DEPLOY BOT : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]

X-CI-Metadata: master@181b73b at 2025-10-07T00:00:01Z on ff2a36e41830

Generated at : 2025-10-07T00:00:01Z
Runner Host  : ff2a36e41830
Workflow ID  : 🔐 Generating a Private Live ISO TRIXIE.
Git Commit   : 181b73b HEAD -> master

.archive/.0000_lib_usage.sh

@@ -21,7 +21,7 @@ usage() {
   clear
   cat << EOF
 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.13.008.2025.08.22\e[0m")
+$(echo -e "\e[92mMaster V8.13.048.2025.10.06\e[0m")
 $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
 
 $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")

.archive/0003_install_backports.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

.archive/1024_git_clone_ciss_debian_installer.chroot

@@ -9,17 +9,14 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
-# TODO: MUST be uncommented
 cd /root/git
-# git clone https://git.coresecret.dev/msw/CISS.debian.installer.git
+git clone https://git.coresecret.dev/msw/CISS.debian.installer.git
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml

@@ -25,7 +25,7 @@ body:
     attributes:
       label: "Version"
       description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.13.008.2025.08.22"
+      placeholder: "e.g., Master V8.13.048.2025.10.06"
     validations:
       required: true
 

.gitea/TODO/dockerfile

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.13.008.2025.08.22
+### Version Master V8.13.048.2025.10.06
 
 FROM debian:bookworm
 

.gitea/TODO/render-md-to-html.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.13.008.2025.08.22
+### Version Master V8.13.048.2025.10.06
 
 name: 🔁 Render README.md to README.html.
 

.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.008.2025.08.22
+  version: V8.13.048.2025.10.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.008.2025.08.22
+  version: V8.13.048.2025.10.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PUBLIC.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.008.2025.08.22
+  version: V8.13.048.2025.10.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_dns.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.008.2025.08.22
+  version: V8.13.048.2025.10.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PRIVATE_trixie_0.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.13.008.2025.08.22
+### Version Master V8.13.048.2025.10.06
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 
@@ -51,6 +51,7 @@ jobs:
             gnupg \
             openssh-client \
             openssl \
+            perl \
             sudo \
             util-linux
 
@@ -136,17 +137,63 @@ jobs:
           echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
           echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
 
+      - name: 🔧 Render live hook with secrets.
+        shell: bash
+        working-directory: ${{ github.workspace }}
+        env:
+          ED25519_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
+          ED25519_PUB:  ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
+          RSA_PRIV:     ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
+          RSA_PUB:      ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
+        run: |
+          set -Ceuo pipefail
+          umask 077
+
+          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
+
+          TPL="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
+          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
+
+          if [[ ! -f "$TPL" ]]; then
+            echo "Template not found: $TPL"
+            echo "::group::Tree of config/hooks/live"
+            ls -la "$REPO_ROOT/config/hooks/live" || true
+            echo "::endgroup::"
+            exit 2
+          fi
+
+          export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
+          export ED25519_PUB="${ED25519_PUB//$'\r'/}"
+          export RSA_PRIV="${RSA_PRIV//$'\r'/}"
+          export RSA_PUB="${RSA_PUB//$'\r'/}"
+
+          perl -0777 -pe '
+            BEGIN{
+              $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
+              $rsa=$ENV{RSA_PRIV};    $rsapub=$ENV{RSA_PUB};
+            }
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
+          ' "$TPL" > "$OUT"
+
+          chmod 0755 "$OUT"
+          echo "Hook rendered: $OUT"
+
       - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
         shell: bash
+        working-directory: ${{ github.workspace }}
         run: |
           set -euo pipefail
           chmod 0755 ciss_live_builder.sh
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: '6.12.41+deb13-amd64'.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
           ./ciss_live_builder.sh \
-            --autobuild=6.12.41+deb13-amd64 \
+            --autobuild=6.16.3+deb13-amd64 \
             --architecture amd64 \
             --build-directory /opt/livebuild \
+            --cdi \
             --control "${timestamp}" \
             --debug \
             --dhcp-centurion \
@@ -155,8 +202,14 @@ jobs:
             --root-password-file /opt/config/password.txt \
             --ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
             --ssh-pubkey /opt/config \
+            --sshfp \
             --trixie
 
+          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
+          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
+          rm -f "$OUT"
+          echo "Hook removed: $OUT"
+
       - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
         shell: bash
         env:

.gitea/workflows/generate_PRIVATE_trixie_1.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.13.008.2025.08.22
+### Version Master V8.13.048.2025.10.06
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 
@@ -51,6 +51,7 @@ jobs:
             gnupg \
             openssh-client \
             openssl \
+            perl \
             sudo \
             util-linux
 
@@ -136,24 +137,76 @@ jobs:
           echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/config/password.txt
           echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/config/authorized_keys
 
+      - name: 🔧 Render live hook with secrets.
+        shell: bash
+        working-directory: ${{ github.workspace }}
+        env:
+          ED25519_PRIV: ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
+          ED25519_PUB:  ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
+          RSA_PRIV:     ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
+          RSA_PUB:      ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
+        run: |
+          set -Ceuo pipefail
+          umask 077
+
+          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
+
+          TPL="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
+          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
+
+          if [[ ! -f "$TPL" ]]; then
+            echo "Template not found: $TPL"
+            echo "::group::Tree of config/hooks/live"
+            ls -la "$REPO_ROOT/config/hooks/live" || true
+            echo "::endgroup::"
+            exit 2
+          fi
+
+          export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
+          export ED25519_PUB="${ED25519_PUB//$'\r'/}"
+          export RSA_PRIV="${RSA_PRIV//$'\r'/}"
+          export RSA_PUB="${RSA_PUB//$'\r'/}"
+
+          perl -0777 -pe '
+            BEGIN{
+              $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
+              $rsa=$ENV{RSA_PRIV};    $rsapub=$ENV{RSA_PUB};
+            }
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
+          ' "$TPL" > "$OUT"
+
+          chmod 0755 "$OUT"
+          echo "Hook rendered: $OUT"
+
       - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
         shell: bash
+        working-directory: ${{ github.workspace }}
         run: |
           set -euo pipefail
           chmod 0755 ciss_live_builder.sh
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: '6.12.41+deb13-amd64'.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
           ./ciss_live_builder.sh \
-            --autobuild=6.12.41+deb13-amd64 \
+            --autobuild=6.16.3+deb13-amd64 \
             --architecture amd64 \
             --build-directory /opt/livebuild \
+            --cdi \
             --control "${timestamp}" \
             --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
             --root-password-file /opt/config/password.txt \
             --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
             --ssh-pubkey /opt/config \
+            --sshfp \
             --trixie
 
+          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
+          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
+          rm -f "$OUT"
+          echo "Hook removed: $OUT"
+
       - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
         shell: bash
         env:

.gitea/workflows/generate_PUBLIC_iso.yaml

@@ -9,10 +9,14 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.13.008.2025.08.22
+### Version Master V8.13.048.2025.10.06
 
 name: 💙 Generating a PUBLIC Live ISO.
 
