---
gitea: none
include_toc: true
---

# 1. CISS.debian.live.builder

**Centurion Intelligence Consulting Agency Information Security Standard**

*Debian Live Build Generator for hardened live environment and CISS Debian Installer*

**Master Version**: 8.13

**Build**: V8.13.544.2025.12.05

# 2. Changelog

## V8.13.544.2025.12.05

* **Added**: [90-ciss-local.hardened.md](documentation/90-ciss-local.hardened.md)
* **Bugfixes**: [zzzz_ciss_crypt_squash.hook.binary](../config/hooks/live/zzzz_ciss_crypt_squash.hook.binary) + Adjusted ``OVERHEAD_PCT`` for Gitea Runner

## V8.13.536.2025.12.04

* **Added**: [ciss_live_builder.sh.md](documentation/ciss_live_builder.sh.md)
* **Bugfixes**: Unified network management via ``systemd-networkd``
* **Bugfixes**: [0822_ssh_restart_hook.chroot](../config/hooks/live/0822_ssh_restart_hook.chroot) + ssh restart cron job replaced by systemd override
* **Bugfixes**: [unlock_wrapper.sh](../config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh) + ``: > /var/log/wtmp``
* **Bugfixes**: [1000_ciss_fixpath.sh](../config/includes.chroot/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh) + ``: > /var/log/wtmp``
* **Bugfixes**: [0000_ciss_fixpath.sh](../config/includes.chroot/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh) + ``: > /var/log/wtmp``
* **Bugfixes**: [30-ciss-hardening.conf](../config/includes.chroot/etc/modprobe.d/30-ciss-hardening.conf) + UAS blacklisting
* **Bugfixes**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash) + unified ``kill`` & ``wait`` handling for ``BROKER`` & ``PROMPT`` PIDs
* **Removed**: [0100_ciss_mem_wipe.chroot](../.archive/0100_ciss_mem_wipe.chroot)

## V8.13.528.2025.12.03

* **Bugfixes**: Unified network management via ``systemd-networkd``

## V8.13.520.2025.12.02

* **Bugfixes**: Unified network management via ``systemd-networkd``

## V8.13.512.2025.11.28

* **Bugfixes**: Unified network management via ``systemd-networkd``

## V8.13.512.2025.11.27

* **Global**: Unified network management via ``systemd-networkd``
* **Global**: Transition of license agreements to:
  * [CCLA-1.1.txt](LICENSES/CCLA-1.1.txt)
  * [CNCL-1.1.txt](LICENSES/CNCL-1.1.txt)
* **Added**: [90-ciss-ethernet.network](../config/includes.chroot/etc/systemd/network/90-ciss-ethernet.network)
* **Added**: [90-ciss-networkd.preset](../.archive/90-ciss-networkd.preset)
* **Changed**: [unlock_wrapper.sh](../config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh)
* **Changed**: [lib_provider_netcup.sh](../lib/lib_provider_netcup.sh)
* **Changed**: [0010_dhcp_supersede.sh](../scripts/0010_dhcp_supersede.sh)

## V8.13.512.2025.11.26

* **Global**: Final adjustments for LUKS dm-integrity integration

## V8.13.440.2025.11.19

* **Added**: [9990-overlay.sh](../config/includes.chroot/usr/lib/live/boot/9990-overlay.sh)
* **Bugfixes**: [0022-ciss-overlay-tmpfs](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs)
* **Bugfixes**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash)
* **Bugfixes**: [0026-ciss-early-sysctl](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl)
* **Bugfixes**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums)
* **Bugfixes**: [0042_ciss_post_decrypt_attest](../config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest)

## V8.13.432.2025.11.18

* **Bugfixes**: [0003_cdi_autostart.chroot](../config/hooks/live/0003_cdi_autostart.chroot)
* **Bugfixes**: [9999_cdi_starter.sh](../scripts/usr/local/sbin/9999_cdi_starter.sh)

