Add Debian 13 support to NTP/chrony rules #14780

Merged: jan-cerny merged 1 commit into ComplianceAsCode:master from israel-villar:feat/debian13-ntp-chrony, Jun 9, 2026

Conversation

@israel-villar (Contributor)
  • chronyd_run_as_chrony_user: add bash/debian.sh that sets the chrony user to _chrony (Debian uses _chrony, not chrony); extend OVAL condition from ubuntu-only to all Debian products to check /etc/chrony/chrony.conf.
  • service_chronyd_disabled: extend the service_disabled_guard_var condition from ubuntu-only to all Debian products. Remove now-dead servicename@ubuntu2204 and servicename@debian12 overrides from the service_disabled branch (those products now use service_disabled_guard_var).
  • service_timesyncd_disabled: extend service_disabled_guard_var condition to all Debian products.
  • service_timesyncd_configured: fix platform from package[systemd] to package[systemd-timesyncd] (the timesyncd package is split on Debian).
  • package_timesyncd_installed: extend package_installed_guard_var condition from ubuntu-only to all Debian products.
  • chronyd_configure_pool_and_server: fix OVAL and Ansible regexps to allow options after the server/pool address (e.g. "iburst", "maxpoll"); add two test scenarios covering pool/server entries with options.

Description:

Extend NTP and chrony rules to support Debian 13:

  • chronyd_run_as_chrony_user: add bash/debian.sh that sets the
    runtime user to _chrony (Debian convention); extend OVAL condition
    from ubuntu-only to all Debian products to read /etc/chrony/chrony.conf.
  • service_chronyd_disabled: extend the service_disabled_guard_var
    condition from ubuntu-only to all Debian products; remove now-dead
    servicename@ubuntu2204 and servicename@debian12 overrides.
  • service_timesyncd_disabled: extend service_disabled_guard_var
    condition to all Debian products.
  • service_timesyncd_configured: fix platform from package[systemd]
    to package[systemd-timesyncd] (timesyncd is a split package on Debian).
  • package_timesyncd_installed: extend package_installed_guard_var
    condition from ubuntu-only to all Debian products.
  • chronyd_configure_pool_and_server: fix OVAL and Ansible regexps to
    allow options after the server/pool address (e.g. iburst, maxpoll);
    add two test scenarios covering pool/server entries with options.

Rationale:

Debian 13 uses _chrony as the chrony runtime user (not chrony),
systemd-timesyncd is packaged separately, and chrony configuration
accepts options on the same line as server/pool directives that
the previous regexp did not match.

Review Hints:

  • chronyd_run_as_chrony_user/bash/debian.sh: new file, sets _chrony.
  • chronyd_configure_pool_and_server: regexp change — old pattern
    required end-of-line immediately after the address; new pattern allows
    optional trailing content (([[:space:]].*)?$).
  • The two new test scenarios (pool_with_options.pass.sh,
    server_with_options.pass.sh) verify the fixed regexp.


Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
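The regexp change called out in the Review Hints, shown as an added shell example that is not part of this pull request or of the ComplianceAsCode content: the old pattern is a reconstruction from the hint that end-of-line had to follow the address directly, the new pattern appends the `([[:space:]].*)?$` tail the hint quotes, and both run over a constructed chrony.conf fragment. The address sub-pattern `[^[:space:]]+`, the sample lines and the function names are assumptions, not the rule's actual OVAL or Ansible text.

```shell
#!/bin/sh
# Added example (not ComplianceAsCode's own code): compare the old and new
# chronyd_configure_pool_and_server match patterns on constructed chrony.conf lines.

# Constructed sample config: one bare server, two entries carrying options,
# a commented-out server, and a directive that merely starts with "server".
SAMPLE_CONF='server 0.example.org
server time.example.net iburst
pool 2.example.org iburst maxpoll 16
# server commented.example.org
serverx bogus.example.org'

# Old pattern (assumed reconstruction): end-of-line must follow the address
# directly, so "server host iburst" is rejected even though chronyd accepts it.
OLD_RE='^[[:space:]]*(server|pool)[[:space:]]+[^[:space:]]+$'
# New pattern: the address may be followed by whitespace and any options.
NEW_RE='^[[:space:]]*(server|pool)[[:space:]]+[^[:space:]]+([[:space:]].*)?$'

# count_matches REGEX CONFIG_TEXT: print how many config lines the pattern accepts.
# "|| true" keeps a zero count from aborting a caller running under "set -e".
count_matches() {
    printf '%s\n' "$2" | grep -Ec "$1" || true
}

# has_time_source REGEX CONFIG_TEXT: succeed (exit 0) when at least one
# server/pool line matches, which is the rule's pass condition.
has_time_source() {
    [ "$(count_matches "$1" "$2")" -gt 0 ]
}

# Stand-alone run: the old pattern sees only the bare entry, the new one
# also accepts the two lines with options; comment and "serverx" never match.
echo "old pattern matches: $(count_matches "$OLD_RE" "$SAMPLE_CONF")"   # 1
echo "new pattern matches: $(count_matches "$NEW_RE" "$SAMPLE_CONF")"   # 3
```

The two counts differ only on the lines with trailing options, which is exactly what the new pool_with_options.pass.sh and server_with_options.pass.sh scenarios exercise; a scanner using the old pattern would report a host with a perfectly valid "server ... iburst" line as having no time source configured.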
@openshift-ci (openshift-ci Bot) added the needs-ok-to-test label on Jun 5, 2026

openshift-ci Bot commented Jun 5, 2026

Hi @israel-villar. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@jan-cerny jan-cerny self-assigned this Jun 9, 2026
@jan-cerny jan-cerny added this to the 0.1.82 milestone Jun 9, 2026

@jan-cerny (Collaborator) left a comment

Test scenarios for chronyd_configure_pool_and_server pass on RHEL 10.

jcerny@fedora:~/work/git/scap-security-guide (pr/14780)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel10 chronyd_configure_pool_and_server
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2026-06-09-1352/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_chronyd_configure_pool_and_server
INFO - Script correct_chrony_configuration.pass.sh using profile (all) OK
INFO - Script file_empty.fail.sh using profile (all) OK
INFO - Script file_missing.fail.sh using profile (all) OK
INFO - Script incorrect_line1.fail.sh using profile (all) OK
INFO - Script incorrect_line2.fail.sh using profile (all) OK
INFO - Script incorrect_line3.fail.sh using profile (all) OK
INFO - Script incorrect_line4.fail.sh using profile (all) OK
INFO - Script multiple_servers.pass.sh using profile (all) OK
INFO - Script multiple_servers_single_pool.pass.sh using profile (all) OK
INFO - Script pool_with_options.pass.sh using profile (all) OK
INFO - Script server_with_options.pass.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/14780)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel10 --remediate-using ansible chronyd_configure_pool_and_server
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2026-06-09-1403/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_chronyd_configure_pool_and_server
INFO - Script correct_chrony_configuration.pass.sh using profile (all) OK
INFO - Script file_empty.fail.sh using profile (all) OK
INFO - Script file_missing.fail.sh using profile (all) OK
INFO - Script incorrect_line1.fail.sh using profile (all) OK
INFO - Script incorrect_line2.fail.sh using profile (all) OK
INFO - Script incorrect_line3.fail.sh using profile (all) OK
INFO - Script incorrect_line4.fail.sh using profile (all) OK
INFO - Script multiple_servers.pass.sh using profile (all) OK
INFO - Script multiple_servers_single_pool.pass.sh using profile (all) OK
INFO - Script pool_with_options.pass.sh using profile (all) OK
INFO - Script server_with_options.pass.sh using profile (all) OK

@jan-cerny jan-cerny merged commit a3bc386 into ComplianceAsCode:master Jun 9, 2026
52 of 55 checks passed