DEPLOY BOT : 🛡️ Shell Script Linting [skip ci]

X-CI-Metadata: master@0f85ba6 at 2025-10-24T19:04:20Z on 1429f44f78b9

Generated at : 2025-10-24T19:04:20Z
Runner Host  : 1429f44f78b9
Workflow ID  : 🛡️ Shell Script Linting
Git Commit   : 0f85ba6 HEAD -> master

.archive/.0000_lib_usage.sh

@@ -21,7 +21,7 @@ usage() {
   clear
   cat << EOF
 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.13.142.2025.10.14\e[0m")
+$(echo -e "\e[92mMaster V8.13.288.2025.10.24\e[0m")
 $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
 
 $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")

.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml

@@ -25,7 +25,7 @@ body:
     attributes:
       label: "Version"
       description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.13.142.2025.10.14"
+      placeholder: "e.g., Master V8.13.288.2025.10.24"
     validations:
       required: true
 

.gitea/TODO/dockerfile

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.288.2025.10.24
 
 FROM debian:bookworm
 

.gitea/TODO/render-md-to-html.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.288.2025.10.24
 
 name: 🔁 Render README.md to README.html.
 

.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.142.2025.10.14
+  version: V8.13.288.2025.10.24
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.142.2025.10.14
+  version: V8.13.288.2025.10.24
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PUBLIC.yaml

@@ -10,6 +10,6 @@
 # SPDX-Security-Contact: security@coresecret.eu
 
 build:
-  counter: 1023
-  version: V8.13.142.2025.10.14
+  counter: 1024
+  version: V8.13.288.2025.10.24
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_dns.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.142.2025.10.14
+  version: V8.13.288.2025.10.24
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PRIVATE_trixie_0.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.288.2025.10.24
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 
@@ -40,7 +40,7 @@ jobs:
         shell: bash
         run: |
           export DEBIAN_FRONTEND=noninteractive
-          apt-get update
+          apt-get update -qq
           apt-get upgrade -y
           apt-get install -y --no-install-recommends \
             apt-utils \

.gitea/workflows/generate_PRIVATE_trixie_1.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.288.2025.10.24
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 
@@ -40,7 +40,7 @@ jobs:
         shell: bash
         run: |
           export DEBIAN_FRONTEND=noninteractive
-          apt-get update
+          apt-get update -qq
           apt-get upgrade -y
           apt-get install -y --no-install-recommends \
             apt-utils \
@@ -152,6 +152,7 @@ jobs:
           RSA_PUB:             ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
           CISS_PRIMORDIAL:     ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
           CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
+          CISS_PHYS_AGE:       ${{ secrets.CISS_PHYS_AGE }}
         run: |
           set -Ceuo pipefail
           umask 077
@@ -162,6 +163,7 @@ jobs:
           OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
           ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
           ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
+          SOPS="${REPO_ROOT}/config/hooks/live/0860_sops.chroot"
 
           if [[ ! -f "${TPL}" ]]; then
             echo "Template not found: ${TPL}"
@@ -177,6 +179,7 @@ jobs:
           export RSA_PUB="${RSA_PUB//$'\r'/}"
           export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
           export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
+          export CISS_PHYS_AGE="${CISS_PHYS_AGE//$'\r'/}"
 
           (
           cat << EOF >| "${ID_OUT}"
@@ -212,6 +215,16 @@ jobs:
           ' "${TPL}" > "${OUT}"
 
           chmod 0755 "${OUT}"
+
+          perl -0777 -i -pe '
+            BEGIN {
+              our $age = $ENV{CISS_PHYS_AGE} // q{};
+            }
+            s/\{\{\s*secrets\.CISS_PHYS_AGE\s*\}\}/$age/g;
+          ' -- "${SOPS}"
+
+          chmod 0755 "${SOPS}"
+
           echo "Hook rendered: ${OUT}"
 
       - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...

.gitea/workflows/generate_PUBLIC_iso.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.288.2025.10.24
 
 name: 💙 Generating a PUBLIC Live ISO.
 
@@ -40,7 +40,7 @@ jobs:
         shell: bash
         run: |
           export DEBIAN_FRONTEND=noninteractive
-          apt-get update
+          apt-get update -qq
           apt-get upgrade -y
           apt-get install -y --no-install-recommends \
             apt-utils \

.gitea/workflows/linter_char_scripts.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.288.2025.10.24
 
 # Gitea Workflow: Shell-Script Linting
 #

.gitea/workflows/render-dnssec-status.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.288.2025.10.24
 
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
 

.gitea/workflows/render-dot-to-png.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.288.2025.10.24
 
 name: 🔁 Render Graphviz Diagrams.
 

.version.properties

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.142.2025.10.14"
+properties_version="V8.13.288.2025.10.24"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

CISS.debian.live.builder.spdx

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.142.2025.10.14
+PackageVersion: Master V8.13.288.2025.10.24
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder

LINTER_RESULTS.txt

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-14; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-24; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,8 +9,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-10-14T19:37:03Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-10-24T19:04:18Z"
 
-⚠️ The last linter check was NOT successful. ⚠️
+✅ The last linter check was successful. ✅
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO.public

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-14; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-24; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-10-14T22:23:27Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-10-24T14:50:31Z"
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_10_14T21_30_07Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_10_24T13_56_21Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  442037d11eb48f4adbd1a3da17cf36062ec6be816627c38fe814458840020f212c551b96d5e785c4372fa09fc11fd9529f34166530b1e1f5ce9335abadb5f771
+  036a1004fee05962610c6e604510bc5293aecf56ddca6cde311179f4b437f6d1d474c6deaca0189de5bea80186068ac82de17b9814fbd6ab2e9ed54e47f3de8f
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaO7NXwAKCRA85KY4hzOw
-IT3LAP4uP8glLMDEpUntKJQTiPqSYjGUyIFoKmsgALGPJcnnoQD/fcz4Mq12mF32
-jf4ETKQBqlxuQyLTPvPFhLsrBbDD0AI=
-=/UNR
+iHQEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaPuSNwAKCRA85KY4hzOw
+IXoDAP9cfoBONoT0ckPEZS7Ny/4l3hLGW4hKcJYz/bTJLy9MkAD468vyMLOwI9yM
+ipWXHva/2ghh0CqBXzuR+QfSRToABg==
+=8+N2
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_TRIXIE_0.private

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-14; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-24; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-10-14T20:32:28Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-10-24T10:55:59Z"
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_10_14T19_36_59Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_10_24T09_59_04Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  57559f9b9c5e50dad6a5b2023d992c26b8f4d25dd0d45ffa5cfd479ee623287e2c2eead70016267b848c5910db5ba5c4e2dfeeb12cca6f59fe455dad886c51d9
+  b94678cc36ce57c9654d45d5906e9007a68a80315feacdc000863a28a5a349778c90e5ca714dfb0e0821c9aacb004174989cc841eac0a0c33eda08a9443f2a8a
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaO6zXAAKCRA85KY4hzOw
-Idq2AQDRmgHRGnX1bn+cNV5JirecSke0IAwlAjEXOl4tFoQlewEA0s2R1A3OQjIq
-fAhdl2wltVNT5+jUg6EUj3FE3kVPaQo=
-=fmxg
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaPtbPwAKCRA85KY4hzOw
+IbPnAP4ne99rPOalQAI9hyNzUz6DDTlm8MAmdwnBXILW74E72AD/WYE6s9iPrcir
+5Cfw8hZfrbVZ9zn7j6iSyjYE0dzxNQ0=
+=qsi8
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_TRIXIE_1.private

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-14; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-24; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-10-14T21:28:34Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-10-24T13:54:56Z"
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_10_14T20_33_51Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_10_24T13_00_25Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  4a47a1ed0986b67774047b2bfc6fdd53753fa8f301f8376b23ccde1f5187aeffbca7fce3194a3d7b61278630291a1d2d954a289da712c064326eb6b7020c228c
+  4116e79492aff727ab922e6930eadecb40e9ac581cd518ec4fd8fbeecc9bec236fa70a96c3d7b371347246f6a037413a53dc61821b9c8f5a131cb28fa7257871
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaO7AggAKCRA85KY4hzOw
-IWpdAP4xCxUP4V0lOBE1u7+wEOoEmXiRC10Va4Hf2UXjH1BSVwEAsz/cMaGt+rJT
-q0i+5EftPavvIst48aXQsp7QKjyNewM=
-=x3/T
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaPuFMAAKCRA85KY4hzOw
+IVhjAP9+anGqL2AmV2s2BI1kIKyVHMCv4tPrFfyn7BZGaVcIOgD/SBXKuG6C2qp4
+viYBma9iYdBDPZtrs5e1h9hF5BBC4Ac=
+=UZZn
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

README.md

@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.142.2025.10.14-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.288.2025.10.24-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
  
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)  
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)  
@@ -26,7 +26,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.142.2025.10.14<br>
+**Build**: V8.13.288.2025.10.24<br>
 
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -151,7 +151,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
 