## V8.13.416.2025.11.17

* **Global**: Explicit ``export INITRD="No"``
* **Changed**: [0100_ciss_mem_wipe.chroot](../.archive/0100_ciss_mem_wipe.chroot)

## V8.13.408.2025.11.13

* **Added**: [0002_hardening_overlay_tmpfs.chroot](../config/hooks/live/0002_hardening_overlay_tmpfs.chroot) + Remount overlay root with ``nosuid,nodev``.
* **Added**: [0100_ciss_mem_wipe.chroot](../.archive/0100_ciss_mem_wipe.chroot) + adding Tails-like memory wiping.
* **Added**: [0022-ciss-overlay-tmpfs.sh](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs) + Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
* **Added**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash) + Open ``/live/ciss_rootfs.crypt`` (LUKS) and present its SquashFS as ``/run/live/rootfs``.
* **Added**: [0026-ciss-early-sysctl.sh](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl) + Enforce early sysctls before services start.
* **Added**: [0042_ciss_post_decrypt_attest](../config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest) + Late rootfs attestation and dmsetup health checking.
* **Added**: [MAN_CISS_ISO_BOOT_CHAIN.md](MAN_CISS_ISO_BOOT_CHAIN.md)
* **Added**: [lib_ciss_signatures.sh](../lib/lib_ciss_signatures.sh) + integrated dynamic GPG FPR injection.
* **Bugfixes**: [0021_dropbear_initramfs.chroot](../config/hooks/live/0021_dropbear_initramfs.chroot) + mv original files to a safe backup location.
* **Changed**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot) + securing ``/.ciss``, removing ``.keep``.
* **Changed**: [unlock_wrapper.sh](../config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh) + integrated dynamic GPG FPR injection.
* **Changed**: [9999_ciss_debian_live_builder.sh](../config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh) + ``dmsetup``.
* **Changed**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) + integrated dynamic GPG FPR injection.
* **Changed**: [lib_arg_parser.sh](../lib/lib_arg_parser.sh) + ``--signing_ca=*``.
* **Changed**: [lib_check_secrets.sh](../lib/lib_check_secrets.sh) + updated shopt handling.
* **Changed**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) + integrates and generates sha512sum and GPG signatures on CISS specific LIVE boot artifacts.
* **Changed**: [lib_gnupg.sh](../lib/lib_gnupg.sh) + integration of optional import of offline GPG CA public keys.
* **Changed**: [lib_primordial.sh](../lib/lib_primordial.sh) + Updates for CISS and PhysNet primordial-workflow™.
* **Changed**: [lib_usage.sh](../lib/lib_usage.sh) + ``--signing_ca=*``.
* **Changed**: [binary_checksums.sh](../scripts/usr/lib/live/build/binary_checksums.sh) + ``! -path './live/filesystem.squashfs'``
* **Changed**: [9999_cdi_starter.sh](../scripts/usr/local/sbin/9999_cdi_starter.sh) + increased verbosity.