+defaults:
+  run:
+    shell: bash
+
 permissions:
   contents: write
 
@@ -24,161 +28,31 @@ on:
       - '.gitea/trigger/t_generate_PUBLIC.yaml'
 
 jobs:
-  generate-private-ciss-debian-live-iso:
+  generate-public-cdlb-trixie:
     name: 💙 Generating a PUBLIC Live ISO.
-    runs-on: ciss.debian.live.builder.iso.generator
+    runs-on: cdlb.trixie
 
-    ### Run all steps inside Debian Bookworm
     container:
-      image: debian:bookworm
+      image: debian:trixie
 
     steps:
-      - name: 🛠️ Basic Image Setup and enable Bookworm Backports.
-        run: |
-          apt-get update -y
-          apt-get install -y apt-transport-https apt-utils bash ca-certificates openssl sudo
-          echo 'deb https://deb.debian.org/debian bookworm-backports main' \
-            >| /etc/apt/sources.list.d/bookworm-backports.list
-          apt-get update -y
-          apt-get upgrade -y
-
-      - name: 🛠️ Installing Build Tools.
+      - name: 🛠️ Basic Image Setup.
         shell: bash
         run: |
-          apt-get update -y
-          apt-get install -y \
-            autoconf \
-            automake \
-            build-essential \
-            cryptsetup \
+          export DEBIAN_FRONTEND=noninteractive
+          apt-get update
+          apt-get upgrade -y
+          apt-get install -y --no-install-recommends \
+            apt-utils \
+            bash \
+            ca-certificates \
             curl \
-            debootstrap \
-            dosfstools \
-            efibootmgr \
-            gettext \
             git \
             gnupg \
-            haveged \
-            libbz2-dev \
-            zlib1g-dev \
-            liblzma-dev \
-            libtool \
-            live-build \
-            parted \
-            pkg-config \
-            ssh \
-            ssl-cert \
+            openssh-client \
+            openssl \
             sudo \
-            texinfo \
-            wget \
-            whois \
-
-      - name: 🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.
-        shell: bash
-        run: |
-          urls=(
-            "https://gnupg.org/ftp/gcrypt/npth/npth-1.8.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.55.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.11.1.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libksba/libksba-1.6.7.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/libassuan/libassuan-3.0.2.tar.bz2"
-            "https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2"
-          )
-
-          wget --https-only https://gnupg.org/signature_key.asc -O signature_key.asc > /dev/null 2>&1
-          gpg --batch --import signature_key.asc
-
-          for url in "${urls[@]}"; do
-            archive_name="${url##*/}"
-            pkg_name="${archive_name%.tar.bz2}"
-            echo "🔄 Processing ${pkg_name}"
-            if [[ ! -f "${archive_name}" ]]; then
-              echo "📥 Downloading: '${archive_name}'."
-              if wget --https-only "${url}" -O "${archive_name}" > /dev/null 2>&1 && wget --https-only "${url}.sig" -O "${archive_name}.sig" > /dev/null 2>&1; then
-                echo "✅ Download successful: '${archive_name}'."
-              else
-                echo "❌ Download NOT successful: '${archive_name}'."
-                exit 1
-              fi
-            else
-              echo "💡 Skipping download, package already exists: '${archive_name}'."
-            fi
-
-            if ! gpg --verify "${archive_name}.sig" "${archive_name}"; then echo "❌ Bad Signature: '${archive_name}'.";exit 1; fi
-
-            if [[ ! -d "${pkg_name}" ]]; then
-              echo "📂 Extracting: '${archive_name}'."
-              if tar -xjf "${archive_name}"; then
-                echo "✅ Extraction successful: '${archive_name}'."
-              else
-                echo "❌ Extraction not successful: '${archive_name}'."
-                exit 1
-              fi
-            else
-              echo "💡 Skipping directory, already exists: '${pkg_name}'."
-            fi
-
-            echo "🏗️ Build and install the package: '${pkg_name}'."
-            cd "${pkg_name}" || { echo "❌ Could not change to '${pkg_name}'."; exit 1; }
-            mkdir -p build
-            cd build || { echo "❌ Could not change to '/build'."; exit 1; }
-
-            sudo ../configure > /dev/null 2>&1  || { echo "❌ '../configure' NOT successful for '${pkg_name}'."; exit 1; }
-            make > /dev/null 2>&1 || { echo "❌ 'make' NOT successful for '${pkg_name}'."; exit 1; }
-            sudo make install > /dev/null 2>&1 || { echo "❌ 'make install' NOT successful for '${pkg_name}'."; exit 1; }
-
-            cd ../.. || { echo "❌ Could not change to '../..'."; exit 1; }
-
-            rm -f "${archive_name}" && rm -f "${archive_name}.sig" && echo "✅ Removed archive: '${pkg_name}'."
-            rm -fr "${pkg_name}" && echo "✅ Removed build artifacts: '${pkg_name}'."
-            echo "✅ Successful build and installation of '${pkg_name}'."
-            echo "-------------------------------------------------------------------------------------"
-
-          done
-
-          rm -f signature_key.asc
-
-          echo "✅ All packages were built and installed successfully."
-
-          mv_bin=(
-            "/usr/bin/gpg"
-            "/usr/bin/gpg-agent"
-            "/usr/bin/gpgconf"
-            "/usr/bin/gpg-connect-agent"
-            "/usr/bin/gpg-wks-client"
-            "/usr/bin/gpg-preset-passphrase"
-          )
-
-          for bin in "${mv_bin[@]}"; do
-            name="${bin##*/}"
-            if [[ -f "${bin}" && -f "/usr/local/bin/${name}" ]]; then
-              if mv "${bin}" "${bin}.debian-backup"; then
-                echo "✅ Moved successfully: '${bin}'."
-              else
-                echo "❌ Moved NOT successfully: '${bin}'."
-              fi
-            else
-              echo "💡 Does not exist as build binary: '${bin}'."
-            fi
-          done
-
-          for bin in "${mv_bin[@]}"; do
-            name="${bin##*/}"
-            if [[ -f "/usr/local/bin/${name}" ]]; then
-              if update-alternatives --install "${bin}" "${name}" "/usr/local/bin/${name}" 100; then
-                echo "✅ 'update-alternatives' successfully: '${bin}'."
-              else
-                echo "❌ 'update-alternatives' NOT successfully: '${bin}'."
-              fi
-            else
-              echo "💡 Does not exist: '/usr/local/bin/${name}'."
-            fi
-          done
-
-          sudo ldconfig
-
-          gpgconf --kill all
-          /usr/local/bin/gpg-agent --daemon
+            util-linux
 
       - name: ⚙️ Check GnuPG Version.
         shell: bash
@@ -269,15 +143,18 @@ jobs:
           sed -i '/^hardening_ssh.*/d' ciss_live_builder.sh
           chmod 0755 ciss_live_builder.sh
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: 6.12.22+bpo-amd64.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
           ./ciss_live_builder.sh \
-            --autobuild=6.1.0-37-amd64 \
+            --autobuild=6.16.3+deb13-amd64 \
             --architecture amd64 \
             --build-directory /opt/livebuild \
+            --cdi \
             --control "${timestamp}" \
+            --debug \
             --root-password-file /opt/config/password.txt \
             --ssh-port 42137 \
-            --ssh-pubkey /opt/config
+            --ssh-pubkey /opt/config \
+            --trixie
 
       - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
         shell: bash
@@ -364,11 +241,12 @@ jobs:
           gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
 
           timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+          VAR_DATE="$(date +%F)"
           PRIVATE_FILE="LIVE_ISO.public"
           touch "${PRIVATE_FILE}"
           cat << EOF >| "${PRIVATE_FILE}"
           # SPDX-Version: 3.0
-          # SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
           # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
           # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
           # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>

.gitea/workflows/linter_char_scripts.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.13.008.2025.08.22
+### Version Master V8.13.048.2025.10.06
 
 # Gitea Workflow: Shell-Script Linting
 #

.gitea/workflows/render-dnssec-status.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.13.008.2025.08.22
+### Version Master V8.13.048.2025.10.06
 
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
 

.gitea/workflows/render-dot-to-png.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.13.008.2025.08.22
+### Version Master V8.13.048.2025.10.06
 
 name: 🔁 Render Graphviz Diagrams.
 

.version.properties

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.008.2025.08.22"
+properties_version="V8.13.048.2025.10.06"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

CISS.debian.live.builder.spdx

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.008.2025.08.22
+PackageVersion: Master V8.13.048.2025.10.06
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder

LINTER_RESULTS.txt

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-08-22T17:25:58Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-10-06T23:10:27Z"
 
 ✅ The last linter check was successful. ✅
 

LIVE_ISO.public

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-01; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-08-11T22:40:21Z".
+This file was automatically generated by the DEPLOY BOT on: "2025-10-06T21:22:13Z"
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_08_11T21_49_56Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_10_06T20_28_04Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  4aa02673b9a8d5b974014eca4371d1ed69b05eaea9e92203cf7c092880833e18812bf31ab053399eda98b7a3da0b76b8dcdaaba892e9f52f836ea9d2b0e09e38
+  462f68354a3b7e1c17d654126e686783694feb88fb1cb90787e262e4a6332d69f6abea2d1a67adc459f6ba8c6720defbe87c739eb2947a9f2410e10c56f6615c
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaJpxVQAKCRA85KY4hzOw
-IZWOAQDJriUoDvDNSQiHbFfW4KVV1E1wqe12eS7GyfVFr9bISwEAoDKhQ85+RiGr
-pCdWqvU8wcfzEIlKIpAgAZVrhX/xRw8=
-=wNVV
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaOQzBQAKCRA85KY4hzOw
+IaBlAQDVAFVdGRDFZ//1gBlQIAFlmYSV7G5/k2gl3mX+CvRpTgEAlyjD63v9dGiI
+WBMF9hYXElzZ7BC7nOzpEWMsNbKbRgI=
+=nPKO
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_TRIXIE_0.private

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-08-22T16:55:09Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-10-06T19:34:02Z"
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_08_22T16_11_02Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_10_06T18_30_18Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  35c288d96239804e244cbe99c8ce3895aec39104a7200c2ef7326d38e1ec4eea3bf60b895eaa4d981cb718ae4d27d2d4166f16252b88606a870d14c3db096a37
+  e1964f783ce6da34853a73fc27723228a71d3f5afde9388fadf686f1a367ed36f8fbe4ad0747b842395603f549b6d99b1cff25938511093f5313a310bf94b7fe
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaKig7QAKCRA85KY4hzOw
-IWKWAP0Wlqbi3ArURSGW5m+E+OstdsU7qHjf+e1SVRJ3BGUzaAEAr3ceyHiiA2/7
-RlXsvZxNgVDaEVSdjmt99dMrZK7DRws=
-=4Oh3
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaOQZqgAKCRA85KY4hzOw
+IeeUAP4i9Dh/ZBJVCfwlWzyIqbR0SBHio2ErW+NuQ7KOKxG6JwD+If47NhNGmazi
+QTTQAWOjdQiCibBZFO1h9udGX4SFvww=
+=gaNi
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_TRIXIE_1.private

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-08-22T17:41:13Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-10-06T23:59:58Z"
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_08_22T16_56_12Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_10_06T23_10_02Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  4925332b61dbd91f0c444624bbe7de586dbd911fbb27b080a99e44ae312c5139afc502d0415d0bef7dfbd1e5461c07e0a0700f7206e746a91cbcb5403ef003e3
+  b6fea877a0107b4ab715ef898187f061d77c599ab671dc3026833f0acfec37fde3d97367c2cd757a3fa359eb717db0f23d49d9b7c3ddcf919449f8d3e00ac922
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaKiruQAKCRA85KY4hzOw
-IdoTAQDqyOBkGA0xDoLsDvjFSaf3tmzz8mD/5qvsDtF6y/rEWwD/dAXzMOdQjxg8
-IcK+GK6u4k5/HT5bYlCvTy/WxRb5ggQ=
-=boDM
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaORX/gAKCRA85KY4hzOw
+IVqhAQDzPkKEstVodAu0ZqI8vc0YbjLyUBQLZu1mpRZ8iwJdSgD/YYpe2uktaMLj
+FN869xpuNo38nZDUTKwER29fQxFaSAE=
+=niz8
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

README.md

@@ -2,17 +2,17 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.008.2025.08.22-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.048.2025.10.06-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
  
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)  
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)  
-[![Static Badge](https://badges.coresecret.dev/badge/Bash-V5.2.15-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=Bash&color=%234EAA25)](https://www.gnu.org/software/bash/)  
+[![Static Badge](https://badges.coresecret.dev/badge/Bash-V5.2.37-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=Bash&color=%234EAA25)](https://www.gnu.org/software/bash/)  
 [![Static Badge](https://badges.coresecret.dev/badge/shellcheck-passed-white?style=plastic&logo=gnubash&logoColor=white&logoSize=auto&label=shellcheck&color=%234EAA25)](https://shellcheck.net/)  
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh)  
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
  
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.5-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)  
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)  
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.6-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)  
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)  
 [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/)  
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de)  
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/)  
@@ -26,7 +26,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.048.2025.10.06<br>
 
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -151,7 +151,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
 
-Example: `V8.13.008.2025.08.22`
+Example: `V8.13.048.2025.10.06`
 
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
 
@@ -453,6 +453,7 @@ predictable script behavior.
                           --build-directory /opt/livebuild \
                           --change-splash hexagon \
                           --control "${timestamp}" \
+                          --cdi \
                           --debug \
                           --dhcp-centurion \
                           --jump-host 10.0.0.128 [c0de:4711:0815:4242::1] [2abc:4711:0815:4242::1]/64 \

config/hooks/live/0000_generate_backup_dir.chroot

@@ -9,10 +9,9 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 mkdir -p /root/.ciss/dlb/backup
 chmod 0700 /root/.ciss/dlb/backup
@@ -21,7 +20,6 @@ mkdir -p /root/git
 chmod 0700 /root/git
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0001_initramfs_modules.chroot

@@ -9,10 +9,9 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 #######################################
 # Get all NIC Driver of the current Host-machine
@@ -331,7 +330,6 @@ chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder
 update-initramfs -u -k all
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0002_verify_checksums.chroot

