DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]

X-CI-Metadata: master@7d1e5d8 at 2025-08-11T17:23:58Z on 317460cabc16 Generated at : 2025-08-11T17:23:58Z Runner Host : 317460cabc16 Workflow ID : 🛡️ Shell Script Linting Git Commit : 7d1e5d8 HEAD -> master
V8.04.002.2025.08.11
2025-08-11 17:23:58 +00:00 · 2025-08-11 19:22:57 +02:00 · 2025-08-11 17:03:33 +00:00 · 2025-08-11 19:02:33 +02:00 · 2025-08-11 16:53:44 +00:00 · 2025-08-11 18:52:29 +02:00
68 changed files with 1169 additions and 467 deletions
--- a/.archive/.0000_lib_usage.sh
+++ b/.archive/.0000_lib_usage.sh
@@ -0,0 +1,142 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 #######################################
 # Usage Wrapper CISS.debian.live.builder
 # Globals:
 #   none
 # Arguments:
 #   $0: Script name
 #######################################
 usage() {
  clear
  cat << EOF
 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
 $(echo -e "\e[92mMaster V8.04.002.2025.08.11\e[0m")
 $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
 $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
 $(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
 "${0} <option>", where <option> is one or more of:
 $(echo -e "\e[97m  --help, -h\e[0m")
    What you're looking at.
 $(echo -e "\e[97m  --autobuild=*, -a=*\e[0m")
    Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel
    selector dialog. Change '*' to your desired Linux kernel and trim the
    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'.
 $(echo -e "\e[97m  --architecture <STRING> one of <amd64 | arm64>\e[0m")
    A string reflecting the architecture of the Live System.
    MUST be provided.
 $(echo -e "\e[97m  --build-directory </path/to/build_directory>\e[0m")
    Where the Debian Live Build Image should be generated.
    MUST be provided.
 $(echo -e "\e[97m  --change-splash <STRING> one of <club | hexagon>\e[0m")
    A string reflecting the GRub Boot Screen Splash you want to use.
    If omitted defaults to "./.archive/background/club.png".
 $(echo -e "\e[97m  --cdi (Experimental Feature)\e[0m")
    This option generates a boot menu entry to start the forthcoming
    'CISS.debian.installer', which will be executed after
    the system has successfully booted up.
 $(echo -e "\e[97m  --contact, -c\e[0m")
    Displays contact information of the author.
 $(echo -e "\e[97m  --control <INTEGER>\e[0m")
    An integer that reflects the version of your Live ISO Image.
    MUST be provided.
 $(echo -e "\e[97m  --debug\e[0m")
    Enables debug logging for the main program routine. Detailed logging
    information are written to "/tmp/ciss_live_builder_$$.log"
 $(echo -e "\e[97m  --dhcp-centurion\e[0m")
    If a DHCP lease is provided, the provider's nameserver will be overridden,
    and only the hardened, privacy-focused Centurion DNS servers will be used:
      - https://dns01.eddns.eu/
      - https://dns02.eddns.de/
      - https://dns03.eddns.eu/
 $(echo -e "\e[97m  --jump-host <IP | IP | ... >\e[0m")
    Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
    Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
    If provided, than it MUST be a <SPACE> separated list.
    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64.
 $(echo -e "\e[97m  --log-statistics-only\e[0m")
    Provides statistic only after successful building a
    CISS.debian.live-ISO. While enabling "--log-statistics-only"
    the argument "--build-directory" MUST be provided while
    all further options MUST be omitted.
 $(echo -e "\e[97m  --provider-netcup-ipv6\e[0m")
    Activates IPv6 support for Netcup Root Server. One unique
    IPv6 address MUST be provided in this case and MUST be encapsulated
    with [], e.g., [1234::abcd].
 $(echo -e "\e[97m  --renice-priority <PRIORITY>\e[0m")
    Reset the nice priority value of the script and all its children
    to the desired <PRIORITY>. MUST be an integer (between "-19" and 19).
    Negative (higher) values MUST be enclosed in double quotes '"'.
 $(echo -e "\e[97m  --reionice-priority <CLASS> <PRIORITY>\e[0m")
    Reset the ionice priority value of the script and all its children
    to the desired <CLASS>. MUST be an integer:
      1: realtime
      2: best-effort
      3: idle
    Defaults to '2'.
    Whereas <PRIORITY> MUST be an integer as well between:
      0: highest priority and
      7: lowest priority.
    Defaults to '4'.
    A real-time I/O process can significantly slow down other processes
    or even cause them to starve if it continuously requests I/O.
 $(echo -e "\e[97m  --root-password-file </path/to/password.txt>\e[0m")
    Password file for 'root', if given, MUST be a string of 20 to 64 characters,
    and MUST NOT contain the special character '"'.
    If the argument is omitted, no further login authentication is required for
    the local console. The root password is hashed with an 16 Byte '/dev/random'
    generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
    after Hash generation all Variables containing plain password fragments are
    deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without
    further prompt after password hash has been successfully generated via:
    'shred -vfzu 5 -f'.
    No tracing of any plain text password fragment in any debug log.
 $(echo -e "\e[97m  --ssh-port <INTEGER>\e[0m")
    The desired Port SSH should listen to.
    If not provided defaults to Port 22.
 $(echo -e "\e[97m  --ssh-pubkey </path/to/.ssh/>\e[0m")
    Imports the SSH Public Key(s) from the FILE 'authorized_keys' of the
    specified PATH into the Live ISO. MUST be provided.
 $(echo -e "\e[97m  --version, -v\e[0m")
    Displays version of ${0}.
 $(echo -e "\e[93m💡 Notes:\e[0m")
 🔵 You MUST be 'root' to run this script.
 $(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m")
 $(echo -e "\e[95m🌐 https://coresecret.eu/spenden/         \e[0m")
 EOF
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.03.832.2025.06.24"
+      placeholder: "e.g., Master V8.04.002.2025.08.11"
    validations:
      required: true
--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.832.2025.06.24
+### Version Master V8.04.002.2025.08.11
 FROM debian:bookworm
--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.832.2025.06.24
+### Version Master V8.04.002.2025.08.11
 name: 🔁 Render README.md to README.html.
--- a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
@@ -10,6 +10,6 @@
 # SPDX-Security-Contact: security@coresecret.eu
 build:
-  counter: 1024
+  counter: 1023
-  version: V8.03.832.2025.06.24
+  version: V8.04.002.2025.08.11
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.03.832.2025.06.24
+  version: V8.04.002.2025.08.11
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PUBLIC.yaml
+++ b/.gitea/trigger/t_generate_PUBLIC.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.03.832.2025.06.24
+  version: V8.04.002.2025.08.11
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.03.832.2025.06.24
+  version: V8.04.002.2025.08.11
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.832.2025.06.24
+### Version Master V8.04.002.2025.08.11
 name: 🔐 Generating a Private Live ISO FLV 0.
--- a/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.832.2025.06.24
+### Version Master V8.04.002.2025.08.11
 name: 🔐 Generating a Private Live ISO FLV 1.
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.832.2025.06.24
+### Version Master V8.04.002.2025.08.11
 name: 💙 Generating a PUBLIC Live ISO.
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.832.2025.06.24
+### Version Master V8.04.002.2025.08.11
 # Gitea Workflow: Shell-Script Linting
 #
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.832.2025.06.24
+### Version Master V8.04.002.2025.08.11
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.832.2025.06.24
+### Version Master V8.04.002.2025.08.11
 name: 🔁 Render Graphviz Diagrams.
--- a/.shellcheckrc
+++ b/.shellcheckrc
@@ -0,0 +1,28 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 encoding=utf-8
 external-sources=true
 shell=bash
 source-path=~/lib
 source-path=~/scripts
 source-path=~/var
 enable=avoid-nullary-conditions
 enable=check-extra-masked-returns
 enable=check-set-e-suppressed
 enable=check-unassigned-uppercase
 enable=deprecate-which
 enable=quote-safe-variables
 enable=require-double-brackets
 enable=require-variable-braces
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.03.832.2025.06.24"
+properties_version="V8.04.002.2025.08.11"
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.03.832.2025.06.24
+PackageVersion: Master V8.04.002.2025.08.11
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
@@ -20,4 +20,4 @@ License: LicenseRef-CCLA-1.0
 LicenseID: LicenseRef-CCLA-1.0
 LicenseName: Centurion Commercial License Agreement 1.0
 LicenseCrossReference: https://coresecret.eu/imprint/licenses/
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/LINTER_RESULTS.txt
+++ b/LINTER_RESULTS.txt
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-06-24T21:45:52Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-08-11T17:23:55Z".
 ✅ The last linter check was successful. ✅
--- a/LIVE_ISO.public
+++ b/LIVE_ISO.public
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-06-23T09:04:49Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-08-07T10:53:55Z".
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_23T08_20_37Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_08_07T10_04_36Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  86a8be09e16299892ae99d195b56a04356bcf5d2202016da8f8fa7441077c43fab68ebefcb8c39b3423f085a74b607907fb691ac71fdef92af33782bd2ac0ce5
+  3d1e73f464cae840af3faf43ab1dcd2b47b2a8610527ed57d406b0d1d6c80b23d8b550c33288edad2652f33560cc410efcb71c022e6f46ef6edec344e9b735f7
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFkYsQAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaJSFwwAKCRA85KY4hzOw
-IbrbAQDeOIS3QYKIPkMhYlNPIcsJjv/dh3TdYiuQbkvfwVI+/gD/TiB+ska62vJk
+IdavAP9IXSWEcQcEW0LRPJBEino30IU4bzAlJJPJ/ROcRblMWQEA06xIsSQVM6A/
-LGfwjuaxMC0KHG1/UTICytOeAnTrXAc=
+JeUxqQCspstTDwOEROSwfcZgCN/ySwA=
-=qk8B
+=RynM
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/LIVE_ISO_FLV_0.private
+++ b/LIVE_ISO_FLV_0.private
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-06-24T19:21:36Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-08-07T08:55:20Z".
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_24T18_36_59Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_08_07T08_03_38Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  3ca5a9635ef74a48f6d8f31696ec56e56ee95eff5317df95976e22d31e331bc503422602e24a9eaddfc30212acf6ebe96af51e94298c4c7c49c839c62abb6c2f
+  1ed2a27ca9137e55202cc3936c32c8285c02e200fc7e40034752d21fe15d251d10a91b05e5336aedd351d47b0aa6bed34304bf46dbd6a1df0df92612a72c950d
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFr6wAAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaJRp+AAKCRA85KY4hzOw
-IbgHAP4p9jlF9jZkYIw/0H8j07QUWNHxeUz2r2UXp8aN2gUEBwEAxqbznJhH8li8
+IRXlAQDsDYY4bc7OA8pVWbz4AXlTh/m5PJtt4DAiRvqBnSNQkQEA3M0OZr/6cZkF
-40g5sWwGLmBjlidIOe0NxeMUBkuMlQg=
+lDpsQU14hbr06d70JmNeAc9CVsMVbQQ=
-=gq5w
+=h1hv
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/LIVE_ISO_FLV_1.private
+++ b/LIVE_ISO_FLV_1.private
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-06-24T22:34:36Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-08-07T09:55:21Z".
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_06_24T21_53_22Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_08_07T09_04_30Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  581d951c8ab4d8e7afd2d727f8e64bd6fff51d005b84b9800e941da8dae654985bae500e056f02729d6b274ba330dfdbec59fd5ec2c8b18c3bbf37433b73c154
+  7ccbe6b6622a6fe2db68a37c0d4feb2759addf8fe8b3cd1186bcc2bb7305dae4b6ffbbdad336b41eb98e5bef681166d50ddcf9761226575584201de94de9007b
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaFsn/AAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaJR4CQAKCRA85KY4hzOw
-IUvMAP9P1U6lblhdZ9tSROvYXRXcv0IEg2rVo3fMx9T5fozLewEAgxxo0+J1Nlvu
+IdL0AP9jojn+k2E9FdCuc/y8qvD4p26m12cvydq2CYFUwfjbXgD/TBC0yRhM4Cfo
-KVZOdiuc6xdxkBHWYaA2kSXZKI+qAwA=
+GShrXSXGILEZBIxSbmWwPqHEWo7vMQ8=
-=2H0C
+=tgad
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.832.2025.06.24-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.04.002.2025.08.11-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -12,7 +12,7 @@ include_toc: true
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.2-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.1.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
@@ -26,7 +26,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -142,7 +142,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `V8.03.832.2025.06.24`
+Example: `V8.04.002.2025.08.11`
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
@@ -420,12 +420,13 @@ predictable script behavior.
