V8.13.064.2025.10.07

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
Merge remote-tracking branch 'origin/master'
2025-10-07 18:41:01 +01:00 · 2025-10-07 18:32:52 +01:00 · 2025-10-07 18:32:33 +01:00 · 2025-10-07 17:29:37 +00:00 · 2025-10-07 16:38:35 +00:00 · 2025-10-07 17:36:43 +01:00
149 changed files with 2853 additions and 1240 deletions
--- a/.archive/.0000_lib_usage.sh
+++ b/.archive/.0000_lib_usage.sh
@@ -21,7 +21,7 @@ usage() {
  clear
  cat << EOF
 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.03.864.2025.07.15\e[0m")
+$(echo -e "\e[92mMaster V8.13.064.2025.10.07\e[0m")
 $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
 $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
--- a/config/hooks/live/0003_install_backports.chroot
+++ b/config/hooks/live/0003_install_backports.chroot
@@ -6,10 +6,10 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
--- a/config/hooks/live/1024_git_clone_ciss_2025_debian_installer.chroot
+++ b/config/hooks/live/1024_git_clone_ciss_2025_debian_installer.chroot
@@ -9,17 +9,14 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 # TODO: MUST be uncommented
 cd /root/git
-# git clone https://git.coresecret.dev/msw/CISS.debian.installer.git
+git clone https://git.coresecret.dev/msw/CISS.debian.installer.git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/.archive/icon.lib
+++ b/.archive/icon.lib
@@ -5,7 +5,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ✅
--- a/.editorconfig
+++ b/.editorconfig
@@ -25,6 +25,10 @@ charset = utf-8
 insert_final_newline = true
 trim_trailing_whitespace = true
 [{makefile,*.mk}]
 indent_style = tab
 tab_width    = 8
 [*.md]
 end_of_line = lf
 # Markdown benefits from a final newline for POSIX tools
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.03.864.2025.07.15"
+      placeholder: "e.g., Master V8.13.064.2025.10.07"
    validations:
      required: true
--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.864.2025.07.15
+### Version Master V8.13.064.2025.10.07
 FROM debian:bookworm
--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -5,11 +5,11 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.864.2025.07.15
+### Version Master V8.13.064.2025.10.07
 name: 🔁 Render README.md to README.html.
--- a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.03.864.2025.07.15
+  version: V8.13.064.2025.10.07
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.03.864.2025.07.15
+  version: V8.13.064.2025.10.07
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PUBLIC.yaml
+++ b/.gitea/trigger/t_generate_PUBLIC.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.03.864.2025.07.15
+  version: V8.13.064.2025.10.07
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V8.03.864.2025.07.15
+  version: V8.13.064.2025.10.07
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_0.yaml
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,9 +9,13 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.864.2025.07.15
+### Version Master V8.13.064.2025.10.07
-name: 🔐 Generating a Private Live ISO FLV 0.
+name: 🔐 Generating a Private Live ISO TRIXIE.
 defaults:
  run:
    shell: bash
 permissions:
  contents: write
@@ -21,164 +25,35 @@ on:
    branches:
      - master
    paths:
-      - '.gitea/trigger/t_generate_PRIVATE_iso_flavour_0.yaml'
+      - '.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml'
 jobs:
-  generate-private-ciss-debian-live-iso:
+  generate-private-cdlb-trixie:
-    name: 🔐 Generating a Private Live ISO FLV 0.
+    name: 🔐 Generating a Private Live ISO TRIXIE.
-    runs-on: ciss.debian.live.builder.iso.generator
+    runs-on: cdlb.trixie
    ### Run all steps inside Debian Bookworm
    container:
-      image: debian:bookworm
+      image: debian:trixie
    steps:
-      - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
+      - name: 🛠️ Basic Image Setup.
        run: |
          apt-get update -y
          apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
          echo 'deb https://deb.debian.org/debian bookworm-backports main' \
            >| /etc/apt/sources.list.d/bookworm-backports.list
          apt-get update -y
          apt-get upgrade -y
      - name: 🛠️ Installing Build Tools.
        shell: bash
        run: |
-          apt-get update -y
+          export DEBIAN_FRONTEND=noninteractive
-          apt-get install -y \
+          apt-get update
-            autoconf \
+          apt-get upgrade -y
-            automake \
+          apt-get install -y --no-install-recommends \
-            build-essential \
+            apt-utils \
-            cryptsetup \
+            bash \
            ca-certificates \
            curl \
            debootstrap \
            dosfstools \
            efibootmgr \
            gettext \
            git \
            gnupg \
-            haveged \
+            openssh-client \
-            libbz2-dev \
+            openssl \
-            zlib1g-dev \
+            perl \
            liblzma-dev \
            libtool \
            live-build \
            parted \
            pkg-config \
            ssh \
            ssl-cert \
            sudo \
-            texinfo \
+            util-linux
            wget \
            whois \
      - name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
        shell: bash
        run: |
          urls=(
            "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
          )
          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
          gpg --batch --import signature_key.asc
          for url in "${urls[@]}"; do
            archive_name="${url##*/}"
            pkg_name="${archive_name%.tar.bz2}"
            echo "🔄 Processing ${pkg_name}"
            if [[ ! -f "${archive_name}" ]]; then
              echo "📥 Downloading: '${archive_name}'."
              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
                echo "✅ Download successful: '${archive_name}'."
              else
                echo "❌ Download NOT successful: '${archive_name}'."
                exit 1
              fi
            else
              echo "💡 Skipping download, package already exists: '${archive_name}'."
            fi
            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
            if [[ ! -d "${pkg_name}" ]]; then
              echo "📂 Extracting: '${archive_name}'."
              if tar -xjf "${archive_name}"; then
                echo "✅ Extraction successful: '${archive_name}'."
              else
                echo "❌ Extraction not successful: '${archive_name}'."
                exit 1
              fi
            else
              echo "💡 Skipping directory, already exists: '${pkg_name}'."
            fi
            echo "🏗️ Build and install the package: '${pkg_name}'."
            cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
            mkdir -p build
            cd build || { echo "❌ Could not change to '/build'."; exit 1; }
            sudo ../configure > /dev/null 2>&1  || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
            make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
            sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
            cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
            echo "✅ Successful build and installation of '${pkg_name}'."
            echo "-------------------------------------------------------------------------------------"
          done
          rm -f signature_key.asc
          echo "✅ All packages were built and installed successfully."
          mv_bin=(
            "/usr/bin/gpg"
            "/usr/bin/gpg-agent"
            "/usr/bin/gpgconf"
            "/usr/bin/gpg-connect-agent"
            "/usr/bin/gpg-wks-client"
            "/usr/bin/gpg-preset-passphrase"
          )
          for bin in "${mv_bin[@]}"; do
            name="${bin##*/}"
            if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
              if mv "${bin}" "${bin}.debian-backup"; then
                echo "✅ Moved successfully: '${bin}'."
              else
                echo "❌ Moved NOT successfully: '${bin}'."
              fi
            else
              echo "💡 Does not exist as build binary: '${bin}'."
            fi
          done
          for bin in "${mv_bin[@]}"; do
            name="${bin##*/}"
            if [[ -f "/usr/local/bin/${name}" ]]; then
              if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
                echo "✅ 'update-alternatives' successfully: '${bin}'."
              else
                echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
              fi
            else
              echo "💡 Does not exist: '/usr/local/bin/${name}'."
            fi
          done
          sudo ldconfig
          gpgconf --kill all
          /usr/local/bin/gpg-agent --daemon
      - name: ⚙️ Check GnuPG Version.
        shell: bash
@@ -188,6 +63,11 @@ jobs:
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
@@ -262,17 +142,91 @@ jobs:
          echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
      - name: 🔧 Render live hook with secrets.
        shell: bash
        working-directory: ${{ github.workspace }}
        env:
          ED25519_PRIV:        ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
          ED25519_PUB:         ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
          RSA_PRIV:            ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
          RSA_PUB:             ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
          CISS_PRIMORDIAL:     ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
          CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
        run: |
          set -Ceuo pipefail
          umask 077
          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
          TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
          OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
          ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
          ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
          if [[ ! -f "${TPL}" ]]; then
            echo "Template not found: ${TPL}"
            echo "::group::Tree of config/hooks/live"
            ls -la "${REPO_ROOT}/config/hooks/live" || true
            echo "::endgroup::"
            exit 2
          fi
          export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
          export ED25519_PUB="${ED25519_PUB//$'\r'/}"
          export RSA_PRIV="${RSA_PRIV//$'\r'/}"
          export RSA_PUB="${RSA_PUB//$'\r'/}"
          export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
          export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
          (
          cat << EOF >| "${ID_OUT}"
          ${CISS_PRIMORDIAL}
          EOF
          ) && chmod 0600 "${ID_OUT}"
          if [[ -f "${ID_OUT}" ]]; then
            echo "Written: ${ID_OUT}"
          else
            echo "Error: ${ID_OUT} not written."
          fi
          (
          cat << EOF >| "${ID_OUT_PUB}"
          ${CISS_PRIMORDIAL_PUB}
          EOF
          ) && chmod 0600 "${ID_OUT_PUB}"
          if [[ -f "${ID_OUT_PUB}" ]]; then
            echo "Written: ${ID_OUT_PUB}"
          else
            echo "Error: ${ID_OUT_PUB} not written."
          fi
          perl -0777 -pe '
            BEGIN{
              $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
              $rsa=$ENV{RSA_PRIV};    $rsapub=$ENV{RSA_PUB};
            }
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
          ' "${TPL}" > "${OUT}"
          chmod 0755 "${OUT}"
          echo "Hook rendered: ${OUT}"
      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
        shell: bash
        working-directory: ${{ github.workspace }}
        run: |
          set -euo pipefail
          chmod 0755 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
          ./ciss_live_builder.sh \
-            --autobuild=6.12.30+bpo-amd64 \
+            --autobuild=6.16.3+deb13-amd64 \
            --architecture amd64 \
            --build-directory /opt/livebuild \
            --cdi \
            --control "${timestamp}" \
            --debug \
            --dhcp-centurion \
@@ -280,7 +234,14 @@ jobs:
            --provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
            --root-password-file /opt/config/password.txt \
            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
-            --ssh-pubkey /opt/config
+            --ssh-pubkey /opt/config \
            --sshfp \
            --trixie
          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
          rm -f "$OUT"
          echo "Hook removed: $OUT"
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
@@ -367,11 +328,12 @@ jobs:
          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
-          PRIVATE_FILE="LIVE_ISO_FLV_0.private"
+          VAR_DATE="$(date +%F)"
          PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
          touch "${PRIVATE_FILE}"
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -381,7 +343,7 @@ jobs:
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
-          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
          CISS.debian.live.builder ISO :
            "${VAR_ISO_FILE_NAME}"
@@ -435,7 +397,7 @@ jobs:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          PRIVATE_FILE="LIVE_ISO_FLV_0.private"
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
@@ -459,7 +421,7 @@ jobs:
            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
-            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 0 [skip ci]
+            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]
          ${CI_HEADER}
--- a/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_iso_flavour_1.yaml
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,9 +9,13 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.864.2025.07.15
+### Version Master V8.13.064.2025.10.07
-name: 🔐 Generating a Private Live ISO FLV 1.
+name: 🔐 Generating a Private Live ISO TRIXIE.
 defaults:
  run:
    shell: bash
 permissions:
  contents: write
@@ -21,164 +25,35 @@ on:
    branches:
      - master
    paths:
-      - '.gitea/trigger/t_generate_PRIVATE_iso_flavour_1.yaml'
+      - '.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml'
 jobs:
-  generate-private-ciss-debian-live-iso:
+  generate-private-cdlb-trixie:
-    name: 🔐 Generating a Private Live ISO FLV 1.
+    name: 🔐 Generating a Private Live ISO TRIXIE.
-    runs-on: ciss.debian.live.builder.iso.generator
+    runs-on: cdlb.trixie
    ### Run all steps inside Debian Bookworm
    container:
-      image: debian:bookworm
+      image: debian:trixie
    steps:
-      - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
+      - name: 🛠️ Basic Image Setup.
        run: |
          apt-get update -y
          apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
          echo 'deb https://deb.debian.org/debian bookworm-backports main' \
            >| /etc/apt/sources.list.d/bookworm-backports.list
          apt-get update -y
          apt-get upgrade -y
      - name: 🛠️ Installing Build Tools.
        shell: bash
        run: |
-          apt-get update -y
+          export DEBIAN_FRONTEND=noninteractive
-          apt-get install -y \
+          apt-get update
-            autoconf \
+          apt-get upgrade -y
-            automake \
+          apt-get install -y --no-install-recommends \
-            build-essential \
+            apt-utils \
-            cryptsetup \
+            bash \
            ca-certificates \
            curl \
            debootstrap \
            dosfstools \
            efibootmgr \
            gettext \
            git \
            gnupg \
-            haveged \
+            openssh-client \
-            libbz2-dev \
+            openssl \
-            zlib1g-dev \
+            perl \
            liblzma-dev \
            libtool \
            live-build \
            parted \
            pkg-config \
            ssh \
            ssl-cert \
            sudo \
-            texinfo \
+            util-linux
            wget \
            whois \
      - name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
        shell: bash
        run: |
          urls=(
            "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
          )
          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
          gpg --batch --import signature_key.asc
          for url in "${urls[@]}"; do
            archive_name="${url##*/}"
            pkg_name="${archive_name%.tar.bz2}"
            echo "🔄 Processing ${pkg_name}"
            if [[ ! -f "${archive_name}" ]]; then
              echo "📥 Downloading: '${archive_name}'."
              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
                echo "✅ Download successful: '${archive_name}'."
              else
                echo "❌ Download NOT successful: '${archive_name}'."
                exit 1
              fi
            else
              echo "💡 Skipping download, package already exists: '${archive_name}'."
            fi
            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
            if [[ ! -d "${pkg_name}" ]]; then
              echo "📂 Extracting: '${archive_name}'."
              if tar -xjf "${archive_name}"; then
                echo "✅ Extraction successful: '${archive_name}'."
              else
                echo "❌ Extraction not successful: '${archive_name}'."
                exit 1
              fi
            else
              echo "💡 Skipping directory, already exists: '${pkg_name}'."
            fi
            echo "🏗️ Build and install the package: '${pkg_name}'."
            cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
            mkdir -p build
            cd build || { echo "❌ Could not change to '/build'."; exit 1; }
            sudo ../configure > /dev/null 2>&1  || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
            make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
            sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
            cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
            echo "✅ Successful build and installation of '${pkg_name}'."
            echo "-------------------------------------------------------------------------------------"
          done
          rm -f signature_key.asc
          echo "✅ All packages were built and installed successfully."
          mv_bin=(
            "/usr/bin/gpg"
            "/usr/bin/gpg-agent"
            "/usr/bin/gpgconf"
            "/usr/bin/gpg-connect-agent"
            "/usr/bin/gpg-wks-client"
            "/usr/bin/gpg-preset-passphrase"
          )
          for bin in "${mv_bin[@]}"; do
            name="${bin##*/}"
            if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
              if mv "${bin}" "${bin}.debian-backup"; then
                echo "✅ Moved successfully: '${bin}'."
              else
                echo "❌ Moved NOT successfully: '${bin}'."
              fi
            else
              echo "💡 Does not exist as build binary: '${bin}'."
            fi
          done
          for bin in "${mv_bin[@]}"; do
            name="${bin##*/}"
            if [[ -f "/usr/local/bin/${name}" ]]; then
              if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
                echo "✅ 'update-alternatives' successfully: '${bin}'."
              else
                echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
              fi
            else
              echo "💡 Does not exist: '/usr/local/bin/${name}'."
            fi
          done
          sudo ldconfig
          gpgconf --kill all
          /usr/local/bin/gpg-agent --daemon
      - name: ⚙️ Check GnuPG Version.
        shell: bash
@@ -188,6 +63,11 @@ jobs:
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
@@ -262,22 +142,103 @@ jobs:
          echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/config/password.txt
          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/config/authorized_keys
      - name: 🔧 Render live hook with secrets.
