DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]

X-CI-Metadata: master@4445a0a at 2025-07-15T17:55:22Z on deea7eb4a68b

Generated at : 2025-07-15T17:55:22Z
Runner Host  : deea7eb4a68b
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 4445a0a HEAD -> master

.archive/.0000_lib_usage.sh

@@ -0,0 +1,142 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Usage Wrapper CISS.debian.live.builder
+# Globals:
+#   none
+# Arguments:
+#   $0: Script name
+#######################################
+usage() {
+  clear
+  cat << EOF
+$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
+$(echo -e "\e[92mMaster V8.03.864.2025.07.15\e[0m")
+$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
+
+$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
+$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
+
+"${0} <option>", where <option> is one or more of:
+
+$(echo -e "\e[97m  --help, -h\e[0m")
+    What you're looking at.
+
+$(echo -e "\e[97m  --autobuild=*, -a=*\e[0m")
+    Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel
+    selector dialog. Change '*' to your desired Linux kernel and trim the
+    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'.
+
+$(echo -e "\e[97m  --architecture <STRING> one of <amd64 | arm64>\e[0m")
+    A string reflecting the architecture of the Live System.
+    MUST be provided.
+
+$(echo -e "\e[97m  --build-directory </path/to/build_directory>\e[0m")
+    Where the Debian Live Build Image should be generated.
+    MUST be provided.
+
+$(echo -e "\e[97m  --change-splash <STRING> one of <club | hexagon>\e[0m")
+    A string reflecting the GRub Boot Screen Splash you want to use.
+    If omitted defaults to "./.archive/background/club.png".
+
+$(echo -e "\e[97m  --cdi (Experimental Feature)\e[0m")
+    This option generates a boot menu entry to start the forthcoming
+    'CISS.debian.installer', which will be executed after
+    the system has successfully booted up.
+
+$(echo -e "\e[97m  --contact, -c\e[0m")
+    Displays contact information of the author.
+
+$(echo -e "\e[97m  --control <INTEGER>\e[0m")
+    An integer that reflects the version of your Live ISO Image.
+    MUST be provided.
+
+$(echo -e "\e[97m  --debug\e[0m")
+    Enables debug logging for the main program routine. Detailed logging
+    information are written to "/tmp/ciss_live_builder_$$.log"
+
+$(echo -e "\e[97m  --dhcp-centurion\e[0m")
+    If a DHCP lease is provided, the provider's nameserver will be overridden,
+    and only the hardened, privacy-focused Centurion DNS servers will be used:
+      - https://dns01.eddns.eu/
+      - https://dns02.eddns.de/
+      - https://dns03.eddns.eu/
+
+$(echo -e "\e[97m  --jump-host <IP | IP | ... >\e[0m")
+    Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
+    Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
+    If provided, than it MUST be a <SPACE> separated list.
+    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64.
+
+$(echo -e "\e[97m  --log-statistics-only\e[0m")
+    Provides statistic only after successful building a
+    CISS.debian.live-ISO. While enabling "--log-statistics-only"
+    the argument "--build-directory" MUST be provided while
+    all further options MUST be omitted.
+
+$(echo -e "\e[97m  --provider-netcup-ipv6\e[0m")
+    Activates IPv6 support for Netcup Root Server. One unique
+    IPv6 address MUST be provided in this case and MUST be encapsulated
+    with [], e.g., [1234::abcd].
+
+$(echo -e "\e[97m  --renice-priority <PRIORITY>\e[0m")
+    Reset the nice priority value of the script and all its children
+    to the desired <PRIORITY>. MUST be an integer (between "-19" and 19).
+    Negative (higher) values MUST be enclosed in double quotes '"'.
+
+$(echo -e "\e[97m  --reionice-priority <CLASS> <PRIORITY>\e[0m")
+    Reset the ionice priority value of the script and all its children
+    to the desired <CLASS>. MUST be an integer:
+      1: realtime
+      2: best-effort
+      3: idle
+    Defaults to '2'.
+    Whereas <PRIORITY> MUST be an integer as well between:
+      0: highest priority and
+      7: lowest priority.
+    Defaults to '4'.
+    A real-time I/O process can significantly slow down other processes
+    or even cause them to starve if it continuously requests I/O.
+
+$(echo -e "\e[97m  --root-password-file </path/to/password.txt>\e[0m")
+    Password file for 'root', if given, MUST be a string of 20 to 64 characters,
+    and MUST NOT contain the special character '"'.
+    If the argument is omitted, no further login authentication is required for
+    the local console. The root password is hashed with an 16 Byte '/dev/random'
+    generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
+    after Hash generation all Variables containing plain password fragments are
+    deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without
+    further prompt after password hash has been successfully generated via:
+    'shred -vfzu 5 -f'.
+    No tracing of any plain text password fragment in any debug log.
+
+$(echo -e "\e[97m  --ssh-port <INTEGER>\e[0m")
+    The desired Port SSH should listen to.
+    If not provided defaults to Port 22.
+
+$(echo -e "\e[97m  --ssh-pubkey </path/to/.ssh/>\e[0m")
+    Imports the SSH Public Key(s) from the FILE 'authorized_keys' of the
+    specified PATH into the Live ISO. MUST be provided.
+
+$(echo -e "\e[97m  --version, -v\e[0m")
+    Displays version of ${0}.
+
+$(echo -e "\e[93m💡 Notes:\e[0m")
+🔵 You MUST be 'root' to run this script.
+
+$(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m")
+$(echo -e "\e[95m🌐 https://coresecret.eu/spenden/         \e[0m")
+
+EOF
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml

@@ -25,7 +25,7 @@ body:
     attributes:
       label: "Version"
       description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.03.832.2025.06.24"
+      placeholder: "e.g., Master V8.03.864.2025.07.15"
     validations:
       required: true
 

.gitea/TODO/dockerfile

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.832.2025.06.24
+### Version Master V8.03.864.2025.07.15
 
 FROM debian:bookworm
 

.gitea/TODO/render-md-to-html.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.832.2025.06.24
+### Version Master V8.03.864.2025.07.15
 
 name: 🔁 Render README.md to README.html.
 

.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml

@@ -10,6 +10,6 @@
 # SPDX-Security-Contact: security@coresecret.eu
 
 build:
-  counter: 1024
+  counter: 1023
-  version: V8.03.832.2025.06.24
+  version: V8.03.864.2025.07.15
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.03.832.2025.06.24
+  version: V8.03.864.2025.07.15
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PUBLIC.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.03.832.2025.06.24
+  version: V8.03.864.2025.07.15
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_dns.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.03.832.2025.06.24
+  version: V8.03.864.2025.07.15
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.832.2025.06.24
+### Version Master V8.03.864.2025.07.15
 
 name: 🔐 Generating a Private Live ISO FLV 0.
 

.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.832.2025.06.24
+### Version Master V8.03.864.2025.07.15
 
 name: 🔐 Generating a Private Live ISO FLV 1.
 

.gitea/workflows/generate_PUBLIC_iso.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.832.2025.06.24
+### Version Master V8.03.864.2025.07.15
 
 name: 💙 Generating a PUBLIC Live ISO.
 

.gitea/workflows/linter_char_scripts.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.832.2025.06.24
+### Version Master V8.03.864.2025.07.15
 
 # Gitea Workflow: Shell-Script Linting
 #

.gitea/workflows/render-dnssec-status.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.832.2025.06.24
+### Version Master V8.03.864.2025.07.15
 
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
 

.gitea/workflows/render-dot-to-png.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.832.2025.06.24
+### Version Master V8.03.864.2025.07.15
 
 name: 🔁 Render Graphviz Diagrams.
 

.version.properties

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.03.832.2025.06.24"
+properties_version="V8.03.864.2025.07.15"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

CISS.debian.live.builder.spdx

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.03.832.2025.06.24
+PackageVersion: Master V8.03.864.2025.07.15
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder

LINTER_RESULTS.txt

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-06-24T21:45:52Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-07-15T17:55:19Z".
 
 ✅ The last linter check was successful. ✅
 

LIVE_ISO.public

@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-06-23T09:04:49Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-07-15T13:01:05Z".
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_23T08_20_37Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_07_15T12_12_23Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  86a8be09e16299892ae99d195b56a04356bcf5d2202016da8f8fa7441077c43fab68ebefcb8c39b3423f085a74b607907fb691ac71fdef92af33782bd2ac0ce5
+  e94f1f698fb6d6a078d3aed785302ffcad25221c92439e84bb505a39d7b4da50674063cc2f7957cca655afdcdb55871ed4990aebbb096f964336af682891aed0
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFkYsQAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaHZREQAKCRA85KY4hzOw
-IbrbAQDeOIS3QYKIPkMhYlNPIcsJjv/dh3TdYiuQbkvfwVI+/gD/TiB+ska62vJk
+IQE/APsGY1Q8yonOxKTBUxgPPIA7ugHTfub9yWbPLcisC7J+sQEA17e8hmjJSX+O
-LGfwjuaxMC0KHG1/UTICytOeAnTrXAc=
+NpAtnhF4dfZheybcyfJwsscrNtOieAM=
-=qk8B
+=V2i8
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_FLV_0.private