@@ -9,10 +9,9 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 target="/usr/lib/live/boot/0030-verify-checksums"
 src="$(mktemp)"
@@ -138,7 +137,6 @@ rm -f "${src}"
 unset target src
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0050_activate_root.chroot

@@ -9,16 +9,13 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 if [[ ! -f /root/.pwd ]]; then
   printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ /root/.pwd NOT found. \e[0m\n"
-  # sleep 1
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Exiting Hook ... \e[0m\n"
-  # sleep 1
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' done. Nothing changed. \e[0m\n" "${0}"
   exit 0
 fi
@@ -38,7 +35,6 @@ sed -i "s|^user:[^:]*:\(.*\)|user:${safe_hashed_pwd}:\1|" /etc/shadow
 unset hashed_pwd safe_hashed_pwd
 
 cat /etc/shadow
-# sleep 1
 
 if shred -vfzu -n 5 /root/.pwd; then
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: -vfzu -n 5 >> done. \e[0m\n"
@@ -47,7 +43,6 @@ else
 fi
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0080_keyboard_layout.chroot

@@ -9,10 +9,9 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 cat << 'EOF' >| /etc/default/keyboard
 XKBMODEL="pc105"
@@ -25,7 +24,6 @@ EOF
 dpkg-reconfigure -f noninteractive keyboard-configuration
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0090_haveged.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0120_set_hostname.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0130_machineid.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0400_eza_install.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0800_lynis_setup.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0810_chrony_setup.chroot

@@ -9,10 +9,9 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 mkdir -p /var/log/chrony
 # See https://coresecret.eu/tutorials/debian-package-glossary/ for a brief description of the installed packages.

config/hooks/live/0820_kernel_hardening_checker.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0822_ssh_restart_hook.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0825_my_sqltuner_perl.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0830_download_yq.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0835_testssl.sh.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0845_harbian_audit.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0850_ssh_audit.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0855_dnsviz.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/0900_ufw_setup.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9900_process_accounting.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9910_motd.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
@@ -24,7 +24,7 @@ EOF
 
 chmod 0755 /etc/update-motd.d/10-uname
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${0}"
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
 # sleep 1
 
 exit 0

config/hooks/live/9920_deleting_invalid_x509.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9930_hardening_ssh.chroot

@@ -9,17 +9,18 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 cd /etc/ssh || {
   printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
 }
 rm -rf ssh_host_*key*
 
+# shellcheck disable=SC2312
 ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)"
+# shellcheck disable=SC2312
 ssh-keygen -o -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"
 
 awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
@@ -44,7 +45,26 @@ ssh-keygen -r @ >| /root/sshfp
 # The chmod +x command ensures that the file is executed in every shell session.          #
 ###########################################################################################
 cat << 'EOF' >| /etc/profile.d/idle-users.sh
-declare -girx TMOUT=14400
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+case $- in
+  *i*)
+    TMOUT=14400
+    export TMOUT
+    readonly TMOUT
+  ;;
+esac
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 
 chmod +x /etc/profile.d/idle-users.sh
@@ -58,7 +78,6 @@ EOF
 chmod 0644 /etc/systemd/system/ssh.service.d/override.conf
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9935_hardening_ssh.chroot.tmpl

@@ -0,0 +1,94 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+cd /etc/ssh || {
+  printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
+}
+
+cat << 'EOF' >| ssh_host_ed25519_key
+{{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
+EOF
+
+cat << 'EOF' >| ssh_host_ed25519_key.pub
+{{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
+EOF
+
+cat << 'EOF' >| ssh_host_rsa_key
+{{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
+EOF
+
+cat << 'EOF' >| ssh_host_rsa_key.pub
+{{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
+EOF
+
+awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
+rm -rf /etc/ssh/moduli
+mv /etc/ssh/moduli.safe /etc/ssh/moduli
+
+chmod 0600 /etc/ssh/ssh_host_*_key
+chown root:root /etc/ssh/ssh_host_*_key
+chmod 0644 /etc/ssh/ssh_host_*_key.pub
+chown root:root /etc/ssh/ssh_host_*_key.pub
+
+chmod 600 /etc/ssh/sshd_config /etc/ssh/ssh_config
+
+touch /root/sshfp
+ssh-keygen -r @ >| /root/sshfp
+
+###########################################################################################
+# Remarks: The file /etc/profile.d/idle-users.sh is created to set two read-only          #
+# environment variables: TMOUT and HISTFILE.                                              #
+# TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
+# readonly HISTFILE ensures that the command history cannot be changed.                   #
+# The chmod +x command ensures that the file is executed in every shell session.          #
+###########################################################################################
+cat << 'EOF' >| /etc/profile.d/idle-users.sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+case $- in
+  *i*)
+    TMOUT=14400
+    export TMOUT
+    readonly TMOUT
+  ;;
+esac
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+chmod +x /etc/profile.d/idle-users.sh
+
+mkdir -p /etc/systemd/system/ssh.service.d
+cat << 'EOF' >| /etc/systemd/system/ssh.service.d/override.conf
+[Unit]
+After=ufw.service
+Requires=ufw.service
+EOF
+chmod 0644 /etc/systemd/system/ssh.service.d/override.conf
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+# sleep 1
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9940_hardening_memory.dump.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9950_fail2ban_hardening.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9960_disable_services.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9970_remove_exim.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9980_usb_guard.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9985_clamav.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9990_final_purge.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
@@ -52,7 +52,7 @@ apt-get autopurge -y
 
 updatedb
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${0}"
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
 # sleep 1
 
 exit 0

config/hooks/live/9991_file_permissions.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1
@@ -99,7 +99,7 @@ for bin in as gcc g++ cc clang; do
 done
 unset bin target
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successful applied. \e[0m\n" "${0}"
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
 # sleep 1
 
 exit 0

config/hooks/live/9992_password_expiration.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9993_aide.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9994_password_policy.chroot

@@ -13,7 +13,7 @@
 ### NIST recommends at least eight characters but advises longer passphrases (e.g., 12-64) for increased security.
 ### NIST SP 800-63B, https://pages.nist.gov/800-63-3/sp800-63b.html
 
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9995_sysstat.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9996_auditd.chroot

@@ -12,7 +12,7 @@
 
 ### https://github.com/linux-audit/audit-userspace/tree/master/rules
 
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9997_debsums.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9998_sources_list_bookworm.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9998_sources_list_trixie.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/hooks/live/9999_interfaces_update.chroot

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 # sleep 1

config/includes.chroot/etc/ssh/sshd_config

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.13.008.2025.08.22
+### Version Master V8.13.048.2025.10.06
 
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig

config/includes.chroot/etc/sysctl.d/99_local.hardened

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Version Master V8.13.008.2025.08.22
+### Version Master V8.13.048.2025.10.06
 
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/

config/includes.chroot/preseed/.iso/iso.sh

@@ -9,7 +9,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 
 # The example names get mapped to their roles here
 declare timestamp

config/includes.chroot/preseed/.iso/preseed_hash_generator.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-declare -gr VERSION="Master V8.13.008.2025.08.22"
+declare -gr VERSION="Master V8.13.048.2025.10.06"
 