        shell: bash
        working-directory: ${{ github.workspace }}
        env:
          ED25519_PRIV:        ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
          ED25519_PUB:         ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
          RSA_PRIV:            ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
          RSA_PUB:             ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
          CISS_PRIMORDIAL:     ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
          CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
        run: |
          set -Ceuo pipefail
          umask 077
          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
          TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
          OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
          ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
          ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
          if [[ ! -f "${TPL}" ]]; then
            echo "Template not found: ${TPL}"
            echo "::group::Tree of config/hooks/live"
            ls -la "${REPO_ROOT}/config/hooks/live" || true
            echo "::endgroup::"
            exit 2
          fi
          export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
          export ED25519_PUB="${ED25519_PUB//$'\r'/}"
          export RSA_PRIV="${RSA_PRIV//$'\r'/}"
          export RSA_PUB="${RSA_PUB//$'\r'/}"
          export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
          export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
          (
          cat << EOF >| "${ID_OUT}"
          ${CISS_PRIMORDIAL}
          EOF
          ) && chmod 0600 "${ID_OUT}"
          if [[ -f "${ID_OUT}" ]]; then
            echo "Written: ${ID_OUT}"
          else
            echo "Error: ${ID_OUT} not written."
          fi
          (
          cat << EOF >| "${ID_OUT_PUB}"
          ${CISS_PRIMORDIAL_PUB}
          EOF
          ) && chmod 0600 "${ID_OUT_PUB}"
          if [[ -f "${ID_OUT_PUB}" ]]; then
            echo "Written: ${ID_OUT_PUB}"
          else
            echo "Error: ${ID_OUT_PUB} not written."
          fi
          perl -0777 -pe '
            BEGIN{
              $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
              $rsa=$ENV{RSA_PRIV};    $rsapub=$ENV{RSA_PUB};
            }
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
          ' "${TPL}" > "${OUT}"
          chmod 0755 "${OUT}"
          echo "Hook rendered: ${OUT}"
      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
        shell: bash
        working-directory: ${{ github.workspace }}
        run: |
          set -euo pipefail
          chmod 0755 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
          ./ciss_live_builder.sh \
-            --autobuild=6.12.30+bpo-amd64 \
+            --autobuild=6.16.3+deb13-amd64 \
            --architecture amd64 \
            --build-directory /opt/livebuild \
            --cdi \
            --control "${timestamp}" \
            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
            --root-password-file /opt/config/password.txt \
            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
-            --ssh-pubkey /opt/config
+            --ssh-pubkey /opt/config \
            --sshfp \
            --trixie
          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
          rm -f "$OUT"
          echo "Hook removed: $OUT"
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
@@ -364,11 +325,12 @@ jobs:
          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
-          PRIVATE_FILE="LIVE_ISO_FLV_1.private"
+          VAR_DATE="$(date +%F)"
          PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
          touch "${PRIVATE_FILE}"
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -378,7 +340,7 @@ jobs:
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
-          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
          CISS.debian.live.builder ISO :
            "${VAR_ISO_FILE_NAME}"
@@ -432,7 +394,7 @@ jobs:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          PRIVATE_FILE="LIVE_ISO_FLV_1.private"
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
      - name: 🔑 Commit and sign changes with CI metadata.
@@ -456,7 +418,7 @@ jobs:
            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
-            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO FLV 1 [skip ci]
+            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
          ${CI_HEADER}
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -9,10 +9,14 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.864.2025.07.15
+### Version Master V8.13.064.2025.10.07
 name: 💙 Generating a PUBLIC Live ISO.
 defaults:
  run:
    shell: bash
 permissions:
  contents: write
@@ -24,161 +28,32 @@ on:
      - '.gitea/trigger/t_generate_PUBLIC.yaml'
 jobs:
-  generate-private-ciss-debian-live-iso:
+  generate-public-cdlb-trixie:
    name: 💙 Generating a PUBLIC Live ISO.
-    runs-on: ciss.debian.live.builder.iso.generator
+    runs-on: cdlb.trixie
    ### Run all steps inside Debian Bookworm
    container:
-      image: debian:bookworm
+      image: debian:trixie
    steps:
-      - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
+      - name: 🛠️ Basic Image Setup.
        run: |
          apt-get update -y
          apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
          echo 'deb https://deb.debian.org/debian bookworm-backports main' \
            >| /etc/apt/sources.list.d/bookworm-backports.list
          apt-get update -y
          apt-get upgrade -y
      - name: 🛠️ Installing Build Tools.
        shell: bash
        run: |
-          apt-get update -y
+          export DEBIAN_FRONTEND=noninteractive
-          apt-get install -y \
+          apt-get update
-            autoconf \
+          apt-get upgrade -y
-            automake \
+          apt-get install -y --no-install-recommends \
-            build-essential \
+            apt-utils \
-            cryptsetup \
+            bash \
            ca-certificates \
            curl \
            debootstrap \
            dosfstools \
            efibootmgr \
            gettext \
            git \
            gnupg \
-            haveged \
+            openssh-client \
-            libbz2-dev \
+            openssl \
-            zlib1g-dev \
+            perl \
            liblzma-dev \
            libtool \
            live-build \
            parted \
            pkg-config \
            ssh \
            ssl-cert \
            sudo \
-            texinfo \
+            util-linux
            wget \
            whois \
      - name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
        shell: bash
        run: |
          urls=(
            "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
            "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
          )
          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
          gpg --batch --import signature_key.asc
          for url in "${urls[@]}"; do
            archive_name="${url##*/}"
            pkg_name="${archive_name%.tar.bz2}"
            echo "🔄 Processing ${pkg_name}"
            if [[ ! -f "${archive_name}" ]]; then
              echo "📥 Downloading: '${archive_name}'."
              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
                echo "✅ Download successful: '${archive_name}'."
              else
                echo "❌ Download NOT successful: '${archive_name}'."
                exit 1
              fi
            else
              echo "💡 Skipping download, package already exists: '${archive_name}'."
            fi
            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
            if [[ ! -d "${pkg_name}" ]]; then
              echo "📂 Extracting: '${archive_name}'."
              if tar -xjf "${archive_name}"; then
                echo "✅ Extraction successful: '${archive_name}'."
              else
                echo "❌ Extraction not successful: '${archive_name}'."
                exit 1
              fi
            else
              echo "💡 Skipping directory, already exists: '${pkg_name}'."
            fi
            echo "🏗️ Build and install the package: '${pkg_name}'."
            cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
            mkdir -p build
            cd build || { echo "❌ Could not change to '/build'."; exit 1; }
            sudo ../configure > /dev/null 2>&1  || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
            make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
            sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
            cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
            echo "✅ Successful build and installation of '${pkg_name}'."
            echo "-------------------------------------------------------------------------------------"
          done
          rm -f signature_key.asc
          echo "✅ All packages were built and installed successfully."
          mv_bin=(
            "/usr/bin/gpg"
            "/usr/bin/gpg-agent"
            "/usr/bin/gpgconf"
            "/usr/bin/gpg-connect-agent"
            "/usr/bin/gpg-wks-client"
            "/usr/bin/gpg-preset-passphrase"
          )
          for bin in "${mv_bin[@]}"; do
            name="${bin##*/}"
            if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
              if mv "${bin}" "${bin}.debian-backup"; then
                echo "✅ Moved successfully: '${bin}'."
              else
                echo "❌ Moved NOT successfully: '${bin}'."
              fi
            else
              echo "💡 Does not exist as build binary: '${bin}'."
            fi
          done
          for bin in "${mv_bin[@]}"; do
            name="${bin##*/}"
            if [[ -f "/usr/local/bin/${name}" ]]; then
              if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
                echo "✅ 'update-alternatives' successfully: '${bin}'."
              else
                echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
              fi
            else
              echo "💡 Does not exist: '/usr/local/bin/${name}'."
            fi
          done
          sudo ldconfig
          gpgconf --kill all
          /usr/local/bin/gpg-agent --daemon
      - name: ⚙️ Check GnuPG Version.
        shell: bash
@@ -188,6 +63,11 @@ jobs:
      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
        shell: bash
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
@@ -269,15 +149,18 @@ jobs:
          sed -i '/^hardening_ssh.*/d' ciss_live_builder.sh
          chmod 0755 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
          ./ciss_live_builder.sh \
-            --autobuild=6.12.30+bpo-amd64 \
+            --autobuild=6.16.3+deb13-amd64 \
            --architecture amd64 \
            --build-directory /opt/livebuild \
            --cdi \
            --control "${timestamp}" \
            --debug \
            --root-password-file /opt/config/password.txt \
            --ssh-port 42137 \
-            --ssh-pubkey /opt/config
+            --ssh-pubkey /opt/config \
            --trixie
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
@@ -364,11 +247,12 @@ jobs:
          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
          VAR_DATE="$(date +%F)"
          PRIVATE_FILE="LIVE_ISO.public"
          touch "${PRIVATE_FILE}"
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -378,7 +262,7 @@ jobs:
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
-          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
          CISS.debian.live.builder ISO :
            "${VAR_ISO_FILE_NAME}"
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.864.2025.07.15
+### Version Master V8.13.064.2025.10.07
 # Gitea Workflow: Shell-Script Linting
 #
@@ -41,6 +41,10 @@ jobs:
        shell: bash
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
@@ -202,11 +206,12 @@ jobs:
            echo -e "⚠️ Linting issues detected:\n"
            echo -e "${findings}"
            timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
            VAR_DATE="$(date +%F)"
            PRIVATE_FILE="LINTER_RESULTS.txt"
            touch "${PRIVATE_FILE}"
            cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -216,7 +221,7 @@ jobs:
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
-          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
          ⚠️ The last linter check was NOT successful. ⚠️
@@ -225,11 +230,12 @@ jobs:
          else
            echo "✅ No issues found in shell scripts."
            timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
            VAR_DATE="$(date +%F)"
            PRIVATE_FILE="LINTER_RESULTS.txt"
            touch "${PRIVATE_FILE}"
            cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -239,7 +245,7 @@ jobs:
          # SPDX-PackageName: CISS.debian.live.builder
          # SPDX-Security-Contact: security@coresecret.eu
-          This file was automatically generated by the DEPLOY BOT on: "${timestamp}".
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
          ✅ The last linter check was successful. ✅
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.864.2025.07.15
+### Version Master V8.13.064.2025.10.07
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
@@ -33,6 +33,10 @@ jobs:
        shell: bash
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.864.2025.07.15
+### Version Master V8.13.064.2025.10.07
 name: 🔁 Render Graphviz Diagrams.
@@ -34,6 +34,10 @@ jobs:
        shell: bash
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
          ### Private Key
--- a/.gitignore
+++ b/.gitignore
@@ -16,5 +16,6 @@ target/
 *.DS_Store
 *.log
 *.ps1
 config.mk
 Thumbs.db
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/.shellcheckrc
+++ b/.shellcheckrc
@@ -0,0 +1,28 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 encoding=utf-8
 external-sources=true
 shell=bash
 source-path=~/lib
 source-path=~/scripts
 source-path=~/var
 enable=avoid-nullary-conditions
 enable=check-extra-masked-returns
 enable=check-set-e-suppressed
 enable=check-unassigned-uppercase
 enable=deprecate-which
 enable=quote-safe-variables
 enable=require-double-brackets
 enable=require-variable-braces
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.03.864.2025.07.15"
+properties_version="V8.13.064.2025.10.07"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.03.864.2025.07.15
+PackageVersion: Master V8.13.064.2025.10.07
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
--- a/LINTER_RESULTS.txt
+++ b/LINTER_RESULTS.txt
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-07; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-07-15T17:55:19Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-10-07T16:38:32Z"
 ✅ The last linter check was successful. ✅
--- a/LIVE_ISO.public
+++ b/LIVE_ISO.public
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-07-15T13:01:05Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-10-06T21:22:13Z"
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_07_15T12_12_23Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_10_06T20_28_04Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  e94f1f698fb6d6a078d3aed785302ffcad25221c92439e84bb505a39d7b4da50674063cc2f7957cca655afdcdb55871ed4990aebbb096f964336af682891aed0
+  462f68354a3b7e1c17d654126e686783694feb88fb1cb90787e262e4a6332d69f6abea2d1a67adc459f6ba8c6720defbe87c739eb2947a9f2410e10c56f6615c
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaHZREQAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaOQzBQAKCRA85KY4hzOw
-IQE/APsGY1Q8yonOxKTBUxgPPIA7ugHTfub9yWbPLcisC7J+sQEA17e8hmjJSX+O
+IaBlAQDVAFVdGRDFZ//1gBlQIAFlmYSV7G5/k2gl3mX+CvRpTgEAlyjD63v9dGiI
-NpAtnhF4dfZheybcyfJwsscrNtOieAM=
+WBMF9hYXElzZ7BC7nOzpEWMsNbKbRgI=
-=V2i8
+=nPKO
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/LIVE_ISO_TRIXIE_0.private
+++ b/LIVE_ISO_TRIXIE_0.private
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-07-15T11:05:11Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-10-06T19:34:02Z"
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_07_15T10_13_20Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_10_06T18_30_18Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  b18d79055f12e6f61a1d0b46f8648f8097da419701f3366ba127b0eff1bb0d9ef4794b1a59b66ad8d48c3e3812a1fbc81f948a66b913b036cf2b740a778a88cd
+  e1964f783ce6da34853a73fc27723228a71d3f5afde9388fadf686f1a367ed36f8fbe4ad0747b842395603f549b6d99b1cff25938511093f5313a310bf94b7fe
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaHY15wAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaOQZqgAKCRA85KY4hzOw
-Idw3AQDzmYnaCI3OADP+DB+u805S8F+QUmVIcfmUGnM0sDz78gD+I+m+BHte8lzp
+IeeUAP4i9Dh/ZBJVCfwlWzyIqbR0SBHio2ErW+NuQ7KOKxG6JwD+If47NhNGmazi
-rwudtbEBn9wZvy2KyFWcxlSCn3go2gU=
+QTTQAWOjdQiCibBZFO1h9udGX4SFvww=
-=nGnJ
+=gaNi
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/LIVE_ISO_TRIXIE_1.private
+++ b/LIVE_ISO_TRIXIE_1.private
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-07; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-This file was automatically generated by the DEPLOY BOT on: "2025-07-15T12:03:16Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-10-07T17:29:34Z"
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_07_15T11_14_23Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_10_07T16_37_57Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  a022fe082d5d06db05e4c53f09b59ee57f483a3d2a2a143403d93c27a2d454ec8982ccaeb957f654c0879276befc7d9ab2333f407c8089306348c7a10fd39a20
+  f1c8377d5b627acea54a83c2e54d807d6dd189b7036772d347bcf20f3f172737cd7aec8165adc220e643efe744619254e78937a3958b87515fb41f67beb79d72
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaHZDhAAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaOVN/gAKCRA85KY4hzOw
-IV0hAQCl7xeM8Art2obImFmhUBKDOLcLifegqY/jKY9729EM/wEAzJTRuLts9Jzy
+IdozAQCEp41v8I2pEzLpcVeWvIr4nPN2pPr5EoR/pkmWwmYrRgEA4aBkNCAqtNlR
-PXje4fYxZiNOoFv3hz7Xwt5q9rPn/AE=
+6O6vjOaor2r6wZKtu06ytxtvh4vIlgw=
-=S0vW
+=l0QQ
 -----END PGP SIGNATURE-----
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/README.md
+++ b/README.md
@@ -2,17 +2,17 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.03.864.2025.07.15-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.064.2025.10.07-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/Bash-V5.2.15-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=Bash&color=%234EAA25)](https://www.gnu.org/software/bash/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Bash-V5.2.37-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=Bash&color=%234EAA25)](https://www.gnu.org/software/bash/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/shellcheck-passed-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=shellcheck&color=%234EAA25)](https://shellcheck.net/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
 &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.2-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.6-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.1.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
@@ -25,8 +25,8 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
+**Master Version**: 8.13<br>
-**Build**: V8.03.864.2025.07.15<br>
+**Build**: V8.13.064.2025.10.07<br>
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -70,7 +70,16 @@ separate directory tree, employs `DynamicUser` features, and adheres to strict s
 rating of **``2.6``**). Docker containers used by runners do not run in privileged mode. Security is further enhanced through the use 
 of both UFW software firewalls and dedicated hardware firewall appliances.