@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-06-24T19:21:36Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-07-15T11:05:11Z".
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_24T18_36_59Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_07_15T10_13_20Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  3ca5a9635ef74a48f6d8f31696ec56e56ee95eff5317df95976e22d31e331bc503422602e24a9eaddfc30212acf6ebe96af51e94298c4c7c49c839c62abb6c2f
+  b18d79055f12e6f61a1d0b46f8648f8097da419701f3366ba127b0eff1bb0d9ef4794b1a59b66ad8d48c3e3812a1fbc81f948a66b913b036cf2b740a778a88cd
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFr6wAAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaHY15wAKCRA85KY4hzOw
-IbgHAP4p9jlF9jZkYIw/0H8j07QUWNHxeUz2r2UXp8aN2gUEBwEAxqbznJhH8li8
+Idw3AQDzmYnaCI3OADP+DB+u805S8F+QUmVIcfmUGnM0sDz78gD+I+m+BHte8lzp
-40g5sWwGLmBjlidIOe0NxeMUBkuMlQg=
+rwudtbEBn9wZvy2KyFWcxlSCn3go2gU=
-=gq5w
+=nGnJ
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_FLV_1.private

@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-06-24T22:34:36Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-07-15T12:03:16Z".
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_24T21_53_22Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_07_15T11_14_23Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  581d951c8ab4d8e7afd2d727f8e64bd6fff51d005b84b9800e941da8dae654985bae500e056f02729d6b274ba330dfdbec59fd5ec2c8b18c3bbf37433b73c154
+  a022fe082d5d06db05e4c53f09b59ee57f483a3d2a2a143403d93c27a2d454ec8982ccaeb957f654c0879276befc7d9ab2333f407c8089306348c7a10fd39a20
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFsn/AAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaHZDhAAKCRA85KY4hzOw
-IUvMAP9P1U6lblhdZ9tSROvYXRXcv0IEg2rVo3fMx9T5fozLewEAgxxo0+J1Nlvu
+IV0hAQCl7xeM8Art2obImFmhUBKDOLcLifegqY/jKY9729EM/wEAzJTRuLts9Jzy
-KVZOdiuc6xdxkBHWYaA2kSXZKI+qAwA=
+PXje4fYxZiNOoFv3hz7Xwt5q9rPn/AE=
-=2H0C
+=S0vW
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

README.md

@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.832.2025.06.24-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.864.2025.07.15-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
  
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)  
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)  
@@ -26,7 +26,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -142,7 +142,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
 
-Example: `V8.03.832.2025.06.24`
+Example: `V8.03.864.2025.07.15`
 
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
 
@@ -420,12 +420,13 @@ predictable script behavior.
    5. Make any other changes you need to.
 3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):
 
-   ```yaml
+   ````bash
    chmod 0700 ./ciss_live_builder.sh
+   timestamp=$(date -u +%Y-%m-%dT%H:%M:%S%z)
    ./ciss_live_builder.sh --architecture amd64 \
                           --build-directory /opt/livebuild \
                           --change-splash hexagon \
-                          --control 384 \
+                          --control "${timestamp}" \
                           --debug \
                           --dhcp-centurion \
                           --jump-host 10.0.0.128 [c0de:4711:0815:4242::1] [2abc:4711:0815:4242::1]/64 \
@@ -435,7 +436,7 @@ predictable script behavior.
                           --root-password-file /opt/gitea/CISS.debian.live.builder/password.txt \
                           --ssh-port 4242 \
                           --ssh-pubkey /opt/gitea/CISS.debian.live.builder
-   ```
+   ````
 4. Locate your ISO in the `--build-directory`.
 5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel.
 6. Type `sysp` for the final kernel hardening features.

ciss_live_builder.sh

@@ -48,7 +48,7 @@
 ### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG
 for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh; contact; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh; usage; exit 0;; esac; done
-for arg in "$@"; do case "${arg,,}" in -v|--version) printf "\e[95mCISS.debian.live.builder Version: %s\e[0m\n" "${VAR_VERSION}"; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh; version; exit 0;; esac; done
 
 ### ALL CHECKS DONE. READY TO START THE SCRIPT
 check_git

config/includes.chroot/etc/ssh/sshd_config

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.832.2025.06.24
+### Version Master V8.03.864.2025.07.15
 
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig

config/includes.chroot/etc/sysctl.d/99_local.hardened

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.03.832.2025.06.24
+### Version Master V8.03.864.2025.07.15
 
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/

config/includes.chroot/preseed/.iso/preseed_hash_generator.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-declare -gr VERSION="Master V8.03.832.2025.06.24"
+declare -gr VERSION="Master V8.03.864.2025.07.15"
 