   5. Make any other changes you need to.
 3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):
-   ```yaml
+   ````bash
   chmod 0700 ./ciss_live_builder.sh
   timestamp=$(date -u +%Y-%m-%dT%H:%M:%S%z)
   ./ciss_live_builder.sh --architecture amd64 \
                          --build-directory /opt/livebuild \
                          --change-splash hexagon \
-                          --control 384 \
+                          --control "${timestamp}" \
                          --debug \
                          --dhcp-centurion \
                          --jump-host 10.0.0.128 [c0de:4711:0815:4242::1] [2abc:4711:0815:4242::1]/64 \
@@ -435,7 +436,7 @@ predictable script behavior.
                          --root-password-file /opt/gitea/CISS.debian.live.builder/password.txt \
                          --ssh-port 4242 \
                          --ssh-pubkey /opt/gitea/CISS.debian.live.builder
-   ```
+   ````
 4. Locate your ISO in the `--build-directory`.
 5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel.
 6. Type `sysp` for the final kernel hardening features.
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -13,85 +13,142 @@
 ### Contributions so far see ./docs/CREDITS.md
 ### WHY BASH?
-# Ease of installation.
+# Ease of installation. No compiling or installing gems, CPAN modules, pip packages, etc. Simple to use and read. Clear syntax
-# No compiling or installing gems, CPAN modules, pip packages, etc.
+# and straightforward output interpretation. Built-in power. Pattern matching, line processing, and regular expression support
-# Simple to use and read. Clear syntax and straightforward output interpretation.
+# are available natively, no external binaries required. Cross-platform consistency. '/bin/bash' is the default shell on most
-# Built-in power.
+# Linux distributions, ensuring scripts run unmodified across systems. macOS compatibility. Since macOS Catalina (10.15), the
-# Pattern matching, line processing, and regular expression support are available natively,
+# default login shell has been zsh, but bash remains available at '/bin/bash'. Windows support. You can use bash via WSL, MSYS2,
-# no external binaries required.
+# or Cygwin on Windows systems.
 # Cross-platform consistency.
 # '/bin/bash' is the default shell on most Linux distributions, ensuring scripts run unmodified across systems.
 # macOS compatibility.
 # Since macOS Catalina (10.15), the default login shell has been zsh, but bash remains available at '/bin/bash'.
 # Windows support.
 # You can use bash via WSL, MSYS2, or Cygwin on Windows systems.
-### Preliminary checks
+### CATCH ARGUMENTS AND DECLARE BASIC VARIABLES.
 # shellcheck disable=SC2155
 declare -girx VAR_START_TIME="${SECONDS}"                                # Start time of script execution.
 declare -grx  VAR_PARAM_COUNT="$#"                                       # Arguments passed to script.
 declare -grx  VAR_PARAM_STRNG="$*"                                       # Arguments passed to script as string.
 declare -ag   ARY_PARAM_ARRAY=("$@")                                     # Arguments passed to script as an array.
 declare -grx  VAR_SETUP_FILE="${0##*/}"                                  # 'ciss_debian_live_builder.sh'
 declare -grx  VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)"          # '/opt/git/CISS.debian.live.builder'
 declare -grx  VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/opt/git/CISS.debian.live.builder/ciss_debian_live_builder.sh'
 # shellcheck disable=SC2155
 declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
 # shellcheck disable=SC2155
 declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
 # shellcheck disable=SC2155
 declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
 ### PRELIMINARY CHECKS.
 ### No ash, dash, ksh, sh.
 # shellcheck disable=2292
 [ -z "${BASH_VERSINFO[0]}" ] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2; exit "${ERR_UNSPPTBASH}"; }
+  . ./var/global.var.sh
  printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2
  exit "${ERR_UNSPPTBASH}"
 }
 ### No zsh.
 [[ -n "${ZSH_VERSION:-}" ]] && {
  . ./var/global.var.sh
  printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2
  exit "${ERR_UNSPPTBASH}"
 }
 ### Not root.
 [[ ${EUID} -ne 0 ]] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Please make sure you are 'root'! Bye... \e[0m\n" >&2; exit "${ERR_NOT_USER_0}"; }
+  . ./var/global.var.sh
  printf "\e[91m❌ Please make sure you are 'root'! Bye... \e[0m\n" >&2
  exit "${ERR_NOT_USER_0}"
 }
 ### Not called by sh.
 # shellcheck disable=2312
 [[ $(kill -l | grep -c SIG) -eq 0 ]] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2; exit "${ERR_UNSPPTBASH}"; }
+  . ./var/global.var.sh
  printf "\e[91m❌ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2
  exit "${ERR_UNSPPTBASH}"
 }
 ### Not sourced.
 [[ "${BASH_SOURCE[0]}" != "$0" ]] && {
  . ./var/global.var.sh
  printf "\e[91m❌ This script must be executed, not sourced. Please run '%s' directly! Bye... \e[0m\n" "$0" >&2
  exit "${ERR_UNSPPTBASH}"
 }
 ### Minimum Bash version 5.
 [[ ${BASH_VERSINFO[0]} -lt 5 ]] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
+  . ./var/global.var.sh
  printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2
  exit "${ERR_UNSPPTBASH}"
 }
 ### Minimum Bash version 5.1.
 [[ ${BASH_VERSINFO[0]} -le 5 ]] && [[ ${BASH_VERSINFO[1]} -le 1 ]] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
+  . ./var/global.var.sh
  printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2
  exit "${ERR_UNSPPTBASH}"
 }
 ### No arguments.
 [[ ${#} -eq 0 ]] && {
-  . ./lib/lib_usage.sh; usage; exit 1; }
+  . ./lib/lib_usage.sh
  usage
  exit 1
 }
 ### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING(), CHECK_GIT()
 . ./var/early.var.sh
 . ./lib/lib_guard_sourcing.sh
-. ./lib/lib_git_var.sh
+. ./lib/lib_source_guard.sh
 source_guard "./lib/lib_git_var.sh"
 ### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG
 for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh; contact; exit 0;; esac; done
-for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh; usage; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh  ; usage  ; exit 0;; esac; done
-for arg in "$@"; do case "${arg,,}" in -v|--version) printf "\e[95mCISS.debian.live.builder Version: %s\e[0m\n" "${VAR_VERSION}"; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh; version; exit 0;; esac; done
 ### ALL CHECKS DONE. READY TO START THE SCRIPT
 check_git
-for arg in "$@"; do case "${arg,,}" in -d|--debug)   . ./meta_sources_debug.sh; debugger "${@}";; esac; done
+for arg in "$@"; do case "${arg,,}" in -d|--debug) . ./meta_sources_debug.sh; debugger "${@}";; esac; done
 declare -gx VAR_SETUP="true"
 ### SOURCING VARIABLES
 [[ "${VAR_SETUP}" == true ]] && {
-  . ./var/bash.var.sh
+  source_guard "./var/bash.var.sh"
-  . ./var/color.var.sh
+  source_guard "./var/color.var.sh"
-  . ./var/global.var.sh
+  source_guard "./var/global.var.sh"
 }
 ### SOURCING LIBRARIES
 [[ "${VAR_SETUP}" == true ]] && {
-  . ./lib/lib_arg_parser.sh
+  source_guard "./lib/lib_arg_parser.sh"
-  . ./lib/lib_arg_priority_check.sh
+  source_guard "./lib/lib_arg_priority_check.sh"
-  . ./lib/lib_boot_screen.sh
+  source_guard "./lib/lib_boot_screen.sh"
-  . ./lib/lib_cdi.sh
+  source_guard "./lib/lib_cdi.sh"
-  . ./lib/lib_change_splash.sh
+  source_guard "./lib/lib_change_splash.sh"
-  . ./lib/lib_check_dhcp.sh
+  source_guard "./lib/lib_check_dhcp.sh"
-  . ./lib/lib_check_hooks.sh
+  source_guard "./lib/lib_check_hooks.sh"
-  . ./lib/lib_check_kernel.sh
+  source_guard "./lib/lib_check_kernel.sh"
-  . ./lib/lib_check_pkgs.sh
+  source_guard "./lib/lib_check_pkgs.sh"
-  . ./lib/lib_check_provider.sh
+  source_guard "./lib/lib_check_provider.sh"
-  . ./lib/lib_check_stats.sh
+  source_guard "./lib/lib_check_stats.sh"
-  . ./lib/lib_check_var.sh
+  source_guard "./lib/lib_check_var.sh"
-  . ./lib/lib_clean_screen.sh
+  source_guard "./lib/lib_clean_screen.sh"
-  . ./lib/lib_clean_up.sh
+  source_guard "./lib/lib_clean_up.sh"
-  . ./lib/lib_copy_integrity.sh
+  source_guard "./lib/lib_copy_integrity.sh"
-  . ./lib/lib_hardening_root_pw.sh
+  source_guard "./lib/lib_hardening_root_pw.sh"
-  . ./lib/lib_hardening_ssh.sh
+  source_guard "./lib/lib_hardening_ssh.sh"
-  . ./lib/lib_hardening_ultra.sh
+  source_guard "./lib/lib_hardening_ultra.sh"
-  . ./lib/lib_helper_ip.sh
+  source_guard "./lib/lib_helper_ip.sh"
-  . ./lib/lib_lb_build_start.sh
+  source_guard "./lib/lib_lb_build_start.sh"
-  . ./lib/lib_lb_config_start.sh
+  source_guard "./lib/lib_lb_config_start.sh"
-  . ./lib/lib_lb_config_write.sh
+  source_guard "./lib/lib_lb_config_write.sh"
-  . ./lib/lib_provider_netcup.sh
+  source_guard "./lib/lib_lb_config_write_trixie.sh"
-  . ./lib/lib_run_analysis.sh
+  source_guard "./lib/lib_provider_netcup.sh"
-  . ./lib/lib_sanitizer.sh
+  source_guard "./lib/lib_run_analysis.sh"
-  . ./lib/lib_trap_on_err.sh
+  source_guard "./lib/lib_sanitizer.sh"
-  . ./lib/lib_trap_on_exit.sh
+  source_guard "./lib/lib_trap_on_err.sh"
-  . ./lib/lib_usage.sh
+  source_guard "./lib/lib_trap_on_exit.sh"
  source_guard "./lib/lib_usage.sh"
 }
 ### ADVISORY LOCK
@@ -113,61 +170,61 @@ for dir in /usr/local/sbin /usr/sbin; do case ":${PATH}:" in *":${dir}:"*) ;; *)
 check_pkgs
 ### DIALOG OUTPUT FOR INITIALIZATION
-if ! $VAR_HANDLER_AUTOBUILD; then boot_screen; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen; fi
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nAdditional initialization ... \nXXX\n30\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nAdditional initialization ... \nXXX\n30\n" >&3; fi
 ### Initialization
 declare -gr ARGUMENTS_COUNT="$#"
 declare -gr ARG_STR_ORG_INPUT="$*"
 #declare -ar ARG_ARY_ORG_INPUT=("$@")
 # shellcheck disable=SC2155
 declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
 # shellcheck disable=SC2155
 declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
 # shellcheck disable=SC2155
 declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
 ### Following the CISS Bash naming and ordering scheme:
 trap 'trap_on_exit "$?"' EXIT
 trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
 arg_check "$@"
 declare -ar ARY_ARG_SANITIZED=("$@")
 declare -gr VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi
 arg_parser "$@"
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi
 clean_ip
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi
 ### Turn off Dialog Wrapper
-if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
 ### MAIN Program
 arg_priority_check
 check_stats
-if ! $VAR_HANDLER_AUTOBUILD; then check_provider; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then check_provider; fi
-if ! $VAR_HANDLER_AUTOBUILD; then check_kernel; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then check_kernel; fi
 check_hooks
 hardening_ssh
 lb_config_start
 lb_config_write
 if [[ "${VAR_SUITE}" == "bookworm" ]]; then
  lb_config_write
  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_trixie.chroot"
 else
  lb_config_write_trixie
  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/0003_install_backports.chroot"
  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_bookworm.chroot"
 fi
 # shellcheck disable=SC2164
 cd "${VAR_WORKDIR}"
 hardening_ultra
 hardening_root_pw
 change_splash
--- a/config/hooks/live/0001_initramfs_modules.chroot
+++ b/config/hooks/live/0001_initramfs_modules.chroot
@@ -21,7 +21,9 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 #######################################