-## 1.2. Immutable Source-of-Truth System
+## 1.2. Match Host and Target Versions
 Build, for example, a Debian Trixie live image only on a Debian Trixie host. The build toolchain and boot artifacts are 
 release-specific: ``live-build``, ``live-boot``, ``live-config``, ``debootstrap``, ``kernel/initramfs`` tools, ``mksquashfs``, 
 ``GRUB/ISOLINUX``, and even ``dpkg/apt`` often change defaults and formats between releases (e.g., compression modes, SquashFS 
 options, hook ordering, systemd/udev behavior). Building on a different host release commonly yields non-reproducible or even 
 unbootable ISOs (missing modules/firmware, ABI mismatches, divergent paths). Keeping host and target on the same version ensures
 reproducible builds, matching dependencies, and compatible boot artifacts.
 ## 1.3. Immutable Source-of-Truth System
 This live ISO establishes a secure, fully deterministic, integrity self-verifying boot environment based entirely on static
 source-code definitions. All configurations, system components, and installation routines are embedded during build time and 
@@ -89,7 +98,7 @@ or shell-access, also via the forthcoming `CISS.debian.installer`. Such a versio
 provisions the target device from embedded source artifacts, and reboots into a fully encrypted system image. The system then 
 awaits the decryption passphrase input via an embedded Dropbear SSH server (SSH PubKey only) in the initramfs, exposing no ports
 without cryptographic hardened access, while also the `/boot` partition could be encrypted via the built-in support of 
-`grub2 (2.12-1~bpo12+1)`.<br>
+`grub2 (2.12-9)`.<br>
 This approach provides a fully reproducible, audit-friendly, and tamper-resistant provisioning workflow rooted entirely in 
 source-defined infrastructure logic.<br>
@@ -103,11 +112,11 @@ After build and configuration, the following audit reports can be generated:
 * **SSH Audit Report**: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations.
  Type `ssh-audit <IP>:<PORT>`. See example report: **[SSH Audit Report](/docs/AUDIT_SSH.md)**
-## 1.3. Preview
+## 1.4. Preview
 ![CISS.debian.live.builder](/docs/screenshots/CISS.debian.live.builder_preview.jpeg)
-## 1.4. Caution. Significant information for those considering using D-I.
+## 1.5. Caution. Significant information for those considering using D-I.
 **The Debian Installer (d-i) will ALWAYS boot a new system.**<br>
@@ -138,18 +147,18 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 * Logging (rsyslog, journald) ✘ not active,
 * preseed control over the network is possible (but without any protection).
-## 1.5. Versioning Schema
+## 1.6. Versioning Schema
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `V8.03.864.2025.07.15`
+Example: `V8.13.064.2025.10.07`
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
 Date (YYYY.MM.DD) denotes the build or release date, facilitating clear tracking of incremental changes and ensuring 
 reproducibility and traceability.
-## 1.6. Keywords
+## 1.7. Keywords
 The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
 "MAY", and "OPTIONAL" in this Repo are to be interpreted as described in [[BCP 14](https://www.rfc-editor.org/info/bcp14)], 
@@ -389,35 +398,52 @@ apply or revert these controls.
 set -o errexit   # Exit script when a command exits with non-zero status (same as "set -e").
 set -o errtrace  # Inherit ERR traps in subshells (same as "set -E").
 set -o functrace # Inherit DEBUG and RETURN traps in subshells (same as "set -T").
 set -o ignoreeof # An interactive shell will not exit upon reading EOF.
 set -o nounset   # Exit script on use of an undefined variable (same as "set -u").
 set -o pipefail  # Return the exit status of the last failed command in a pipeline.
 set -o noclobber # Prevent overwriting files via redirection (same as "set -C").
 ```
 * The following `shopt` options are applied at the beginning of the script (see
  [Bash Manual, The Shopt Builtin](https://www.gnu.org/software/bash/manual/bash.html#The-Shopt-Builtin)):
 ````bash
 shopt -s failglob        # If set, patterns that fail to match filenames during filename expansion result in an expansion error.
 shopt -s inherit_errexit # If set, command substitution inherits the value of the errexit option instead of unsetting it in the
                         # subshell environment.
 shopt -s lastpipe        # If set, and job control is not active, the shell runs the last command of a pipeline not executed in
                         # the background in the current shell environment.
 shopt -u expand_aliases  # If set, aliases are expanded as described. This option is enabled by default for interactive shells.
 shopt -u dotglob         # If set, Bash includes filenames beginning with a '.' in the results of filename expansion.
 shopt -u extglob         # If set, enable the extended pattern matching features.
 shopt -u nullglob        # If set, filename expansion patterns that match no files expand to nothing and are removed.
 ````
 * **Rationale**: These options enforce strict error checking and handling, reducing silent failures and ensuring 
 predictable script behavior.
 # 4. Prerequisites
-* **Host**: Debian Bookworm or newer with `live-build` package installed.
+* **Host**: Debian Trixie with `live-build` and ``debootstrap`` packages installed.
 * **Privileges**: Root or sudo access to execute `ciss_live_builder.sh` and related scripts.
 * **Network**: Outbound access to Debian repositories and PTB NTPsec pool.
 # 5. Installation & Usage
-# 5.1. Interactive CLI / Dialog Wrapper
+## 5.1. Interactive CLI / Dialog Wrapper
 1. Clone the repository:
   ```bash
   git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
   cd CISS.debian.live.builder
   ```
 2. Preparation:
   1. Ensure you are root.
   2. Create the build directory `mkdir /opt/livebuild`.
   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
   4. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
   5. Make any other changes you need to.
 3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):
   ````bash
@@ -427,6 +453,7 @@ predictable script behavior.
                          --build-directory /opt/livebuild \
                          --change-splash hexagon \
                          --control "${timestamp}" \
                          --cdi \
                          --debug \
                          --dhcp-centurion \
                          --jump-host 10.0.0.128 [c0de:4711:0815:4242::1] [2abc:4711:0815:4242::1]/64 \
@@ -435,8 +462,10 @@ predictable script behavior.
                          --reionice-priority 1 2 \
                          --root-password-file /opt/gitea/CISS.debian.live.builder/password.txt \
                          --ssh-port 4242 \
-                          --ssh-pubkey /opt/gitea/CISS.debian.live.builder
+                          --ssh-pubkey /opt/gitea/CISS.debian.live.builder \
                          --trixie
   ````
 4. Locate your ISO in the `--build-directory`.
 5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel.
 6. Type `sysp` for the final kernel hardening features.
@@ -444,7 +473,46 @@ predictable script behavior.
 8. Finally, audit your environment with `lsadt` for a comprehensive Lynis audit.
 9. Type `celp` for some shortcuts.
-# 5.2. CI/CD Gitea Runner Workflow Example
+## 5.2. Make Wrapper, Quick Usage
 This repo ships a thin make wrapper around ``./ciss_live_builder.sh``, so you can compose a correctly quoted command and either 
 preview it or run it.
 1. Clone the repository:
   ```bash
   git clone https://git.coresecret.dev/msw/CISS.debian.live.builder.git
   cd CISS.debian.live.builder
   ```
 2. Preparation:
   1. Ensure you are root.
   2. Create the build directory `mkdir /opt/livebuild`.
   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
   4. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
   5. Copy and edit the sample and set your options (no spaces around commas in lists): 
    ````bash
    cp config.mk.sample config.mk
    ````
    ````bash
    BUILD_DIR=/opt/livebuild
    ROOT_PASSWORD_FILE=/opt/gitea/CISS.debian.live.builder/password.txt
    SSH_PORT=4242
    SSH_PUBKEY=/root/.ssh
    # Optional
    PROVIDER_NETCUP_IPV6=2001:cdb::1
    # comma-separated; IPv6 in [] is fine
    JUMP_HOSTS=[2001:db8::1],[2001:db8::2]     
    ````
 3. Dry-run first (prints the exact command): ````make dry-run````
 4. Execute the build: ````make live````
 ## 5.3. CI/CD Gitea Runner Workflow Example
 1. Clone the repository:
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -13,37 +13,93 @@
 ### Contributions so far see ./docs/CREDITS.md
 ### WHY BASH?
-# Ease of installation.
+# Ease of installation. No compiling or installing gems, CPAN modules, pip packages, etc. Simple to use and read. Clear syntax
-# No compiling or installing gems, CPAN modules, pip packages, etc.
+# and straightforward output interpretation. Built-in power. Pattern matching, line processing, and regular expression support
-# Simple to use and read. Clear syntax and straightforward output interpretation.
+# are available natively, no external binaries required. Cross-platform consistency. '/bin/bash' is the default shell on most
-# Built-in power.
+# Linux distributions, ensuring scripts run unmodified across systems. macOS compatibility. Since macOS Catalina (10.15), the
-# Pattern matching, line processing, and regular expression support are available natively,
+# default login shell has been zsh, but bash remains available at '/bin/bash'. Windows support. You can use bash via WSL, MSYS2,
-# no external binaries required.
+# or Cygwin on Windows systems.
 # Cross-platform consistency.
 # '/bin/bash' is the default shell on most Linux distributions, ensuring scripts run unmodified across systems.
 # macOS compatibility.
 # Since macOS Catalina (10.15), the default login shell has been zsh, but bash remains available at '/bin/bash'.
 # Windows support.
 # You can use bash via WSL, MSYS2, or Cygwin on Windows systems.
-### Preliminary checks
+### CATCH ARGUMENTS AND DECLARE BASIC VARIABLES.
 # shellcheck disable=SC2155
 declare -girx VAR_START_TIME="${SECONDS}"                                # Start time of script execution.
 declare -grx  VAR_PARAM_COUNT="$#"                                       # Arguments passed to script.
 declare -grx  VAR_PARAM_STRNG="$*"                                       # Arguments passed to script as string.
 declare -ag   ARY_PARAM_ARRAY=("$@")                                     # Arguments passed to script as an array.
 declare -grx  VAR_SETUP_FILE="${0##*/}"                                  # 'ciss_debian_live_builder.sh'
 declare -grx  VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)"          # '/opt/git/CISS.debian.live.builder'
 declare -grx  VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/opt/git/CISS.debian.live.builder/ciss_debian_live_builder.sh'
 # shellcheck disable=SC2155
 declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
 # shellcheck disable=SC2155
 declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
 # shellcheck disable=SC2155
 declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
 ### PRELIMINARY CHECKS.
 ### No ash, dash, ksh, sh.
 # shellcheck disable=2292
 [ -z "${BASH_VERSINFO[0]}" ] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2; exit "${ERR_UNSPPTBASH}"; }
+  . ./var/global.var.sh
  printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2
  exit "${ERR_UNSPPTBASH}"
 }
 ### No zsh.
 [[ -n "${ZSH_VERSION:-}" ]] && {
  . ./var/global.var.sh
  printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2
  exit "${ERR_UNSPPTBASH}"
 }
 ### Not root.
 [[ ${EUID} -ne 0 ]] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Please make sure you are 'root'! Bye... \e[0m\n" >&2; exit "${ERR_NOT_USER_0}"; }
+  . ./var/global.var.sh
  printf "\e[91m❌ Please make sure you are 'root'! Bye... \e[0m\n" >&2
  exit "${ERR_NOT_USER_0}"
 }
 ### Check to be not called by sh.
 # shellcheck disable=2312
 [[ $(kill -l | grep -c SIG) -eq 0 ]] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2; exit "${ERR_UNSPPTBASH}"; }
+  . ./var/global.var.sh
  printf "\e[91m❌ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2
  exit "${ERR_UNSPPTBASH}"
 }
 ### Check to be not sourced.
 [[ "${BASH_SOURCE[0]}" != "$0" ]] && {
  . ./var/global.var.sh
  printf "\e[91m❌ This script must be executed, not sourced. Please run '%s' directly! Bye... \e[0m\n" "$0" >&2
  exit "${ERR_UNSPPTBASH}"
 }
 ### Minimum Bash version 5.
 [[ ${BASH_VERSINFO[0]} -lt 5 ]] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
+  . ./var/global.var.sh
  printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2
  exit "${ERR_UNSPPTBASH}"
 }
 ### Minimum Bash version 5.1.
 [[ ${BASH_VERSINFO[0]} -le 5 ]] && [[ ${BASH_VERSINFO[1]} -le 1 ]] && {
-  . ./var/global.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSPPTBASH}"; }
+  . ./var/global.var.sh
  printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2
  exit "${ERR_UNSPPTBASH}"
