DEPLOY BOT : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]

X-CI-Metadata: master@131b29e at 2025-10-14T22:23:31Z on f4002627fb64 Generated at : 2025-10-14T22:23:31Z Runner Host : f4002627fb64 Workflow ID : 💙 Generating a PUBLIC Live ISO. Git Commit : 131b29e HEAD -> master
DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
2025-10-14 22:23:31 +00:00 · 2025-10-14 21:28:38 +00:00 · 2025-10-14 20:32:31 +00:00 · 2025-10-14 19:37:06 +00:00 · 2025-10-14 19:36:51 +00:00 · 2025-10-14 20:35:02 +01:00
157 changed files with 3626 additions and 1387 deletions
--- a/.archive/.0000_lib_usage.sh
+++ b/.archive/.0000_lib_usage.sh
@@ -21,7 +21,7 @@ usage() {
  clear
  cat << EOF
 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.03.864.2025.07.15\e[0m")
+$(echo -e "\e[92mMaster V8.13.142.2025.10.14\e[0m")
 $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
 $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
--- a/config/hooks/live/0003_install_backports.chroot
+++ b/config/hooks/live/0003_install_backports.chroot
@@ -6,13 +6,12 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 DEBIAN_FRONTEND=noninteractive \
  apt-get update && \
@@ -33,7 +32,6 @@ DEBIAN_FRONTEND=noninteractive \
        whois
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/.archive/0005_tmpfile_dublette.chroot
+++ b/.archive/0005_tmpfile_dublette.chroot
@@ -0,0 +1,72 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # Purpose: Copy vendor 'legacy.conf' to '/etc/tmpfiles.d' and drop duplicate '/run/lock' lines.
 #######################################
 # Simple error terminal logger.
 # Arguments:
 #   None
 #######################################
 log() { printf '[tmpfiles-fix] %s\n' "$*" >&2; }
 ### Locate vendor 'legacy.conf' (The path can vary).
 declare vendor=""
 for p in /usr/lib/tmpfiles.d/legacy.conf /lib/tmpfiles.d/legacy.conf; do
  if [[ -f "${p}" ]]; then vendor="${p}"; break; fi
 done
 if [[ -z "${vendor}" ]]; then
  log "WARN: vendor legacy.conf not found; creating a minimal override"
  install -D -m 0644 /dev/null /etc/tmpfiles.d/legacy.conf
 else
  install -D -m 0644 "${vendor}" /etc/tmpfiles.d/legacy.conf
 fi
 ### Deduplicate: keep only the FIRST 'd /run/lock ' definition, drop subsequent ones.
 # shellcheck disable=SC2155
 declare tmpdir="$(mktemp -d)"
 declare out="${tmpdir}/legacy.conf"
 awk '
 BEGIN{seen=0}
 {
  # Preserve everything by default
  keep=1
  # Match tmpfiles "d /run/lock ..." (allowing variable spacing and case of directive)
  if ($1 ~ /^[dD]$/ && $2 == "/run/lock") {
    if (seen==1) { keep=0 } else { seen=1 }
  }
  if (keep) print
 }' /etc/tmpfiles.d/legacy.conf >| "${out}"
 ### Install the sanitized file atomically.
 install -m 0644 -o root -g root "${out}" /etc/tmpfiles.d/legacy.conf
 rm -rf -- "${tmpdir}"
 log "Deduplicated /etc/tmpfiles.d/legacy.conf (kept only first /run/lock entry)."
 command -v systemd-tmpfiles >/dev/null 2>&1 && systemd-tmpfiles --create --prefix /run/lock || true
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/.archive/icon.lib
+++ b/.archive/icon.lib
@@ -5,7 +5,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ✅
--- a/.editorconfig
+++ b/.editorconfig
@@ -25,6 +25,10 @@ charset = utf-8
 insert_final_newline = true
 trim_trailing_whitespace = true
 [{makefile,*.mk}]
 indent_style = tab
 tab_width    = 8
 [*.md]
 end_of_line = lf
 # Markdown benefits from a final newline for POSIX tools
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.03.864.2025.07.15"
+      placeholder: "e.g., Master V8.13.142.2025.10.14"
    validations:
      required: true
--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.864.2025.07.15
+# Version Master V8.13.142.2025.10.14
 FROM debian:bookworm
--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -5,11 +5,11 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.864.2025.07.15
+# Version Master V8.13.142.2025.10.14
 name: 🔁 Render README.md to README.html.
--- a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.03.864.2025.07.15
+  version: V8.13.142.2025.10.14
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.03.864.2025.07.15
+  version: V8.13.142.2025.10.14
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PUBLIC.yaml
+++ b/.gitea/trigger/t_generate_PUBLIC.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.03.864.2025.07.15
+  version: V8.13.142.2025.10.14
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.03.864.2025.07.15
+  version: V8.13.142.2025.10.14
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,9 +9,13 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.864.2025.07.15
+# Version Master V8.13.142.2025.10.14
-name: 🔐 Generating a Private Live ISO FLV 0.
+name: 🔐 Generating a Private Live ISO TRIXIE.
 defaults:
  run:
    shell: bash
 permissions:
  contents: write
@@ -21,164 +25,35 @@ on:
    branches:
      - master
    paths:
-      - '.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml'
+      - '.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml'
 jobs:
-  generate-private-ciss-debian-live-iso:
+  generate-private-cdlb-trixie:
-    name: 🔐 Generating a Private Live ISO FLV 0.
+    name: 🔐 Generating a Private Live ISO TRIXIE.
-    runs-on: ciss.debian.live.builder.iso.generator
+    runs-on: cdlb.trixie
    ### Run all steps inside Debian Bookworm
    container:
-      image: debian:bookworm
+      image: debian:trixie
    steps:
-      - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
+      - name: 🛠️ Basic Image Setup.
        run: |
          apt-get update -y
          apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
          echo 'deb https://deb.debian.org/debian bookworm-backports main' \
            >| /etc/apt/sources.list.d/bookworm-backports.list
          apt-get update -y
          apt-get upgrade -y
      - name: 🛠️ Installing Build Tools.
        shell: bash
        run: |
-          apt-get update -y
+          export DEBIAN_FRONTEND=noninteractive
-          apt-get install -y \
+          apt-get update
-            autoconf \
+          apt-get upgrade -y
-            automake \
+          apt-get install -y --no-install-recommends \
-            build-essential \
+            apt-utils \
-            cryptsetup \
+            bash \
            ca-certificates \
            curl \
            debootstrap \
            dosfstools \
            efibootmgr \
            gettext \
            git \
            gnupg \
-            haveged \
+            openssh-client \
-            libbz2-dev \
+            openssl \
-            zlib1g-dev \
+            perl \
            liblzma-dev \
            libtool \
            live-build \
            parted \
            pkg-config \
            ssh \
            ssl-cert \
            sudo \
-            texinfo \
+            util-linux
            wget \
            whois \
      - name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
        shell: bash
        run: |
          urls=(
            "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
          )
          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
          gpg --batch --import signature_key.asc
          for url in "${urls[@]}"; do
            archive_name="${url##*/}"
            pkg_name="${archive_name%.tar.bz2}"
            echo "🔄 Processing ${pkg_name}"
            if [[ ! -f "${archive_name}" ]]; then
              echo "📥 Downloading: '${archive_name}'."
              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
                echo "✅ Download successful: '${archive_name}'."
              else
                echo "❌ Download NOT successful: '${archive_name}'."
                exit 1
              fi
            else
              echo "💡 Skipping download, package already exists: '${archive_name}'."
            fi
            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
            if [[ ! -d "${pkg_name}" ]]; then
              echo "📂 Extracting: '${archive_name}'."
              if tar -xjf "${archive_name}"; then
                echo "✅ Extraction successful: '${archive_name}'."
              else
                echo "❌ Extraction not successful: '${archive_name}'."
                exit 1
              fi
            else
              echo "💡 Skipping directory, already exists: '${pkg_name}'."
            fi
            echo "🏗️ Build and install the package: '${pkg_name}'."
            cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
            mkdir -p build
            cd build || { echo "❌ Could not change to '/build'."; exit 1; }
            sudo ../configure > /dev/null 2>&1  || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
            make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
            sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
            cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
            echo "✅ Successful build and installation of '${pkg_name}'."
            echo "-------------------------------------------------------------------------------------"
          done
          rm -f signature_key.asc
          echo "✅ All packages were built and installed successfully."
          mv_bin=(
            "/usr/bin/gpg"
            "/usr/bin/gpg-agent"
            "/usr/bin/gpgconf"
            "/usr/bin/gpg-connect-agent"
            "/usr/bin/gpg-wks-client"
            "/usr/bin/gpg-preset-passphrase"
          )
          for bin in "${mv_bin[@]}"; do
            name="${bin##*/}"
            if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
              if mv "${bin}" "${bin}.debian-backup"; then
                echo "✅ Moved successfully: '${bin}'."
              else
                echo "❌ Moved NOT successfully: '${bin}'."
              fi
            else
              echo "💡 Does not exist as build binary: '${bin}'."
            fi
          done
          for bin in "${mv_bin[@]}"; do
            name="${bin##*/}"
            if [[ -f "/usr/local/bin/${name}" ]]; then
              if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
                echo "✅ 'update-alternatives' successfully: '${bin}'."
              else
                echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
              fi
            else
              echo "💡 Does not exist: '/usr/local/bin/${name}'."
            fi
          done
          sudo ldconfig
          gpgconf --kill all
          /usr/local/bin/gpg-agent --daemon
      - name: ⚙️ Check GnuPG Version.
        shell: bash
@@ -188,6 +63,11 @@ jobs:
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
@@ -262,17 +142,91 @@ jobs:
          echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
      - name: 🔧 Render live hook with secrets.
        shell: bash
        working-directory: ${{ github.workspace }}
        env:
          ED25519_PRIV:        ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
          ED25519_PUB:         ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
          RSA_PRIV:            ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
          RSA_PUB:             ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
          CISS_PRIMORDIAL:     ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
          CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
        run: |
          set -Ceuo pipefail
          umask 077
          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
          TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
          OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
          ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
          ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
          if [[ ! -f "${TPL}" ]]; then
            echo "Template not found: ${TPL}"
            echo "::group::Tree of config/hooks/live"
            ls -la "${REPO_ROOT}/config/hooks/live" || true
            echo "::endgroup::"
            exit 2
          fi
          export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
          export ED25519_PUB="${ED25519_PUB//$'\r'/}"
          export RSA_PRIV="${RSA_PRIV//$'\r'/}"
          export RSA_PUB="${RSA_PUB//$'\r'/}"
          export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
          export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
          (
          cat << EOF >| "${ID_OUT}"
          ${CISS_PRIMORDIAL}
          EOF
          ) && chmod 0600 "${ID_OUT}"
          if [[ -f "${ID_OUT}" ]]; then
            echo "Written: ${ID_OUT}"
          else
            echo "Error: ${ID_OUT} not written."
          fi
          (
          cat << EOF >| "${ID_OUT_PUB}"
          ${CISS_PRIMORDIAL_PUB}
          EOF
          ) && chmod 0600 "${ID_OUT_PUB}"
          if [[ -f "${ID_OUT_PUB}" ]]; then
            echo "Written: ${ID_OUT_PUB}"
          else
            echo "Error: ${ID_OUT_PUB} not written."
          fi
          perl -0777 -pe '
            BEGIN{
              $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
              $rsa=$ENV{RSA_PRIV};    $rsapub=$ENV{RSA_PUB};
            }
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
          ' "${TPL}" > "${OUT}"
          chmod 0755 "${OUT}"
          echo "Hook rendered: ${OUT}"
      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
        shell: bash
        working-directory: ${{ github.workspace }}
        run: |
          set -euo pipefail
          chmod 0755 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
          ./ciss_live_builder.sh \
-            --autobuild=6.12.30+bpo-amd64 \
+            --autobuild=6.16.3+deb13-amd64 \
            --architecture amd64 \
            --build-directory /opt/livebuild \
            --cdi \
            --control "${timestamp}" \
            --debug \
            --dhcp-centurion \
@@ -280,7 +234,14 @@ jobs:
            --provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
            --root-password-file /opt/config/password.txt \
            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
-            --ssh-pubkey /opt/config
+            --ssh-pubkey /opt/config \
            --sshfp \
            --trixie
          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
          rm -f "$OUT"
          echo "Hook removed: $OUT"
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
@@ -367,11 +328,12 @@ jobs:
          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
-          PRIVATE_FILE="LIVE_ISO_FLV_0.private"
+          VAR_DATE="$(date +%F)"
          PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
          touch "${PRIVATE_FILE}"
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -381,7 +343,7 @@ jobs:
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
-          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
          CISS.debian.live.builder ISO :
            "${VAR_ISO_FILE_NAME}"
@@ -435,7 +397,7 @@ jobs:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          PRIVATE_FILE="LIVE_ISO_FLV_0.private"
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
@@ -459,7 +421,7 @@ jobs:
            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
-            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 0 [skip ci]
+            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]
          ${CI_HEADER}
--- a/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,9 +9,13 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.864.2025.07.15
+# Version Master V8.13.142.2025.10.14
-name: 🔐 Generating a Private Live ISO FLV 1.
+name: 🔐 Generating a Private Live ISO TRIXIE.
 defaults:
  run:
    shell: bash
 permissions:
  contents: write
@@ -21,164 +25,35 @@ on:
    branches:
      - master
    paths:
-      - '.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml'
+      - '.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml'
 jobs:
-  generate-private-ciss-debian-live-iso:
+  generate-private-cdlb-trixie:
-    name: 🔐 Generating a Private Live ISO FLV 1.
+    name: 🔐 Generating a Private Live ISO TRIXIE.
-    runs-on: ciss.debian.live.builder.iso.generator
+    runs-on: cdlb.trixie
    ### Run all steps inside Debian Bookworm
    container:
-      image: debian:bookworm
+      image: debian:trixie
    steps:
-      - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
+      - name: 🛠️ Basic Image Setup.
        run: |
          apt-get update -y
          apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
          echo 'deb https://deb.debian.org/debian bookworm-backports main' \
            >| /etc/apt/sources.list.d/bookworm-backports.list
          apt-get update -y
          apt-get upgrade -y
      - name: 🛠️ Installing Build Tools.
        shell: bash
        run: |
-          apt-get update -y
+          export DEBIAN_FRONTEND=noninteractive
-          apt-get install -y \
+          apt-get update
-            autoconf \
+          apt-get upgrade -y
-            automake \
+          apt-get install -y --no-install-recommends \
-            build-essential \
+            apt-utils \
-            cryptsetup \
+            bash \
            ca-certificates \
            curl \
            debootstrap \
            dosfstools \
            efibootmgr \
            gettext \
            git \
            gnupg \
-            haveged \
+            openssh-client \
-            libbz2-dev \
+            openssl \
-            zlib1g-dev \
+            perl \
            liblzma-dev \
            libtool \
            live-build \
            parted \
            pkg-config \
            ssh \
            ssl-cert \
            sudo \
-            texinfo \
+            util-linux
            wget \
            whois \
      - name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
        shell: bash
        run: |
          urls=(
            "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
          )
          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
          gpg --batch --import signature_key.asc
          for url in "${urls[@]}"; do
            archive_name="${url##*/}"
            pkg_name="${archive_name%.tar.bz2}"
            echo "🔄 Processing ${pkg_name}"
            if [[ ! -f "${archive_name}" ]]; then
              echo "📥 Downloading: '${archive_name}'."