## V8.13.404.2025.11.10

* **Added**: [0020_dropbear_build.chroot](../config/hooks/live/0020_dropbear_build.chroot)
* **Added**: [0021_dropbear_initramfs.chroot](../config/hooks/live/0021_dropbear_initramfs.chroot)
* **Added**: [0022_dropbear_setup.chroot](../config/hooks/live/0022_dropbear_setup.chroot)
* **Added**: [9999_ciss_custom_prompt.sh](../config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh)
* **Added**: [9999_ciss_debian_live_builder.sh](../config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh)
* **Added**: [1000_ciss_fixpath.sh](../config/includes.chroot/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh)
* **Added**: [0000_ciss_fixpath.sh](../config/includes.chroot/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh)
* **Added**: [dropbear](../config/includes.chroot/usr/share/initramfs-tools/scripts/init-premount/dropbear)
* **Added**: [MAN_SSH_Host_Key_Policy.md](MAN_SSH_Host_Key_Policy.md)
* **Added**: [zzzz_luks_squash.hook.binary](../config/hooks/live/zzzz_ciss_crypt_squash.hook.binary) + Preparing squashfs LUKS encryption
* **Bugfixes**: [generate_PRIVATE_trixie_0.yaml](../.gitea/workflows/generate_PRIVATE_trixie_0.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
* **Bugfixes**: [generate_PRIVATE_trixie_1.yaml](../.gitea/workflows/generate_PRIVATE_trixie_1.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
* **Bugfixes**: [generate_PUBLIC_iso.yaml](../.gitea/workflows/generate_PUBLIC_iso.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
* **Bugfixes**: [linter_char_scripts.yaml](../.gitea/workflows/linter_char_scripts.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
* **Bugfixes**: [render-dnssec-status.yaml](../.gitea/workflows/render-dnssec-status.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
* **Bugfixes**: [render-dot-to-png.yaml](../.gitea/workflows/render-dot-to-png.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
* **Bugfixes**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums)
* **Changed**: [localoptions.h](../upgrades/dropbear/localoptions.h)
* **Changed**: [.shellcheckrc](../.shellcheckrc)
* **Changed**: [9940_hardening_memory.dump.chroot](../config/hooks/live/9940_hardening_memory.dump.chroot) + added: 9999-ciss-coredump-disable.conf
* **Changed**: [9992_password_expiration.chroot](../config/hooks/live/9992_password_expiration.chroot) + added: ``update_shadow()``
* **Changed**: [lib_clean_up.sh](../lib/lib_clean_up.sh) + added: Securely shred all regular files below ./includes.chroot, then remove empty dirs.
* **Updated**: [AUDIT_LYNIS.md](AUDIT_LYNIS.md) + updated: Lynis Version 3.1.6

## V8.13.400.2025.11.08

* **Bugfixes**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) - GPG key handling
* **Changed**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) - Unified naming scheme
* **Changed**: [lib_gnupg.sh](../lib/lib_gnupg.sh) - Unified naming scheme
* **Changed**: [binary_checksums.sh](../scripts/usr/lib/live/build/binary_checksums.sh) - Unified naming scheme, added verbosity output
* **Changed**: [binary_rootfs.sh](../scripts/usr/lib/live/build/binary_rootfs.sh) - added verbosity output
* **Changed**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) - bugfixes
* **Changed**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) - moved ``update-initramfs`` to:
  * **Changed**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot)

## V8.13.392.2025.11.07

* **Global**: Changed ``guard_sourcing`` to ``guard_sourcing || return "${ERR_GUARD_SRCE}"``
* **Added**: [lib_check_secrets.sh](../lib/lib_check_secrets.sh) + Final secrets wiper before starting ``lb build``.
* **Added**: [lib_trap_on_err.sh](../lib/lib_trap_on_err.sh) + ``print_stacktrace()``
* **Added**: [lib_trap_on_exit.sh](../lib/lib_trap_on_exit.sh) + Trap on ``EXIT`` handler for 'non-0' exit-code.
* **Bugfixes**: [lib_gnupg.sh](../lib/lib_gnupg.sh) + modified passphrase handling