 }
 ### No arguments.
 [[ ${#} -eq 0 ]] && {
-  . ./lib/lib_usage.sh; usage; exit 1; }
+  . ./lib/lib_usage.sh
  usage
  exit 1
 }
 ### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING(), CHECK_GIT()
 . ./var/early.var.sh
 . ./lib/lib_guard_sourcing.sh
-. ./lib/lib_git_var.sh
+. ./lib/lib_source_guard.sh
 source_guard "./lib/lib_git_var.sh"
 ### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG
 for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh; contact; exit 0;; esac; done
@@ -51,47 +107,49 @@ for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh; usage
 for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh; version; exit 0;; esac; done
 ### ALL CHECKS DONE. READY TO START THE SCRIPT
 source_guard "./var/bash.var.sh"
 check_git
 for arg in "$@"; do case "${arg,,}" in -d|--debug) . ./meta_sources_debug.sh; debugger "${@}";; esac; done
 declare -gx VAR_SETUP="true"
 ### SOURCING VARIABLES
 [[ "${VAR_SETUP}" == true ]] && {
-  . ./var/bash.var.sh
+  source_guard "./var/color.var.sh"
-  . ./var/color.var.sh
+  source_guard "./var/global.var.sh"
  . ./var/global.var.sh
 }
 ### SOURCING LIBRARIES
 [[ "${VAR_SETUP}" == true ]] && {
-  . ./lib/lib_arg_parser.sh
+  source_guard "./lib/lib_arg_parser.sh"
-  . ./lib/lib_arg_priority_check.sh
+  source_guard "./lib/lib_arg_priority_check.sh"
-  . ./lib/lib_boot_screen.sh
+  source_guard "./lib/lib_boot_screen.sh"
-  . ./lib/lib_cdi.sh
+  source_guard "./lib/lib_cdi.sh"
-  . ./lib/lib_change_splash.sh
+  source_guard "./lib/lib_change_splash.sh"
-  . ./lib/lib_check_dhcp.sh
+  source_guard "./lib/lib_check_dhcp.sh"
-  . ./lib/lib_check_hooks.sh
+  source_guard "./lib/lib_check_hooks.sh"
-  . ./lib/lib_check_kernel.sh
+  source_guard "./lib/lib_check_kernel.sh"
-  . ./lib/lib_check_pkgs.sh
+  source_guard "./lib/lib_check_pkgs.sh"
-  . ./lib/lib_check_provider.sh
+  source_guard "./lib/lib_check_provider.sh"
-  . ./lib/lib_check_stats.sh
+  source_guard "./lib/lib_check_stats.sh"
-  . ./lib/lib_check_var.sh
+  source_guard "./lib/lib_check_var.sh"
-  . ./lib/lib_clean_screen.sh
+  source_guard "./lib/lib_clean_screen.sh"
-  . ./lib/lib_clean_up.sh
+  source_guard "./lib/lib_clean_up.sh"
-  . ./lib/lib_copy_integrity.sh
+  source_guard "./lib/lib_copy_integrity.sh"
-  . ./lib/lib_hardening_root_pw.sh
+  source_guard "./lib/lib_hardening_root_pw.sh"
-  . ./lib/lib_hardening_ssh.sh
+  source_guard "./lib/lib_hardening_ssh.sh"
-  . ./lib/lib_hardening_ultra.sh
+  source_guard "./lib/lib_hardening_ultra.sh"
-  . ./lib/lib_helper_ip.sh
+  source_guard "./lib/lib_helper_ip.sh"
-  . ./lib/lib_lb_build_start.sh
+  source_guard "./lib/lib_lb_build_start.sh"
-  . ./lib/lib_lb_config_start.sh
+  source_guard "./lib/lib_lb_config_start.sh"
-  . ./lib/lib_lb_config_write.sh
+  source_guard "./lib/lib_lb_config_write.sh"
-  . ./lib/lib_provider_netcup.sh
+  source_guard "./lib/lib_lb_config_write_trixie.sh"
-  . ./lib/lib_run_analysis.sh
+  source_guard "./lib/lib_note_target.sh"
-  . ./lib/lib_sanitizer.sh
+  source_guard "./lib/lib_provider_netcup.sh"
-  . ./lib/lib_trap_on_err.sh
+  source_guard "./lib/lib_run_analysis.sh"
-  . ./lib/lib_trap_on_exit.sh
+  source_guard "./lib/lib_sanitizer.sh"
-  . ./lib/lib_usage.sh
+  source_guard "./lib/lib_trap_on_err.sh"
  source_guard "./lib/lib_trap_on_exit.sh"
  source_guard "./lib/lib_usage.sh"
 }
 ### ADVISORY LOCK
@@ -113,67 +171,79 @@ for dir in /usr/local/sbin /usr/sbin; do case ":${PATH}:" in *":${dir}:"*) ;; *)
 check_pkgs
 ### DIALOG OUTPUT FOR INITIALIZATION
-if ! $VAR_HANDLER_AUTOBUILD; then boot_screen; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen; fi
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nAdditional initialization ... \nXXX\n30\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nAdditional initialization ... \nXXX\n30\n" >&3; fi
 ### Initialization
 declare -gr ARGUMENTS_COUNT="$#"
 declare -gr ARG_STR_ORG_INPUT="$*"
 #declare -ar ARG_ARY_ORG_INPUT=("$@")
 # shellcheck disable=SC2155
 declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
 # shellcheck disable=SC2155
 declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
 # shellcheck disable=SC2155
 declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
 ### Following the CISS Bash naming and ordering scheme:
 trap 'trap_on_exit "$?"' EXIT
 trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
 arg_check "$@"
 declare -ar ARY_ARG_SANITIZED=("$@")
 declare -gr VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi
 arg_parser "$@"
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi
 clean_ip
 ### Updating Status of Dialog Gauge Bar
-if ! $VAR_HANDLER_AUTOBUILD; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi
 ### Turn off Dialog Wrapper
-if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
 ### MAIN Program
 arg_priority_check
 check_stats
-if ! $VAR_HANDLER_AUTOBUILD; then check_provider; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then check_provider; fi
-if ! $VAR_HANDLER_AUTOBUILD; then check_kernel; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then check_kernel; fi
 if [[ ! "${VAR_SSHFP}" == "true" ]]; then
  rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
  rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
 fi
 check_hooks
 hardening_ssh
 lb_config_start
 lb_config_write
 if [[ "${VAR_SUITE}" == "bookworm" ]]; then
  lb_config_write
  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_trixie.chroot"
  rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/etc/login.defs"
 else
  lb_config_write_trixie
  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/0003_install_backports.chroot"
  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_bookworm.chroot"
 fi
 # shellcheck disable=SC2164
 cd "${VAR_WORKDIR}"
 hardening_ultra
 hardening_root_pw
 change_splash
 check_dhcp
 cdi
 provider_netcup
 note_target
 ### Start the build process
 set +o errtrace
--- a/config.mk.sample
+++ b/config.mk.sample
@@ -0,0 +1,21 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-08-21; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 BUILD_DIR            ?=
 PROVIDER_NETCUP_IPV6 ?=
 ROOT_PASSWORD_FILE   ?=
 SSH_PORT             ?=
 SSH_PUBKEY           ?=
 ### Comma-separated jump hosts (can be empty):
 JUMP_HOSTS           ?=
 # vim: set ft=make noet ts=8 sw=8
--- a/config/hooks/live/0000_generate_backup_dir.chroot
+++ b/config/hooks/live/0000_generate_backup_dir.chroot
@@ -9,10 +9,9 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 mkdir -p /root/.ciss/dlb/backup
 chmod 0700 /root/.ciss/dlb/backup
@@ -21,7 +20,6 @@ mkdir -p /root/git
 chmod 0700 /root/git
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0001_initramfs_modules.chroot
+++ b/config/hooks/live/0001_initramfs_modules.chroot
@@ -6,13 +6,12 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 #######################################
 # Get all NIC Driver of the current Host-machine
@@ -21,7 +20,9 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 #######################################
 grep_nic_driver_modules() {
  declare _mods
-  # Gather all Driver and sort unique
+
  ### Gather all Driver and sort unique.
  # shellcheck disable=SC2312
  readarray -t _mods < <(
    lspci -k \
      | grep -A2 -i ethernet \
@@ -51,7 +52,7 @@ cat << EOF >| /etc/initramfs-tools/modules
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -67,35 +68,45 @@ cat << EOF >| /etc/initramfs-tools/modules
 # raid1
 # sd_mod
-### QEMU Bochs-compatible virtual machine support
+### Main btrfs-Stack
 bochs
 ### Device-mapper core module (required for all dm_* features)
 dm_mod
 ### Device-mapper integrity target (provides integrity checking)
 dm-integrity
 ### Device-mapper crypt target (provides disk encryption)
 dm-crypt
 ### Generic AES block cipher implementation (used by dm-crypt)
 aes_generic
 ### Generic SHA-256 hashing algorithm (used by various crypto and integrity targets)
 sha256_generic
 ### Generic CRC32C checksum implementation (used by btrfs and other filesystems)
 crc32c_generic
 ### Main btrfs filesystem module
 btrfs
-
+lzo
-### Zstandard compression support for btrfs
+xor
 xxhash
 zstd
 zstd_compress
-### XOR parity implementation for RAID functionality
+### Main ext4-Stack
-xor
+ext4
 jbd2
 libcrc32c
 ### Main VFAT/ESP/FAT/UEFI-Stack
 exfat
 fat
 nls_ascii
 nls_cp437
 nls_iso8859-1
 nls_iso8859-15
 nls_utf8
 vfat
 ### Device mapper, encryption & integrity
 dm_mod
 dm_crypt
 dm_integrity
 dm_verity
 ### Main cryptography-Stack
 aes_generic
 blake2b_generic
 crc32c_generic
 libcrc32c
 sha256_generic
 sha512_generic
 ### QEMU Bochs-compatible virtual machine support
 bochs
 ### RAID6 parity generation module
 raid6_pq
@@ -103,6 +114,37 @@ raid6_pq
 ### Combined RAID4/5/6 support module
 raid456
 ### SCSI/SATA-Stack
 sd_mod
 sr_mod
 sg
 ahci
 libahci
 ata_generic
 libata
 scsi_mod
 scsi_dh_alua
 ### NVMe-Stack
 nvme
 nvme_core
 ### USB-Stack
 xhci_pci
 xhci_hcd
 ehci_pci
 ohci_pci
 uhci_hcd
 usb_storage
 uas
 ### Virtual-Machines-Stack
 virtio_pci
 virtio_blk
 virtio_scsi
 virtio_rng
 virtio_console
 ### Network Driver Host-machine
 "${nic_driver}"
@@ -116,7 +158,7 @@ cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -151,7 +193,7 @@ cat << 'EOF' >| /etc/initramfs-tools/initramfs.conf
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -256,7 +298,7 @@ cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -285,10 +327,9 @@ EOF
 chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder
 ### Regenerate the initramfs for the live system kernel
-update-initramfs -u -k all
+update-initramfs -u -k all -v
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0002_verify_checksums.chroot
+++ b/config/hooks/live/0002_verify_checksums.chroot
@@ -6,13 +6,12 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 target="/usr/lib/live/boot/0030-verify-checksums"
 src="$(mktemp)"
@@ -30,7 +29,7 @@ cat << 'EOF' >| "${src}"
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -138,7 +137,6 @@ rm -f "${src}"
 unset target src
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0050_activate_root.chroot
+++ b/config/hooks/live/0050_activate_root.chroot
@@ -6,19 +6,16 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 if [[ ! -f /root/.pwd ]]; then
  printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ /root/.pwd NOT found. \e[0m\n"
  # sleep 1
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Exiting Hook ... \e[0m\n"
  # sleep 1
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' done. Nothing changed. \e[0m\n" "${0}"
  exit 0
 fi
@@ -38,7 +35,6 @@ sed -i "s|^user:[^:]*:\(.*\)|user:${safe_hashed_pwd}:\1|" /etc/shadow
 unset hashed_pwd safe_hashed_pwd
 cat /etc/shadow
 # sleep 1
 if shred -vfzu -n 5 /root/.pwd; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: -vfzu -n 5 >> done. \e[0m\n"
@@ -47,7 +43,6 @@ else
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0080_keyboard_layout.chroot
+++ b/config/hooks/live/0080_keyboard_layout.chroot
@@ -9,10 +9,9 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cat << 'EOF' >| /etc/default/keyboard
 XKBMODEL="pc105"
@@ -25,7 +24,6 @@ EOF
 dpkg-reconfigure -f noninteractive keyboard-configuration
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0090_haveged.chroot
+++ b/config/hooks/live/0090_haveged.chroot
@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
--- a/config/hooks/live/0120_set_hostname.chroot
+++ b/config/hooks/live/0120_set_hostname.chroot
@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
--- a/config/hooks/live/0130_machineid.chroot
+++ b/config/hooks/live/0130_machineid.chroot
@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
--- a/config/hooks/live/0400_eza_install.chroot
+++ b/config/hooks/live/0400_eza_install.chroot
@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
--- a/config/hooks/live/0800_lynis_setup.chroot
+++ b/config/hooks/live/0800_lynis_setup.chroot
@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
--- a/config/hooks/live/0810_chrony_setup.chroot
+++ b/config/hooks/live/0810_chrony_setup.chroot
@@ -9,10 +9,9 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 mkdir -p /var/log/chrony
 # See https://coresecret.eu/tutorials/debian-package-glossary/ for a brief description of the installed packages.
@@ -39,14 +38,13 @@ authselectmode require
 server ptbtime1.ptb.de iburst nts minpoll 5 maxpoll 9
 server ptbtime2.ptb.de iburst nts minpoll 5 maxpoll 9
 server ptbtime3.ptb.de iburst nts minpoll 5 maxpoll 9
-server ptbtime4.ptb.de iburst nts noselect minpoll 5 maxpoll 9
+server ptbtime4.ptb.de iburst nts minpoll 5 maxpoll 9
-# server nts.netnod.se iburst nts minpoll 5 maxpoll 9
+server sth1.ntp.se iburst nts minpoll 5 maxpoll 9
-
+server ntp0.fau.de iburst nts minpoll 5 maxpoll 9
 server ntp13.metas.ch iburst nts minpoll 5 maxpoll 9
 # server ntp.ripe.net iburst nts minpoll 5 maxpoll 9
 # server ntp12.metas.ch iburst nts minpoll 5 maxpoll 9
 # server ntp2.tecnico.ulisboa.pt iburst nts minpoll 5 maxpoll 9
 # server time-c-b.nist.gov iburst nts minpoll 5 maxpoll 9
 server ntp0.fau.de iburst nts minpoll 5 maxpoll 9
 leapsectz right/UTC
--- a/config/hooks/live/0820_kernel_hardening_checker.chroot
+++ b/config/hooks/live/0820_kernel_hardening_checker.chroot
@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
--- a/config/hooks/live/0822_ssh_restart_hook.chroot
+++ b/config/hooks/live/0822_ssh_restart_hook.chroot
@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
--- a/config/hooks/live/0825_my_sqltuner_perl.chroot
+++ b/config/hooks/live/0825_my_sqltuner_perl.chroot
@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
--- a/config/hooks/live/0830_download_yq.chroot
+++ b/config/hooks/live/0830_download_yq.chroot
@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
--- a/config/hooks/live/0835_testssl.sh.chroot
+++ b/config/hooks/live/0835_testssl.sh.chroot
@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
--- a/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
+++ b/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
--- a/config/hooks/live/0845_harbian_audit.chroot
+++ b/config/hooks/live/0845_harbian_audit.chroot
@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
--- a/config/hooks/live/0850_ssh_audit.chroot
+++ b/config/hooks/live/0850_ssh_audit.chroot
@@ -6,10 +6,10 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
--- a/config/hooks/live/0855_dnsviz.chroot
+++ b/config/hooks/live/0855_dnsviz.chroot
@@ -6,10 +6,10 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
--- a/config/hooks/live/0900_ufw_setup.chroot
+++ b/config/hooks/live/0900_ufw_setup.chroot
@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
--- a/config/hooks/live/9900_process_accounting.chroot
+++ b/config/hooks/live/9900_process_accounting.chroot
@@ -6,28 +6,32 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 apt-get install -y acct
 if [[ ! -d /etc/systemd/system/multi-user.target.wants ]]; then
  mkdir -p /etc/systemd/system/multi-user.target.wants
 fi
 if ln -s /lib/systemd/system/acct.service /etc/systemd/system/multi-user.target.wants/acct.service; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'Process Accounting' enabled successful. \e[0m\n"
 else
  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'Process Accounting' already enabled. \e[0m\n" >&2
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9910_motd.chroot
+++ b/config/hooks/live/9910_motd.chroot
@@ -6,13 +6,12 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 mkdir -p /root/.ciss/dlb/backup/update-motd.d
 cp -af /etc/update-motd.d/* /root/.ciss/dlb/backup/update-motd.d
@@ -24,8 +23,7 @@ EOF
 chmod 0755 /etc/update-motd.d/10-uname
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${0}"
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9920_deleting_invalid_x509.chroot
+++ b/config/hooks/live/9920_deleting_invalid_x509.chroot
@@ -9,10 +9,9 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 declare -a search_dirs=("/etc/ssl/certs" "/usr/local/share/ca-certificates" "/usr/share/ca-certificates" "/etc/letsencrypt")
 declare backup_dir="/root/.ciss/dlb/backup/certificates"
@@ -31,13 +30,20 @@ declare -ax expired_certificates=()
 #######################################
 create_backup() {
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Backup Certificate: '%s' ... \e[0m\n" "${backup_dir}"
  mkdir -p "${backup_dir}"
  declare dir=""
  for dir in "${search_dirs[@]}"; do
-    if [ -d "${dir}" ] && compgen -G "${dir}"/* > /dev/null; then
+
    if [[ -d "${dir}" ]] && compgen -G "${dir}"/* > /dev/null; then
      cp -r "${dir}"/* "${backup_dir}"
    fi
  done
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Backup Certificate: '%s' done.\e[0m\n" "${backup_dir}"
 }
@@ -59,18 +65,25 @@ check_certificates() {
  declare cert=""
  declare cert_date=""
  declare cert_date_seconds=""
  for dir in "${search_dirs[@]}"; do
    # shellcheck disable=SC2312
    while IFS= read -r -d '' cert; do
      cert_date=$(openssl x509 -in "${cert}" -noout -enddate | sed 's/notAfter=//')
      cert_date_seconds=$(date -d "${cert_date}" +%s)
      if [[ ${cert_date_seconds} -lt ${current_date} ]]; then
        declare -g expired_certificates+=("${cert}")
      fi
    done < <(find "${dir}" -type f \( -name "*.crt" -o -name "*.pem" \) -print0)
