feat: add FIM, comprehensive audit logging, SSH client-only for CIS/FedRAMP/CMMC

Security enhancements for tier0 infrastructure access:
- Add AIDE for file integrity monitoring (CIS 1.4, FedRAMP AU-7, CMMC AU.3.059)
- Add comprehensive audit rules covering identity, network, boot, and privilege escalation
- Remove SSH server (openssh-server), add SSH client only (openssh-client)
- Add audispd-plugins for audit event processing
- Update security-hardening.sh with configure_fim() and configure_ssh_client()
- Update compliance tests for FIM, audit, and client-only architecture

Package changes:
- Remove: openssh-server, iptables
- Add: openssh-client, aide, aide-common, audispd-plugins

No inbound services - outbound VPN/SSH/RDP only for accessing privileged workstation.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>

config/package-lists/knel-football.list.chroot

@@ -27,15 +27,19 @@ wireguard-tools
 zbar-tools
 pcmanfm
 
-# System utilities
+# Network utilities (client only - NO inbound services)
+openssh-client
+wireguard
+wireguard-tools
 nftables
-iptables
-openssh-server
-sudo
 
 # Security tools
 auditd
+audispd-plugins
+aide
+aide-common
 rsyslog
+sudo
 
 # Filesystem support
 e2fsprogs