDS}" >&2
-  printf "\e[91m❌ Arguments Counter      : %s \e[0m\n" "${ARGUMENTS_COUNT}" >&2
-  printf "\e[91m❌ Arguments Original     : %s \e[0m\n" "${ARG_STR_ORG_INPUT}" >&2
+  printf "\e[91m❌ Arguments Counter      : %s \e[0m\n" "${VAR_PARAM_COUNT}" >&2
+  printf "\e[91m❌ Arguments Original     : %s \e[0m\n" "${VAR_PARAM_STRING}" >&2
  printf "\e[91m❌ Arguments Sanitized    : %s \e[0m\n" "${VAR_ARG_SANITIZED}" >&2
  printf "\e[91m❌ Error Log saved at     : %s \e[0m\n" "${LOG_ERROR}" >&2
  printf "\e[91m❌ batcat --pager='less -r' %s \e[0m\n" "${LOG_ERROR}" >&2
--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-06-25; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -12,131 +12,155 @@

 #######################################
 # Usage Wrapper CISS.debian.live.builder
-# Globals:
-#   none
 # Arguments:
 #   $0: Script name
 #######################################
 usage() {
-  clear
-  cat << EOF
-$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.03.832.2025.06.24\e[0m")
-$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.\e[0m")
+  # shellcheck disable=SC2155
+  declare var_cols=$(tput cols 2>/dev/null || echo 80)

-$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
-$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
+  #######################################
+  # Header, Footer wrapper for dynamical output.
+  # Arguments:
+  #   $1: Text.
+  #   $2: Width of Terminal.
+  #######################################
+  center() {
+    declare var_text="$1"
+    declare var_width="$2"
+    declare var_padding=$(( (var_width - ${#var_text}) / 2 ))
+    printf "%*s%s%*s\n" "${var_padding}" "" "${var_text}" "${var_padding}" ""
+  }

-"${0} <option>", where <option> is one or more of:
+  # shellcheck disable=SC2155
+  declare var_header=$(center "CLB(1)                        CISS.debian.live.builder                        CLB(1)" "${var_cols}")
+  # shellcheck disable=SC2155
+  declare var_footer=$(center "V8.04.002.2025.08.11                        2025-08-11                        CLB(1)" "${var_cols}")

