
Add audit rule to log sudo/privilege escalations #1453

Merged
brianmcgillion merged 1 commit into tiiuae:main from everton-dematos:pr_privileged-sudo
Oct 9, 2025

Conversation

@everton-dematos
Contributor

@everton-dematos everton-dematos commented Oct 7, 2025

Description of Changes

https://jira.tii.ae/browse/SSRCSP-7275

  • Added an audit rule to log human-initiated privilege escalations
  • Captures sudo/root execs from users and logs them in Grafana via key=privileged-sudo

Type of Change

  • New Feature
  • Bug Fix
  • Improvement / Refactor

Related Issues / Tickets

Checklist

  • Clear summary in PR description
  • Detailed and meaningful commit message(s)
  • Commits are logically organized and squashed if appropriate
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • Author has run make-checks and it passes
  • All automatic GitHub Action checks pass - see actions
  • Author has added reviewers and removed PR draft status

Testing Instructions

Applicable Targets

  • Orin AGX aarch64
  • Orin NX aarch64
  • Lenovo X1 x86_64
  • Dell Latitude x86_64
  • System 76 x86_64

Installation Method

  • Requires full re-installation
  • Can be updated with nixos-rebuild ... switch
  • Other:

Test Steps To Verify:

  1. Enable Audit at https://github.com/everton-dematos/ghaf/blob/pr_privileged-sudo/modules/reference/profiles/mvp-user-trial.nix#L105
  2. Run any command with sudo, e.g.: [ghaf@net-vm:~]$ sudo ipset list
  3. Check that journalctl logs show the command: journalctl | grep sudo
  4. Check that the log is visible in Grafana with the following query: {machine="device-id"} |= privileged-execve

Signed-off-by: Everton de Matos <everton.dematos@tii.ae>
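Added example, not code from this PR or from the Ghaf project: a small shell/awk summariser for the audit records the new rule produces. It assumes the rule tags `execve` SYSCALL records with `key="privileged-sudo"` (the key named in the description), that records use the standard auditd SYSCALL layout, and that `auid=4294967295` means the login uid is unset (boot-time or daemon activity rather than a human). The three log lines are constructed sample data, not captured from a device; the third is there to show that a root exec with no human login uid is filtered out, which is the "human-initiated" property the PR is after.

```shell
#!/bin/sh
# Added example (not the PR's own code). Summarises auditd SYSCALL records that
# carry key="privileged-sudo" and were started by a logged-in human user.
# Assumptions: standard auditd SYSCALL field layout; auid 4294967295 = unset.
# The sample records below are constructed, not taken from a Ghaf device.

SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1760000000.123:456): arch=c000003e syscall=59 success=yes exit=0 ppid=1000 pid=1001 auid=1000 uid=0 gid=0 euid=0 tty=pts0 comm="ipset" exe="/run/current-system/sw/bin/ipset" key="privileged-sudo"
type=SYSCALL msg=audit(1760000000.456:457): arch=c000003e syscall=59 success=yes exit=0 ppid=1000 pid=1002 auid=1000 uid=1000 gid=100 euid=1000 tty=pts0 comm="ls" exe="/run/current-system/sw/bin/ls" key=(null)
type=SYSCALL msg=audit(1760000001.000:458): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=30 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) comm="systemd-tmpfile" exe="/nix/store/PLACEHOLDER-systemd/bin/systemd-tmpfiles" key="privileged-sudo"'

# Read audit text on stdin; print one summary line per record that has the
# privileged-sudo key AND a real human login uid (auid >= 1000 and not unset).
privileged_sudo_events() {
    awk '
        /key="privileged-sudo"/ {
            split("", f)                       # clear the field map (POSIX-safe)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                gsub(/"/, "", kv[2])           # strip quotes around values
                f[kv[1]] = kv[2]
            }
            auid = f["auid"] + 0
            if (auid >= 1000 && auid != 4294967295)
                printf "auid=%s euid=%s tty=%s exe=%s comm=%s\n",
                       f["auid"], f["euid"], f["tty"], f["exe"], f["comm"]
        }'
}

# Number of human-initiated privileged execs in the sample log.
count_privileged_sudo() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | privileged_sudo_events | wc -l | tr -d ' '
}

# Stand-alone run: show the matching events from the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | privileged_sudo_events

# On a device where the rule is loaded, the same summariser can be fed from
# auditd's own query tool (assumes audit userspace tools are installed):
#   ausearch -k privileged-sudo --raw | privileged_sudo_events
```

Of the three constructed records only the `ipset` one survives: the `ls` record has no key, and the `systemd-tmpfiles` record runs as root but with an unset login uid, so it is not a user escalation. Comparing this filtered view with the raw `journalctl | grep sudo` output from the test steps is a quick way to check that the rule is neither missing user-driven escalations nor flooding Grafana with system daemons.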
@brianmcgillion brianmcgillion merged commit 45d3ffa into tiiuae:main Oct 9, 2025
28 checks passed
@everton-dematos everton-dematos deleted the pr_privileged-sudo branch January 23, 2026 07:11
