diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index a2e4fb33c9..10ae7a26fb 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -2,8 +2,6 @@ NOTE: this repository uses a "Merge Forward" strategy
 Changes should be made in the earliest applicable branch, and merged forward through subsequent branches.
-1. Create a PR into the oldest branch (`ubuntu-`)
-2. After this PR has been merged create a `merge-to-` branch
-3. Merge `ubuntu-` into `merge-to-`
-4. Create a PR to merge `merge-to-` into `ubuntu-`
-5. Repeat as needed for subsequent branches
+1. PR should be created against the oldest stemcell branch, ex: `ubuntu-`
+2. After this PR has been merged create a PR to merge `ubuntu-` into `ubuntu-`
+3. Repeat as needed for subsequent stemcell line branches
diff --git a/bosh-stemcell/lib/shellout_types/service.rb b/bosh-stemcell/lib/shellout_types/service.rb
index ef80fa174d..476b7b4ada 100644
--- a/bosh-stemcell/lib/shellout_types/service.rb
+++ b/bosh-stemcell/lib/shellout_types/service.rb
@@ -27,7 +27,7 @@ def check_service_enabled(runlevel)
 stdout, stderr, status = @chroot.run("cat", "/etc/*release")
 raise stderr.to_s if status != 0
- raise "Cannot determine Linux distribution: #{stdout}" unless /Ubuntu|CentOS|openSUSE/.match?(stdout)
+ raise "Cannot determine Linux distribution: #{stdout}" unless /Ubuntu|openSUSE/.match?(stdout)
 check_is_enabled_systemctl
 end
diff --git a/bosh-stemcell/spec/support/stemcell_shared_examples.rb b/bosh-stemcell/spec/support/stemcell_shared_examples.rb
index 232c596366..477a1a7329 100644
--- a/bosh-stemcell/spec/support/stemcell_shared_examples.rb
+++ b/bosh-stemcell/spec/support/stemcell_shared_examples.rb
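Review bot: The distribution allowlist on the rewritten line `raise "Cannot determine Linux distribution: #{stdout}" unless /Ubuntu|openSUSE/.match?(stdout)` is an inline regex literal that only guards the call to `check_is_enabled_systemctl`, so the next time a distribution is added or dropped someone has to grep for this literal. Hoisting it to a class-level constant, `SUPPORTED_DISTRIBUTIONS = /Ubuntu|openSUSE/` with `unless SUPPORTED_DISTRIBUTIONS.match?(stdout)`, names the contract in one place. Note also that the match is unanchored and runs over the concatenated output of every file matched by `/etc/*release`, so any of those files merely mentioning one of the names satisfies the guard; if the caller relies on this as a real distribution check, matching the `ID=` field of `/etc/os-release` would be stricter (I cannot tell from the hunk whether that matters). `check_service_enabled` begins before the hunk, and its `runlevel` parameter is not referenced in the visible lines.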
@@ -160,13 +160,5 @@
 end
 end
 end
-
- describe "default su directive" do
- describe file("/etc/logrotate.d/default_su_directive") do
- it "does `su root root` after any leading comments" do
- expect(subject.content).to match(/\A(#.*\n)*su root root\Z/)
- end
- end
- end
 end
 end
diff --git a/ci/tasks/build.sh b/ci/tasks/build.sh
index d69d2b5cdc..c8ae18bcac 100755
--- a/ci/tasks/build.sh
+++ b/ci/tasks/build.sh
@@ -77,13 +77,16 @@ chown -R ubuntu:ubuntu "${REPO_PARENT}/bosh-linux-stemcell-builder" chown -R ubuntu:ubuntu /mnt sudo chmod u+s "$(which sudo)" -sudo --preserve-env --set-home --user ubuntu -- /bin/bash --login -i < - aea9d114124dd96611935299222b29b9ad03537e90c4c0e0d41205012fc97b140113e8ed972d376a6da9b44fc8bab0f60bd1d92b51adbf29ed6cb241bbaf12d3 - d93c7bb07f9d429772f8cb9386bf8d147b3d3a631fa1f9a578643faba9177f2a - 3b14ab2843defa3355adea3f5f44381cec1af0af - b113324e19a4d450a7cf8c3d8e9efbe8 - 435212632 + 5b7967ee8bc8a99bdc33e3ae1e88ba37977fae0a8ce4f89ce75bc7ac0997fb7a6e0cea144455eb20d27b993fba500eb3b1d60e74990a1fa9ffa5a7ec0f63913a + 8cc94158a3a4862baeb39936d59cf3669d7774874bff05d49b28064ad260671d + d065fdcf010830156559211b261592a2d6ce1317 + 776f517428e1ea9d840f252cb9eed3ee + 435209924 https://storage.googleapis.com/bosh-os-images/ubuntu-jammy/ubuntu-jammy.tgz - 1082.0.0 + 1086.0.0 - be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 - 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b - adc83b19e793491b1c6ea0fd8b46cd9f32e592fc - 68b329da9893e34099c7d8ad5cb9c940 - 1 + 04c6305dd88f1f0fdb8c052c3161682a0320751c96e6e5b6bc0b948bd3c0745d250ff57be25a11e69c1cbc1faf49d6e4dbd9f16163ccdc6ee61f6bdb89e13732 + 52256f7644d5e043f59cd3799675e5b76577fc57b7ccac248349ec4a382b2643 + 17fb83a8835fffe0fa223470bd10451554cf9ca9 + d6447fb301e142d191d4d2ce0a39ae2b + 8289 https://storage.googleapis.com/bosh-os-images/ubuntu-jammy/usn-log.json - 1082.0.0 + 1086.0.0 metalink-repository-resource/0.0.0 - 2026-06-09T19:33:14.185742096Z + 2026-06-10T21:52:23.610214379Z diff --git a/stemcell_builder/stages/bosh_audit_centos/apply.sh b/stemcell_builder/stages/bosh_audit_centos/apply.sh deleted file mode 100755 index 21614455c6..0000000000 --- a/stemcell_builder/stages/bosh_audit_centos/apply.sh +++ /dev/null 
@@ -1,32 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-base_dir=$(readlink -nf $(dirname $0)/../..)
-source $base_dir/stages/bosh_audit/shared_functions.bash
-source $base_dir/lib/prelude_bosh.bash
-
-pkg_mgr install audit
-
-run_in_bosh_chroot $chroot "systemctl disable auditd.service"
-
-write_shared_audit_rules
-
-echo '
--a always,exit -F perm=x -F auid>=500 -F auid!=4294967295 -F path=/usr/lib64/dbus-1/dbus-daemon-launch-helper -k privileged
--a always,exit -F perm=x -F auid>=500 -F auid!=4294967295 -F path=/usr/libexec/openssh/ssh-keysign -k privileged
--a always,exit -F perm=x -F auid>=500 -F auid!=4294967295 -F path=/usr/libexec/sssd/krb5_child -k privileged
--a always,exit -F perm=x -F auid>=500 -F auid!=4294967295 -F path=/usr/libexec/sssd/ldap_child -k privileged
--a always,exit -F perm=x -F auid>=500 -F auid!=4294967295 -F path=/usr/libexec/sssd/p11_child -k privileged
--a always,exit -F perm=x -F auid>=500 -F auid!=4294967295 -F path=/usr/libexec/sssd/proxy_child -k privileged
--a always,exit -F perm=x -F auid>=500 -F auid!=4294967295 -F path=/usr/libexec/sssd/selinux_child -k privileged
--a always,exit -F perm=x -F auid>=500 -F auid!=4294967295 -F path=/usr/libexec/utempter/utempter -k privileged
-' >> $chroot/etc/audit/rules.d/audit.rules
-
-# for stig V-38663: brings file permissions in aligment with what is declared by the RPM database
-# this is techinically not necessary as per the stig definition, but our tests are not as lenient as the stig is
-chmod 640 $chroot/etc/audit/rules.d/audit.rules
-
-record_use_of_privileged_binaries
-
-override_default_audit_variables
diff --git a/stemcell_builder/stages/image_install_grub/apply.sh b/stemcell_builder/stages/image_install_grub/apply.sh
index 470122f7d1..af271b0496 100755
--- a/stemcell_builder/stages/image_install_grub/apply.sh
+++ b/stemcell_builder/stages/image_install_grub/apply.sh
@@ -37,15 +37,15 @@ add_on_exit "umount ${image_mount_point}"
 # == Guide to variables in this script (all paths are defined relative to the real root dir, not the chroot)
 # work: the base working directory outside the chroot
-# eg: /mnt/stemcells/aws/xen/centos/work/work
+# eg: /mnt/stemcells/aws/xen/ubuntu/work/work
 # disk_image: path to the stemcell disk image
-# eg: /mnt/stemcells/aws/xen/centos/work/work/aws-xen-centos.raw
+# eg: /mnt/stemcells/aws/xen/ubuntu/work/work/aws-xen-ubuntu.raw
 # device: path to the loopback devide mapped to the entire disk image
 # eg: /dev/loop0
 # loopback_dev: device node mapped to the main partition in disk_image
 # eg: /dev/mapper/loop0p1
 # image_mount_point: place where loopback_dev is mounted as a filesystem
-# eg: /mnt/stemcells/aws/xen/centos/work/work/mnt
+# eg: /mnt/stemcells/aws/xen/ubuntu/work/work/mnt
 # Generate random password
 random_password=$(tr -dc A-Za-z0-9_ < /dev/urandom | head -c 16)
diff --git a/stemcell_builder/stages/image_install_grub_efi/apply.sh b/stemcell_builder/stages/image_install_grub_efi/apply.sh
index 01a23c2125..9c18196db0 100755
--- a/stemcell_builder/stages/image_install_grub_efi/apply.sh
+++ b/stemcell_builder/stages/image_install_grub_efi/apply.sh
@@ -38,9 +38,9 @@ add_on_exit "umount ${image_mount_point}/boot/efi"
 # == Guide to variables in this script (all paths are defined relative to the real root dir, not the chroot)
 # work: the base working directory outside the chroot
-# eg: /mnt/stemcells/aws/xen/centos/work/work
+# eg: /mnt/stemcells/aws/xen/ubuntu/work/work
 # disk_image: path to the stemcell disk image
-# eg: /mnt/stemcells/aws/xen/centos/work/work/aws-xen-centos.raw
+# eg: /mnt/stemcells/aws/xen/ubuntu/work/work/aws-xen-ubuntu.raw
 # device: path to the loopback devide mapped to the entire disk image
 # eg: /dev/loop0
 # loopback_efi_dev: device node mapped to the EFI boot ("/boot/efi") partition in disk_image
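Review bot: The comment block rewritten in this hunk still carries a typo on the untouched context line `# device: path to the loopback devide mapped to the entire disk image`; since the commit is already editing this block, correct it to `# device: path to the loopback device mapped to the entire disk image` in the same pass. The same line appears in the corresponding hunks of image_install_grub_efi/apply.sh and image_install_grub_softlayer_two_partitions/apply.sh below, so fix all three together.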
@@ -48,7 +48,7 @@ add_on_exit "umount ${image_mount_point}/boot/efi"
 # loopback_root_dev: device node mapped to the root partition ("/") in disk_image
 # eg: /dev/mapper/loop0p2
 # image_mount_point: place where loopback_dev is mounted as a filesystem
-# eg: /mnt/stemcells/aws/xen/centos/work/work/mnt
+# eg: /mnt/stemcells/aws/xen/ubuntu/work/work/mnt
 # Generate random password
 random_password=$(tr -dc A-Za-z0-9_ < /dev/urandom | head -c 16)
diff --git a/stemcell_builder/stages/image_install_grub_softlayer_two_partitions/apply.sh b/stemcell_builder/stages/image_install_grub_softlayer_two_partitions/apply.sh
index 094911477b..184c836ab7 100755
--- a/stemcell_builder/stages/image_install_grub_softlayer_two_partitions/apply.sh
+++ b/stemcell_builder/stages/image_install_grub_softlayer_two_partitions/apply.sh
@@ -42,15 +42,15 @@ add_on_exit "umount ${image_mount_point}/boot"
 # == Guide to variables in this script (all paths are defined relative to the real root dir, not the chroot)
 # work: the base working directory outside the chroot
-# eg: /mnt/stemcells/aws/xen/centos/work/work
+# eg: /mnt/stemcells/aws/xen/ubuntu/work/work
 # disk_image: path to the stemcell disk image
-# eg: /mnt/stemcells/aws/xen/centos/work/work/aws-xen-centos.raw
+# eg: /mnt/stemcells/aws/xen/ubuntu/work/work/aws-xen-ubuntu.raw
 # device: path to the loopback devide mapped to the entire disk image
 # eg: /dev/loop0
 # loopback_dev: device node mapped to the main partition in disk_image
 # eg: /dev/mapper/loop0p1
 # image_mount_point: place where loopback_dev is mounted as a filesystem
-# eg: /mnt/stemcells/aws/xen/centos/work/work/mnt
+# eg: /mnt/stemcells/aws/xen/ubuntu/work/work/mnt
 # Generate random password
 random_password=$(tr -dc A-Za-z0-9_ < /dev/urandom | head -c 16)
diff --git a/stemcell_builder/stages/logrotate_config/apply.sh b/stemcell_builder/stages/logrotate_config/apply.sh
index 9d0dccc124..91058a9d70 100755
--- a/stemcell_builder/stages/logrotate_config/apply.sh
+++ b/stemcell_builder/stages/logrotate_config/apply.sh
@@ -32,15 +32,10 @@ install_logrotate_cron_script() {
 sed -i -e 's/^\s*\(\/usr\/sbin\/logrotate\)\b/nice -n 19 ionice -c3 \1/' "$chroot/usr/bin/logrotate-cron"
 }
-install_default_su_directive() {
- cp -f "$assets_dir/default_su_directive" "$chroot/etc/logrotate.d/default_su_directive"
-}
-
 install_logrotate_conf
 install_setup_logrotate_script
 seed_default_logrotate_cronjob
 install_logrotate_cron_script
-install_default_su_directive
 ## TODO: either remove /etc/logrotate.d/{wtmp,btmp}
 ## or remove it from logrotate.conf and copy over the default created wtmp,btmp files
diff --git a/stemcell_builder/stages/logrotate_config/assets/centos-logrotate.conf b/stemcell_builder/stages/logrotate_config/assets/centos-logrotate.conf
deleted file mode 100644
index d7b4e4d00f..0000000000
--- a/stemcell_builder/stages/logrotate_config/assets/centos-logrotate.conf
+++ /dev/null
@@ -1,58 +0,0 @@
-# see "man logrotate" for details
-# rotate log files weekly
-weekly
-
-# keep 4 weeks worth of backlogs
-rotate 4
-
-# create new (empty) log files after rotating old ones
-create
-
-# use date as a suffix of the rotated file
-dateext
-
-# uncomment this if you want your log files compressed
-#compress
-
-# RPM packages drop log rotation information into this directory
-include /etc/logrotate.d
-
-## no packages own wtmp and btmp -- we'll rotate them here
-#/var/log/wtmp {
-# monthly
-# create 0664 root utmp
-# minsize 1M
-# rotate 1
-#}
-#
-#/var/log/btmp {
-# missingok
-# monthly
-# create 0600 root utmp
-# rotate 1
-#}
-
-# no packages own wtmp and btmp -- we'll rotate them here
-/var/log/wtmp {
- missingok
- create 0664 root utmp
- rotate 4
- nodateext
- size 5M
- notifempty
- compress
- delaycompress
-}
-
-/var/log/btmp {
- missingok
- create 0600 root utmp
- rotate 4
- nodateext
- size 5M
- notifempty
- compress
- delaycompress
-}
-
-# system-specific logs may be also be configured here.
\ No newline at end of file
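Review bot: Removing `install_default_su_directive` and its call drops the only `su` directive this stage installed, and the deleted asset below records why it existed: logrotate refuses to rotate files in `/var/log` when that directory is owned by `root:syslog` rather than `root:root`. That ownership is, as far as I can tell, also the norm on Ubuntu with rsyslog, so unless the `logrotate.conf` installed by `install_logrotate_conf` (defined outside this hunk) already declares `su`, rotation in `/var/log` may silently stop on the remaining stemcells. Please confirm the effective config still carries an `su` line, and since the spec in stemcell_shared_examples.rb that asserted `su root root` is deleted in this same commit, replace it with an assertion on whichever file now supplies the directive instead of leaving it untested. A one-line comment above the call list, such as `# the su directive is expected to come from logrotate.conf (install_logrotate_conf)`, would record the decision for the next reader.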
diff --git a/stemcell_builder/stages/logrotate_config/assets/default_su_directive b/stemcell_builder/stages/logrotate_config/assets/default_su_directive
deleted file mode 100644
index 0e7331f8be..0000000000
--- a/stemcell_builder/stages/logrotate_config/assets/default_su_directive
+++ /dev/null
@@ -1,5 +0,0 @@
-# logrotate on CentOS refuses to rotate logs in /var/log because the
-# directory is owned by root:syslog and not root:root.
-# logrotate is placated by the su directive, telling syslog what user:group
-# to rotate files with. Defaulting to root:root
-su root root
diff --git a/stemcell_builder/stages/password_policies/assets/centos/password-auth.patch b/stemcell_builder/stages/password_policies/assets/centos/password-auth.patch
deleted file mode 100644
index 9de29cdd99..0000000000
--- a/stemcell_builder/stages/password_policies/assets/centos/password-auth.patch
+++ /dev/null
@@ -1,6 +0,0 @@
-5c5,7
-< auth sufficient pam_unix.so try_first_pass
----
-> auth [success=1 default=bad] pam_unix.so try_first_pass
-> auth [default=die] pam_faillock.so authfail deny=5 unlock_time=900 fail_interval=900
-> auth sufficient pam_faillock.so authsucc deny=5 unlock_time=900 fail_interval=900
diff --git a/stemcell_builder/stages/password_policies/assets/centos/system-auth.patch b/stemcell_builder/stages/password_policies/assets/centos/system-auth.patch
deleted file mode 100644
index 73f091439b..0000000000
--- a/stemcell_builder/stages/password_policies/assets/centos/system-auth.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-5c5,7
-< auth sufficient pam_unix.so try_first_pass
----
-> auth [success=1 default=bad] pam_unix.so try_first_pass
-> auth [default=die] pam_faillock.so authfail deny=5 unlock_time=900 fail_interval=900
-> auth sufficient pam_faillock.so authsucc deny=5 unlock_time=900 fail_interval=900
-11c13,14
-< password sufficient pam_unix.so try_first_pass use_authtok sha512 shadow
----
-> password required pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
-> password sufficient pam_unix.so try_first_pass use_authtok sha512 shadow remember=24 minlen=14
-18a19
-> session required pam_lastlog.so showfailed
diff --git a/stemcell_builder/stages/system_open_vm_tools/apply.sh b/stemcell_builder/stages/system_open_vm_tools/apply.sh
index d2adf6a224..e11b27ff5e 100755
--- a/stemcell_builder/stages/system_open_vm_tools/apply.sh
+++ b/stemcell_builder/stages/system_open_vm_tools/apply.sh
@@ -6,7 +6,6 @@ base_dir=$(readlink -nf $(dirname $0)/../..)
 source $base_dir/lib/prelude_apply.bash
 source $base_dir/lib/prelude_bosh.bash
-# Installation on CentOS requires v7
 pkg_mgr install open-vm-tools
 # open-vm-tools installs unwanted fusermount binary