  done
 }
 #   done < <(find "${dir}" -type f -name "*.crt" -o -name "*.pem" -print0)
 #   done < <(find "${DIR}" -type f \( -name "*.crt" -o -name "*.pem" \) -print0)
 #######################################
 # Find and clean all ca-certificates.crt files in SEARCH_DIRS.
@@ -84,9 +97,13 @@ check_certificates() {
 #######################################
 delete_expired_from_all_bundles() {
  declare dir bundle
  for dir in "${search_dirs[@]}"; do
    bundle="${dir}/ca-certificates.crt"
    if [[ -f ${bundle} ]]; then
      printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Checking Root-CA Bundle: '%s' ...\e[0m\n" "${bundle}"
      declare tmp_bundle="${bundle}.tmp"
      declare -a block=()
@@ -97,33 +114,57 @@ delete_expired_from_all_bundles() {
      declare line=""
      while IFS= read -r line; do
        block+=("${line}")
        if [[ ${line} == "-----END CERTIFICATE-----"   ]]; then
          cert=$(printf "%s\n" "${block[@]}")
          enddate=$(echo "${cert}" | openssl x509 -noout -enddate 2> /dev/null | sed 's/notAfter=//')
          if [[ -n ${enddate}   ]]; then
            declare cert_date_seconds=""
            cert_date_seconds=$(date -d "${enddate}" +%s)
            if [[ ${cert_date_seconds} -lt ${current_date} ]]; then
              expired=1
            else
              expired=0
            fi
          else
            expired=0
          fi
          if [[ ${expired} -eq 0 ]]; then
            printf "%s\n" "${block[@]}" >> "${tmp_bundle}"
          else
            printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅  Certificate deleted: '%s' (Expired: %s)\e[0m\n" "${bundle}" "${enddate}"
          fi
          block=()
        fi
      done < "${bundle}"
      mv -f "${tmp_bundle}" "${bundle}"
      printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Checking Root-CA Bundle: '%s' done. \e[0m\n" "${bundle}"
    fi
  done
 }
@@ -141,30 +182,38 @@ else
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Expired certificates found:\e[0m\n"
  for exp_cert in "${expired_certificates[@]}"; do
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ '%s'. \e[0m\n" "${exp_cert}"
  done
  for exp_cert in "${expired_certificates[@]}"; do
    rm -f "${exp_cert}"
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Certificate deleted: '%s'.\e[0m\n" "${exp_cert}"
    basename=$(basename "${exp_cert}")
    mozilla_entry="mozilla/${basename%.pem}.crt"
    mozilla_entry="${mozilla_entry%.crt}.crt"
    declare ca_conf="/etc/ca-certificates.conf"
    if grep -Fxq "${mozilla_entry}" "${ca_conf}"; then
      sed -i "s|^${mozilla_entry}$|#${mozilla_entry}|" "${ca_conf}"
      printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Entry in ca-certificates.conf deselected: '#%s'.\e[0m\n" "${mozilla_entry}"
    fi
  done
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache ... \e[0m\n"
  update-ca-certificates --fresh
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache done.\e[0m\n"
-  # sleep 1
+
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
+
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9930_hardening_ssh.chroot
+++ b/config/hooks/live/9930_hardening_ssh.chroot
@@ -9,17 +9,18 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /etc/ssh || {
  printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
 }
 rm -rf ssh_host_*key*
 # shellcheck disable=SC2312
 ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)"
 # shellcheck disable=SC2312
 ssh-keygen -o -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"
 awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
@@ -44,7 +45,26 @@ ssh-keygen -r @ >| /root/sshfp
 # The chmod +x command ensures that the file is executed in every shell session.          #
 ###########################################################################################
 cat << 'EOF' >| /etc/profile.d/idle-users.sh
-declare -girx TMOUT=14400
+# SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 case $- in
  *i*)
    TMOUT=14400
    export TMOUT
    readonly TMOUT
  ;;
 esac
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 chmod +x /etc/profile.d/idle-users.sh
@@ -58,7 +78,6 @@ EOF
 chmod 0644 /etc/systemd/system/ssh.service.d/override.conf
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9935_hardening_ssh.chroot.tmpl
+++ b/config/hooks/live/9935_hardening_ssh.chroot.tmpl
@@ -0,0 +1,93 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 cd /etc/ssh || {
  printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
 }
 cat << 'EOF' >| ssh_host_ed25519_key
 {{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
 EOF
 cat << 'EOF' >| ssh_host_ed25519_key.pub
 {{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
 EOF
 cat << 'EOF' >| ssh_host_rsa_key
 {{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
 EOF
 cat << 'EOF' >| ssh_host_rsa_key.pub
 {{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
 EOF
 awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
 rm -rf /etc/ssh/moduli
 mv /etc/ssh/moduli.safe /etc/ssh/moduli
 chmod 0600 /etc/ssh/ssh_host_*_key
 chown root:root /etc/ssh/ssh_host_*_key
 chmod 0644 /etc/ssh/ssh_host_*_key.pub
 chown root:root /etc/ssh/ssh_host_*_key.pub
 chmod 600 /etc/ssh/sshd_config /etc/ssh/ssh_config
 touch /root/sshfp
 ssh-keygen -r @ >| /root/sshfp
 ###########################################################################################
 # Remarks: The file /etc/profile.d/idle-users.sh is created to set two read-only          #
 # environment variables: TMOUT and HISTFILE.                                              #
 # TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
 # readonly HISTFILE ensures that the command history cannot be changed.                   #
 # The chmod +x command ensures that the file is executed in every shell session.          #
 ###########################################################################################
 cat << 'EOF' >| /etc/profile.d/idle-users.sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 case $- in
  *i*)
    TMOUT=14400
    export TMOUT
    readonly TMOUT
  ;;
 esac
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 chmod +x /etc/profile.d/idle-users.sh
 mkdir -p /etc/systemd/system/ssh.service.d
 cat << 'EOF' >| /etc/systemd/system/ssh.service.d/override.conf
 [Unit]
 After=ufw.service
 Requires=ufw.service
 EOF
 chmod 0644 /etc/systemd/system/ssh.service.d/override.conf
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9940_hardening_memory.dump.chroot
+++ b/config/hooks/live/9940_hardening_memory.dump.chroot
@@ -9,18 +9,23 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cp -u /etc/security/limits.conf /root/.ciss/dlb/backup/limits.conf.bak
 chmod 0644 /root/.ciss/dlb/backup/limits.conf.bak
-sed -i "/#*               soft    core            0/ i\*               soft    core            0" /etc/security/limits.conf
+
-sed -i "/#root            hard    core            100000/ i\*               hard    core            0" /etc/security/limits.conf
+grep -Eq '^[[:space:]]*\*[[:space:]]+soft[[:space:]]+core[[:space:]]+0[[:space:]]*$' /etc/security/limits.conf \
  || sed -i -E '/^[[:space:]]*#?[[:space:]]*soft[[:space:]]+core[[:space:]]+0[[:space:]]*$/ i\*               soft    core            0' /etc/security/limits.conf
 grep -Eq '^[[:space:]]*\*[[:space:]]+hard[[:space:]]+core[[:space:]]+0[[:space:]]*$' /etc/security/limits.conf \
  || sed -i -E '/^[[:space:]]*#?[[:space:]]*root[[:space:]]+hard[[:space:]]+core[[:space:]]+100000[[:space:]]*$/ i\*               hard    core            0' /etc/security/limits.conf
 if [[ ! -d /etc/systemd/coredump.conf.d ]]; then
  mkdir -p /etc/systemd/coredump.conf.d
 fi
 touch /etc/systemd/coredump.conf.d/disable.conf
@@ -31,7 +36,6 @@ Storage=none
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9950_fail2ban_hardening.chroot
+++ b/config/hooks/live/9950_fail2ban_hardening.chroot
@@ -9,10 +9,9 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root
@@ -33,8 +32,8 @@ cat << 'EOF' >| /etc/fail2ban/jail.d/centurion-default.conf
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.2025.debian.live.builder
+# SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 [DEFAULT]
@@ -142,7 +141,6 @@ touch /var/log/fail2ban/fail2ban.log
 chmod 640 /var/log/fail2ban/fail2ban.log
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9960_disable_services.chroot
+++ b/config/hooks/live/9960_disable_services.chroot
@@ -9,10 +9,9 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 ###########################################################################################
 # Remarks: Turn off Energy saving mode and ctrl-alt-del                                   #
@@ -25,7 +24,6 @@ done
 unset target
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9970_remove_exim.chroot
+++ b/config/hooks/live/9970_remove_exim.chroot
@@ -9,24 +9,20 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /etc
-apt-get purge exim4 -y
+apt-get purge exim4 exim4-base exim4-config  -y
 apt-get purge exim4-base -y
 apt-get purge exim4-config -y
 apt-get autoremove -y
 apt-get autoclean -y
 apt-get autopurge -y
 apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config
-apt-get update -y
+apt-get update
 apt-get upgrade -y
 if [[ -d /etc/exim4 ]]; then
@@ -34,7 +30,6 @@ if [[ -d /etc/exim4 ]]; then
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9980_usb_guard.chroot
+++ b/config/hooks/live/9980_usb_guard.chroot
@@ -9,37 +9,36 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 apt-get install -y usbguard
-# sleep 1
+### Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm
 # Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm
 touch /tmp/rules.conf
 usbguard generate-policy >> /tmp/rules.conf
 if [[ -f /etc/usbguard/rules.conf && -s /etc/usbguard/rules.conf ]]; then
  mv /etc/usbguard/rules.conf /root/.ciss/dlb/backup/usbguard_rules.conf.bak
  cp -a /tmp/rules.conf /etc/usbguard/rules.conf
  chmod 0600 /etc/usbguard/rules.conf
 else
  rm -f /etc/usbguard/rules.conf
  cp -a /tmp/rules.conf /etc/usbguard/rules.conf
  chmod 0600 /etc/usbguard/rules.conf
 fi
 cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/dlb/backup/usbguard-daemon.conf.bak
-sed -i "s/PresentDevicePolicy=apply-policy/PresentDevicePolicy=allow/" /etc/usbguard/usbguard-daemon.conf
+#sed -i "s/PresentDevicePolicy=apply-policy/PresentDevicePolicy=allow/" /etc/usbguard/usbguard-daemon.conf
 # sleep 1
 rm -f /tmp/rules.conf
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9985_clamav.chroot
+++ b/config/hooks/live/9985_clamav.chroot
@@ -9,10 +9,9 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 mkdir -p /etc/systemd/system/clamav-daemon.service.d
 cat << 'EOF' >| /etc/systemd/system/clamav-daemon.service.d/override.conf
@@ -71,7 +70,6 @@ EOF
 chmod 0644 /etc/systemd/system/clamav-freshclam.service.d/override.conf
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9990_final_purge.chroot
+++ b/config/hooks/live/9990_final_purge.chroot
@@ -9,39 +9,43 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
-apt-get update -y
+apt-get update
 apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
 #sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
 apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
 #sendmail-base sendmail-bin sendmail-cf sensible-mda sendmail-doc
 dpkg --get-selections | grep deinstall >| /tmp/deinstall.log || true
 if [[ -s /tmp/deinstall.log ]]; then
  printf "\n"
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Packages to purge ... \e[0m\n"
  sed -i 's!deinstall!!' /tmp/deinstall.log
  while IFS= read -r line; do
    declare trimmed_string
-    trimmed_string=$(echo "$line" | awk '{$1=$1};1')
+    trimmed_string=$(echo "${line}" | awk '{$1=$1};1')
    echo "y" | apt-get purge "${trimmed_string}"
    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Package '%s' purged. \e[0m\n" "${trimmed_string}"
-    # sleep 1
+
  done < /tmp/deinstall.log
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Packages to purge done. \e[0m\n"
 else
  printf "\n"
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Packages to purge, proceeding with clean up. \e[0m\n"
 fi
-apt-get update -y
+apt-get update
 apt-get upgrade -y
 rm -f /tmp/deinstall.log
@@ -52,8 +56,7 @@ apt-get autopurge -y
 updatedb
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${0}"
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9991_file_permissions.chroot
+++ b/config/hooks/live/9991_file_permissions.chroot
@@ -9,10 +9,9 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 chmod 0644 /etc/banner
 chmod 0644 /etc/issue
@@ -99,8 +98,16 @@ for bin in as gcc g++ cc clang; do
 done
 unset bin target
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${0}"
+###    Directories: 0700
-# sleep 1
+find /root -type d -exec chmod 0700 {} +
 ###    Executable files: 0700 (any x-bit set)
 find /root -type f -perm /111 -exec chmod 0700 {} +
 ###    Non-executable files: 0600
 find /root -type f ! -perm /111 -exec chmod 0600 {} +
 ###    Ownership: UID:GID (do not dereference symlinks; stay on this filesystem)
 find /root -xdev -exec chown -h root:root {} +
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9992_password_expiration.chroot
+++ b/config/hooks/live/9992_password_expiration.chroot
@@ -6,37 +6,41 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 if ! command -v chage &>/dev/null; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Info: 'chage' NOT found. Exiting hook ... \e[0m\n"
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-  # sleep 1
+
  exit 0
 fi
 declare -i max_days=16384
 # shellcheck disable=SC2312
 mapfile -t users_to_update < <(
  awk -F: '$2 !~ /^[!*]/ { print $1 }' /etc/shadow
 )
 if [[ ${#users_to_update[@]} -eq 0 ]]; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No enabled-login accounts found in /etc/shadow. Exiting hook ... \e[0m\n"
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-  # sleep 1
+
  exit 0
 fi
 declare user
 for user in "${users_to_update[@]}"; do
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Setting max password age for user '%s' to '%s' days. \e[0m\n" "${user}" "${max_days}"
-  chage --maxdays "$max_days" "$user"
+  chage --maxdays "${max_days}" "${user}"
 done
 unset max_days user users_to_update
@@ -46,7 +50,6 @@ awk -F: '$2 !~ /^\$[0-9]/ && length($2)==13 { print $1,$2 }' /etc/shadow
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ All applicable accounts have been updated. \e[0m\n"
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9993_aide.chroot
+++ b/config/hooks/live/9993_aide.chroot
@@ -6,13 +6,12 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 apt-get install -y aide > /dev/null 2>&1
@@ -20,13 +19,16 @@ cp -u /etc/aide/aide.conf /root/.ciss/dlb/backup/aide.conf.bak
 sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf
 if aideinit > /dev/null 2>&1; then
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'aideinit' successful. \e[0m\n"
 else
  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'aideinit' NOT successful. \e[0m\n" >&2
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9994_password_policy.chroot
+++ b/config/hooks/live/9994_password_policy.chroot
@@ -6,30 +6,32 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### NIST recommends at least eight characters but advises longer passphrases (e.g., 12-64) for increased security.
 ### NIST SP 800-63B, https://pages.nist.gov/800-63-3/sp800-63b.html
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
+
 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
 cp -a /etc/security/pwquality.conf /root/.ciss/dlb/backup/pwquality.conf.bak
 chmod 0644 /root/.ciss/dlb/backup/pwquality.conf.bak
-cat << 'EOF' >| /etc/security/pwquality.conf
+cat << EOF >| /etc/security/pwquality.conf
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -129,7 +131,6 @@ local_users_only
 EOF
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9995_sysstat.chroot
+++ b/config/hooks/live/9995_sysstat.chroot
@@ -6,18 +6,16 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 sed -i 's#^\(ENABLED=\).*#\1"true"#' /etc/default/sysstat
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9996_auditd.chroot
+++ b/config/hooks/live/9996_auditd.chroot
@@ -6,16 +6,15 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 ### https://github.com/linux-audit/audit-userspace/tree/master/rules
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root
@@ -50,13 +49,18 @@ EOF
 ############################################################### /etc/audit/rules.d/20-dont-audit.rules
 cat << EOF >| /etc/audit/rules.d/20-dont-audit.rules
 ## This is for don't audit rules. We put these early because audit
-### is a first match wins system. Uncomment the rules you want.
+## is a first match wins system. Uncomment the rules you want.
 ## Cron jobs fill the logs with stuff we normally don't want
-a never,user -F subj_type=crond_t
+-a never,user
 ## This prevents chrony from overwhelming the logs
-a never,exit -F arch=x86_64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
+-a never,exit -F arch=b64 -S adjtimex -F exe=/usr/sbin/chronyd
 -a never,exit -F arch=b32 -S adjtimex -F exe=/usr/sbin/chronyd
 ## Human-attributable time changes
 -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F auid>=1000 -F auid!=4294967295 -k time-change
 -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -F auid>=1000 -F auid!=4294967295 -k time-change
 ### This is not very interesting and wastes a lot of space if
 ### the server is public facing
@@ -75,8 +79,8 @@ EOF
 ############################################################### /etc/audit/rules.d/22-ignore-chrony.rules
 cat << EOF >| /etc/audit/rules.d/22-ignore-chrony.rules
 ## This rule suppresses the time-change event when chrony does time updates
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
+-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=_chrony
-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
+-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=_chrony
 EOF
 ############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
--- a/config/hooks/live/9997_debsums.chroot
+++ b/config/hooks/live/9997_debsums.chroot
@@ -9,10 +9,9 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
 cd /root
@@ -30,7 +29,6 @@ else
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9998_sources_list_bookworm.chroot
+++ b/config/hooks/live/9998_sources_list_bookworm.chroot
@@ -6,13 +6,15 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
+
 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
 cd /root
@@ -22,14 +24,14 @@ fi
 cat << 'EOF' >| /etc/apt/sources.list
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.2025.debian.live.builder
+# SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 #-----------------------------------------------------------------------------------------#
 #                                  OFFICIAL DEBIAN REPOS
--- a/config/hooks/live/9998_sources_list_trixie.chroot
+++ b/config/hooks/live/9998_sources_list_trixie.chroot
@@ -0,0 +1,127 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
 cd /root
 mkdir -p /etc/apt/apt.conf.d
 cat << EOF >| /etc/apt/apt.conf.d/00-deb822-prefer
 // Make APT ignore the classic /etc/apt/sources.list entirely.
