feat: re-enable build time CIS scanning#7876

Open
jepio wants to merge 6 commits into main from jepio/enable-cis-scan

Conversation


@jepio jepio commented Feb 13, 2026

What this PR does / why we need it:

  • Re-enable CIS scanning at build time for Ubuntu images
  • Scan for both L1 and L2
  • Update baselines to which we compare for 22.04 and 24.04

No changes to node configuration.

Which issue(s) this PR fixes:

Fixes #

Copilot AI left a comment

Pull request overview

Re-enables build-time CIS scanning for Ubuntu VHD builds by running both CIS Level 1 and Level 2 assessments, then comparing results against updated Ubuntu 22.04/24.04 baselines to detect regressions.

Changes:

  • Default CIS scanning to enabled (SKIP_CIS now defaults to false) and generate a combined CIS report annotated with [L1]/[L2].
  • Update CIS scanning to produce and upload separate L1 and L2 text reports (plus L2 HTML) and then assemble them into the existing cis-report.txt artifact format.
  • Refresh CIS baseline files for Ubuntu 22.04 and 24.04.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Summary per file:

  • vhdbuilder/packer/vhd-scanning.sh: Enables CIS scanning by default; downloads L1/L2 reports and assembles a combined cis-report.txt for baseline comparison.
  • vhdbuilder/packer/cis-report.sh: Runs the CIS assessor twice (L1 and L2) and uploads both text reports plus the L2 HTML report.
  • vhdbuilder/packer/cis/baselines/ubuntu/22.04.txt: Updates the stored baseline output to match the new combined report format and current results.
  • vhdbuilder/packer/cis/baselines/ubuntu/24.04.txt: Updates the stored baseline output to match the new combined report format and current results.
  • .pipelines/templates/.builder-release-template.yaml: Bumps the downloaded cisassessor universal package version used during builds.

@awesomenix (Contributor) left a comment

PR #7876 Review: Re-enable Build-Time CIS Scanning

✅ No Configuration Changes — Confirmed Safe

This PR does NOT make any configuration or remediation changes to the VHD.
The cis-report.sh script is purely a read-only scanner that:

  1. Downloads the CIS assessor tool
  2. Runs it (L1 + L2 scans) to generate reports
  3. Uploads reports to blob storage
  4. That's it — no sed, passwd, sysctl, systemctl enable, or any system
    modification

The only two pre-scan commands (systemctl disable gcd.service and chmod 640
/var/log/*) are for scan accuracy on the test VM, not the VHD itself. This
script runs on a scanning VM via az vm run-command invoke, not during VHD
build provisioning.

⚠️ Items Worth Noting (Not Breaking, But Worth Awareness)

  1. SKIP_CIS default flipped from true → false — This is the main behavioral
    change. CIS scanning is now on by default for Ubuntu. If the scanner or
    cisassessor tool is broken/misconfigured, it will fail the VHD build
    pipeline. There's an escape hatch (SKIP_CIS=true pipeline variable).
  2. Rule 5.4.2.4 (Root Password) — The old 22.04 baseline said "Ensure root
    password is set" (pass). The new baseline says "Ensure root account access
    is controlled" (pass). This is a rule name change from the newer CIS
    benchmark version, not a status change. Root access is still passing — no
    concern here.
  3. Rules 5.4.1.1 and 5.4.1.5 went from pass → fail in the new baselines
    (password expiration + inactive password lock). These are accepted known
    failures in the baseline — the baseline intentionally records them as fail
    so the regression checker won't alert on them. Since these are accepted in
    the baseline file, no pipeline failure will occur.
  4. Many new L2 fail rules — These are all expected. The old scanner only
    ran L1; now L2 is included, exposing additional rules (audit, firewall,
    partitioning) that AKS nodes intentionally don't comply with. All are
    recorded in the baseline as accepted.
  5. cisassessor version bump 0.0.17 → 0.0.141 — Major jump. This is the CIS
    benchmark tool itself. The new version likely uses CIS Benchmark v4.x (rule
    IDs and names changed). The baselines have been updated to match.

🟢 Verdict: Safe to Merge

No system configuration is being applied. This is a scan-only change with
updated baselines. The root password / root access rule (5.4.2.4) remains
pass in both old and new baselines. No Sev1 risk from this PR.
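The baseline comparison the review describes (failures already recorded in the baseline are accepted and stay silent; only a new failure, or a rule that flipped from pass, alerts), as an added example that is not part of this PR or the project's scripts. The report line format "[L1|L2] <rule-id> <name>: pass|fail", the file names and the L2 rule ids are assumptions; rule names are deliberately ignored so that a rename like the one noted for 5.4.2.4 does not register as a regression.

```shell
#!/usr/bin/env bash
# Added example, not the project's cis-report.sh or vhd-scanning.sh: compare a combined CIS
# report against a stored baseline so only NEW failures alert. The line format
# "[L1|L2] <rule-id> <rule name>: pass|fail" and the file names are assumptions.
set -eu
# Reduce a report to "<level>/<rule-id> <status>" pairs. Rule names are dropped on purpose:
# a benchmark version bump may rename a rule (the review notes this for 5.4.2.4) without
# changing its status, and that must not register as a regression.
cis_pairs() {
  sed -nE 's#^\[(L[12])\] ([0-9.]+) .*: (pass|fail)$#\1/\2 \3#p' "$1"
}
# Print one line per regression: a rule failing now that passed in the baseline, or a
# failing rule the baseline does not record at all (so it is not an accepted failure).
# Failures already recorded as "fail" in the baseline are accepted and stay silent.
cis_regressions() {  # $1: baseline report, $2: current report
  local b c
  b=$(mktemp); c=$(mktemp)
  cis_pairs "$1" >"$b"; cis_pairs "$2" >"$c"
  awk 'FILENAME == ARGV[1] { base[$1] = $2; next }   # first file: baseline
       $2 == "fail" && !($1 in base && base[$1] == "fail") {
         printf "%s: baseline=%s now=fail\n", $1, ($1 in base) ? base[$1] : "absent"
       }' "$b" "$c"
  rm -f "$b" "$c"
}
# Exit status 1 when any regression exists, 0 otherwise (what a pipeline gate would use).
cis_check() {
  local out; out=$(cis_regressions "$1" "$2")
  [ -z "$out" ] || { printf '%s\n' "$out"; return 1; }
}
# Constructed sample data: 5.4.1.1 / 5.4.1.5 are the accepted failures the review names;
# 5.4.2.4 is flipped to fail here only to show a true regression; L2 ids are placeholders.
write_samples() {  # $1: directory
  cat >"$1/baseline.txt" <<'EOF'
[L1] 5.4.1.1 Ensure password expiration is configured: fail
[L1] 5.4.1.5 Ensure inactive password lock is configured: fail
[L1] 5.4.2.4 Ensure root account access is controlled: pass
[L2] 0.0.0.1 Placeholder L2 audit rule: fail
EOF
  cat >"$1/current.txt" <<'EOF'
[L1] 5.4.1.1 Ensure password expiration is configured: fail
[L1] 5.4.1.5 Ensure inactive password lock is configured: fail
[L1] 5.4.2.4 Ensure root account access is controlled: fail
[L2] 0.0.0.1 Placeholder L2 audit rule: fail
[L2] 0.0.0.2 Placeholder L2 firewall rule: fail
EOF
}
tmp=$(mktemp -d); write_samples "$tmp"
cis_check "$tmp/baseline.txt" "$tmp/current.txt" || echo "CIS regressions found"
```

On the constructed data the check reports 5.4.2.4 (pass in baseline, fail now) and the unrecorded L2 rule 0.0.0.2, while the accepted failures 5.4.1.1, 5.4.1.5 and 0.0.0.1 stay silent.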
