Hi, the change made in this merged pull request (issue 125) in January unfortunately broke the power_abuse rule.

The rule does not work anymore because now it requires auid to be both 0 and >=1000 at the same time, which is impossible.

Merged version (since January):

```
## Privilege Abuse
### The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir.
-a always,exit -F dir=/home -F auid=0 -F auid>=1000 -F auid!=-1 -C auid!=obj_uid -k power_abuse
```

Original version (before January):

```
## Privilege Abuse
### The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir.
-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=-1 -C auid!=obj_uid -k power_abuse
```

How to fix:

My suggestion would be to revert back to the original version of the rule.

Tests done:

I tested the original and the merged version in an Ubuntu 22.04 VM. As expected, the merged version does not log the behavior, whereas the original version does. Also, the error message mentioned by the original pull request author did not occur for me.
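A small lint that catches this class of regression before a rule ships, added here as an example and not code from the issue author or the auditd project: it models every numeric `-F <field><op><value>` clause as an interval constraint and reports any field whose constraints can never all hold. It assumes uids are 32-bit unsigned and that `-1` means auditd's unset auid (4294967295); the two rule strings are copies of the lines quoted above.

```python
# Added example (not from the issue or the auditd project): treat every numeric
# "-F <field><op><value>" clause as an interval constraint and report fields whose
# constraints cannot all hold at once, which is the auid=0 plus auid>=1000 problem.
import re
import shlex

UNSET_AUID = 2**32 - 1          # auditd represents "auid!=-1" as 4294967295
UID_MAX = 2**32 - 1             # uids are 32-bit unsigned
FILTER_RE = re.compile(r"^([a-z_]+)(!=|>=|<=|=|>|<)(-?\d+)$")

# Constructed copies of the two rule lines quoted in the issue
MERGED = ("-a always,exit -F dir=/home -F auid=0 -F auid>=1000 -F auid!=-1 "
          "-C auid!=obj_uid -k power_abuse")
ORIGINAL = ("-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=-1 "
            "-C auid!=obj_uid -k power_abuse")

def parse_filters(rule):
    """Return [(field, op, int_value)] for each numeric -F clause; -C clauses
    and non-numeric filters such as dir=/home are ignored."""
    toks = shlex.split(rule)
    out = []
    for i, tok in enumerate(toks[:-1]):
        m = FILTER_RE.match(toks[i + 1]) if tok == "-F" else None
        if m:
            out.append((m.group(1), m.group(2), int(m.group(3))))
    return out

def unsatisfiable_fields(rule):
    """Names of fields whose -F constraints admit no value at all."""
    by_field = {}
    for field, op, val in parse_filters(rule):
        by_field.setdefault(field, []).append((op, val))
    bad = []
    for field, cons in by_field.items():
        lo, hi, excluded = 0, UID_MAX, set()
        for op, val in cons:
            val = UNSET_AUID if val == -1 else val
            if op in ("=", ">=", ">"):       # lower bound (strict for ">")
                lo = max(lo, val + (op == ">"))
            if op in ("=", "<=", "<"):       # upper bound (strict for "<")
                hi = min(hi, val - (op == "<"))
            if op == "!=":
                excluded.add(val)
        # empty interval, or every value left in it is excluded by a "!="
        size = hi - lo + 1
        if size <= 0 or (size <= len(excluded)
                         and all(v in excluded for v in range(lo, hi + 1))):
            bad.append(field)
    return bad
```

`unsatisfiable_fields(MERGED)` returns `['auid']` while `unsatisfiable_fields(ORIGINAL)` returns `[]`, which is the contradiction described above made mechanical.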