 Dir::Etc {
  sourcelist  "/dev/null";                // classic list is ignored
  sourceparts "/etc/apt/sources.list.d";  // deb822 *.sources remain authoritative
 }
 EOF
 if [[ ! -f /etc/apt/sources.list.d/trixie.sources ]]; then
  cat << EOF >| /etc/apt/sources.list.d/trixie.sources
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 Types: deb deb-src
 URIs: https://deb.debian.org/debian/
 Suites: trixie
 Components: main contrib non-free non-free-firmware
 Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 fi
 if [[ ! -f /etc/apt/sources.list.d/trixie-security.sources ]]; then
  cat << EOF >| /etc/apt/sources.list.d/trixie-security.sources
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 Types: deb deb-src
 URIs: https://security.debian.org/debian-security/
 Suites: trixie-security
 Components: main contrib non-free non-free-firmware
 Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 fi
 if [[ ! -f /etc/apt/sources.list.d/trixie-updates.sources ]]; then
 cat << EOF >| /etc/apt/sources.list.d/trixie-updates.sources
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 Types: deb deb-src
 URIs: https://deb.debian.org/debian/
 Suites: trixie-updates
 Components: main contrib non-free non-free-firmware
 Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 fi
 if [[ ! -f /etc/apt/sources.list.d/trixie-backports.sources ]]; then
  cat << EOF >| /etc/apt/sources.list.d/trixie-backports.sources
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 Types: deb deb-src
 URIs: https://deb.debian.org/debian/
 Suites: trixie-backports
 Components: main contrib non-free non-free-firmware
 Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9999_interfaces_update.chroot
+++ b/config/hooks/live/9999_interfaces_update.chroot
@@ -9,17 +9,19 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
+
 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
 mv /etc/network/interfaces /root/.ciss/dlb/backup/interfaces.chroot
 rm -f /etc/network/interfaces
-cat << 'EOF' >| /etc/network/interfaces
+cat << EOF >| /etc/network/interfaces
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -32,6 +34,9 @@ cat << 'EOF' >| /etc/network/interfaces
 # This file describes the network interfaces available on your system
 # and how to activate them. For more information, see interfaces(5).
 EOF
 cat << 'EOF' >> /etc/network/interfaces
 ### The loopback network interface
 auto lo
 iface lo inet loopback
@@ -59,7 +64,6 @@ EOF
 chmod 0644 /etc/network/interfaces
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 # sleep 1
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.binary/boot/grub/config.cfg
+++ b/config/includes.binary/boot/grub/config.cfg
@@ -5,7 +5,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/config/includes.chroot/etc/apt/sources.list
+++ b/config/includes.chroot/etc/apt/sources.list
@@ -0,0 +1,15 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # File: /etc/apt/sources.list
 # Intentionally empty, disable classic sources.list generation (deb822 in use).
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/etc/apt/sources.list.d/trixie-backports.sources
+++ b/config/includes.chroot/etc/apt/sources.list.d/trixie-backports.sources
@@ -0,0 +1,18 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 Types: deb deb-src
 URIs: https://deb.debian.org/debian/
 Suites: trixie-backports
 Components: main contrib non-free non-free-firmware
 Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/etc/apt/sources.list.d/trixie-security.sources
+++ b/config/includes.chroot/etc/apt/sources.list.d/trixie-security.sources
@@ -0,0 +1,18 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 Types: deb deb-src
 URIs: https://security.debian.org/debian-security/
 Suites: trixie-security
 Components: main contrib non-free non-free-firmware
 Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/etc/apt/sources.list.d/trixie-updates.sources
+++ b/config/includes.chroot/etc/apt/sources.list.d/trixie-updates.sources
@@ -0,0 +1,18 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 Types: deb deb-src
 URIs: https://deb.debian.org/debian/
 Suites: trixie-updates
 Components: main contrib non-free non-free-firmware
 Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/etc/apt/sources.list.d/trixie.sources
+++ b/config/includes.chroot/etc/apt/sources.list.d/trixie.sources
@@ -0,0 +1,18 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-08-11; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 Types: deb deb-src
 URIs: https://deb.debian.org/debian/
 Suites: trixie
 Components: main contrib non-free non-free-firmware
 Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/etc/login.defs
+++ b/config/includes.chroot/etc/login.defs
@@ -0,0 +1,209 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-08-12; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 #
 # /etc/login.defs - Configuration control definitions for the shadow package.
 #
 # REQUIRED for useradd/userdel/usermod
 #   Directory where mailboxes reside, _or_ name of file, relative to the
 #   home directory.  If you _do_ define MAIL_DIR and MAIL_FILE,
 #   MAIL_DIR takes precedence.
 #
 #   Essentially:
 #      - MAIL_DIR defines the location of users mail spool files
 #        (for mbox use) by appending the username to MAIL_DIR as defined
 #        below.
 #      - MAIL_FILE defines the location of the users mail spool files as the
 #        fully-qualified filename obtained by prepending the user home
 #        directory before $MAIL_FILE
 #
 # NOTE: This is no more used for setting up users MAIL environment variable
 #       which is, starting from shadow 4.0.12-1 in Debian, entirely the
 #       job of the pam_mail PAM modules
 #       See default PAM configuration files provided for
 #       login, su, etc.
 #
 # This is a temporary situation: setting these variables will soon
 # move to /etc/default/useradd and the variables will then be
 # no more supported
 MAIL_DIR        /var/mail
 #MAIL_FILE      .mail
 #
 # Enable display of unknown usernames when login(1) failures are recorded.
 #
 # WARNING: Unknown usernames may become world readable.
 # See #290803 and #298773 for details about how this could become a security
 # concern
 LOG_UNKFAIL_ENAB	no
 #
 # Enable logging of successful logins
 #
 LOG_OK_LOGINS		yes
 #
 # If defined, file which maps tty line to TERM environment parameter.
 # Each line of the file is in a format similar to "vt100  tty01".
 #
 #TTYTYPE_FILE	/etc/ttytype
 #
 # If defined, file which inhibits all the usual chatter during the login
 # sequence.  If a full pathname, then hushed mode will be enabled if the
 # user's name or shell are found in the file.  If not a full pathname, then
 # hushed mode will be enabled if the file exists in the user's home directory.
 #
 HUSHLOGIN_FILE	.hushlogin
 #HUSHLOGIN_FILE	/etc/hushlogins
 #
 # *REQUIRED*  The default PATH settings, for superuser and normal users.
 #
 # (they are minimal, add the rest in the shell startup files)
 ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 ENV_PATH	PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
 #
 # Terminal permissions for terminals after login(1).
 # These settings are ignored for remote and other logins.
 #
 #	TTYGROUP	Login tty will be assigned this group ownership.
 #	TTYPERM		Login tty will be set to this permission.
 #
 #TTYGROUP	tty
 TTYPERM		0600
 #
 # Login configuration initializations:
 #
 #	ERASECHAR	Terminal ERASE character ('\010' = backspace).
 #	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
 #
 # The ERASECHAR and KILLCHAR are used only on System V machines.
 #
 ERASECHAR	0177
 KILLCHAR	025
 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
 # home directories.
 HOME_MODE	0700
 #
 # Password aging controls:
 #
 #	PASS_MAX_DAYS	Maximum number of days a password may be used.
 #	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
 #	PASS_WARN_AGE	Number of days warning given before a password expires.
 #
 PASS_MAX_DAYS	16384
 PASS_MIN_DAYS	1
 PASS_WARN_AGE	128
 #
 # Min/max values for automatic uid selection in useradd(8)
 #
 UID_MIN			 1000
 UID_MAX			60000
 # System accounts
 #SYS_UID_MIN		  101
 #SYS_UID_MAX		  999
 # Extra per user uids
 SUB_UID_MIN		   100000
 SUB_UID_MAX		600100000
 SUB_UID_COUNT		    65536
 #
 # Min/max values for automatic gid selection in groupadd(8)
 #
 GID_MIN			 1000
 GID_MAX			60000
 # System accounts
 #SYS_GID_MIN		  101
 #SYS_GID_MAX		  999
 # Extra per user group ids
 SUB_GID_MIN		   100000
 SUB_GID_MAX		600100000
 SUB_GID_COUNT		    65536
 #
 # Max number of login(1) retries if password is bad
 # This will most likely be overriden by PAM, since the default pam_unix module
 # has it's own built in of 3 retries. However, this is a safe fallback in case
 # you are using an authentication module that does not enforce PAM_MAXTRIES.
 #
 LOGIN_RETRIES		5
 #
 # Max time in seconds for login(1)
 #
 LOGIN_TIMEOUT		180
 #
 # Which fields may be changed by regular users using chfn(1) - use
 # any combination of letters "frwh" (full name, room number, work
 # phone, home phone).  If not defined, no changes are allowed.
 # For backward compatibility, "yes" = "rwh" and "no" = "frwh".
 #
 CHFN_RESTRICT		rwh
 #
 # If set to MD5, MD5-based algorithm will be used for encrypting password
 # If set to SHA256, SHA256-based algorithm will be used for encrypting password
 # If set to SHA512, SHA512-based algorithm will be used for encrypting password
 # If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
 # If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
 # If set to DES, DES-based algorithm will be used for encrypting password (default)
 # MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
 # Overrides the MD5_CRYPT_ENAB option
 #
 # Note: It is recommended to use a value consistent with
 # the PAM modules configuration.
 #
 ENCRYPT_METHOD YESCRYPT
 #
 # Should login be allowed if we can't cd to the home directory?
 # Default is no.
 #
 DEFAULT_HOME	yes
 #
 # The pwck(8) utility emits a warning for any system account with a home
 # directory that does not exist.  Some system accounts intentionally do
 # not have a home directory.  Such accounts may have this string as
 # their home directory in /etc/passwd to avoid a spurious warning.
 #
 NONEXISTENT	/nonexistent
 #
 # If defined, this command is run when removing a user.
 # It should remove any at/cron/print jobs etc. owned by
 # the user to be removed (passed as the first argument).
 #
 #USERDEL_CMD	/usr/sbin/userdel_local
 #
 # If set to yes, userdel(8) will remove the user's group if it contains no more
 # members, and useradd(8) will create by default a group with the name of the
 # user.
 #
 # Other former uses of this variable are not used in PAM environments, such as
 # Debian.
 #
 USERGROUPS_ENAB yes
 #
 # Added by CISS.debian.live.builder for redundance
 umask 077
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/etc/ssh/sshd_config
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.864.2025.07.15
+### Version Master V8.13.064.2025.10.07
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -31,12 +31,12 @@ ListenAddress                ::
 Port MUST_BE_CHANGED
 AllowUsers                   root
 UseDNS                       no
-### Force a key exchange after transferring 1 GiB of data or 1 hour of session time,
+### Force a key exchange after transferring 1 GiB of data or 1 hour of session time, whichever occurs first.
 ### whichever occurs first.
 RekeyLimit                   1G 1h
 HostKey                      /etc/ssh/ssh_host_ed25519_key
 HostKey                      /etc/ssh/ssh_host_rsa_key
 TrustedUserCAKeys            none
 PubkeyAuthentication         yes
 PermitRootLogin              prohibit-password
--- a/config/includes.chroot/etc/sysctl.d/99_local.hardened
+++ b/config/includes.chroot/etc/sysctl.d/99_local.hardened
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-### Version Master V8.03.864.2025.07.15
+### Version Master V8.13.064.2025.10.07
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
--- a/config/includes.chroot/preseed/.iso/iso.sh
+++ b/config/includes.chroot/preseed/.iso/iso.sh
@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 # The example names get mapped to their roles here
 declare timestamp
--- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
+++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V8.03.864.2025.07.15"
+declare -gr VERSION="Master V8.13.064.2025.10.07"
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
--- a/config/includes.chroot/preseed/.lib/sshd_config.lib
+++ b/config/includes.chroot/preseed/.lib/sshd_config.lib
@@ -5,8 +5,8 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.2025.debian.live.builder
+# SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 Include /etc/ssh/sshd_config.d/*.conf
--- a/config/includes.chroot/preseed/preseed.cfg
+++ b/config/includes.chroot/preseed/preseed.cfg
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.03.864.2025.07.15 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.064.2025.10.07 at: 10:18:37.9542
--- a/config/includes.chroot/root/.bashrc
+++ b/config/includes.chroot/root/.bashrc
@@ -1,4 +1,3 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
@@ -10,28 +9,12 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 # ~/.bashrc: executed by bash(1) for non-login shells.
 # Note: PS1 and umask are already set in /etc/profile. You should not
 # need this unless you want different defaults for root.
 # PS1='${debian_chroot:+($debian_chroot)}\h:\w\$ '
 # umask 022
 # You may uncomment the following lines if you want `ls' to be colorized:
 # export LS_OPTIONS='--color=auto'
 # eval "$(dircolors)"
 # alias ls='ls $LS_OPTIONS'
 # alias ll='ls $LS_OPTIONS -l'
 # alias l='ls $LS_OPTIONS -lA'
 #
 # Some more alias to avoid making mistakes:
 # alias rm='rm -i'
 # alias cp='cp -i'
 # alias mv='mv -i'
 [[ $- != *i* ]] && return
-trap ' "${SHELL}" /root/.ciss/clean_logout.sh ' 0
+### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
 set +o errexit +o nounset +o pipefail
 trap ' "${SHELL}" /root/.ciss/clean_logout.sh ' EXIT
 source /root/.ciss/alias
 source /root/.ciss/f2bchk.sh
 source /root/.ciss/shortcuts
@@ -55,27 +38,20 @@ export CMAG='\033[1;95m'
 export CCYA='\033[1;96m'
 export CWHI='\033[1;97m'
 export CRES='\033[0m'
-
+export NL='\n'
 #if [[ "${UID}" -eq 0 ]]; then
 #  export user_color="${CRED}"
 #else
 #  export user_color="${CGRE}"
 #fi
 ### Define bash colorful prompt
-# PS1="${user_color}\d${CRES}|${user_color}\u${CRES}@${CMAG}\h${CRES}:${CCYA}\w${CRES}/>>\$(if [[ \$? -eq 0 ]]; then echo -e \"${CGRE}\$?${CRES}\"; else echo -e \"${CRED}\$?${CRES}\"; fi)|~\$ "
+export PS1="\
-PS1="\
+\[\033[1;91m\]\d\[\033[0m\]|\
-\[\033[1;91m\]\d\[\033[0m\]|\[\033[1;91m\]\u\[\033[0m\]@\
+\[\033[1;91m\]\u\[\033[0m\]@\
 \[\033[1;95m\]\h\[\033[0m\]:\
 \[\033[1;96m\]\w\[\033[0m\]/>>\
 \$(if [[ \$? -eq 0 ]]; then \
    # Show exit status in green if zero
    echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
  else \
    # Show exit status in red otherwise
    echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
  fi)\
-|~\$ "
+\$(if [[ \$(id -u) -eq 0 ]]; then echo -e \" \[\033[1;91m\]#\[\033[0m\] \"; else echo -e \" \[\033[1;92m\]\\\$\[\033[0m\] \"; fi)"
 ### Overwrite Protection
 set -o noclobber
@@ -83,11 +59,15 @@ alias cp="cp -iv"
 alias mv='mv -iv'
 alias rm='rm -iv'
-# Welcome message after login
+### Welcome message after login.