              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
                echo "✅ Download successful: '${archive_name}'."
              else
                echo "❌ Download NOT successful: '${archive_name}'."
                exit 1
              fi
            else
              echo "💡 Skipping download, package already exists: '${archive_name}'."
            fi
            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
            if [[ ! -d "${pkg_name}" ]]; then
              echo "📂 Extracting: '${archive_name}'."
              if tar -xjf "${archive_name}"; then
                echo "✅ Extraction successful: '${archive_name}'."
              else
                echo "❌ Extraction not successful: '${archive_name}'."
                exit 1
              fi
            else
              echo "💡 Skipping directory, already exists: '${pkg_name}'."
            fi
            echo "🏗️ Build and install the package: '${pkg_name}'."
            cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
            mkdir -p build
            cd build || { echo "❌ Could not change to '/build'."; exit 1; }
            sudo ../configure > /dev/null 2>&1  || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
            make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
            sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
            cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
            echo "✅ Successful build and installation of '${pkg_name}'."
            echo "-------------------------------------------------------------------------------------"
          done
          rm -f signature_key.asc
          echo "✅ All packages were built and installed successfully."
          mv_bin=(
            "/usr/bin/gpg"
            "/usr/bin/gpg-agent"
            "/usr/bin/gpgconf"
            "/usr/bin/gpg-connect-agent"
            "/usr/bin/gpg-wks-client"
            "/usr/bin/gpg-preset-passphrase"
          )
          for bin in "${mv_bin[@]}"; do
            name="${bin##*/}"
            if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
              if mv "${bin}" "${bin}.debian-backup"; then
                echo "✅ Moved successfully: '${bin}'."
              else
                echo "❌ Moved NOT successfully: '${bin}'."
              fi
            else
              echo "💡 Does not exist as build binary: '${bin}'."
            fi
          done
          for bin in "${mv_bin[@]}"; do
            name="${bin##*/}"
            if [[ -f "/usr/local/bin/${name}" ]]; then
              if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
                echo "✅ 'update-alternatives' successfully: '${bin}'."
              else
                echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
              fi
            else
              echo "💡 Does not exist: '/usr/local/bin/${name}'."
            fi
          done
          sudo ldconfig
          gpgconf --kill all
          /usr/local/bin/gpg-agent --daemon
      - name: ⚙️ Check GnuPG Version.
        shell: bash
@@ -188,6 +63,11 @@ jobs:
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
@@ -262,22 +142,103 @@ jobs:
          echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/config/password.txt
          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/config/authorized_keys
      - name: 🔧 Render live hook with secrets.
        shell: bash
        working-directory: ${{ github.workspace }}
        env:
          ED25519_PRIV:        ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
          ED25519_PUB:         ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
          RSA_PRIV:            ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
          RSA_PUB:             ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
          CISS_PRIMORDIAL:     ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
          CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
        run: |
          set -Ceuo pipefail
          umask 077
          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
          TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
          OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
          ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
          ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
          if [[ ! -f "${TPL}" ]]; then
            echo "Template not found: ${TPL}"
            echo "::group::Tree of config/hooks/live"
            ls -la "${REPO_ROOT}/config/hooks/live" || true
            echo "::endgroup::"
            exit 2
          fi
          export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
          export ED25519_PUB="${ED25519_PUB//$'\r'/}"
          export RSA_PRIV="${RSA_PRIV//$'\r'/}"
          export RSA_PUB="${RSA_PUB//$'\r'/}"
          export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
          export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
          (
          cat << EOF >| "${ID_OUT}"
          ${CISS_PRIMORDIAL}
          EOF
          ) && chmod 0600 "${ID_OUT}"
          if [[ -f "${ID_OUT}" ]]; then
            echo "Written: ${ID_OUT}"
          else
            echo "Error: ${ID_OUT} not written."
          fi
          (
          cat << EOF >| "${ID_OUT_PUB}"
          ${CISS_PRIMORDIAL_PUB}
          EOF
          ) && chmod 0600 "${ID_OUT_PUB}"
          if [[ -f "${ID_OUT_PUB}" ]]; then
            echo "Written: ${ID_OUT_PUB}"
          else
            echo "Error: ${ID_OUT_PUB} not written."
          fi
          perl -0777 -pe '
            BEGIN{
              $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
              $rsa=$ENV{RSA_PRIV};    $rsapub=$ENV{RSA_PUB};
            }
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
          ' "${TPL}" > "${OUT}"
          chmod 0755 "${OUT}"
          echo "Hook rendered: ${OUT}"
      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
        shell: bash
        working-directory: ${{ github.workspace }}
        run: |
          set -euo pipefail
          chmod 0755 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
          ./ciss_live_builder.sh \
-            --autobuild=6.12.30+bpo-amd64 \
+            --autobuild=6.16.3+deb13-amd64 \
            --architecture amd64 \
            --build-directory /opt/livebuild \
            --cdi \
            --control "${timestamp}" \
            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
            --root-password-file /opt/config/password.txt \
            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
-            --ssh-pubkey /opt/config
+            --ssh-pubkey /opt/config \
            --sshfp \
            --trixie
          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
          rm -f "$OUT"
          echo "Hook removed: $OUT"
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
@@ -364,11 +325,12 @@ jobs:
          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
-          PRIVATE_FILE="LIVE_ISO_FLV_1.private"
+          VAR_DATE="$(date +%F)"
          PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
          touch "${PRIVATE_FILE}"
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -378,7 +340,7 @@ jobs:
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
-          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
          CISS.debian.live.builder ISO :
            "${VAR_ISO_FILE_NAME}"
@@ -432,7 +394,7 @@ jobs:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          PRIVATE_FILE="LIVE_ISO_FLV_1.private"
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
@@ -456,7 +418,7 @@ jobs:
            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
-            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 1 [skip ci]
+            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
          ${CI_HEADER}
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -9,10 +9,14 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.864.2025.07.15
+# Version Master V8.13.142.2025.10.14
 name: 💙 Generating a PUBLIC Live ISO.
 defaults:
  run:
    shell: bash
 permissions:
  contents: write
@@ -24,161 +28,32 @@ on:
      - '.gitea/trigger/t_generate_PUBLIC.yaml'
 jobs:
-  generate-private-ciss-debian-live-iso:
+  generate-public-cdlb-trixie:
    name: 💙 Generating a PUBLIC Live ISO.
-    runs-on: ciss.debian.live.builder.iso.generator
+    runs-on: cdlb.trixie
    ### Run all steps inside Debian Bookworm
    container:
-      image: debian:bookworm
+      image: debian:trixie
    steps:
-      - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
+      - name: 🛠️ Basic Image Setup.
        run: |
          apt-get update -y
          apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
          echo 'deb https://deb.debian.org/debian bookworm-backports main' \
            >| /etc/apt/sources.list.d/bookworm-backports.list
          apt-get update -y
          apt-get upgrade -y
      - name: 🛠️ Installing Build Tools.
        shell: bash
        run: |
-          apt-get update -y
+          export DEBIAN_FRONTEND=noninteractive
-          apt-get install -y \
+          apt-get update
-            autoconf \
+          apt-get upgrade -y
-            automake \
+          apt-get install -y --no-install-recommends \
-            build-essential \
+            apt-utils \
-            cryptsetup \
+            bash \
            ca-certificates \
            curl \
            debootstrap \
            dosfstools \
            efibootmgr \
            gettext \
            git \
            gnupg \
-            haveged \
+            openssh-client \
-            libbz2-dev \
+            openssl \
-            zlib1g-dev \
+            perl \
            liblzma-dev \
            libtool \
            live-build \
            parted \
            pkg-config \
            ssh \
            ssl-cert \
            sudo \
-            texinfo \
+            util-linux
            wget \
            whois \
      - name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
        shell: bash
        run: |
          urls=(
            "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
          )
          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
          gpg --batch --import signature_key.asc
          for url in "${urls[@]}"; do
            archive_name="${url##*/}"
            pkg_name="${archive_name%.tar.bz2}"
            echo "🔄 Processing ${pkg_name}"
            if [[ ! -f "${archive_name}" ]]; then
              echo "📥 Downloading: '${archive_name}'."
              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
                echo "✅ Download successful: '${archive_name}'."
              else
                echo "❌ Download NOT successful: '${archive_name}'."
                exit 1
              fi
            else
              echo "💡 Skipping download, package already exists: '${archive_name}'."
            fi
            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
            if [[ ! -d "${pkg_name}" ]]; then
              echo "📂 Extracting: '${archive_name}'."
              if tar -xjf "${archive_name}"; then
                echo "✅ Extraction successful: '${archive_name}'."
              else
                echo "❌ Extraction not successful: '${archive_name}'."
                exit 1
              fi
            else
              echo "💡 Skipping directory, already exists: '${pkg_name}'."
            fi
            echo "🏗️ Build and install the package: '${pkg_name}'."
            cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
            mkdir -p build
            cd build || { echo "❌ Could not change to '/build'."; exit 1; }
            sudo ../configure > /dev/null 2>&1  || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
            make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
            sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
            cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
            echo "✅ Successful build and installation of '${pkg_name}'."
            echo "-------------------------------------------------------------------------------------"
          done
          rm -f signature_key.asc
          echo "✅ All packages were built and installed successfully."
          mv_bin=(
            "/usr/bin/gpg"
            "/usr/bin/gpg-agent"
            "/usr/bin/gpgconf"
            "/usr/bin/gpg-connect-agent"
            "/usr/bin/gpg-wks-client"
            "/usr/bin/gpg-preset-passphrase"
          )
          for bin in "${mv_bin[@]}"; do
            name="${bin##*/}"
            if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
              if mv "${bin}" "${bin}.debian-backup"; then
                echo "✅ Moved successfully: '${bin}'."
              else
                echo "❌ Moved NOT successfully: '${bin}'."
              fi
            else
              echo "💡 Does not exist as build binary: '${bin}'."
            fi
          done
          for bin in "${mv_bin[@]}"; do
            name="${bin##*/}"
            if [[ -f "/usr/local/bin/${name}" ]]; then
              if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
                echo "✅ 'update-alternatives' successfully: '${bin}'."
              else
                echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
              fi
            else
              echo "💡 Does not exist: '/usr/local/bin/${name}'."
            fi
          done
          sudo ldconfig
          gpgconf --kill all
          /usr/local/bin/gpg-agent --daemon
      - name: ⚙️ Check GnuPG Version.
        shell: bash
@@ -188,6 +63,11 @@ jobs:
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
@@ -269,15 +149,18 @@ jobs:
          sed -i '/^hardening_ssh.*/d' ciss_live_builder.sh
          chmod 0755 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
          ./ciss_live_builder.sh \
-            --autobuild=6.12.30+bpo-amd64 \
+            --autobuild=6.16.3+deb13-amd64 \
            --architecture amd64 \
            --build-directory /opt/livebuild \
            --cdi \
            --control "${timestamp}" \
            --debug \
            --root-password-file /opt/config/password.txt \
            --ssh-port 42137 \
-            --ssh-pubkey /opt/config
+            --ssh-pubkey /opt/config \
            --trixie
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
@@ -364,11 +247,12 @@ jobs:
          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
          VAR_DATE="$(date +%F)"
          PRIVATE_FILE="LIVE_ISO.public"
          touch "${PRIVATE_FILE}"
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -378,7 +262,7 @@ jobs:
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
-          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
          CISS.debian.live.builder ISO :
            "${VAR_ISO_FILE_NAME}"
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.864.2025.07.15
+# Version Master V8.13.142.2025.10.14
 # Gitea Workflow: Shell-Script Linting
 #
@@ -41,6 +41,10 @@ jobs:
        shell: bash
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
@@ -202,11 +206,12 @@ jobs:
            echo -e "⚠️ Linting issues detected:\n"
            echo -e "${findings}"
            timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
            VAR_DATE="$(date +%F)"
            PRIVATE_FILE="LINTER_RESULTS.txt"
            touch "${PRIVATE_FILE}"
            cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -216,7 +221,7 @@ jobs:
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
-          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
          ⚠️ The last linter check was NOT successful. ⚠️
@@ -225,11 +230,12 @@ jobs:
          else
            echo "✅ No issues found in shell scripts."
            timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
            VAR_DATE="$(date +%F)"
            PRIVATE_FILE="LINTER_RESULTS.txt"
            touch "${PRIVATE_FILE}"
            cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -239,7 +245,7 @@ jobs:
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
-          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
          ✅ The last linter check was successful. ✅
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.864.2025.07.15
+# Version Master V8.13.142.2025.10.14
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
@@ -33,6 +33,10 @@ jobs:
        shell: bash
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.864.2025.07.15
+# Version Master V8.13.142.2025.10.14
 name: 🔁 Render Graphviz Diagrams.
@@ -34,6 +34,10 @@ jobs:
        shell: bash
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
--- a/.gitignore
+++ b/.gitignore
@@ -16,5 +16,6 @@ target/
 *.DS_Store
 *.log
 *.ps1
 config.mk
 Thumbs.db
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/.shellcheckrc
+++ b/.shellcheckrc
@@ -0,0 +1,28 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 encoding=utf-8
 external-sources=true
 shell=bash
 source-path=~/lib
 source-path=~/scripts
 source-path=~/var
 enable=avoid-nullary-conditions
 enable=check-extra-masked-returns
 enable=check-set-e-suppressed
 enable=check-unassigned-uppercase
 enable=deprecate-which
 enable=quote-safe-variables
 enable=require-double-brackets
 enable=require-variable-braces
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.03.864.2025.07.15"
+properties_version="V8.13.142.2025.10.14"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.03.864.2025.07.15
+PackageVersion: Master V8.13.142.2025.10.14
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
--- a/LINTER_RESULTS.txt
+++ b/LINTER_RESULTS.txt
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-14; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,8 +9,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-07-15T17:55:19Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-10-14T19:37:03Z"
-✅ The last linter check was successful. ✅
+⚠️ The last linter check was NOT successful. ⚠️
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/LIVE_ISO.public
+++ b/LIVE_ISO.public
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-14; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-07-15T13:01:05Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-10-14T22:23:27Z"
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_07_15T12_12_23Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_10_14T21_30_07Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  e94f1f698fb6d6a078d3aed785302ffcad25221c92439e84bb505a39d7b4da50674063cc2f7957cca655afdcdb55871ed4990aebbb096f964336af682891aed0
+  442037d11eb48f4adbd1a3da17cf36062ec6be816627c38fe814458840020f212c551b96d5e785c4372fa09fc11fd9529f34166530b1e1f5ce9335abadb5f771
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaHZREQAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaO7NXwAKCRA85KY4hzOw
-IQE/APsGY1Q8yonOxKTBUxgPPIA7ugHTfub9yWbPLcisC7J+sQEA17e8hmjJSX+O
+IT3LAP4uP8glLMDEpUntKJQTiPqSYjGUyIFoKmsgALGPJcnnoQD/fcz4Mq12mF32
-NpAtnhF4dfZheybcyfJwsscrNtOieAM=
+jf4ETKQBqlxuQyLTPvPFhLsrBbDD0AI=
-=V2i8
+=/UNR
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/LIVE_ISO_TRIXIE_0.private
+++ b/LIVE_ISO_TRIXIE_0.private
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-14; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-07-15T11:05:11Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-10-14T20:32:28Z"
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_07_15T10_13_20Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_10_14T19_36_59Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  b18d79055f12e6f61a1d0b46f8648f8097da419701f3366ba127b0eff1bb0d9ef4794b1a59b66ad8d48c3e3812a1fbc81f948a66b913b036cf2b740a778a88cd
+  57559f9b9c5e50dad6a5b2023d992c26b8f4d25dd0d45ffa5cfd479ee623287e2c2eead70016267b848c5910db5ba5c4e2dfeeb12cca6f59fe455dad886c51d9
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaHY15wAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaO6zXAAKCRA85KY4hzOw
-Idw3AQDzmYnaCI3OADP+DB+u805S8F+QUmVIcfmUGnM0sDz78gD+I+m+BHte8lzp
+Idq2AQDRmgHRGnX1bn+cNV5JirecSke0IAwlAjEXOl4tFoQlewEA0s2R1A3OQjIq
-rwudtbEBn9wZvy2KyFWcxlSCn3go2gU=
+fAhdl2wltVNT5+jUg6EUj3FE3kVPaQo=
-=nGnJ
+=fmxg
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/LIVE_ISO_TRIXIE_1.private
+++ b/LIVE_ISO_TRIXIE_1.private
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-14; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-07-15T12:03:16Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-10-14T21:28:34Z"
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_07_15T11_14_23Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_10_14T20_33_51Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  a022fe082d5d06db05e4c53f09b59ee57f483a3d2a2a143403d93c27a2d454ec8982ccaeb957f654c0879276befc7d9ab2333f407c8089306348c7a10fd39a20
+  4a47a1ed0986b67774047b2bfc6fdd53753fa8f301f8376b23ccde1f5187aeffbca7fce3194a3d7b61278630291a1d2d954a289da712c064326eb6b7020c228c
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaHZDhAAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaO7AggAKCRA85KY4hzOw
-IV0hAQCl7xeM8Art2obImFmhUBKDOLcLifegqY/jKY9729EM/wEAzJTRuLts9Jzy
+IWpdAP4xCxUP4V0lOBE1u7+wEOoEmXiRC10Va4Hf2UXjH1BSVwEAsz/cMaGt+rJT
-PXje4fYxZiNOoFv3hz7Xwt5q9rPn/AE=
+q0i+5EftPavvIst48aXQsp7QKjyNewM=
-=S0vW
+=x3/T
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/README.md
+++ b/README.md
@@ -2,17 +2,17 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.864.2025.07.15-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.142.2025.10.14-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/Bash-V5.2.15-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=Bash&color=%234EAA25)](https://www.gnu.org/software/bash/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Bash-V5.2.37-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=Bash&color=%234EAA25)](https://www.gnu.org/software/bash/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/shellcheck-passed-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=shellcheck&color=%234EAA25)](https://shellcheck.net/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
 &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.2-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.6-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.1.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
@@ -25,8 +25,8 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
+**Master Version**: 8.13<br>
-**Build**: V8.03.864.2025.07.15<br>
+**Build**: V8.13.142.2025.10.14<br>
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -70,7 +70,16 @@ separate directory tree, employs `DynamicUser` features, and adheres to strict s
 rating of **``2.6``**). Docker containers used by runners do not run in privileged mode. Security is further enhanced through the use 
 of both UFW software firewalls and dedicated hardware firewall appliances.
-## 1.2. Immutable Source-of-Truth System
+## 1.2. Match Host and Target Versions
 Build, for example, a Debian Trixie live image only on a Debian Trixie host. The build toolchain and boot artifacts are 
 release-specific: ``live-build``, ``live-boot``, ``live-config``, ``debootstrap``, ``kernel/initramfs`` tools, ``mksquashfs``, 
 ``GRUB/ISOLINUX``, and even ``dpkg/apt`` often change defaults and formats between releases (e.g., compression modes, SquashFS 
 options, hook ordering, systemd/udev behavior). Building on a different host release commonly yields non-reproducible or even 
 unbootable ISOs (missing modules/firmware, ABI mismatches, divergent paths). Keeping host and target on the same version ensures
 reproducible builds, matching dependencies, and compatible boot artifacts.
 ## 1.3. Immutable Source-of-Truth System
 This live ISO establishes a secure, fully deterministic, integrity self-verifying boot environment based entirely on static
 source-code definitions. All configurations, system components, and installation routines are embedded during build time and 
@@ -89,7 +98,7 @@ or shell-access, also via the forthcoming `CISS.debian.installer`. Such a versio
 provisions the target device from embedded source artifacts, and reboots into a fully encrypted system image. The system then 
 awaits the decryption passphrase input via an embedded Dropbear SSH server (SSH PubKey only) in the initramfs, exposing no ports
 without cryptographic hardened access, while also the `/boot` partition could be encrypted via the built-in support of 
-`grub2 (2.12-1~bpo12+1)`.<br>
+`grub2 (2.12-9)`.<br>
 This approach provides a fully reproducible, audit-friendly, and tamper-resistant provisioning workflow rooted entirely in 
 source-defined infrastructure logic.<br>
@@ -103,11 +112,11 @@ After build and configuration, the following audit reports can be generated:
 * **SSH Audit Report**: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations.
