feat(seharden): add crypto_policy, logging, ssh enforcers and expand CIS reinforce coverage#3

Open
rain-Qing wants to merge 1 commit into openanolis:main from rain-Qing:yuqing
Conversation

@rain-Qing rain-Qing commented Jun 25, 2026

Contributor

Summary

This PR adds three new seharden enforcers (crypto_policy, logging, ssh)
and significantly expands the CIS Alinux 3 reinforce profile coverage.

New Enforcers

  • crypto_policy – enforce system-wide cryptographic policy via
    update-crypto-policies and manage policy module files.
  • logging – fix file permissions and ownership on /var/log log files
    according to CIS baseline requirements.
  • ssh – remove disallowed key-exchange, cipher, and MAC algorithms from
    the SSH daemon configuration.

Enforcer Expansions

  • audit – add ensure_syscall_rule (with comparisons, fields, exit
    values, auid defaults), ensure_path_exec_rule,
    ensure_privileged_command_rules, reload_rules, and ensure_directive.
  • users – add set_password_defaults, fix_future_password_changes,
    lock_nologin_accounts, lock_root_account,
    disable_system_account_shells, and fix_dotfiles. All functions that
    construct shell commands validate usernames with is_safe_username().
  • permissions – add fix_bootloader_config and fix_sshd_config_access
    with directory traversal and Include-directive tracking.
  • file / packages – extend existing functions for broader CIS coverage.

Probe Updates

  • probes/audit – expand syscall-rule and directive inspection capabilities.
  • probes/crypto_policy – align probe output with the new enforcer contract.

Profile

  • cis_alinux_3.yml – large-scale expansion covering additional CIS
    Alinux 3 Level-1 and Level-2 controls.

Tests

  • Add comprehensive unit tests for all new and expanded enforcer functions
    in tests/unit/seharden/test_seharden_enforcers.lua, including
    unsafe-username rejection, idempotency, and error propagation cases.

Checklist

  • All new enforcers follow the dependency-injection pattern
  • All new enforcers are idempotent
  • Unit tests cover happy-path, idempotent, and error scenarios
  • Shell-command inputs are validated before use (e.g. is_safe_username,
    is_safe_key, is_safe_path, arch/syscall regex patterns)
  • Signed-off-by in commit message

…CIS reinforce coverage

Signed-off-by: YuQing Yang <yyq01323329@alibaba-inc.com>
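The checklist above asks that shell-command inputs be validated (e.g. with is_safe_username) and that enforcers be dependency-injected and idempotent. The following Lua sketch is an added illustration of that pattern and is not code from this PR or from seharden; the function names (set_nologin_shell, the deps table with get_shell/run) and the username character rules are assumptions made for the example.

```lua
-- Added example (not seharden's own code): a dependency-injected, idempotent
-- enforcer that validates a username before it is placed in a shell command.
-- Function names and the shape of the deps table are assumptions.

local M = {}

-- Accept only conservative POSIX-style local account names: a letter or
-- underscore, then letters, digits, underscore or hyphen, at most 32 chars.
-- Spaces, quotes, ';', '$', backticks and any other metacharacter are
-- rejected, so an untrusted name never reaches string.format below.
function M.is_safe_username(name)
  if type(name) ~= "string" then return false end
  if #name == 0 or #name > 32 then return false end
  return name:match("^[A-Za-z_][A-Za-z0-9_%-]*$") ~= nil
end

-- set_nologin_shell(deps, accounts)
--   deps.get_shell(name) -> current login shell string, or nil if unknown
--   deps.run(cmd)        -> ok (boolean), output (string)
-- Returns a per-account result table. Accounts already using nologin are
-- reported as "unchanged" and no command is run, so repeated invocations
-- are idempotent; unsafe names are rejected before any command is built.
function M.set_nologin_shell(deps, accounts)
  local results = {}
  for _, name in ipairs(accounts) do
    if not M.is_safe_username(name) then
      results[name] = { status = "rejected", reason = "unsafe username" }
    elseif deps.get_shell(name) == "/usr/sbin/nologin" then
      results[name] = { status = "unchanged" }
    else
      local ok, out = deps.run(string.format("usermod -s /usr/sbin/nologin %s", name))
      if ok then
        results[name] = { status = "fixed" }
      else
        results[name] = { status = "error", reason = out }
      end
    end
  end
  return results
end

-- Self-check with constructed fake dependencies; nothing is executed on the host.
local state = { alice = "/bin/bash", daemon = "/usr/sbin/nologin" }
local fake = {
  get_shell = function(n) return state[n] end,
  run = function(cmd)
    local n = cmd:match("%S+$")          -- last token is the validated name
    state[n] = "/usr/sbin/nologin"
    return true, ""
  end,
}
local first = M.set_nologin_shell(fake, { "alice", "daemon", "bad;name" })
assert(first.alice.status == "fixed")
assert(first.daemon.status == "unchanged")
assert(first["bad;name"].status == "rejected")
local second = M.set_nologin_shell(fake, { "alice" })
assert(second.alice.status == "unchanged") -- second run performs no command

return M
```

Injecting get_shell and run as a table lets the unit tests in tests/unit/seharden exercise the rejection, idempotency and error-propagation paths without touching the system; the validator is the only thing standing between caller-supplied input and the shell, so it should be the tightest check in the module.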