## V8.13.384.2025.11.06

* **Global**: Debian bookworm support deprecated.
* **Global**: Changed ``shred -vfzu -n 5`` to ``shred -fzu -n 5``.
* **Global**: Live-hooks: ``apt-get`` commands safeguarded by ``export DEBIAN_FRONTEND="noninteractive" INITRD="No"``.
* **Added**: [marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc](../.pubkey/marc_s_weidner_msw%2Bdeploy%40coresecet.dev_0x2CCF4601_public.asc)
* **Added**: [0870_bashdb.chroot](../config/hooks/live/0870_bashdb.chroot) bashdb debugger https://github.com/Trepan-Debuggers/bashdb.git
* **Added**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) Unified handling via includes.chroot.
* **Added**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) Updates for CISS and PhysNet primordial-workflow™.
* **Added**: [lib_ciss_upgrades_build.sh](../lib/lib_ciss_upgrades_build.sh) Updates for CISS and PhysNet primordial-workflow™.
* **Added**: [lib_gnupg.sh](../lib/lib_gnupg.sh) Updates for CISS and PhysNet primordial-workflow™.
* **Added**: [lib_primordial.sh](../lib/lib_primordial.sh) Updates for CISS and PhysNet primordial-workflow™.
* **Added**: [0030-ciss-verify-checksums](../scripts/usr/lib/live/boot/0030-ciss-verify-checksums) Unified handling via includes.chroot.
* **Bugfixes**: [linter_char_scripts.yaml](../.gitea/workflows/linter_char_scripts.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-linter_char_scripts.yaml}"
* **Bugfixes**: [render-dnssec-status.yaml](../.gitea/workflows/render-dnssec-status.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dnssec-status.yaml}"
* **Bugfixes**: [render-dot-to-png.yaml](../.gitea/workflows/render-dot-to-png.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dot-to-png.yaml}"
* **Changed**: [generate_PRIVATE_trixie_1.yaml](../.gitea/workflows/generate_PRIVATE_trixie_1.yaml) Rewritten for new secrets handling.
* **Changed**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) + VAR_DATE improvements.
* **Changed**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + VAR_DATE improvements.
* **Changed**: [9930_hardening_ssh.chroot](../config/hooks/live/9930_hardening_ssh.chroot) Rewritten for CISS and PhysNet primordial-workflow™.
* **Changed**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot) + Final update-initramfs
* **Changed**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config) + Less strict MaxStartups settings.
* **Changed**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) + tmux
* **Changed**: [lib_arg_parser.sh](../lib/lib_arg_parser.sh) Rewritten for CISS and PhysNet primordial-workflow™.
* **Changed**: [lib_arg_priority_check.sh](../lib/lib_arg_priority_check.sh) Unified UI.
* **Changed**: [lib_cdi.sh](../lib/lib_cdi.sh) + Commandline parameters: verify-checksums=sha512,sha384 verify-checksums-signatures
* **Changed**: [lib_change_splash.sh](../lib/lib_change_splash.sh) Unified UI.
* **Changed**: [lib_check_dhcp.sh](../lib/lib_check_dhcp.sh) Unified UI.
* **Changed**: [lib_check_hooks.sh](../lib/lib_check_hooks.sh) Unified UI.
* **Changed**: [lib_check_kernel.sh](../lib/lib_check_kernel.sh) Minor declare unification.
* **Changed**: [lib_check_pkgs.sh](../lib/lib_check_pkgs.sh) Improved command checks. Unified UI.
* **Changed**: [lib_check_provider.sh](../lib/lib_check_provider.sh) Unified variables.
* **Changed**: [lib_clean_up.sh](../lib/lib_clean_up.sh) Secure deletion of CISS and PhysNet primordial-workflow™ artifacts.
* **Changed**: [lib_debug.sh](../lib/lib_debug.sh) + Integrated EPOCH in PS4.
* **Changed**: [lib_debug_header.sh](../lib/lib_debug_header.sh) + Integrated SOURCE_DATE_EPOCH.
* **Changed**: [lib_hardening_root_pw.sh](../lib/lib_hardening_root_pw.sh) Unified UI.
* **Changed**: [lib_hardening_ultra.sh](../lib/lib_hardening_ultra.sh) Rewritten for CISS and PhysNet primordial-workflow™.
* **Changed**: [lib_hardening_ssh_tcp.sh](../lib/lib_hardening_ssh_tcp.sh) Unified UI.
* **Changed**: [lib_lb_build_start.sh](../lib/lib_lb_build_start.sh) Deterministic return code examination.
* **Changed**: [lib_lb_config_start.sh](../lib/lib_lb_config_start.sh) Removed potential disown race condition.
* **Changed**: [lib_lb_config_write_trixie.sh](../lib/lib_lb_config_write_trixie.sh) Unified config writing for deterministic workflow.
* **Changed**: [lib_note_target.sh](../lib/lib_note_target.sh) Unified UI.
* **Changed**: [lib_provider_netcup.sh](../lib/lib_provider_netcup.sh) Added Centurion DNS Server 03.
* **Changed**: [binary_checksums.sh](../scripts/usr/lib/live/build/binary_checksums.sh) + PGP signature verification.
* **Changed**: [binary_rootfs.sh](../scripts/usr/lib/live/build/binary_rootfs.sh) + mksquashfs-excludes.
* **Changed**: [early.var.sh](../var/early.var.sh) Unified variable declaration.
* **Changed**: [global.var.sh](../var/global.var.sh) Unified variable declaration.
* **Changed**: [ciss_live_builder.sh](../ciss_live_builder.sh) Updated program workflow for deterministic environment creation.
* **Updated**: [icon.lib](../.archive/icon.lib) + Emojis

