
Add Debian 13 PAM support to existing rules#14781

Open
israel-villar wants to merge 1 commit into ComplianceAsCode:master from israel-villar:feat/debian13-pam-modifications

Conversation

@israel-villar

Add Debian-specific bash remediations and OVAL checks for PAM rules that previously lacked Debian support:

  • accounts_password_pam_pwhistory_remember: add bash/debian.sh and oval/debian.xml using /etc/pam.d/common-password directly.
  • accounts_password_pam_pwhistory_use_authtok: add bash/debian.sh.
  • accounts_password_pam_unix_authtok: add bash/debian.sh.
  • accounts_password_pam_pwquality_enabled: add oval/debian.xml checking pam_pwquality.so in /etc/pam.d/common-password.

Extend existing shared remediations to cover Debian:

  • accounts_password_pam_unix_enabled/bash/shared.sh: add multi_platform_debian.
  • accounts_password_pam_pwhistory_enabled/bash/shared.sh: add multi_platform_debian.
  • accounts_passwords_pam_faillock_enabled/bash/shared.sh: add multi_platform_debian.
  • accounts_password_pam_unix_no_remember/bash/shared.sh: add multi_platform_debian.
  • no_empty_passwords_unix/bash/shared.sh: add fallback that removes nullok directly from /etc/pam.d/common-* files in case pam-auth-update is blocked by local modifications.

Add CIS Debian 13 options to password hashing algorithm variables:

  • var_password_hashing_algorithm.var: add cis_debian13=YESCRYPT|SHA512
  • var_password_hashing_algorithm_pam.var: add cis_debian13=yescrypt|sha512


Rationale:

Debian uses /etc/pam.d/common-* files managed by pam-auth-update.
Rules that previously only had RHEL/SLE remediations needed Debian-specific
implementations that edit these files directly. The nullok fallback is
needed because pam-auth-update may refuse to run when local modifications
are detected.

Review Hints:

  • This PR is complementary to fix/debian-pam-pwquality-remediation
    (already open), which fixes accounts_password_pam_pwquality_enabled/bash/shared.sh
    and shared/templates/accounts_password/bash.template. No file overlap.
  • Debian uses yescrypt as the default password hashing algorithm
    (Debian 13 default); SHA512 is the legacy fallback allowed by CIS.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
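The direct editing of /etc/pam.d/common-* files that the description relies on (strip nullok from pam_unix.so, enforce remember=N on pam_pwhistory.so, check that a module such as pam_pwquality.so is active, read the pam_unix.so hashing algorithm), as an added example that is not code from this PR or from ComplianceAsCode. The helper names, the sample file contents, the choice of `requisite` for an inserted pwhistory line and its placement ahead of pam_unix.so are all assumptions made for this example; every helper takes the file to edit as an argument so it can be run on a scratch copy rather than on the live /etc/pam.d.

```shell
#!/bin/sh
# Added example, not code from the PR or from ComplianceAsCode: hypothetical
# helpers that edit a Debian-style /etc/pam.d/common-* file in place and check
# the result the way an OVAL probe would. Run against copies, never /etc/pam.d.

# 0 when an active (non-comment) line of TYPE loads MODULE in FILE, else 1.
# Same question the PR's oval/debian.xml asks about pam_pwquality.so.
pam_module_enabled() {
    file="$1"; type="$2"; mod=$(printf '%s' "$3" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*${type}[[:space:]]+[^#]*${mod}([[:space:]]|\$)" "$file"
}

# 0 when any active pam_unix.so line in FILE still carries nullok/nullok_secure.
pam_nullok_present() {
    grep -Eq '^[[:space:]]*[^#].*pam_unix\.so.*[[:space:]]nullok(_secure)?([[:space:]]|$)' "$1"
}

# Drop nullok / nullok_secure from every active pam_unix.so line in FILE,
# the fallback path for when pam-auth-update declines to rewrite the profile.
pam_strip_nullok() {
    file="$1"
    sed -E '/^[[:space:]]*#/!{/pam_unix\.so/s/[[:space:]]+nullok(_secure)?([[:space:]]+|$)/\2/g;}' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# remember= value on the active pam_pwhistory.so password line, or nothing.
pam_pwhistory_remember() {
    sed -nE 's/^[[:space:]]*password[[:space:]]+[^#]*pam_pwhistory\.so.*[[:space:]]remember=([0-9]+).*/\1/p' "$1" | head -n 1
}

# Ensure the active pam_pwhistory.so password line carries remember=N:
# rewrite an existing value, append the option if the line lacks it, or insert
# the module (assumed control: requisite) ahead of the first active pam_unix.so
# password line so the reuse check runs before the new hash is stored.
pam_set_pwhistory_remember() {
    file="$1"; n="$2"
    line='^[[:space:]]*password[[:space:]]+[^#]*pam_pwhistory\.so'
    if grep -Eq "${line}.*[[:space:]]remember=[0-9]+" "$file"; then
        sed -E "/${line}/s/([[:space:]])remember=[0-9]+/\\1remember=${n}/" "$file" > "$file.tmp"
    elif grep -Eq "$line" "$file"; then
        sed -E "/${line}/s/\$/ remember=${n}/" "$file" > "$file.tmp"
    else
        awk -v n="$n" '
            !done && /^[ \t]*password[ \t]/ && /pam_unix\.so/ {
                print "password    requisite    pam_pwhistory.so remember=" n
                done = 1
            }
            { print }' "$file" > "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# Hashing algorithm named on the active pam_unix.so password line (the PR's
# cis_debian13 variable option accepts yescrypt or sha512 here).
pam_unix_hash_algorithm() {
    sed -nE 's/^[[:space:]]*password[[:space:]]+[^#]*pam_unix\.so.*[[:space:]](yescrypt|gost_yescrypt|sha512|sha256|blowfish|bigcrypt|md5)([[:space:]]|$).*/\1/p' "$1" | head -n 1
}

# Write a constructed Debian-like common-auth and common-password into DIR.
# Sample content for this example only, not copied from any real host.
make_sample_pamd() {
    dir="$1"
    mkdir -p "$dir"
    printf '%s\n' \
        '# /etc/pam.d/common-auth (constructed sample)' \
        'auth    [success=1 default=ignore]    pam_unix.so nullok' \
        'auth    requisite                     pam_deny.so' \
        'auth    required                      pam_permit.so' \
        > "$dir/common-auth"
    printf '%s\n' \
        '# /etc/pam.d/common-password (constructed sample)' \
        '# password requisite pam_pwhistory.so remember=99   (commented out: must be ignored)' \
        'password    [success=1 default=ignore]    pam_unix.so obscure yescrypt' \
        'password    requisite                     pam_deny.so' \
        'password    required                      pam_permit.so' \
        > "$dir/common-password"
}

# Stand-alone run: remediate a scratch copy and show the result.
run_demo() {
    dir="$1"
    make_sample_pamd "$dir"
    pam_strip_nullok "$dir/common-auth"
    pam_set_pwhistory_remember "$dir/common-password" 5
    pam_set_pwhistory_remember "$dir/common-password" 24   # second run only rewrites the value
    printf '== %s ==\n' "$dir/common-auth";     cat "$dir/common-auth"
    printf '== %s ==\n' "$dir/common-password"; cat "$dir/common-password"
    printf 'pam_unix.so hash: %s\n' "$(pam_unix_hash_algorithm "$dir/common-password")"
    pam_module_enabled "$dir/common-password" password pam_pwquality.so \
        && echo "pam_pwquality.so: enabled" || echo "pam_pwquality.so: NOT enabled (would be a finding)"
}

run_demo "$(mktemp -d)"
```

A real remediation would try `pam-auth-update` first and reach for these direct edits only on the fallback path the description mentions, since pam-auth-update rewrites the whole managed block on its next successful run. The commented-out pam_pwhistory.so line in the sample is there to show that both the checks and the edits ignore comments, which is exactly the case an OVAL probe written with a naive substring match would get wrong.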
@openshift-ci

openshift-ci Bot commented Jun 5, 2026

Hi @israel-villar. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot added the needs-ok-to-test Used by openshift-ci bot. label Jun 5, 2026