-printf "\n"
+printf "%b" "${NL}"
-printf "\e[91m🔐 Coresecret Channel Established. \e[0m\n"
+printf "%b🔐 Coresecret Channel Established. %b%b" "${CRED}" "${CRES}" "${NL}"
-printf "\e[92m✅ Welcome back\e[0m"; printf "\e[95m '%s' \e[0m" "${USER}"; printf "\e[92m! Type\e[0m"; printf "\e[95m 'celp'\e[0m"; printf "\e[92m for shortcuts. \e[0m\n"
+printf "%b✅ Welcome back %b " "${CGRE}" "${CRES}"
-printf "\n"
+printf "%b'%s'%b" "${CMAG}" "${USER}" "${CRES}"
-printf "\n"
+printf "%b! Type%b" "${CGRE}" "${CRES}"
 printf "%b 'celp'%b" "${CMAG}" "${CRES}"
 printf "%b for shortcuts. %b%b" "${CGRE}" "${CRES}" "${NL}"
 printf "%b" "${NL}"
 printf "%b" "${NL}"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/alias
+++ b/config/includes.chroot/root/.ciss/alias
@@ -11,16 +11,6 @@
 # SPDX-Security-Contact: security@coresecret.eu
 ########################################################################################### Alpha
 #######################################
 # Outputs a 16-character random printable string
 # Arguments:
 #  None
 #######################################
 genstring() {
  (haveged -n 1000 -f - 2>/dev/null | tr -cd '[:graph:]' | fold -w 16 && echo ) | head
 }
 # Generates 1,048,576 random bytes into a timestamped file
 alias genkeyfile='haveged -n 1048576 >| /tmp/secure_keyfile_$(date +%s)'
 ########################################################################################### Bash
@@ -60,6 +50,7 @@ alias aptupd='apt update'
 alias aptupg='apt upgrade'
 alias apti='apt install'
 alias aptp='apt purge'
 alias aptpp='dpkg --purge'
 alias aptr='apt remove'
 alias aptse='apt search'
 alias aptsh='apt show'
@@ -104,11 +95,11 @@ alias whatpurge='dpkg --get-selections | grep deinstall'
 ########################################################################################### Functions
-###########################################################################################
+#######################################
 # Generates Secure (/dev/random) Passwords
 # Arguments:
 #    Length of Password, e.g., 32, and --base64 in case of encoding in BASE64.
-###########################################################################################
+#######################################
 # shellcheck disable=SC2317
 genpasswd() {
  declare -i length=32
@@ -128,6 +119,7 @@ genpasswd() {
  done
  declare passwd
  # shellcheck disable=SC2312
  passwd=$(tr -dc 'A-Za-z0-9_' < /dev/random | head -c "${length}")
  if [[ ${usebase64} -eq 1 ]]; then
@@ -137,23 +129,38 @@ genpasswd() {
  fi
 }
-###########################################################################################
+#######################################
-# Generates Secure (/dev/random) Passwords
+# Generates Secure (/dev/random) Passwords.
 # Arguments:
 #   none
-###########################################################################################
+#######################################
 # shellcheck disable=SC2317
 genpasswdhash() {
  declare salt
  # shellcheck disable=SC2312
  salt=$(tr -dc 'A-Za-z0-9' < /dev/random | head -c 16)
  mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608
 }
 #######################################
-# Wrapper for secure curl
+# Outputs a 16-character random printable string
 # Arguments:
-#  $1: URL from which to download a specific file
+#   None
-#  $2: /path/to/file to be saved to
+#######################################
 genstring() {
  # shellcheck disable=SC2312
  (haveged -n 1000 -f - 2>/dev/null | tr -cd '[:graph:]' | fold -w 16 && echo ) | head
 }
 #######################################
 # Wrapper for secure curl
 # Globals:
 #   CRED
 #   CRES
 #   NL
 # Arguments:
 #   1: URL from which to download a specific file
 #   2: /path/to/file to be saved to
 # Returns:
 #   0: Download successful
 #   1: Usage error
@@ -161,7 +168,7 @@ genpasswdhash() {
 #######################################
 scurl() {
  if [[ $# -ne 2 ]]; then
-    printf "\e[91m❌ Error: Usage: scurl <URL> <path/to/file>.\e[0m\n" >&2
+    printf "%s❌ Error: Usage: scurl <URL> <path/to/file>. %s%s" "${CRED}" "${CRES}" "${NL}" >&2
    return 1
  fi
  declare url="$1"
@@ -173,7 +180,7 @@ scurl() {
            -o "${output_path}" \
            "${url}"
  then
-    printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "${url}" >&2
+    printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
    return 2
  fi
  return 0
@@ -181,9 +188,13 @@ scurl() {
 #######################################
 # Wrapper for secure wget
 # Globals:
 #   CRED
 #   CRES
 #   NL
 # Arguments:
-#  $1: URL from which to download a specific file
+#   1: URL from which to download a specific file
-#  $2: /path/to/file to be saved to
+#   2: /path/to/file to be saved to
 # Returns:
 #   0: Download successful
 #   1: Usage error
@@ -191,7 +202,7 @@ scurl() {
 #######################################
 swget() {
  if [[ $# -ne 2 ]]; then
-    printf "\e[91m❌ Error: Usage: swget <URL> <path/to/file>.\e[0m\n" >&2
+    printf "%s❌ Error: Usage: swget <URL> <path/to/file>. %s%s" "${CRED}" "${CRES}" "${NL}" >&2
    return 1
  fi
  declare url="$1"
@@ -204,30 +215,57 @@ swget() {
            -qO "${output_path}" \
            "${url}"
  then
-    printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "$url" >&2
+    printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
    return 2
  fi
  return 0
 }
 #######################################
-# Wrapper for loading CISS.2025 hardened Kernel Parameters
+# Wrapper for loading CISS.2025 hardened Kernel Parameters.
 # Arguments:
 #   None
 #######################################
 sysp() {
  sysctl -p /etc/sysctl.d/99_local.hardened
  # sleep 1
-  sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
+  # shellcheck disable=SC2312
  sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
 }
 #######################################
 # Wrapper for tree
 # Arguments:
-#  $1: Depth of Directory Listing
+#   1: Depth of Directory Listing
 #######################################
 trel() {
  declare depth=${1:-3}
  tree -C -h --dirsfirst -L "${depth}"
 }
 #######################################
 # Wrapper for package and path to bin.
 # Arguments:
 #   1: Program
 #######################################
 whichpackage() {
  if ! command -v "$1" >/dev/null 2>&1; then
    printf '%s❌ Error: Program '%s' not found. %s%s' "${CRED}" "$1" "${CRES}" "${NL}" >&2
    exit 1
  fi
  # shellcheck disable=SC2230,SC2312
  dpkg -S "$(which "$1")"
 }
 #######################################
 # Wrapper for Diskspace used in Path.
 # Arguments:
 #   1: Path (defaults /var)
 #   2: Depth (defaults 1)
 #   3: Number of Entries (defaults 16)
 #######################################
 whichused() {
  # shellcheck disable=SC2312
  du -h --max-depth="${2:-1}" "${1:-/var}" | sort -hr | head -n "${3:-16}"
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/clean_logout.sh
+++ b/config/includes.chroot/root/.ciss/clean_logout.sh
@@ -36,4 +36,5 @@ echo -e "\e[92m          All done" "\e[95m'${USER}'" "\e[92m! \e[0m"
 echo -e "\e[92m          Close shell with 'ENTER' to exit" "\e[95m'${HOSTNAME}'" "\e[92m! \e[0m"
 # shellcheck disable=SC2162
 read
 [[ -x /usr/bin/clear_console ]] && /usr/bin/clear_console -q
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/f2bchk.sh
+++ b/config/includes.chroot/root/.ciss/f2bchk.sh
@@ -17,16 +17,18 @@
 #               --log=/var/log/ufw.log \
 #               --output=/tmp/f2bchk.log
 # Globals:
-#   DEFAULT_FILTER
+#   CGRE
-#   DEFAULT_LOG
+#   CRED
-#   DEFAULT_MODE
+#   CRES
 #   NL
 # Arguments:
 #   None
 # Returns:
-#   1 In case of any errors
+#   0: on success
 #   1: In case of any errors
 #######################################
 f2bchk(){
-  # Declare default values (readonly)
+  ### Declare default values (readonly)
  declare -r DEFAULT_MODE="matched"
  declare -r DEFAULT_FILTER="/etc/fail2ban/filter.d/ufw.aggressive.conf"
  declare -r DEFAULT_LOG="/var/log/ufw.log"
@@ -44,7 +46,7 @@ f2bchk(){
      --log=*)    log="${arg#--log=}";;
      --output=*) output="${arg#--output=}";;
      *)
-        printf "\e[31m[ERROR]\e[0m Unknown argument: %s\n" "${arg}"
+        printf "%s[ERROR]%s Unknown argument: '%s' %s" "${CRED}" "${CRES}" "${arg}" "${CRED}"
        return 1
        ;;
    esac
@@ -56,7 +58,7 @@ f2bchk(){
    matched) flag="--print-all-matched"; suffix="all.matched";;
    missed)  flag="--print-all-missed";  suffix="all.missed";;
    *)
-      printf "\e[31m[ERROR]\e[0m Invalid mode: %s\n" "${mode}"
+      printf "%s[ERROR]%s Invalid mode: '%s' %s" "${CRED}" "${CRES}" "${mode}" "${NL}"
      return 1
      ;;
  esac
@@ -66,22 +68,30 @@ f2bchk(){
    filter_name="${filter_name%.conf}"
    output="/tmp/${filter_name}.${suffix}.log"
  fi
  if [[ ! -r "${log}" ]]; then
-    printf "\e[31m[ERROR]\e[0m Log file '%s' not found or not readable.\n" "${log}"
+    printf "%s[ERROR]%s Log file '%s' not found or not readable. %s" "${CRED}" "${CRES}" "${log}" "${NL}"
    return 1
  fi
  if [[ ! -r "${filter}" ]]; then
    printf "\e[31m[ERROR]\e[0m Filter file '%s' not found or not readable.\n" "${filter}"
    return 1
  fi
-  printf "\e[33m[INFO]\e[0m Running: fail2ban-regex %s %s %s\n" "${log}" "${filter}" "${flag}"
+  if [[ ! -r "${filter}" ]]; then
-  if fail2ban-regex "${log}" "${filter}" "${flag}" >| "${output}"; then
+    printf "%s[ERROR]%s Filter file '%s' not found or not readable. %s" "${CRED}" "${CRES}" "${filter}" "${NL}"
    printf "\e[32m[SUCCESS]\e[0m Saved log to %s\n" "$output"
    printf "You can view it with: cat %s\n" "$output"
  else
    printf "\e[31m[ERROR]\e[0m fail2ban-regex execution failed.\n"
    return 1
  fi
  printf "%s[INFO]%s Running: fail2ban-regex '%s %s %s' %s" "${CGRE}" "${CRES}" "${log}" "${filter}" "${flag}" "${NL}"
  if fail2ban-regex "${log}" "${filter}" "${flag}" >| "${output}"; then
    printf "%s[SUCCESS]%s Saved log to: '%s' %s" "${CGRE}" "${CRES}" "${output}" "${NL}"
    printf "You can view it with: cat %s%s" "${output}" "${NL}"
  else
    printf "%s[ERROR]%s fail2ban-regex execution failed. %s" "${CRED}" "${CRES}" "${NL}"
    return 1
  fi
  exit 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/scan_libwrap
+++ b/config/includes.chroot/root/.ciss/scan_libwrap
@@ -6,36 +6,44 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 #######################################
 # Scanner for 'libwrap' usage.
 # Globals:
 #   CGRE
 #   CRES
 #   NL
 # Arguments:
 #   None
 #######################################
 scanlw() {
-  printf "\e[92m🔍 Scanning all running processes for 'libwrap' usage ... \e[0m\n"
+  printf "%s🔍 Scanning all running processes for 'libwrap' usage ... %s%s" "${CGRE}" "${CRES}" "${NL}"
  printf "\n"
-  # Collect binaries from all running PIDs
+  ### Collect binaries from all running PIDs.
  declare pid exe_path comm user
  for pid in $(ps -e -o pid=); do
    exe_path=$(readlink -f "/proc/${pid}/exe" 2>/dev/null)
-    # Skip if not a regular executable
+    ### Skip if not a regular executable.
    [[ -x "${exe_path}" ]] || continue
-    # Check if the binary is linked with libwrap
+    ### Check if the binary is linked with libwrap.
-    if ldd "$exe_path" 2>/dev/null | grep -q "libwrap"; then
+    # shellcheck disable=SC2312
-      comm=$(ps -p "$pid" -o comm=)
+    if ldd "${exe_path}" 2>/dev/null | grep -q "libwrap"; then
-      user=$(ps -p "$pid" -o user=)
+      comm=$(ps -p "${pid}" -o comm=)
-      printf "\e[92m✅ PID: %s (%s) [User: %s] is linked with 'libwrap.so'. \e[0m\n" "${pid}" "${comm}" "${user}"
+      user=$(ps -p "${pid}" -o user=)
      printf "%s✅ PID: %s (%s) [User: %s] is linked with 'libwrap.so'. %s%s" "${CGRE}" "${pid}" "${comm}" "${user}" "${CRES}" "${NL}"
    fi
  done
  printf "\n"
-  printf "\e[92m✅ Scan complete. \e[0m\n"
+  printf "%s✅ Scan complete. %s%s" "${CGRE}" "${CRES}" "${NL}"
  exit 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/root/.ciss/shortcuts
+++ b/config/includes.chroot/root/.ciss/shortcuts
@@ -6,7 +6,7 @@
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
@@ -21,6 +21,7 @@ declare -ga shortcuts=(
  "apti: apt install"
  "aptimage: get Kernel Img"
  "aptp: apt purge"
  "aptpp: dpkg --purge"
  "aptr: apt remove"
  "aptse: apt search"
  "aptsh: apt show"
@@ -83,6 +84,8 @@ declare -ga shortcuts=(
  "whatdelete: lsof | grep deleted"
  "whatimage: dpkg --list | grep linux"
  "whatpurge: dpkg --get-selections"
  "whichpackage <PROGRAM>"
  "whichused <PATH> <DEPTH> <ENTRIES>"
 )
 #######################################
@@ -101,7 +104,7 @@ celp() {
  declare i=0
  declare entry
  for entry in "${arr[@]}"; do
-    # Print entry left-aligned in fixed width, colored
+    ### Print entry left-aligned in fixed width, colored.
    printf "${CMAG}%-${col_width}s${CRES}" "${entry}"
    ((i++))
    if ((i % cols == 0)); then
--- a/config/package-lists/live.list.common.chroot
+++ b/config/package-lists/live.list.common.chroot
@@ -15,16 +15,21 @@ apt-file
 apt-mirror
 apt-show-versions
 apt-transport-https
 autoconf
 automake
 bash-completion
 bat
 bc
 bind9-dnsutils
 bison
 bsdmainutils
 btrfs-progs
 build-essential
 bzip2
 ca-certificates
 clamav
 clamav-daemon
 clang-18
 console-setup
 cpuid
 cryptsetup
@@ -44,6 +49,7 @@ dirmngr
 dmsetup
 dnsviz
 dosfstools
 dpkg-dev
 e2fsprogs
 efibootmgr
 expect
@@ -51,6 +57,7 @@ fail2ban
 fdisk
 figlet
 fio
 flex
 fzf
 gawk
 gdisk
@@ -69,16 +76,19 @@ knot-dnsutils
 libpam-google-authenticator
 libpam-pwquality
 libpwquality-tools
 libtomcrypt-dev
 libtommath-dev
 libtool
 linux-doc-6.12
 linux-source
 live-boot
 live-config
 live-config-systemd
 lld-18
 locate
 logrotate
 lsb-release
 lvm2
 makedev
 makepasswd
 man
 man-db
@@ -86,9 +96,10 @@ manpages
 manpages-dev
 mdadm
 mtr
 musl-tools
 nano
 ncat
-neofetch
+ncdu
 neovim
 net-tools
 netselect-apt
@@ -107,7 +118,6 @@ rsync
 rsyslog
 screen
 shellcheck
 software-properties-common
 spectre-meltdown-checker
 speedtest-cli
 squashfs-tools
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -7,8 +7,8 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
+**Master Version**: 8.13<br>
-**Build**: V8.03.864.2025.07.15<br>
+**Build**: V8.13.064.2025.10.07<br>
 # 2. DNSSEC Status
--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -7,8 +7,8 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
+**Master Version**: 8.13<br>
-**Build**: V8.03.864.2025.07.15<br>
+**Build**: V8.13.064.2025.10.07<br>
 # 2. Haveged Audit on Netcup RS 2000 G11
--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -7,8 +7,8 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
+**Master Version**: 8.13<br>
-**Build**: V8.03.864.2025.07.15<br>
+**Build**: V8.13.064.2025.10.07<br>
 # 2. Lynis Audit:
--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -7,8 +7,8 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
+**Master Version**: 8.13<br>
-**Build**: V8.03.864.2025.07.15<br>
+**Build**: V8.13.064.2025.10.07<br>
 # 2. SSH Audit by ssh-audit.com
--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -7,15 +7,16 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
+**Master Version**: 8.13<br>
-**Build**: V8.03.864.2025.07.15<br>
+**Build**: V8.13.064.2025.10.07<br>
 # 2. TLS Audit:
 ````text
 ./testssl.sh --show-each --wide --phone-out --full https://git.coresecret.dev/
 #####################################################################
-  testssl.sh version 3.2.1 from https://testssl.sh/
+  testssl.sh version 3.2.2 from https://testssl.sh/
-  (81471c3 2025-06-15 09:48:31)
+  (2e77f5e 2025-09-22 19:35:27)
  This program is free software. Distribution and modification under
  GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
@@ -26,7 +27,7 @@ include_toc: true
  Using OpenSSL 1.0.2-bad (Mar 28 2025)  [~179 ciphers]
  on kali:./bin/openssl.Linux.x86_64
- Start 2025-06-23 17:58:48        -->> 152.53.110.40:443 (git.coresecret.dev) <<--
+ Start 2025-09-28 16:12:17        -->> 152.53.110.40:443 (git.coresecret.dev) <<--
 Further IP addresses:   2a0a:4cc0:80:330f:152:53:110:40
 rDNS (152.53.110.40):   git.coresecret.dev.