 grep_nic_driver_modules() {
  declare _mods
-  # Gather all Driver and sort unique
+
  ### Gather all Driver and sort unique.
  # shellcheck disable=SC2312
  readarray -t _mods < <(
    lspci -k \
      | grep -A2 -i ethernet \
--- a/config/hooks/live/0810_chrony_setup.chroot
+++ b/config/hooks/live/0810_chrony_setup.chroot
@@ -39,14 +39,13 @@ authselectmode require
 server ptbtime1.ptb.de iburst nts minpoll 5 maxpoll 9
 server ptbtime2.ptb.de iburst nts minpoll 5 maxpoll 9
 server ptbtime3.ptb.de iburst nts minpoll 5 maxpoll 9
-server ptbtime4.ptb.de iburst nts noselect minpoll 5 maxpoll 9
+server ptbtime4.ptb.de iburst nts minpoll 5 maxpoll 9
-# server nts.netnod.se iburst nts minpoll 5 maxpoll 9
+server sth1.ntp.se iburst nts minpoll 5 maxpoll 9
-
+server ntp0.fau.de iburst nts minpoll 5 maxpoll 9
 server ntp13.metas.ch iburst nts minpoll 5 maxpoll 9
 # server ntp.ripe.net iburst nts minpoll 5 maxpoll 9
 # server ntp12.metas.ch iburst nts minpoll 5 maxpoll 9
 # server ntp2.tecnico.ulisboa.pt iburst nts minpoll 5 maxpoll 9
 # server time-c-b.nist.gov iburst nts minpoll 5 maxpoll 9
 server ntp0.fau.de iburst nts minpoll 5 maxpoll 9
 leapsectz right/UTC
--- a/config/hooks/live/9998_sources_list_bookworm.chroot
+++ b/config/hooks/live/9998_sources_list_bookworm.chroot
--- a/config/hooks/live/9998_sources_list_trixie.chroot
+++ b/config/hooks/live/9998_sources_list_trixie.chroot
@@ -0,0 +1,59 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -C -e -u -o pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root
 if [[ -f /etc/apt/sources.list ]]; then
  mv /etc/apt/sources.list /root/.ciss/dlb/backup/sources.list.bak
 fi
 cat << 'EOF' >| /etc/apt/sources.list
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
 # SPDX-PackageName: CISS.2025.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 #-----------------------------------------------------------------------------------------#
 #                                  OFFICIAL DEBIAN REPOS
 #-----------------------------------------------------------------------------------------#
 ### Debian Main Repos Bookworm
 deb https://deb.debian.org/debian/ trixie main contrib non-free non-free-firmware
 deb-src https://deb.debian.org/debian/ trixie main contrib non-free non-free-firmware
 deb http://security.debian.org/debian-security trixie-security main contrib non-free non-free-firmware
 deb-src http://security.debian.org/debian-security trixie-security main contrib non-free non-free-firmware
 deb https://deb.debian.org/debian/ trixie-updates main contrib non-free non-free-firmware
 deb-src https://deb.debian.org/debian/ trixie-updates main contrib non-free non-free-firmware
 deb https://deb.debian.org/debian/ trixie-backports main contrib non-free non-free-firmware
 deb-src https://deb.debian.org/debian/ trixie-backports main contrib non-free non-free-firmware
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.832.2025.06.24
+### Version Master V8.04.002.2025.08.11
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -31,12 +31,12 @@ ListenAddress                ::
 Port MUST_BE_CHANGED
 AllowUsers                   root
 UseDNS                       no
-### Force a key exchange after transferring 1 GiB of data or 1 hour of session time,
+### Force a key exchange after transferring 1 GiB of data or 1 hour of session time, whichever occurs first.
 ### whichever occurs first.
 RekeyLimit                   1G 1h
 HostKey                      /etc/ssh/ssh_host_ed25519_key
 HostKey                      /etc/ssh/ssh_host_rsa_key
 TrustedUserCAKeys            none
 PubkeyAuthentication         yes
 PermitRootLogin              prohibit-password
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.832.2025.06.24
+### Version Master V8.04.002.2025.08.11
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V8.03.832.2025.06.24"
+declare -gr VERSION="Master V8.04.002.2025.08.11"
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.03.832.2025.06.24 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.04.002.2025.08.11 at: 10:18:37.9542
--- a/config/includes.chroot/root/.bashrc
+++ b/config/includes.chroot/root/.bashrc
@@ -10,25 +10,6 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # ~/.bashrc: executed by bash(1) for non-login shells.
 # Note: PS1 and umask are already set in /etc/profile. You should not
 # need this unless you want different defaults for root.
 # PS1='${debian_chroot:+($debian_chroot)}\h:\w\$ '
 # umask 022
 # You may uncomment the following lines if you want `ls' to be colorized:
 # export LS_OPTIONS='--color=auto'
 # eval "$(dircolors)"
 # alias ls='ls $LS_OPTIONS'
 # alias ll='ls $LS_OPTIONS -l'
 # alias l='ls $LS_OPTIONS -lA'
 #
 # Some more alias to avoid making mistakes:
 # alias rm='rm -i'
 # alias cp='cp -i'
 # alias mv='mv -i'
 [[ $- != *i* ]] && return
 trap ' "${SHELL}" /root/.ciss/clean_logout.sh ' 0
@@ -55,27 +36,20 @@ export CMAG='\033[1;95m'
 export CCYA='\033[1;96m'
 export CWHI='\033[1;97m'
 export CRES='\033[0m'
-
+export NL='\n'
 #if [[ "${UID}" -eq 0 ]]; then
 #  export user_color="${CRED}"
 #else
 #  export user_color="${CGRE}"
 #fi
 ### Define bash colorful prompt
-# PS1="${user_color}\d${CRES}|${user_color}\u${CRES}@${CMAG}\h${CRES}:${CCYA}\w${CRES}/>>\$(if [[ \$? -eq 0 ]]; then echo -e \"${CGRE}\$?${CRES}\"; else echo -e \"${CRED}\$?${CRES}\"; fi)|~\$ "
+export PS1="\
-PS1="\
+\[\033[1;91m\]\d\[\033[0m\]|\
-\[\033[1;91m\]\d\[\033[0m\]|\[\033[1;91m\]\u\[\033[0m\]@\
+\[\033[1;91m\]\u\[\033[0m\]@\
 \[\033[1;95m\]\h\[\033[0m\]:\
 \[\033[1;96m\]\w\[\033[0m\]/>>\
 \$(if [[ \$? -eq 0 ]]; then \
    # Show exit status in green if zero
    echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
  else \
    # Show exit status in red otherwise
    echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
  fi)\
-|~\$ "
+\$(if [[ \$(id -u) -eq 0 ]]; then echo -e \" \[\033[1;91m\]#\[\033[0m\] \"; else echo -e \" \[\033[1;92m\]\\\$\[\033[0m\] \"; fi)"
 ### Overwrite Protection
 set -o noclobber
@@ -83,11 +57,23 @@ alias cp="cp -iv"
 alias mv='mv -iv'
 alias rm='rm -iv'
-# Welcome message after login
+### Welcome message after login
 printf "\n"
 printf "\e[91m🔐 Coresecret Channel Established. \e[0m\n"
-printf "\e[92m✅ Welcome back\e[0m"; printf "\e[95m '%s' \e[0m" "${USER}"; printf "\e[92m! Type\e[0m"; printf "\e[95m 'celp'\e[0m"; printf "\e[92m for shortcuts. \e[0m\n"
+printf "\e[92m✅ Welcome back\e[0m"
 printf "\e[95m '%s' \e[0m" "${USER}"; printf "\e[92m! Type\e[0m"; printf "\e[95m 'celp'\e[0m"; printf "\e[92m for shortcuts. \e[0m\n"
 printf "\n"
 printf "\n"
 ### Welcome message after login.
 #printf "\n"
 #printf "%s🔐 Coresecret Channel Established. %s%s" "${CRED}" "${CRES}" "${NL}"
 #printf "%s✅ Welcome back %s " "${CGRE}" "${CRES}"
 #printf "%s'%s'%s" "${CMAG}" "${USER}" "${CRES}"
 #printf "%s! Type%s " "${CGRE}" "${CRES}"
 #printf "%s'celp'%s " "${CMAG}" "${CRES}"
 #printf "%sfor shortcuts. %s%s" "${CGRE}" "${CRES}" "${NL}"
 #printf "\n"
 #printf "\n"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/alias
+++ b/config/includes.chroot/root/.ciss/alias
@@ -11,16 +11,6 @@
 # SPDX-Security-Contact: security@coresecret.eu
 ########################################################################################### Alpha
 #######################################
 # Outputs a 16-character random printable string
 # Arguments:
 #  None
 #######################################
 genstring() {
  (haveged -n 1000 -f - 2>/dev/null | tr -cd '[:graph:]' | fold -w 16 && echo ) | head
 }
 # Generates 1,048,576 random bytes into a timestamped file
 alias genkeyfile='haveged -n 1048576 >| /tmp/secure_keyfile_$(date +%s)'
 ########################################################################################### Bash
@@ -60,6 +50,7 @@ alias aptupd='apt update'
 alias aptupg='apt upgrade'
 alias apti='apt install'
 alias aptp='apt purge'
 alias aptpp='dpkg --purge'
 alias aptr='apt remove'
 alias aptse='apt search'
 alias aptsh='apt show'
@@ -104,11 +95,11 @@ alias whatpurge='dpkg --get-selections | grep deinstall'
 ########################################################################################### Functions
-###########################################################################################
+#######################################
 # Generates Secure (/dev/random) Passwords
 # Arguments:
-#  Length of Password, e.g., 32, and --base64 in case of encoding in BASE64.
+#    Length of Password, e.g., 32, and --base64 in case of encoding in BASE64.
-###########################################################################################
+#######################################
 # shellcheck disable=SC2317
 genpasswd() {
  declare -i length=32
@@ -128,6 +119,7 @@ genpasswd() {
  done
  declare passwd
  # shellcheck disable=SC2312
  passwd=$(tr -dc 'A-Za-z0-9_' < /dev/random | head -c "${length}")
  if [[ ${usebase64} -eq 1 ]]; then
@@ -137,23 +129,38 @@ genpasswd() {
  fi
 }
-###########################################################################################
+#######################################
-# Generates Secure (/dev/random) Passwords
+# Generates Secure (/dev/random) Passwords.
