fix: cis regressions — re-apply /etc/issue banners + comprehensive logfile permissions for scan VM

vhdbuilder/packer/cis-report.sh

@@ -56,8 +56,31 @@ pushd "$(dirname "$CISASSESSOR_TARBALL_PATH")" || exit 1
 
 # Disable GuestConfig agent to avoid interference with CIS checks
 systemctl disable --now gcd.service || true
-# Fix permissions of log files
-find /var/log -type f -exec chmod 640 {} \;
+# CIS 6.1.3.1 (22.04) / 6.1.4.1 (24.04): Fix log file permissions and ownership.
+# The scan VM boots from the VHD, and boot-time daemons (syslog, journal, etc.) may create
+# new log files with default permissions that violate CIS rules. Fix comprehensively here
+# before the CIS assessor runs: file perms ≤ 0640, dir perms ≤ 0750, group ∈ {root, adm, syslog}.
+find /var/log -type f -perm /7137 -exec chmod 'u-x,g-wx,o-rwx,a-s,-t' {} +
+find /var/log -type d -perm /7027 -exec chmod 'g-w,o-rwx,a-s,-t' {} +
+
+allowed_log_groups=""
+target_log_group="root"
+if getent group adm >/dev/null 2>&1; then
+    allowed_log_groups="${allowed_log_groups} ! -group adm"
+    target_log_group="adm"
+fi
+if getent group syslog >/dev/null 2>&1; then
+    allowed_log_groups="${allowed_log_groups} ! -group syslog"
+    # prefer adm over syslog when both exist, as adm is the conventional log group
+    if [ "${target_log_group}" = "root" ]; then
+        target_log_group="syslog"
+    fi
+fi
+
+# shellcheck disable=SC2086
+find /var/log -type f ! -group root ${allowed_log_groups} -exec chgrp "${target_log_group}" {} +
+# shellcheck disable=SC2086
+find /var/log -type d ! -group root ${allowed_log_groups} -exec chgrp "${target_log_group}" {} +
 
 tar xzf "$CISASSESSOR_TARBALL_PATH"
 

vhdbuilder/packer/packer_source.sh

@@ -494,3 +494,16 @@ cpAndMode() {
   mode=$3
   DIR=$(dirname "$dest") && mkdir -p ${DIR} && cp $src $dest && chmod $mode $dest || exit $ERR_PACKER_COPY_FILE
 }
+
+# Re-apply custom login banners to /etc/issue and /etc/issue.net.
+# apt_get_dist_upgrade uses --force-confnew which overwrites these files
+# with default content from the base-files package whenever it is upgraded.
+# Call this after any apt operations that may trigger conffile replacement.
+reapplyBanners() {
+  local etc_issue_src=/home/packer/etc-issue
+  local etc_issue_dest=/etc/issue
+  local etc_issue_net_src=/home/packer/etc-issue.net
+  local etc_issue_net_dest=/etc/issue.net
+  cpAndMode "$etc_issue_src" "$etc_issue_dest" 644
+  cpAndMode "$etc_issue_net_src" "$etc_issue_net_dest" 644
+}

vhdbuilder/packer/post-install-dependencies.sh

@@ -5,6 +5,7 @@ UBUNTU_OS_NAME="UBUNTU"
 FLATCAR_OS_NAME="FLATCAR"
 ACL_OS_NAME="AZURECONTAINERLINUX"
 
+source /home/packer/packer_source.sh
 source /home/packer/provision_installs.sh
 source /home/packer/provision_installs_distro.sh
 source /home/packer/provision_source.sh
@@ -47,6 +48,11 @@ if [ $OS = $UBUNTU_OS_NAME ]; then
   retrycmd_if_failure 10 2 60 apt-get -y autoclean || exit 1
   retrycmd_if_failure 10 2 60 apt-get -y autoremove --purge || exit 1
   retrycmd_if_failure 10 2 60 apt-get -y clean || exit 1
+
+  # Re-apply custom login banners after all apt operations.
+  # apt_get_dist_upgrade uses --force-confnew which overwrites /etc/issue and /etc/issue.net
+  # with the default content from the base-files package whenever it is upgraded.
+  reapplyBanners
   capture_benchmark "${SCRIPT_NAME}_purge_ubuntu_kernels_and_packages"
 
   # Final step, FIPS, log ua status, detach UA and clean up