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then

config/includes.chroot/preseed/preseed.cfg

@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.03.832.2025.06.24 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.03.864.2025.07.15 at: 10:18:37.9542

config/package-lists/live.list.common.chroot

@@ -26,6 +26,7 @@ ca-certificates
 clamav
 clamav-daemon
 console-setup
+cpuid
 cryptsetup
 cryptsetup-nuke-password
 curl
@@ -49,6 +50,7 @@ expect
 fail2ban
 fdisk
 figlet
+fio
 fzf
 gawk
 gdisk
@@ -111,6 +113,7 @@ speedtest-cli
 squashfs-tools
 ssh
 ssl-cert
+stress
 sudo
 sysstat
 systemd-sysv

docs/AUDIT_DNSSEC.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. DNSSEC Status
 

docs/AUDIT_HAVEGED.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. Haveged Audit on Netcup RS 2000 G11
 

docs/AUDIT_LYNIS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. Lynis Audit:
 

docs/AUDIT_SSH.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. SSH Audit by ssh-audit.com
 

docs/AUDIT_TLS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. TLS Audit:
 

docs/BOOTPARAMS.md

@@ -0,0 +1,56 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.live.builder
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
+**Master Version**: 8.03<br>
+**Build**: V8.03.864.2025.07.15<br>
+
+# 2. Hardened Kernel Boot Parameters
+
+Below is a curated set of kernel boot parameters optimized for CISS Debian Installer. These parameters enhance security posture,
+restrict legacy interfaces, enforce memory initialization, and disable speculative side channels. Each parameter is documented 
+with a short rationale.
+
+* ``audit=1``: Enable kernel auditing subsystem.
+* ``audit_backlog_limit=8192``: Set audit event buffer depth.
+* ``cfi=kcfi``: Enable Clang's Control Flow Integrity (if supported by kernel).
+* ``debugfs=off``: Disable debugfs mount, prevents access to kernel internals.
+* ``efi=disable_early_pci_dma``: Prevent early PCI DMA via EFI.
+* ``hardened_usercopy=1``: Harden copy_*_user() functions, mitigate heap/memcpy bugs.
+* ``ia32_emulation=0``: Disable 32-bit x86 binary support on 64-bit kernel.
+* ``init_on_alloc=1``: Zero-initialize heap memory on allocation.
+* ``init_on_free=1``: Zero memory on free to prevent reuse data leaks.
+* ``iommu=force``: Enforce use of IOMMU.
+* ``iommu.strict=1``: Enable strict IOMMU mode (always remap).
+* ``iommu.passthrough=0``: Prevent IOMMU passthrough (forces remapping).
+* ``kfence.sample_interval=100``: Enable low-overhead heap-fence sampling.
+* ``kvm.nx_huge_pages=force``: Enforce NX-bit for KVM hugepages to prevent code execution.
+* ``l1d_flush=on``: Flush L1D cache on VM-entry to mitigate cache side-channels.
+* ``lockdown=confidentiality``: Enable kernel lockdown in confidentiality mode.
+* ``loglevel=0``: Silence all kernel messages (only EMERG shown).
+* ``mitigations=auto,nosmt``: Enable all available speculative mitigations, disable SMT.
+* ``mmio_stale_data=full,force,nosmt``: Mitigate MMIO stale data side channel fully.
+* ``nosmt=force``: Force disable Simultaneous Multithreading (SMT/HT).
+* ``oops=panic``: Trigger kernel panic on oops, ensures halt on fault.
+* ``page_alloc.shuffle=1``: Randomize page allocator freelist order.
+* ``page_poison=1``: Fill freed pages with poison patterns to detect UAF.
+* ``panic=-1``: Prevent automatic reboot after panic.
+* ``pti=on``: Enable Page Table Isolation (Meltdown mitigation).
+* ``random.trust_bootloader=off``: Do not trust RNG state from bootloader.
+* ``random.trust_cpu=off``: Do not trust CPU's RDRAND or RDSEED.
+* ``randomize_kstack_offset=on``: Enable randomized kernel stack offset per syscall.
+* ``randomize_va_space=2``: Enable full ASLR for mmap and heap.
+* ``retbleed=auto,nosmt``: Mitigate Retbleed exploit path via branch prediction.
+* ``rodata=on``: Enforce read-only sections for .rodata.
+* ``slab_nomerge``: Disable merging of similar slab caches.
+* ``vdso32=0``: Disable 32-bit vdso mapping (x86 compatibility).
+* ``vsyscall=none``: Disable vsyscall legacy mapping.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

docs/CHANGELOG.md

@@ -8,10 +8,27 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. Changelog
 
+## V8.03.864.2025.07.15
+
+* Updated: [0010_dhcp_supersede.sh](../scripts/0010_dhcp_supersede.sh)
+* Added: [BOOTPARAMS.md](BOOTPARAMS.md)
+* Added: Package ``cpuid``: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
+
+## V8.03.832.2025.06.25
+
+* Added: [lib_version.sh](../lib/lib_version.sh)
+* Updated:
+  * [lib_contact.sh](../lib/lib_contact.sh)
+  * [lib_usage.sh](../lib/lib_usage.sh)
+* Packages added:
+  * https://packages.debian.org/bookworm/fio
+  * https://packages.debian.org/bookworm/stress 
+* Timezone changed to ``Etc/UTC``
+
 ## V8.03.832.2025.06.24
 