  Type `ssh-audit <IP>:<PORT>`. See example report: **[SSH Audit Report](/docs/AUDIT_SSH.md)**
-## 1.3. Preview
+## 1.4. Preview
 ![CISS.debian.live.builder](/docs/screenshots/CISS.debian.live.builder_preview.jpeg)
-## 1.4. Caution. Significant information for those considering using D-I.
+## 1.5. Caution. Significant information for those considering using D-I.
 **The Debian Installer (d-i) will ALWAYS boot a new system.**<br>
@@ -138,18 +147,18 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 * Logging (rsyslog, journald) ✘ not active,
 * preseed control over the network is possible (but without any protection).
-## 1.5. Versioning Schema
+## 1.6. Versioning Schema
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `V8.03.864.2025.07.15`
+Example: `V8.13.142.2025.10.14`
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
 Date (YYYY.MM.DD) denotes the build or release date, facilitating clear tracking of incremental changes and ensuring 
 reproducibility and traceability.
-## 1.6. Keywords
+## 1.7. Keywords
 The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
 "MAY", and "OPTIONAL" in this Repo are to be interpreted as described in [[BCP 14](https://www.rfc-editor.org/info/bcp14)], 
@@ -389,35 +398,52 @@ apply or revert these controls.
 set -o errexit   # Exit script when a command exits with non-zero status (same as "set -e").
 set -o errtrace  # Inherit ERR traps in subshells (same as "set -E").
 set -o functrace # Inherit DEBUG and RETURN traps in subshells (same as "set -T").
 set -o ignoreeof # An interactive shell will not exit upon reading EOF.
 set -o nounset   # Exit script on use of an undefined variable (same as "set -u").
 set -o pipefail  # Return the exit status of the last failed command in a pipeline.
 set -o noclobber # Prevent overwriting files via redirection (same as "set -C").
 ```
 * The following `shopt` options are applied at the beginning of the script (see
  [Bash Manual, The Shopt Builtin](https://www.gnu.org/software/bash/manual/bash.html#The-Shopt-Builtin)):
 ````bash
 shopt -s failglob        # If set, patterns that fail to match filenames during filename expansion result in an expansion error.
 shopt -s inherit_errexit # If set, command substitution inherits the value of the errexit option instead of unsetting it in the
                         # subshell environment.
 shopt -s lastpipe        # If set, and job control is not active, the shell runs the last command of a pipeline not executed in
                         # the background in the current shell environment.
 shopt -u expand_aliases  # If set, aliases are expanded as described. This option is enabled by default for interactive shells.
 shopt -u dotglob         # If set, Bash includes filenames beginning with a '.' in the results of filename expansion.
 shopt -u extglob         # If set, enable the extended pattern matching features.
 shopt -u nullglob        # If set, filename expansion patterns that match no files expand to nothing and are removed.
 ````
 * **Rationale**: These options enforce strict error checking and handling, reducing silent failures and ensuring 
 predictable script behavior.
 # 4. Prerequisites
-* **Host**: Debian Bookworm or newer with `live-build` package installed.
+* **Host**: Debian Trixie with `live-build` and ``debootstrap`` packages installed.
 * **Privileges**: Root or sudo access to execute `ciss_live_builder.sh` and related scripts.
 * **Network**: Outbound access to Debian repositories and PTB NTPsec pool.
 # 5. Installation & Usage
-# 5.1. Interactive CLI / Dialog Wrapper
+## 5.1. Interactive CLI / Dialog Wrapper
 1. Clone the repository:
   ```bash
   git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
   cd CISS.debian.live.builder
   ```
 2. Preparation:
   1. Ensure you are root.
   2. Create the build directory `mkdir /opt/livebuild`.
   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
   4. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
   5. Make any other changes you need to.
 3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):
   ````bash
@@ -427,6 +453,7 @@ predictable script behavior.
                          --build-directory /opt/livebuild \
                          --change-splash hexagon \
                          --control "${timestamp}" \
                          --cdi \
                          --debug \
                          --dhcp-centurion \
                          --jump-host 10.0.0.128 [c0de:4711:0815:4242::1] [2abc:4711:0815:4242::1]/64 \
@@ -435,8 +462,10 @@ predictable script behavior.
                          --reionice-priority 1 2 \
                          --root-password-file /opt/gitea/CISS.debian.live.builder/password.txt \
                          --ssh-port 4242 \
-                          --ssh-pubkey /opt/gitea/CISS.debian.live.builder
+                          --ssh-pubkey /opt/gitea/CISS.debian.live.builder \
                          --trixie
   ````
 4. Locate your ISO in the `--build-directory`.
 5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel.
 6. Type `sysp` for the final kernel hardening features.
@@ -444,7 +473,46 @@ predictable script behavior.
 8. Finally, audit your environment with `lsadt` for a comprehensive Lynis audit.
 9. Type `celp` for some shortcuts.
-# 5.2. CI/CD Gitea Runner Workflow Example
+## 5.2. Make Wrapper, Quick Usage
 This repo ships a thin make wrapper around ``./ciss_live_builder.sh``, so you can compose a correctly quoted command and either 
 preview it or run it.
 1. Clone the repository:
   ```bash
   git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
   cd CISS.debian.live.builder
   ```
 2. Preparation:
   1. Ensure you are root.
   2. Create the build directory `mkdir /opt/livebuild`.
   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
   4. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
   5. Copy and edit the sample and set your options (no spaces around commas in lists): 
    ````bash
    cp config.mk.sample config.mk
    ````
    ````bash
    BUILD_DIR=/opt/livebuild
    ROOT_PASSWORD_FILE=/opt/gitea/CISS.debian.live.builder/password.txt
    SSH_PORT=4242
    SSH_PUBKEY=/root/.ssh
    # Optional
    PROVIDER_NETCUP_IPV6=2001:cdb::1
    # comma-separated; IPv6 in [] is fine
    JUMP_HOSTS=[2001:db8::1],[2001:db8::2]     
    ````
 3. Dry-run first (prints the exact command): ````make dry-run````
 4. Execute the build: ````make live````
 ## 5.3. CI/CD Gitea Runner Workflow Example
 1. Clone the repository:
--- a/REPOSITORY.md
+++ b/REPOSITORY.md
@@ -0,0 +1,119 @@
 ---
 gitea: none
 include_toc: true
 ---
 # 1. CISS.debian.live.builder
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
 **Build**: V8.13.142.2025.10.14<br>
 # 2.1. Repository Structure
 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
 **Repository State:** Master Version **8.13**, Build **V8.13.142.2025.10.14** (as of 2025-10-11)
 ## 2.2. Top-Level Layout
 ````text
 CISS.debian.live.builder/
 ├─ .archive/                                                                           # Archived artefacts or historical assets
 ├─ .gitea/ # Gitea CI/CD metadata (workflows, triggers, templates)
 │ ├─ ISSUE_TEMPLATE/
 │ ├─ properties/{json, lua}
 │ ├─ TO DO/{dockerfile, render-md-to-html.yaml}
 │ ├─ trigger/{t_generate_.yaml}
 │ └─ workflows/{generate_.yaml, linter_char_scripts.yaml, render-.yaml}
 ├─ .pubkey/                                                                         # Public keys (e.g., for CI or verification)
 ├─ config/ # Live-build configuration (boot, hooks, includes, package lists)
 │ ├─ bootloaders/{grub-efi, grub-pc, splash.png}
 │ ├─ hooks/live/.chroot                                                                  # Ordered chroot hooks (0000_* … 99xx_)
 │ ├─ includes.binary/boot/grub/config.cfg
 │ ├─ includes.chroot/{etc, preseed, root}
 │ └─ package-lists/{live.list.amd64.chroot, live.list.arm64.chroot, live.list.common.chroot}
 ├─ docs/                                                                  # Project documentation (audits, change log, policies)
 │ ├─ AUDIT_.md, BOOTPARAMS.md, CHANGELOG.md, CODING_CONVENTION.md, ...
 │ ├─ SECURITY/, LICENSES/, graphviz/, screenshots/
 ├─ lib/                                                                              # Shell library modules used by the builder
 ├─ scripts/ # Helper/orchestration scripts (e.g., network, live-boot)
 ├─ var/                                                                     # Variable sets and early/global defaults (*.var.sh)
 ├─ .editorconfig
 ├─ .gitignore
 ├─ .shellcheckrc
 ├─ .version.properties
 ├─ CISS.debian.live.builder.spdx                                                     # SPDX bill of materials / license manifest
 ├─ LICENSE
 ├─ SECURITY.md
 ├─ README.md
 ├─ config.mk.sample
 ├─ ciss_live_builder.sh                                                                              # Main entrypoint / wrapper
 ├─ makefile
 ├─ meta_sources_debug.sh
 ├─ LIVE_ISO_TRIXIE_0.private                                                                               # CI artefact markers
 ├─ LIVE_ISO_TRIXIE_1.private                                                                               # CI artefact markers
 └─ LIVE_ISO.public                                                                                         # CI artefact markers
 ````
 > **Note:** The ISO marker files (`LIVE_ISO.*`) are produced by CI workflows for convenient retrieval of generated images.
 ## 2.3. Directory Semantics
 ### 2.3.1. `.gitea/` — CI/CD Orchestration
 - **`workflows/`**: Declarative Gitea Actions to lint shell scripts, render Graphviz/DNSSEC status, and generate **PUBLIC**/**PRIVATE (TRIXIE)** ISOs reproducibly.
 - **`trigger/`**: Manual/auxiliary trigger manifests (`t_generate_PUBLIC.yaml`, `t_generate_PRIVATE_trixie_{0,1}.yaml`, `t_generate_dns.yaml`) to drive pipeline variants.
 - **`ISSUE_TEMPLATE/`**: Issue and pull request templates to standardize change management.
 - **`properties/`** and **`TODO/`**: Auxiliary config fragments (JSON/Lua) and maintenance utilities (e.g., `render-md-to-html.yaml`).
 ### 2.3.2. `config/` — Live-Build Configuration
 - **`bootloaders/`**: Boot assets for GRUB in EFI and PC modes, incl. a branded splash image.
 - **`hooks/live/`**: **Ordered** `*.chroot` hooks implementing system configuration and hardening during image creation; the numeric prefixes dictate execution (e.g., `0000_basic_chroot_setup.chroot`, `0810_chrony_setup.chroot`, `0900_ufw_setup.chroot`, `9930_hardening_ssh.chroot`, `9950_fail2ban_hardening.chroot`).
 - **`includes.binary/boot/grub/`**: Static GRUB configuration embedded in the binary image (`config.cfg`).
 - **`includes.chroot/`**: Files copied into the live system’s root:
  - `etc/` (APT configuration, `live/`, `modprobe.d/`, network, SSH, `sysctl.d/`, systemd drop-ins, banners),
  - `preseed/` (installer preseeding and supporting artifacts),
  - `root/` (administrator dotfiles and keys).
 - **`package-lists/`**: Architecture-specific and common package manifests (`amd64`, `arm64`, `common`) used by `live-build`.
 ### 2.3.3. `docs/` — Documentation Corpus
 Audit reports (DNSSEC, Lynis, SSH, TLS, Haveged), **BOOTPARAMS**, **CHANGELOG**, **CODING_CONVENTION**, **CONTRIBUTING**, **REFERENCES**; plus `SECURITY/`, `LICENSES/`, architecture diagrams under `graphviz/`, and illustrative `screenshots/`.
 ### 2.3.4. `lib/` — Shell Library Modules
 Composable, single-purpose modules used by the wrapper and CI steps (argument parsing and validation, kernel/CPU mitigation checks, provider support, `lb config/build` scaffolding, usage/version banners, sanitization and traps, SSH/root-password hardening, ultra-hardening profile, etc.).
 ### 2.3.5. `scripts/` — Operational Helpers
 Ancillary scripts for DHCP supersedes, resolver bootstrapping, and live-boot verification; targeted paths such as `scripts/etc/network/` and `scripts/live-boot/` encapsulate deploy-time adjustments and integrity checks.
 ### 2.3.6. `var/` — Variables & Defaults
 Layered variable sets (`early.var.sh`, `global.var.sh`, `bash.var.sh`, `color.var.sh`) providing early-boot defaults, global tuning, and TTY/UI niceties.
 ## 2.4. Key Files
 - **`ciss_live_builder.sh`** — Primary entrypoint; orchestrates argument parsing, environment preparation, `lb config`/`lb build` execution and post-processing.
 - **`makefile`** & **`config.mk.sample`** — Make-based convenience wrapper and a sample configuration surface.
 - **`README.md`, `SECURITY.md`, `LICENSE`, `CISS.debian.live.builder.spdx`** — Project overview, security policy, licensing, and SPDX manifest for compliance.
 - **ISO markers**: `LIVE_ISO.public`, `LIVE_ISO_TRIXIE_{0,1}.private` reflect CI pipeline outputs.
 ## 2.5. Conventions & Build Logic
 - **Hook Ordering**: Numeric prefixes (`0000_…` → `99xx_…`) strictly determine execution sequencing within `config/hooks/live/`. Early hooks establish base state (initramfs modules, checksums), mid-range hooks integrate security services (AppArmor, Chrony/NTPsec, Lynis, UFW, Fail2Ban, SSH auditing), late hooks enforce hardening and cleanup (SSH tightening, memory-dump policies, service disablement).
 - **Binary vs. Chroot Includes**: Assets under `includes.binary/` affect the ISO’s bootloader stage; `includes.chroot/` become part of the runtime filesystem.
 - **Architecture Scoping**: Package lists are split into `*amd64*`, `*arm64*`, and `*common*` to keep images minimal and deterministic.
 - **CI/CD**: Reproducible ISO builds are executed via Gitea workflows; dedicated `trigger/` manifests parameterize public vs. private images and auxiliary rendering jobs (e.g., DNSSEC status, Graphviz diagrams).
 ## 2.6. Cross-References (Documentation)
 - **Boot Parameters**: see `docs/BOOTPARAMS.md`.
 - **Audits**: `docs/AUDIT_*.md` (DNSSEC, Lynis, SSH, TLS, Haveged).
 - **Coding & Contribution**: `docs/CODING_CONVENTION.md`, `docs/CONTRIBUTING.md`.
 - **Change Log & References**: `docs/CHANGELOG.md`, `docs/REFERENCES.md`.
 ## 2.7. Licensing & Compliance
 The repository is **SPDX-compliant**; source files carry SPDX identifiers. See `CISS.debian.live.builder.spdx` and `LICENSE` for details.
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
 <!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -13,85 +13,143 @@
 ### Contributions so far see ./docs/CREDITS.md
 ### WHY BASH?
-# Ease of installation.
+# Ease of installation. No compiling or installing gems, CPAN modules, pip packages, etc. Simple to use and read. Clear syntax
-# No compiling or installing gems, CPAN modules, pip packages, etc.
+# and straightforward output interpretation. Built-in power. Pattern matching, line processing, and regular expression support
-# Simple to use and read. Clear syntax and straightforward output interpretation.
+# are available natively, no external binaries required. Cross-platform consistency. '/bin/bash' is the default shell on most
-# Built-in power.
+# Linux distributions, ensuring scripts run unmodified across systems. macOS compatibility. Since macOS Catalina (10.15), the
-# Pattern matching, line processing, and regular expression support are available natively,
+# default login shell has been zsh, but bash remains available at '/bin/bash'. Windows support. You can use bash via WSL, MSYS2,
-# no external binaries required.
+# or Cygwin on Windows systems.
 # Cross-platform consistency.
 # '/bin/bash' is the default shell on most Linux distributions, ensuring scripts run unmodified across systems.
 # macOS compatibility.
 # Since macOS Catalina (10.15), the default login shell has been zsh, but bash remains available at '/bin/bash'.
 # Windows support.
 # You can use bash via WSL, MSYS2, or Cygwin on Windows systems.
-### Preliminary checks
+### CATCH ARGUMENTS AND DECLARE BASIC VARIABLES.
