V8.13.032.2025.10.03

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.archive/.0000_lib_usage.sh

@@ -21,7 +21,7 @@ usage() {
   clear
   cat << EOF
 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.13.008.2025.08.22\e[0m")
+$(echo -e "\e[92mMaster V8.13.032.2025.10.03\e[0m")
 $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
 
 $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")

.archive/0003_install_backports.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml

@@ -25,7 +25,7 @@ body:
     attributes:
       label: "Version"
       description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.13.008.2025.08.22"
+      placeholder: "e.g., Master V8.13.032.2025.10.03"
     validations:
       required: true
 

.gitea/TODO/dockerfile

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.13.008.2025.08.22
+### Version Master V8.13.032.2025.10.03
 
 FROM debian:bookworm
 

.gitea/TODO/render-md-to-html.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.13.008.2025.08.22
+### Version Master V8.13.032.2025.10.03
 
 name: 🔁 Render README.md to README.html.
 

.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.008.2025.08.22
+  version: V8.13.032.2025.10.03
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.008.2025.08.22
+  version: V8.13.032.2025.10.03
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PUBLIC.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.008.2025.08.22
+  version: V8.13.032.2025.10.03
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_dns.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.008.2025.08.22
+  version: V8.13.032.2025.10.03
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PRIVATE_trixie_0.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.13.008.2025.08.22
+### Version Master V8.13.032.2025.10.03
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 
@@ -51,6 +51,7 @@ jobs:
             gnupg \
             openssh-client \
             openssl \
+            perl \
             sudo \
             util-linux
 
@@ -136,15 +137,60 @@ jobs:
           echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
           echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
 
+      - name: 🔧 Render live hook with secrets.
+        shell: bash
+        working-directory: ${{ github.workspace }}
+        env:
+          ED25519_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
+          ED25519_PUB:  ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
+          RSA_PRIV:     ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
+          RSA_PUB:      ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
+        run: |
+          set -Ceuo pipefail
+          umask 077
+
+          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
+
+          TPL="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
+          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
+
+          if [[ ! -f "$TPL" ]]; then
+            echo "Template not found: $TPL"
+            echo "::group::Tree of config/hooks/live"
+            ls -la "$REPO_ROOT/config/hooks/live" || true
+            echo "::endgroup::"
+            exit 2
+          fi
+
+          export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
+          export ED25519_PUB="${ED25519_PUB//$'\r'/}"
+          export RSA_PRIV="${RSA_PRIV//$'\r'/}"
+          export RSA_PUB="${RSA_PUB//$'\r'/}"
+
+          perl -0777 -pe '
+            BEGIN{
+              $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
+              $rsa=$ENV{RSA_PRIV};    $rsapub=$ENV{RSA_PUB};
+            }
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
+          ' "$TPL" > "$OUT"
+
+          chmod 0755 "$OUT"
+          echo "Hook rendered: $OUT"
+
       - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
         shell: bash
+        working-directory: ${{ github.workspace }}
         run: |
           set -euo pipefail
           chmod 0755 ciss_live_builder.sh
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: '6.12.41+deb13-amd64'.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.12.48+deb13-amd64'.
           ./ciss_live_builder.sh \
-            --autobuild=6.12.41+deb13-amd64 \
+            --autobuild=6.12.48+deb13-amd64 \
             --architecture amd64 \
             --build-directory /opt/livebuild \
             --control "${timestamp}" \
@@ -155,8 +201,14 @@ jobs:
             --root-password-file /opt/config/password.txt \
             --ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
             --ssh-pubkey /opt/config \
+            --sshfp \
             --trixie
 
+          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
+          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
+          rm -f "$OUT"
+          echo "Hook removed: $OUT"
+
       - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
         shell: bash
         env:

.gitea/workflows/generate_PRIVATE_trixie_1.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.13.008.2025.08.22
+### Version Master V8.13.032.2025.10.03
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 
@@ -51,6 +51,7 @@ jobs:
             gnupg \
             openssh-client \
             openssl \
+            perl \
             sudo \
             util-linux
 
@@ -136,15 +137,60 @@ jobs:
           echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/config/password.txt
           echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/config/authorized_keys
 