-$(echo -e "\e[97m  --help, -h\e[0m")
-    What you're looking at.
-
-$(echo -e "\e[97m  --autobuild=*, -a=*\e[0m")
-    Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel
-    selector dialog. Change '*' to your desired Linux kernel and trim the
-    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'.
-
-$(echo -e "\e[97m  --architecture <STRING> one of <amd64 | arm64>\e[0m")
-    A string reflecting the architecture of the Live System.
-    MUST be provided.
-
-$(echo -e "\e[97m  --build-directory </path/to/build_directory>\e[0m")
-    Where the Debian Live Build Image should be generated.
-    MUST be provided.
-
-$(echo -e "\e[97m  --change-splash <STRING> one of <club | hexagon>\e[0m")
-    A string reflecting the GRub Boot Screen Splash you want to use.
-    If omitted defaults to "./.archive/background/club.png".
-
-$(echo -e "\e[97m  --cdi (Experimental Feature)\e[0m")
-    This option generates a boot menu entry to start the forthcoming
-    'CISS.debian.installer', which will be executed after
-    the system has successfully booted up.
-
-$(echo -e "\e[97m  --contact, -c\e[0m")
-    Displays contact information of the author.
-
-$(echo -e "\e[97m  --control <INTEGER>\e[0m")
-    An integer that reflects the version of your Live ISO Image.
-    MUST be provided.
-
-$(echo -e "\e[97m  --debug\e[0m")
-    Enables debug logging for the main program routine. Detailed logging
-    information are written to "/tmp/ciss_live_builder_$$.log"
-
-$(echo -e "\e[97m  --dhcp-centurion\e[0m")
-    If a DHCP lease is provided, the provider's nameserver will be overridden,
-    and only the hardened, privacy-focused Centurion DNS servers will be used:
-      - https://dns01.eddns.eu/
-      - https://dns02.eddns.de/
-      - https://dns03.eddns.eu/
-
-$(echo -e "\e[97m  --jump-host <IP | IP | ... >\e[0m")
-    Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
-    Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
-    If provided, than it MUST be a <SPACE> separated list.
-    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64.
-
-$(echo -e "\e[97m  --log-statistics-only\e[0m")
-    Provides statistic only after successful building a
-    CISS.debian.live-ISO. While enabling "--log-statistics-only"
-    the argument "--build-directory" MUST be provided while
-    all further options MUST be omitted.
-
-$(echo -e "\e[97m  --provider-netcup-ipv6\e[0m")
-    Activates IPv6 support for Netcup Root Server. One unique
-    IPv6 address MUST be provided in this case and MUST be encapsulated
-    with [], e.g., [1234::abcd].
-
-$(echo -e "\e[97m  --renice-priority <PRIORITY>\e[0m")
-    Reset the nice priority value of the script and all its children
-    to the desired <PRIORITY>. MUST be an integer (between "-19" and 19).
-    Negative (higher) values MUST be enclosed in double quotes '"'.
-
-$(echo -e "\e[97m  --reionice-priority <CLASS> <PRIORITY>\e[0m")
-    Reset the ionice priority value of the script and all its children
-    to the desired <CLASS>. MUST be an integer:
-      1: realtime
-      2: best-effort
-      3: idle
-    Defaults to '2'.
-    Whereas <PRIORITY> MUST be an integer as well between:
-      0: highest priority and
-      7: lowest priority.
-    Defaults to '4'.
-    A real-time I/O process can significantly slow down other processes
-    or even cause them to starve if it continuously requests I/O.
-
-$(echo -e "\e[97m  --root-password-file </path/to/password.txt>\e[0m")
-    Password file for 'root', if given, MUST be a string of 20 to 64 characters,
-    and MUST NOT contain the special character '"'.
-    If the argument is omitted, no further login authentication is required for
-    the local console. The root password is hashed with an 16 Byte '/dev/random'
-    generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
-    after Hash generation all Variables containing plain password fragments are
-    deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without
-    further prompt after password hash has been successfully generated via:
-    'shred -vfzu 5 -f'.
-    No tracing of any plain text password fragment in any debug log.
-
-$(echo -e "\e[97m  --ssh-port <INTEGER>\e[0m")
-    The desired Port SSH should listen to.
-    If not provided defaults to Port 22.
-
-$(echo -e "\e[97m  --ssh-pubkey </path/to/.ssh/>\e[0m")
-    Imports the SSH Public Key(s) from the FILE 'authorized_keys' of the
-    specified PATH into the Live ISO. MUST be provided.
-
-$(echo -e "\e[97m  --version, -v\e[0m")
-    Displays version of ${0}.
-
-$(echo -e "\e[93m💡 Notes:\e[0m")
-🔵 You MUST be 'root' to run this script.
-
-$(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m")
-$(echo -e "\e[95m🌐 https://coresecret.eu/spenden/         \e[0m")
-
-EOF
+  {
+    echo -e "\e[1;97m${var_header}\e[0m"
+    echo
+    echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
+    echo -e "\e[92mMaster V8.04.002.2025.08.11\e[0m"
+    echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
+    echo
+    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
+    echo -e "\e[97m(p) Centurion Press, 2024 - 2025 \e[0m"
+    echo
+    echo -e "\e[97m${0} <option>, where <option> is one or more of: \e[0m"
+    echo
+    echo -e "\e[97m  --help, -h \e[0m"
+    echo "    What you're looking at."
+    echo
+    echo -e "\e[97m  --autobuild=*, -a=* \e[0m"
+    echo "    Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel"
+    echo "    selector dialog. Change '*' to your desired Linux kernel and trim the"
+    echo "    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'."
+    echo
+    echo -e "\e[97m  --architecture <STRING> one of <amd64 | arm64> \e[0m"
+    echo "    A string reflecting the architecture of the Live System."
+    echo "    MUST be provided."
+    echo
+    echo -e "\e[97m  --build-directory </path/to/build_directory> \e[0m"
+    echo "    Where the Debian Live Build Image should be generated."
+    echo "    MUST be provided."
+    echo
+    echo -e "\e[97m  --change-splash <STRING> one of <club | hexagon>\e[0m"
+    echo "    A string reflecting the Grub Boot Screen Splash you want to use."
+    echo "    If omitted defaults to './.archive/background/club.png'."
+    echo
+    echo -e "\e[97m  --cdi (Experimental Feature)\e[0m"
+    echo "    This option generates a boot menu entry to start the forthcoming"
+    echo "    'CISS.debian.installer', which will be executed after"
+    echo "    the system has successfully booted up."
+    echo