 # shellcheck disable=SC2155
 declare -girx VAR_START_TIME="${SECONDS}"                                # Start time of script execution.
 declare -grx  VAR_PARAM_COUNT="$#"                                       # Arguments passed to script.
 declare -grx  VAR_PARAM_STRNG="$*"                                       # Arguments passed to script as string.
 declare -ag   ARY_PARAM_ARRAY=("$@")                                     # Arguments passed to script as an array.
 declare -grx  VAR_SETUP_FILE="${0##*/}"                                  # 'ciss_debian_live_builder.sh'
 declare -grx  VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)"          # '/opt/git/CISS.debian.live.builder'
 declare -grx  VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/opt/git/CISS.debian.live.builder/ciss_debian_live_builder.sh'
 # shellcheck disable=SC2155
 declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
 # shellcheck disable=SC2155
 declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
 # shellcheck disable=SC2155
 declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
 ### PRELIMINARY CHECKS.
 ### No ash, dash, ksh, sh.
 # shellcheck disable=2292
 [ -z "${BASH_VERSINFO[0]}" ] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2; exit "${ERR_UNSPPTBASH}"; }
+  . ./var/global.var.sh
  printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2
  exit "${ERR_UNSPPTBASH}"
 }
 ### No zsh.
 [[ -n "${ZSH_VERSION:-}" ]] && {
  . ./var/global.var.sh
  printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2
  exit "${ERR_UNSPPTBASH}"
 }
 ### Not root.
 [[ ${EUID} -ne 0 ]] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Please make sure you are 'root'! Bye... \e[0m\n" >&2; exit "${ERR_NOT_USER_0}"; }
+  . ./var/global.var.sh
  printf "\e[91m❌ Please make sure you are 'root'! Bye... \e[0m\n" >&2
  exit "${ERR_NOT_USER_0}"
 }
 ### Check to be not called by sh.
 # shellcheck disable=2312
 [[ $(kill -l | grep -c SIG) -eq 0 ]] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2; exit "${ERR_UNSPPTBASH}"; }
+  . ./var/global.var.sh
  printf "\e[91m❌ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2
  exit "${ERR_UNSPPTBASH}"
 }
 ### Check to be not sourced.
 [[ "${BASH_SOURCE[0]}" != "$0" ]] && {
  . ./var/global.var.sh
  printf "\e[91m❌ This script must be executed, not sourced. Please run '%s' directly! Bye... \e[0m\n" "$0" >&2
  exit "${ERR_UNSPPTBASH}"
 }
 ### Minimum Bash version 5.
 [[ ${BASH_VERSINFO[0]} -lt 5 ]] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
+  . ./var/global.var.sh
  printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2
  exit "${ERR_UNSPPTBASH}"
 }
 ### Minimum Bash version 5.1.
 [[ ${BASH_VERSINFO[0]} -le 5 ]] && [[ ${BASH_VERSINFO[1]} -le 1 ]] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
+  . ./var/global.var.sh
  printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2
  exit "${ERR_UNSPPTBASH}"
 }
 ### No arguments.
 [[ ${#} -eq 0 ]] && {
-  . ./lib/lib_usage.sh; usage; exit 1; }
+  . ./lib/lib_usage.sh
  usage
  exit 1
 }
 ### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING(), CHECK_GIT()
 . ./var/early.var.sh
 . ./lib/lib_guard_sourcing.sh
-. ./lib/lib_git_var.sh
+. ./lib/lib_source_guard.sh
 source_guard "./lib/lib_git_var.sh"
 ### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG
 for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh; contact; exit 0;; esac; done
-for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh; usage; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh  ; usage  ; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh; version; exit 0;; esac; done
 ### ALL CHECKS DONE. READY TO START THE SCRIPT
 source_guard "./var/bash.var.sh"
 check_git
-for arg in "$@"; do case "${arg,,}" in -d|--debug)   . ./meta_sources_debug.sh; debugger "${@}";; esac; done
+for arg in "$@"; do case "${arg,,}" in -d|--debug) . ./meta_sources_debug.sh; debugger "${@}";; esac; done
 declare -gx VAR_SETUP="true"
 ### SOURCING VARIABLES
 [[ "${VAR_SETUP}" == true ]] && {
-  . ./var/bash.var.sh
+  source_guard "./var/color.var.sh"
-  . ./var/color.var.sh
+  source_guard "./var/global.var.sh"
  . ./var/global.var.sh
 }
 ### SOURCING LIBRARIES
 [[ "${VAR_SETUP}" == true ]] && {
-  . ./lib/lib_arg_parser.sh
+  source_guard "./lib/lib_arg_parser.sh"
-  . ./lib/lib_arg_priority_check.sh
+  source_guard "./lib/lib_arg_priority_check.sh"
-  . ./lib/lib_boot_screen.sh
+  source_guard "./lib/lib_boot_screen.sh"
-  . ./lib/lib_cdi.sh
+  source_guard "./lib/lib_cdi.sh"
-  . ./lib/lib_change_splash.sh
+  source_guard "./lib/lib_change_splash.sh"
-  . ./lib/lib_check_dhcp.sh
+  source_guard "./lib/lib_check_dhcp.sh"
-  . ./lib/lib_check_hooks.sh
+  source_guard "./lib/lib_check_hooks.sh"
-  . ./lib/lib_check_kernel.sh
+  source_guard "./lib/lib_check_kernel.sh"
-  . ./lib/lib_check_pkgs.sh
+  source_guard "./lib/lib_check_pkgs.sh"
-  . ./lib/lib_check_provider.sh
+  source_guard "./lib/lib_check_provider.sh"
-  . ./lib/lib_check_stats.sh
+  source_guard "./lib/lib_check_stats.sh"
-  . ./lib/lib_check_var.sh
+  source_guard "./lib/lib_check_var.sh"
-  . ./lib/lib_clean_screen.sh
+  source_guard "./lib/lib_clean_screen.sh"
-  . ./lib/lib_clean_up.sh
+  source_guard "./lib/lib_clean_up.sh"
-  . ./lib/lib_copy_integrity.sh
+  source_guard "./lib/lib_copy_integrity.sh"
-  . ./lib/lib_hardening_root_pw.sh
+  source_guard "./lib/lib_hardening_root_pw.sh"
-  . ./lib/lib_hardening_ssh.sh
+  source_guard "./lib/lib_hardening_ssh.sh"
-  . ./lib/lib_hardening_ultra.sh
+  source_guard "./lib/lib_hardening_ultra.sh"
-  . ./lib/lib_helper_ip.sh
+  source_guard "./lib/lib_helper_ip.sh"
-  . ./lib/lib_lb_build_start.sh
+  source_guard "./lib/lib_lb_build_start.sh"
-  . ./lib/lib_lb_config_start.sh
+  source_guard "./lib/lib_lb_config_start.sh"
-  . ./lib/lib_lb_config_write.sh
+  source_guard "./lib/lib_lb_config_write.sh"
-  . ./lib/lib_provider_netcup.sh
+  source_guard "./lib/lib_lb_config_write_trixie.sh"
-  . ./lib/lib_run_analysis.sh
+  source_guard "./lib/lib_note_target.sh"
-  . ./lib/lib_sanitizer.sh
+  source_guard "./lib/lib_provider_netcup.sh"
-  . ./lib/lib_trap_on_err.sh
+  source_guard "./lib/lib_run_analysis.sh"
-  . ./lib/lib_trap_on_exit.sh
+  source_guard "./lib/lib_sanitizer.sh"
-  . ./lib/lib_usage.sh
+  source_guard "./lib/lib_trap_on_err.sh"
  source_guard "./lib/lib_trap_on_exit.sh"
  source_guard "./lib/lib_usage.sh"
 }
 ### ADVISORY LOCK
@@ -113,67 +171,79 @@ for dir in /usr/local/sbin /usr/sbin; do case ":${PATH}:" in *":${dir}:"*) ;; *)
 check_pkgs
 ### DIALOG OUTPUT FOR INITIALIZATION
-if ! $VAR_HANDLER_AUTOBUILD; then boot_screen; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen; fi
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nAdditional initialization ... \nXXX\n30\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nAdditional initialization ... \nXXX\n30\n" >&3; fi
 ### Initialization
 declare -gr ARGUMENTS_COUNT="$#"
 declare -gr ARG_STR_ORG_INPUT="$*"
 #declare -ar ARG_ARY_ORG_INPUT=("$@")
 # shellcheck disable=SC2155
 declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
 # shellcheck disable=SC2155
 declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
 # shellcheck disable=SC2155
 declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
 ### Following the CISS Bash naming and ordering scheme:
 trap 'trap_on_exit "$?"' EXIT
 trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
 arg_check "$@"
 declare -ar ARY_ARG_SANITIZED=("$@")
 declare -gr VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi
 arg_parser "$@"
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi
 clean_ip
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi
 ### Turn off Dialog Wrapper
-if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
 ### MAIN Program
 arg_priority_check
 check_stats
-if ! $VAR_HANDLER_AUTOBUILD; then check_provider; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then check_provider; fi
-if ! $VAR_HANDLER_AUTOBUILD; then check_kernel; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then check_kernel; fi
 if [[ ! "${VAR_SSHFP}" == "true" ]]; then
  rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
  rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
 fi
 check_hooks
 hardening_ssh
 lb_config_start
 lb_config_write
 if [[ "${VAR_SUITE}" == "bookworm" ]]; then
  lb_config_write
  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_trixie.chroot"
  rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/etc/login.defs"
 else
  lb_config_write_trixie
  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/0003_install_backports.chroot"
  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_bookworm.chroot"
 fi
 # shellcheck disable=SC2164
 cd "${VAR_WORKDIR}"
 hardening_ultra
 hardening_root_pw
 change_splash
 check_dhcp
 cdi
 provider_netcup
 note_target
 ### Start the build process
 set +o errtrace
--- a/config.mk.sample
+++ b/config.mk.sample
@@ -0,0 +1,21 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-08-21; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 BUILD_DIR            ?=
 PROVIDER_NETCUP_IPV6 ?=
 ROOT_PASSWORD_FILE   ?=
 SSH_PORT             ?=
 SSH_PUBKEY           ?=
 ### Comma-separated jump hosts (can be empty):
 JUMP_HOSTS           ?=
 # vim: set ft=make noet ts=8 sw=8
--- a/config/hooks/live/0000_generate_backup_dir.chroot
+++ b/config/hooks/live/0000_generate_backup_dir.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,20 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
-mkdir -p /root/.ciss/dlb/backup
+export DEBIAN_FRONTEND="noninteractive"
-chmod 0700 /root/.ciss/dlb/backup
+apt-get update -qq
 mkdir -p /root/.ciss/dlb/{backup,log}
 chmod 0700 /root/.ciss/dlb/{backup,log}
 mkdir -p /root/git
 chmod 0700 /root/git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0001_initramfs_modules.chroot
+++ b/config/hooks/live/0001_initramfs_modules.chroot
@@ -1,27 +1,32 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 #######################################
-# Get all NIC Driver of the current Host-machine
+# Get all NIC drivers of the current Host machine.
 # Globals:
 #   None
 # Arguments:
-#  None
+#   None
 # Returns:
 #   0: on success
 #######################################
 grep_nic_driver_modules() {
  declare _mods
-  # Gather all Driver and sort unique
+
  ### Gather all Driver and sort unique.
  # shellcheck disable=SC2312
  readarray -t _mods < <(
    lspci -k \
      | grep -A2 -i ethernet \
@@ -32,26 +37,36 @@ grep_nic_driver_modules() {
  declare nic_module
  declare nic_modules
  if [[ "${#_mods[@]}" -eq 1 ]]; then
    nic_module="${_mods[0]}"
    echo "${nic_module}"
  else
    nic_modules="${_mods[*]}"
    echo "${nic_modules}"
  fi
  return 0
 }
 export DEBIAN_FRONTEND="noninteractive"
 apt-get install -y intel-microcode amd64-microcode
 # shellcheck disable=SC2155
 declare nic_driver="$(grep_nic_driver_modules)"
 cat << EOF >| /etc/initramfs-tools/modules
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -67,56 +82,111 @@ cat << EOF >| /etc/initramfs-tools/modules
 # raid1
 # sd_mod
-### QEMU Bochs-compatible virtual machine support
+### Load AppArmor early:
-bochs
+apparmor
-### Device-mapper core module (required for all dm_* features)
+### Entropy source for '/dev/random':
-dm_mod
+jitterentropy_rng
 rng_core
-### Device-mapper integrity target (provides integrity checking)
+### Live-ISO-Stack:
-dm-integrity
+loop
 squashfs
 overlay
-### Device-mapper crypt target (provides disk encryption)
+### Main btrfs-Stack:
 dm-crypt
 ### Generic AES block cipher implementation (used by dm-crypt)
 aes_generic
 ### Generic SHA-256 hashing algorithm (used by various crypto and integrity targets)
 sha256_generic
 ### Generic CRC32C checksum implementation (used by btrfs and other filesystems)
 crc32c_generic
 ### Main btrfs filesystem module
 btrfs
-
+lzo
-### Zstandard compression support for btrfs
+xor
 xxhash
 zstd
 zstd_compress
-### XOR parity implementation for RAID functionality
+### Main ext4-Stack:
-xor
+ext4
 jbd2
 libcrc32c
-### RAID6 parity generation module
+### Main VFAT/ESP/FAT/UEFI-Stack:
 exfat
 fat
 nls_ascii
 nls_cp437
 nls_iso8859-1
 nls_iso8859-15
 nls_utf8
 vfat
 ### Device mapper, encryption & integrity:
 dm_mod
 dm_crypt
 dm_integrity
 dm_verity
 ### Main cryptography-Stack:
 aes_generic
 blake2b_generic
 crc32c_generic
 cryptd
 libcrc32c
 sha256_generic
 sha512_generic
 xts
 ### QEMU Bochs-compatible virtual machine support:
 bochs
 ### RAID6 parity generation module:
 raid6_pq
-### Combined RAID4/5/6 support module
+### Combined RAID4/5/6 support module:
 raid456
-### Network Driver Host-machine
+### SCSI/SATA-Stack:
 sd_mod
 sr_mod
 sg
 ahci
 libahci
 ata_generic
 libata
 scsi_mod
 scsi_dh_alua
 ### NVMe-Stack:
 nvme
 nvme_core
 ### USB-Stack:
 xhci_pci
 xhci_hcd
 ehci_pci
 ohci_pci
 uhci_hcd
 usb_storage
 uas
 ### Virtual-Machines-Stack:
 virtio_pci
 virtio_blk
 virtio_scsi
 virtio_rng
 virtio_console
 ### Network Driver Host-machine:
 "${nic_driver}"
 EOF
 cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -145,13 +215,13 @@ EOF
 cat << 'EOF' >| /etc/initramfs-tools/initramfs.conf
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -250,13 +320,13 @@ EOF
 cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
 #!/bin/sh
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -285,10 +355,9 @@ EOF
 chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder
 ### Regenerate the initramfs for the live system kernel
-update-initramfs -u -k all
+update-initramfs -u -k all -v
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0002_verify_checksums.chroot
+++ b/config/hooks/live/0002_verify_checksums.chroot
@@ -1,18 +1,17 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 target="/usr/lib/live/boot/0030-verify-checksums"
 src="$(mktemp)"
@@ -24,13 +23,13 @@ fi
 cat << 'EOF' >| "${src}"
 #!/bin/sh
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -138,7 +137,6 @@ rm -f "${src}"
 unset target src
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0010_install_apparmor.chroot
+++ b/config/hooks/live/0010_install_apparmor.chroot
@@ -0,0 +1,34 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 export DEBIAN_FRONTEND="noninteractive"
 apt-get install -y --no-install-recommends apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra
 install -d /etc/systemd/system/apparmor.service.d
 cat << EOF >| /etc/systemd/system/apparmor.service.d/10-live-force.conf
 [Unit]
 ### Drop any negative live conditions that would skip AppArmor on overlay.
 ConditionPathExists=
 ### Ensure we only rely on the security=apparmor condition.
 ConditionSecurity=apparmor
 EOF
 install -d -m 0755 /var/cache/apparmor
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0040_ssh_config_setup.chroot
+++ b/config/hooks/live/0040_ssh_config_setup.chroot
@@ -0,0 +1,44 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 cat << EOF >> /etc/ssh/ssh_config.d/10-sshfp.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 Host git.coresecret.dev
    Port                    42842
    VerifyHostKeyDNS        yes
    StrictHostKeyChecking   yes
    GlobalKnownHostsFile    /etc/ssh/ssh_known_hosts
    UserKnownHostsFile      /dev/null
    HostKeyAlgorithms       ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
    CanonicalizeHostname    no
    UpdateHostKeys          no
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0050_activate_root.chroot
+++ b/config/hooks/live/0050_activate_root.chroot
@@ -1,32 +1,32 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 if [[ ! -f /root/.pwd ]]; then
  printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ /root/.pwd NOT found. \e[0m\n"
  # sleep 1
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Exiting Hook ... \e[0m\n"
  # sleep 1
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' done. Nothing changed. \e[0m\n" "${0}"
  exit 0
 fi
 cd /root
 # shellcheck disable=SC2312
 cp /etc/shadow /root/.ciss/dlb/backup/shadow.bak."$(date +%F_%T)"
-chmod 600 /root/.ciss/dlb/backup/shadow.bak.*
+chmod 0600 /root/.ciss/dlb/backup/shadow.bak.*
 declare hashed_pwd
 declare safe_hashed_pwd
@@ -38,16 +38,18 @@ sed -i "s|^user:[^:]*:\(.*\)|user:${safe_hashed_pwd}:\1|" /etc/shadow
 unset hashed_pwd safe_hashed_pwd
 cat /etc/shadow
 # sleep 1
 if shred -vfzu -n 5 /root/.pwd; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: -vfzu -n 5 >> done. \e[0m\n"
 else
  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: -vfzu -n 5 >> NOT successful. \e[0m\n" >&2
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0080_keyboard_layout.chroot
+++ b/config/hooks/live/0080_keyboard_layout.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,10 +9,9 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cat << 'EOF' >| /etc/default/keyboard
 XKBMODEL="pc105"
@@ -25,7 +24,6 @@ EOF
 dpkg-reconfigure -f noninteractive keyboard-configuration
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0090_haveged.chroot
+++ b/config/hooks/live/0090_haveged.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,13 +9,12 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
-apt-get update -y
+export DEBIAN_FRONTEND="noninteractive"
-apt-get install --no-install-recommends haveged -y
+apt-get install -y --no-install-recommends haveged
 cd /root
 cat << 'EOF' >| /etc/default/haveged
@@ -25,18 +24,8 @@ cat << 'EOF' >| /etc/default/haveged
 DAEMON_ARGS="-w 2048 -v 1"
 EOF
 #mkdir -p /etc/systemd/system/haveged.service.d
 #cat << 'EOF' >| /etc/systemd/system/haveged.service.d/override.conf
 #[Service]
 #NoNewPrivileges=yes
 #ReadWritePaths=/dev/random /dev/urandom
 #AmbientCapabilities=
 #User=haveged
 #Group=nogroup
 #EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0120_set_hostname.chroot
+++ b/config/hooks/live/0120_set_hostname.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
--- a/config/hooks/live/0130_machineid.chroot
+++ b/config/hooks/live/0130_machineid.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
--- a/config/hooks/live/0400_eza_install.chroot
+++ b/config/hooks/live/0400_eza_install.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,10 +9,9 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root
@@ -24,7 +23,8 @@ wget -qO- https://raw.githubusercontent.com/eza-community/eza/main/deb.asc | gpg
 echo "deb [signed-by=/etc/apt/keyrings/gierens.gpg] http://deb.gierens.de stable main" | tee /etc/apt/sources.list.d/gierens.list
 chmod 644 /etc/apt/keyrings/gierens.gpg /etc/apt/sources.list.d/gierens.list
-apt-get update -y
+export DEBIAN_FRONTEND="noninteractive"
 apt-get update
 apt-get install -y eza
 git clone https://github.com/eza-community/eza-themes.git
@@ -145,10 +145,7 @@ unzip /tmp/nerd/Hack.zip -d /root/.local/share/fonts
 fc-cache -fv
 rm -rf /tmp/nerd
 unset repo latest_release download_url
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0800_lynis_setup.chroot
+++ b/config/hooks/live/0800_lynis_setup.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,20 +9,19 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
 echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list
-apt-get update -y
+export DEBIAN_FRONTEND="noninteractive"
 apt-get update
 apt-get install -y lynis
 lynis show version
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0810_chrony_setup.chroot
+++ b/config/hooks/live/0810_chrony_setup.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,20 +9,34 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 mkdir -p /var/log/chrony
-# See https://coresecret.eu/tutorials/debian-package-glossary/ for a brief description of the installed packages.