+      - name: 🔧 Render live hook with secrets.
+        shell: bash
+        working-directory: ${{ github.workspace }}
+        env:
+          ED25519_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
+          ED25519_PUB:  ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
+          RSA_PRIV:     ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
+          RSA_PUB:      ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
+        run: |
+          set -Ceuo pipefail
+          umask 077
+
+          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
+
+          TPL="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
+          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
+
+          if [[ ! -f "$TPL" ]]; then
+            echo "Template not found: $TPL"
+            echo "::group::Tree of config/hooks/live"
+            ls -la "$REPO_ROOT/config/hooks/live" || true
+            echo "::endgroup::"
+            exit 2
+          fi
+
+          export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
+          export ED25519_PUB="${ED25519_PUB//$'\r'/}"
+          export RSA_PRIV="${RSA_PRIV//$'\r'/}"
+          export RSA_PUB="${RSA_PUB//$'\r'/}"
+
+          perl -0777 -pe '
+            BEGIN{
+              $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
+              $rsa=$ENV{RSA_PRIV};    $rsapub=$ENV{RSA_PUB};
+            }
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
+          ' "$TPL" > "$OUT"
+
+          chmod 0755 "$OUT"
+          echo "Hook rendered: $OUT"
+
       - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
         shell: bash
+        working-directory: ${{ github.workspace }}
         run: |
           set -euo pipefail
           chmod 0755 ciss_live_builder.sh
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
           ### Change "--autobuild=" to the specific kernel version you need: '6.12.41+deb13-amd64'.
           ./ciss_live_builder.sh \
-            --autobuild=6.12.41+deb13-amd64 \
+            --autobuild=6.12.48+deb13-amd64 \
             --architecture amd64 \
             --build-directory /opt/livebuild \
             --control "${timestamp}" \
@@ -152,8 +198,14 @@ jobs:
             --root-password-file /opt/config/password.txt \
             --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
             --ssh-pubkey /opt/config \
+            --sshfp \
             --trixie
 
+          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
+          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
+          rm -f "$OUT"
+          echo "Hook removed: $OUT"
+
       - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
         shell: bash
         env:

.gitea/workflows/generate_PUBLIC_iso.yaml

@@ -9,10 +9,14 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.13.008.2025.08.22
+### Version Master V8.13.032.2025.10.03
 
 name: 💙 Generating a PUBLIC Live ISO.
 
+defaults:
+  run:
+    shell: bash
+
 permissions:
   contents: write
 
@@ -24,161 +28,31 @@ on:
       - '.gitea/trigger/t_generate_PUBLIC.yaml'
 
 jobs:
-  generate-private-ciss-debian-live-iso:
+  generate-public-cdlb-trixie:
     name: 💙 Generating a PUBLIC Live ISO.
-    runs-on: ciss.debian.live.builder.iso.generator
+    runs-on: cdlb.trixie
 
-    ### Run all steps inside Debian Bookworm
     container:
-      image: debian:bookworm
+      image: debian:trixie
 
     steps:
-      - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
+      - name: 🛠️ Basic Image Setup.
-        run: |
-          apt-get update -y
-          apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
-          echo 'deb https://deb.debian.org/debian bookworm-backports main' \
-            >| /etc/apt/sources.list.d/bookworm-backports.list
-          apt-get update -y
-          apt-get upgrade -y
-
-      - name: 🛠️ Installing Build Tools.
         shell: bash
         run: |
-          apt-get update -y
+          export DEBIAN_FRONTEND=noninteractive
-          apt-get install -y \
+          apt-get update
-            autoconf \
+          apt-get upgrade -y
-            automake \
+          apt-get install -y --no-install-recommends \
-            build-essential \
+            apt-utils \
-            cryptsetup \
+            bash \
+            ca-certificates \
             curl \
-            debootstrap \
-            dosfstools \
-            efibootmgr \
-            gettext \
             git \
             gnupg \
-            haveged \
+            openssh-client \
-            libbz2-dev \
+            openssl \
-            zlib1g-dev \
-            liblzma-dev \
-            libtool \
-            live-build \
-            parted \
-            pkg-config \
-            ssh \
-            ssl-cert \
             sudo \
-            texinfo \
+            util-linux
-            wget \
-            whois \
-
-      - name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
-        shell: bash
-        run: |
-          urls=(
-            "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
-          )
-
-          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
-          gpg --batch --import signature_key.asc
-
-          for url in "${urls[@]}"; do
-            archive_name="${url##*/}"
-            pkg_name="${archive_name%.tar.bz2}"
-            echo "🔄 Processing ${pkg_name}"
-            if [[ ! -f "${archive_name}" ]]; then
-              echo "📥 Downloading: '${archive_name}'."
-              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
-                echo "✅ Download successful: '${archive_name}'."
-              else
-                echo "❌ Download NOT successful: '${archive_name}'."
-                exit 1
-              fi
-            else
-              echo "💡 Skipping download, package already exists: '${archive_name}'."
-            fi
-
-            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
-
-            if [[ ! -d "${pkg_name}" ]]; then
-              echo "📂 Extracting: '${archive_name}'."
-              if tar -xjf "${archive_name}"; then
-                echo "✅ Extraction successful: '${archive_name}'."
-              else
-                echo "❌ Extraction not successful: '${archive_name}'."
-                exit 1
-              fi
-            else
-              echo "💡 Skipping directory, already exists: '${pkg_name}'."
-            fi
-
-            echo "🏗️ Build and install the package: '${pkg_name}'."
-            cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
-            mkdir -p build
-            cd build || { echo "❌ Could not change to '/build'."; exit 1; }
-
-            sudo ../configure > /dev/null 2>&1  || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
-            make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
-            sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
-
-            cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
-
-            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
-            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
-            echo "✅ Successful build and installation of '${pkg_name}'."
-            echo "-------------------------------------------------------------------------------------"
-
-          done
-
-          rm -f signature_key.asc
-
-          echo "✅ All packages were built and installed successfully."
-
-          mv_bin=(
-            "/usr/bin/gpg"
-            "/usr/bin/gpg-agent"
-            "/usr/bin/gpgconf"
-            "/usr/bin/gpg-connect-agent"
-            "/usr/bin/gpg-wks-client"
-            "/usr/bin/gpg-preset-passphrase"
-          )
-
-          for bin in "${mv_bin[@]}"; do
-            name="${bin##*/}"
-            if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
-              if mv "${bin}" "${bin}.debian-backup"; then
-                echo "✅ Moved successfully: '${bin}'."
-              else
-                echo "❌ Moved NOT successfully: '${bin}'."
-              fi
-            else
-              echo "💡 Does not exist as build binary: '${bin}'."
-            fi
-          done
-
-          for bin in "${mv_bin[@]}"; do
-            name="${bin##*/}"
-            if [[ -f "/usr/local/bin/${name}" ]]; then
-              if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
-                echo "✅ 'update-alternatives' successfully: '${bin}'."
-              else
-                echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
-              fi
-            else
-              echo "💡 Does not exist: '/usr/local/bin/${name}'."
-            fi
-          done
-
-          sudo ldconfig
-
-          gpgconf --kill all
-          /usr/local/bin/gpg-agent --daemon
 
       - name: ⚙️ Check GnuPG Version.
         shell: bash
@@ -271,13 +145,14 @@ jobs:
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
           ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
           ./ciss_live_builder.sh \
-            --autobuild=6.1.0-37-amd64 \
+            --autobuild=6.12.48+deb13-amd64 \
             --architecture amd64 \
             --build-directory /opt/livebuild \
             --control "${timestamp}" \
             --root-password-file /opt/config/password.txt \
             --ssh-port 42137 \
-            --ssh-pubkey /opt/config
+            --ssh-pubkey /opt/config \
+            --trixie
 
       - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
         shell: bash
@@ -364,11 +239,12 @@ jobs:
           gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
 
           timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+          VAR_DATE="$(date +%F)"
           PRIVATE_FILE="LIVE_ISO.public"
           touch "${PRIVATE_FILE}"
           cat << EOF >| "${PRIVATE_FILE}"
           # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
           # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
           # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
           # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>

.gitea/workflows/linter_char_scripts.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.13.008.2025.08.22
+### Version Master V8.13.032.2025.10.03
 
 # Gitea Workflow: Shell-Script Linting
 #

.gitea/workflows/render-dnssec-status.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.13.008.2025.08.22
+### Version Master V8.13.032.2025.10.03
 
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
 

.gitea/workflows/render-dot-to-png.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.13.008.2025.08.22
+### Version Master V8.13.032.2025.10.03
 
 name: 🔁 Render Graphviz Diagrams.
 

.version.properties

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.008.2025.08.22"
+properties_version="V8.13.032.2025.10.03"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

CISS.debian.live.builder.spdx

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.008.2025.08.22
+PackageVersion: Master V8.13.032.2025.10.03
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder

LINTER_RESULTS.txt

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-03; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-08-22T17:25:58Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-10-03T21:17:45Z"
 
 ✅ The last linter check was successful. ✅
 

LIVE_ISO.public

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-09-28; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-08-11T22:40:21Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-09-28T18:07:13Z"
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_08_11T21_49_56Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_09_28T17_20_38Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  4aa02673b9a8d5b974014eca4371d1ed69b05eaea9e92203cf7c092880833e18812bf31ab053399eda98b7a3da0b76b8dcdaaba892e9f52f836ea9d2b0e09e38
+  49ea0ecfbcbe086786887a4d77727a582436d1b0172af34a4d85cf008541a6215d33b7326f7ff5445adfd0a687cbe67850b6d176b4c58be52e3858129ab369fc
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaJpxVQAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaNl5UQAKCRA85KY4hzOw
-IZWOAQDJriUoDvDNSQiHbFfW4KVV1E1wqe12eS7GyfVFr9bISwEAoDKhQ85+RiGr
+IW0DAQCOeexEEvs4TmIQGQKmGv4EJee4M5uCK8EGAYR5MkqgDAD/QB5/DglUkK3z
-pCdWqvU8wcfzEIlKIpAgAZVrhX/xRw8=
+4KvoqoWSL5j0aB8JKVB+GU9pSc+emwA=
-=wNVV
+=WSB7
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_TRIXIE_0.private

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-09-28; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-08-22T16:55:09Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-09-28T16:27:07Z"
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_08_22T16_11_02Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_09_28T15_39_28Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  35c288d96239804e244cbe99c8ce3895aec39104a7200c2ef7326d38e1ec4eea3bf60b895eaa4d981cb718ae4d27d2d4166f16252b88606a870d14c3db096a37
+  df9eb4fb9ee0598bef7665dd07c0c5935622dca2d8f42747cd4a187a9750ecb6381bd3a42bbc44ccf7bf70900c0ae99b9163d9e82acbf1dbedcd801a9d3c7bc2
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaKig7QAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaNlh2wAKCRA85KY4hzOw
-IWKWAP0Wlqbi3ArURSGW5m+E+OstdsU7qHjf+e1SVRJ3BGUzaAEAr3ceyHiiA2/7
+IfNnAQCMk83R452cTjogw59Ak8ohaHCHX8LFP7poMPFWtpGPygEAtTOEysHAXBPF
-RlXsvZxNgVDaEVSdjmt99dMrZK7DRws=
+j2/p3TcTYyssUYQXcaeCvyHiFr1BHwM=
-=4Oh3
+=8sNE
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_TRIXIE_1.private

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-03; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-08-22T17:41:13Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-10-03T22:07:42Z"
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_08_22T16_56_12Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_10_03T21_17_21Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  4925332b61dbd91f0c444624bbe7de586dbd911fbb27b080a99e44ae312c5139afc502d0415d0bef7dfbd1e5461c07e0a0700f7206e746a91cbcb5403ef003e3
+  df265db7b6f2ef72d43d3430ca9854d09cb26c70e76560172193916c061fb05f4467a5208b4990f3374175826555e8f453d185181fd3c9c54fd35ee8fa5e7b31
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaKiruQAKCRA85KY4hzOw
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaOBJLgAKCRA85KY4hzOw
-IdoTAQDqyOBkGA0xDoLsDvjFSaf3tmzz8mD/5qvsDtF6y/rEWwD/dAXzMOdQjxg8
+IeCeAQCgQIF7HeJII4ChUxSbZfr5b4Q0Z/bQ51G8j1WpZ6pF6QD/XsOJ0l74BDjg
-IcK+GK6u4k5/HT5bYlCvTy/WxRb5ggQ=
+A03OMLkQBM/WgPnWM9UvtPdfkkX+Kwo=
-=boDM
+=R/Dp
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

README.md

@@ -2,17 +2,17 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.008.2025.08.22-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.032.2025.10.03-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
  
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)  
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)  
-[![Static Badge](https://badges.coresecret.dev/badge/Bash-V5.2.15-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=Bash&color=%234EAA25)](https://www.gnu.org/software/bash/)  
+[![Static Badge](https://badges.coresecret.dev/badge/Bash-V5.2.37-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=Bash&color=%234EAA25)](https://www.gnu.org/software/bash/)  
 [![Static Badge](https://badges.coresecret.dev/badge/shellcheck-passed-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=shellcheck&color=%234EAA25)](https://shellcheck.net/)  
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh)  
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
  
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.5-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)  
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.6-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)  
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)  
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)  
 [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/)  
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de)  
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/)  
@@ -26,7 +26,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.032.2025.10.03<br>
 
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -151,7 +151,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
 
-Example: `V8.13.008.2025.08.22`
+Example: `V8.13.032.2025.10.03`
 
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
 

config/hooks/live/0000_generate_backup_dir.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0001_initramfs_modules.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0002_verify_checksums.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0050_activate_root.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0080_keyboard_layout.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0090_haveged.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0120_set_hostname.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0130_machineid.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0400_eza_install.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0800_lynis_setup.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0810_chrony_setup.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0820_kernel_hardening_checker.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0822_ssh_restart_hook.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0825_my_sqltuner_perl.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0830_download_yq.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0835_testssl.sh.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0845_harbian_audit.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0850_ssh_audit.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0855_dnsviz.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0900_ufw_setup.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/1024_git_clone_ciss_debian_installer.chroot

@@ -9,17 +9,14 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
-# TODO: MUST be uncommented
 cd /root/git
-# git clone https://git.coresecret.dev/msw/CISS.debian.installer.git
+git clone https://git.coresecret.dev/msw/CISS.debian.installer.git
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9900_process_accounting.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9910_motd.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9920_deleting_invalid_x509.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9930_hardening_ssh.chroot

@@ -9,17 +9,18 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 cd /etc/ssh || {
   printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
 }
 rm -rf ssh_host_*key*
 
+# shellcheck disable=SC2312
 ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)"
+# shellcheck disable=SC2312
 ssh-keygen -o -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"
 
 awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
@@ -44,7 +45,26 @@ ssh-keygen -r @ >| /root/sshfp
 # The chmod +x command ensures that the file is executed in every shell session.          #
 ###########################################################################################
 cat << 'EOF' >| /etc/profile.d/idle-users.sh
-declare -girx TMOUT=14400
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+case $- in
+  *i*)
+    TMOUT=14400
+    export TMOUT
+    readonly TMOUT
+  ;;
+esac
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 
 chmod +x /etc/profile.d/idle-users.sh
@@ -58,7 +78,6 @@ EOF
 chmod 0644 /etc/systemd/system/ssh.service.d/override.conf
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9935_hardening_ssh.chroot.tmpl

@@ -0,0 +1,94 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+cd /etc/ssh || {
+  printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
+}
+
+cat << 'EOF' >| ssh_host_ed25519_key
+{{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
+EOF
+
+cat << 'EOF' >| ssh_host_ed25519_key.pub
+{{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
+EOF
+
+cat << 'EOF' >| ssh_host_rsa_key
+{{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
+EOF
+
+cat << 'EOF' >| ssh_host_rsa_key.pub
+{{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
+EOF
+
+awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
+rm -rf /etc/ssh/moduli
+mv /etc/ssh/moduli.safe /etc/ssh/moduli
+
+chmod 0600 /etc/ssh/ssh_host_*_key
+chown root:root /etc/ssh/ssh_host_*_key
+chmod 0644 /etc/ssh/ssh_host_*_key.pub
+chown root:root /etc/ssh/ssh_host_*_key.pub
+
+chmod 600 /etc/ssh/sshd_config /etc/ssh/ssh_config
+
+touch /root/sshfp
+ssh-keygen -r @ >| /root/sshfp
+
+###########################################################################################
+# Remarks: The file /etc/profile.d/idle-users.sh is created to set two read-only          #
+# environment variables: TMOUT and HISTFILE.                                              #
+# TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
+# readonly HISTFILE ensures that the command history cannot be changed.                   #
+# The chmod +x command ensures that the file is executed in every shell session.          #
+###########################################################################################
+cat << 'EOF' >| /etc/profile.d/idle-users.sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+case $- in
+  *i*)
+    TMOUT=14400
+    export TMOUT
+    readonly TMOUT
+  ;;
+esac
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+chmod +x /etc/profile.d/idle-users.sh
+
+mkdir -p /etc/systemd/system/ssh.service.d
+cat << 'EOF' >| /etc/systemd/system/ssh.service.d/override.conf
+[Unit]
+After=ufw.service
+Requires=ufw.service
+EOF
+chmod 0644 /etc/systemd/system/ssh.service.d/override.conf
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+# sleep 1
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9940_hardening_memory.dump.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9950_fail2ban_hardening.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9960_disable_services.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9970_remove_exim.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9980_usb_guard.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9985_clamav.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9990_final_purge.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9991_file_permissions.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9992_password_expiration.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9993_aide.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9994_password_policy.chroot

@@ -13,7 +13,7 @@
 ### NIST recommends at least eight characters but advises longer passphrases (e.g., 12-64) for increased security.
 ### NIST SP 800-63B, https://pages.nist.gov/800-63-3/sp800-63b.html
 
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9995_sysstat.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9996_auditd.chroot

@@ -12,7 +12,7 @@
 
 ### https://github.com/linux-audit/audit-userspace/tree/master/rules
 
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9997_debsums.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9998_sources_list_bookworm.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9998_sources_list_trixie.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9999_interfaces_update.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/includes.chroot/etc/ssh/sshd_config

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.13.008.2025.08.22
+### Version Master V8.13.032.2025.10.03
 
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig

config/includes.chroot/etc/sysctl.d/99_local.hardened

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.13.008.2025.08.22
+### Version Master V8.13.032.2025.10.03
 
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/

config/includes.chroot/preseed/.iso/iso.sh

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 # The example names get mapped to their roles here
 declare timestamp

config/includes.chroot/preseed/.iso/preseed_hash_generator.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-declare -gr VERSION="Master V8.13.008.2025.08.22"
+declare -gr VERSION="Master V8.13.032.2025.10.03"
 
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then

config/includes.chroot/preseed/preseed.cfg

@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.008.2025.08.22 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.032.2025.10.03 at: 10:18:37.9542

config/package-lists/live.list.common.chroot

@@ -21,6 +21,7 @@ bash-completion
 bat
 bc
 bind9-dnsutils
+bison
 bsdmainutils
 btrfs-progs
 build-essential
@@ -28,6 +29,7 @@ bzip2
 ca-certificates
 clamav
 clamav-daemon
+clang-18
 console-setup
 cpuid
 cryptsetup
@@ -47,6 +49,7 @@ dirmngr
 dmsetup
 dnsviz
 dosfstools
+dpkg-dev
 e2fsprogs
 efibootmgr
 expect
@@ -54,6 +57,7 @@ fail2ban
 fdisk
 figlet
 fio
+flex
 fzf
 gawk
 gdisk
@@ -80,6 +84,7 @@ linux-source
 live-boot
 live-config
 live-config-systemd
+lld-18
 locate
 logrotate
 lsb-release

docs/AUDIT_DNSSEC.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.032.2025.10.03<br>
 
 # 2. DNSSEC Status
 

docs/AUDIT_HAVEGED.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.032.2025.10.03<br>
 
 # 2. Haveged Audit on Netcup RS 2000 G11
 

docs/AUDIT_LYNIS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.032.2025.10.03<br>
 
 # 2. Lynis Audit:
 

docs/AUDIT_SSH.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.032.2025.10.03<br>
 
 # 2. SSH Audit by ssh-audit.com
 

docs/AUDIT_TLS.md

@@ -8,14 +8,15 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.032.2025.10.03<br>
 
 # 2. TLS Audit:
-
 ````text
+./testssl.sh --show-each --wide --phone-out --full https://git.coresecret.dev/
+
 #####################################################################
-  testssl.sh version 3.2.1 from https://testssl.sh/
+  testssl.sh version 3.2.2 from https://testssl.sh/
-  (81471c3 2025-06-15 09:48:31)
+  (2e77f5e 2025-09-22 19:35:27)
 
   This program is free software. Distribution and modification under
   GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
@@ -26,7 +27,7 @@ include_toc: true
   Using OpenSSL 1.0.2-bad (Mar 28 2025)  [~179 ciphers]
   on kali:./bin/openssl.Linux.x86_64
 
- Start 2025-06-23 17:58:48        -->> 152.53.110.40:443 (git.coresecret.dev) <<--
+ Start 2025-09-28 16:12:17        -->> 152.53.110.40:443 (git.coresecret.dev) <<--
 
  Further IP addresses:   2a0a:4cc0:80:330f:152:53:110:40
  rDNS (152.53.110.40):   git.coresecret.dev.
@@ -188,18 +189,17 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
  Server key size              RSA 4096 bits (exponent is 65537)
  Server key usage             Digital Signature, Key Encipherment
  Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
- Serial                       1230B34459C6F27FA9BCD2 (OK: length 11)
+ Serial                       13292523EB168BD226CE46 (OK: length 11)
- Fingerprints                 SHA1 1A8BD98862771602E7DD46B742FB66D6C03E622E
+ Fingerprints                 SHA1 1CCF67686A5FFF33D163EFC9E67AB5C70D1122B8
-                              SHA256 76B6FFCE607D8514F676C286C7C76B90F5B7AE7D041631F2EF2F0079AF8D24AC
+                              SHA256 565271C2C74AF9EF5F0DCA16453A643C13E43CBD5B87AB82A622E929C48C8B7B
  Common Name (CN)             coresecret.dev
  subjectAltName (SAN)         coresecret.dev git.coresecret.dev lab.coresecret.dev run.coresecret.dev www.coresecret.dev
  Trust (hostname)             Ok via SAN (same w/o SNI)
  Chain of trust               Ok
  EV cert (experimental)       no
- Certificate Validity (UTC)   153 >= 60 days (2025-05-28 09:56 --> 2025-11-23 22:59)
+ Certificate Validity (UTC)   178 >= 60 days (2025-09-27 18:27 --> 2026-03-25 22:59)
  ETS/"eTLS", visibility info  not present
- In pwnedkeys.com DB          not in database
+ In pwnedkeys.com DB          not in database Certificate Revocation List  http://crl.buypass.no/crl/BPClass2CA5.crl, not revoked
- Certificate Revocation List  http://crl.buypass.no/crl/BPClass2CA5.crl, not revoked
  OCSP URI                     http://ocsp.buypass.com, not revoked
  OCSP stapling                offered, not revoked
  OCSP must staple extension   --
@@ -226,9 +226,9 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
  Cookie(s)                    2 issued: 2/2 secure, 2/2 HttpOnly
  Security headers             X-Frame-Options: SAMEORIGIN
                               X-Content-Type-Options: nosniff
-                              Content-Security-Policy: default-src 'none'; connect-src 'self'; font-src 'self' data:; form-action 'self';
+                              Content-Security-Policy: default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'
-                                frame-src 'self'; frame-ancestors 'self'; img-src 'self' data: https://badges.coresecret.dev
+                                git.coresecret.dev; frame-src 'self'; frame-ancestors 'self'; img-src 'self' data: https://badges.coresecret.dev
-                                https://uml.coresecret.dev; manifest-src 'self'; media-src 'self' data: https://badges.coresecret.dev
+                                https://uml.coresecret.dev; manifest-src 'self' data:; media-src 'self' data: https://badges.coresecret.dev
                                 https://uml.coresecret.dev; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'none';
                               Expect-CT: max-age=86400, enforce
                               Permissions-Policy: interest-cohort=()
@@ -258,7 +258,7 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
  FREAK (CVE-2015-0204)                     not vulnerable (OK)
  DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                            make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
-                                           https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=76B6FFCE607D8514F676C286C7C76B90F5B7AE7D041631F2EF2F0079AF8D24AC
+                                           https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=565271C2C74AF9EF5F0DCA16453A643C13E43CBD5B87AB82A622E929C48C8B7B
  LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
  BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
  LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
@@ -309,7 +309,7 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
 
  Rating (experimental)
 
- Rating specs (not complete)  SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)
+ Rating specs (not complete)  SSL Labs's 'SSL Server Rating Guide' (version 2009r from 2025-05-16)
  Specification documentation  https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
  Protocol Support (weighted)  100 (30)
  Key Exchange     (weighted)  100 (30)
@@ -317,7 +317,7 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
  Final Score                  100
  Overall Grade                A+
 
- Done 2025-06-23 18:00:16 [  99s] -->> 152.53.110.40:443 (git.coresecret.dev) <<--
+ Done 2025-09-28 16:13:50 [  95s] -->> 152.53.110.40:443 (git.coresecret.dev) <<--
 ````
 
 ---

docs/BOOTPARAMS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.032.2025.10.03<br>
 
 # 2. Hardened Kernel Boot Parameters
 

docs/CHANGELOG.md

@@ -8,10 +8,16 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.032.2025.10.03<br>
 
 # 2. Changelog
 
+## V8.13.032.2025.10.03
+* **Added**: Internal Gitea Action Runner switch for static SSHFP records.
+
+## V8.13.016.2025.09.28
+* **Updated**: Debian 13 LIVE ISO workflows to use Kernel: ``6.12.48+deb13-amd64``
+
 ## V8.13.008.2025.08.22
 * **Removed**: [0003_install_backports.chroot](../.archive/0003_install_backports.chroot)
 

docs/CNET.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.032.2025.10.03<br>
 
 # 2. Centurion Net - Developer Branch Overview
 

docs/CODING_CONVENTION.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.032.2025.10.03<br>
 
 # 2. Coding Style
 

docs/CONTRIBUTING.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.032.2025.10.03<br>
 
 # 2. Contributing / participating
 

docs/CREDITS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.032.2025.10.03<br>
 
 # 2. Credits
 

docs/DL_PUB_ISO.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.032.2025.10.03<br>
 
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
 

docs/DOCUMENTATION.md

@@ -8,12 +8,12 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.032.2025.10.03<br>
 
 # 2.1. Usage
 ````text
 CISS.debian.live.builder
-Master V8.13.008.2025.08.22
+Master V8.13.032.2025.10.03
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 
 (c) Marc S. Weidner, 2018 - 2025
@@ -136,7 +136,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
 # 2.2. Contact
 ````text
 CISS.debian.live.builder
-Master V8.13.008.2025.08.22
+Master V8.13.032.2025.10.03
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 
 (c) Marc S. Weidner, 2018 - 2025

docs/REFERENCES.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.032.2025.10.03<br>
 
 # 2. Resources
 

lib/lib_arg_parser.sh

@@ -95,6 +95,7 @@ arg_parser() {
 
         --architecture)
           if [[ "${2}" == "amd64" || "${2}" == "arm64" ]]; then
+            # shellcheck disable=SC2034
             declare -gx VAR_ARCHITECTURE="${2}"
             shift 2
           else
@@ -124,12 +125,14 @@ arg_parser() {
             read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
             exit "${ERR_ARG_MSMTCH}"
           fi
-          declare -g VAR_HANDLER_CDI=true
+          # shellcheck disable=SC2034
+          declare -g VAR_HANDLER_CDI="true"
           shift 1
           ;;
 
         --change-splash )
           if [[ "${2}" == "club" || "${2}" == "hexagon" ]]; then
+            # shellcheck disable=SC2034
             declare -g VAR_HANDLER_SPLASH="${2}"
             shift 2
           else
@@ -143,6 +146,7 @@ arg_parser() {
 
         --control)
           if [[ -n "${2-}" ]]; then
+            # shellcheck disable=SC2034
             declare -g VAR_HANDLER_ISO_COUNTER="${2}"
             shift 2
           else
@@ -171,6 +175,7 @@ arg_parser() {
             read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
             exit "${ERR_ARG_MSMTCH}"
           fi
+          # shellcheck disable=SC2034
           declare -gi VAR_HANDLER_DHCP=1
           shift 1
           ;;
@@ -180,6 +185,7 @@ arg_parser() {
             declare -i count=0
             shift
             while [[ "${#}" -gt 0 && "${1}" != -* && count -lt 10 ]]; do
+              # shellcheck disable=SC2034
               declare -g ARY_HANDLER_JUMPHOST+=("$1")
               count=$((count + 1))
               shift
@@ -202,6 +208,7 @@ arg_parser() {
             read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
             exit "${ERR_ARG_MSMTCH}"
           fi
+          # shellcheck disable=SC2034
           declare -gi VAR_HANDLER_STA=1
           shift 1
           ;;
@@ -209,10 +216,12 @@ arg_parser() {
         --provider-netcup-ipv6)
           if [[ -n "${2-}" && "${2}" != -* ]]; then
             declare -i count=0
-            declare -g VAR_HANDLER_NETCUP_IPV6=true
+            # shellcheck disable=SC2034
+            declare -g VAR_HANDLER_NETCUP_IPV6="true"
             shift
             while [[ "${#}" -gt 0 && "${1}" != -* && count -lt 1 ]]; do
               declare cleaned="${1//[\[\]]/}"
+              # shellcheck disable=SC2034
               declare -g ARY_HANDLER_NETCUP_IPV6+=("${cleaned}")
               count=$((count + 1))
               shift
@@ -230,6 +239,7 @@ arg_parser() {
 
         --renice-priority)
           if [[ -n ${2-} && ${2} =~ ^-?[0-9]+$ && ${2} -ge -19 && ${2} -le 19 ]]; then
+            # shellcheck disable=SC2034
             VAR_HANDLER_PRIORITY="$2"
             shift 2
           else
@@ -249,6 +259,7 @@ arg_parser() {
             exit "${ERR_REIONICE_P}"
           else
             if [[ "${2}" =~ ^[1-3]$ ]]; then
+              # shellcheck disable=SC2034
               VAR_REIONICE_CLASS="${2}"
               if [[ -z "${3-}" ]]; then
                 :
@@ -359,6 +370,7 @@ arg_parser() {
           hash_temp=$(mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608 "${plaintext_pw}")
           [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
 
+          # shellcheck disable=SC2034
           declare -g VAR_HASHED_PWD="${hash_temp}"
           unset hash_temp plaintext_pw
 
@@ -375,6 +387,7 @@ arg_parser() {
 
         --ssh-port)
           if [[ -n "${2-}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then
+            # shellcheck disable=SC2034
             declare -gi VAR_SSHPORT="${2}"
             shift 2
           else
@@ -385,12 +398,20 @@ arg_parser() {
           fi
           ;;
 
+        --sshfp)
+        # shellcheck disable=SC2034
+          declare -g VAR_SSHFP="true"
+          shift 1
+          ;;
+
         --ssh-pubkey)
+        # shellcheck disable=SC2034
           declare -g VAR_SSHPUBKEY="${2}"
           shift 2
           ;;
 
         --trixie)
+        # shellcheck disable=SC2034
           declare -g VAR_SUITE="trixie"
           shift 1
           ;;

lib/lib_hardening_ultra.sh

@@ -166,7 +166,25 @@ hardening_ultra() {
     ' "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" > temp && mv temp "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/package-lists done.\e[0m\n"
 
+
+
+  ### Updating SSH Keys, Ports.
   printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating SSH Keys, Ports ... \e[0m\n"
+
+  ### Check for static SSHFP key material via Gitea Actions Runner Secrets injection.
+  if [[ "${VAR_SSHFP}" == "true" ]]; then
+
+    rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9930_hardening_ssh.chroot"
+    rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
+
+  else
+
+    rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot"
+    rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
+
+  fi
+
+
   if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"  ]]; then
 
     mkdir -p  "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"

lib/lib_usage.sh

@@ -35,13 +35,13 @@ usage() {
   # shellcheck disable=SC2155
   declare var_header=$(center "CLB(1)                        CISS.debian.live.builder                        CLB(1)" "${var_cols}")
   # shellcheck disable=SC2155
-  declare var_footer=$(center "V8.13.008.2025.08.22                        2025-08-11                        CLB(1)" "${var_cols}")
+  declare var_footer=$(center "V8.13.032.2025.10.03                        2025-08-11                        CLB(1)" "${var_cols}")
 
   {
     echo -e "\e[1;97m${var_header}\e[0m"
     echo
     echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V8.13.008.2025.08.22\e[0m"
+    echo -e "\e[92mMaster V8.13.032.2025.10.03\e[0m"
     echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
     echo
     echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"

scripts/0010_dhcp_supersede.sh

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 

scripts/0100_centurion_dns.sh

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

scripts/9000-cdi-starter

@@ -9,20 +9,22 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 [[ ! -d /root/.cdi/log ]] && mkdir -p /root/.cdi/log
-printf "CISS.debian.installer Master V8.13.008.2025.08.22 is up!" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+printf "CISS.debian.installer Master V8.13.032.2025.10.03 is up! \n" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
 
 if [[ -f /root/git/CISS.debian.installer/ciss_debian_installer.sh ]]; then
+
   chmod 0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh
-  0700 /root/git/CISS.debian.installer/ciss_debian_installer.sh
+
 fi
 
+printf "CISS.debian.installer Master V8.13.032.2025.10.03 successfully executed! \n" >| /root/.cdi/log/boot_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${0}"
-# sleep 1
+
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

scripts/etc/network/9999_interfaces_update_netcup.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

var/early.var.sh

@@ -14,7 +14,7 @@
 
 # shellcheck disable=SC2155
 declare -grx VAR_CONTACT="security@coresecret.eu"
-declare -grx VAR_VERSION="Master V8.13.008.2025.08.22"
+declare -grx VAR_VERSION="Master V8.13.032.2025.10.03"
 declare -grx VAR_SYSTEM="$(uname -a)"
 declare -gx  VAR_EARLY_DEBUG="false"
 declare -gx  VAR_HANDLER_AUTOBUILD="false"

var/global.var.sh

@@ -38,6 +38,7 @@ declare -g VAR_SCRIPT_SUCCESS="false"
 declare -g VAR_SUITE="bookworm"
 declare -g VAR_HANDLER_NETCUP_IPV6="false"
 declare -g VAR_HASHED_PWD=""
+declare -g VAR_SSHFP="false"
 declare -gi VAR_HANDLER_STA=0
 declare -gi VAR_HANDLER_PRIORITY=0
 declare -gi VAR_REIONICE_CLASS=2