+    echo -e "\e[97m  --contact, -c\ e[0m"
+    echo "    Show author contact information."
+    echo
+    echo -e "\e[97m  --control <INTEGER>\e[0m"
+    echo "    An integer that reflects the version of your Live ISO Image."
+    echo "    MUST be provided."
+    echo
+    echo -e "\e[97m  --debug, -d \e[0m"
+    echo "    Enables debug logging for the main program routine. Detailed logging"
+    echo "    information are written to '/tmp/ciss_live_builder_$$.log'."
+    echo
+    echo -e "\e[97m  --dhcp-centurion \e[0m"
+    echo "    If a DHCP lease is provided, the provider's nameserver will be overridden,"
+    echo "    and only the hardened, privacy-focused Centurion DNS servers will be used:"
+    echo "      - https://dns01.eddns.eu/"
+    echo "      - https://dns02.eddns.de/"
+    echo "      - https://dns03.eddns.eu/"
+    echo
+    echo -e "\e[97m  --jump-host <IP | IP | ... > \e[0m"
+    echo "    Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access."
+    echo "    Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation."
+    echo "    If provided, than it MUST be a <SPACE> separated list."
+    echo "    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64."
+    echo
+    echo -e "\e[97m  --log-statistics-only\e[0m"
+    echo "    Provides statistic only after successful building a"
+    echo "    CISS.debian.live-ISO. While enabling '--log-statistics-only'"
+    echo "    the argument '--build-directory' MUST be provided while"
+    echo "    all further options MUST be omitted."
+    echo
+    echo -e "\e[97m  --provider-netcup-ipv6 \e[0m"
+    echo "    Activates IPv6 support for Netcup Root Server. One unique"
+    echo "    IPv6 address MUST be provided in this case and MUST be encapsulated"
+    echo "    with [], e.g., [1234::abcd]."
+    echo
+    echo -e "\e[97m  --renice-priority <PRIORITY> \e[0m"
+    echo "    Reset the nice priority value of the script and all its children"
+    echo "    to the desired <PRIORITY>. MUST be an integer (between '-19' and 19)."
+    echo "    Negative (higher) values MUST be enclosed in double quotes '\"'."
+    echo
+    echo -e "\e[97m  --reionice-priority <CLASS> <PRIORITY> \e[0m"
+    echo "    Reset the ionice priority value of the script and all its children"
+    echo "    to the desired <CLASS>. MUST be an integer:"
+    echo "      1: realtime"
+    echo "      2: best-effort"
+    echo "      3: idle"
+    echo "    Defaults to '2'."
+    echo "    Whereas <PRIORITY> MUST be an integer as well between:"
+    echo "      0: highest priority and"
+    echo "      7: lowest priority."
+    echo "    Defaults to '4'."
+    echo "    A real-time I/O process can significantly slow down other processes"
+    echo "    or even cause them to starve if it continuously requests I/O."
+    echo
+    echo -e "\e[97m  --root-password-file </path/to/password.txt> \e[0m"
+    echo "    Password file for 'root', if given, MUST be a string of 20 to 64 characters,"
+    echo "    and MUST NOT contain the special character '\"'."
+    echo "    If the argument is omitted, no further login authentication is required for"
+    echo "    the local console. The root password is hashed with an 16 Byte '/dev/random'"
+    echo "    generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately"
+    echo "    after Hash generation all Variables containing plain password fragments are"
+    echo "    deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without"
+    echo "    further prompt after password hash has been successfully generated via:"
+    echo "    'shred -vfzu 5 -f'."
+    echo "    'No tracing of any plain text password fragment in any debug log."
+    echo
+    echo -e "\e[97m  --ssh-port <INTEGER> \e[0m"
+    echo "    The desired Port SSH should listen to."
+    echo "    If not provided defaults to Port '22'."
+    echo
+    echo -e "\e[97m  --ssh-pubkey </path/to/.ssh/> \e[0m"
+    echo "    Imports the SSH Public Key from the FILE 'authorized_keys' of the"
+    echo "    specified PATH into the Live ISO. MUST be provided."
+    echo
+    echo -e "\e[97m  --trixie \e[0m"
+    echo "    Create a Debian Trixie Live ISO. Experimental Feature"
+    echo
+    echo -e "\e[97m  --version, -v \e[0m"
+    echo "    Show version of ${0}."
+    echo
+    echo -e "\e[93m💡 Notes:\e[0m"
+    echo -e "\e[93m🔵 You MUST be 'root' to run this script.\e[0m"
+    echo
+    echo -e "\e[95m💷 Please consider donating to my work at: \e[0m"
+    echo -e "\e[95m🌐 https://coresecret.eu/spenden/ \e[0m"
+    echo
+    echo -e "\e[1;97m${var_footer}\e[0m"
+  } | less -R
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_version.sh
+++ b/lib/lib_version.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-25; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Version Wrapper CISS.debian.live.builder
+# Globals:
+#   VAR_VERSION
+# Arguments:
+#   None
+#######################################
+version() {
+  # shellcheck disable=SC2155
+  declare -r var_repo_ver="$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
+  # shellcheck disable=SC2155
+  declare -r var_lb_ver="$(lb -v)"
+  # shellcheck disable=SC2155
+  declare -r var_ds_ver="$(debootstrap --version)"
+  # shellcheck disable=SC2155
+  declare -r var_host="$(uname -n)"
+  # shellcheck disable=SC2155
+  declare -r var_bash_ver="$(bash --version | head -n1 | awk '{print $4" "$5" "$6}')"
+
+  clear
+  cat << EOF
+$(echo -e "\e[97m################################################################################ \e[0m")
+$(echo -e "\e[92m  CISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m")
+$(echo -e "\e[92m  A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
+
+  Version : ${VAR_VERSION}
+  Git     : ${var_repo_ver}
+
+$(echo -e "\e[97m  This program is free software. Distribution and modification under  \e[0m")
+$(echo -e "\e[97m  EUPL-1.2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! \e[0m")
+
+  Please file bugs @
+$(echo -e "\e[95m  https://git.coresecret.dev/msw/CISS.debian.live.builder/issues \e[0m")
+$(echo -e "\e[97m################################################################################\e[0m")
+
+  Using   : lb (${var_lb_ver}) debootstrap (${var_ds_ver})
+  on      : ${var_host}
+  Bash    : ${var_bash_ver}
+
+EOF
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/scripts/0010_dhcp_supersede.sh
+++ b/scripts/0010_dhcp_supersede.sh
@@ -21,9 +21,9 @@ fi
 cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp/dhclient.conf