+
-apt-get install chrony -y
+export DEBIAN_FRONTEND="noninteractive"
 export TZ="Etc/UTC"
 apt-get install -y adjtimex chrony tzdata
 systemctl enable chrony.service
 mv /etc/chrony/chrony.conf /root/.ciss/dlb/backup/chrony.conf.bak
-chmod 644 /root/.ciss/dlb/backup/chrony.conf.bak
+chmod 0644 /root/.ciss/dlb/backup/chrony.conf.bak
 cat << EOF >| /etc/chrony/chrony.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 cat << 'EOF' >| /etc/chrony/chrony.conf
 # Include configuration files found in /etc/chrony/conf.d.
 confdir /etc/chrony/conf.d
 driftfile /var/lib/chrony/chrony.drift
@@ -36,17 +50,14 @@ log tracking measurements statistics
 authselectmode require
-server ptbtime1.ptb.de iburst nts minpoll 5 maxpoll 9
+server ntp.ripe.net      iburst nts minpoll 5 maxpoll 9
-server ptbtime2.ptb.de iburst nts minpoll 5 maxpoll 9
+server ptbtime3.ptb.de   iburst nts minpoll 5 maxpoll 9
-server ptbtime3.ptb.de iburst nts minpoll 5 maxpoll 9
+server ptbtime2.ptb.de   iburst nts minpoll 5 maxpoll 9
-server ptbtime4.ptb.de iburst nts noselect minpoll 5 maxpoll 9
+server ptbtime1.ptb.de   iburst nts minpoll 5 maxpoll 9
-# server nts.netnod.se iburst nts minpoll 5 maxpoll 9
+server ntp13.metas.ch    iburst nts minpoll 5 maxpoll 9
-
+server time-c-b.nist.gov iburst nts minpoll 5 maxpoll 9
-# server ntp.ripe.net iburst nts minpoll 5 maxpoll 9
+server sth1.ntp.se       iburst nts minpoll 5 maxpoll 9
-# server ntp12.metas.ch iburst nts minpoll 5 maxpoll 9
+server ntp0.fau.de       iburst nts minpoll 5 maxpoll 9
 # server ntp2.tecnico.ulisboa.pt iburst nts minpoll 5 maxpoll 9
 # server time-c-b.nist.gov iburst nts minpoll 5 maxpoll 9
 server ntp0.fau.de iburst nts minpoll 5 maxpoll 9
 leapsectz right/UTC
@@ -56,13 +67,50 @@ maxupdateskew 100.0
 rtcsync
-makestep 1 3
+makestep 0.25 3
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
-chmod 644 /etc/chrony/chrony.conf
+chmod 0644 /etc/chrony/chrony.conf
 [[ -f /root/.ciss/check_chrony.sh ]] && chmod 0700 /root/.ciss/check_chrony.sh
 ### Build right/UTC from tzdata leap table if missing.
 if [[ ! -e /usr/share/zoneinfo/right/UTC ]]; then
  install -d -m 0755 /usr/share/zoneinfo/right
  ### Minimal zic source for a fixed UTC zone.
  declare -r tmp_src="/tmp/UTC.src"
  printf 'Zone UTC  0  -  UTC\n' > "${tmp_src}"
  ### Prefer the zic-format leapseconds file.
  declare leap_zic="/usr/share/zoneinfo/leapseconds"
  if [[ -s "${leap_zic}" ]]; then
    zic -d /usr/share/zoneinfo/right -L "${leap_zic}" "${tmp_src}"
  else
    echo "WARNING: ${leap_zic} not found; building right/UTC without leap info." >&2
    zic -d /usr/share/zoneinfo/right -L /dev/null "${tmp_src}"
  fi
  rm -f "${tmp_src}"
 fi
 if [[ -e /usr/share/zoneinfo/right/UTC ]]; then
  ### Expect to see 'Sat Dec 31 23:59:60 UTC 2016' rendered in right/UTC
  TZ=right/UTC date -ud '2017-01-01 00:00:00 -1 second' || true
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0820_kernel_hardening_checker.chroot
+++ b/config/hooks/live/0820_kernel_hardening_checker.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,16 +9,14 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root/git
 git clone https://github.com/a13xp0p0v/kernel-hardening-checker.git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0822_ssh_restart_hook.chroot
+++ b/config/hooks/live/0822_ssh_restart_hook.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,10 +9,9 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root
 declare target_script="/etc/cron.d/restart-ssh"
@@ -21,12 +20,12 @@ cat << 'EOF' >| "${target_script}"
@reboot root /usr/local/bin/restart-ssh.sh
 EOF
-chmod 644 "${target_script}"
+chmod 0644 "${target_script}"
 cat << 'EOF' >| /usr/local/bin/restart-ssh.sh
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -43,10 +42,8 @@ systemctl start ssh
 EOF
 chmod +x /usr/local/bin/restart-ssh.sh
 unset target_script
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0825_my_sqltuner_perl.chroot
+++ b/config/hooks/live/0825_my_sqltuner_perl.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,16 +9,14 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root/git
 git clone --depth 1 -b master https://github.com/major/MySQLTuner-perl.git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0830_download_yq.chroot
+++ b/config/hooks/live/0830_download_yq.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,16 +9,14 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
 chmod +x /usr/bin/yq
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0835_testssl.sh.chroot
+++ b/config/hooks/live/0835_testssl.sh.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,16 +9,14 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root/git
 git clone https://github.com/testssl/testssl.sh.git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
+++ b/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,12 +9,11 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
-apt-get install -y curl
+export DEBIAN_FRONTEND="noninteractive"
 curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - && \
 apt-get install -y nodejs
@@ -22,7 +21,6 @@ cd /root/git
 git clone https://github.com/sefinek/UFW-AbuseIPDB-Reporter.git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0845_harbian_audit.chroot
+++ b/config/hooks/live/0845_harbian_audit.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
--- a/config/hooks/live/0850_ssh_audit.chroot
+++ b/config/hooks/live/0850_ssh_audit.chroot
@@ -1,15 +1,15 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
--- a/config/hooks/live/0855_dnsviz.chroot
+++ b/config/hooks/live/0855_dnsviz.chroot
@@ -1,15 +1,15 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
--- a/config/hooks/live/0860_sops.chroot
+++ b/config/hooks/live/0860_sops.chroot
@@ -0,0 +1,53 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 export DEBIAN_FRONTEND=noninteractive
 SOPS_VER="v3.11.0"
 ARCH="$(dpkg --print-architecture)"
 case "${ARCH}" in
  amd64)  SOPS_FILE="sops-${SOPS_VER}.linux.amd64" ;;
  arm64)  SOPS_FILE="sops-${SOPS_VER}.linux.arm64" ;;
  *)  echo "Unsupported arch: ${ARCH}" >&2; exit 1 ;;
 esac
 cd /tmp
 curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/${SOPS_FILE}"
 curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.txt"
 curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.pem"
 curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.sig"
 cosign verify-blob "sops-${SOPS_VER}.checksums.txt" \
  --certificate    "sops-${SOPS_VER}.checksums.pem" \
  --signature      "sops-${SOPS_VER}.checksums.sig" \
  --certificate-identity-regexp="https://github.com/getsops" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
 sha256sum -c "sops-${SOPS_VER}.checksums.txt" --ignore-missing
 install -m 0755 "${SOPS_FILE}" /usr/local/bin/sops
 sops --version --check-for-updates
 age --version
 rm -f "/tmp/${SOPS_FILE}"
 rm -f "/tmp/sops-${SOPS_VER}.checksums.txt"
 rm -f "/tmp/sops-${SOPS_VER}.checksums.pem"
 rm -f "/tmp/sops-${SOPS_VER}.checksums.sig"
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0900_ufw_setup.chroot
+++ b/config/hooks/live/0900_ufw_setup.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
--- a/config/hooks/live/9900_process_accounting.chroot
+++ b/config/hooks/live/9900_process_accounting.chroot
@@ -1,33 +1,38 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 export DEBIAN_FRONTEND="noninteractive"
 apt-get install -y acct
 if [[ ! -d /etc/systemd/system/multi-user.target.wants ]]; then
  mkdir -p /etc/systemd/system/multi-user.target.wants
 fi
 if ln -s /lib/systemd/system/acct.service /etc/systemd/system/multi-user.target.wants/acct.service; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'Process Accounting' enabled successful. \e[0m\n"
 else
  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'Process Accounting' already enabled. \e[0m\n" >&2
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9910_motd.chroot
+++ b/config/hooks/live/9910_motd.chroot
@@ -1,18 +1,17 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 mkdir -p /root/.ciss/dlb/backup/update-motd.d
 cp -af /etc/update-motd.d/* /root/.ciss/dlb/backup/update-motd.d
@@ -24,8 +23,7 @@ EOF
 chmod 0755 /etc/update-motd.d/10-uname
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${0}"
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9920_deleting_invalid_x509.chroot
+++ b/config/hooks/live/9920_deleting_invalid_x509.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,10 +9,9 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 declare -a search_dirs=("/etc/ssl/certs" "/usr/local/share/ca-certificates" "/usr/share/ca-certificates" "/etc/letsencrypt")
 declare backup_dir="/root/.ciss/dlb/backup/certificates"
@@ -27,17 +26,24 @@ declare -ax expired_certificates=()
 #   search_dirs
 #   dir
 # Arguments:
-#  None
+#   None
 #######################################
 create_backup() {
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Backup Certificate: '%s' ... \e[0m\n" "${backup_dir}"
  mkdir -p "${backup_dir}"
  declare dir=""
  for dir in "${search_dirs[@]}"; do
-    if [ -d "${dir}" ] && compgen -G "${dir}"/* > /dev/null; then
+
    if [[ -d "${dir}" ]] && compgen -G "${dir}"/* > /dev/null; then
      cp -r "${dir}"/* "${backup_dir}"
    fi
  done
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Backup Certificate: '%s' done.\e[0m\n" "${backup_dir}"
 }
@@ -52,25 +58,32 @@ create_backup() {
 #   EXPIRED_CERTIFICATES
 #   SEARCH_DIRS
 # Arguments:
-#  None
+#   None
 #######################################
 check_certificates() {
  declare dir=""
  declare cert=""
  declare cert_date=""
  declare cert_date_seconds=""
  for dir in "${search_dirs[@]}"; do
    # shellcheck disable=SC2312
    while IFS= read -r -d '' cert; do
      cert_date=$(openssl x509 -in "${cert}" -noout -enddate | sed 's/notAfter=//')
      cert_date_seconds=$(date -d "${cert_date}" +%s)
      if [[ ${cert_date_seconds} -lt ${current_date} ]]; then
        declare -g expired_certificates+=("${cert}")
      fi
    done < <(find "${dir}" -type f \( -name "*.crt" -o -name "*.pem" \) -print0)
  done
 }
 #   done < <(find "${dir}" -type f -name "*.crt" -o -name "*.pem" -print0)
 #   done < <(find "${DIR}" -type f \( -name "*.crt" -o -name "*.pem" \) -print0)
 #######################################
 # Find and clean all ca-certificates.crt files in SEARCH_DIRS.
@@ -80,13 +93,17 @@ check_certificates() {
 #   cert
 #   line
 # Arguments:
-#  None
+#   None
 #######################################
 delete_expired_from_all_bundles() {
  declare dir bundle
  for dir in "${search_dirs[@]}"; do
    bundle="${dir}/ca-certificates.crt"
    if [[ -f ${bundle} ]]; then
      printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Checking Root-CA Bundle: '%s' ...\e[0m\n" "${bundle}"
      declare tmp_bundle="${bundle}.tmp"
      declare -a block=()
@@ -97,33 +114,57 @@ delete_expired_from_all_bundles() {
      declare line=""
      while IFS= read -r line; do
        block+=("${line}")
        if [[ ${line} == "-----END CERTIFICATE-----"   ]]; then
          cert=$(printf "%s\n" "${block[@]}")
          enddate=$(echo "${cert}" | openssl x509 -noout -enddate 2> /dev/null | sed 's/notAfter=//')
          if [[ -n ${enddate}   ]]; then
            declare cert_date_seconds=""
            cert_date_seconds=$(date -d "${enddate}" +%s)
            if [[ ${cert_date_seconds} -lt ${current_date} ]]; then
              expired=1
            else
              expired=0
            fi
          else
            expired=0
          fi
          if [[ ${expired} -eq 0 ]]; then
            printf "%s\n" "${block[@]}" >> "${tmp_bundle}"
          else
            printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅  Certificate deleted: '%s' (Expired: %s)\e[0m\n" "${bundle}" "${enddate}"
          fi
          block=()
        fi
      done < "${bundle}"
      mv -f "${tmp_bundle}" "${bundle}"
      printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Checking Root-CA Bundle: '%s' done. \e[0m\n" "${bundle}"
    fi
  done
 }
@@ -141,30 +182,38 @@ else
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Expired certificates found:\e[0m\n"
  for exp_cert in "${expired_certificates[@]}"; do
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ '%s'. \e[0m\n" "${exp_cert}"
  done
  for exp_cert in "${expired_certificates[@]}"; do
    rm -f "${exp_cert}"
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Certificate deleted: '%s'.\e[0m\n" "${exp_cert}"
    basename=$(basename "${exp_cert}")
    mozilla_entry="mozilla/${basename%.pem}.crt"
    mozilla_entry="${mozilla_entry%.crt}.crt"
    declare ca_conf="/etc/ca-certificates.conf"
    if grep -Fxq "${mozilla_entry}" "${ca_conf}"; then
      sed -i "s|^${mozilla_entry}$|#${mozilla_entry}|" "${ca_conf}"
      printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Entry in ca-certificates.conf deselected: '#%s'.\e[0m\n" "${mozilla_entry}"
    fi
  done
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache ... \e[0m\n"
  update-ca-certificates --fresh
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache done.\e[0m\n"
-  # sleep 1
+
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
+
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9930_hardening_ssh.chroot
+++ b/config/hooks/live/9930_hardening_ssh.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,17 +9,18 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /etc/ssh || {
  printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
 }
 rm -rf ssh_host_*key*
 # shellcheck disable=SC2312
 ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)"
 # shellcheck disable=SC2312
 ssh-keygen -o -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"
 awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
@@ -44,7 +45,26 @@ ssh-keygen -r @ >| /root/sshfp
 # The chmod +x command ensures that the file is executed in every shell session.          #
 ###########################################################################################
 cat << 'EOF' >| /etc/profile.d/idle-users.sh
-declare -girx TMOUT=14400
+# SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 case $- in
  *i*)
    TMOUT=14400
    export TMOUT
    readonly TMOUT
  ;;
 esac
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 chmod +x /etc/profile.d/idle-users.sh
@@ -58,7 +78,6 @@ EOF
 chmod 0644 /etc/systemd/system/ssh.service.d/override.conf
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9935_hardening_ssh.chroot.tmpl
+++ b/config/hooks/live/9935_hardening_ssh.chroot.tmpl
@@ -0,0 +1,93 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 cd /etc/ssh || {
  printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
 }
 cat << 'EOF' >| ssh_host_ed25519_key
 {{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
 EOF
 cat << 'EOF' >| ssh_host_ed25519_key.pub
 {{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
 EOF
 cat << 'EOF' >| ssh_host_rsa_key
 {{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
 EOF
 cat << 'EOF' >| ssh_host_rsa_key.pub
 {{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
 EOF
 awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
 rm -rf /etc/ssh/moduli
 mv /etc/ssh/moduli.safe /etc/ssh/moduli
 chmod 0600 /etc/ssh/ssh_host_*_key
 chown root:root /etc/ssh/ssh_host_*_key
 chmod 0644 /etc/ssh/ssh_host_*_key.pub
 chown root:root /etc/ssh/ssh_host_*_key.pub
 chmod 600 /etc/ssh/sshd_config /etc/ssh/ssh_config
 touch /root/sshfp
 ssh-keygen -r @ >| /root/sshfp
 ###########################################################################################
 # Remarks: The file /etc/profile.d/idle-users.sh is created to set two read-only          #
 # environment variables: TMOUT and HISTFILE.                                              #
 # TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
 # readonly HISTFILE ensures that the command history cannot be changed.                   #
 # The chmod +x command ensures that the file is executed in every shell session.          #
 ###########################################################################################
 cat << 'EOF' >| /etc/profile.d/idle-users.sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 case $- in
  *i*)
    TMOUT=14400
    export TMOUT
    readonly TMOUT
  ;;
 esac
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 chmod +x /etc/profile.d/idle-users.sh
 mkdir -p /etc/systemd/system/ssh.service.d