## V8.13.298.2025.10.30

* **Added**: [0870_bashdb.chroot](../config/hooks/live/0870_bashdb.chroot)
* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) + tmux

## V8.13.296.2025.10.29

* **Changed**: ``lockdown=confidentiality`` -> ``lockdown=integrity``
* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) - clamav, clamav-daemon
* **Removed**: [9985_clamav.chroot](../.archive/9985_clamav.chroot)

## V8.13.294.2025.10.28

* **Added**: [lib_lb_config_write_trixie.sh](../lib/lib_lb_config_write_trixie.sh) + mksquashfs-excludes
* **Added**: [lib_ciss_upgrades.sh](../lib/lib_ciss_upgrades_build.sh) + modifies '/usr/lib/live/build/...' scripts
* **Added**: [lib_update_microcode.sh](../lib/lib_update_microcode.sh)
* **Added**: [binary_rootfs.sh](../scripts/usr/lib/live/build/binary_rootfs.sh) + modifies binary_rootfs script
* **Updated**: [generate_PRIVATE_trixie_1.yaml](../.gitea/workflows/generate_PRIVATE_trixie_1.yaml) + --sshfp
* **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + update_initramfs=all COMPRESSLEVEL=10
* **Updated**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot) = rotate 90; maxage 90
* **Updated**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot) = rotate 90
* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999_cdi_starter.sh) = unified logging

## V8.13.292.2025.10.27

* **Updated**: [alias](../config/includes.chroot/root/.ciss/alias) = modified trel()

## V8.13.290.2025.10.26

* **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + ESP/FAT/UEFI mods
* **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot)
* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999_cdi_starter.sh) Preparations for CISS and PhysNet primordial-workflow™.

## V8.13.288.2025.10.24

* **Added**: Preparations for CISS and PhysNet primordial-workflow™.
* **Added**: [0865_yq.chroot](../config/hooks/live/0865_yq.chroot) Preparations for CISS and PhysNet primordial-workflow™.
* **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + nftables mods
* **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) + banaction = nftables-*
* **Updated**: [0900_ufw_setup.chroot](../config/hooks/live/0900_ufw_setup.chroot) changed var injection
* **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) changed var injection
* **Updated**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config) changed var injection
* **Updated**: [lib_hardening_ultra.sh](../lib/lib_hardening_ultra.sh) changed var injection
* **Removed**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) - yq

## V8.13.280.2025.10.23

* **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot) + 10-ciss-noise-floor.rules
* **Updated**: [lib_lb_config_write_trixie.sh](../lib/lib_lb_config_write_trixie.sh) changed: audit_backlog_limit=262144

## V8.13.272.2025.10.22

* **Updated**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) + amd64-microcode intel-microcode
* **Updated**: [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot) removed --sp800-90b
* **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot) unified auditd configuration, removed success rules
* **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot) + apt-get dist-upgrade -y
* **Updated**: [login.defs](../config/includes.chroot/etc/login.defs)
* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999_cdi_starter.sh)

## V8.13.256.2025.10.21

* **Updated**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot)
* **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot)
* **Updated**: [.zshenv](../config/includes.chroot/root/.zshenv)