 # Custom dhclient config to override DHCP DNS
-# dns01.eddns.eu, dns02.eddns.de; dns03.eddns.eu;
+# dns01.eddns.eu, dns02.eddns.de, dns03.eddns.eu;

-supersede domain-name-servers 135.181.207.105, 89.58.62.53; 138.199.237.109;
+supersede domain-name-servers 135.181.207.105, 89.58.62.53, 138.199.237.109;

 EOF

--- a/scripts/9000-cdi-starter
+++ b/scripts/9000-cdi-starter
@@ -15,7 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 # sleep 1

 [[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log
-printf "CISS.debian.installer Master V8.03.832.2025.06.24 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+printf "CISS.debian.installer Master V8.04.002.2025.08.11 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log

 if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then
  chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh
--- a/var/bash.var.sh
+++ b/var/bash.var.sh
@@ -10,12 +10,30 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
 ### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin
-set -o errexit   # Exit script when a command exits with non-zero status, the same as "set -e".
-set -o errtrace  # Any traps on ERR are inherited in a subshell environment, the same as "set -E".
-set -o functrace # Any traps on DEBUG and RETURN are inherited in a subshell environment, the same as "set -T".
-set -o nounset   # Exit script on use of an undefined variable, the same as "set -u".
-set -o pipefail  # Makes pipelines return the exit status of the last command in the pipe that failed.
-set -o noclobber # Prevent overwriting, the same as "set -C".
+set -o errexit           # Exit script when a command exits with non-zero status, the same as "set -e".
+set -o errtrace          # Any traps on ERR are inherited in a subshell environment, the same as "set -E".
+set -o functrace         # Any traps on DEBUG and RETURN are inherited in a subshell environment, the same as "set -T".
+set -o ignoreeof         # An interactive shell will not exit upon reading EOF.
+set -o noclobber         # Prevent overwriting, the same as "set -C".
+set -o nounset           # Exit script on use of an undefined variable, the same as "set -u".
+set -o pipefail          # Makes pipelines return the exit status of the last command in the pipe that failed.
+
+### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Shopt-Builtin
+#shopt -s failglob        # If set, patterns that fail to match filenames during filename expansion result in an expansion error.
+shopt -s inherit_errexit # If set, command substitution inherits the value of the errexit option instead of unsetting it in the
+                         # subshell environment. This option is enabled when POSIX mode is enabled.
+shopt -s lastpipe        # If set, and job control is not active, the shell runs the last command of a pipeline not executed in
+                         # the background in the current shell environment.
+shopt -u expand_aliases  # If set, aliases are expanded as described. This option is enabled by default for interactive shells.
+shopt -u dotglob         # If set, Bash includes filenames beginning with a '.' in the results of filename expansion.
+shopt -u extglob         # If set, enable the extended pattern matching features.
+shopt -u nullglob        # If set, filename expansion patterns that match no files expand to nothing and are removed.
+
+declare -gx PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+declare -gx IFS=$' \t\n'
+umask 0022

 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/var/color.var.sh
+++ b/var/color.var.sh
@@ -10,14 +10,20 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-declare -grx C_BLA='\e[90m' # Beautiful black For the techno fans.
-declare -grx C_RED='\e[91m' # Bright red.
-declare -grx C_GRE='\e[92m' # Vibrant green.
-declare -grx C_YEL='\e[93m' # Fancy yellow
-declare -grx C_BLU='\e[94m' # Organic blue.
-declare -grx C_MAG='\e[95m' # Super gay magenta.
-declare -grx C_CYA='\e[96m' # Lovely cyan.
-declare -grx C_WHI='\e[97m' # Fantastic color mix.
-declare -grx C_RES='\e[0m'  # Forget everything.
+guard_sourcing
+
+### Definition of color variables.
+
+declare -grx BLA='\e[90m' # Beautiful black For the techno fans.
+declare -grx RED='\e[91m' # Bright red.
+declare -grx GRE='\e[92m' # Vibrant green.
+declare -grx YEL='\e[93m' # Fancy yellow
+declare -grx BLU='\e[94m' # Organic blue.
+declare -grx MAG='\e[95m' # Super gay magenta.
+declare -grx CYA='\e[96m' # Lovely cyan.
+declare -grx WHI='\e[97m' # Fantastic color mix.
+declare -grx RES='\e[0m'  # Forget everything.
+declare -grx TAB='\t'     # Tabulator.
+declare -grx NL='\n'      # New line.

 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/var/early.var.sh
+++ b/var/early.var.sh
@@ -13,13 +13,10 @@
 ### Definition of MUST set early Variables

 # shellcheck disable=SC2155
-declare -agx ARY_PARAM_ARRAY=("$@")
-declare -grx VAR_PARAM_COUNT="$#"
-declare -grx VAR_PARAM_STRNG="$*"
 declare -grx VAR_CONTACT="security@coresecret.eu"
-declare -grx VAR_VERSION="Master V8.03.832.2025.06.24"
+declare -grx VAR_VERSION="Master V8.04.002.2025.08.11"
 declare -grx VAR_SYSTEM="$(uname -a)"
 declare -gx  VAR_EARLY_DEBUG="false"
 declare -gx  VAR_HANDLER_AUTOBUILD="false"
-umask 0022
+
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/var/global.var.sh
+++ b/var/global.var.sh
@@ -10,11 +10,18 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+guard_sourcing
+
+### Definition of MUST set global variables.
 # shellcheck disable=SC2155
 declare -gr VAR_ISO8601="$(date +%Y_%m_%d_%H_%M_%S)"
+# shellcheck disable=SC2155
 declare -gr VAR_KERNEL_INF="$(mktemp)"
+# shellcheck disable=SC2155
 declare -gr VAR_KERNEL_TMP="$(mktemp)"
+# shellcheck disable=SC2155
 declare -gr VAR_KERNEL_SRT="$(mktemp)"
+# shellcheck disable=SC2155
 declare -gr VAR_NOTES="$(mktemp)"

 declare -gr LOG_ERROR="/tmp/ciss_live_builder_$$_error.log"
@@ -28,12 +35,14 @@ declare -g VAR_HANDLER_SPLASH=""
 declare -g VAR_SSHPORT=""
 declare -g VAR_SSHPUBKEY=""
 declare -g VAR_SCRIPT_SUCCESS="false"
+declare -g VAR_SUITE="bookworm"
 declare -g VAR_HANDLER_PRIORITY=""
 declare -g VAR_HANDLER_NETCUP_IPV6="false"
 declare -g VAR_HASHED_PWD=""
 declare -gi VAR_HANDLER_STA=0
-declare -g VAR_REIONICE_CLASS=""
-declare -g VAR_REIONICE_PRIORITY=""
+declare -gi VAR_HANDLER_PRIORITY=0
+declare -gi VAR_REIONICE_CLASS=2
+declare -gi VAR_REIONICE_PRIORITY=4
 declare -gr VAR_CHROOT_DIR="chroot"
 declare -gr VAR_PACKAGES_FILE="chroot.packages.live"
 declare -ga ARY_HANDLER_JUMPHOST=()