 cat << 'EOF' >| /etc/systemd/system/ssh.service.d/override.conf
 [Unit]
 After=ufw.service
 Requires=ufw.service
 EOF
 chmod 0644 /etc/systemd/system/ssh.service.d/override.conf
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9940_hardening_memory.dump.chroot
+++ b/config/hooks/live/9940_hardening_memory.dump.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,18 +9,23 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cp -u /etc/security/limits.conf /root/.ciss/dlb/backup/limits.conf.bak
 chmod 0644 /root/.ciss/dlb/backup/limits.conf.bak
-sed -i "/#*               soft    core            0/ i\*               soft    core            0" /etc/security/limits.conf
+
-sed -i "/#root            hard    core            100000/ i\*               hard    core            0" /etc/security/limits.conf
+grep -Eq '^[[:space:]]*\*[[:space:]]+soft[[:space:]]+core[[:space:]]+0[[:space:]]*$' /etc/security/limits.conf \
  || sed -i -E '/^[[:space:]]*#?[[:space:]]*soft[[:space:]]+core[[:space:]]+0[[:space:]]*$/ i\*               soft    core            0' /etc/security/limits.conf
 grep -Eq '^[[:space:]]*\*[[:space:]]+hard[[:space:]]+core[[:space:]]+0[[:space:]]*$' /etc/security/limits.conf \
  || sed -i -E '/^[[:space:]]*#?[[:space:]]*root[[:space:]]+hard[[:space:]]+core[[:space:]]+100000[[:space:]]*$/ i\*               hard    core            0' /etc/security/limits.conf
 if [[ ! -d /etc/systemd/coredump.conf.d ]]; then
  mkdir -p /etc/systemd/coredump.conf.d
 fi
 touch /etc/systemd/coredump.conf.d/disable.conf
@@ -31,7 +36,6 @@ Storage=none
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9950_fail2ban_hardening.chroot
+++ b/config/hooks/live/9950_fail2ban_hardening.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,10 +9,9 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root
@@ -33,8 +32,8 @@ cat << 'EOF' >| /etc/fail2ban/jail.d/centurion-default.conf
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.2025.debian.live.builder
+# SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 [DEFAULT]
@@ -142,7 +141,6 @@ touch /var/log/fail2ban/fail2ban.log
 chmod 640 /var/log/fail2ban/fail2ban.log
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9960_disable_services.chroot
+++ b/config/hooks/live/9960_disable_services.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,10 +9,9 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 ###########################################################################################
 # Remarks: Turn off Energy saving mode and ctrl-alt-del                                   #
@@ -25,7 +24,6 @@ done
 unset target
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9970_remove_exim.chroot
+++ b/config/hooks/live/9970_remove_exim.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,24 +9,20 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /etc
-apt-get purge exim4 -y
+apt-get purge exim4 exim4-base exim4-config  -y
 apt-get purge exim4-base -y
 apt-get purge exim4-config -y
 apt-get autoremove -y
 apt-get autoclean -y
 apt-get autopurge -y
 apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config
-apt-get update -y
+apt-get update
 apt-get upgrade -y
 if [[ -d /etc/exim4 ]]; then
@@ -34,7 +30,6 @@ if [[ -d /etc/exim4 ]]; then
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9980_usb_guard.chroot
+++ b/config/hooks/live/9980_usb_guard.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,37 +9,37 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 export DEBIAN_FRONTEND="noninteractive"
 apt-get install -y usbguard
-# sleep 1
+### Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm
 # Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm
 touch /tmp/rules.conf
 usbguard generate-policy >> /tmp/rules.conf
 if [[ -f /etc/usbguard/rules.conf && -s /etc/usbguard/rules.conf ]]; then
  mv /etc/usbguard/rules.conf /root/.ciss/dlb/backup/usbguard_rules.conf.bak
  cp -a /tmp/rules.conf /etc/usbguard/rules.conf
  chmod 0600 /etc/usbguard/rules.conf
 else
  rm -f /etc/usbguard/rules.conf
  cp -a /tmp/rules.conf /etc/usbguard/rules.conf
  chmod 0600 /etc/usbguard/rules.conf
 fi
 cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/dlb/backup/usbguard-daemon.conf.bak
-sed -i "s/PresentDevicePolicy=apply-policy/PresentDevicePolicy=allow/" /etc/usbguard/usbguard-daemon.conf
+#sed -i "s/PresentDevicePolicy=apply-policy/PresentDevicePolicy=allow/" /etc/usbguard/usbguard-daemon.conf
 # sleep 1
 rm -f /tmp/rules.conf
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9985_clamav.chroot
+++ b/config/hooks/live/9985_clamav.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,10 +9,9 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 mkdir -p /etc/systemd/system/clamav-daemon.service.d
 cat << 'EOF' >| /etc/systemd/system/clamav-daemon.service.d/override.conf
@@ -71,7 +70,6 @@ EOF
 chmod 0644 /etc/systemd/system/clamav-freshclam.service.d/override.conf
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9990_final_purge.chroot
+++ b/config/hooks/live/9990_final_purge.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,39 +9,44 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
-apt-get update -y
+export DEBIAN_FRONTEND="noninteractive"
 apt-get update -qq
 apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
 #sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
 apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
 #sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
 dpkg --get-selections | grep deinstall >| /tmp/deinstall.log || true
 if [[ -s /tmp/deinstall.log ]]; then
  printf "\n"
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Packages to purge ... \e[0m\n"
  sed -i 's!deinstall!!' /tmp/deinstall.log
  while IFS= read -r line; do
    declare trimmed_string
-    trimmed_string=$(echo "$line" | awk '{$1=$1};1')
+    trimmed_string=$(echo "${line}" | awk '{$1=$1};1')
    echo "y" | apt-get purge "${trimmed_string}"
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Package '%s' purged. \e[0m\n" "${trimmed_string}"
-    # sleep 1
+
  done < /tmp/deinstall.log
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Packages to purge done. \e[0m\n"
 else
  printf "\n"
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Packages to purge, proceeding with clean up. \e[0m\n"
 fi
 apt-get update -y
 apt-get upgrade -y
 rm -f /tmp/deinstall.log
@@ -52,8 +57,7 @@ apt-get autopurge -y
 updatedb
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${0}"
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9991_file_permissions.chroot
+++ b/config/hooks/live/9991_file_permissions.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,10 +9,9 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 chmod 0644 /etc/banner
 chmod 0644 /etc/issue
@@ -55,8 +54,8 @@ fi
 if [[ -f /etc/cron.allow ]]; then
  cp -u /etc/cron.allow /root/.backup/cron.allow.bak
-  chmod 644 /root/.backup/cron.allow.bak
+  chmod 0644 /root/.backup/cron.allow.bak
-  chmod 600 /etc/cron.allow
+  chmod 0600 /etc/cron.allow
  cat << EOF >| /etc/cron.allow
 root
 EOF
@@ -99,8 +98,18 @@ for bin in as gcc g++ cc clang; do
 done
 unset bin target
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${0}"
+###    Directories: 0700
-# sleep 1
+find /root -type d -exec chmod 0700 {} +
 ###    Executable files: 0700 (any x-bit set)
 find /root -type f -perm /111 -exec chmod 0700 {} +
 ###    Non-executable files: 0600
 find /root -type f ! -perm /111 -exec chmod 0600 {} +
 ###    Ownership: UID:GID (do not dereference symlinks; stay on this filesystem)
 find /root -xdev -exec chown -h root:root {} +
 rm -f /etc/tmpfiles.d/legacy.conf
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9992_password_expiration.chroot
+++ b/config/hooks/live/9992_password_expiration.chroot
@@ -1,42 +1,46 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 if ! command -v chage &>/dev/null; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Info: 'chage' NOT found. Exiting hook ... \e[0m\n"
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-  # sleep 1
+
  exit 0
 fi
 declare -i max_days=16384
 # shellcheck disable=SC2312
 mapfile -t users_to_update < <(
  awk -F: '$2 !~ /^[!*]/ { print $1 }' /etc/shadow
 )
 if [[ ${#users_to_update[@]} -eq 0 ]]; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No enabled-login accounts found in /etc/shadow. Exiting hook ... \e[0m\n"
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-  # sleep 1
+
  exit 0
 fi
 declare user
 for user in "${users_to_update[@]}"; do
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Setting max password age for user '%s' to '%s' days. \e[0m\n" "${user}" "${max_days}"
-  chage --maxdays "$max_days" "$user"
+  chage --maxdays "${max_days}" "${user}"
 done
 unset max_days user users_to_update
@@ -46,7 +50,6 @@ awk -F: '$2 !~ /^\$[0-9]/ && length($2)==13 { print $1,$2 }' /etc/shadow
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ All applicable accounts have been updated. \e[0m\n"
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9993_aide.chroot
+++ b/config/hooks/live/9993_aide.chroot
@@ -1,32 +1,35 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 export DEBIAN_FRONTEND="noninteractive"
 apt-get install -y aide > /dev/null 2>&1
 cp -u /etc/aide/aide.conf /root/.ciss/dlb/backup/aide.conf.bak
 sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf
 if aideinit > /dev/null 2>&1; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'aideinit' successful. \e[0m\n"
 else
  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'aideinit' NOT successful. \e[0m\n" >&2
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9994_password_policy.chroot
+++ b/config/hooks/live/9994_password_policy.chroot
@@ -1,35 +1,37 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### NIST recommends at least eight characters but advises longer passphrases (e.g., 12-64) for increased security.
 ### NIST SP 800-63B, https://pages.nist.gov/800-63-3/sp800-63b.html
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
+
 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
 cp -a /etc/security/pwquality.conf /root/.ciss/dlb/backup/pwquality.conf.bak
 chmod 0644 /root/.ciss/dlb/backup/pwquality.conf.bak
-cat << 'EOF' >| /etc/security/pwquality.conf
+cat << EOF >| /etc/security/pwquality.conf
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -129,7 +131,6 @@ local_users_only
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9995_sysstat.chroot
+++ b/config/hooks/live/9995_sysstat.chroot
@@ -1,23 +1,21 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 sed -i 's#^\(ENABLED=\).*#\1"true"#' /etc/default/sysstat
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9996_auditd.chroot
+++ b/config/hooks/live/9996_auditd.chroot
@@ -1,25 +1,32 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### https://github.com/linux-audit/audit-userspace/tree/master/rules
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 #######################################
 # Simple error terminal logger.
 # Arguments:
 #   None
 #######################################
 log() { printf '[auditd-build] %s\n' "${*}" >&2; }
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root
-apt-get install auditd -y
+export DEBIAN_FRONTEND="noninteractive"
 apt-get install -y auditd
 cp -u /etc/audit/audit.rules /root/.ciss/dlb/backup/audit.rules.bak
 cp -u /etc/audit/auditd.conf /root/.ciss/dlb/backup/auditd.conf.bak
@@ -50,13 +57,18 @@ EOF
 ############################################################### /etc/audit/rules.d/20-dont-audit.rules
 cat << EOF >| /etc/audit/rules.d/20-dont-audit.rules
 ## This is for don't audit rules. We put these early because audit
-### is a first match wins system. Uncomment the rules you want.
+## is a first match wins system. Uncomment the rules you want.
 ## Cron jobs fill the logs with stuff we normally don't want
-a never,user -F subj_type=crond_t
+-a never,user
 ## This prevents chrony from overwhelming the logs
-a never,exit -F arch=x86_64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
+-a never,exit -F arch=b64 -S adjtimex -F exe=/usr/sbin/chronyd
 -a never,exit -F arch=b32 -S adjtimex -F exe=/usr/sbin/chronyd
 ## Human-attributable time changes
 -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F auid>=1000 -F auid!=4294967295 -k time-change
 -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -F auid>=1000 -F auid!=4294967295 -k time-change
 ### This is not very interesting and wastes a lot of space if
 ### the server is public facing
@@ -75,8 +87,8 @@ EOF
 ############################################################### /etc/audit/rules.d/22-ignore-chrony.rules
 cat << EOF >| /etc/audit/rules.d/22-ignore-chrony.rules
 ## This rule suppresses the time-change event when chrony does time updates
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
+-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=_chrony
-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
+-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=_chrony
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
@@ -325,8 +337,65 @@ cat << EOF >| /etc/audit/rules.d/99-finalize.rules
 -e 2
 EOF
 shopt -s nullglob
 rules=(/etc/audit/rules.d/*.rules)
 if (( ${#rules[@]} == 0 )); then
  log "ERROR: /etc/audit/rules.d is empty. Seed rules before this hook."
  exit 127
 fi
 if ! /sbin/augenrules --check >/dev/null 2>&1; then
  log "ERROR: augenrules --check failed. Fix the /etc/audit/rules.d/*.rules first."
  exit 128
 fi
 # shellcheck disable=2155
 declare tmp="$(mktemp)"
 printf '%s\0' "${rules[@]}" \
  | xargs -0 -I{} basename "{}" \
  | sort -V \
  | while read -r fname; do
    f="/etc/audit/rules.d/${fname}"
    ### Normalize CRLF and strip UTF-8 BOM.
    sed -e 's/\r$//' -e '1s/^\xEF\xBB\xBF//' "${f}" >> "${tmp}"
    printf '\n' >> "${tmp}"
  done
 # shellcheck disable=2155
 declare tmp_stripped="$(mktemp)"
 sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "${tmp}" >| "${tmp_stripped}"
 sed -E 's/[[:space:]]+#.*$//' -i "${tmp_stripped}"
 install -m 0600 -o root -g root "${tmp_stripped}" /etc/audit/audit.rules
 rm -f "${tmp}" "${tmp_stripped}"
 if ! grep -Eq '(^-a|^-w|^-e[[:space:]]+1|^-e[[:space:]]+2)' /etc/audit/audit.rules; then
  log "WARN: /etc/audit/audit.rules contains no -a/-w rules or '-e 1/2'; is this intended?"
 fi
 log "Done. /etc/audit/audit.rules generated at build-time (no kernel load)."
 mkdir -p /etc/systemd/system/audit-rules.service.d
 cat << EOF >| /etc/systemd/system/audit-rules.service.d/10-ciss.conf
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 [Service]
 ExecStart=
 ExecStart=/usr/sbin/augenrules --load
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9997_debsums.chroot
+++ b/config/hooks/live/9997_debsums.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,28 +9,31 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root
-apt-get install --no-install-recommends debsums -y
+export DEBIAN_FRONTEND="noninteractive"
 apt-get install -y --no-install-recommends debsums
 cp -a /etc/default/debsums /root/.ciss/dlb/backup/debsums.bak
 chmod 0644 /root/.ciss/dlb/backup/debsums.bak
 sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums
 if debsums -g > /dev/null 2>&1; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'debsums -g' successful. \e[0m\n"
 else
  # Omit false negative error output to stdout and stderr, as no problematic errors occur on startup.
  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'debsums -g' NOT successful. \e[0m\n"  > /dev/null 2>&1
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9998_sources_list_bookworm.chroot
+++ b/config/hooks/live/9998_sources_list_bookworm.chroot
@@ -1,18 +1,20 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
+
 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
 cd /root
@@ -22,14 +24,14 @@ fi
 cat << 'EOF' >| /etc/apt/sources.list
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.2025.debian.live.builder
+# SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 #-----------------------------------------------------------------------------------------#
 #                                  OFFICIAL DEBIAN REPOS
--- a/config/hooks/live/9998_sources_list_trixie.chroot
+++ b/config/hooks/live/9998_sources_list_trixie.chroot
@@ -0,0 +1,127 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
 cd /root
 mkdir -p /etc/apt/apt.conf.d
 cat << EOF >| /etc/apt/apt.conf.d/00-deb822-prefer
 // Make APT ignore the classic /etc/apt/sources.list entirely.