 # Arguments:
-#  none
+#   none
-###########################################################################################
+#######################################
 # shellcheck disable=SC2317
 genpasswdhash() {
  declare salt
  # shellcheck disable=SC2312
  salt=$(tr -dc 'A-Za-z0-9' < /dev/random | head -c 16)
  mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608
 }
 #######################################
-# Wrapper for secure curl
+# Outputs a 16-character random printable string
 # Arguments:
-#  $1: URL from which to download a specific file
+#   None
-#  $2: /path/to/file to be saved to
+#######################################
 genstring() {
  # shellcheck disable=SC2312
  (haveged -n 1000 -f - 2>/dev/null | tr -cd '[:graph:]' | fold -w 16 && echo ) | head
 }
 #######################################
 # Wrapper for secure curl
 # Globals:
 #   CRED
 #   CRES
 #   NL
 # Arguments:
 #   1: URL from which to download a specific file
 #   2: /path/to/file to be saved to
 # Returns:
 #   0: Download successful
 #   1: Usage error
@@ -161,7 +168,7 @@ genpasswdhash() {
 #######################################
 scurl() {
  if [[ $# -ne 2 ]]; then
-    printf "\e[91m❌ Error: Usage: scurl <URL> <path/to/file>.\e[0m\n" >&2
+    printf "%s❌ Error: Usage: scurl <URL> <path/to/file>. %s%s" "${CRED}" "${CRES}" "${NL}" >&2
    return 1
  fi
  declare url="$1"
@@ -173,7 +180,7 @@ scurl() {
            -o "${output_path}" \
            "${url}"
  then
-    printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "${url}" >&2
+    printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
    return 2
  fi
  return 0
@@ -181,9 +188,13 @@ scurl() {
 #######################################
 # Wrapper for secure wget
 # Globals:
 #   CRED
 #   CRES
 #   NL
 # Arguments:
-#  $1: URL from which to download a specific file
+#   1: URL from which to download a specific file
-#  $2: /path/to/file to be saved to
+#   2: /path/to/file to be saved to
 # Returns:
 #   0: Download successful
 #   1: Usage error
@@ -191,7 +202,7 @@ scurl() {
 #######################################
 swget() {
  if [[ $# -ne 2 ]]; then
-    printf "\e[91m❌ Error: Usage: swget <URL> <path/to/file>.\e[0m\n" >&2
+    printf "%s❌ Error: Usage: swget <URL> <path/to/file>. %s%s" "${CRED}" "${CRES}" "${NL}" >&2
    return 1
  fi
  declare url="$1"
@@ -204,30 +215,57 @@ swget() {
            -qO "${output_path}" \
            "${url}"
  then
-    printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "$url" >&2
+    printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
    return 2
  fi
  return 0
 }
 #######################################
-# Wrapper for loading CISS.2025 hardened Kernel Parameters
+# Wrapper for loading CISS.2025 hardened Kernel Parameters.
 # Arguments:
-#  None
+#   None
 #######################################
 sysp() {
  sysctl -p /etc/sysctl.d/99_local.hardened
  # sleep 1
-  sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
+  # shellcheck disable=SC2312
  sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
 }
 #######################################
 # Wrapper for tree
 # Arguments:
-#  $1: Depth of Directory Listing
+#   1: Depth of Directory Listing
 #######################################
 trel() {
  declare depth=${1:-3}
  tree -C -h --dirsfirst -L "${depth}"
 }
 #######################################
 # Wrapper for package and path to bin.
 # Arguments:
 #   1: Program
 #######################################
 whichpackage() {
  if ! command -v "$1" >/dev/null 2>&1; then
    printf '%s❌ Error: Program '%s' not found. %s%s' "${CRED}" "$1" "${CRES}" "${NL}" >&2
    exit 1
  fi
  # shellcheck disable=SC2230,SC2312
  dpkg -S "$(which "$1")"
 }
 #######################################
 # Wrapper for Diskspace used in Path.
 # Arguments:
 #   1: Path (defaults /var)
 #   2: Depth (defaults 1)
 #   3: Number of Entries (defaults 16)
 #######################################
 whichused() {
  # shellcheck disable=SC2312
  du -h --max-depth="${2:-1}" "${1:-/var}" | sort -hr | head -n "${3:-16}"
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/clean_logout.sh
+++ b/config/includes.chroot/root/.ciss/clean_logout.sh
@@ -36,4 +36,6 @@ echo -e "\e[92m          All done" "\e[95m'${USER}'" "\e[92m! \e[0m"
 echo -e "\e[92m          Close shell with 'ENTER' to exit" "\e[95m'${HOSTNAME}'" "\e[92m! \e[0m"
 # shellcheck disable=SC2162
 read
 [[ -x /usr/bin/clear_console ]] && /usr/bin/clear_console -q
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/f2bchk.sh
+++ b/config/includes.chroot/root/.ciss/f2bchk.sh
@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 #######################################
 # Wrapper for fail2ban filter checks against logs.
 # Usage: f2bchk --mode=ignored || --mode=matched  || --mode=missed \
@@ -17,16 +19,18 @@
 #               --log=/var/log/ufw.log \
 #               --output=/tmp/f2bchk.log
 # Globals:
-#   DEFAULT_FILTER
+#   CGRE
-#   DEFAULT_LOG
+#   CRED
-#   DEFAULT_MODE
+#   CRES
 #   NL
 # Arguments:
-#  None
+#   None
 # Returns:
-#   1 In case of any errors
+#   0: on success
 #   1: In case of any errors
 #######################################
 f2bchk(){
-  # Declare default values (readonly)
+  ### Declare default values (readonly)
  declare -r DEFAULT_MODE="matched"
  declare -r DEFAULT_FILTER="/etc/fail2ban/filter.d/ufw.aggressive.conf"
  declare -r DEFAULT_LOG="/var/log/ufw.log"
@@ -44,7 +48,7 @@ f2bchk(){
      --log=*)    log="${arg#--log=}";;
      --output=*) output="${arg#--output=}";;
      *)
-        printf "\e[31m[ERROR]\e[0m Unknown argument: %s\n" "${arg}"
+        printf "%s[ERROR]%s Unknown argument: '%s' %s" "${CRED}" "${CRES}" "${arg}" "${CRED}"
        return 1
        ;;
    esac
@@ -56,7 +60,7 @@ f2bchk(){
    matched) flag="--print-all-matched"; suffix="all.matched";;
    missed)  flag="--print-all-missed";  suffix="all.missed";;
    *)
-      printf "\e[31m[ERROR]\e[0m Invalid mode: %s\n" "${mode}"
+      printf "%s[ERROR]%s Invalid mode: '%s' %s" "${CRED}" "${CRES}" "${mode}" "${NL}"
      return 1
      ;;
  esac
@@ -66,22 +70,30 @@ f2bchk(){
    filter_name="${filter_name%.conf}"
    output="/tmp/${filter_name}.${suffix}.log"
  fi
  if [[ ! -r "${log}" ]]; then
-    printf "\e[31m[ERROR]\e[0m Log file '%s' not found or not readable.\n" "${log}"
+    printf "%s[ERROR]%s Log file '%s' not found or not readable. %s" "${CRED}" "${CRES}" "${log}" "${NL}"
    return 1
  fi
  if [[ ! -r "${filter}" ]]; then
    printf "\e[31m[ERROR]\e[0m Filter file '%s' not found or not readable.\n" "${filter}"
    return 1
  fi
-  printf "\e[33m[INFO]\e[0m Running: fail2ban-regex %s %s %s\n" "${log}" "${filter}" "${flag}"
+  if [[ ! -r "${filter}" ]]; then
-  if fail2ban-regex "${log}" "${filter}" "${flag}" >| "${output}"; then
+    printf "%s[ERROR]%s Filter file '%s' not found or not readable. %s" "${CRED}" "${CRES}" "${filter}" "${NL}"
    printf "\e[32m[SUCCESS]\e[0m Saved log to %s\n" "$output"
    printf "You can view it with: cat %s\n" "$output"
  else
    printf "\e[31m[ERROR]\e[0m fail2ban-regex execution failed.\n"
    return 1
  fi
  printf "%s[INFO]%s Running: fail2ban-regex '%s %s %s' %s" "${CGRE}" "${CRES}" "${log}" "${filter}" "${flag}" "${NL}"
  if fail2ban-regex "${log}" "${filter}" "${flag}" >| "${output}"; then
    printf "%s[SUCCESS]%s Saved log to: '%s' %s" "${CGRE}" "${CRES}" "${output}" "${NL}"
    printf "You can view it with: cat %s%s" "${output}" "${NL}"
  else
    printf "%s[ERROR]%s fail2ban-regex execution failed. %s" "${CRED}" "${CRES}" "${NL}"
    return 1
  fi
  exit 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/scan_libwrap
+++ b/config/includes.chroot/root/.ciss/scan_libwrap
@@ -12,30 +12,38 @@
 #######################################
 # Scanner for 'libwrap' usage.
 # Globals:
 #   CGRE
 #   CRES
 #   NL
 # Arguments:
-#  None
+#   None
 #######################################
 scanlw() {
-  printf "\e[92m🔍 Scanning all running processes for 'libwrap' usage ... \e[0m\n"
+  printf "%s🔍 Scanning all running processes for 'libwrap' usage ... %s%s" "${CGRE}" "${CRES}" "${NL}"
  printf "\n"
-  # Collect binaries from all running PIDs
+  ### Collect binaries from all running PIDs.
  declare pid exe_path comm user
  for pid in $(ps -e -o pid=); do
    exe_path=$(readlink -f "/proc/${pid}/exe" 2>/dev/null)
-    # Skip if not a regular executable
+    ### Skip if not a regular executable.
    [[ -x "${exe_path}" ]] || continue
-    # Check if the binary is linked with libwrap
+    ### Check if the binary is linked with libwrap.
-    if ldd "$exe_path" 2>/dev/null | grep -q "libwrap"; then
+    # shellcheck disable=SC2312
-      comm=$(ps -p "$pid" -o comm=)
+    if ldd "${exe_path}" 2>/dev/null | grep -q "libwrap"; then
-      user=$(ps -p "$pid" -o user=)
+      comm=$(ps -p "${pid}" -o comm=)
-      printf "\e[92m✅ PID: %s (%s) [User: %s] is linked with 'libwrap.so'. \e[0m\n" "${pid}" "${comm}" "${user}"
+      user=$(ps -p "${pid}" -o user=)
      printf "%s✅ PID: %s (%s) [User: %s] is linked with 'libwrap.so'. %s%s" "${CGRE}" "${pid}" "${comm}" "${user}" "${CRES}" "${NL}"
    fi
  done
  printf "\n"
-  printf "\e[92m✅ Scan complete. \e[0m\n"
+  printf "%s✅ Scan complete. %s%s" "${CGRE}" "${CRES}" "${NL}"
  exit 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/shortcuts
+++ b/config/includes.chroot/root/.ciss/shortcuts
@@ -21,6 +21,7 @@ declare -ga shortcuts=(
  "apti: apt install"
  "aptimage: get Kernel Img"
  "aptp: apt purge"
  "aptpp: dpkg --purge"
  "aptr: apt remove"
  "aptse: apt search"
  "aptsh: apt show"
@@ -83,6 +84,8 @@ declare -ga shortcuts=(
  "whatdelete: lsof | grep deleted"
  "whatimage: dpkg --list | grep linux"
  "whatpurge: dpkg --get-selections"
  "whichpackage <PROGRAM>"
  "whichused <PATH> <DEPTH> <ENTRIES>"
 )
 #######################################
@@ -101,7 +104,7 @@ celp() {
  declare i=0
  declare entry
  for entry in "${arr[@]}"; do
-    # Print entry left-aligned in fixed width, colored
+    ### Print entry left-aligned in fixed width, colored.
    printf "${CMAG}%-${col_width}s${CRES}" "${entry}"
    ((i++))
    if ((i % cols == 0)); then
--- a/config/package-lists/live.list.common.chroot
+++ b/config/package-lists/live.list.common.chroot
@@ -15,17 +15,21 @@ apt-file
 apt-mirror
 apt-show-versions
 apt-transport-https
 autoconf
 automake
 bash-completion
 bat
 bc
 bind9-dnsutils
 bsdmainutils
 btrfs-progs
 build-essential
 bzip2
 ca-certificates
 clamav
 clamav-daemon
 console-setup
 cpuid
 cryptsetup
 cryptsetup-nuke-password
 curl
@@ -49,6 +53,7 @@ expect
 fail2ban
 fdisk
 figlet
 fio
 fzf
 gawk
 gdisk
@@ -67,6 +72,9 @@ knot-dnsutils
 libpam-google-authenticator
 libpam-pwquality
 libpwquality-tools
 libtomcrypt-dev
 libtommath-dev
 libtool
 linux-doc-6.12
 linux-source
 live-boot
@@ -76,7 +84,6 @@ locate
 logrotate
 lsb-release
 lvm2
 makedev
 makepasswd
 man
 man-db
@@ -84,9 +91,10 @@ manpages
 manpages-dev
 mdadm
 mtr
 musl-tools
 nano
 ncat
-neofetch
+ncdu
 neovim
 net-tools
 netselect-apt
@@ -105,12 +113,12 @@ rsync
 rsyslog
 screen
 shellcheck
 software-properties-common
 spectre-meltdown-checker
 speedtest-cli
 squashfs-tools
 ssh
 ssl-cert
 stress
 sudo
 sysstat
 systemd-sysv
@@ -133,4 +141,4 @@ xz-utils
 yq
 zip
 zsh
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>
 # 2. DNSSEC Status
--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>
 # 2. Haveged Audit on Netcup RS 2000 G11
--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>
 # 2. Lynis Audit:
--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>
 # 2. SSH Audit by ssh-audit.com
--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>
 # 2. TLS Audit:
--- a/docs/BOOTPARAMS.md
+++ b/docs/BOOTPARAMS.md
@@ -0,0 +1,56 @@
 ---
 gitea: none
 include_toc: true
 ---
 # 1. CISS.debian.live.builder
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
 **Build**: V8.04.002.2025.08.11<br>
 # 2. Hardened Kernel Boot Parameters
 Below is a curated set of kernel boot parameters optimized for CISS Debian Installer. These parameters enhance security posture,
 restrict legacy interfaces, enforce memory initialization, and disable speculative side channels. Each parameter is documented 
 with a short rationale.
