
controls/cis_debian13: Complete and correct section 1 controls#14806

Open
israel-villar wants to merge 1 commit into
ComplianceAsCode:masterfrom
israel-villar:feat/debian13-cis-section1

Conversation

@israel-villar (Contributor)

Verified all section 1 controls against CIS Debian Linux 13 Benchmark v1.0.0 PDF and applied the following changes on top of upstream:

Corrections to existing controls:

  • 1.1.1.6: fix title (overlayfs -> overlay)
  • 1.1.1.7: fix related_rules -> rules
  • 1.1.2.1.1: fix title (add 'tmpfs or' to partition description)
  • 1.2.1.2: convert pending to automated (apt_disable_weak_dependencies)
  • 1.2.1.3-1.2.1.9: convert pending to automated with apt file/dir rules
  • 1.2.1.4: fix title (add missing '(Automated)' suffix)
  • 1.3.1.1: fix title (AppArmor packages)
  • 1.3.1.2: fix title (AppArmor is enabled)
  • 1.3.1.4: convert pending to automated (apparmor sysctl rule)
  • 1.5.6: replace disable_prelink with package_prelink_removed
  • 1.5.7: convert pending to automated (service_apport_disabled)

New controls (not yet in upstream):

  • 1.6.2-1.6.6: banner content and access controls
  • 1.7.1-1.7.11: GDM/display manager controls

Description:

  • Completes section 1 of the controls/cis_debian13.yml mapping for the CIS Debian Linux 13 Benchmark v1.0.0. The upstream file currently stops at control 1.6.1. This PR adds the remaining section 1 controls (1.6.2–1.7.11) and corrects several existing controls that had wrong titles, used related_rules instead of rules, referenced non-existent rules, or remained in pending status despite having available rules.

Rationale:

  • All changes were cross-referenced against the CIS Debian Linux 13 Benchmark v1.0.0 PDF to ensure titles, levels, and rule mappings are accurate.

Review Hints:

  • The easiest way to review is section by section: first the corrections to existing controls (1.1.x–1.5.x), then the new controls (1.6.2–1.7.11).
  • To verify the build: ./build_product debian13 --datastream

Verified all section 1 controls against CIS Debian Linux 13 Benchmark
v1.0.0 PDF and applied the following changes on top of upstream:

Corrections to existing controls:
- 1.1.1.6: fix title (overlayfs -> overlay)
- 1.1.1.7: fix related_rules -> rules
- 1.1.2.1.1: fix title (add 'tmpfs or' to partition description)
- 1.2.1.2: convert pending to automated (apt_disable_weak_dependencies)
- 1.2.1.3-1.2.1.9: convert pending to automated with apt file/dir rules
- 1.2.1.4: fix title (add missing '(Automated)' suffix)
- 1.3.1.1: fix title (AppArmor packages)
- 1.3.1.2: fix title (AppArmor is enabled)
- 1.3.1.4: convert pending to automated (apparmor sysctl rule)
- 1.5.6: replace disable_prelink with package_prelink_removed
- 1.5.7: convert pending to automated (service_apport_disabled)

New controls (not yet in upstream):
- 1.6.2-1.6.6: banner content and access controls
- 1.7.1-1.7.11: GDM/display manager controls

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
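The description and commit message above enumerate four mapping defects (related_rules used instead of rules, a wrong title, a reference to a rule that does not exist, and pending status despite an available rule). The following lint pass, an added example and not part of this PR or of the ComplianceAsCode project, flags each of those classes over a constructed controls list; in practice the list would come from yaml.safe_load() of controls/cis_debian13.yml and the known-rule set from the content repository's rule directories, both of which are stand-ins here.

```python
"""Lint a ComplianceAsCode-style controls list for the mapping defects above
(added example; controls and rule catalogue are constructed, not loaded)."""

# Constructed rule catalogue; the names are the ones the PR description cites.
KNOWN_RULES = {
    "apt_disable_weak_dependencies",
    "package_prelink_removed",
    "service_apport_disabled",
}

# Constructed sample controls: ids match the PR, titles are placeholders.
SAMPLE_CONTROLS = [
    {"id": "1.1.1.7", "title": "Sample control A (Automated)",
     "status": "automated", "related_rules": ["package_prelink_removed"]},
    {"id": "1.2.1.2", "title": "Sample control B (Automated)",
     "status": "pending", "rules": ["apt_disable_weak_dependencies"]},
    {"id": "1.2.1.4", "title": "Sample control C",
     "status": "automated", "rules": ["service_apport_disabled"]},
    {"id": "1.5.6", "title": "Sample control D (Automated)",
     "status": "automated", "rules": ["placeholder_missing_rule"]},
    {"id": "1.5.7", "title": "Sample control E (Automated)",
     "status": "automated", "rules": ["service_apport_disabled"]},
]


def lint_controls(controls, known_rules=KNOWN_RULES):
    """Return (control id, message) pairs, one per mapping defect found."""
    findings = []
    for ctl in controls:
        cid = ctl.get("id", "?")
        status = ctl.get("status", "")
        rules = ctl.get("rules") or []
        # related_rules only annotates a control; selection uses the rules key.
        if "related_rules" in ctl and not rules:
            findings.append((cid, "uses related_rules instead of rules"))
        if status == "automated" and not ctl.get("title", "").endswith("(Automated)"):
            findings.append((cid, "title missing '(Automated)' suffix"))
        missing = [r for r in rules if r not in known_rules]
        for rule in missing:
            findings.append((cid, f"references non-existent rule {rule}"))
        # Every listed rule exists, so the control no longer needs to be pending.
        if status == "pending" and rules and not missing:
            findings.append((cid, "pending although all listed rules exist"))
    return findings
```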
openshift-ci Bot added the needs-ok-to-test label (Used by openshift-ci bot.) Jun 16, 2026

openshift-ci Bot commented Jun 16, 2026

Hi @israel-villar. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