 Dir::Etc {
  sourcelist  "/dev/null";                // classic list is ignored
  sourceparts "/etc/apt/sources.list.d";  // deb822 *.sources remain authoritative
 }
 EOF
 if [[ ! -f /etc/apt/sources.list.d/trixie.sources ]]; then
  cat << EOF >| /etc/apt/sources.list.d/trixie.sources
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 Types: deb deb-src
 URIs: https://deb.debian.org/debian/
 Suites: trixie
 Components: main contrib non-free non-free-firmware
 Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 fi
 if [[ ! -f /etc/apt/sources.list.d/trixie-security.sources ]]; then
  cat << EOF >| /etc/apt/sources.list.d/trixie-security.sources
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 Types: deb deb-src
 URIs: https://security.debian.org/debian-security/
 Suites: trixie-security
 Components: main contrib non-free non-free-firmware
 Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 fi
 if [[ ! -f /etc/apt/sources.list.d/trixie-updates.sources ]]; then
 cat << EOF >| /etc/apt/sources.list.d/trixie-updates.sources
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 Types: deb deb-src
 URIs: https://deb.debian.org/debian/
 Suites: trixie-updates
 Components: main contrib non-free non-free-firmware
 Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 fi
 if [[ ! -f /etc/apt/sources.list.d/trixie-backports.sources ]]; then
  cat << EOF >| /etc/apt/sources.list.d/trixie-backports.sources
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 Types: deb deb-src
 URIs: https://deb.debian.org/debian/
 Suites: trixie-backports
 Components: main contrib non-free non-free-firmware
 Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9999_interfaces_update.chroot
+++ b/config/hooks/live/9999_interfaces_update.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,17 +9,19 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
+
 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
 mv /etc/network/interfaces /root/.ciss/dlb/backup/interfaces.chroot
 rm -f /etc/network/interfaces
-cat << 'EOF' >| /etc/network/interfaces
+cat << EOF >| /etc/network/interfaces
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -32,6 +34,9 @@ cat << 'EOF' >| /etc/network/interfaces
 # This file describes the network interfaces available on your system
 # and how to activate them. For more information, see interfaces(5).
 EOF
 cat << 'EOF' >> /etc/network/interfaces
 ### The loopback network interface
 auto lo
 iface lo inet loopback
@@ -59,7 +64,6 @@ EOF
 chmod 0644 /etc/network/interfaces
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.binary/boot/grub/config.cfg
+++ b/config/includes.binary/boot/grub/config.cfg
@@ -5,7 +5,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/includes.chroot/etc/apt/sources.list
+++ b/config/includes.chroot/etc/apt/sources.list
@@ -0,0 +1,15 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # File: /etc/apt/sources.list
 # Intentionally empty, disable classic sources.list generation (deb822 in use).
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/etc/apt/sources.list.d/trixie-backports.sources
+++ b/config/includes.chroot/etc/apt/sources.list.d/trixie-backports.sources
@@ -0,0 +1,18 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 Types: deb deb-src
 URIs: https://deb.debian.org/debian/
 Suites: trixie-backports
 Components: main contrib non-free non-free-firmware
 Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/etc/apt/sources.list.d/trixie-security.sources
+++ b/config/includes.chroot/etc/apt/sources.list.d/trixie-security.sources
@@ -0,0 +1,18 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 Types: deb deb-src
 URIs: https://security.debian.org/debian-security/
 Suites: trixie-security
 Components: main contrib non-free non-free-firmware
 Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/etc/apt/sources.list.d/trixie-updates.sources
+++ b/config/includes.chroot/etc/apt/sources.list.d/trixie-updates.sources
@@ -0,0 +1,18 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 Types: deb deb-src
 URIs: https://deb.debian.org/debian/
 Suites: trixie-updates
 Components: main contrib non-free non-free-firmware
 Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/etc/apt/sources.list.d/trixie.sources
+++ b/config/includes.chroot/etc/apt/sources.list.d/trixie.sources
@@ -0,0 +1,18 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 Types: deb deb-src
 URIs: https://deb.debian.org/debian/
 Suites: trixie
 Components: main contrib non-free non-free-firmware
 Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/etc/live/config.conf
+++ b/config/includes.chroot/etc/live/config.conf
@@ -8,6 +8,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-LIVE_CONFIGS="username"
+
-USERNAME=root
+# LIVE_CONFIG_CMDLINE="${LIVE_CONFIG_CMDLINE} ADD PARAMETER HERE"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/etc/login.defs
+++ b/config/includes.chroot/etc/login.defs
@@ -0,0 +1,209 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 #
 # /etc/login.defs - Configuration control definitions for the shadow package.
 #
 # REQUIRED for useradd/userdel/usermod
 #   Directory where mailboxes reside, _or_ name of file, relative to the
 #   home directory.  If you _do_ define MAIL_DIR and MAIL_FILE,
 #   MAIL_DIR takes precedence.
 #
 #   Essentially:
 #      - MAIL_DIR defines the location of users mail spool files
 #        (for mbox use) by appending the username to MAIL_DIR as defined
 #        below.
 #      - MAIL_FILE defines the location of the users mail spool files as the
 #        fully-qualified filename obtained by prepending the user home
 #        directory before $MAIL_FILE
 #
 # NOTE: This is no more used for setting up users MAIL environment variable
 #       which is, starting from shadow 4.0.12-1 in Debian, entirely the
 #       job of the pam_mail PAM modules
 #       See default PAM configuration files provided for
 #       login, su, etc.
 #
 # This is a temporary situation: setting these variables will soon
 # move to /etc/default/useradd and the variables will then be
 # no more supported
 MAIL_DIR        /var/mail
 #MAIL_FILE      .mail
 #
 # Enable display of unknown usernames when login(1) failures are recorded.
 #
 # WARNING: Unknown usernames may become world readable.
 # See #290803 and #298773 for details about how this could become a security
 # concern
 LOG_UNKFAIL_ENAB	no
 #
 # Enable logging of successful logins
 #
 LOG_OK_LOGINS		yes
 #
 # If defined, file which maps tty line to TERM environment parameter.
 # Each line of the file is in a format similar to "vt100  tty01".
 #
 #TTYTYPE_FILE	/etc/ttytype
 #
 # If defined, file which inhibits all the usual chatter during the login
 # sequence.  If a full pathname, then hushed mode will be enabled if the
 # user's name or shell are found in the file.  If not a full pathname, then
 # hushed mode will be enabled if the file exists in the user's home directory.
 #
 HUSHLOGIN_FILE	.hushlogin
 #HUSHLOGIN_FILE	/etc/hushlogins
 #
 # *REQUIRED*  The default PATH settings, for superuser and normal users.
 #
 # (they are minimal, add the rest in the shell startup files)
 ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 ENV_PATH	PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
 #
 # Terminal permissions for terminals after login(1).
 # These settings are ignored for remote and other logins.
 #
 #	TTYGROUP	Login tty will be assigned this group ownership.
 #	TTYPERM		Login tty will be set to this permission.
 #
 #TTYGROUP	tty
 TTYPERM		0600
 #
 # Login configuration initializations:
 #
 #	ERASECHAR	Terminal ERASE character ('\010' = backspace).
 #	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
 #
 # The ERASECHAR and KILLCHAR are used only on System V machines.
 #
 ERASECHAR	0177
 KILLCHAR	025
 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
 # home directories.
 HOME_MODE	0700
 #
 # Password aging controls:
 #
 #	PASS_MAX_DAYS	Maximum number of days a password may be used.
 #	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
 #	PASS_WARN_AGE	Number of days warning given before a password expires.
 #
 PASS_MAX_DAYS	16384
 PASS_MIN_DAYS	1
 PASS_WARN_AGE	128
 #
 # Min/max values for automatic uid selection in useradd(8)
 #
 UID_MIN			 1000
 UID_MAX			60000
 # System accounts
 #SYS_UID_MIN		  101
 #SYS_UID_MAX		  999
 # Extra per user uids
 SUB_UID_MIN		   100000
 SUB_UID_MAX		600100000
 SUB_UID_COUNT		    65536
 #
 # Min/max values for automatic gid selection in groupadd(8)
 #
 GID_MIN			 1000
 GID_MAX			60000
 # System accounts
 #SYS_GID_MIN		  101
 #SYS_GID_MAX		  999
 # Extra per user group ids
 SUB_GID_MIN		   100000
 SUB_GID_MAX		600100000
 SUB_GID_COUNT		    65536
 #
 # Max number of login(1) retries if password is bad
 # This will most likely be overriden by PAM, since the default pam_unix module
 # has it's own built in of 3 retries. However, this is a safe fallback in case
 # you are using an authentication module that does not enforce PAM_MAXTRIES.
 #
 LOGIN_RETRIES		5
 #
 # Max time in seconds for login(1)
 #
 LOGIN_TIMEOUT		180
 #
 # Which fields may be changed by regular users using chfn(1) - use
 # any combination of letters "frwh" (full name, room number, work
 # phone, home phone).  If not defined, no changes are allowed.
 # For backward compatibility, "yes" = "rwh" and "no" = "frwh".
 #
 CHFN_RESTRICT		rwh
 #
 # If set to MD5, MD5-based algorithm will be used for encrypting password
 # If set to SHA256, SHA256-based algorithm will be used for encrypting password
 # If set to SHA512, SHA512-based algorithm will be used for encrypting password
 # If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
 # If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
 # If set to DES, DES-based algorithm will be used for encrypting password (default)
 # MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
 # Overrides the MD5_CRYPT_ENAB option
 #
 # Note: It is recommended to use a value consistent with
 # the PAM modules configuration.
 #
 ENCRYPT_METHOD YESCRYPT
 #
 # Should login be allowed if we can't cd to the home directory?
 # Default is no.
 #
 DEFAULT_HOME	yes
 #
 # The pwck(8) utility emits a warning for any system account with a home
 # directory that does not exist.  Some system accounts intentionally do
 # not have a home directory.  Such accounts may have this string as
 # their home directory in /etc/passwd to avoid a spurious warning.
 #
 NONEXISTENT	/nonexistent
 #
 # If defined, this command is run when removing a user.
 # It should remove any at/cron/print jobs etc. owned by
 # the user to be removed (passed as the first argument).
 #
 #USERDEL_CMD	/usr/sbin/userdel_local
 #
 # If set to yes, userdel(8) will remove the user's group if it contains no more
 # members, and useradd(8) will create by default a group with the name of the
 # user.
 #
 # Other former uses of this variable are not used in PAM environments, such as
 # Debian.
 #
 USERGROUPS_ENAB yes
 #
 # Added by CISS.debian.live.builder for redundance
 UMASK 077
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/etc/ssh/ssh_known_hosts
+++ b/config/includes.chroot/etc/ssh/ssh_known_hosts
@@ -0,0 +1,17 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-10; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # Version Master V8.13.142.2025.10.14
 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-10; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.864.2025.07.15
+# Version Master V8.13.142.2025.10.14
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -31,12 +31,12 @@ ListenAddress                ::
 Port MUST_BE_CHANGED
 AllowUsers                   root
 UseDNS                       no
-### Force a key exchange after transferring 1 GiB of data or 1 hour of session time,
+### Force a key exchange after transferring 1 GiB of data or 1 hour of session time, whichever occurs first.
 ### whichever occurs first.
 RekeyLimit                   1G 1h
 HostKey                      /etc/ssh/ssh_host_ed25519_key
 HostKey                      /etc/ssh/ssh_host_rsa_key
 TrustedUserCAKeys            none
 PubkeyAuthentication         yes
 PermitRootLogin              prohibit-password
@@ -65,12 +65,12 @@ GatewayPorts                 no
 ### A+ Rating 100/100
 RequiredRSASize              4096
 Ciphers                      aes256-gcm@openssh.com
-KexAlgorithms                sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512,gss-curve25519-sha256-
+KexAlgorithms                mlkem768x25519-sha256,sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512
-HostKeyAlgorithms            sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
+HostKeyAlgorithms            ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
 MACs                         hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
-CASignatureAlgorithms        rsa-sha2-512,rsa-sha2-256,ssh-ed25519,sk-ssh-ed25519@openssh.com
+CASignatureAlgorithms        rsa-sha2-512,rsa-sha2-256,ssh-ed25519
 GSSAPIKexAlgorithms          gss-curve25519-sha256-,gss-group16-sha512-
-HostbasedAcceptedAlgorithms  sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
+HostbasedAcceptedAlgorithms  ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
 PubkeyAcceptedAlgorithms     sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
 ### Change to yes to enable challenge-response passwords (beware issues with some PAM modules and threads)
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.864.2025.07.15
+# Version Master V8.13.142.2025.10.14
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
--- a/config/includes.chroot/preseed/.iso/iso.sh
+++ b/config/includes.chroot/preseed/.iso/iso.sh
@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 # The example names get mapped to their roles here
 declare timestamp
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V8.03.864.2025.07.15"
+declare -gr VERSION="Master V8.13.142.2025.10.14"
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
--- a/config/includes.chroot/preseed/.lib/sshd_config.lib
+++ b/config/includes.chroot/preseed/.lib/sshd_config.lib
@@ -5,8 +5,8 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.2025.debian.live.builder
+# SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 Include /etc/ssh/sshd_config.d/*.conf
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.03.864.2025.07.15 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.142.2025.10.14 at: 10:18:37.9542
--- a/config/includes.chroot/root/.bashrc
+++ b/config/includes.chroot/root/.bashrc
@@ -1,4 +1,3 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
@@ -10,28 +9,12 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # ~/.bashrc: executed by bash(1) for non-login shells.
 # Note: PS1 and umask are already set in /etc/profile. You should not
 # need this unless you want different defaults for root.
 # PS1='${debian_chroot:+($debian_chroot)}\h:\w\$ '
 # umask 022
 # You may uncomment the following lines if you want `ls' to be colorized:
 # export LS_OPTIONS='--color=auto'
 # eval "$(dircolors)"
 # alias ls='ls $LS_OPTIONS'
 # alias ll='ls $LS_OPTIONS -l'
 # alias l='ls $LS_OPTIONS -lA'
 #
 # Some more alias to avoid making mistakes:
 # alias rm='rm -i'
 # alias cp='cp -i'
 # alias mv='mv -i'
 [[ $- != *i* ]] && return
-trap ' "${SHELL}" /root/.ciss/clean_logout.sh ' 0
+### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
 set +o errexit +o nounset +o pipefail
 trap ' "${SHELL}" /root/.ciss/clean_logout.sh ' EXIT
 source /root/.ciss/alias
 source /root/.ciss/f2bchk.sh
 source /root/.ciss/shortcuts
@@ -55,27 +38,20 @@ export CMAG='\033[1;95m'
 export CCYA='\033[1;96m'
 export CWHI='\033[1;97m'
 export CRES='\033[0m'
-
+export NL='\n'
 #if [[ "${UID}" -eq 0 ]]; then
 #  export user_color="${CRED}"
 #else
 #  export user_color="${CGRE}"
 #fi
 ### Define bash colorful prompt
-# PS1="${user_color}\d${CRES}|${user_color}\u${CRES}@${CMAG}\h${CRES}:${CCYA}\w${CRES}/>>\$(if [[ \$? -eq 0 ]]; then echo -e \"${CGRE}\$?${CRES}\"; else echo -e \"${CRED}\$?${CRES}\"; fi)|~\$ "
+export PS1="\
-PS1="\
+\[\033[1;91m\]\d\[\033[0m\]|\
-\[\033[1;91m\]\d\[\033[0m\]|\[\033[1;91m\]\u\[\033[0m\]@\
+\[\033[1;91m\]\u\[\033[0m\]@\
 \[\033[1;95m\]\h\[\033[0m\]:\
 \[\033[1;96m\]\w\[\033[0m\]/>>\
 \$(if [[ \$? -eq 0 ]]; then \
    # Show exit status in green if zero
    echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
  else \
    # Show exit status in red otherwise
    echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
  fi)\
-|~\$ "
+\$(if [[ \$(id -u) -eq 0 ]]; then echo -e \" \[\033[1;91m\]#\[\033[0m\] \"; else echo -e \" \[\033[1;92m\]\\\$\[\033[0m\] \"; fi)"
 ### Overwrite Protection
 set -o noclobber
@@ -83,11 +59,15 @@ alias cp="cp -iv"
 alias mv='mv -iv'
 alias rm='rm -iv'
-# Welcome message after login
+### Welcome message after login.
-printf "\n"
+printf "%b" "${NL}"
-printf "\e[91m🔐 Coresecret Channel Established. \e[0m\n"
+printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
-printf "\e[92m✅ Welcome back\e[0m"; printf "\e[95m '%s' \e[0m" "${USER}"; printf "\e[92m! Type\e[0m"; printf "\e[95m 'celp'\e[0m"; printf "\e[92m for shortcuts. \e[0m\n"
+printf "%b✅ Welcome back %b " "${CGRE}" "${CRES}"
-printf "\n"
+printf "%b'%s'%b" "${CMAG}" "${USER}" "${CRES}"
-printf "\n"
+printf "%b! Type%b" "${CGRE}" "${CRES}"
 printf "%b 'celp'%b" "${CMAG}" "${CRES}"
 printf "%b for shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
 printf "%b" "${NL}"
 printf "%b" "${NL}"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/alias
+++ b/config/includes.chroot/root/.ciss/alias
@@ -11,16 +11,6 @@
 # SPDX-Security-Contact: security@coresecret.eu
 ########################################################################################### Alpha
 #######################################
 # Outputs a 16-character random printable string
 # Arguments:
 #  None
 #######################################
 genstring() {
  (haveged -n 1000 -f - 2>/dev/null | tr -cd '[:graph:]' | fold -w 16 && echo ) | head
 }
 # Generates 1,048,576 random bytes into a timestamped file
 alias genkeyfile='haveged -n 1048576 >| /tmp/secure_keyfile_$(date +%s)'
 ########################################################################################### Bash
@@ -60,6 +50,7 @@ alias aptupd='apt update'
 alias aptupg='apt upgrade'
 alias apti='apt install'
 alias aptp='apt purge'
 alias aptpp='dpkg --purge'
 alias aptr='apt remove'
 alias aptse='apt search'
 alias aptsh='apt show'
@@ -104,11 +95,11 @@ alias whatpurge='dpkg --get-selections | grep deinstall'
 ########################################################################################### Functions
-###########################################################################################
+#######################################
 # Generates Secure (/dev/random) Passwords
 # Arguments:
-#  Length of Password, e.g., 32, and --base64 in case of encoding in BASE64.
+#    Length of Password, e.g., 32, and --base64 in case of encoding in BASE64.
-###########################################################################################
+#######################################
 # shellcheck disable=SC2317
 genpasswd() {
  declare -i length=32
@@ -128,6 +119,7 @@ genpasswd() {
  done
  declare passwd
  # shellcheck disable=SC2312
  passwd=$(tr -dc 'A-Za-z0-9_' < /dev/random | head -c "${length}")
  if [[ ${usebase64} -eq 1 ]]; then
@@ -137,23 +129,38 @@ genpasswd() {
  fi
 }
-###########################################################################################
+#######################################
-# Generates Secure (/dev/random) Passwords
+# Generates Secure (/dev/random) Passwords.