 * ``audit=1``: Enable kernel auditing subsystem.
 * ``audit_backlog_limit=8192``: Set audit event buffer depth.
 * ``cfi=kcfi``: Enable Clang's Control Flow Integrity (if supported by kernel).
 * ``debugfs=off``: Disable debugfs mount, prevents access to kernel internals.
 * ``efi=disable_early_pci_dma``: Prevent early PCI DMA via EFI.
 * ``hardened_usercopy=1``: Harden copy_*_user() functions, mitigate heap/memcpy bugs.
 * ``ia32_emulation=0``: Disable 32-bit x86 binary support on 64-bit kernel.
 * ``init_on_alloc=1``: Zero-initialize heap memory on allocation.
 * ``init_on_free=1``: Zero memory on free to prevent reuse data leaks.
 * ``iommu=force``: Enforce use of IOMMU.
 * ``iommu.strict=1``: Enable strict IOMMU mode (always remap).
 * ``iommu.passthrough=0``: Prevent IOMMU passthrough (forces remapping).
 * ``kfence.sample_interval=100``: Enable low-overhead heap-fence sampling.
 * ``kvm.nx_huge_pages=force``: Enforce NX-bit for KVM hugepages to prevent code execution.
 * ``l1d_flush=on``: Flush L1D cache on VM-entry to mitigate cache side-channels.
 * ``lockdown=confidentiality``: Enable kernel lockdown in confidentiality mode.
 * ``loglevel=0``: Silence all kernel messages (only EMERG shown).
 * ``mitigations=auto,nosmt``: Enable all available speculative mitigations, disable SMT.
 * ``mmio_stale_data=full,force,nosmt``: Mitigate MMIO stale data side channel fully.
 * ``nosmt=force``: Force disable Simultaneous Multithreading (SMT/HT).
 * ``oops=panic``: Trigger kernel panic on oops, ensures halt on fault.
 * ``page_alloc.shuffle=1``: Randomize page allocator freelist order.
 * ``page_poison=1``: Fill freed pages with poison patterns to detect UAF.
 * ``panic=-1``: Prevent automatic reboot after panic.
 * ``pti=on``: Enable Page Table Isolation (Meltdown mitigation).
 * ``random.trust_bootloader=off``: Do not trust RNG state from bootloader.
 * ``random.trust_cpu=off``: Do not trust CPU's RDRAND or RDSEED.
 * ``randomize_kstack_offset=on``: Enable randomized kernel stack offset per syscall.
 * ``randomize_va_space=2``: Enable full ASLR for mmap and heap.
 * ``retbleed=auto,nosmt``: Mitigate Retbleed exploit path via branch prediction.
 * ``rodata=on``: Enforce read-only sections for .rodata.
 * ``slab_nomerge``: Disable merging of similar slab caches.
 * ``vdso32=0``: Disable 32-bit vdso mapping (x86 compatibility).
 * ``vsyscall=none``: Disable vsyscall legacy mapping.
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
 <!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -8,10 +8,58 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>
 # 2. Changelog
 ## V8.04.002.2025.08.11
 * Updated: Experimental support for Debian Trixie
 ## V8.03.920.2025.08.07
 * Updated: [lib_arg_parser.sh](../lib/lib_arg_parser.sh)
 * Updated: [ciss_live_builder.sh](../ciss_live_builder.sh)
 * Updated: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
 ## V8.03.912.2025.07.23
 * Updated: [alias](../config/includes.chroot/root/.ciss/alias)
 * Updated: [clean_logout.sh](../config/includes.chroot/root/.ciss/clean_logout.sh)
 * Updated: [f2bchk.sh](../config/includes.chroot/root/.ciss/f2bchk.sh)
 * Updated: [scan_libwrap](../config/includes.chroot/root/.ciss/scan_libwrap)
 * Updated: [shortcuts](../config/includes.chroot/root/.ciss/shortcuts)
 * Updated: [.bashrc](../config/includes.chroot/root/.bashrc)
 ## V8.03.896.2025.07.22
 * Added: [.shellcheckrc](../.shellcheckrc)
 * Bugfixes: [ciss_live_builder.sh](../ciss_live_builder.sh)
 * Updated: [0810_chrony_setup.chroot](../config/hooks/live/0810_chrony_setup.chroot)
 ## V8.03.880.2025.07.19
 * Updated: [alias](../config/includes.chroot/root/.ciss/alias)
 * Updated: [shortcuts](../config/includes.chroot/root/.ciss/shortcuts)
 * Added: Package ``ncdu``: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
 * Added: ``TrustedUserCAKeys none``: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config)
 ## V8.03.864.2025.07.15
 * Updated: [0010_dhcp_supersede.sh](../scripts/0010_dhcp_supersede.sh)
 * Added: [BOOTPARAMS.md](BOOTPARAMS.md)
 * Added: Package ``cpuid``: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
 ## V8.03.832.2025.06.25
 * Added: [lib_version.sh](../lib/lib_version.sh)
 * Updated:
  * [lib_contact.sh](../lib/lib_contact.sh)
  * [lib_usage.sh](../lib/lib_usage.sh)
 * Packages added:
  * https://packages.debian.org/bookworm/fio
  * https://packages.debian.org/bookworm/stress 
 * Timezone changed to ``Etc/UTC``
 ## V8.03.832.2025.06.24
 * Updated:
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>
 # 2. Centurion Net - Developer Branch Overview
--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>
 # 2. Coding Style
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>
 # 2. Contributing / participating
--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>
 # 2. Credits
--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,12 +8,12 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>
 # 2.1. Usage
 ````text
 CISS.debian.live.builder
-Master V8.03.832.2025.06.24
+Master V8.04.002.2025.08.11
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 (c) Marc S. Weidner, 2018 - 2025
@@ -120,6 +120,9 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
    Imports the SSH Public Key(s) from the FILE 'authorized_keys' of the
    specified PATH into the Live ISO. MUST be provided.
  --trixie
    Create a Debian Trixie Live ISO. Experimental Feature.
  --version, -v
    Displays version of ./ciss_live_builder.sh.
@@ -133,7 +136,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
 # 2.2. Contact
 ````text
 CISS.debian.live.builder
-Master V8.03.832.2025.06.24
+Master V8.04.002.2025.08.11
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 (c) Marc S. Weidner, 2018 - 2025
--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.03<br>
-**Build**: V8.03.832.2025.06.24<br>
+**Build**: V8.04.002.2025.08.11<br>
 # 2. Resources
--- a/docs/SECURITY/coresecret.dev.png
+++ b/docs/SECURITY/coresecret.dev.png
--- a/lib/lib_arg_parser.sh
+++ b/lib/lib_arg_parser.sh
@@ -64,8 +64,8 @@ arg_parser() {
          ;;
        -c | --contact)
-          if [[ -n "${2}" && "${2}" != -* ]]; then
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --contact MUST NOT be followed by an argument.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
@@ -74,8 +74,8 @@ arg_parser() {
          ;;
        -h | --help)
-          if [[ -n "${2}" && "${2}" != -* ]]; then
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --help MUST NOT be followed by an argument.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
@@ -84,8 +84,8 @@ arg_parser() {
          ;;
        -v | --version)
-          if [[ -n "${2}" && "${2}" != -* ]]; then
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --version MUST NOT be followed by an argument.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
@@ -98,7 +98,7 @@ arg_parser() {
            declare -gx VAR_ARCHITECTURE="${2}"
            shift 2
          else
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --architecture MUST be 'amd64' or 'arm64'.\e[0m\n" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -109,7 +109,7 @@ arg_parser() {
        --build-directory)
          declare -gx VAR_HANDLER_BUILD_DIR="${2}"
          if [[ ! "${VAR_HANDLER_BUILD_DIR}" =~ ^/ ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --build-directory MUST be an absolute path. Got: '%s'\n" "${VAR_HANDLER_BUILD_DIR}" >&2
            exit "${ERR_NOTABSPATH}"
          fi
@@ -118,8 +118,8 @@ arg_parser() {
          ;;
        --cdi)
-          if [[ -n "${2}" && "${2}" != -* ]]; then
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --cdi MUST NOT be followed by an argument.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
@@ -133,7 +133,7 @@ arg_parser() {
            declare -g VAR_HANDLER_SPLASH="${2}"
            shift 2
          else
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --change-splash MUST be 'club' or 'hexagon'.\e[0m\n" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -142,11 +142,11 @@ arg_parser() {
          ;;
        --control)
-          if [[ -n "${2}" ]]; then
+          if [[ -n "${2-}" ]]; then
            declare -g VAR_HANDLER_ISO_COUNTER="${2}"
            shift 2
          else
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --control MUST be provided with a Parameter.\e[0m\n" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -155,8 +155,8 @@ arg_parser() {
          ;;
        --debug)
-          if [[ -n "${2}" && "${2}" != -* ]]; then
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --debug MUST NOT be followed by an argument.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
@@ -165,8 +165,8 @@ arg_parser() {
          ;;
        --dhcp-centurion)
-          if [[ -n "${2}" && "${2}" != -* ]]; then
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --dhcp-centurion MUST NOT be followed by an argument.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
@@ -176,7 +176,7 @@ arg_parser() {
          ;;
        --jump-host)
-          if [[ -n "${2}" && "${2}" != -* ]]; then
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
            declare -i count=0
            shift
            while [[ "${#}" -gt 0 && "${1}" != -* && count -lt 10 ]]; do
@@ -188,7 +188,7 @@ arg_parser() {
              shift
            done
          else
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --jump-host MUST contain one or up to ten IPs.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
@@ -196,8 +196,8 @@ arg_parser() {
          ;;
        --log-statistics-only)
-          if [[ -n "${2}" && "${2}" != -* ]]; then
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --log-statistics-only MUST NOT be followed by an argument.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
@@ -207,7 +207,7 @@ arg_parser() {
          ;;
        --provider-netcup-ipv6)
-          if [[ -n "${2}" && "${2}" != -* ]]; then
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
            declare -i count=0
            declare -g VAR_HANDLER_NETCUP_IPV6=true
            shift
@@ -221,7 +221,7 @@ arg_parser() {
              shift
            done
          else
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --provider-netcup-ipv6 MUST provide one IPv6.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_ARG_MSMTCH}"
@@ -229,11 +229,11 @@ arg_parser() {
          ;;
        --renice-priority)
-          if [[ -n ${2} && ${2} =~ ^-?[0-9]+$ && ${2} -ge -19 && ${2} -le 19 ]]; then
+          if [[ -n ${2-} && ${2} =~ ^-?[0-9]+$ && ${2} -ge -19 && ${2} -le 19 ]]; then
-            declare -gi VAR_HANDLER_PRIORITY="$2"
+            VAR_HANDLER_PRIORITY="$2"
            shift 2
          else
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --renice-priority MUST an integer between '-19' and '19'.\e[0m\n" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -242,28 +242,28 @@ arg_parser() {
          ;;
        --reionice-priority)
-          if [[ -z "${2}" ]]; then
+          if [[ -z "${2-}" ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --reionice-priority no values provided.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_REIONICE_P}"
          else
            if [[ "${2}" =~ ^[1-3]$ ]]; then
-              declare -gi VAR_REIONICE_CLASS="${2}"
+              VAR_REIONICE_CLASS="${2}"
-              if [[ -z "${3}" ]]; then
+              if [[ -z "${3-}" ]]; then
                :
              else
                if [[ "${3}" =~ ^[0-7]$ ]]; then
-                  declare -gi VAR_REIONICE_PRIORITY="${3}"
+                  VAR_REIONICE_PRIORITY="${3}"
                else
-                  if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+                  if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
                  printf "\e[91m❌ Error: --reionice-priority PRIORITY MUST be an integer between '0' and '7'.\e[0m\n" >&2
