Fix pam_pwquality bash remediation for Debian products

[israel-villar]

Two related fixes:

1. accounts_password/bash.template: remove debian13 from the ubuntu2404 guard that calls bash_pam_pwquality_enable() for parameter rules. This was introduced by commit 86030e2 (add debian13 support for rule package_pam_pwquality_installed) which incorrectly copied the ubuntu2404 approach. debian12 was not affected; its support was added correctly without this guard (commit e6f0f0d).

2. accounts_password_pam_pwquality_enabled/bash/shared.sh: extend the SLE condition to all Debian products so that bash_ensure_pam_module_configuration is used (direct PAM file edit) instead of bash_pam_pwquality_enable(). The latter creates a pam-auth-update config with Conflicts: pwquality that removes the active pam_pwquality.so entry from /etc/pam.d/common-password, causing all downstream accounts_password_pam_* OVAL checks to fail.

Description:

• accounts_password_pam_pwquality_enabled/bash/shared.sh: extend the
  platform line to multi_platform_debian and use
  bash_ensure_pam_module_configuration (direct PAM file edit) instead
  of bash_pam_pwquality_enable() for all Debian products.
• shared/templates/accounts_password/bash.template: remove debian13
  from the ubuntu2404 guard that calls bash_pam_pwquality_enable()
  for password parameter rules.

Rationale:

• bash_pam_pwquality_enable() creates a pam-auth-update config with
  Conflicts: pwquality and calls pam-auth-update, which removes the
  active pam_pwquality.so entry from /etc/pam.d/common-password.
  This causes all downstream accounts_password_pam_* OVAL checks to fail.
• The debian13 entry in the bash.template guard was introduced by
  commit 86030e2 alongside package_pam_pwquality_installed support.
  debian12 was not affected — its support was added correctly without
  this guard (commit e6f0f0d).

Review Hints:

• Two passes of remediation are required on a clean Debian 13 VM: the
  first installs libpam-pwquality, the second configures the parameters
  (OpenSCAP CPE session limitation, not a content bug).
• After two passes, all accounts_password_pam_* rules should pass.

[openshift-ci]

Hi @israel-villar. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

New data stream adds bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_enabled'.