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then

config/includes.chroot/preseed/preseed.cfg

@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.008.2025.08.22 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.048.2025.10.06 at: 10:18:37.9542

config/package-lists/live.list.common.chroot

@@ -21,6 +21,7 @@ bash-completion
 bat
 bc
 bind9-dnsutils
+bison
 bsdmainutils
 btrfs-progs
 build-essential
@@ -28,6 +29,7 @@ bzip2
 ca-certificates
 clamav
 clamav-daemon
+clang-18
 console-setup
 cpuid
 cryptsetup
@@ -47,6 +49,7 @@ dirmngr
 dmsetup
 dnsviz
 dosfstools
+dpkg-dev
 e2fsprogs
 efibootmgr
 expect
@@ -54,6 +57,7 @@ fail2ban
 fdisk
 figlet
 fio
+flex
 fzf
 gawk
 gdisk
@@ -80,6 +84,7 @@ linux-source
 live-boot
 live-config
 live-config-systemd
+lld-18
 locate
 logrotate
 lsb-release

docs/AUDIT_DNSSEC.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.048.2025.10.06<br>
 
 # 2. DNSSEC Status
 

docs/AUDIT_HAVEGED.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.048.2025.10.06<br>
 
 # 2. Haveged Audit on Netcup RS 2000 G11
 

docs/AUDIT_LYNIS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.048.2025.10.06<br>
 
 # 2. Lynis Audit:
 

docs/AUDIT_SSH.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.048.2025.10.06<br>
 
 # 2. SSH Audit by ssh-audit.com
 

docs/AUDIT_TLS.md

@@ -8,14 +8,15 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.048.2025.10.06<br>
 
 # 2. TLS Audit:
-
 ````text
+./testssl.sh --show-each --wide --phone-out --full https://git.coresecret.dev/
+
 #####################################################################
-  testssl.sh version 3.2.1 from https://testssl.sh/
-  (81471c3 2025-06-15 09:48:31)
+  testssl.sh version 3.2.2 from https://testssl.sh/
+  (2e77f5e 2025-09-22 19:35:27)
 
   This program is free software. Distribution and modification under
   GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
@@ -26,7 +27,7 @@ include_toc: true
   Using OpenSSL 1.0.2-bad (Mar 28 2025)  [~179 ciphers]
   on kali:./bin/openssl.Linux.x86_64
 
- Start 2025-06-23 17:58:48        -->> 152.53.110.40:443 (git.coresecret.dev) <<--
+ Start 2025-09-28 16:12:17        -->> 152.53.110.40:443 (git.coresecret.dev) <<--
 
  Further IP addresses:   2a0a:4cc0:80:330f:152:53:110:40
  rDNS (152.53.110.40):   git.coresecret.dev.
@@ -188,18 +189,17 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
  Server key size              RSA 4096 bits (exponent is 65537)
  Server key usage             Digital Signature, Key Encipherment
  Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
- Serial                       1230B34459C6F27FA9BCD2 (OK: length 11)
- Fingerprints                 SHA1 1A8BD98862771602E7DD46B742FB66D6C03E622E
-                              SHA256 76B6FFCE607D8514F676C286C7C76B90F5B7AE7D041631F2EF2F0079AF8D24AC
+ Serial                       13292523EB168BD226CE46 (OK: length 11)
+ Fingerprints                 SHA1 1CCF67686A5FFF33D163EFC9E67AB5C70D1122B8
+                              SHA256 565271C2C74AF9EF5F0DCA16453A643C13E43CBD5B87AB82A622E929C48C8B7B
  Common Name (CN)             coresecret.dev
  subjectAltName (SAN)         coresecret.dev git.coresecret.dev lab.coresecret.dev run.coresecret.dev www.coresecret.dev
  Trust (hostname)             Ok via SAN (same w/o SNI)
  Chain of trust               Ok
  EV cert (experimental)       no
- Certificate Validity (UTC)   153 >= 60 days (2025-05-28 09:56 --> 2025-11-23 22:59)
+ Certificate Validity (UTC)   178 >= 60 days (2025-09-27 18:27 --> 2026-03-25 22:59)
  ETS/"eTLS", visibility info  not present
- In pwnedkeys.com DB          not in database
- Certificate Revocation List  http://crl.buypass.no/crl/BPClass2CA5.crl, not revoked
+ In pwnedkeys.com DB          not in database Certificate Revocation List  http://crl.buypass.no/crl/BPClass2CA5.crl, not revoked
  OCSP URI                     http://ocsp.buypass.com, not revoked
  OCSP stapling                offered, not revoked
  OCSP must staple extension   --
@@ -226,9 +226,9 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
  Cookie(s)                    2 issued: 2/2 secure, 2/2 HttpOnly
  Security headers             X-Frame-Options: SAMEORIGIN
                               X-Content-Type-Options: nosniff
-                              Content-Security-Policy: default-src 'none'; connect-src 'self'; font-src 'self' data:; form-action 'self';
-                                frame-src 'self'; frame-ancestors 'self'; img-src 'self' data: https://badges.coresecret.dev
-                                https://uml.coresecret.dev; manifest-src 'self'; media-src 'self' data: https://badges.coresecret.dev
+                              Content-Security-Policy: default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'
+                                git.coresecret.dev; frame-src 'self'; frame-ancestors 'self'; img-src 'self' data: https://badges.coresecret.dev
+                                https://uml.coresecret.dev; manifest-src 'self' data:; media-src 'self' data: https://badges.coresecret.dev
                                 https://uml.coresecret.dev; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; base-uri 'none';
                               Expect-CT: max-age=86400, enforce
                               Permissions-Policy: interest-cohort=()
@@ -258,7 +258,7 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
  FREAK (CVE-2015-0204)                     not vulnerable (OK)
  DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                            make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
-                                           https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=76B6FFCE607D8514F676C286C7C76B90F5B7AE7D041631F2EF2F0079AF8D24AC
+                                           https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=565271C2C74AF9EF5F0DCA16453A643C13E43CBD5B87AB82A622E929C48C8B7B
  LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
  BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
  LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
@@ -309,7 +309,7 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
 
  Rating (experimental)
 
- Rating specs (not complete)  SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)
+ Rating specs (not complete)  SSL Labs's 'SSL Server Rating Guide' (version 2009r from 2025-05-16)
  Specification documentation  https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
  Protocol Support (weighted)  100 (30)
  Key Exchange     (weighted)  100 (30)
@@ -317,7 +317,7 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
  Final Score                  100
  Overall Grade                A+
 
- Done 2025-06-23 18:00:16 [  99s] -->> 152.53.110.40:443 (git.coresecret.dev) <<--
+ Done 2025-09-28 16:13:50 [  95s] -->> 152.53.110.40:443 (git.coresecret.dev) <<--
 ````
 
 ---

docs/BOOTPARAMS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.048.2025.10.06<br>
 
 # 2. Hardened Kernel Boot Parameters
 

docs/CHANGELOG.md

@@ -8,10 +8,22 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.048.2025.10.06<br>
 