                  read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
                  exit "${ERR_REIO_P_VAL}"
                fi
              fi
            else
-              if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+              if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
              printf "\e[91m❌ Error: --reionice-priority CLASS MUST be an integer between '1' and '3'.\e[0m\n" >&2
              read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
              exit "${ERR_REIO_C_VAL}"
@@ -279,7 +279,7 @@ arg_parser() {
        --root-password-file)
          declare pw_file="${2}"
          if [[ -z "${pw_file}" ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --root-password-file missing password file path argument.\e[0m\n" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -287,7 +287,7 @@ arg_parser() {
          fi
          if [[ ! -f "${pw_file}" ]]; then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --root-password-file password file '%s' does not exist.\e[0m\n" "${pw_file}" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -298,7 +298,7 @@ arg_parser() {
          owner=$(stat -c '%U:%G' "${pw_file}")
          if [[ "${owner}" != "root:root" ]]; then
            chown root:root "${pw_file}" || {
-              if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+              if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
              printf "\e[91m❌ Error: --root-password-file failed to set owner root:root on '%s'.\e[0m\n" "${pw_file}" >&2
              # shellcheck disable=SC2162
              read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -310,7 +310,7 @@ arg_parser() {
          perms=$(stat -c '%a' "${pw_file}")
          if [[ "${perms}" -ne 400 ]]; then
            chmod 400 "${pw_file}" || {
-              if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+              if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
              printf "\e[91m❌ Error: --root-password-file failed to set permissions 0400 on '%s'.\e[0m\n" "${pw_file}" >&2
              # shellcheck disable=SC2162
              read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -328,7 +328,7 @@ arg_parser() {
          declare pw_length
          pw_length=${#plaintext_pw}
          if (( pw_length < 20 || pw_length > 64 )); then
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --root-password-file password MUST be between 20 and 64 characters (got %d).\e[0m\n" "${pw_length}" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -338,7 +338,7 @@ arg_parser() {
          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
          if [[ "${plaintext_pw}" == *\"* ]]; then
            [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --root-password-file password MUST NOT contain double quotes (\").\e[0m\n" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
@@ -374,11 +374,11 @@ arg_parser() {
          ;;
        --ssh-port)
-          if [[ -n "${2}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then
+          if [[ -n "${2-}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then
            declare -gi VAR_SSHPORT="${2}"
            shift 2
          else
-            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
            printf "\e[91m❌ Error: --ssh-port MUST be an integer between '1' and '65535'.\e[0m\n" >&2
            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR__SSH__PORT}"
@@ -390,8 +390,13 @@ arg_parser() {
          shift 2
          ;;
        --trixie)
          declare -g VAR_SUITE="trixie"
          shift 1
          ;;
        *)
-          if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+          if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
          usage
          ;;
    esac
--- a/lib/lib_contact.sh
+++ b/lib/lib_contact.sh
@@ -20,21 +20,22 @@
 contact() {
  clear
  cat << EOF
-$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
+$(echo -e "\e[97m################################################################################ \e[0m")
-$(echo -e "\e[92mMaster V8.03.832.2025.06.24\e[0m")
+$(echo -e "\e[92m  CISS.debian.live.builder from https://git.coresecret.dev/msw                   \e[0m")
-$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.\e[0m")
+$(echo -e "\e[92m  A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.     \e[0m")
-$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
+$(echo -e "\e[97m  (c) Marc S. Weidner, 2018 - 2025 \e[0m")
-$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
+$(echo -e "\e[97m  (p) Centurion Press, 2024 - 2025 \e[0m")
-$(echo -e "\e[95m💬 Contact:\e[0m")
+$(echo -e "\e[95m  💬 Contact:               \e[0m")
-$(echo -e "\e[95m🌐 https://coresecret.eu/ \e[0m")
+$(echo -e "\e[95m  🌐 https://coresecret.eu/ \e[0m")
-$(echo -e "\e[95m📧 security@coresecret.eu \e[0m")
+$(echo -e "\e[95m  📧 security@coresecret.eu \e[0m")
-$(echo -e "\e[95m🔑 PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD \e[0m")
+$(echo -e "\e[95m  🔑 PGP Key 2D98 07F4 1030 1776 597E BDC9 9F54 8853 35A3 C9AD \e[0m")
-$(echo -e "\e[95m🔗 https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD \e[0m")
+$(echo -e "\e[95m  🔗 https://keys.openpgp.org/vks/v1/by-fingerprint/2D9807F410301776597EBDC99F54885335A3C9AD \e[0m")
-$(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m")
+$(echo -e "\e[95m  💷 Please consider donating to my work at: \e[0m")
-$(echo -e "\e[95m🌐 https://coresecret.eu/spenden/         \e[0m")
+$(echo -e "\e[95m  🌐 https://coresecret.eu/spenden/          \e[0m")
 $(echo -e "\e[97m################################################################################ \e[0m")
 EOF
 }
--- a/lib/lib_guard_sourcing.sh
+++ b/lib/lib_guard_sourcing.sh
@@ -23,7 +23,7 @@
 guard_sourcing() {
  ### Determine the caller script (the library being sourced).
  declare var_src="${1:-${BASH_SOURCE[1]}}"
-  ### Strip path, keep only filename
+  ### Strip path, keep only the filename
  declare var_file_name="${var_src##*/}"
  ### Sanitize to valid var name.
  declare var_safe_name="${var_file_name//[^a-zA-Z0-9_]/_}"
--- a/lib/lib_lb_config_write.sh
+++ b/lib/lib_lb_config_write.sh
@@ -15,20 +15,12 @@ guard_sourcing
 #######################################
 # Wrapper to write a new 'lb config' environment.
 # Globals:
 #   VAR_HANDLER_ISO_COUNTER
 #   VAR_ARCHITECTURE
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_HANDLER_ISO_COUNTER
 #   VAR_KERNEL
 #   VAR_WORKDIR
 #   VAR_VERSION
-# Arguments:
+#   VAR_WORKDIR
 #  None
 #######################################
 #######################################
 # description
 # Globals:
 # Arguments:
 #  None
 #######################################
@@ -46,8 +38,8 @@ lb_config_write() {
    --backports true \
    --binary-filesystem fat32 \
    --binary-image iso-hybrid \
-    --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Europe/Lisbon splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
+    --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
-    --bootappend-live "boot=live verify-checksums components nocomponents=cdi-starter locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Europe/Lisbon toram audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
+    --bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 nocomponents=cdi-starter noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force,nosmt nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
    --bootloaders grub-efi \
    --cache true \
    --checksums sha512 sha256 md5 \
--- a/lib/lib_lb_config_write_trixie.sh
+++ b/lib/lib_lb_config_write_trixie.sh
@@ -0,0 +1,115 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Wrapper to write a new 'lb config' environment.
 # Globals:
 #   VAR_ARCHITECTURE
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_HANDLER_ISO_COUNTER
 #   VAR_KERNEL
 #   VAR_VERSION
 #   VAR_WORKDIR
 # Arguments:
 #  None
 #######################################
 lb_config_write_trixie() {
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Writing new config ... \e[0m\n"
  lb config \
    --apt apt \
    --apt-indices true \
    --apt-recommends true \
    --apt-secure true \
    --apt-source-archives true \
    --architecture "${VAR_ARCHITECTURE}" \
    --archive-areas main contrib non-free non-free-firmware \
    --backports true \
    --binary-filesystem fat32 \
    --binary-image iso-hybrid \
    --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
    --bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 nocomponents=cdi-starter noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force,nosmt nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
    --bootloaders grub-efi \
    --cache true \
    --checksums sha512 sha256 md5 \
    --chroot-filesystem squashfs \
    --chroot-squashfs-compression-level 22 \
    --chroot-squashfs-compression-type zstd \
    --color \
    --compression bzip2 \
    --debconf-frontend noninteractive \
    --debconf-priority critical \
    --debian-installer cdrom \
    --debian-installer-distribution trixie \
    --debian-installer-gui true \
    --debian-installer-preseedfile "preseed.cfg" \
    --debug \
    --distribution trixie \
    --distribution-binary trixie \
    --distribution-chroot trixie \
    --firmware-binary true \
    --firmware-chroot true \
    --hdd-label "CENTURIONLIVE" \
    --image-name "ciss-debian-live-${VAR_HANDLER_ISO_COUNTER}" \
    --initramfs "live-boot" \
    --initramfs-compression gzip \
    --initsystem systemd \
    --iso-application "CISS.debian.live.builder: ${VAR_VERSION} - Debian-Live-Build: 20250505 - Debian-Installer: trixie" \
    --iso-preparer '(C) 2018-2025, Centurion Intelligence Consulting Agency (TM), Lisboa, Portugal' \
    --iso-publisher '(P) 2018-2025, Centurion Press (TM) - powered by https://coresecret.eu/ - contact@coresecret.eu' \
    --iso-volume 'CISS.debian.live' \
    --linux-flavours "${VAR_KERNEL}" \
    --linux-packages linux-image \
    --loadlin true \
    --memtest memtest86+ \
    --mirror-binary 'https://deb/debian.org/debian/' \
    --mirror-binary-security 'https://security.debian.org/' \
    --mirror-bootstrap 'https://deb.debian.org/debian/' \
    --mirror-chroot 'https://deb.debian.org/debian/' \
    --mirror-chroot-security 'https://security.debian.org/' \
    --mirror-debian-installer 'https://deb.debian.org/debian/' \
    --mode debian \
    --parent-archive-areas main contrib non-free non-free-firmware \
    --parent-debian-installer-distribution trixie \
    --parent-distribution trixie \
    --parent-distribution-binary trixie \
    --parent-distribution-chroot trixie \
    --parent-mirror-binary 'https://deb.debian.org/debian/' \
    --parent-mirror-binary-security 'https://security.debian.org/' \
    --parent-mirror-bootstrap 'https://deb.debian.org/debian/' \
    --parent-mirror-chroot 'https://deb.debian.org/debian/' \
    --parent-mirror-chroot-security 'https://security.debian.org/' \
    --parent-mirror-debian-installer 'https://deb.debian.org/debian/' \
    --security true \
    --system live \
    --source false \
    --source-images tar \
    --uefi-secure-boot auto \
    --updates true \
    --utc-time true \
    --verbose
  sleep 1
  sed -i 's/LB_CHECKSUMS="sha512 md5"/LB_CHECKSUMS="sha512 sha384 sha256"/1' ./config/binary
  sed -i 's/LB_DM_VERITY=""/LB_DM_VERITY="false"/1' ./config/binary
  mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/lib/live/boot
  cp -a "${VAR_WORKDIR}/scripts/live-boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
  chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
  chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Writing new config done.\e[0m\n"
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_source_guard.sh
+++ b/lib/lib_source_guard.sh
@@ -0,0 +1,28 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 #######################################
