Add APT repository security rules (CIS 1.3.x)

[israel-villar]

Add 23 new rules covering ownership, group ownership, and permissions for APT configuration directories and files:

Directories (owner root, group root, mode 0755):

• directory_owner/groupowner/permissions_apt_sources_list_d
• directory_owner/groupowner/permissions_apt_auth_conf_d
• directory_owner/groupowner/permissions_apt_trusted_gpg_d
• directory_owner/groupowner/permissions_usr_share_keyrings

Files (owner root, group root, mode 0644):

• file_owner/groupowner/permissions_apt_sources_list_d
• file_owner/groupowner/permissions_apt_auth_conf_d
• file_owner/groupowner/permissions_apt_gpg_keys (for /usr/share/keyrings/)

Additional:

• apt_disable_weak_dependencies: ensure APT::Install-Recommends and APT::Install-Suggests are set to "0" in apt.conf.d/

All ownership and permission rules use the file_owner, file_groupowner, file_permissions, directory_owner, directory_groupowner, and directory_permissions templates. Map all new rules to the apt component.

Description:

• Add 23 new rules covering ownership, group ownership, and permissions
  for APT configuration directories and files:
  • Directories (owner root, group root, mode 0755):
    directory_owner/groupowner/permissions_apt_sources_list_d,
    directory_owner/groupowner/permissions_apt_auth_conf_d,
    directory_owner/groupowner/permissions_apt_trusted_gpg_d,
    directory_owner/groupowner/permissions_usr_share_keyrings
  • Files (owner root, group root, mode 0644):
    file_owner/groupowner/permissions_apt_sources_list_d,
    file_owner/groupowner/permissions_apt_auth_conf_d,
    file_owner/groupowner/permissions_apt_gpg_keys
    (covers files under /usr/share/keyrings/)
  • apt_disable_weak_dependencies: ensure APT::Install-Recommends
    and APT::Install-Suggests are set to "0" in apt.conf.d/
• Map all new rules to the apt component.

Rationale:

• APT configuration files and GPG keyrings must be owned by root and
  have restrictive permissions to prevent unauthorized modification of
  package sources or trust anchors.
• These rules did not previously exist for any product. They provide
  reusable coverage for any Debian-based system.

Review Hints:

• All ownership and permission rules use the file_owner,
  file_groupowner, file_permissions, directory_owner,
  directory_groupowner, and directory_permissions templates.
• apt_disable_weak_dependencies uses a custom OVAL that scans
  /etc/apt/apt.conf and /etc/apt/apt.conf.d/ for the relevant
  directives.
• Build to verify: ./build_product debian13 --datastream-only

[openshift-ci]

Hi @israel-villar. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[jan-cerny]

Please add tests scenarios for this rule.

[jan-cerny]

The regex needs to be improved to match a dot, avoid matching any name ending with gpg (eg. notakeygpg).

[jan-cerny]

dtto