fcaviggia / hardened-centos7-kickstart

DVD embedded Kickstart for CentOS 7 utilizing SCAP Security Guide (SSG) as a hardening script.

Remove duplicate SSG audit rules and work-around SSG bugs #16

Closed ghost closed 5 years ago

ghost commented 7 years ago

A duplicate audit rule can cause rule loading to abort and leave important events unaudited. In particular we first noticed that a duplicate MAC-policy watch on /etc/selinux (one created by the supplemental script and one from the SSG) was halting rule processing after loading only about 80% of the configured rules.

So, we removed from the supplemental script all audit rules that were covered by the SSG remediation scripts (as of 0.1.33) which just left the various file watches as all the syscall rules seemed to be covered by the SSG. The list of S?ID binaries was also covered by the SSG, but I left the find command in but filter it to remove duplicates just in case (in testing, it is not finding any additional binaries at the moment).

Here we also work around a couple of bugs in the SSG remediation scripts:

  1. Some rules have simple typos EACCESS instead of EACCES and EPRM instead of EPERM. A fix for this has been merged upstream and should be in the next SSG release (0.1.34).
  2. Some remediation scripts use "-k" and some use "-F key=" to specify the search key for a rule; this mismatch manifests itself in at least two problems:
     A. If two different remediation scripts added the same rule once each with "-k" and "-F," the resulting rules file would fail to load because of the duplication.
     B. If a remediation script added a rule using the "-F" syntax, the rule would be added to the wrong file and would be excluded from the resulting rules file.
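The de-duplication problem described in the PR (same watch added twice, the same syscall rule spelled once with "-k" and once with "-F key=", and the EACCESS/EPRM typos) is easy to reproduce on a small rules file. The script below is an added example, not code from this repository or from the SSG: it canonicalises rules so that both key spellings compare equal, fixes the two typos, keeps the first occurrence of each rule (so ordering is preserved), and separately reports which rules were duplicated. The `sample_rules` function is constructed input for the demonstration; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of hardened-centos7-kickstart or the SSG).
# Canonicalise audit rules so equivalent spellings compare equal, then
# drop duplicates, because a duplicate line makes auditctl abort loading
# and leaves the rules after it unloaded.

# Rewrite rules into one canonical form:
#  - SSG typos named in the PR: EACCESS -> EACCES, EPRM -> EPERM
#  - "-F key=NAME" -> "-k NAME" so the two key syntaxes are identical
#  - collapse runs of whitespace, trim ends, drop comments and blank lines
canonicalize_audit_rules() {
    sed -e 's/EACCESS/EACCES/g' -e 's/EPRM/EPERM/g' \
        -e 's/-F[[:space:]]\{1,\}key=/-k /g' \
        -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' \
    | grep -v -e '^#' -e '^$'
}

# Emit each canonical rule once, keeping the first occurrence so that the
# relative order of rules (which matters to auditctl) is unchanged.
normalize_audit_rules() {
    canonicalize_audit_rules | awk '!seen[$0]++'
}

# Report every rule that appears more than once (printed the first time it
# repeats), useful as a pre-flight check before writing audit.rules.
find_duplicate_rules() {
    canonicalize_audit_rules | awk 'seen[$0]++ == 1'
}

# Constructed sample input mirroring the cases from the PR: the MAC-policy
# watch added by two scripts, and the same syscall rule with both key
# syntaxes and both typo variants.
sample_rules() {
    cat <<'EOF'
-w /etc/selinux/ -p wa -k MAC-policy
# the supplemental script adds the same watch again, with extra spacing
-w /etc/selinux/ -p wa   -k MAC-policy
-a always,exit -F arch=b64 -S open -F exit=-EACCESS -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPRM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
EOF
}

# Usage: sample_rules | normalize_audit_rules > /etc/audit/rules.d/merged.rules
#        sample_rules | find_duplicate_rules   # lists the three duplicated rules
```

This only catches duplicates that differ in key syntax, spacing or the two known typos; two rules that list the same `-F` fields in a different order, or `-a always,exit` versus `-a exit,always`, are still treated as distinct, so run `auditctl -R` on the merged file (or `augenrules --check`) and confirm with `auditctl -l` that the full set actually loaded.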
fcaviggia commented 7 years ago

Thanks Frank - starting to check these out here shortly - the SSG is really sloppy when it comes to audit rules and its regular expressions. I want to play with these a bit before committing them.