 # Prevent the file to be sourced twice.
 # Arguments:
 #   1: File to source.
 #######################################
 source_guard() {
  declare var_file="${1}"
  declare var_name="${var_file##*/}"
  declare var_guard="_${var_name//[^a-zA-Z0-9_]/_}_LOADED"
  if ! declare -p "${var_guard}" &>/dev/null; then
    # shellcheck disable=SC1090
    . "${var_file}"
  fi
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_trap_on_err.sh
+++ b/lib/lib_trap_on_err.sh
@@ -15,8 +15,8 @@ guard_sourcing
 #######################################
 # Print Error Message for Trap on 'ERR' in ${ERROR_LOG}
 # Globals:
-#   ARGUMENTS_COUNT
+#   VAR_PARAM_COUNT
-#   ARG_STR_ORG_INPUT
+#   VAR_PARAM_STRING
 #   VAR_ARG_SANITIZED
 #   LOG_DEBUG
 #   ERRCMMD
@@ -45,8 +45,8 @@ print_file_err() {
    printf "❌ Function               : %s \n" "${ERRFUNC}"
    printf "❌ Command                : %s \n" "${ERRCMMD}"
    printf "❌ Script Runtime         : %s \n" "${SECONDS}"
-    printf "❌ Arguments Counter      : %s \n" "${ARGUMENTS_COUNT}"
+    printf "❌ Arguments Counter      : %s \n" "${VAR_PARAM_COUNT}"
-    printf "❌ Arguments Original     : %s \n" "${ARG_STR_ORG_INPUT}"
+    printf "❌ Arguments Original     : %s \n" "${VAR_PARAM_STRING}"
    printf "❌ Arguments Sanitized    : %s \n" "${VAR_ARG_SANITIZED}"
    if "${VAR_EARLY_DEBUG}"; then
      printf "❌ Vars Dump saved at     : %s \n" "${LOG_VAR}"
@@ -60,8 +60,8 @@ print_file_err() {
 #######################################
 # Print Error Message for Trap on 'ERR' on Terminal
 # Globals:
-#   ARGUMENTS_COUNT
+#   VAR_PARAM_COUNT
-#   ARG_STR_ORG_INPUT
+#   VAR_PARAM_STRING
 #   VAR_ARG_SANITIZED
 #   LOG_DEBUG
 #   ERRCMMD
@@ -89,8 +89,8 @@ print_scr_err() {
  printf "\e[91m❌ Function               : %s \e[0m\n" "${ERRFUNC}" >&2
  printf "\e[91m❌ Command                : %s \e[0m\n" "${ERRCMMD}" >&2
  printf "\e[91m❌ Script Runtime         : %s \e[0m\n" "${SECONDS}" >&2
-  printf "\e[91m❌ Arguments Counter      : %s \e[0m\n" "${ARGUMENTS_COUNT}" >&2
+  printf "\e[91m❌ Arguments Counter      : %s \e[0m\n" "${VAR_PARAM_COUNT}" >&2
-  printf "\e[91m❌ Arguments Original     : %s \e[0m\n" "${ARG_STR_ORG_INPUT}" >&2
+  printf "\e[91m❌ Arguments Original     : %s \e[0m\n" "${VAR_PARAM_STRING}" >&2
  printf "\e[91m❌ Arguments Sanitized    : %s \e[0m\n" "${VAR_ARG_SANITIZED}" >&2
  printf "\e[91m❌ Error Log saved at     : %s \e[0m\n" "${LOG_ERROR}" >&2
  printf "\e[91m❌ batcat --pager='less -r' %s \e[0m\n" "${LOG_ERROR}" >&2
--- a/lib/lib_usage.sh
+++ b/lib/lib_usage.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-06-25; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -12,131 +12,155 @@
 #######################################
 # Usage Wrapper CISS.debian.live.builder
 # Globals:
 #   none
 # Arguments:
 #   $0: Script name
 #######################################
 usage() {
-  clear
+  # shellcheck disable=SC2155
-  cat << EOF
+  declare var_cols=$(tput cols 2>/dev/null || echo 80)
 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
 $(echo -e "\e[92mMaster V8.03.832.2025.06.24\e[0m")
 $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.\e[0m")
-$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
+  #######################################
-$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
+  # Header, Footer wrapper for dynamical output.
  # Arguments:
  #   $1: Text.
  #   $2: Width of Terminal.
  #######################################
  center() {
    declare var_text="$1"
    declare var_width="$2"
    declare var_padding=$(( (var_width - ${#var_text}) / 2 ))
    printf "%*s%s%*s\n" "${var_padding}" "" "${var_text}" "${var_padding}" ""
  }
-"${0} <option>", where <option> is one or more of:
+  # shellcheck disable=SC2155
  declare var_header=$(center "CLB(1)                        CISS.debian.live.builder                        CLB(1)" "${var_cols}")
  # shellcheck disable=SC2155
  declare var_footer=$(center "V8.04.002.2025.08.11                        2025-08-11                        CLB(1)" "${var_cols}")
-$(echo -e "\e[97m  --help, -h\e[0m")
+  {
-    What you're looking at.
+    echo -e "\e[1;97m${var_header}\e[0m"
-
+    echo
-$(echo -e "\e[97m  --autobuild=*, -a=*\e[0m")
+    echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel
+    echo -e "\e[92mMaster V8.04.002.2025.08.11\e[0m"
-    selector dialog. Change '*' to your desired Linux kernel and trim the
+    echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
-    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'.
+    echo
-
+    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
-$(echo -e "\e[97m  --architecture <STRING> one of <amd64 | arm64>\e[0m")
+    echo -e "\e[97m(p) Centurion Press, 2024 - 2025 \e[0m"
-    A string reflecting the architecture of the Live System.
+    echo
-    MUST be provided.
+    echo -e "\e[97m${0} <option>, where <option> is one or more of: \e[0m"
-
+    echo
-$(echo -e "\e[97m  --build-directory </path/to/build_directory>\e[0m")
+    echo -e "\e[97m  --help, -h \e[0m"
-    Where the Debian Live Build Image should be generated.
+    echo "    What you're looking at."
-    MUST be provided.
+    echo
-
+    echo -e "\e[97m  --autobuild=*, -a=* \e[0m"
-$(echo -e "\e[97m  --change-splash <STRING> one of <club | hexagon>\e[0m")
+    echo "    Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel"
-    A string reflecting the GRub Boot Screen Splash you want to use.
+    echo "    selector dialog. Change '*' to your desired Linux kernel and trim the"
-    If omitted defaults to "./.archive/background/club.png".
+    echo "    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'."
-
+    echo
-$(echo -e "\e[97m  --cdi (Experimental Feature)\e[0m")
+    echo -e "\e[97m  --architecture <STRING> one of <amd64 | arm64> \e[0m"
-    This option generates a boot menu entry to start the forthcoming
+    echo "    A string reflecting the architecture of the Live System."
-    'CISS.debian.installer', which will be executed after
+    echo "    MUST be provided."
-    the system has successfully booted up.
+    echo
-
+    echo -e "\e[97m  --build-directory </path/to/build_directory> \e[0m"
-$(echo -e "\e[97m  --contact, -c\e[0m")
+    echo "    Where the Debian Live Build Image should be generated."
-    Displays contact information of the author.
+    echo "    MUST be provided."
-
+    echo
-$(echo -e "\e[97m  --control <INTEGER>\e[0m")
+    echo -e "\e[97m  --change-splash <STRING> one of <club | hexagon>\e[0m"
-    An integer that reflects the version of your Live ISO Image.
+    echo "    A string reflecting the Grub Boot Screen Splash you want to use."
-    MUST be provided.
+    echo "    If omitted defaults to './.archive/background/club.png'."
-
+    echo
-$(echo -e "\e[97m  --debug\e[0m")
+    echo -e "\e[97m  --cdi (Experimental Feature)\e[0m"
-    Enables debug logging for the main program routine. Detailed logging
+    echo "    This option generates a boot menu entry to start the forthcoming"
-    information are written to "/tmp/ciss_live_builder_$$.log"
+    echo "    'CISS.debian.installer', which will be executed after"
-
+    echo "    the system has successfully booted up."
-$(echo -e "\e[97m  --dhcp-centurion\e[0m")
+    echo
-    If a DHCP lease is provided, the provider's nameserver will be overridden,
+    echo -e "\e[97m  --contact, -c\ e[0m"
-    and only the hardened, privacy-focused Centurion DNS servers will be used:
+    echo "    Show author contact information."
-      - https://dns01.eddns.eu/
+    echo
-      - https://dns02.eddns.de/
+    echo -e "\e[97m  --control <INTEGER>\e[0m"
-      - https://dns03.eddns.eu/
+    echo "    An integer that reflects the version of your Live ISO Image."
-
+    echo "    MUST be provided."
-$(echo -e "\e[97m  --jump-host <IP | IP | ... >\e[0m")
+    echo
-    Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
+    echo -e "\e[97m  --debug, -d \e[0m"
-    Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
+    echo "    Enables debug logging for the main program routine. Detailed logging"
-    If provided, than it MUST be a <SPACE> separated list.
+    echo "    information are written to '/tmp/ciss_live_builder_$$.log'."
-    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64.
+    echo
-
+    echo -e "\e[97m  --dhcp-centurion \e[0m"
-$(echo -e "\e[97m  --log-statistics-only\e[0m")
+    echo "    If a DHCP lease is provided, the provider's nameserver will be overridden,"
-    Provides statistic only after successful building a
+    echo "    and only the hardened, privacy-focused Centurion DNS servers will be used:"
-    CISS.debian.live-ISO. While enabling "--log-statistics-only"
+    echo "      - https://dns01.eddns.eu/"
-    the argument "--build-directory" MUST be provided while
+    echo "      - https://dns02.eddns.de/"
-    all further options MUST be omitted.
+    echo "      - https://dns03.eddns.eu/"
-
+    echo
-$(echo -e "\e[97m  --provider-netcup-ipv6\e[0m")
+    echo -e "\e[97m  --jump-host <IP | IP | ... > \e[0m"
-    Activates IPv6 support for Netcup Root Server. One unique
+    echo "    Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access."
-    IPv6 address MUST be provided in this case and MUST be encapsulated
+    echo "    Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation."
-    with [], e.g., [1234::abcd].
+    echo "    If provided, than it MUST be a <SPACE> separated list."
-
+    echo "    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64."
-$(echo -e "\e[97m  --renice-priority <PRIORITY>\e[0m")
+    echo
-    Reset the nice priority value of the script and all its children
+    echo -e "\e[97m  --log-statistics-only\e[0m"
-    to the desired <PRIORITY>. MUST be an integer (between "-19" and 19).
+    echo "    Provides statistic only after successful building a"
-    Negative (higher) values MUST be enclosed in double quotes '"'.
+    echo "    CISS.debian.live-ISO. While enabling '--log-statistics-only'"
-
+    echo "    the argument '--build-directory' MUST be provided while"
-$(echo -e "\e[97m  --reionice-priority <CLASS> <PRIORITY>\e[0m")
+    echo "    all further options MUST be omitted."
-    Reset the ionice priority value of the script and all its children
+    echo
-    to the desired <CLASS>. MUST be an integer:
+    echo -e "\e[97m  --provider-netcup-ipv6 \e[0m"
-      1: realtime
+    echo "    Activates IPv6 support for Netcup Root Server. One unique"
-      2: best-effort
+    echo "    IPv6 address MUST be provided in this case and MUST be encapsulated"
-      3: idle
+    echo "    with [], e.g., [1234::abcd]."
-    Defaults to '2'.
+    echo
-    Whereas <PRIORITY> MUST be an integer as well between:
+    echo -e "\e[97m  --renice-priority <PRIORITY> \e[0m"
-      0: highest priority and
+    echo "    Reset the nice priority value of the script and all its children"
-      7: lowest priority.
+    echo "    to the desired <PRIORITY>. MUST be an integer (between '-19' and 19)."
-    Defaults to '4'.
+    echo "    Negative (higher) values MUST be enclosed in double quotes '\"'."
-    A real-time I/O process can significantly slow down other processes
+    echo
-    or even cause them to starve if it continuously requests I/O.
+    echo -e "\e[97m  --reionice-priority <CLASS> <PRIORITY> \e[0m"
-
+    echo "    Reset the ionice priority value of the script and all its children"
-$(echo -e "\e[97m  --root-password-file </path/to/password.txt>\e[0m")
+    echo "    to the desired <CLASS>. MUST be an integer:"
-    Password file for 'root', if given, MUST be a string of 20 to 64 characters,
+    echo "      1: realtime"
-    and MUST NOT contain the special character '"'.
