nist_800_53: fix duplicate variables and ordering in sync, add missing rules#14823

Open
ggbecker wants to merge 1 commit into ComplianceAsCode:master from ggbecker:nist-sync-issue-sorting

Conversation

@ggbecker

Member

Description:

  • This is a continuation of: nist_800_53: fix sync script variable lookup and complete CIS→NIST mappings #14785

  • Fix duplicate variable entries and non-deterministic ordering in utils/nist_sync/sync_nist_split.py. When cis_nist_mappings.json contains both a bare key (var_x) and a full assignment (var_x=value) for the same variable, both strip to the same name and extend() would add the same assignment multiple times. Fixed by collecting into a set before sorting, ensuring stable, deduplicated output on every run.

  • Add rsyslog_filecreatemode to the ac-3 block in products/rhel9/controls/nist_800_53/ac.yml and products/rhel10/controls/nist_800_53/ac.yml. The rule was present in cis_nist_mappings.json but missing from the human-maintained product control files, causing a non-empty CIS - CIS_NIST diff.

  • Regenerate shared/references/controls/nist_800_53_cis_reference_{rhel8,rhel9,rhel10}/ with the fixed script to reflect both the deduplication fix and the CIS→NIST mapping additions from fab8d57.

Rationale:

  • The duplicate variable bug caused the generated NIST reference files to contain repeated entries (e.g. var_auditd_space_left_action=cis_rhel9 appearing 2–3 times in the same control block), making diffs noisy and the output non-idempotent across runs.
  • The missing rsyslog_filecreatemode in the product control files caused the CIS-NIST workflow to report that CIS-NIST did not fully cover CIS for rhel9 and rhel10.

Review Hints:

  • All three products (rhel8, rhel9, rhel10) pass the CIS vs CIS-NIST profile comparison with zero differences after this fix. To verify locally:
    ./build_product rhel8 rhel9 rhel10 --datastream-only
    cd utils/nist_sync && ./generate_cis_nist_workflow.sh --products "rhel8 rhel9 rhel10" --skip-build
  • The reference file changes under shared/references/controls/ are deduplication + sort order fixes plus the rsyslog_filecreatemode additions; no rules were removed.
  • The sync_nist_split.py fix is in generate_controls() around line 474: replaces extend() on a loop over a set with set.update() + sorted().

…g rules

Fix two bugs in utils/nist_sync/sync_nist_split.py:
- Deduplicate variable assignments by collecting into a set before sorting.
  When cis_nist_mappings.json contains both a bare key ('var_x') and a
  full assignment ('var_x=value') for the same variable, iterating and
  calling extend() would add the same assignment twice per key.
- Sort the resulting variable list for deterministic output across runs.

Also add rsyslog_filecreatemode to the ac-3 block in rhel9 and rhel10
product control files, which was present in the CIS→NIST mappings but
missing from the human-maintained files, causing a CIS vs CIS-NIST
profile diff.

Regenerate all three product reference files (rhel8/rhel9/rhel10) with
the fixed script to reflect the corrected de-duplication and the updated
CIS→NIST mappings introduced in fab8d57.
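The duplicate-variable defect and its fix as described in the PR description and commit message above, as an added example that is not the project's own sync_nist_split.py code: the JSON layout of cis_nist_mappings.json, the VARIABLE_ASSIGNMENTS lookup table and all function names are assumptions, and the sample mapping is constructed.

```python
import json
# Constructed sample in the shape assumed for cis_nist_mappings.json (real layout
# not shown on the PR page): NIST control -> CIS keys, bare name or "name=value".
MAPPINGS = json.loads("""
{"ac-3": ["rsyslog_filecreatemode", "var_auditd_space_left_action",
          "var_auditd_space_left_action=cis_rhel9", "file_permissions_etc_passwd"],
 "au-4": ["var_auditd_space_left_action=cis_rhel9", "var_auditd_space_left_action"]}
""")
# Assumed lookup: bare variable name -> assignment lines to emit for it.
VARIABLE_ASSIGNMENTS = {
    "var_auditd_space_left_action": ["var_auditd_space_left_action=cis_rhel9"]}

def bare_name(entry):
    """'var_x=value' and 'var_x' both strip to 'var_x'."""
    return entry.split("=", 1)[0]

def generate_controls_buggy(mappings):
    """Defect: extend() runs once per key, so two keys that strip to one
    variable push its assignment twice; iterating a set also varies the order."""
    controls = {}
    for control, entries in mappings.items():
        rules, variables = [], []
        for entry in set(entries):
            name = bare_name(entry)
            if name in VARIABLE_ASSIGNMENTS:
                variables.extend(VARIABLE_ASSIGNMENTS[name])
            else:
                rules.append(name)
        controls[control] = {"rules": rules, "variables": variables}
    return controls

def generate_controls_fixed(mappings):
    """Collect into sets, then sort: deduplicated and identical on every run."""
    controls = {}
    for control, entries in mappings.items():
        rules, variables = set(), set()
        for entry in entries:
            name = bare_name(entry)
            if name in VARIABLE_ASSIGNMENTS:
                variables.update(VARIABLE_ASSIGNMENTS[name])
            else:
                rules.add(name)
        controls[control] = {"rules": sorted(rules), "variables": sorted(variables)}
    return controls

def rules_missing_from_product(controls, product_controls):
    """Mapped CIS rules a product control file lacks (the rsyslog_filecreatemode gap)."""
    gaps = {c: set(b["rules"]) - set(product_controls.get(c, [])) for c, b in controls.items()}
    return {c: sorted(m) for c, m in gaps.items() if m}
```

Running the buggy generator on the sample yields the same assignment line twice in ac-3, exactly the repeated entries the PR describes; the fixed generator emits it once and produces the same output regardless of input order.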
@ggbecker ggbecker added this to the 0.1.82 milestone Jun 24, 2026
@ggbecker ggbecker requested a review from a team as a code owner June 24, 2026 12:15
@openshift-ci

openshift-ci Bot commented Jun 24, 2026


@ggbecker: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                                  Commit   Details  Required  Rerun command
ci/prow/e2e-aws-openshift-node-compliance  c5de10a  link     true      /test e2e-aws-openshift-node-compliance

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