 # 2. Changelog
 
+## V8.13.048.2025.10.06
+* **Updated**: Debian 13 LIVE ISO workflows to use Kernel: ``6.16.3+deb13-amd64``
+* **Updated**: Debian 13 LIVE ISO workflows to use argument: ``--cdi``
+* **Updated**: [9000-cdi-starter](../scripts/9000-cdi-starter)
+* **Removed**: [1024_git_clone_ciss_debian_installer.chroot](../.archive/1024_git_clone_ciss_debian_installer.chroot)
+
+## V8.13.032.2025.10.03
+* **Added**: Internal Gitea Action Runner switch for static SSHFP records.
+
+## V8.13.016.2025.09.28
+* **Updated**: Debian 13 LIVE ISO workflows to use Kernel: ``6.12.48+deb13-amd64``
+
 ## V8.13.008.2025.08.22
 * **Removed**: [0003_install_backports.chroot](../.archive/0003_install_backports.chroot)
 

docs/CNET.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.048.2025.10.06<br>
 
 # 2. Centurion Net - Developer Branch Overview
 

docs/CODING_CONVENTION.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.048.2025.10.06<br>
 
 # 2. Coding Style
 

docs/CONTRIBUTING.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.048.2025.10.06<br>
 
 # 2. Contributing / participating
 

docs/CREDITS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.048.2025.10.06<br>
 
 # 2. Credits
 

docs/DL_PUB_ISO.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.048.2025.10.06<br>
 
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
 

docs/DOCUMENTATION.md

@@ -8,12 +8,12 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.048.2025.10.06<br>
 
 # 2.1. Usage
 ````text
 CISS.debian.live.builder
-Master V8.13.008.2025.08.22
+Master V8.13.048.2025.10.06
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 
 (c) Marc S. Weidner, 2018 - 2025
@@ -136,7 +136,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
 # 2.2. Contact
 ````text
 CISS.debian.live.builder
-Master V8.13.008.2025.08.22
+Master V8.13.048.2025.10.06
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 
 (c) Marc S. Weidner, 2018 - 2025

docs/REFERENCES.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.008.2025.08.22<br>
+**Build**: V8.13.048.2025.10.06<br>
 
 # 2. Resources
 

lib/lib_arg_parser.sh

@@ -17,22 +17,6 @@ guard_sourcing
 # Globals:
 #   ARY_HANDLER_JUMPHOST
 #   ARY_HANDLER_NETCUP_IPV6
-#   ERR_ARG_MSMTCH
-#   ERR_CONTROL_CT
-#   ERR_MISS_PWD_F
-#   ERR_MISS_PWD_P
-#   ERR_NOTABSPATH
-#   ERR_OWNS_PWD_F
-#   ERR_PASS_LENGH
-#   ERR_PASS_PLICY
-#   ERR_REIONICE_P
-#   ERR_REIO_C_VAL
-#   ERR_REIO_P_VAL
-#   ERR_RENICE_PRI
-#   ERR_RGHT_PWD_F
-#   ERR_SPLASH_PNG
-#   ERR_UNCRITICAL
-#   ERR__SSH__PORT
 #   VAR_ARCHITECTURE
 #   VAR_BUILD_LOG
 #   VAR_EARLY_DEBUG
@@ -49,14 +33,35 @@ guard_sourcing
 #   VAR_ISO8601
 #   VAR_REIONICE_CLASS
 #   VAR_REIONICE_PRIORITY
+#   VAR_SSHFP
 #   VAR_SSHPORT
 #   VAR_SSHPUBKEY
+#   VAR_SUITE
 # Arguments:
 #   None
+# Returns:
+#   0: on success
+#   ERR_ARG_MSMTCH: on failure
+#   ERR_CONTROL_CT: on failure
+#   ERR_MISS_PWD_F: on failure
+#   ERR_MISS_PWD_P: on failure
+#   ERR_NOTABSPATH: on failure
+#   ERR_OWNS_PWD_F: on failure
+#   ERR_PASS_LENGH: on failure
+#   ERR_PASS_PLICY: on failure
+#   ERR_REIONICE_P: on failure
+#   ERR_REIO_C_VAL: on failure
+#   ERR_REIO_P_VAL: on failure
+#   ERR_RENICE_PRI: on failure
+#   ERR_RGHT_PWD_F: on failure
+#   ERR_SPLASH_PNG: on failure
+#   ERR__SSH__PORT: on failure
 #######################################
 arg_parser() {
   while [[ $# -gt 0 ]]; do
+
     declare argument="${1}"
+
       case "${argument,,}" in
 
         -a=* | --autobuild=*)
@@ -95,6 +100,7 @@ arg_parser() {
 
         --architecture)
           if [[ "${2}" == "amd64" || "${2}" == "arm64" ]]; then
+            # shellcheck disable=SC2034
             declare -gx VAR_ARCHITECTURE="${2}"
             shift 2
           else
@@ -124,12 +130,14 @@ arg_parser() {
             read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
             exit "${ERR_ARG_MSMTCH}"
           fi
-          declare -g VAR_HANDLER_CDI=true
+          # shellcheck disable=SC2034
+          declare -g VAR_HANDLER_CDI="true"
           shift 1
           ;;
 
         --change-splash )
           if [[ "${2}" == "club" || "${2}" == "hexagon" ]]; then
+            # shellcheck disable=SC2034
             declare -g VAR_HANDLER_SPLASH="${2}"
             shift 2
           else
@@ -143,6 +151,7 @@ arg_parser() {
 
         --control)
           if [[ -n "${2-}" ]]; then
+            # shellcheck disable=SC2034
             declare -g VAR_HANDLER_ISO_COUNTER="${2}"
             shift 2
           else
@@ -171,6 +180,7 @@ arg_parser() {
             read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
             exit "${ERR_ARG_MSMTCH}"
           fi
+          # shellcheck disable=SC2034
           declare -gi VAR_HANDLER_DHCP=1
           shift 1
           ;;
@@ -180,6 +190,7 @@ arg_parser() {
             declare -i count=0
             shift
             while [[ "${#}" -gt 0 && "${1}" != -* && count -lt 10 ]]; do
+              # shellcheck disable=SC2034
               declare -g ARY_HANDLER_JUMPHOST+=("$1")
               count=$((count + 1))
               shift
@@ -202,6 +213,7 @@ arg_parser() {
             read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
             exit "${ERR_ARG_MSMTCH}"
           fi
+          # shellcheck disable=SC2034
           declare -gi VAR_HANDLER_STA=1
           shift 1
           ;;
@@ -209,10 +221,12 @@ arg_parser() {
         --provider-netcup-ipv6)
           if [[ -n "${2-}" && "${2}" != -* ]]; then
             declare -i count=0
-            declare -g VAR_HANDLER_NETCUP_IPV6=true
+            # shellcheck disable=SC2034
+            declare -g VAR_HANDLER_NETCUP_IPV6="true"
             shift
             while [[ "${#}" -gt 0 && "${1}" != -* && count -lt 1 ]]; do
               declare cleaned="${1//[\[\]]/}"
+              # shellcheck disable=SC2034
               declare -g ARY_HANDLER_NETCUP_IPV6+=("${cleaned}")
               count=$((count + 1))
               shift
@@ -230,6 +244,7 @@ arg_parser() {
 