+    echo "      2: best-effort"
-    If the argument is omitted, no further login authentication is required for
+    echo "      3: idle"
-    the local console. The root password is hashed with an 16 Byte '/dev/random'
+    echo "    Defaults to '2'."
-    generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
+    echo "    Whereas <PRIORITY> MUST be an integer as well between:"
-    after Hash generation all Variables containing plain password fragments are
+    echo "      0: highest priority and"
-    deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without
+    echo "      7: lowest priority."
-    further prompt after password hash has been successfully generated via:
+    echo "    Defaults to '4'."
-    'shred -vfzu 5 -f'.
+    echo "    A real-time I/O process can significantly slow down other processes"
-    No tracing of any plain text password fragment in any debug log.
+    echo "    or even cause them to starve if it continuously requests I/O."
-
+    echo
-$(echo -e "\e[97m  --ssh-port <INTEGER>\e[0m")
+    echo -e "\e[97m  --root-password-file </path/to/password.txt> \e[0m"
-    The desired Port SSH should listen to.
+    echo "    Password file for 'root', if given, MUST be a string of 20 to 64 characters,"
-    If not provided defaults to Port 22.
+    echo "    and MUST NOT contain the special character '\"'."
-
+    echo "    If the argument is omitted, no further login authentication is required for"
-$(echo -e "\e[97m  --ssh-pubkey </path/to/.ssh/>\e[0m")
+    echo "    the local console. The root password is hashed with an 16 Byte '/dev/random'"
-    Imports the SSH Public Key(s) from the FILE 'authorized_keys' of the
+    echo "    generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately"
-    specified PATH into the Live ISO. MUST be provided.
+    echo "    after Hash generation all Variables containing plain password fragments are"
-
+    echo "    deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without"
-$(echo -e "\e[97m  --version, -v\e[0m")
+    echo "    further prompt after password hash has been successfully generated via:"
-    Displays version of ${0}.
+    echo "    'shred -vfzu 5 -f'."
-
+    echo "    'No tracing of any plain text password fragment in any debug log."
-$(echo -e "\e[93m💡 Notes:\e[0m")
+    echo
-🔵 You MUST be 'root' to run this script.
+    echo -e "\e[97m  --ssh-port <INTEGER> \e[0m"
-
+    echo "    The desired Port SSH should listen to."
-$(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m")
+    echo "    If not provided defaults to Port '22'."
-$(echo -e "\e[95m🌐 https://coresecret.eu/spenden/         \e[0m")
+    echo
-
+    echo -e "\e[97m  --ssh-pubkey </path/to/.ssh/> \e[0m"
-EOF
+    echo "    Imports the SSH Public Key from the FILE 'authorized_keys' of the"
    echo "    specified PATH into the Live ISO. MUST be provided."
    echo
    echo -e "\e[97m  --trixie \e[0m"
    echo "    Create a Debian Trixie Live ISO. Experimental Feature"
    echo
    echo -e "\e[97m  --version, -v \e[0m"
    echo "    Show version of ${0}."
    echo
    echo -e "\e[93m💡 Notes:\e[0m"
    echo -e "\e[93m🔵 You MUST be 'root' to run this script.\e[0m"
    echo
    echo -e "\e[95m💷 Please consider donating to my work at: \e[0m"
    echo -e "\e[95m🌐 https://coresecret.eu/spenden/ \e[0m"
    echo
    echo -e "\e[1;97m${var_footer}\e[0m"
  } | less -R
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/lib_version.sh
+++ b/lib/lib_version.sh
@@ -0,0 +1,54 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-25; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 #######################################
 # Version Wrapper CISS.debian.live.builder
 # Globals:
 #   VAR_VERSION
 # Arguments:
 #   None
 #######################################
 version() {
  # shellcheck disable=SC2155
  declare -r var_repo_ver="$(git log --format='%h %ci' -1 2>/dev/null | awk '{ print $1" "$2" "$3 }')"
  # shellcheck disable=SC2155
  declare -r var_lb_ver="$(lb -v)"
  # shellcheck disable=SC2155
  declare -r var_ds_ver="$(debootstrap --version)"
  # shellcheck disable=SC2155
  declare -r var_host="$(uname -n)"
  # shellcheck disable=SC2155
  declare -r var_bash_ver="$(bash --version | head -n1 | awk '{print $4" "$5" "$6}')"
  clear
  cat << EOF
 $(echo -e "\e[97m################################################################################ \e[0m")
 $(echo -e "\e[92m  CISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m")
 $(echo -e "\e[92m  A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
  Version : ${VAR_VERSION}
  Git     : ${var_repo_ver}
 $(echo -e "\e[97m  This program is free software. Distribution and modification under  \e[0m")
 $(echo -e "\e[97m  EUPL-1.2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! \e[0m")
  Please file bugs @
 $(echo -e "\e[95m  https://git.coresecret.dev/msw/CISS.debian.live.builder/issues \e[0m")
 $(echo -e "\e[97m################################################################################\e[0m")
  Using   : lb (${var_lb_ver}) debootstrap (${var_ds_ver})
  on      : ${var_host}
  Bash    : ${var_bash_ver}
 EOF
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/scripts/0010_dhcp_supersede.sh
+++ b/scripts/0010_dhcp_supersede.sh
@@ -21,9 +21,9 @@ fi
 cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp/dhclient.conf
 # Custom dhclient config to override DHCP DNS
-# dns01.eddns.eu, dns02.eddns.de; dns03.eddns.eu;
+# dns01.eddns.eu, dns02.eddns.de, dns03.eddns.eu;
-supersede domain-name-servers 135.181.207.105, 89.58.62.53; 138.199.237.109;
+supersede domain-name-servers 135.181.207.105, 89.58.62.53, 138.199.237.109;
 EOF
--- a/scripts/9000-cdi-starter
+++ b/scripts/9000-cdi-starter
@@ -15,7 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 # sleep 1
 [[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log
-printf "CISS.debian.installer Master V8.03.832.2025.06.24 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+printf "CISS.debian.installer Master V8.04.002.2025.08.11 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
 if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then
  chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh
--- a/var/bash.var.sh
+++ b/var/bash.var.sh
@@ -10,12 +10,31 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 ### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin
-set -o errexit   # Exit script when a command exits with non-zero status, the same as "set -e".
+set -o errexit           # Exit script when a command exits with non-zero status, the same as "set -e".
-set -o errtrace  # Any traps on ERR are inherited in a subshell environment, the same as "set -E".
+set -o errtrace          # Any traps on ERR are inherited in a subshell environment, the same as "set -E".
-set -o functrace # Any traps on DEBUG and RETURN are inherited in a subshell environment, the same as "set -T".
+set -o functrace         # Any traps on DEBUG and RETURN are inherited in a subshell environment, the same as "set -T".
-set -o nounset   # Exit script on use of an undefined variable, the same as "set -u".
+set -o ignoreeof         # An interactive shell will not exit upon reading EOF.
-set -o pipefail  # Makes pipelines return the exit status of the last command in the pipe that failed.
+set -o noclobber         # Prevent overwriting, the same as "set -C".
-set -o noclobber # Prevent overwriting, the same as "set -C".
+set -o nounset           # Exit script on use of an undefined variable, the same as "set -u".
 set -o pipefail          # Makes pipelines return the exit status of the last command in the pipe that failed.
 ### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Shopt-Builtin
 shopt -s failglob        # If set, patterns that fail to match filenames during filename expansion result in an expansion error.
 shopt -s inherit_errexit # If set, command substitution inherits the value of the errexit option instead of unsetting it in the
                         # subshell environment. This option is enabled when POSIX mode is enabled.
 shopt -s lastpipe        # If set, and job control is not active, the shell runs the last command of a pipeline not executed in
                         # the background in the current shell environment.
 shopt -u expand_aliases  # If set, aliases are expanded as described below under Aliases, Aliases. This option is enabled by
                         # default for interactive shells.
 shopt -u dotglob         # If set, Bash includes filenames beginning with a '.' in the results of filename expansion.
 shopt -u extglob         # If set, enable the extended pattern matching features.
 shopt -u nullglob        # If set, filename expansion patterns that match no files expand to nothing and are removed.
 declare -gx PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 declare -gx IFS=$' \t\n'
 umask 0022
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/var/color.var.sh
+++ b/var/color.var.sh
@@ -10,14 +10,20 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-declare -grx C_BLA='\e[90m' # Beautiful black For the techno fans.
+guard_sourcing
-declare -grx C_RED='\e[91m' # Bright red.
+
-declare -grx C_GRE='\e[92m' # Vibrant green.
+### Definition of color variables.
-declare -grx C_YEL='\e[93m' # Fancy yellow
+
-declare -grx C_BLU='\e[94m' # Organic blue.
+declare -grx BLA='\e[90m' # Beautiful black For the techno fans.
-declare -grx C_MAG='\e[95m' # Super gay magenta.
+declare -grx RED='\e[91m' # Bright red.
-declare -grx C_CYA='\e[96m' # Lovely cyan.
+declare -grx GRE='\e[92m' # Vibrant green.
-declare -grx C_WHI='\e[97m' # Fantastic color mix.
+declare -grx YEL='\e[93m' # Fancy yellow
-declare -grx C_RES='\e[0m'  # Forget everything.
+declare -grx BLU='\e[94m' # Organic blue.
 declare -grx MAG='\e[95m' # Super gay magenta.
 declare -grx CYA='\e[96m' # Lovely cyan.
 declare -grx WHI='\e[97m' # Fantastic color mix.
 declare -grx RES='\e[0m'  # Forget everything.
 declare -grx TAB='\t'     # Tabulator.
 declare -grx NL='\n'      # New line.
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/var/early.var.sh
+++ b/var/early.var.sh
@@ -13,13 +13,10 @@
 ### Definition of MUST set early Variables
 # shellcheck disable=SC2155
 declare -agx ARY_PARAM_ARRAY=("$@")
 declare -grx VAR_PARAM_COUNT="$#"
 declare -grx VAR_PARAM_STRNG="$*"
 declare -grx VAR_CONTACT="security@coresecret.eu"
-declare -grx VAR_VERSION="Master V8.03.832.2025.06.24"
+declare -grx VAR_VERSION="Master V8.04.002.2025.08.11"
 declare -grx VAR_SYSTEM="$(uname -a)"
 declare -gx  VAR_EARLY_DEBUG="false"
 declare -gx  VAR_HANDLER_AUTOBUILD="false"
-umask 0022
+
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/var/global.var.sh
+++ b/var/global.var.sh
@@ -10,11 +10,18 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 ### Definition of MUST set global variables.
 # shellcheck disable=SC2155
 declare -gr VAR_ISO8601="$(date +%Y_%m_%d_%H_%M_%S)"
 # shellcheck disable=SC2155
 declare -gr VAR_KERNEL_INF="$(mktemp)"
 # shellcheck disable=SC2155
 declare -gr VAR_KERNEL_TMP="$(mktemp)"
 # shellcheck disable=SC2155
 declare -gr VAR_KERNEL_SRT="$(mktemp)"
 # shellcheck disable=SC2155
 declare -gr VAR_NOTES="$(mktemp)"
 declare -gr LOG_ERROR="/tmp/ciss_live_builder_$$_error.log"
@@ -28,12 +35,14 @@ declare -g VAR_HANDLER_SPLASH=""
 declare -g VAR_SSHPORT=""
 declare -g VAR_SSHPUBKEY=""
 declare -g VAR_SCRIPT_SUCCESS="false"
 declare -g VAR_SUITE="bookworm"
 declare -g VAR_HANDLER_PRIORITY=""
 declare -g VAR_HANDLER_NETCUP_IPV6="false"
 declare -g VAR_HASHED_PWD=""
 declare -gi VAR_HANDLER_STA=0
-declare -g VAR_REIONICE_CLASS=""
+declare -gi VAR_HANDLER_PRIORITY=0
-declare -g VAR_REIONICE_PRIORITY=""
+declare -gi VAR_REIONICE_CLASS=2
 declare -gi VAR_REIONICE_PRIORITY=4
 declare -gr VAR_CHROOT_DIR="chroot"
 declare -gr VAR_PACKAGES_FILE="chroot.packages.live"
 declare -ga ARY_HANDLER_JUMPHOST=()