Add service disable rules for Kea DHCP server (CIS 2.1.3) #14765

Open
israel-villar wants to merge 1 commit into ComplianceAsCode:master from israel-villar:feat/kea-dhcp-service-disable-rules

@israel-villar

Contributor

Add three new rules to disable the Kea DHCP server services:

  • service_kea_dhcp4_server_disabled
  • service_kea_dhcp6_server_disabled
  • service_kea_dhcp_ddns_server_disabled

Kea is the ISC successor to ISC DHCP and ships as the default DHCP server on Debian 13. CIS Debian Linux 13 Benchmark v1.0.0 section 2.1.3 requires these services to be disabled on systems that do not act as DHCP servers. All three rules use the service_disabled template. Map the new rules to the existing kea component.

Description:

  • Add three new rules to disable the Kea DHCP server services:
    service_kea_dhcp4_server_disabled, service_kea_dhcp6_server_disabled,
    and service_kea_dhcp_ddns_server_disabled.
  • Map the new rules to the existing kea component.

Rationale:

  • Kea is the ISC successor to ISC DHCP and ships as the default DHCP server
    on Debian 13. Systems that do not act as DHCP servers should have these
    services disabled to reduce the attack surface.
  • Unmanaged or unintentionally activated DHCP servers may provide faulty
    information to clients, interfering with the operation of a legitimate
    site DHCP server.
  • All three rules use the service_disabled template, consistent with the
    existing service_dhcpd_disabled and service_dhcpd6_disabled rules.

Review Hints:

  • Three new rule directories under
    linux_os/guide/services/dhcp/disabling_dhcp_server/, each with a
    single rule.yml using the service_disabled template.
  • Build to verify: ./build_product debian13 --datastream-only

Add three new rules to disable the Kea DHCP server services:
- service_kea_dhcp4_server_disabled
- service_kea_dhcp6_server_disabled
- service_kea_dhcp_ddns_server_disabled

Kea is the ISC successor to ISC DHCP and ships as the default DHCP
server on Debian 13. CIS Debian Linux 13 Benchmark v1.0.0 section 2.1.3
requires these services to be disabled on systems that do not act as
DHCP servers. All three rules use the service_disabled template.
Map the new rules to the existing kea component.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
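
A host-side spot check for the state these three rules target, as an added example that is not part of the PR or of ComplianceAsCode. It assumes the systemd unit names mirror the rule names (`kea-dhcp4-server`, `kea-dhcp6-server`, `kea-dhcp-ddns-server`), it is not the check the `service_disabled` template generates, and `SYSTEMCTL` is a hypothetical override used so the logic can be exercised without systemd.

```shell
#!/bin/sh
# Added example: report whether any Kea DHCP unit is enabled at boot or running.
# Assumption: unit names are derived from the rule names in this PR
# (service_kea_dhcp4_server_disabled -> kea-dhcp4-server.service).
KEA_UNITS="kea-dhcp4-server kea-dhcp6-server kea-dhcp-ddns-server"

# Hypothetical override: point SYSTEMCTL at a stub to test without systemd.
: "${SYSTEMCTL:=systemctl}"

# Print "<unit>: <enabled-state>/<active-state>".
# Return 1 if the unit is enabled at boot or currently running, else 0.
kea_unit_status() {
    unit="$1.service"
    # is-enabled / is-active exit non-zero for disabled, masked, inactive or
    # missing units, so keep the printed state and ignore the exit status.
    enabled=$("$SYSTEMCTL" is-enabled "$unit" 2>/dev/null) || true
    active=$("$SYSTEMCTL" is-active "$unit" 2>/dev/null) || true
    # Older systemd prints nothing on stdout for a unit that does not exist.
    [ -n "$enabled" ] || enabled="not-found"
    [ -n "$active" ] || active="unknown"
    echo "$unit: $enabled/$active"
    case "$enabled" in
        enabled|enabled-runtime) return 1 ;;
    esac
    case "$active" in
        active|activating|reloading) return 1 ;;
    esac
    return 0
}

# Check all three units; return 0 only if none is enabled or running.
kea_check_all() {
    failed=0
    for u in $KEA_UNITS; do
        kea_unit_status "$u" || failed=$((failed + 1))
    done
    echo "$failed Kea unit(s) enabled or running"
    [ "$failed" -eq 0 ]
}

# Run against the local host only when asked to: sh kea_check.sh --run
if [ "${1:-}" = "--run" ]; then
    kea_check_all
fi
```

A unit that is disabled but still running counts as a failure here, since it keeps answering clients until the next reboot.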
@openshift-ci

openshift-ci Bot commented Jun 5, 2026

Hi @israel-villar. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot added the needs-ok-to-test Used by openshift-ci bot. label Jun 5, 2026
@jan-cerny jan-cerny self-assigned this Jun 8, 2026
@jan-cerny jan-cerny added this to the 0.1.82 milestone Jun 8, 2026

@jan-cerny jan-cerny left a comment

Collaborator

Please resolve the failing tests, the fail is legit:

102/261 Test #100: components .......................................................***Failed    0.81 sec
Rule 'service_kea_dhcp_ddns_server_disabled' must be in component 'dhcp' because it's a member of 'disabling_dhcp_server' group.
Rule 'service_kea_dhcp4_server_disabled' must be in component 'dhcp' because it's a member of 'disabling_dhcp_server' group.
Rule 'service_kea_dhcp6_server_disabled' must be in component 'dhcp' because it's a member of 'disabling_dhcp_server' group.

Either add the rules also to the dhcp component or remove the disabling_dhcp_server group from the dhcp component.