         --renice-priority)
           if [[ -n ${2-} && ${2} =~ ^-?[0-9]+$ && ${2} -ge -19 && ${2} -le 19 ]]; then
+            # shellcheck disable=SC2034
             VAR_HANDLER_PRIORITY="$2"
             shift 2
           else
@@ -249,6 +264,7 @@ arg_parser() {
             exit "${ERR_REIONICE_P}"
           else
             if [[ "${2}" =~ ^[1-3]$ ]]; then
+              # shellcheck disable=SC2034
               VAR_REIONICE_CLASS="${2}"
               if [[ -z "${3-}" ]]; then
                 :
@@ -359,6 +375,7 @@ arg_parser() {
           hash_temp=$(mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608 "${plaintext_pw}")
           [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
 
+          # shellcheck disable=SC2034
           declare -g VAR_HASHED_PWD="${hash_temp}"
           unset hash_temp plaintext_pw
 
@@ -375,6 +392,7 @@ arg_parser() {
 
         --ssh-port)
           if [[ -n "${2-}" && "${2}" =~ ^-?[0-9]+$ && "${2}" -ge 1 && "${2}" -le 65535 ]]; then
+            # shellcheck disable=SC2034
             declare -gi VAR_SSHPORT="${2}"
             shift 2
           else
@@ -385,12 +403,20 @@ arg_parser() {
           fi
           ;;
 
+        --sshfp)
+        # shellcheck disable=SC2034
+          declare -g VAR_SSHFP="true"
+          shift 1
+          ;;
+
         --ssh-pubkey)
+        # shellcheck disable=SC2034
           declare -g VAR_SSHPUBKEY="${2}"
           shift 2
           ;;
 
         --trixie)
+        # shellcheck disable=SC2034
           declare -g VAR_SUITE="trixie"
           shift 1
           ;;
@@ -400,6 +426,12 @@ arg_parser() {
           usage
           ;;
     esac
+
   done
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f arg_parser
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_arg_priority_check.sh

@@ -20,33 +20,53 @@ guard_sourcing
 #   VAR_REIONICE_PRIORITY
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 arg_priority_check() {
   declare var
+
   ### Check if nice PRIORITY is set and adjust nice priority.
   if [[  "${VAR_HANDLER_PRIORITY:-}" -ne 0 ]]; then
+
     if command -v renice >/dev/null; then
+
       renice "${VAR_HANDLER_PRIORITY}" -p "$$"
       var=$(ps -o ni= -p $$) > /dev/null 2>&1
       printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New renice value: %s\e[0m\n" "${var}"
       # sleep 1
       unset var
+
     else
+
       printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ renice not installed (util-linux) \e[0m\n"
+
     fi
+
   fi
 
   ### Check if ionice PRIORITY is set and adjust ionice priority.
   if [[ "${VAR_REIONICE_CLASS:-}" -ne 2 ]]; then
+
     if command -v ionice >/dev/null; then
+
       ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$"
       var=$(ionice -p $$) > /dev/null 2>&1
       printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ New ionice value: %s\e[0m\n" "${var}"
       # sleep 1
       unset var
+
     else
+
       printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ionice not installed (util-linux) \e[0m\n"
+
     fi
+
   fi
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f arg_priority_check
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_boot_screen.sh

@@ -19,6 +19,8 @@ guard_sourcing
 #   PIPE_BOOT_SCREEN
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 boot_screen() {
   clear
@@ -34,15 +36,22 @@ boot_screen() {
                 < "${PIPE_BOOT_SCREEN}" &
   declare -gr PID_BOOT_SCREEN="$!"
   exec 3> "${PIPE_BOOT_SCREEN}"
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f boot_screen
 
 #######################################
 # Boot Screen Terminal Cleaner
 # Globals:
-#   boot_screen_pid
-#   boot_screen_pipe
+#   PID_BOOT_SCREEN
+#   PIPE_BOOT_SCREEN
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 boot_screen_cleaner() {
   exec 3>&-
@@ -51,5 +60,9 @@ boot_screen_cleaner() {
   rm -f "${PIPE_BOOT_SCREEN}"
   clean_screen
   sleep 1
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f boot_screen_cleaner
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_cdi.sh

@@ -13,7 +13,7 @@
 guard_sourcing
 
 #######################################
-# CISS.2025.debian.installer GRUB and Autostart Generator
+# CISS.debian.installer 'GRUB' and 'Autostart' generator.
 # Globals:
 #   BASH_SOURCE
 #   VAR_HANDLER_BUILD_DIR
@@ -22,6 +22,8 @@ guard_sourcing
 #   VAR_WORKDIR
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 cdi() {
   printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
@@ -29,7 +31,9 @@ cdi() {
   if [[ "${VAR_HANDLER_CDI}" == "true" ]]; then
 
     if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config" ]]; then
+
       mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config"
+
     fi
 
     cp "${VAR_WORKDIR}/scripts/9000-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9000-cdi-starter"
@@ -40,7 +44,7 @@ cdi() {
     tmp_entry="$(mktemp)"
     cat << EOF >| "${tmp_entry}"
 menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i {
-        linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums live-config.components splash nopersistence toram ramdisk-size=1024M swap=true noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Europe/Lisbon audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none findiso=\${iso_path}
+        linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums live-config.components splash nopersistence toram ramdisk-size=1024M swap=true noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Etc/UTC audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none findiso=\${iso_path}
         initrd /live/initrd.img-${VAR_KERNEL}
 }
 EOF
@@ -59,6 +63,12 @@ EOF
     # shellcheck disable=SC1003
     sed -i '/#MUST_BE_REPLACED/c\\' "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg"
   fi
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successful applied. \e[0m\n" "${BASH_SOURCE[0]}"
+
+  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f cdi
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_change_splash.sh

@@ -20,20 +20,31 @@ guard_sourcing
 #   VAR_WORKDIR
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 change_splash() {
   if [[ ${VAR_HANDLER_SPLASH} == "club" ]]; then
+
     printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'club.png' selected ...\e[0m\n"
     cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
     cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
     cp -af "${VAR_WORKDIR}"/.archive/background/club.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
     printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash 'club.png' selected done. \e[0m\n"
+
   elif [[ ${VAR_HANDLER_SPLASH} == "hexagon" ]]; then
+
     printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Grub Splash 'hexagon.png' selected ...\e[0m\n"
     cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/splash.png
     cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-efi/splash.png
     cp -af "${VAR_WORKDIR}"/.archive/background/hexagon.png "${VAR_HANDLER_BUILD_DIR}"/config/bootloaders/grub-pc/splash.png
     printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Grub Splash 'hexagon.png' selected done. \e[0m\n"
+
   fi
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f change_splash
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_check_dhcp.sh