 * Updated:

docs/CNET.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. Centurion Net - Developer Branch Overview
 

docs/CODING_CONVENTION.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. Coding Style
 

docs/CONTRIBUTING.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. Contributing / participating
 

docs/CREDITS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. Credits
 

docs/DL_PUB_ISO.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
 

docs/DOCUMENTATION.md

@@ -8,12 +8,12 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2.1. Usage
 ````text
 CISS.debian.live.builder
-Master V8.03.832.2025.06.24
+Master V8.03.864.2025.07.15
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 
 (c) Marc S. Weidner, 2018 - 2025
@@ -133,7 +133,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
 # 2.2. Contact
 ````text
 CISS.debian.live.builder
-Master V8.03.832.2025.06.24
+Master V8.03.864.2025.07.15
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 
 (c) Marc S. Weidner, 2018 - 2025

docs/REFERENCES.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.03.864.2025.07.15<br>
 
 # 2. Resources
 

lib/lib_contact.sh

@@ -20,9 +20,9 @@
 contact() {
   clear
   cat << EOF
-$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
+$(echo -e "\e[97m################################################################################ \e[0m")
-$(echo -e "\e[92mMaster V8.03.832.2025.06.24\e[0m")
+$(echo -e "\e[92m  CISS.debian.live.builder from https://git.coresecret.dev/msw                   \e[0m")
-$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.\e[0m")
+$(echo -e "\e[92m  A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.     \e[0m")
 
 $(echo -e "\e[97m  (c) Marc S. Weidner, 2018 - 2025 \e[0m")
 $(echo -e "\e[97m  (p) Centurion Press, 2024 - 2025 \e[0m")
@@ -35,6 +35,7 @@ $(echo -e "\e[95m🔗 https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F4103
 
 $(echo -e "\e[95m  💷 Please consider donating to my work at: \e[0m")
 $(echo -e "\e[95m  🌐 https://coresecret.eu/spenden/          \e[0m")
+$(echo -e "\e[97m################################################################################ \e[0m")
 
 EOF
 }

lib/lib_lb_config_write.sh

@@ -15,20 +15,12 @@ guard_sourcing
 #######################################
 # Wrapper to write a new 'lb config' environment.
 # Globals:
-#   VAR_HANDLER_ISO_COUNTER
 #   VAR_ARCHITECTURE
 #   VAR_HANDLER_BUILD_DIR
+#   VAR_HANDLER_ISO_COUNTER
 #   VAR_KERNEL
-#   VAR_WORKDIR
 #   VAR_VERSION
-# Arguments:
+#   VAR_WORKDIR
-#  None
-#######################################
-
-#######################################
-# description
-# Globals:
-
 # Arguments:
 #  None
 #######################################
@@ -46,8 +38,8 @@ lb_config_write() {
     --backports true \
     --binary-filesystem fat32 \
     --binary-image iso-hybrid \
-    --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Europe/Lisbon splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
+    --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
-    --bootappend-live "boot=live verify-checksums components nocomponents=cdi-starter locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Europe/Lisbon toram audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
+    --bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 nocomponents=cdi-starter noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force,nosmt nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
     --bootloaders grub-efi \
     --cache true \
     --checksums sha512 sha256 md5 \

lib/lib_usage.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-06-25; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -12,131 +12,152 @@
 
 #######################################
 # Usage Wrapper CISS.debian.live.builder
-# Globals:
-#   none
 # Arguments:
 #   $0: Script name
 #######################################
 usage() {
-  clear
+  # shellcheck disable=SC2155
-  cat << EOF
+  declare var_cols=$(tput cols 2>/dev/null || echo 80)
-$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.03.832.2025.06.24\e[0m")
-$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.\e[0m")
 
-$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
+  #######################################
-$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
+  # Header, Footer wrapper for dynamically output.
+  # Arguments:
+  #   $1: Text.
+  #   $2: Width of Terminal.
+  #######################################
+  center() {
+    declare var_text="$1"
+    declare var_width="$2"
+    declare var_padding=$(( (var_width - ${#var_text}) / 2 ))
+    printf "%*s%s%*s\n" "${var_padding}" "" "${var_text}" "${var_padding}" ""
+  }
 
-"${0} <option>", where <option> is one or more of:
+  # shellcheck disable=SC2155
+  declare var_header=$(center "CLB(1)        CISS.debian.live.builder        CLB(1)" "${var_cols}")
+  # shellcheck disable=SC2155
+  declare var_footer=$(center "V8.03.864.2025.07.15        2025-06-25        CLB(1)" "${var_cols}")
 
