fix: cis regressions — re-apply /etc/issue banners + comprehensive logfile permissions for scan VM

[djsly]

Problem

Multiple CIS rules are regressing on Ubuntu VHD builds, blocking every PR on pipeline 119535:

• CIS 1.6.2/1.6.3 (login banners): apt_get_dist_upgrade --force-confnew overwrites custom /etc/issue and /etc/issue.net banners when base-files package upgrades
• CIS 6.1.3.1 (22.04) / 6.1.4.1 (24.04) (logfile permissions): Scan VM boot-time daemons (syslog, journal) create new log files with default permissions/ownership that violate CIS rules

Root Causes

/etc/issue (1.6.2/1.6.3)

1. copyPackerFiles() in pre-install-dependencies.sh copies custom banners early in the build
2. apt_get_dist_upgrade() runs with --force-confnew, overwriting conffiles with maintainer versions
3. Custom banners are replaced with default Ubuntu content containing \n \l escape sequences

Logfile permissions (6.1.3.1/6.1.4.1)

1. cis.sh fixes log permissions during VHD build (runs last among config scripts)
2. VHD is captured and scan VM boots from it
3. Boot-time daemons create new log files with wrong permissions/group ownership
4. CIS benchmark requires: file perms ≤ 0640, dir perms ≤ 0750, group ∈ {root, adm}, owner ∈ {root, syslog}
5. Previous fix incorrectly treated syslog as a valid group — CIS only allows root or adm

Fixes

Banner fix: Re-copy banners in post-install-dependencies.sh

reapplyBanners() function in packer_source.sh re-copies custom login banners from the packer staging area after all apt operations complete, ensuring banners survive any base-files upgrade.

Logfile fix: Comprehensive permission/ownership fix in cis-report.sh

Runs on the scan VM before the CIS assessor, fixing all four dimensions the benchmark checks:

• File permissions: at most 0640 (clear execute, group-write, other-all, setuid/setgid/sticky)
• Directory permissions: at most 0750 (clear group-write, other-all, setuid/setgid/sticky)
• Group ownership: must be root or adm only (files with other groups like syslog, utmp → adm)
• File ownership: must be root or syslog only (files owned by other users → root)

Impact

• Fixes CIS 1.6.2, 1.6.3, 6.1.3.1 (22.04), and 6.1.4.1 (24.04) regressions
• No impact on Azure Linux/Mariner (CIS scan only runs for Ubuntu)
• No runtime/CSE impact — changes only affect VHD build and scan time
• Supersedes PRs fix: remove leading newline from login banner files for CIS 1.6.2/1.6.3 #8297 and fix: ensure log file permissions and ownership for CIS 6.1.3.1/6.1.4.1 #8299 (both closed)

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Re-applies custom /etc/issue and /etc/issue.net login banners after Ubuntu apt operations to prevent CIS 1.6.2/1.6.3 regressions caused by base-files conffile overwrites during dist-upgrade.

Changes:

• Adds a post-apt step in post-install-dependencies.sh to copy the custom local and remote login banners back into place.
• Documents why apt_get_dist_upgrade --force-confnew can revert the banner files.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.

[awesomenix]

something changed to downgrade here is that expected?