-Example: `V8.13.142.2025.10.14`
+Example: `V8.13.288.2025.10.24`
 
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
 
@@ -290,7 +290,7 @@ apply or revert these controls.
 * **Description**: The SSH tunnel and access are secured through multiple layers of defense:
   * **Firewall Restriction**: ufw allows connections only from defined jump host or VPN exit node IPs.
   * **TCP Wrappers**: `/etc/hosts.allow` and `/etc/hosts.deny` enforce an `ALL: ALL` deny policy, permitting only specified hosts.
-  * **One-Hit Ban**: A custom Fail2Ban rule `/etc/fail2ban/jail.d/centurion-default.conf` immediately bans any host 
+  * **One-Hit Ban**: A custom Fail2Ban rule `/etc/fail2ban/jail.d/ciss-default.conf` immediately bans any host 
     that touches closed ports. 
     * Additionally, the `fail2ban` service is hardened as well according to:
     [Arch Linux Wiki Fail2ban Hardening](https://wiki.archlinux.org/title/fail2ban#Service_hardening) 

REPOSITORY.md

@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.142.2025.10.14<br>
+**Build**: V8.13.288.2025.10.24<br>
 
 # 2.1. Repository Structure
 
 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **8.13**, Build **V8.13.142.2025.10.14** (as of 2025-10-11)
+**Repository State:** Master Version **8.13**, Build **V8.13.288.2025.10.24** (as of 2025-10-11)
 
 ## 2.2. Top-Level Layout
 
@@ -69,7 +69,7 @@ CISS.debian.live.builder/
 
 ### 2.3.2. `config/` — Live-Build Configuration
 - **`bootloaders/`**: Boot assets for GRUB in EFI and PC modes, incl. a branded splash image.
-- **`hooks/live/`**: **Ordered** `*.chroot` hooks implementing system configuration and hardening during image creation; the numeric prefixes dictate execution (e.g., `0000_basic_chroot_setup.chroot`, `0810_chrony_setup.chroot`, `0900_ufw_setup.chroot`, `9930_hardening_ssh.chroot`, `9950_fail2ban_hardening.chroot`).
+- **`hooks/live/`**: **Ordered** `*.chroot` hooks implementing system configuration and hardening during image creation; the numeric prefixes dictate execution (e.g., `0000_basic_chroot_setup.chroot`, `0810_chrony_setup.chroot`, `0900_ufw_setup.chroot`, `9930_hardening_ssh.chroot`, `9950_hardening_fail2ban.chroot`).
 - **`includes.binary/boot/grub/`**: Static GRUB configuration embedded in the binary image (`config.cfg`).
 - **`includes.chroot/`**: Files copied into the live system’s root:
   - `etc/` (APT configuration, `live/`, `modprobe.d/`, network, SSH, `sysctl.d/`, systemd drop-ins, banners),

config/hooks/live/0000_basic_chroot_setup.chroot

@@ -13,8 +13,183 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
+#######################################
+# Generates '/etc/default/ciss-xdg-profile'
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+generate_ciss_xdg_profile() {
+  cat << 'EOF' >> /etc/default/ciss-xdg-profile
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Default toggles for ciss-xdg-profile
+# 1 = enable, 0 = disable
+
+ENABLE_XDG_BASH_HISTORY=1
+ENABLE_XDG_LESS_HISTORY=1
+ENABLE_XDG_ZSH_HISTORY=1
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+  chmod 0644 /etc/default/ciss-xdg-profile
+
+  return 0
+}
+
+#######################################
+# Generates '/etc/profile.d/ciss-xdg.sh'
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+generate_ciss_xdg_sh() {
+  cat << 'EOF' >> /etc/profile.d/ciss-xdg.sh
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# shellcheck shell=sh
+
+# This file is sourced by login shells via '/etc/profile'. Keep POSIX sh compatible.
+
+### XDG variables (do not override if already set).
+export XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
+export XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
+export XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
+export XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
+export XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
+export XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
+
+### XDG_RUNTIME_DIR is provided by systemd-logind; do not set a persistent path.
+# shellcheck disable=SC2312
+if [ -z "${XDG_RUNTIME_DIR:-}" ] && [ -d "/run/user/$(id -u)" ]; then
+  # shellcheck disable=SC2155
+  export XDG_RUNTIME_DIR="/run/user/$(id -u)"
+fi
+
+### Create canonical directories idempotently with 0700.
+_xdg_umask="$(umask)"
+umask 077
+[ -d "${XDG_CONFIG_HOME}"     ] || install -d -m 0700 -- "${XDG_CONFIG_HOME}"
+[ -d "${XDG_DATA_HOME}"       ] || install -d -m 0700 -- "${XDG_DATA_HOME}"
+[ -d "${XDG_CACHE_HOME}"      ] || install -d -m 0700 -- "${XDG_CACHE_HOME}"
+[ -d "${XDG_STATE_HOME}"      ] || install -d -m 0700 -- "${XDG_STATE_HOME}"
+umask "${_xdg_umask}"
+unset _xdg_umask
+
+### Optional migrations (controlled via /'etc/default/ciss-xdg-profile').
+[ -f /etc/default/ciss-xdg-profile ] && . /etc/default/ciss-xdg-profile
+
+### Bash history -> XDG_STATE_HOME (only if running bash).
+if [ "${ENABLE_XDG_BASH_HISTORY:-1}" = "1" ] && [ -n "${BASH_VERSION:-}" ]; then
+  [ -d "${XDG_STATE_HOME}/bash" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/bash"
+  export HISTFILE="${XDG_STATE_HOME}/bash/history"
+fi
+
+### Less history -> XDG_STATE_HOME
+if [ "${ENABLE_XDG_LESS_HISTORY:-1}" = "1" ]; then
+  [ -d "${XDG_STATE_HOME}/less" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/less"
+  export LESSHISTFILE="${XDG_STATE_HOME}/less/history"
+fi
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+  chmod 0755 /etc/profile.d/ciss-xdg.sh
+
+  return 0
+}
+
+#######################################
+# Generates '/root/ciss_xdg_tmp.sh'
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+generate_ciss_xdg_tmp_sh() {
+  cat << 'EOF' >> /root/ciss_xdg_tmp.sh
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+### XDG variables (do not override if already set).
+
+set -a
+
+# shellcheck disable=SC2034
+XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
+# shellcheck disable=SC2034
+XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
+# shellcheck disable=SC2034
+XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
+# shellcheck disable=SC2034
+XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
+# shellcheck disable=SC2034
+XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
+# shellcheck disable=SC2034
+XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
+
+### Optional migrations (controlled via /etc/default/ciss-xdg-profile).
+[[ -f /etc/default/ciss-xdg-profile ]] && . /etc/default/ciss-xdg-profile
+
+### Bash history -> XDG_STATE_HOME (only if running bash).
+if [[ "${ENABLE_XDG_BASH_HISTORY:-1}" = "1" ]] && [[ -n "${BASH_VERSION:-}" ]]; then
+  HISTFILE="${XDG_STATE_HOME}/bash/history"
+fi
+
+set +a
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+  chmod 0700 /root/ciss_xdg_tmp.sh
+
+  return 0
+}
+
+generate_ciss_xdg_profile
+generate_ciss_xdg_sh
+generate_ciss_xdg_tmp_sh
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 apt-get update -qq
+apt-get install -y --no-install-suggests libpam-systemd amd64-microcode intel-microcode
 
 mkdir -p /root/.ciss/dlb/{backup,log}
 chmod 0700 /root/.ciss/dlb/{backup,log}

config/hooks/live/0001_initramfs_modules.chroot

@@ -53,6 +53,7 @@ grep_nic_driver_modules() {
   return 0
 }
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 apt-get install -y intel-microcode amd64-microcode
 
@@ -82,19 +83,10 @@ cat << EOF >| /etc/initramfs-tools/modules
 # raid1
 # sd_mod
 
-### Load AppArmor early:
+### AppArmor -------------------------------------------------------------------------------------------------------------------
 apparmor
 
-### Entropy source for '/dev/random':
-jitterentropy_rng
-rng_core
-
-### Live-ISO-Stack:
-loop
-squashfs
-overlay
-
-### Main btrfs-Stack:
+### btrfs ----------------------------------------------------------------------------------------------------------------------
 btrfs
 lzo
 xor
@@ -102,28 +94,7 @@ xxhash
 zstd
 zstd_compress
 
-### Main ext4-Stack:
-ext4
-jbd2
-libcrc32c
-
-### Main VFAT/ESP/FAT/UEFI-Stack:
-exfat
-fat
-nls_ascii
-nls_cp437
-nls_iso8859-1
-nls_iso8859-15
-nls_utf8
-vfat
-
-### Device mapper, encryption & integrity:
-dm_mod
-dm_crypt
-dm_integrity
-dm_verity
-
-### Main cryptography-Stack:
+### cryptography ---------------------------------------------------------------------------------------------------------------
 aes_generic
 blake2b_generic
 crc32c_generic
@@ -133,16 +104,67 @@ sha256_generic
 sha512_generic
 xts
 
-### QEMU Bochs-compatible virtual machine support:
+### cryptsetup -----------------------------------------------------------------------------------------------------------------
+dm_mod
+dm_crypt
+dm_integrity
+dm_verity
+
+### Entropy --------------------------------------------------------------------------------------------------------------------
+jitterentropy_rng
+rng_core
+
+### ESP/FAT/UEFI ---------------------------------------------------------------------------------------------------------------
+exfat
+fat
+vfat
+
+### ext4 -----------------------------------------------------------------------------------------------------------------------
+ext4
+jbd2
+libcrc32c
+
+### Live-ISO -------------------------------------------------------------------------------------------------------------------
+loop
+squashfs
+overlay
+
+#### nftables ------------------------------------------------------------------------------------------------------------------
+#nf_log_common  # built-in
+#nft_counter    # built-in
+#nft_icmp       # built-in
+#nft_icmpv6     # built-in
+#nft_meta       # built-in
+#nft_set_hash   # built-in
+#nft_set_rbtree # built-in
+#nft_tcp        # built-in
+#nft_udp        # built-in
+nf_conntrack
+nf_nat
+nf_reject_ipv4
+nf_reject_ipv6
+nf_tables
+nft_ct
+nft_limit
+nft_log
+nft_masq
+nft_nat
+nft_reject_inet
+nfnetlink
+nfnetlink_log
+
+### NVMe -----------------------------------------------------------------------------------------------------------------------
+nvme
+nvme_core
+
+### QEMU -----------------------------------------------------------------------------------------------------------------------
 bochs
 
-### RAID6 parity generation module:
+### RAID -----------------------------------------------------------------------------------------------------------------------
+raid456
 raid6_pq
 
-### Combined RAID4/5/6 support module:
-raid456
-
-### SCSI/SATA-Stack:
+### SCSI/SATA ------------------------------------------------------------------------------------------------------------------
 sd_mod
 sr_mod
 sg
@@ -153,11 +175,7 @@ libata
 scsi_mod
 scsi_dh_alua
 
-### NVMe-Stack:
-nvme
-nvme_core
-
-### USB-Stack:
+### USB ------------------------------------------------------------------------------------------------------------------------
 xhci_pci
 xhci_hcd
 ehci_pci
@@ -166,14 +184,14 @@ uhci_hcd
 usb_storage
 uas
 
-### Virtual-Machines-Stack:
-virtio_pci
+### Virtual --------------------------------------------------------------------------------------------------------------------
 virtio_blk
-virtio_scsi
-virtio_rng
 virtio_console
+virtio_pci
+virtio_rng
+virtio_scsi
 
-### Network Driver Host-machine:
+### Network Driver Host-machine ------------------------------------------------------------------------------------------------
 "${nic_driver}"
 
 EOF

config/hooks/live/0007_update_logrotate.chroot

@@ -0,0 +1,77 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+
+rm -f         "/etc/logrotate.conf"
+cat << EOF >| "/etc/logrotate.conf"
+# See "man logrotate" for details. Global options do not affect preceding include directives.
+
+# Rotate log files daily
+daily
+
+# Keep 384 daily worth of backlogs.
+rotate 384
+
+# Hard cap: delete rotated logs older than 384 days.
+maxage 384
+
+# Do not rotate the log if it is empty (this overrides the ifempty option).
+notifempty
+
+# Create new (empty) log files after rotating old ones.
+create
+
+# Use date as a suffix of the rotated file.
+dateext
+
+# Use yesterday's instead of today's date to create the dateext extension, so that the rotated log file has a date in its name
+# that is the same as the timestamps within it.
+dateyesterday
+
+# Enable compression
+compress
+
+# Use zstd instead of gzip.
+compresscmd /usr/bin/zstd
+
+# File extension for compressed logs.
+compressext .zst
+
+# Set zstd level 3 (default).
+compressoptions -20
+
+# How to decompress for 'logrotate -d' or similar.
+uncompresscmd /usr/bin/unzstd
+
+# Keep the most recent rotation uncompressed for one cycle.
+delaycompress
+
+# Delete log files using shred -u instead of unlink().
+shred
+
+# packages drop log rotation information into this directory
+include /etc/logrotate.d
+
+# system-specific logs may also be configured here.
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0010_install_apparmor.chroot

@@ -13,6 +13,7 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 apt-get install -y --no-install-recommends apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra
 

config/hooks/live/0080_keyboard_layout.chroot

@@ -21,6 +21,8 @@ XKBOPTIONS=""
 BACKSPACE="guess"
 EOF
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
 dpkg-reconfigure -f noninteractive keyboard-configuration
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

config/hooks/live/0090_jitterentropy.chroot

@@ -13,18 +13,20 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
-apt-get install -y --no-install-recommends haveged
+apt-get install -y --no-install-recommends jitterentropy-rngd
 
 cd /root
-cat << 'EOF' >| /etc/default/haveged
-# Configuration file for haveged
 
-# Options to pass to haveged:
-DAEMON_ARGS="-w 2048 -v 1"
+mkdir -p /etc/systemd/system/jitterentropy-rngd.service.d
+
+cat << 'EOF' >> /etc/systemd/system/jitterentropy-rngd.service.d/override.conf
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/jitterentropy-rngd --osr=2
 EOF
 
-
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0

config/hooks/live/0120_set_hostname.chroot

@@ -12,7 +12,6 @@
 set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 mv /etc/hostname /root/.ciss/dlb/backup/hostname.bak
 mv /etc/mailname /root/.ciss/dlb/backup/mailname.bak
@@ -28,7 +27,6 @@ localhost.local
 EOF
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0130_machineid.chroot

@@ -12,7 +12,6 @@
 set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 cd /root
 if [[ -f /var/lib/dbus/machine-id ]]; then
@@ -22,7 +21,7 @@ fi
 cat << 'EOF' >| /var/lib/dbus/machine-id
 b08dfa6083e7567a1921a715000001fb
 EOF
-chmod 644 /var/lib/dbus/machine-id
+chmod 0644 /var/lib/dbus/machine-id
 
 if [[ -f /etc/machine-id ]]; then
   rm /etc/machine-id
@@ -34,7 +33,6 @@ EOF
 chmod 644 /etc/machine-id
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0400_eza_install.chroot

@@ -23,8 +23,9 @@ wget -qO- https://raw.githubusercontent.com/eza-community/eza/main/deb.asc | gpg
 echo "deb [signed-by=/etc/apt/keyrings/gierens.gpg] http://deb.gierens.de stable main" | tee /etc/apt/sources.list.d/gierens.list
 chmod 644 /etc/apt/keyrings/gierens.gpg /etc/apt/sources.list.d/gierens.list
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
-apt-get update
+apt-get update -qq
 apt-get install -y eza
 
 git clone https://github.com/eza-community/eza-themes.git

config/hooks/live/0800_lynis_setup.chroot

@@ -16,8 +16,9 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
 echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
-apt-get update
+apt-get update -qq
 apt-get install -y lynis
 lynis show version
 

config/hooks/live/0810_chrony_setup.chroot

@@ -15,6 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 
 mkdir -p /var/log/chrony
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export TZ="Etc/UTC"
 
@@ -50,13 +51,13 @@ log tracking measurements statistics
 
 authselectmode require
 
-server ntp.ripe.net      iburst nts minpoll 5 maxpoll 9
+# server ntp.ripe.net      iburst nts minpoll 5 maxpoll 9
 server ptbtime3.ptb.de   iburst nts minpoll 5 maxpoll 9
 server ptbtime2.ptb.de   iburst nts minpoll 5 maxpoll 9
 server ptbtime1.ptb.de   iburst nts minpoll 5 maxpoll 9
-server ntp13.metas.ch    iburst nts minpoll 5 maxpoll 9
-server time-c-b.nist.gov iburst nts minpoll 5 maxpoll 9
-server sth1.ntp.se       iburst nts minpoll 5 maxpoll 9
+# server ntp13.metas.ch    iburst nts minpoll 5 maxpoll 9
+# server time-c-b.nist.gov iburst nts minpoll 5 maxpoll 9
+# server sth1.ntp.se       iburst nts minpoll 5 maxpoll 9
 server ntp0.fau.de       iburst nts minpoll 5 maxpoll 9
 
 leapsectz right/UTC
@@ -110,6 +111,8 @@ if [[ -e /usr/share/zoneinfo/right/UTC ]]; then
 
 fi
 
+chronyd -Q -f /etc/chrony/chrony.conf 2>&1
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0

config/hooks/live/0822_ssh_restart_hook.chroot

@@ -20,7 +20,7 @@ cat << 'EOF' >| "${target_script}"
 @reboot root /usr/local/bin/restart-ssh.sh
 EOF
 
-chmod 0644 "${target_script}"
+chmod 0444 "${target_script}"
 
 cat << 'EOF' >| /usr/local/bin/restart-ssh.sh
 #!/bin/bash

config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot

@@ -13,6 +13,7 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - && \
 apt-get install -y nodejs

config/hooks/live/0845_harbian_audit.chroot

@@ -12,13 +12,11 @@
 set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 cd /root/git
 git clone https://github.com/hardenedlinux/harbian-audit.git
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0850_ssh_audit.chroot

@@ -12,13 +12,11 @@
 set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 cd /root/git
 git clone https://github.com/jtesta/ssh-audit.git
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0855_dnsviz.chroot

@@ -12,13 +12,11 @@
 set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 cd /root/git
 git clone https://github.com/dnsviz/dnsviz.git
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0860_sops.chroot

@@ -13,7 +13,8 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
-export DEBIAN_FRONTEND=noninteractive
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
 
 SOPS_VER="v3.11.0"
 ARCH="$(dpkg --print-architecture)"
@@ -47,6 +48,14 @@ rm -f "/tmp/sops-${SOPS_VER}.checksums.txt"
 rm -f "/tmp/sops-${SOPS_VER}.checksums.pem"
 rm -f "/tmp/sops-${SOPS_VER}.checksums.sig"
 
+umask 0077
+
+mkdir -p /root/.config/sops/age
+cat << 'EOF' /root/.config/sops/age/keys.txt
+{{ secrets.CISS_PHYS_AGE }}
+EOF
+chmod 0400 /root/.config/sops/age/keys.txt
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0

config/hooks/live/0900_ufw_setup.chroot

@@ -12,10 +12,9 @@
 set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1
 
 declare -r UFW_OUT_POLICY="deny"
-declare -r SSHPORT="MUST_BE_SET"
+declare -r SSHPORT="SSHPORT_MUST_BE_SET"
 
 ufw --force reset
 
@@ -51,6 +50,7 @@ if [[ ${UFW_OUT_POLICY,,} == "deny"  ]]; then
   ufw allow out  853/udp comment 'Outgoing DoQ'
 fi
 
+### Allowing ICMP IPv4 outgoing per default.
 sed -i "/# ok icmp code for FORWARD/i \# ok icmp codes for OUTPUT" /etc/ufw/before.rules
 sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT" /etc/ufw/before.rules
 sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT" /etc/ufw/before.rules
@@ -61,7 +61,6 @@ sed -i 's/^ENABLED=no/ENABLED=yes/' /etc/ufw/ufw.conf
 ln -sf /lib/systemd/system/ufw.service /etc/systemd/system/multi-user.target.wants/ufw.service
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9900_process_accounting.chroot

@@ -13,6 +13,7 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 apt-get install -y acct
 

config/hooks/live/9950_fail2ban_hardening.chroot

@@ -1,146 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-set -Ceuo pipefail
-
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-
-cd /root
-
-cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/dlb/backup/fail2ban.conf.bak
-chmod 0644 /root/.ciss/dlb/backup/fail2ban.conf.bak
-
-### https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
-sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
-
-mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/dlb/backup/defaults-debian.conf.bak
-chmod 0644 /root/.ciss/dlb/backup/defaults-debian.conf.bak
-
-cat << 'EOF' >| /etc/fail2ban/jail.d/centurion-default.conf
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
-# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-[DEFAULT]
-usedns    = yes
-# local | vpn
-ignoreip  = 127.0.0.0/8 ::1 MUST_BE_SET
-maxretry  = 8
-findtime  = 24h
-bantime   = 24h
-
-### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
-###               Jump host mistyped 1-3 times: no ban, only after four attempts          [sshd]
-
-[sshd]
-enabled   = true
-backend   = systemd
-filter    = sshd
-mode      = normal
-port      = MUST_BE_SET
-protocol  = tcp
-logpath   = /var/log/auth.log
-maxretry  = 4
-findtime  = 24h
-bantime   = 24h
-
-[sshd-refused]
-enabled   = true
-filter    = sshd-refused
-port      = MUST_BE_SET
-protocol  = tcp
-logpath   = /var/log/auth.log
-maxretry  = 1
-findtime  = 24h
-bantime   = 24h
-
-# ufw aggressive approach:
-# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...).
-# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after one attempt.
-
-[ufw]
-enabled   = true
-filter    = ufw.aggressive
-action    = iptables-allports
-logpath   = /var/log/ufw.log
-maxretry  = 1
-findtime  = 24h
-bantime   = 24h
-protocol  = tcp,udp
-
-EOF
-
-cat << EOF >| /etc/fail2ban/filter.d/ufw.aggressive.conf
-[Definition]
-failregex = ^.*UFW BLOCK.* SRC=<HOST> .*DPT=\d+ .*
-EOF
-
-cat << EOF >| /etc/fail2ban/filter.d/sshd-refused.conf
-[Definition]
-failregex = ^refused connect from \S+ \(<HOST>\)
-EOF
-
-###########################################################################################
-# Remarks: hardening of fail2ban systemd                                                  #
-###########################################################################################
-# https://wiki.archlinux.org/title/fail2ban#Service_hardening                             #
-# The CapabilityBoundingSet parameters CAP_DAC_READ_SEARCH will allow Fail2ban full read  #
-# access to every directory and file. CAP_NET_ADMIN and CAP_NET_RAW allow Fail2ban to     #
-# operate # on any firewall that has a command-line shell interface. By using             #
-# ProtectSystem=strict the filesystem hierarchy will only be read-only; ReadWritePaths    #
-# allows Fail2ban to have write access on required paths.                                 #
-###########################################################################################
-mkdir -p /etc/systemd/system/fail2ban.service.d
-mkdir /var/log/fail2ban
-
-cat << 'EOF' >| /etc/systemd/system/fail2ban.service.d/override.conf
-[Service]
-PrivateDevices=yes
-PrivateTmp=yes
-ProtectHome=read-only
-ProtectSystem=strict
-ReadWritePaths=-/var/run/fail2ban
-ReadWritePaths=-/var/lib/fail2ban
-ReadWritePaths=-/var/log/fail2ban
-ReadWritePaths=-/var/spool/postfix/maildrop
-ReadWritePaths=-/run/xtables.lock
-CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
-
-### Added by CISS.debian.live.builder
-ProtectClock=true
-ProtectHostname=true
-
-EOF
-
-cat << 'EOF' >> /etc/fail2ban/fail2ban.local
-[Definition]
-logtarget = /var/log/fail2ban/fail2ban.log
-EOF
-
-###########################################################################################
-# Remarks: Logrotate must be updated either                                               #
-###########################################################################################
-cp -a /etc/logrotate.d/fail2ban /root/.ciss/dlb/backup/fail2ban_logrotate.bak
-sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' /etc/logrotate.d/fail2ban
-touch /var/log/fail2ban/fail2ban.log
-chmod 640 /var/log/fail2ban/fail2ban.log
-
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-
-exit 0
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9950_hardening_fail2ban.chroot

@@ -0,0 +1,241 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+cd /root
+
+cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/dlb/backup/fail2ban.conf.bak
+chmod 0400 /root/.ciss/dlb/backup/fail2ban.conf.bak
+
+### https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
+sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
+
+mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/dlb/backup/defaults-debian.conf.bak
+chmod 0400 /root/.ciss/dlb/backup/defaults-debian.conf.bak
+
+cat << EOF >| /etc/fail2ban/jail.d/ciss-default.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+[DEFAULT]
+banaction             = nftables-multiport
+banaction_allports    = nftables-allports
+dbpurgeage            = 384d
+#                       127.0.0.1/8 - IPv4 loopback range (local host)
+#                       ::1/128     - IPv6 loopback
+#                       fe80::/10   - IPv6 link-local (on-link only; NDP/RA/DAD)
+#                       ff00::/8    - IPv6 multicast (not an unicast host)
+#                       ::/128      - IPv6 unspecified (all zeros; never a real peer)
+ignoreip              = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128 IGNORE_IP_MUST_BE_SET
+
+[recidive]
+enabled               = true
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
+bantime               = 8d
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 128d
+bantime.multipliers   = 1 2 4 8 16
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = recidive
+findtime              = 16d
+logpath               = /var/log/fail2ban/fail2ban.log*
+maxretry              = 3
+
+### SSH Handling:     Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
+###                   Jump host mistyped 1-3 times: no ban, only after four attempts          [sshd]
+
+[sshd]
+enabled               = true
+backend               = systemd
+bantime               = 1h
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 16d
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = sshd
+findtime              = 16m
+maxretry              = 4
+mode                  = aggressive
+port                  = PORT_MUST_BE_SET
+protocol              = tcp
+
+[sshd-refused]
+enabled               = true
+bantime               = 1h
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 16d
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = ciss-sshd-refused
+findtime              = 16m
+logpath               = /var/log/auth.log
+maxretry              = 1
+port                  = PORT_MUST_BE_SET
+protocol              = tcp
+
+#
+# CISS aggressive approach:
+# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
+# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 1 attempt.
+# There is no necessity to ping our servers excessively. Any client pinging us more than 1 times will be blocked.
+#
+
+[ufw]
+enabled               = true
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
+bantime               = 1h
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 16d
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = ciss-ufw
+findtime              = 16m
+logpath               = /var/log/ufw.log
+maxretry              = 1
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+cat << EOF >| /etc/fail2ban/filter.d/ciss-ufw.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+[Definition]
+# Match UFW BLOCK/REJECT with a source IP and *any* port field (SPT or DPT), protocol may be missing.
+failregex             = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?(?:\bDPT=\d+\b|\bSPT=\d+\b).*$
+ignoreregex           =
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-sshd-refused.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+[Definition]
+failregex = ^refused connect from \S+ \(<HOST>\)
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+###########################################################################################
+# Remarks: hardening of fail2ban systemd                                                  #
+###########################################################################################
+# https://wiki.archlinux.org/title/fail2ban#Service_hardening                             #
+# The CapabilityBoundingSet parameters CAP_DAC_READ_SEARCH will allow Fail2ban full read  #
+# access to every directory and file. CAP_NET_ADMIN and CAP_NET_RAW allow Fail2ban to     #
+# operate # on any firewall that has a command-line shell interface. By using             #
+# ProtectSystem=strict the filesystem hierarchy will only be read-only; ReadWritePaths    #
+# allows Fail2ban to have write access on required paths.                                 #
+###########################################################################################
+mkdir -p /etc/systemd/system/fail2ban.service.d
+mkdir -p /var/log/fail2ban
+
+cat << 'EOF' >| /etc/systemd/system/fail2ban.service.d/override.conf
+[Service]
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=read-only
+ProtectSystem=strict
+ReadWritePaths=-/var/run/fail2ban
+ReadWritePaths=-/var/lib/fail2ban
+ReadWritePaths=-/var/log/fail2ban
+ReadWritePaths=-/var/spool/postfix/maildrop
+ReadWritePaths=-/run/xtables.lock
+CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
+
+### Added by CISS.debian.live.builder
+ProtectClock=true
+ProtectHostname=true
+
+EOF
+
+cat << 'EOF' >> /etc/fail2ban/fail2ban.local
+[Definition]
+logtarget             = /var/log/fail2ban/fail2ban.log
+
+[Database]
+# Keep entries for at least 384 days to cover recidive findtime.
+dbpurgeage            = 384d
+EOF
+
+###########################################################################################
+# Remarks: Logrotate must be updated either                                               #
+###########################################################################################
+cp -a /etc/logrotate.d/fail2ban /root/.ciss/dlb/backup/fail2ban_logrotate.bak
+cat << EOF >| /etc/logrotate.d/fail2ban
+/var/log/fail2ban/fail2ban.log {
+    daily
+    rotate 384
+    maxage 384
+    notifempty
+    dateext
+    dateyesterday
+    compress
+    compresscmd /usr/bin/zstd
+    compressext .zst
+    compressoptions -20
+    uncompresscmd /usr/bin/unzstd
+    delaycompress
+    shred
+    missingok
+    postrotate
+        fail2ban-client flushlogs 1>/dev/null
+    endscript
+    # If fail2ban runs as non-root it still needs to have write access
+    # to logfiles.
+    # create 640 fail2ban adm
+    create 640 root adm
+}
+EOF
+
+touch /var/log/fail2ban/fail2ban.log
+chmod 0640 /var/log/fail2ban/fail2ban.log
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9970_remove_exim.chroot

@@ -13,16 +13,19 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+
 cd /etc
 
-apt-get purge exim4 exim4-base exim4-config  -y
+apt-get purge exim4 exim4-base exim4-config -y
 apt-get autoremove -y
 apt-get autoclean -y
 apt-get autopurge -y
 
 apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config
 
-apt-get update
+apt-get update -qq
 apt-get upgrade -y
 
 if [[ -d /etc/exim4 ]]; then

config/hooks/live/9980_usb_guard.chroot

@@ -13,6 +13,7 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 apt-get install -y usbguard
 

config/hooks/live/9990_final_purge.chroot

@@ -13,13 +13,15 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+
 export DEBIAN_FRONTEND="noninteractive"
 
 apt-get update -qq
 
-apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
+apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config postfix-mta-sts-resolver postfix qemu-guest-agent rmail
 
-apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
+apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config postfix-mta-sts-resolver postfix qemu-guest-agent rmail
 
 dpkg --get-selections | grep deinstall >| /tmp/deinstall.log || true
 

config/hooks/live/9993_aide.chroot

@@ -13,6 +13,7 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 apt-get install -y aide > /dev/null 2>&1
 

config/hooks/live/9996_auditd.chroot

@@ -25,6 +25,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 
 cd /root
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 apt-get install -y auditd
 
@@ -33,22 +34,39 @@ cp -u /etc/audit/auditd.conf /root/.ciss/dlb/backup/auditd.conf.bak
 cp -u /etc/audit/rules.d/audit.rules /root/.ciss/dlb/backup/rules_d_audit.rules.bak
 rm -rf /etc/audit/rules.d/audit.rules
 
-############################################################### /etc/audit/rules.d/10-base-config.rules
-cat << EOF >| /etc/audit/rules.d/10-base-config.rules
+############################################################### /etc/audit/rules.d/00-base-config.rules
+cat << EOF >| /etc/audit/rules.d/00-base-config.rules
 ## First rule - delete all
 -D
 
 ## Increase the buffers to survive stress events.
-## Make this bigger for busy systems
--b 8192
+## Make this bigger for busy systems.
+-b 16384
 
-## This determine how long to wait in burst of events
---backlog_wait_time 60000
+## Rate Limit. Cap kernel->userspace message rate (0 = unlimited).
+-r 200
 
-## Set failure mode to syslog
+## This determine how long to wait in burst of events. How long to wait in bursts (us).
+--backlog_wait_time 1024
+
+## Set failure mode to syslog.
 -f 1
 EOF
 
+############################################################### /etc/audit/rules.d/10-ciss-noise-floor.rules
+cat << EOF >| /etc/audit/rules.d/10-ciss-noise-floor.rules
+## Ignore kernel/daemon noise without a loginuid (unset = 4294967295).
+-a never,exit -F auid=4294967295
+
+## Make privileged exec tracing user-initiated only (no boot-time daemons).
+-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k exec_root
+-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k exec_root
+
+## (Optional, same principle for suid/sgid transitions).
+-a always,exit -F arch=b64 -S execve -C uid!=euid -F auid>=1000 -F auid!=-1 -k exec_suid_sgid
+-a always,exit -F arch=b32 -S execve -C uid!=euid -F auid>=1000 -F auid!=-1 -k exec_suid_sgid
+EOF
+
 ############################################################### /etc/audit/rules.d/11-loginuid.rules
 cat << EOF >| /etc/audit/rules.d/11-loginuid.rules
 --loginuid-immutable
@@ -91,6 +109,17 @@ cat << EOF >| /etc/audit/rules.d/22-ignore-chrony.rules
 -a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=_chrony
 EOF
 
+############################################################### /etc/audit/rules.d/25-ciss-exec.rules
+cat << EOF >| /etc/audit/rules.d/25-ciss-exec.rules
+## Focus on privileged exec, not every user command
+-a always,exit -F arch=b64 -S execve -F euid=0 -k exec_root
+-a always,exit -F arch=b32 -S execve -F euid=0 -k exec_root
+-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/sudo -k exec_sudo
+-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/sudo -k exec_sudo
+-a always,exit -F arch=b64 -S execve -C uid!=euid -k exec_suid_sgid
+-a always,exit -F arch=b32 -S execve -C uid!=euid -k exec_suid_sgid
+EOF
+
 ############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
 ## Unsuccessful file creation (open with O_CREAT)
@@ -108,17 +137,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
 -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 EOF
 
-############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
-## Successful file creation (open with O_CREAT)
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-EOF
-
 ############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
 ## Unsuccessful file modifications (open for write or truncate)
@@ -136,17 +154,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
 -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 EOF
 
-############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
-## Successful file modifications (open for write or truncate)
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-EOF
-
 ############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
 ## Unsuccessful file access (any other opens) This has to go last.
@@ -156,14 +163,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
 -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
 EOF
 
-############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
-## Successful file access (any other opens) This has to go last.
-## These next two are likely to result in a whole lot of events
--a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
--a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
-EOF
-
 ############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
 ## Unsuccessful file delete
@@ -173,13 +172,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
 -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
 EOF
 
-############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
-## Successful file delete
--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
-EOF
-
 ############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
 ## Unsuccessful permission change
@@ -189,13 +181,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
 -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
 EOF
 
-############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
-## Successful permission change
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
-EOF
-
 ############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
 ## Unsuccessful ownership change
@@ -205,13 +190,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
 -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
 EOF
 
-############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
-## Successful ownership change
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
--a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
-EOF
-
 ############################################################### /etc/audit/rules.d/30-ospp-v42.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42.rules
 ## The purpose of these rules is to meet the requirements for Operating

config/hooks/live/9997_debsums.chroot

@@ -15,6 +15,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 
 cd /root
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 apt-get install -y --no-install-recommends debsums
 

config/hooks/live/9998_sources_list_bookworm.chroot

@@ -55,7 +55,6 @@ deb-src https://deb.debian.org/debian/ bookworm-backports main contrib non-free
 EOF
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9998_sources_list_trixie.chroot

@@ -13,6 +13,9 @@ set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+
 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
 
@@ -121,6 +124,11 @@ Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
 EOF
 fi
 
+apt-get update -qq
+apt-get dist-upgrade -y        # (= apt full-upgrade) allow installs/replacements/removals.
+apt-get autoremove --purge -y  # 'autopurge' == 'autoremove --purge'; don't run both.
+apt-get clean -y               # Stronger than autoclean: removes the entire '.deb'-cache.
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0

config/hooks/live/9999_yyyy_logrotate.chroot

@@ -0,0 +1,62 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+### Declare Arrays, HashMaps, and Variables.
+declare -ar ary_logrotate=(
+  "alternatives"
+  "apt"
+  "btmp"
+  "chrony"
+  "clamav-daemon"
+  "clamav-freshclam"
+  "dpkg"
+  "fail2ban"
+  "rkhunter"
+  "rsnapshot"
+  "rsyslog"
+  "ufw"
+  "unattended-upgrades"
+  "usbguard"
+  "wtmp"
+)
+
+declare     var_file="" var_log=""
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive"
+
+for var_log in "${ary_logrotate[@]}"; do
+  var_file="/etc/logrotate.d/${var_log}"
+  [[ -e "${var_file}" ]] || continue
+  ### Replace leading 'monthly'/'weekly' directives with 'daily', preserving indentation and trailing comments.
+  sed -E -i \
+    -e 's/^([[:space:]]*)(monthly|weekly)([[:space:]]*)(#.*)?$/\1daily\3\4/' \
+    -e 's/^([[:space:]]*)rotate([[:space:]]+[0-9]+)?([[:space:]]*)(#.*)?$/\1rotate 384\3\4/' \
+    "${var_file}"
+done
+
+if ! logrotate -d /etc/logrotate.conf; then
+
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'logrotate -d /etc/logrotate.conf' failed. \e[0m\n"
+
+else
+
+  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'logrotate -d /etc/logrotate.conf' successful. \e[0m\n"
+
+fi
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9999_zzzz.chroot

@@ -0,0 +1,81 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+declare var_dm="" var_unit_dir="" var_link="/etc/systemd/system/default.target"
+
+### Determine the canonical systemd unit dir inside chroot.
+if [[ -d /lib/systemd/system ]]; then
+
+  var_unit_dir=/lib/systemd/system
+
+elif [[ -d /usr/lib/systemd/system ]]; then
+
+  var_unit_dir=/usr/lib/systemd/system
+
+fi
+
+### Enforce 'default.target' -> 'multi-user.target' as a symlink.
+if [[ -e "${var_link}" ]] && [[ ! -L "${var_link}" ]]; then
+
+  ### A regular file here is wrong; we remove it to avoid vendor fallback to graphical.
+  rm -f -- "${var_link}"
+
+fi
+
+if [[ ! -L "${var_link}" ]]; then
+
+  ln -s "${var_unit_dir}/multi-user.target" "${var_link}"
+
+else
+
+  ### Ensure it points to multi-user.
+  # shellcheck disable=SC2312
+  if [[ "$(readlink -f "${var_link}")" != "${var_unit_dir}/multi-user.target" ]]; then
+
+    rm -f -- "${var_link}"
+    ln -s "${var_unit_dir}/multi-user.target" "${var_link}"
+
+  fi
+
+fi
+
+### Hard-block any display manager (mask via /dev/null symlink). Include common DMs, and the generic alias:
+ary_dm_units=(
+  "display-manager.service"
+  "gdm.service"
+  "gdm3.service"
+  "sddm.service"
+  "lightdm.service"
+  "xdm.service"
+  "lxdm.service"
+  "slim.service"
+)
+
+for var_dm in "${ary_dm_units[@]}"; do
+
+  if [[ ! -L "/etc/systemd/system/${var_dm}" ]]; then
+
+    ln -s /dev/null "/etc/systemd/system/${var_dm}"
+
+  fi
+
+done
+
+rm -f /root/ciss_xdg_tmp.sh
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/includes.chroot/etc/login.defs

@@ -93,6 +93,7 @@ TTYPERM		0600
 #
 ERASECHAR	0177
 KILLCHAR	025
+UMASK 077
 
 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
 # home directories.
@@ -203,7 +204,9 @@ NONEXISTENT	/nonexistent
 USERGROUPS_ENAB yes
 
 #
-# Added by CISS.debian.live.builder for redundance
-UMASK 077
+# Added by CISS.debian.live.builder for redundancy
+UMASK 027
+SHA_CRYPT_MIN_ROUNDS 8388608
+SHA_CRYPT_MAX_ROUNDS 8388608
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

config/includes.chroot/etc/ssh/ssh_known_hosts

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.288.2025.10.24
 
 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==

config/includes.chroot/etc/ssh/sshd_config

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.288.2025.10.24
 
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -28,7 +28,7 @@ LogLevel                     VERBOSE
 AddressFamily                any
 ListenAddress                0.0.0.0
 ListenAddress                ::
-Port MUST_BE_CHANGED
+PORT_MUST_BE_CHANGED
 AllowUsers                   root
 UseDNS                       no
 ### Force a key exchange after transferring 1 GiB of data or 1 hour of session time, whichever occurs first.
@@ -46,9 +46,9 @@ StrictModes                  yes
 LoginGraceTime               2m
 MaxAuthTries                 3
 MaxSessions                  2
-### Begin randomly dropping new unauthenticated connections after the 8th attempt,
-### with a 64% chance to drop each additional connection, up to a hard limit of 16.
-MaxStartups                  08:64:16
+### Begin randomly dropping new unauthenticated connections after the 2nd attempt,
+### with a 64% chance to drop each additional connection, up to a hard limit of 08.
+MaxStartups                  02:64:08
 ### Restrict each individual source IP to only 4 unauthenticated connection slot
 ### in the concurrent MaxStartups pool, preventing one IP from monopolizing slots.
 PerSourceMaxStartups         8

config/includes.chroot/etc/sysctl.d/99_local.hardened

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.288.2025.10.24
 
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
@@ -280,15 +280,6 @@ net.ipv4.conf.all.forwarding=0
 net.ipv6.conf.all.accept_ra=0
 net.ipv6.conf.default.accept_ra=0
 
-###########################################################################################
-# These parameters relate to secure ICMP redirects. ICMP redirects are messages that a
-# router sends to a device to inform it that there is a better route for the data traffic.
-# This setting prevents the system from responding to redirects that have been spoofed by
-# potential attackers to redirect traffic (e.g., for man-in-the-middle attacks).
-###########################################################################################
-net.ipv4.conf.all.secure_redirects=1
-net.ipv4.conf.default.secure_redirects=1
-
 ###########################################################################################
 # This setting prevents the disclosure of TCP timestamps that can be used for system
 # fingerprinting:

config/includes.chroot/preseed/.iso/preseed_hash_generator.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-declare -gr VERSION="Master V8.13.142.2025.10.14"
+declare -gr VERSION="Master V8.13.288.2025.10.24"
 
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then

config/includes.chroot/preseed/preseed.cfg

@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.142.2025.10.14 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.288.2025.10.24 at: 10:18:37.9542

config/includes.chroot/root/.bashrc

@@ -14,21 +14,45 @@
 ### Never use 'errexit' | 'nounset' | 'pipefail' in interactive shells.
 set +o errexit +o nounset +o pipefail
 
+# shellcheck disable=SC2312
+if [[ "$(id -u)" -eq 0 ]]; then
+  umask 0022
+  PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+else
+  umask 0077
+  PATH="/usr/local/bin:/usr/bin:/bin"
+fi
+export PATH
+
 trap ' "${SHELL}" /root/.ciss/clean_logout.sh ' EXIT
 source /root/.ciss/alias
 source /root/.ciss/f2bchk.sh
 source /root/.ciss/shortcuts
 source /root/.ciss/scan_libwrap
 
-### History
-touch /tmp/.bash_history
-chmod 0660 /tmp/.bash_history
-chown root:root /tmp/.bash_history
-export HISTFILE=/tmp/.bash_history
+### Preferred editor for local and remote sessions.
+export EDITOR="nano"
+
+### History-Settings
+# The name of the file in which command history is saved. The default value is ~/.bash_history. If unset, the command history
+# is not saved when a shell exits.
+export HISTFILE="${XDG_STATE_HOME}/bash/history"
+
+touch "${HISTFILE}"
+chmod 0660 "${HISTFILE}"
+chown root:root "${HISTFILE}"
+
 export HISTSIZE=2048
 export HISTFILESIZE=2048
 shopt -s histappend
 
+# Optional, cautious filters (avoids trivial leaks, but not foolproof). Caution: HISTIGNORE is coarse-grained, don't overdo it.
+export HISTIGNORE='*PASS*:*pass*:*secret*:*token*:*API_KEY*'
+
+# -'ignoreboth' Do not put duplicate lines or lines starting with space in the history.
+# -'erasedups' Causes all previous lines matching the current line to be removed from the history before that line is saved.
+export HISTCONTROL='ignoreboth:erasedups'
+
 ### Define colors for bash prompt
 export CRED='\033[1;91m'
 export CGRE='\033[1;92m'

config/includes.chroot/root/.ciss/alias

@@ -10,9 +10,6 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-########################################################################################### Alpha
-alias genkeyfile='haveged -n 1048576 >| /tmp/secure_keyfile_$(date +%s)'
-
 ########################################################################################### Bash
 alias clear="printf '\033c'"
 alias c='clear'

config/includes.chroot/root/.ciss/check_chrony.sh

@@ -14,7 +14,7 @@ set -Ceuo pipefail
 
 #######################################
 # Minimal leap-second probe for Debian/chrony systems.
-# - Prints kernel leap flags & TAI offset (ΔAT).
+# - Prints kernel leap flags & TAI offset (delta AT).
 # - Reads tzdata's leap-seconds list (authoritative TAI-UTC).
 # - Shows chrony tracking summary (incl. leap status).
 # - Demonstrates 23:59:60 rendering via TZ=right/UTC.
@@ -38,7 +38,7 @@ main() {
     tz_tai="$(awk '{print $2}' <<<"${tz_leap_line}")"
     ts_human="$(awk -F'#' '{gsub(/^[[:space:]]+/, "", $2); print $2}' <<<"${tz_leap_line}")"
 
-    printf "tzdata ΔAT (TAI-UTC): %s s [last change at: %s; NTP ts: %s]\n\n" "${tz_tai:-?}" "${ts_human:-?}" "${tz_ntp:-?}"
+    printf "tzdata delta AT (TAI-UTC): %s s [last change at: %s; NTP ts: %s]\n\n" "${tz_tai:-?}" "${ts_human:-?}" "${tz_ntp:-?}"
 
   else
 
@@ -56,7 +56,7 @@ main() {
 
     if [[ -n "${k_tai:-}" ]]; then
 
-      printf "Kernel-exported ΔAT [tai]: %s s\n" "${k_tai}"
+      printf "Kernel-exported delta AT [tai]: %s s\n" "${k_tai}"
 
     fi
 
@@ -96,8 +96,8 @@ main() {
   printf "\n"
   printf "Hint:\n"
 
-  printf "  • ΔAT (TAI-UTC) should match tzdata and kernel (chrony sets kernel TAI if leapsectz/leapseclist is used).\n"
-  printf "  • For monotonic intervals, apps must use CLOCK_MONOTONIC, not CLOCK_REALTIME.\n"
+  printf "  - delta AT (TAI-UTC) should match tzdata and kernel (chrony sets kernel TAI if leapsectz/leapseclist is used).\n"
+  printf "  - For monotonic intervals, apps must use CLOCK_MONOTONIC, not CLOCK_REALTIME.\n"
 
   return 0
 }

config/includes.chroot/root/.ciss/shortcuts

@@ -41,7 +41,6 @@ declare -ga shortcuts=(
   "f2bubn: f2b unban --all"
   "f2bufw: f2b status ufw"
   "free: free -m"
-  "genkeyfile: 1MiBi"
   "genpasswd: PWD"
   "genpasswdhash: PWD Hash"
   "genstring: Random String"

config/includes.chroot/root/.zshenv

@@ -0,0 +1,27 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-19; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+: "${XDG_CONFIG_HOME:=${HOME}/.config}"
+: "${XDG_CACHE_HOME:=${HOME}/.cache}"
+: "${XDG_DATA_HOME:=${HOME}/.local/share}"
+: "${XDG_STATE_HOME:=${HOME}/.local/state}"
+
+# Do NOT set XDG_RUNTIME_DIR here.
+
+export XDG_CONFIG_HOME XDG_CACHE_HOME XDG_DATA_HOME XDG_STATE_HOME
+
+### Zsh history -> XDG_STATE_HOME (best-effort; zsh might not read /etc/profile)
+if [ "${ENABLE_XDG_ZSH_HISTORY:-1}" = "1" ] && [ -n "${ZSH_VERSION:-}" ]; then
+  [ -d "${XDG_STATE_HOME}/zsh" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/zsh"
+  export HISTFILE="${XDG_STATE_HOME}/zsh/history"
+fi
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/package-lists/live.list.amd64.chroot

@@ -8,5 +8,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
+
 grub-efi-amd64-signed
+
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/package-lists/live.list.arm64.chroot

@@ -8,5 +8,7 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
+
 grub-efi-arm64-signed
+
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/package-lists/live.list.common.chroot

@@ -67,11 +67,11 @@ gawk
 gdisk
 git
 gnupg
-haveged
 htop
 iftop
 iproute2
 iputils-ping
+jitterentropy-rngd
 jq
 keyboard-configuration
 keychain
@@ -83,7 +83,7 @@ libpwquality-tools
 libtomcrypt-dev
 libtommath-dev
 libtool
-linux-doc-6.12
+linux-doc-6.16
 linux-source
 live-boot
 live-config

docs/AUDIT_DNSSEC.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.142.2025.10.14<br>
+**Build**: V8.13.288.2025.10.24<br>
 
 # 2. DNSSEC Status
 

docs/AUDIT_HAVEGED.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.142.2025.10.14<br>
+**Build**: V8.13.288.2025.10.24<br>
 
 # 2. Haveged Audit on Netcup RS 2000 G11
 

docs/AUDIT_LYNIS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.142.2025.10.14<br>
+**Build**: V8.13.288.2025.10.24<br>
 
 # 2. Lynis Audit:
 

docs/AUDIT_SSH.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.142.2025.10.14<br>
+**Build**: V8.13.288.2025.10.24<br>
 
 # 2. SSH Audit by ssh-audit.com
 

docs/AUDIT_TLS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.142.2025.10.14<br>
+**Build**: V8.13.288.2025.10.24<br>
 