-$(echo -e "\e[97m  --help, -h\e[0m")
+  {
-    What you're looking at.
+    echo -e "\e[1;97m${var_header}\e[0m"
-
+    echo
-$(echo -e "\e[97m  --autobuild=*, -a=*\e[0m")
+    echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel
+    echo -e "\e[92mMaster V8.03.864.2025.07.15\e[0m"
-    selector dialog. Change '*' to your desired Linux kernel and trim the
+    echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
-    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'.
+    echo
-
+    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
-$(echo -e "\e[97m  --architecture <STRING> one of <amd64 | arm64>\e[0m")
+    echo -e "\e[97m(p) Centurion Press, 2024 - 2025 \e[0m"
-    A string reflecting the architecture of the Live System.
+    echo
-    MUST be provided.
+    echo -e "\e[97m${0} <option>, where <option> is one or more of: \e[0m"
-
+    echo
-$(echo -e "\e[97m  --build-directory </path/to/build_directory>\e[0m")
+    echo -e "\e[97m  --help, -h \e[0m"
-    Where the Debian Live Build Image should be generated.
+    echo "    What you're looking at."
-    MUST be provided.
+    echo
-
+    echo -e "\e[97m  --autobuild=*, -a=* \e[0m"
-$(echo -e "\e[97m  --change-splash <STRING> one of <club | hexagon>\e[0m")
+    echo "    Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel"
-    A string reflecting the GRub Boot Screen Splash you want to use.
+    echo "    selector dialog. Change '*' to your desired Linux kernel and trim the"
-    If omitted defaults to "./.archive/background/club.png".
+    echo "    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'."
-
+    echo
-$(echo -e "\e[97m  --cdi (Experimental Feature)\e[0m")
+    echo -e "\e[97m  --architecture <STRING> one of <amd64 | arm64> \e[0m"
-    This option generates a boot menu entry to start the forthcoming
+    echo "    A string reflecting the architecture of the Live System."
-    'CISS.debian.installer', which will be executed after
+    echo "    MUST be provided."
-    the system has successfully booted up.
+    echo
-
+    echo -e "\e[97m  --build-directory </path/to/build_directory> \e[0m"
-$(echo -e "\e[97m  --contact, -c\e[0m")
+    echo "    Where the Debian Live Build Image should be generated."
-    Displays contact information of the author.
+    echo "    MUST be provided."
-
+    echo
-$(echo -e "\e[97m  --control <INTEGER>\e[0m")
+    echo -e "\e[97m  --change-splash <STRING> one of <club | hexagon>\e[0m"
-    An integer that reflects the version of your Live ISO Image.
+    echo "    A string reflecting the Grub Boot Screen Splash you want to use."
-    MUST be provided.
+    echo "    If omitted defaults to './.archive/background/club.png'."
-
+    echo
-$(echo -e "\e[97m  --debug\e[0m")
+    echo -e "\e[97m  --cdi (Experimental Feature)\e[0m"
-    Enables debug logging for the main program routine. Detailed logging
+    echo "    This option generates a boot menu entry to start the forthcoming"
-    information are written to "/tmp/ciss_live_builder_$$.log"
+    echo "    'CISS.debian.installer', which will be executed after"
-
+    echo "    the system has successfully booted up."
-$(echo -e "\e[97m  --dhcp-centurion\e[0m")
+    echo
-    If a DHCP lease is provided, the provider's nameserver will be overridden,
+    echo -e "\e[97m  --contact, -c\ e[0m"
-    and only the hardened, privacy-focused Centurion DNS servers will be used:
+    echo "    Show author contact information."
-      - https://dns01.eddns.eu/
+    echo
-      - https://dns02.eddns.de/
+    echo -e "\e[97m  --control <INTEGER>\e[0m"
-      - https://dns03.eddns.eu/
+    echo "    An integer that reflects the version of your Live ISO Image."
-
+    echo "    MUST be provided."
-$(echo -e "\e[97m  --jump-host <IP | IP | ... >\e[0m")
+    echo
-    Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
+    echo -e "\e[97m  --debug, -d \e[0m"
-    Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
+    echo "    Enables debug logging for the main program routine. Detailed logging"
-    If provided, than it MUST be a <SPACE> separated list.
+    echo "    information are written to '/tmp/ciss_live_builder_$$.log'."
-    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64.
+    echo
-
+    echo -e "\e[97m  --dhcp-centurion \e[0m"
-$(echo -e "\e[97m  --log-statistics-only\e[0m")
+    echo "    If a DHCP lease is provided, the provider's nameserver will be overridden,"
-    Provides statistic only after successful building a
+    echo "    and only the hardened, privacy-focused Centurion DNS servers will be used:"
-    CISS.debian.live-ISO. While enabling "--log-statistics-only"
+    echo "      - https://dns01.eddns.eu/"
-    the argument "--build-directory" MUST be provided while
+    echo "      - https://dns02.eddns.de/"
-    all further options MUST be omitted.
+    echo "      - https://dns03.eddns.eu/"
-
+    echo
-$(echo -e "\e[97m  --provider-netcup-ipv6\e[0m")
+    echo -e "\e[97m  --jump-host <IP | IP | ... > \e[0m"
-    Activates IPv6 support for Netcup Root Server. One unique
+    echo "    Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access."
-    IPv6 address MUST be provided in this case and MUST be encapsulated
+    echo "    Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation."
-    with [], e.g., [1234::abcd].
+    echo "    If provided, than it MUST be a <SPACE> separated list."
-
+    echo "    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64."
-$(echo -e "\e[97m  --renice-priority <PRIORITY>\e[0m")
+    echo
-    Reset the nice priority value of the script and all its children
+    echo -e "\e[97m  --log-statistics-only\e[0m"
-    to the desired <PRIORITY>. MUST be an integer (between "-19" and 19).
+    echo "    Provides statistic only after successful building a"
-    Negative (higher) values MUST be enclosed in double quotes '"'.
+    echo "    CISS.debian.live-ISO. While enabling '--log-statistics-only'"
-
+    echo "    the argument '--build-directory' MUST be provided while"
-$(echo -e "\e[97m  --reionice-priority <CLASS> <PRIORITY>\e[0m")
+    echo "    all further options MUST be omitted."
-    Reset the ionice priority value of the script and all its children
+    echo
-    to the desired <CLASS>. MUST be an integer:
+    echo -e "\e[97m  --provider-netcup-ipv6 \e[0m"
