fix: CIS regressions — re-apply /etc/issue banners + comprehensive logfile permissions for scan VM

[djsly]

Problem

Multiple CIS rules are regressing on Ubuntu VHD builds, blocking every PR on pipeline 119535:

• CIS 1.6.2/1.6.3 (login banners): apt_get_dist_upgrade --force-confnew overwrites custom /etc/issue and /etc/issue.net banners when base-files package upgrades
• CIS 6.1.3.1 (22.04) / 6.1.4.1 (24.04) (logfile permissions): Scan VM boot-time daemons (syslog, journal) create new log files with default permissions/ownership that violate CIS rules

Root Causes

/etc/issue (1.6.2/1.6.3)

1. copyPackerFiles() in pre-install-dependencies.sh copies custom banners early in the build
2. apt_get_dist_upgrade() runs with --force-confnew, overwriting conffiles with maintainer versions
3. Custom banners are replaced with default Ubuntu content containing \n \l escape sequences

Logfile permissions (6.1.3.1/6.1.4.1)

1. cis.sh fixes log permissions during VHD build (runs last among config scripts)
2. VHD is captured and scan VM boots from it
3. Boot-time daemons create new log files with wrong permissions/group ownership
4. The previous scan-time fix (chmod 640) only handled file mode, not directory perms or group ownership

Fixes

Commit 1: Re-copy banners in post-install-dependencies.sh

Re-copy custom login banners from the packer staging area after all apt operations complete. This ensures banners survive any base-files upgrade.

Commit 2: Comprehensive logfile fix in cis-report.sh

Replace the simple find /var/log -type f -exec chmod 640 {} \; with comprehensive treatment matching cis.sh:

• File permissions: at most 0640 (clear execute, group-write, other-all, setuid/setgid/sticky)
• Directory permissions: at most 0750 (clear group-write, other-all)
• Group ownership: must be root, adm, or syslog

This supersedes PR #8299 which attempted to fix the logfile issue but removed the scan-time fix, making things worse.

Impact

• Fixes CIS 1.6.2, 1.6.3, 6.1.3.1 (22.04), and 6.1.4.1 (24.04) regressions
• No impact on Azure Linux/Mariner (CIS scan only runs for Ubuntu)
• No runtime/CSE impact — changes only affect VHD build and scan time

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Re-applies custom /etc/issue and /etc/issue.net login banners after Ubuntu apt operations to prevent CIS 1.6.2/1.6.3 regressions caused by base-files conffile overwrites during dist-upgrade.

Changes:

• Adds a post-apt step in post-install-dependencies.sh to copy the custom local and remote login banners back into place.
• Documents why apt_get_dist_upgrade --force-confnew can revert the banner files.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

[github-actions]

PR Title Lint Failed ❌

Current Title: fix: CIS regressions — re-apply /etc/issue banners + comprehensive logfile permissions for scan VM

Your PR title doesn't follow the expected format. Please update your PR title to follow one of these patterns:

Conventional Commits Format:

• feat: add new feature - for new features
• fix: resolve bug in component - for bug fixes
• docs: update README - for documentation changes
• refactor: improve code structure - for refactoring
• test: add unit tests - for test additions
• chore: remove dead code - for maintenance tasks
• chore(deps): update dependencies - for updating dependencies
• ci: update build pipeline - for CI/CD changes

Guidelines:

• Use lowercase for the type and description
• Keep the description concise but descriptive
• Use imperative mood (e.g., "add" not "adds" or "added")
• Don't end with a period

Examples:

• ✅ feat(windows): add secure TLS bootstrapping for Windows nodes
• ✅ fix: resolve kubelet certificate rotation issue
• ✅ docs: update installation guide
• ❌ Added new feature
• ❌ Fix bug.
• ❌ Update docs

Please update your PR title and the lint check will run again automatically.