 # 2. TLS Audit:
 ````text

docs/BOOTPARAMS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.142.2025.10.14<br>
+**Build**: V8.13.288.2025.10.24<br>
 
 # 2. Hardened Kernel Boot Parameters
 

docs/CHANGELOG.md

@@ -8,10 +8,58 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.142.2025.10.14<br>
+**Build**: V8.13.288.2025.10.24<br>
 
 # 2. Changelog
 
+## V8.13.288.2025.10.24
+* **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + nftables mods
+* **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) + banaction = nftables-*
+* **Updated**: [0900_ufw_setup.chroot](../config/hooks/live/0900_ufw_setup.chroot) changed var injection
+* **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) changed var injection
+* **Updated**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config) changed var injection
+* **Updated**: [lib_hardening_ultra.sh](../lib/lib_hardening_ultra.sh) changed var injection
+
+## V8.13.280.2025.10.23
+* **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot) + 10-ciss-noise-floor.rules
+* **Updated**: [lib_lb_config_write_trixie.sh](../lib/lib_lb_config_write_trixie.sh) changed: audit_backlog_limit=262144
+
+## V8.13.272.2025.10.22
+* **Updated**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) + amd64-microcode intel-microcode
+* **Updated**: [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot) removed --sp800-90b
+* **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot) unified auditd configuration, removed success rules
+* **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot) + apt-get dist-upgrade -y
+* **Updated**: [login.defs](../config/includes.chroot/etc/login.defs) 
+* **Updated**: [9999-cdi-starter](../scripts/9999-cdi-starter) 
+
+## V8.13.256.2025.10.21
+* **Updated**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot)
+* **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot)
+* **Updated**: [.zshenv](../config/includes.chroot/root/.zshenv)
+
+## V8.13.224.2025.10.19
+* **Added**: [.zshenv](../config/includes.chroot/root/.zshenv)
+* **Updated**: [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot)
+* **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) updated ignoreip
+* **Updated**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot) + rsyslog
+* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) - haveged, + jitterentropy-rngd
+
+## V8.13.192.2025.10.18
+* **Added**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot)
+* **Added**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot)
+* **Added**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot)
+* **Updated**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) XDG Base Directory Support
+* **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot)
+* **Updated**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config) hardened MaxStartups
+* **Updated**: [alias](../config/includes.chroot/root/.ciss/alias) removed haveged alias
+* **Updated**: [shortcuts](../config/includes.chroot/root/.ciss/shortcuts) removed haveged entry
+* **Updated**: [.bashrc](../config/includes.chroot/root/.bashrc) added HISTIGNORE and EDITOR
+
+## V8.13.144.2025.10.16
+* **Bugfixes**: [99_local.hardened](../config/includes.chroot/etc/sysctl.d/99_local.hardened)
+* **Updated**:  [check_chrony.sh](../config/includes.chroot/root/.ciss/check_chrony.sh)
+* **Changed**:  [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot)
+
 ## V8.13.142.2025.10.14
 * **Updated**: [9999-cdi-starter](../scripts/9999-cdi-starter)
 
@@ -19,7 +67,6 @@ include_toc: true
 * **Added**: [REPOSITORY.md](../REPOSITORY.md)
 
 ## V8.13.128.2025.10.10
-
 * **Added**: Packages ``age``, ``cosign``
 * **Added**: Repository https://github.com/getsops/sops.git
 * **Added**: [0040_ssh_config_setup.chroot](../config/hooks/live/0040_ssh_config_setup.chroot)

docs/CNET.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.142.2025.10.14<br>
+**Build**: V8.13.288.2025.10.24<br>
 
 # 2. Centurion Net - Developer Branch Overview
 

docs/CODING_CONVENTION.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.142.2025.10.14<br>
+**Build**: V8.13.288.2025.10.24<br>
 
 # 2. Coding Style
 

docs/CONTRIBUTING.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.142.2025.10.14<br>
+**Build**: V8.13.288.2025.10.24<br>
 
 # 2. Contributing / participating
 

docs/CREDITS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.142.2025.10.14<br>
+**Build**: V8.13.288.2025.10.24<br>
 
 # 2. Credits
 

docs/DL_PUB_ISO.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.142.2025.10.14<br>
+**Build**: V8.13.288.2025.10.24<br>
 
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
 

docs/DOCUMENTATION.md

@@ -8,12 +8,12 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.142.2025.10.14<br>
+**Build**: V8.13.288.2025.10.24<br>
 
 # 2.1. Usage
 ````text
 CISS.debian.live.builder
-Master V8.13.142.2025.10.14
+Master V8.13.288.2025.10.24
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 
 (c) Marc S. Weidner, 2018 - 2025
@@ -136,7 +136,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
 # 2.2. Contact
 ````text
 CISS.debian.live.builder
-Master V8.13.142.2025.10.14
+Master V8.13.288.2025.10.24
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 
 (c) Marc S. Weidner, 2018 - 2025

docs/REFERENCES.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.142.2025.10.14<br>
+**Build**: V8.13.288.2025.10.24<br>
 
 # 2. Resources
 

lib/lib_hardening_ultra.sh

@@ -184,7 +184,7 @@ hardening_ultra() {
 
   fi
 
-
+  ### /config/includes.chroot/root/.ssh
   if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"  ]]; then
 
     mkdir -p  "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
@@ -194,15 +194,27 @@ hardening_ultra() {
 
     declare -r sshport="${VAR_SSHPORT:-22}"
 
-    sed -i "s|^port      = MUST_BE_SET|port      = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
-    sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"${sshport}\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
-    sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
+    ### /config/includes.chroot/etc/ssh/sshd_config
+    # shellcheck disable=SC2155
+    declare pad="$(printf '%-29s' 'Port')"
+    sed -i -E "/PORT_MUST_BE_CHANGED/ s|.*|${pad}${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
 
+    ### /config/hooks/live/9950_hardening_fail2ban.chroot
+    sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot"
+
+    ### /config/hooks/live/0900_ufw_setup.chroot
+    sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
+
+
+    ### /config/hooks/live/0900_ufw_setup.chroot
     if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then
 
       declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
+
       sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
+
       declare line
+
       # shellcheck disable=SC2312
       line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
 
@@ -212,10 +224,15 @@ hardening_ultra() {
       fi
 
       declare host
+
       for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
+
         ((line++))
+
         sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}"
+
       done
+
     fi
 
   else
@@ -226,14 +243,25 @@ hardening_ultra() {
 
     declare -r sshport="${VAR_SSHPORT:-22}"
 
-    sed -i "s|^port      = MUST_BE_SET|port      = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
-    sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"${sshport}\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
-    sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
+    ### /config/includes.chroot/etc/ssh/sshd_config
+    # shellcheck disable=SC2155
+    declare pad="$(printf '%-29s' 'Port')"
+    sed -i -E "/PORT_MUST_BE_CHANGED/ s|.*|${pad}${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
 
+    ### /config/hooks/live/9950_hardening_fail2ban.chroot
+    sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot"
+
+    ### /config/hooks/live/0900_ufw_setup.chroot
+    sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
+
+
+    ### /config/hooks/live/0900_ufw_setup.chroot
     if [[ ${#ARY_HANDLER_JUMPHOST_UNIQUE[@]} -gt 0 ]]; then
 
       declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
+
       sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
+
       declare line
       # shellcheck disable=SC2312
       line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
@@ -244,46 +272,67 @@ hardening_ultra() {
       fi
 
       declare host
+
       for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
+
         ((line++))
         sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}"
+
       done
+
     fi
+
   fi
+
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating SSH Keys, Ports done. \e[0m\n"
 
+
+  ### /config/includes.chroot/etc/hosts.allow
   if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then
+
     printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 SSH Hardening Ultra ... \e[0m\n"
+
     cp -af "${VAR_WORKDIR}/hosts.allow" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
     cp -af "${VAR_WORKDIR}/hosts.deny" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
+
     chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.allow"
     chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.deny"
+
     rm -f "${VAR_WORKDIR}/hosts.allow"
     rm -f "${VAR_WORKDIR}/hosts.deny"
+
     printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ SSH Hardening Ultra done.\e[0m\n"
+
   fi
 
+
+  ### /config/hooks/live/9950_hardening_fail2ban.chroot
   if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
+
     printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n"
+
     # Join array entries with spaces, preserving any newlines
     declare ips="${ARY_HANDLER_JUMPHOST[*]}"
+
     # Flatten to a single line and strip literal brackets []
     declare flat_ips
     # shellcheck disable=SC2312
     flat_ips=$(printf "%s" "${ips}" | tr '\n' ' ' | tr -d '[]')
     # flat_ips now contains e.g., "123.128.111.42 2a03:ffff:0815:4711:... 2a03:.../64"
 
-    # Perform an in-place replacement of MUST_BE_SET with the cleaned list
-    sed -i -e "s|^\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1[[:space:]]*\)MUST_BE_SET|\1${flat_ips}|" \
-        "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
+    # Perform an in-place replacement of IGNORE_IP_MUST_BE_SET with the cleaned list
+    sed -i -E "/^[[:space:]]*ignoreip[[:space:]]*=/ s|IGNORE_IP_MUST_BE_SET|${flat_ips}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot"
+
     printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating fail2ban Jumphosts IPs done. \e[0m\n"
+
   else
+
     printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 No jump hosts configured, removing placeholder ... \e[0m\n"
-    sed -i \
-        -e "s|^\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1\)[[:space:]]*MUST_BE_SET|\1|" \
-        -e "s|\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1\)[[:space:]]*$|\1|" \
-        "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
+
+    sed -i 's/IGNORE_IP_MUST_BE_SET//g' "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot"
+
     printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Placeholder removed. \e[0m\n"
+
   fi
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/lib_lb_config_write_trixie.sh

@@ -40,8 +40,8 @@ lb_config_write_trixie() {
     --backports true \
     --binary-filesystem fat32 \
     --binary-image iso-hybrid \
-    --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=8192 audit=1 debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
-    --bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums apparmor=1 security=apparmor audit_backlog_limit=8192 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
+    --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
+    --bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
     --bootloaders grub-efi \
     --cache true \
     --checksums sha512 sha256 md5 \

lib/lib_note_target.sh

@@ -53,6 +53,18 @@ note_target() {
   https://coresecret.eu/spenden/
 ################################################################################
 EOF
+  chmod 0444 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ciss-debian-live-builder.txt"
+
+  cat << EOF >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ciss-debian-live-builder.env"
+export CDLB_VERSION="${VAR_VERSION}"
+export CDLB_GIT_REL="${VAR_GIT_REL}"
+export CDLB_CR_DATE="${VAR_DATE_INFO}"
+export CDLB_CR_HOST="${VAR_HOST}"
+export CDLB_BASHVER="${VAR_BASH_VER}"
+export CDLB_DS_VER="${VAR_DS_VER}"
+export CDLB_LB_VER="${VAR_LB_VER}"
+EOF
+  chmod 0444 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/ciss-debian-live-builder.env"
 
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
 

lib/lib_usage.sh

@@ -35,13 +35,13 @@ usage() {
   # shellcheck disable=SC2155
   declare var_header=$(center "CLB(1)                        CISS.debian.live.builder                        CLB(1)" "${var_cols}")
   # shellcheck disable=SC2155
-  declare var_footer=$(center "V8.13.142.2025.10.14                        2025-10-07                        CLB(1)" "${var_cols}")
+  declare var_footer=$(center "V8.13.288.2025.10.24                        2025-10-07                        CLB(1)" "${var_cols}")
 
   {
     echo -e "\e[1;97m${var_header}\e[0m"
     echo
     echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V8.13.142.2025.10.14\e[0m"
+    echo -e "\e[92mMaster V8.13.288.2025.10.24\e[0m"
     echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
     echo
     echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"

scripts/9999-cdi-starter

@@ -50,7 +50,7 @@ readonly -f sysp
 #######################################
 # Main autostart function.
 # Arguments:
-#   none
+#   None
 #######################################
 main() {
   declare -r repo_url="https://git.coresecret.dev/msw/CISS.debian.installer.git"
@@ -66,7 +66,7 @@ main() {
   # shellcheck disable=SC2312
   exec > >(tee -a "${log}") 2>&1
 
-  printf "CISS.debian.installer Master V8.13.142.2025.10.14 is up! \n" >| /root/.ciss/cdi/log/auto_start_begin_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+  printf "CISS.debian.installer Master V8.13.288.2025.10.24 is up! \n" >| /root/.ciss/cdi/log/auto_start_begin_"$(date +"%Y-%m-%d_%H-%M-%S")".log
 
   net_wait
 
@@ -74,20 +74,20 @@ main() {
 
   [[ -d "${repo_dir}" ]] && rm -rf "${repo_dir}"
 
-  git clone --depth 1 "${repo_url}" "${repo_dir}"
+  git clone "${repo_url}" "${repo_dir}"
 
   chmod 0700 "${repo_dir}/ciss_debian_installer.sh"
 
   cd "${repo_dir}"
 
-  #./ciss_debian_installer.sh \
+#./ciss_debian_installer.sh \
 #  --autoinstall \
 #  --debug XTRACE \
 #  --log debug \
 #  --reionice-priority 1 0 \
 #  --renice-priority "-19"
 
-  printf "CISS.debian.installer Master V8.13.142.2025.10.14 successfully executed! \n" >| /root/.ciss/cdi/log/auto_start_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+  printf "CISS.debian.installer Master V8.13.288.2025.10.24 successfully executed! \n" >| /root/.ciss/cdi/log/auto_start_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
 
   exit 0
 }

var/early.var.sh

@@ -14,7 +14,7 @@
 
 # shellcheck disable=SC2155
 declare -grx VAR_CONTACT="security@coresecret.eu"
-declare -grx VAR_VERSION="Master V8.13.142.2025.10.14"
+declare -grx VAR_VERSION="Master V8.13.288.2025.10.24"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
 declare -gx  VAR_EARLY_DEBUG="false"
 declare -gx  VAR_HANDLER_AUTOBUILD="false"

var/global.var.sh

@@ -14,7 +14,13 @@
 guard_sourcing
 
 ### Definition of MUST set global variables.
-declare -gr VAR_BASH_VER="$(bash --version | head -n1 | awk '{print $4" "$5" "$6}')"
+declare -gr VAR_BASH_VER="$(bash --version | head -n1 | awk '{
+  # Print $4 and $5; include $6 only if it exists
+  out = $4
+  if (NF >= 5) out = out " " $5
+  if (NF >= 6) out = out " " $6
+  print out
+}')"
 declare -gr VAR_HOST="$(uname -n)"
 declare -gr VAR_DATE_EPOCH="$(date -u +%s)"
 declare -gr VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"