-      1: realtime
+    echo "    Activates IPv6 support for Netcup Root Server. One unique"
-      2: best-effort
+    echo "    IPv6 address MUST be provided in this case and MUST be encapsulated"
-      3: idle
+    echo "    with [], e.g., [1234::abcd]."
-    Defaults to '2'.
+    echo
-    Whereas <PRIORITY> MUST be an integer as well between:
+    echo -e "\e[97m  --renice-priority <PRIORITY> \e[0m"
-      0: highest priority and
+    echo "    Reset the nice priority value of the script and all its children"
-      7: lowest priority.
+    echo "    to the desired <PRIORITY>. MUST be an integer (between '-19' and 19)."
-    Defaults to '4'.
+    echo "    Negative (higher) values MUST be enclosed in double quotes '\"'."
-    A real-time I/O process can significantly slow down other processes
+    echo
-    or even cause them to starve if it continuously requests I/O.
+    echo -e "\e[97m  --reionice-priority <CLASS> <PRIORITY> \e[0m"
-
+    echo "    Reset the ionice priority value of the script and all its children"
-$(echo -e "\e[97m  --root-password-file </path/to/password.txt>\e[0m")
+    echo "    to the desired <CLASS>. MUST be an integer:"
-    Password file for 'root', if given, MUST be a string of 20 to 64 characters,
+    echo "      1: realtime"
-    and MUST NOT contain the special character '"'.
+    echo "      2: best-effort"
-    If the argument is omitted, no further login authentication is required for
+    echo "      3: idle"
-    the local console. The root password is hashed with an 16 Byte '/dev/random'
+    echo "    Defaults to '2'."
-    generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
+    echo "    Whereas <PRIORITY> MUST be an integer as well between:"
-    after Hash generation all Variables containing plain password fragments are
+    echo "      0: highest priority and"
-    deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without
+    echo "      7: lowest priority."
-    further prompt after password hash has been successfully generated via:
+    echo "    Defaults to '4'."
-    'shred -vfzu 5 -f'.
+    echo "    A real-time I/O process can significantly slow down other processes"
-    No tracing of any plain text password fragment in any debug log.
+    echo "    or even cause them to starve if it continuously requests I/O."
-
+    echo
-$(echo -e "\e[97m  --ssh-port <INTEGER>\e[0m")
+    echo -e "\e[97m  --root-password-file </path/to/password.txt> \e[0m"
-    The desired Port SSH should listen to.
+    echo "    Password file for 'root', if given, MUST be a string of 20 to 64 characters,"
-    If not provided defaults to Port 22.
+    echo "    and MUST NOT contain the special character '\"'."
-
+    echo "    If the argument is omitted, no further login authentication is required for"
-$(echo -e "\e[97m  --ssh-pubkey </path/to/.ssh/>\e[0m")
+    echo "    the local console. The root password is hashed with an 16 Byte '/dev/random'"
-    Imports the SSH Public Key(s) from the FILE 'authorized_keys' of the
+    echo "    generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately"
-    specified PATH into the Live ISO. MUST be provided.
+    echo "    after Hash generation all Variables containing plain password fragments are"
-
+    echo "    deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without"
-$(echo -e "\e[97m  --version, -v\e[0m")
+    echo "    further prompt after password hash has been successfully generated via:"
-    Displays version of ${0}.
+    echo "    'shred -vfzu 5 -f'."
-
+    echo "    'No tracing of any plain text password fragment in any debug log."
-$(echo -e "\e[93m💡 Notes:\e[0m")
+    echo
-🔵 You MUST be 'root' to run this script.
+    echo -e "\e[97m  --ssh-port <INTEGER> \e[0m"
-
+    echo "    The desired Port SSH should listen to."
-$(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m")
+    echo "    If not provided defaults to Port '22'."
-$(echo -e "\e[95m🌐 https://coresecret.eu/spenden/         \e[0m")
+    echo
-
+    echo -e "\e[97m  --ssh-pubkey </path/to/.ssh/> \e[0m"
-EOF
+    echo "    Imports the SSH Public Key from the FILE 'authorized_keys' of the"
+    echo "    specified PATH into the Live ISO. MUST be provided."
+    echo
+    echo -e "\e[97m  --version, -v \e[0m"
+    echo "    Show version of ${0}."
+    echo
+    echo -e "\e[93m💡 Notes:\e[0m"
+    echo -e "\e[93m🔵 You MUST be 'root' to run this script.\e[0m"
+    echo
+    echo -e "\e[95m💷 Please consider donating to my work at: \e[0m"
+    echo -e "\e[95m🌐 https://coresecret.eu/spenden/ \e[0m"
+    echo
+    echo -e "\e[1;97m${var_footer}\e[0m"
+  } | less -R
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_version.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-25; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Version Wrapper CISS.debian.live.builder
+# Globals:
+#   VAR_VERSION
+# Arguments:
+#   None
+#######################################
+version() {
+  # shellcheck disable=SC2155
+  declare -r var_repo_ver="$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
+  # shellcheck disable=SC2155
+  declare -r var_lb_ver="$(lb -v)"
+  # shellcheck disable=SC2155
+  declare -r var_ds_ver="$(debootstrap --version)"
+  # shellcheck disable=SC2155
+  declare -r var_host="$(uname -n)"
+  # shellcheck disable=SC2155
+  declare -r var_bash_ver="$(bash --version | head -n1 | awk '{print $4" "$5" "$6}')"
+
+  clear
+  cat << EOF
+$(echo -e "\e[97m################################################################################ \e[0m")
+$(echo -e "\e[92m  CISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m")
+$(echo -e "\e[92m  A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
+
+  Version : ${VAR_VERSION}
+  Git     : ${var_repo_ver}
+
+$(echo -e "\e[97m  This program is free software. Distribution and modification under  \e[0m")
+$(echo -e "\e[97m  EUPL-1.2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! \e[0m")
+
+  Please file bugs @
+$(echo -e "\e[95m  https://git.coresecret.dev/msw/CISS.debian.live.builder/issues \e[0m")
+$(echo -e "\e[97m################################################################################\e[0m")
+
+  Using   : lb (${var_lb_ver}) debootstrap (${var_ds_ver})
+  on      : ${var_host}
+  Bash    : ${var_bash_ver}
+
+EOF
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