@@ -19,10 +19,17 @@ guard_sourcing
 #   VAR_WORKDIR
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 check_dhcp() {
   if [[ ${VAR_HANDLER_DHCP} -eq 1 ]]; then
-    chmod +x "${VAR_WORKDIR}"/scripts/0010_dhcp_supersede.sh && "${VAR_WORKDIR}"/scripts/0010_dhcp_supersede.sh
+    chmod +x "${VAR_WORKDIR}/scripts/0010_dhcp_supersede.sh" && "${VAR_WORKDIR}/scripts/0010_dhcp_supersede.sh"
   fi
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f check_dhcp
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_check_hooks.sh

@@ -15,10 +15,12 @@ guard_sourcing
 #######################################
 # Check and apply 0755 Permissions on every ./config/hooks/live/*.chroot file
 # Globals:
-#   ERR_UNCRITICAL
 #   VAR_WORKDIR
 # Arguments:
 #   None
+# Returns:
+#   0: on success
+#   ERR_UNCRITICAL: on failure
 #######################################
 check_hooks() {
   declare ifs
@@ -27,13 +29,23 @@ check_hooks() {
   declare -a files=("${VAR_WORKDIR}"/config/hooks/live/*.chroot)
 
   if (( ${#files[@]} == 0 )); then
+
     printf "\e[91m❌ No '*.chroot' files found in '%s/config/hooks/live'. \e[0m\n" "${VAR_WORKDIR}" >&2
     exit "${ERR_UNCRITICAL}"
+
   fi
 
-  declare file
+  declare file=""
+
   for file in "${files[@]}"; do
+
     chmod 0755 "${file}"
+
   done
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f check_hooks
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_check_kernel.sh

@@ -34,9 +34,15 @@ check_kernel() {
   declare options=""
 
   if [[ ${VAR_ARCHITECTURE} != arm64 ]]; then
+
+    # shellcheck disable=SC2312
     apt-cache search linux-image | grep linux-image | grep amd64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${VAR_KERNEL_TMP}"
+
   else
+
+    # shellcheck disable=SC2312
     apt-cache search linux-image | grep linux-image | grep arm64 | grep -v "meta-package" | grep -v "dbg" | grep -v "template" >> "${VAR_KERNEL_TMP}"
+
   fi
 
   sort --output="${VAR_KERNEL_SRT}" "${VAR_KERNEL_TMP}" || {
@@ -47,12 +53,14 @@ check_kernel() {
   }
 
     while IFS= read -r line; do
+
       first_string=${line%% *}
       name=${first_string#linux-image-}
       options+=("${name}" "${counter}" off)
       ((counter++))
     done < "${VAR_KERNEL_SRT}"
 
+
   # shellcheck disable=SC2155
   if declare -gx VAR_KERNEL=$(dialog \
                           --no-collapse \
@@ -62,13 +70,26 @@ check_kernel() {
                           --title "Select the Kernel for the CISS Hardened Debian Live Image ISO" \
                           --radiolist "Kernel available \n *+bpo*       : Debian Backported Kernel \n *cloud*      : Special lightweight images for KVM \n *unsigned*   : Unsigned Kernel \n *preempt_rt* : Special Kernel for real-time-computing \n Not unsigned marked are MS signed Kernel for Secure Boot \n" 0 0 "${options[@]}" 3>&1 1>&2 2>&3 3>&-); then
     clear
+
   else
+
     clear
+
     if [[ "${VAR_ARCHITECTURE}" == "amd64" ]]; then
+
       declare -gx VAR_KERNEL="amd64"
+
     elif [[ "${VAR_ARCHITECTURE}" == "arm64" ]]; then
+
       declare -gx VAR_KERNEL="arm64"
+
     fi
+
   fi
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f check_kernel
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_check_pkgs.sh

@@ -16,40 +16,65 @@ guard_sourcing
 # Check for required Deb Packages to run the script.
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 check_pkgs() {
-  apt-get update -y > /dev/null 2>&1
+  apt-get update > /dev/null 2>&1
 
   if [[ -z "$(command -v batcat || true)" ]]; then
+
     apt-get install -y --no-install-recommends bat
+
   fi
 
   if [[ -z "$(command -v lsb_release || true)" ]]; then
+
     apt-get install -y --no-install-recommends lsb-release
+
   fi
 
   if [[ -z "$(command -v debootstrap || true)" ]]; then
+
     if grep -RqsE '^[[:space:]]*deb .*backports' /etc/apt/sources.list /etc/apt/sources.list.d; then
+
       # shellcheck disable=SC2155
       declare codename=$(lsb_release -sc)
       apt-get install -y -t "${codename}-backports" debootstrap
+
     else
+
       apt-get install -y debootstrap
+
     fi
+
   fi
 
   if [[ ! -f /usr/share/live/build/VERSION ]]; then
+
     apt-get install -y live-build
+
   fi
 
   if [[ "${VAR_HANDLER_AUTOBUILD}" == false ]]; then
+
     if [[ -z "$(command -v dialog || true)" ]]; then
+
       apt-get install -y --no-install-recommends dialog
+
     fi
+
   fi
 
   if [[ -z "$(command -v mkpasswd || true)" ]]; then
+
     apt-get install -y --no-install-recommends whois
+
   fi
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f check_pkgs
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_check_provider.sh

@@ -13,9 +13,11 @@
 guard_sourcing
 
 #######################################
-# Notes Textbox
+# Notes Textbox.
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 check_provider() {
   clear
@@ -64,5 +66,10 @@ EOF
          --scrollbar \
          --textbox "${VAR_NOTES}" 32 128
   clear
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f check_provider
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_check_stats.sh

@@ -18,12 +18,21 @@ guard_sourcing
 #   VAR_HANDLER_STA
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 check_stats() {
   if [[ ${VAR_HANDLER_STA} -eq 1 ]]; then
+
     clear
     run_analysis
     exit 0
+
   fi
+
+  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f check_stats
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_check_var.sh

@@ -13,25 +13,38 @@
 guard_sourcing
 
 #######################################
-# Unbound Variable Check and call Trap on ERR
+# Unbound variable check and call trap on 'ERR'.
 # Globals:
 #   ERR_UNBOUNDVAR
 # Arguments:
 #   $1: VAR_NAME to check
 # Returns:
-#   "${ERR_UNBOUNDVAR}"
+#   {ERR_UNBOUNDVAR: on failure
 #######################################
 check_var() {
   declare var_name_to_check="$1"
+
   if [[ -n "${!var_name_to_check+exists}" ]]; then
+
     if [[ -n "${!var_name_to_check}" ]]; then
+
       printf "\e[92m✅ Variable: '%s' exists and is NOT empty: '%s' \e[0m\n" "${var_name_to_check}" "${!var_name_to_check}"
+
     else
+
       printf "\e[92m✅ Variable: '%s' exists but is empty. \e[0m\n" "${var_name_to_check}"
+
     fi
+
   else
+
     printf "\e[91m❌ Variable: '%s' is not declared. Exiting Script. \e[0m\n" "${var_name_to_check}" >&2
+
     return "${ERR_UNBOUNDVAR}"
+
   fi
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f check_var
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_clean_screen.sh

@@ -27,4 +27,7 @@ clean_screen() {
   #tput cup $((lines-1)) 0 > /dev/tty
   #printf "\n" > /dev/tty
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f clean_screen
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh