Adding Debian 13 CIS controls to the benchmark

[scdarva]

Description:

As currently Debian 13 has missing CIS benchmarks from this project, pull request is specifically to add initial set of CIS controls

Rationale:

To start populating Debian 13 CIS controls. Adding them all in one go is a quite of a task, especially as it does require generate new checks

Review Hints:

• If the scope of the pull request is too small, please comment and then it can be increased, otherwise I didn't want to make a pull request that is adding a huge block of code, that is problematic to review

[openshift-ci]

Hi @scdarva. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[jan-cerny]

missing new line character at the end of file

[scdarva]

Thanks for noticing, added it.

Also added more controls. Those that are commented out and have TODO are not implemented, as they need to be implemented later on.

[jan-cerny]

I think the CI fail is legit, you need to update the product stability data with the CIS reference:

diff --git a/tests/data/product_stability/debian13.yml b/tests/data/product_stability/debian13.yml
index e96a439170..23007ed4bf 100644
--- a/tests/data/product_stability/debian13.yml
+++ b/tests/data/product_stability/debian13.yml
@@ -81,6 +81,7 @@ reference_uris:
   app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
   app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
   bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
+  cis: https://www.cisecurity.org/cis-benchmarks/
   cis-csc: https://www.cisecurity.org/controls/
   cjis: https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf
   cobit5: https://www.isaca.org/resources/cobit

[scdarva]

Added test adjustment as suggested, had no idea about their functionalities

[jan-cerny]

The rule disable_weak_deps is specific to the dnf package manager which isn't used in Debian. Therefore, it doesn't make sense to add this rule to Debian's security content. Debian uses apt instead. I suggest marking this control as manual or pending until a new rule covering apt is created.

[jan-cerny]

trailing spaces

[jan-cerny]

Another trailing spaces. Trailing spaces occur frequently in the file.

[jan-cerny]

This is a duplicate of 1.5.3. Most likely a copy-paste problem?

[jan-cerny]

Consider adding notes for commented-out controls: Rather than leaving large commented-out YAML blocks with bare # TODO markers, consider using proper status: pending entries with notes: explaining what's needed. This makes the work queue visible to tooling (e.g., list_unmapped_requirements). Example:

  - id: 1.2.1.3
    title: Ensure access to gpg key files are configured (Automated)
    levels:
        - l1_server
        - l1_workstation
    status: pending
    notes: |-
        Needs a new Debian-specific rule for GPG key file access checks.