 # Arguments:
-#  none
+#   none
-###########################################################################################
+#######################################
 # shellcheck disable=SC2317
 genpasswdhash() {
  declare salt
  # shellcheck disable=SC2312
  salt=$(tr -dc 'A-Za-z0-9' < /dev/random | head -c 16)
  mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608
 }
 #######################################
-# Wrapper for secure curl
+# Outputs a 16-character random printable string
 # Arguments:
-#  $1: URL from which to download a specific file
+#   None
-#  $2: /path/to/file to be saved to
+#######################################
 genstring() {
  # shellcheck disable=SC2312
  (haveged -n 1000 -f - 2>/dev/null | tr -cd '[:graph:]' | fold -w 16 && echo ) | head
 }
 #######################################
 # Wrapper for secure curl
 # Globals:
 #   CRED
 #   CRES
 #   NL
 # Arguments:
 #   1: URL from which to download a specific file
 #   2: /path/to/file to be saved to
 # Returns:
 #   0: Download successful
 #   1: Usage error
@@ -161,7 +168,7 @@ genpasswdhash() {
 #######################################
 scurl() {
  if [[ $# -ne 2 ]]; then
-    printf "\e[91m❌ Error: Usage: scurl <URL> <path/to/file>.\e[0m\n" >&2
+    printf "%s❌ Error: Usage: scurl <URL> <path/to/file>. %s%s" "${CRED}" "${CRES}" "${NL}" >&2
    return 1
  fi
  declare url="$1"
@@ -173,7 +180,7 @@ scurl() {
            -o "${output_path}" \
            "${url}"
  then
-    printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "${url}" >&2
+    printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
    return 2
  fi
  return 0
@@ -181,9 +188,13 @@ scurl() {
 #######################################
 # Wrapper for secure wget
 # Globals:
 #   CRED
 #   CRES
 #   NL
 # Arguments:
-#  $1: URL from which to download a specific file
+#   1: URL from which to download a specific file
-#  $2: /path/to/file to be saved to
+#   2: /path/to/file to be saved to
 # Returns:
 #   0: Download successful
 #   1: Usage error
@@ -191,7 +202,7 @@ scurl() {
 #######################################
 swget() {
  if [[ $# -ne 2 ]]; then
-    printf "\e[91m❌ Error: Usage: swget <URL> <path/to/file>.\e[0m\n" >&2
+    printf "%s❌ Error: Usage: swget <URL> <path/to/file>. %s%s" "${CRED}" "${CRES}" "${NL}" >&2
    return 1
  fi
  declare url="$1"
@@ -204,30 +215,56 @@ swget() {
            -qO "${output_path}" \
            "${url}"
  then
-    printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "$url" >&2
+    printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
    return 2
  fi
  return 0
 }
 #######################################
-# Wrapper for loading CISS.2025 hardened Kernel Parameters
+# Wrapper for loading CISS hardened Kernel Parameters.
 # Arguments:
-#  None
+#   None
 #######################################
 sysp() {
  sysctl -p /etc/sysctl.d/99_local.hardened
-  # sleep 1
+  # shellcheck disable=SC2312
-  sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
+  sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
 }
 #######################################
 # Wrapper for tree
 # Arguments:
-#  $1: Depth of Directory Listing
+#   1: Depth of Directory Listing
 #######################################
 trel() {
  declare depth=${1:-3}
  tree -C -h --dirsfirst -L "${depth}"
 }
 #######################################
 # Wrapper for package and path to bin.
 # Arguments:
 #   1: Program
 #######################################
 whichpackage() {
  if ! command -v "$1" >/dev/null 2>&1; then
    printf '%s❌ Error: Program '%s' not found. %s%s' "${CRED}" "$1" "${CRES}" "${NL}" >&2
    exit 1
  fi
  # shellcheck disable=SC2230,SC2312
  dpkg -S "$(which "$1")"
 }
 #######################################
 # Wrapper for Diskspace used in Path.
 # Arguments:
 #   1: Path (defaults /var)
 #   2: Depth (defaults 1)
 #   3: Number of Entries (defaults 16)
 #######################################
 whichused() {
  # shellcheck disable=SC2312
  du -h --max-depth="${2:-1}" "${1:-/var}" | sort -hr | head -n "${3:-16}"
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/check_chrony.sh
+++ b/config/includes.chroot/root/.ciss/check_chrony.sh
@@ -0,0 +1,142 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-10; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 #######################################
 # Minimal leap-second probe for Debian/chrony systems.
 # - Prints kernel leap flags & TAI offset (ΔAT).
 # - Reads tzdata's leap-seconds list (authoritative TAI-UTC).
 # - Shows chrony tracking summary (incl. leap status).
 # - Demonstrates 23:59:60 rendering via TZ=right/UTC.
 # Globals:
 #   None
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 main() {
  ### 1) System TZ and tzdata source.
  printf "System TZ link: [%s]\n\n" "$(readlink -f /etc/localtime || true)"
  if [[ -f /usr/share/zoneinfo/leap-seconds.list ]]; then
    declare tz_leap_line tz_tai tz_ntp ts_human
    tz_leap_line="$(awk '($1 !~ /^#/) {L=$0} END{print L}' /usr/share/zoneinfo/leap-seconds.list)"
    tz_ntp="$(awk '{print $1}' <<<"${tz_leap_line}")"
    tz_tai="$(awk '{print $2}' <<<"${tz_leap_line}")"
    ts_human="$(awk -F'#' '{gsub(/^[[:space:]]+/, "", $2); print $2}' <<<"${tz_leap_line}")"
    printf "tzdata ΔAT (TAI-UTC): %s s [last change at: %s; NTP ts: %s]\n\n" "${tz_tai:-?}" "${ts_human:-?}" "${tz_ntp:-?}"
  else
    printf "tzdata leap-seconds.list not found.\n"
  fi
  ### 2) Kernel view (requires adjtimex).
  if command -v adjtimex >/dev/null 2>&1; then
    printf "Kernel time status (adjtimex -p):\n"
    adjtimex -p | sed 's/^/  /'
    declare k_tai
    k_tai="$(adjtimex -p | awk '/^tai:/ {print $2}')"
    if [[ -n "${k_tai:-}" ]]; then
      printf "Kernel-exported ΔAT [tai]: %s s\n" "${k_tai}"
    fi
  else
    printf "Package: 'adjtimex' not found. Install 'adjtimex' for kernel leap/TAI details.\n\n"
  fi
  ### 3) Chrony summary.
  if command -v chronyc >/dev/null 2>&1; then
    printf "\n"
    printf "chronyc tracking:\n"
    chronyc -n tracking | sed 's/^/  /'
  else
    printf "Package: 'chronyc' not found. Skipping chrony status.\n\n"
  fi
  ### 4) right/UTC demonstration of 23:59:60 (uses 2016-12-31 leap).
  if [[ -f /usr/share/zoneinfo/right/UTC ]]; then
    printf "\n"
    printf "right/UTC leap rendering check (expect 23:59:60):\n\n"
    TZ=right/UTC date -ud '2017-01-01 00:00:00 -1 second' || true
  else
    printf "\n"
    printf "File: 'tzdata right/UTC' zone not installed; skipping 23:59:60 demo.\n\n"
  fi
  printf "\n"
  printf "Hint:\n"
  printf "  • ΔAT (TAI-UTC) should match tzdata and kernel (chrony sets kernel TAI if leapsectz/leapseclist is used).\n"
  printf "  • For monotonic intervals, apps must use CLOCK_MONOTONIC, not CLOCK_REALTIME.\n"
  return 0
 }
 ### Build right/UTC from tzdata leap table if missing.
 if [[ ! -e /usr/share/zoneinfo/right/UTC ]]; then
  install -d -m 0755 /usr/share/zoneinfo/right
  ### Minimal zic source for a fixed UTC zone.
  declare -r tmp_src="/tmp/UTC.src"
  printf 'Zone UTC  0  -  UTC\n' > "${tmp_src}"
  ### Prefer the zic-format leapseconds file.
  declare leap_zic="/usr/share/zoneinfo/leapseconds"
  if [[ -s "${leap_zic}" ]]; then
    zic -d /usr/share/zoneinfo/right -L "${leap_zic}" "${tmp_src}"
  else
    echo "WARNING: ${leap_zic} not found; building right/UTC without leap info." >&2
    zic -d /usr/share/zoneinfo/right -L /dev/null "${tmp_src}"
  fi
  rm -f "${tmp_src}"
 fi
 if [[ -e /usr/share/zoneinfo/right/UTC ]]; then
  ### Expect to see 'Sat Dec 31 23:59:60 UTC 2016' rendered in right/UTC
  TZ=right/UTC date -ud '2017-01-01 00:00:00 -1 second' || true
 fi
 main "$@"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/clean_logout.sh
+++ b/config/includes.chroot/root/.ciss/clean_logout.sh
@@ -36,4 +36,5 @@ echo -e "\e[92m          All done" "\e[95m'${USER}'" "\e[92m! \e[0m"
 echo -e "\e[92m          Close shell with 'ENTER' to exit" "\e[95m'${HOSTNAME}'" "\e[92m! \e[0m"
 # shellcheck disable=SC2162
 read
 [[ -x /usr/bin/clear_console ]] && /usr/bin/clear_console -q
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/f2bchk.sh
+++ b/config/includes.chroot/root/.ciss/f2bchk.sh
@@ -17,16 +17,18 @@
 #               --log=/var/log/ufw.log \
 #               --output=/tmp/f2bchk.log
 # Globals:
-#   DEFAULT_FILTER
+#   CGRE
-#   DEFAULT_LOG
+#   CRED
-#   DEFAULT_MODE
+#   CRES
 #   NL
 # Arguments:
-#  None
+#   None
 # Returns:
-#   1 In case of any errors
+#   0: on success
 #   1: In case of any errors
 #######################################
 f2bchk(){
-  # Declare default values (readonly)
+  ### Declare default values (readonly)
  declare -r DEFAULT_MODE="matched"
  declare -r DEFAULT_FILTER="/etc/fail2ban/filter.d/ufw.aggressive.conf"
  declare -r DEFAULT_LOG="/var/log/ufw.log"
@@ -44,7 +46,7 @@ f2bchk(){
      --log=*)    log="${arg#--log=}";;
      --output=*) output="${arg#--output=}";;
      *)
-        printf "\e[31m[ERROR]\e[0m Unknown argument: %s\n" "${arg}"
+        printf "%s[ERROR]%s Unknown argument: '%s' %s" "${CRED}" "${CRES}" "${arg}" "${CRED}"
        return 1
        ;;
    esac
@@ -56,7 +58,7 @@ f2bchk(){
    matched) flag="--print-all-matched"; suffix="all.matched";;
    missed)  flag="--print-all-missed";  suffix="all.missed";;
    *)
-      printf "\e[31m[ERROR]\e[0m Invalid mode: %s\n" "${mode}"
+      printf "%s[ERROR]%s Invalid mode: '%s' %s" "${CRED}" "${CRES}" "${mode}" "${NL}"
      return 1
      ;;
  esac
@@ -66,22 +68,30 @@ f2bchk(){
    filter_name="${filter_name%.conf}"
    output="/tmp/${filter_name}.${suffix}.log"
  fi
  if [[ ! -r "${log}" ]]; then
-    printf "\e[31m[ERROR]\e[0m Log file '%s' not found or not readable.\n" "${log}"
+    printf "%s[ERROR]%s Log file '%s' not found or not readable. %s" "${CRED}" "${CRES}" "${log}" "${NL}"
    return 1
  fi
  if [[ ! -r "${filter}" ]]; then
    printf "\e[31m[ERROR]\e[0m Filter file '%s' not found or not readable.\n" "${filter}"
    return 1
  fi
-  printf "\e[33m[INFO]\e[0m Running: fail2ban-regex %s %s %s\n" "${log}" "${filter}" "${flag}"
+  if [[ ! -r "${filter}" ]]; then
-  if fail2ban-regex "${log}" "${filter}" "${flag}" >| "${output}"; then
+    printf "%s[ERROR]%s Filter file '%s' not found or not readable. %s" "${CRED}" "${CRES}" "${filter}" "${NL}"
    printf "\e[32m[SUCCESS]\e[0m Saved log to %s\n" "$output"
    printf "You can view it with: cat %s\n" "$output"
  else
    printf "\e[31m[ERROR]\e[0m fail2ban-regex execution failed.\n"
    return 1
  fi
  printf "%s[INFO]%s Running: fail2ban-regex '%s %s %s' %s" "${CGRE}" "${CRES}" "${log}" "${filter}" "${flag}" "${NL}"
  if fail2ban-regex "${log}" "${filter}" "${flag}" >| "${output}"; then
    printf "%s[SUCCESS]%s Saved log to: '%s' %s" "${CGRE}" "${CRES}" "${output}" "${NL}"
    printf "You can view it with: cat %s%s" "${output}" "${NL}"
  else
    printf "%s[ERROR]%s fail2ban-regex execution failed. %s" "${CRED}" "${CRES}" "${NL}"
    return 1
  fi
  exit 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/scan_libwrap
+++ b/config/includes.chroot/root/.ciss/scan_libwrap
@@ -6,36 +6,44 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 #######################################
 # Scanner for 'libwrap' usage.
 # Globals:
 #   CGRE
 #   CRES
 #   NL
 # Arguments:
-#  None
+#   None
 #######################################
 scanlw() {
-  printf "\e[92m🔍 Scanning all running processes for 'libwrap' usage ... \e[0m\n"
+  printf "%s🔍 Scanning all running processes for 'libwrap' usage ... %s%s" "${CGRE}" "${CRES}" "${NL}"
  printf "\n"
-  # Collect binaries from all running PIDs
+  ### Collect binaries from all running PIDs.
  declare pid exe_path comm user
  for pid in $(ps -e -o pid=); do
    exe_path=$(readlink -f "/proc/${pid}/exe" 2>/dev/null)
-    # Skip if not a regular executable
+    ### Skip if not a regular executable.
    [[ -x "${exe_path}" ]] || continue
-    # Check if the binary is linked with libwrap
+    ### Check if the binary is linked with libwrap.
-    if ldd "$exe_path" 2>/dev/null | grep -q "libwrap"; then
+    # shellcheck disable=SC2312
-      comm=$(ps -p "$pid" -o comm=)
+    if ldd "${exe_path}" 2>/dev/null | grep -q "libwrap"; then
-      user=$(ps -p "$pid" -o user=)
+      comm=$(ps -p "${pid}" -o comm=)
-      printf "\e[92m✅ PID: %s (%s) [User: %s] is linked with 'libwrap.so'. \e[0m\n" "${pid}" "${comm}" "${user}"
+      user=$(ps -p "${pid}" -o user=)
      printf "%s✅ PID: %s (%s) [User: %s] is linked with 'libwrap.so'. %s%s" "${CGRE}" "${pid}" "${comm}" "${user}" "${CRES}" "${NL}"
    fi
  done
  printf "\n"
-  printf "\e[92m✅ Scan complete. \e[0m\n"
+  printf "%s✅ Scan complete. %s%s" "${CGRE}" "${CRES}" "${NL}"
  exit 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/shortcuts
+++ b/config/includes.chroot/root/.ciss/shortcuts
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -21,6 +21,7 @@ declare -ga shortcuts=(
  "apti: apt install"
  "aptimage: get Kernel Img"
  "aptp: apt purge"
  "aptpp: dpkg --purge"
  "aptr: apt remove"
  "aptse: apt search"
  "aptsh: apt show"
@@ -83,6 +84,8 @@ declare -ga shortcuts=(
  "whatdelete: lsof | grep deleted"
  "whatimage: dpkg --list | grep linux"
  "whatpurge: dpkg --get-selections"
  "whichpackage <PROGRAM>"
  "whichused <PATH> <DEPTH> <ENTRIES>"
 )
 #######################################
@@ -101,7 +104,7 @@ celp() {
  declare i=0
  declare entry
  for entry in "${arr[@]}"; do
-    # Print entry left-aligned in fixed width, colored
+    ### Print entry left-aligned in fixed width, colored.
    printf "${CMAG}%-${col_width}s${CRES}" "${entry}"
    ((i++))
    if ((i % cols == 0)); then
--- a/config/package-lists/live.list.common.chroot
+++ b/config/package-lists/live.list.common.chroot
@@ -8,6 +8,9 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 adjtimex
 age
 apparmor
 apparmor-profiles-extra
 apparmor-utils
@@ -15,17 +18,23 @@ apt-file
 apt-mirror
 apt-show-versions
 apt-transport-https
 autoconf
 automake
 bash-completion
 bat
 bc
 bind9-dnsutils
 bison
 bsdmainutils
 btrfs-progs
 build-essential
 bzip2
 ca-certificates
 clamav
 clamav-daemon
 clang-18
 console-setup
 cosign
 cpuid
 cryptsetup
 cryptsetup-nuke-password
@@ -44,6 +53,7 @@ dirmngr
 dmsetup
 dnsviz
 dosfstools
 dpkg-dev
 e2fsprogs
 efibootmgr
 expect
@@ -51,6 +61,7 @@ fail2ban
 fdisk
 figlet
 fio
 flex
 fzf
 gawk
 gdisk
@@ -69,26 +80,29 @@ knot-dnsutils
 libpam-google-authenticator
 libpam-pwquality
 libpwquality-tools
 libtomcrypt-dev
 libtommath-dev
 libtool
 linux-doc-6.12
 linux-source
 live-boot
 live-config
 live-config-systemd
 lld-18
 locate
 logrotate
 lsb-release
 lvm2
 makedev
 makepasswd
 man
 man-db
 manpages
 manpages-dev
 mdadm
 mtr
 musl-tools
 nano
 ncat
-neofetch
+ncdu
 neovim
 net-tools
 netselect-apt
@@ -96,8 +110,8 @@ nmap
 nodejs
 openssl
 parted
 pciutils
 perl
 pollinate
 pwgen
 python3
 rkhunter
@@ -107,7 +121,6 @@ rsync
 rsyslog
 screen
 shellcheck
 software-properties-common
 spectre-meltdown-checker
 speedtest-cli
 squashfs-tools
@@ -136,4 +149,5 @@ xz-utils
 yq
 zip
 zsh
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -7,8 +7,8 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
+**Master Version**: 8.13<br>
-**Build**: V8.03.864.2025.07.15<br>
+**Build**: V8.13.142.2025.10.14<br>
 # 2. DNSSEC Status
--- a/Show More
+++ b/Show More