@@ -188,18 +189,17 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
 Server key size              RSA 4096 bits (exponent is 65537)
 Server key usage             Digital Signature, Key Encipherment
 Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
- Serial                       1230B34459C6F27FA9BCD2 (OK: length 11)
+ Serial                       13292523EB168BD226CE46 (OK: length 11)
- Fingerprints                 SHA1 1A8BD98862771602E7DD46B742FB66D6C03E622E
+ Fingerprints                 SHA1 1CCF67686A5FFF33D163EFC9E67AB5C70D1122B8
-                              SHA256 76B6FFCE607D8514F676C286C7C76B90F5B7AE7D041631F2EF2F0079AF8D24AC
+                              SHA256 565271C2C74AF9EF5F0DCA16453A643C13E43CBD5B87AB82A622E929C48C8B7B
 Common Name (CN)             coresecret.dev
 subjectAltName (SAN)         coresecret.dev git.coresecret.dev lab.coresecret.dev run.coresecret.dev www.coresecret.dev
 Trust (hostname)             Ok via SAN (same w/o SNI)
 Chain of trust               Ok
 EV cert (experimental)       no
- Certificate Validity (UTC)   153 >= 60 days (2025-05-28 09:56 --> 2025-11-23 22:59)
+ Certificate Validity (UTC)   178 >= 60 days (2025-09-27 18:27 --> 2026-03-25 22:59)
 ETS/"eTLS", visibility info  not present
- In pwnedkeys.com DB          not in database
+ In pwnedkeys.com DB          not in database Certificate Revocation List  http://crl.buypass.no/crl/BPClass2CA5.crl, not revoked
 Certificate Revocation List  http://crl.buypass.no/crl/BPClass2CA5.crl, not revoked
 OCSP URI                     http://ocsp.buypass.com, not revoked
 OCSP stapling                offered, not revoked
 OCSP must staple extension   --
@@ -226,9 +226,9 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
 Cookie(s)                    2 issued: 2/2 secure, 2/2 HttpOnly
 Security headers             X-Frame-Options: SAMEORIGIN
                              X-Content-Type-Options: nosniff
-                              Content-Security-Policy: default-src 'none'; connect-src 'self'; font-src 'self' data:; form-action 'self';
+                              Content-Security-Policy: default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'
-                                frame-src 'self'; frame-ancestors 'self'; img-src 'self' data: https://badges.coresecret.dev
+                                git.coresecret.dev; frame-src 'self'; frame-ancestors 'self'; img-src 'self' data: https://badges.coresecret.dev
-                                https://uml.coresecret.dev; manifest-src 'self'; media-src 'self' data: https://badges.coresecret.dev
+                                https://uml.coresecret.dev; manifest-src 'self' data:; media-src 'self' data: https://badges.coresecret.dev
                                https://uml.coresecret.dev; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'none';
                              Expect-CT: max-age=86400, enforce
                              Permissions-Policy: interest-cohort=()
@@ -258,7 +258,7 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
-                                           https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=76B6FFCE607D8514F676C286C7C76B90F5B7AE7D041631F2EF2F0079AF8D24AC
+                                           https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=565271C2C74AF9EF5F0DCA16453A643C13E43CBD5B87AB82A622E929C48C8B7B
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
 BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
 LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
@@ -309,7 +309,7 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
 Rating (experimental)
- Rating specs (not complete)  SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)
+ Rating specs (not complete)  SSL Labs's 'SSL Server Rating Guide' (version 2009r from 2025-05-16)
 Specification documentation  https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
 Protocol Support (weighted)  100 (30)
 Key Exchange     (weighted)  100 (30)
@@ -317,7 +317,7 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
 Final Score                  100
 Overall Grade                A+
- Done 2025-06-23 18:00:16 [  99s] -->> 152.53.110.40:443 (git.coresecret.dev) <<--
+ Done 2025-09-28 16:13:50 [  95s] -->> 152.53.110.40:443 (git.coresecret.dev) <<--
 ````
 ---
--- a/docs/BOOTPARAMS.md
+++ b/docs/BOOTPARAMS.md
@@ -7,8 +7,8 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
+**Master Version**: 8.13<br>
-**Build**: V8.03.864.2025.07.15<br>
+**Build**: V8.13.064.2025.10.07<br>
 # 2. Hardened Kernel Boot Parameters
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -7,74 +7,152 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
+**Master Version**: 8.13<br>
-**Build**: V8.03.864.2025.07.15<br>
+**Build**: V8.13.064.2025.10.07<br>
 # 2. Changelog
 ## V8.13.064.2025.10.07
 * **Added**: An internal Gitea Action Runner switch for the CISS and PHYS central configuration source of truth.
 * **Added**: Verbose status information screen on successful completion.
 * **Added**: Verbose status information in 'CISS.debian.live.iso.'
 * **Added**: Loop to desynchronize parallel workflows.
 * **Added**: [lib_note_target.sh](../lib/lib_note_target.sh)
 * **Updated**: [lib_trap_on_err.sh](../lib/lib_trap_on_err.sh)
 * **Updated**: [lib_trap_on_exit.sh](../lib/lib_trap_on_exit.sh)
 * **Updated**: [9999-cdi-starter](../scripts/9999-cdi-starter)
 * **Updated**: [9980_usb_guard.chroot](../config/hooks/live/9980_usb_guard.chroot)
 * **Updated**: [9998_sources_list_bookworm.chroot](../config/hooks/live/9998_sources_list_bookworm.chroot)
 * **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot)
 * **Updated**: [9999_interfaces_update.chroot](../config/hooks/live/9999_interfaces_update.chroot)
 * **Updated**: [lib_cdi.sh](../lib/lib_cdi.sh) Unified Kernel bootparameter.
 * **Updated**: [lib_lb_config_write_trixie.sh](../lib/lib_lb_config_write_trixie.sh) Unified Kernel bootparameter.
 * **Updated**: [lib_run_analysis.sh](../lib/lib_run_analysis.sh)
 ## V8.13.048.2025.10.06
 * **Updated**: Debian 13 LIVE ISO workflows to use Kernel: ``6.16.3+deb13-amd64``
 * **Updated**: Debian 13 LIVE ISO workflows to use argument: ``--cdi``
 * **Updated**: [9000-cdi-starter](../scripts/9999-cdi-starter)
 * **Removed**: [1024_git_clone_ciss_debian_installer.chroot](../.archive/1024_git_clone_ciss_debian_installer.chroot)
 ## V8.13.032.2025.10.03
 * **Added**: Internal Gitea Action Runner switch for static SSHFP records.
 ## V8.13.016.2025.09.28
 * **Updated**: Debian 13 LIVE ISO workflows to use Kernel: ``6.12.48+deb13-amd64``
 ## V8.13.008.2025.08.22
 * **Removed**: [0003_install_backports.chroot](../.archive/0003_install_backports.chroot)
 ## V8.13.004.2025.08.21
 * **Added**: [makefile](../makefile)
 ## V8.13.002.2025.08.11
 * **Added**: [lib_source_guard.sh](../lib/lib_source_guard.sh)
 * **Added**: [sources.list](../config/includes.chroot/etc/apt/sources.list)
 * **Added**: [trixie.sources](../config/includes.chroot/etc/apt/sources.list.d/trixie.sources)
 * **Added**: [trixie-backports.sources](../config/includes.chroot/etc/apt/sources.list.d/trixie-backports.sources)
 * **Added**: [trixie-security.sources](../config/includes.chroot/etc/apt/sources.list.d/trixie-security.sources)
 * **Added**: [trixie-updates.sources](../config/includes.chroot/etc/apt/sources.list.d/trixie-updates.sources)
 * **Added**: [login.defs](../config/includes.chroot/etc/login.defs)
 * **Bugfixes**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot)
 * **Bugfixes**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot)
 * **Updated**: [bash.var.sh](../var/bash.var.sh)
 * **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot)
 * **Updated**: Support for Debian Trixie via Argument ``--trixie``
 * **Updated**: Debian 12 LIVE ISO workflows to use Kernel: ``linux-image-6.1.0-37-amd64``
 ## V8.03.920.2025.08.07
 * **Updated**: [lib_arg_parser.sh](../lib/lib_arg_parser.sh)
 * **Updated**: [ciss_live_builder.sh](../ciss_live_builder.sh)
 * **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
 ## V8.03.912.2025.07.23
 * **Updated**: [alias](../config/includes.chroot/root/.ciss/alias)
 * **Updated**: [clean_logout.sh](../config/includes.chroot/root/.ciss/clean_logout.sh)
 * **Updated**: [f2bchk.sh](../config/includes.chroot/root/.ciss/f2bchk.sh)
 * **Updated**: [scan_libwrap](../config/includes.chroot/root/.ciss/scan_libwrap)
 * **Updated**: [shortcuts](../config/includes.chroot/root/.ciss/shortcuts)
 * **Updated**: [.bashrc](../config/includes.chroot/root/.bashrc)
 ## V8.03.896.2025.07.22
 * **Added**: [.shellcheckrc](../.shellcheckrc)
 * **Bugfixes**: [ciss_live_builder.sh](../ciss_live_builder.sh)
 * **Updated**: [0810_chrony_setup.chroot](../config/hooks/live/0810_chrony_setup.chroot)
 ## V8.03.880.2025.07.19
 * **Updated**: [alias](../config/includes.chroot/root/.ciss/alias)
 * **Updated**: [shortcuts](../config/includes.chroot/root/.ciss/shortcuts)
 * **Added**: Package ``ncdu``: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
 * **Added**: ``TrustedUserCAKeys none``: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config)
 ## V8.03.864.2025.07.15
-* Updated: [0010_dhcp_supersede.sh](../scripts/0010_dhcp_supersede.sh)
+* **Updated**: [0010_dhcp_supersede.sh](../scripts/0010_dhcp_supersede.sh)
-* Added: [BOOTPARAMS.md](BOOTPARAMS.md)
+* **Added**: [BOOTPARAMS.md](BOOTPARAMS.md)
-* Added: Package ``cpuid``: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
+* **Added**: Package ``cpuid``: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
 ## V8.03.832.2025.06.25
-* Added: [lib_version.sh](../lib/lib_version.sh)
+* **Added**: [lib_version.sh](../lib/lib_version.sh)
-* Updated:
+* **Updated**:
  * [lib_contact.sh](../lib/lib_contact.sh)
  * [lib_usage.sh](../lib/lib_usage.sh)
-* Packages added:
+* **Packages added**:
  * https://packages.debian.org/bookworm/fio
  * https://packages.debian.org/bookworm/stress 
-* Timezone changed to ``Etc/UTC``
+* **Updated**: Timezone changed to ``Etc/UTC``
 ## V8.03.832.2025.06.24
-* Updated:
+* **Updated**:
  * [lib_check_provider.sh](../lib/lib_check_provider.sh)
  * [lib_debug_header.sh](../lib/lib_debug_header.sh)
  * [lib_trap_on_err.sh](../lib/lib_trap_on_err.sh)
-* The Debian package ``bat`` will be installed to enable smooth log reading.
+* **Added**: The Debian package ``bat`` will be installed to enable smooth log reading.
 ## V8.03.768.2025.06.23
-* Updated [lib_clean_up.sh](../lib/lib_clean_up.sh): Removal of Lock FD and Artifacts.
+* **Updated**: [lib_clean_up.sh](../lib/lib_clean_up.sh): Removal of Lock FD and Artifacts.
 * Rearranged VARs sourcing: [early.var.sh](../var/early.var.sh)
 * Rearranged DEBUG XTRACE sourcing: [meta_sources_debug.sh](../meta_sources_debug.sh)
-* Added Git Repo specific VARs: [lib_debug_var_git.sh](../lib/lib_git_var.sh)
+* **Added**: Git Repo specific VARs: [lib_debug_var_git.sh](../lib/lib_git_var.sh)
-* Added ``guard_sourcing()``: [lib_guard_sourcing.sh](../lib/lib_guard_sourcing.sh)
+* **Added**: ``guard_sourcing()``: [lib_guard_sourcing.sh](../lib/lib_guard_sourcing.sh)
-  * to prevent the caller LIB-file from being sourced twice.
+  to prevent the caller LIB-file from being sourced twice.
 ## V8.03.768.2025.06.19
 * Minor main script improvements.
-* Updated [lib_usage.sh](../lib/lib_usage.sh) output.
+* **Updated**: [lib_usage.sh](../lib/lib_usage.sh) output.
 ## V8.03.768.2025.06.18
 * Minor main script improvements.
-* Updated contact section.
+* **Updated**: Contact section.
 * Integrated third ``dns03.eddns.eu`` Centurion DNS Resolver.
 ## V8.03.768.2025.06.17
-* Updated LIVE ISO workflows to use Kernel: ``linux-image-6.12.30+bpo-amd64``
+* **Updated**: LIVE ISO workflows to use Kernel: ``linux-image-6.12.30+bpo-amd64``
 ## V8.03.768.2025.06.11
-* Updated LIVE ISO workflows to use Kernel: ``linux-image-6.12.27+bpo-amd64``
+* **Updated**: LIVE ISO workflows to use Kernel: ``linux-image-6.12.27+bpo-amd64``
 ## V8.03.768.2025.06.09
-* Added: [f2bchk.sh](../config/includes.chroot/root/.ciss/f2bchk.sh)
+* **Added**: [f2bchk.sh](../config/includes.chroot/root/.ciss/f2bchk.sh)
-* Updated: [alias](../config/includes.chroot/root/.ciss/alias)
+* **Updated**: [alias](../config/includes.chroot/root/.ciss/alias)
  * ``scurl()``
  * ``swget()``
 ## V8.03.644.2025.06.07
-* Updated workflows ISO Generators Runners. 
+* **Updated**: Workflows ISO Generators Runners. 
 * Installing ``bookworm-backports`` Versions of:
  * ``btrfs-progs``
  * ``curl``
@@ -90,12 +168,12 @@ include_toc: true
 * LIVE ISO generated by workflow tested against:
  * Netcup Root Server
  * Proxmox 
-* LIVE ISO generated by script tested against:
+* LIVE ISO generated by the script tested against:
  * Netcup Root Server
 ## V8.03.512.2025.06.06
-* Updated workflows: 
+* **Updated**: Workflows: 
  1. ``git stash push``
  2. ``git fetch origin master``
  3. ``git merge --no-edit origin/master``
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -7,8 +7,8 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.03<br>
+**Master Version**: 8.13<br>
-**Build**: V8.03.864.2025.07.15<br>
+**Build**: V8.13.064.2025.10.07<br>
 # 2. Centurion Net - Developer Branch Overview
--- a/Show More
+++ b/Show More