scripts/0010_dhcp_supersede.sh

@@ -21,9 +21,9 @@ fi
 cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp/dhclient.conf
 
 # Custom dhclient config to override DHCP DNS
-# dns01.eddns.eu, dns02.eddns.de; dns03.eddns.eu;
+# dns01.eddns.eu, dns02.eddns.de, dns03.eddns.eu;
 
-supersede domain-name-servers 135.181.207.105, 89.58.62.53; 138.199.237.109;
+supersede domain-name-servers 135.181.207.105, 89.58.62.53, 138.199.237.109;
 
 EOF
 

scripts/9000-cdi-starter

@@ -15,7 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 # sleep 1
 
 [[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log
-printf "CISS.debian.installer Master V8.03.832.2025.06.24 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+printf "CISS.debian.installer Master V8.03.864.2025.07.15 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
 
 if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then
   chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh

var/early.var.sh

@@ -17,7 +17,7 @@ declare -agx ARY_PARAM_ARRAY=("$@")
 declare -grx VAR_PARAM_COUNT="$#"
 declare -grx VAR_PARAM_STRNG="$*"
 declare -grx VAR_CONTACT="security@coresecret.eu"
-declare -grx VAR_VERSION="Master V8.03.832.2025.06.24"
+declare -grx VAR_VERSION="Master V8.03.864.2025.07.15"
 declare -grx VAR_SYSTEM="$(uname -a)"
 declare -gx  VAR_EARLY_DEBUG="false"
 declare -gx  VAR_HANDLER_AUTOBUILD="false"