## V8.13.224.2025.10.19

* **Added**: [.zshenv](../config/includes.chroot/root/.zshenv)
* **Updated**: [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot)
* **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) updated ignoreip
* **Updated**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot) + rsyslog
* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot) - haveged, + jitterentropy-rngd

## V8.13.192.2025.10.18

* **Added**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot)
* **Added**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot)
* **Added**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot)
* **Updated**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) XDG Base Directory Support
* **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot)
* **Updated**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config) hardened MaxStartups
* **Updated**: [alias](../config/includes.chroot/root/.ciss/alias) removed haveged alias
* **Updated**: [shortcuts](../config/includes.chroot/root/.ciss/shortcuts) removed haveged entry
* **Updated**: [.bashrc](../config/includes.chroot/root/.bashrc) added HISTIGNORE and EDITOR

## V8.13.144.2025.10.16

* **Bugfixes**: [99_local.hardened](../config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened)
* **Updated**: [check_chrony.sh](../config/includes.chroot/root/.ciss/check_chrony.sh)
* **Changed**: [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot)

## V8.13.142.2025.10.14

* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999_cdi_starter.sh)

## V8.13.132.2025.10.11

* **Added**: [REPOSITORY.md](../REPOSITORY.md)

## V8.13.128.2025.10.10

* **Added**: Packages ``age``, ``cosign``
* **Added**: Repository https://github.com/getsops/sops.git
* **Added**: [0040_ssh_config_setup.chroot](../config/hooks/live/0040_ssh_config_setup.chroot)
* **Added**: [0860_sops.chroot](../config/hooks/live/0860_sops.chroot)
* **Added**: [check_chrony.sh](../config/includes.chroot/root/.ciss/check_chrony.sh)
* **Updated**: [0810_chrony_setup.chroot](../config/hooks/live/0810_chrony_setup.chroot)
* **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot)
* **Updated**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config)
* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)

## V8.13.096.2025.10.09

* **Added**: [0010_install_apparmor.chroot](../config/hooks/live/0010_install_apparmor.chroot)
* **Added**: [ssh_known_hosts](../config/includes.chroot/etc/ssh/ssh_known_hosts)
* **Updated**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot)
* **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot)
* **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot)
* **Updated**: [login.defs](../config/includes.chroot/etc/login.defs)
* **Updated**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config)
* **Updated**: [lib_cdi.sh](../lib/lib_cdi.sh)
* **Updated**: [lib_lb_config_write_trixie.sh](../lib/lib_lb_config_write_trixie.sh)

## V8.13.064.2025.10.07

* **Added**: An internal Gitea Action Runner switch for the CISS and PHYS central configuration source of truth.
* **Added**: Verbose status information screen on successful completion.
* **Added**: Verbose status information in 'CISS.debian.live.iso.'
* **Added**: Loop to desynchronize parallel workflows.
* **Added**: [lib_note_target.sh](../lib/lib_note_target.sh)
* **Updated**: [lib_trap_on_err.sh](../lib/lib_trap_on_err.sh)
* **Updated**: [lib_trap_on_exit.sh](../lib/lib_trap_on_exit.sh)
* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999_cdi_starter.sh)
* **Updated**: [9980_usb_guard.chroot](../config/hooks/live/9980_usb_guard.chroot)
* **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot)
* **Updated**: [9999_interfaces_update.chroot](../.archive/9999_interfaces_update.chroot)
* **Updated**: [lib_cdi.sh](../lib/lib_cdi.sh) Unified Kernel bootparameter.
* **Updated**: [lib_lb_config_write_trixie.sh](../lib/lib_lb_config_write_trixie.sh) Unified Kernel bootparameter.
* **Updated**: [lib_run_analysis.sh](../lib/lib_run_analysis.sh)

## V8.13.048.2025.10.06

* **Updated**: Debian 13 LIVE ISO workflows to use Kernel: ``6.16.3+deb13-amd64``
* **Updated**: Debian 13 LIVE ISO workflows to use argument: ``--cdi``
* **Updated**: [9000-cdi-starter](../scripts/usr/local/sbin/9999_cdi_starter.sh)

## V8.13.032.2025.10.03

* **Added**: Internal Gitea Action Runner switch for static SSHFP records.

## V8.13.016.2025.09.28

* **Updated**: Debian 13 LIVE ISO workflows to use Kernel: ``6.12.48+deb13-amd64``

## V8.13.008.2025.08.22

* **Removed**: [0003_install_backports.chroot]

## V8.13.004.2025.08.21

* **Added**: [makefile](../makefile)

## V8.13.002.2025.08.11

* **Added**: [lib_source_guard.sh](../lib/lib_source_guard.sh)
* **Added**: [sources.list](../config/includes.chroot/etc/apt/sources.list)
* **Added**: [trixie.sources](../config/includes.chroot/etc/apt/sources.list.d/trixie.sources)
* **Added**: [trixie-backports.sources](../config/includes.chroot/etc/apt/sources.list.d/trixie-backports.sources)
* **Added**: [trixie-security.sources](../config/includes.chroot/etc/apt/sources.list.d/trixie-security.sources)
* **Added**: [trixie-updates.sources](../config/includes.chroot/etc/apt/sources.list.d/trixie-updates.sources)
* **Added**: [login.defs](../config/includes.chroot/etc/login.defs)
* **Bugfixes**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot)
* **Bugfixes**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot)
* **Updated**: [bash.var.sh](../var/bash.var.sh)
* **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot)
* **Updated**: Support for Debian Trixie via Argument ``--trixie``
* **Updated**: Debian 12 LIVE ISO workflows to use Kernel: ``linux-image-6.1.0-37-amd64``

## V8.03.920.2025.08.07

* **Updated**: [lib_arg_parser.sh](../lib/lib_arg_parser.sh)
* **Updated**: [ciss_live_builder.sh](../ciss_live_builder.sh)
* **Updated**: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)

## V8.03.912.2025.07.23

* **Updated**: [alias](../config/includes.chroot/root/.ciss/alias)
* **Updated**: [clean_logout.sh](../config/includes.chroot/root/.ciss/clean_logout.sh)
* **Updated**: [f2bchk.sh](../config/includes.chroot/root/.ciss/f2bchk.sh)
* **Updated**: [scan_libwrap](../config/includes.chroot/root/.ciss/scan_libwrap)
* **Updated**: [shortcuts](../config/includes.chroot/root/.ciss/shortcuts)
* **Updated**: [.bashrc](../config/includes.chroot/root/.bashrc)

## V8.03.896.2025.07.22

* **Added**: [.shellcheckrc](../.shellcheckrc)
* **Bugfixes**: [ciss_live_builder.sh](../ciss_live_builder.sh)
* **Updated**: [0810_chrony_setup.chroot](../config/hooks/live/0810_chrony_setup.chroot)

## V8.03.880.2025.07.19

* **Updated**: [alias](../config/includes.chroot/root/.ciss/alias)
* **Updated**: [shortcuts](../config/includes.chroot/root/.ciss/shortcuts)
* **Added**: Package ``ncdu``: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)
* **Added**: ``TrustedUserCAKeys none``: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config)

## V8.03.864.2025.07.15

* **Updated**: [0010_dhcp_supersede.sh](../scripts/0010_dhcp_supersede.sh)
* **Added**: [BOOTPARAMS.md](BOOTPARAMS.md)
* **Added**: Package ``cpuid``: [live.list.common.chroot](../config/package-lists/live.list.common.chroot)

## V8.03.832.2025.06.25

* **Added**: [lib_version.sh](../lib/lib_version.sh)
* **Updated**:
  * [lib_contact.sh](../lib/lib_contact.sh)
  * [lib_usage.sh](../lib/lib_usage.sh)
* **Packages added**:
  * https://packages.debian.org/bookworm/fio
  * https://packages.debian.org/bookworm/stress
* **Updated**: Timezone changed to ``Etc/UTC``

## V8.03.832.2025.06.24

* **Updated**:
  * [lib_check_provider.sh](../lib/lib_check_provider.sh)
  * [lib_debug_header.sh](../lib/lib_debug_header.sh)
  * [lib_trap_on_err.sh](../lib/lib_trap_on_err.sh)
* **Added**: The Debian package ``bat`` will be installed to enable smooth log reading.

## V8.03.768.2025.06.23

* **Updated**: [lib_clean_up.sh](../lib/lib_clean_up.sh): Removal of Lock FD and Artifacts.
* Rearranged VARs sourcing: [early.var.sh](../var/early.var.sh)
* Rearranged DEBUG XTRACE sourcing: [meta_sources_debug.sh](../meta_sources_debug.sh)
* **Added**: ``guard_sourcing()``: [lib_guard_sourcing.sh](../lib/lib_guard_sourcing.sh) to prevent the caller LIB-file from being sourced twice.

## V8.03.768.2025.06.19

* Minor main script improvements.
* **Updated**: [lib_usage.sh](../lib/lib_usage.sh) output.

## V8.03.768.2025.06.18

* Minor main script improvements.
* **Updated**: Contact section.
* Integrated third ``dns03.eddns.eu`` Centurion DNS Resolver.

## V8.03.768.2025.06.17

* **Updated**: LIVE ISO workflows to use Kernel: ``linux-image-6.12.30+bpo-amd64``

## V8.03.768.2025.06.11

* **Updated**: LIVE ISO workflows to use Kernel: ``linux-image-6.12.27+bpo-amd64``

## V8.03.768.2025.06.09

* **Added**: [f2bchk.sh](../config/includes.chroot/root/.ciss/f2bchk.sh)
* **Updated**: [alias](../config/includes.chroot/root/.ciss/alias)
  * ``scurl()``
  * ``swget()``

## V8.03.644.2025.06.07

* **Updated**: Workflows ISO Generators Runners.
* Installing ``bookworm-backports`` Versions of:
  * ``btrfs-progs``
  * ``curl``
  * ``debootstrap``
  * ``iproute2``
  * ``ncat``
  * ``nmap``
  * ``ssh``
  * ``systemd``
  * ``systemd-sysv``
  * ``whois``
* Changed default: ``/etc/login.defs`` ``LOGIN_TIMEOUT 60`` to: ``LOGIN_TIMEOUT 180``
* LIVE ISO generated by workflow tested against:
  * Netcup Root Server
  * Proxmox
* LIVE ISO generated by the script tested against:
  * Netcup Root Server

## V8.03.512.2025.06.06

* **Updated**: Workflows:
  1. ``git stash push``
  2. ``git fetch origin master``
  3. ``git merge --no-edit origin/master``
  4. ``git stash pop``
* Changed workflows ISO Generators routines ``🛠️ Build GnuPG from the sources, as the Bookworm GPG does not understand key format 5.``
  * added ``wget --https-only`` flag
  * added verification step

## V8.03.400.2025.06.05

* The workflow ISO Generators image was changed to ``debian:bookworm``.
* Added a LIVE ISO workflow routine to build GnuPG from sources, since Bookworm GPG does not recognize key format 5.
* Changed verbosity of:
  * [9993_aide.chroot](../config/hooks/live/9993_aide.chroot)
  * [9997_debsums.chroot](../config/hooks/live/9997_debsums.chroot)
* Added basic linter checks for:
  * **``*.sh``**,
  * **``*.zsh``**,
  * **``*.chroot``**,
  * all files with Shebang **``#!``** for:
    * Windows CRLF line endings
    * unauthorized control characters (C0 control characters except \t, \n)
    * non-ASCII (ambiguous UTF) characters
  * [linter_char_scripts.yaml](../.gitea/workflows/linter_char_scripts.yaml)

---

**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**