feat: Rocky Linux / AlmaLinux (RHEL-based) support #101

@davidwhittington

Summary

Add support for Rocky Linux 9 and AlmaLinux 9 as a Phase 3 effort after Debian 12 support (Phase 2).

Scope of changes

RHEL-based distros require significant script changes — this is not a simple port.

Package management

  • apt-get → dnf
  • unattended-upgrades → dnf-automatic
  • Package names differ: ufw not available (use firewalld or nftables)

Firewall

  • ufw is not available; RHEL uses firewalld by default
  • Core hardening script 01-immediate-hardening.sh would need a firewalld code path
  • scripts/core/audit/firewall-check.sh is UFW-specific throughout

Security tooling

  • AppArmor not available; RHEL uses SELinux (fundamentally different model)
  • apparmor-check.sh would need a SELinux equivalent or be excluded from RHEL baseline
  • auditd is the same (already installed by default on RHEL — 05-auditd-setup.sh may need less setup)
  • fail2ban available via EPEL
  • rkhunter available via EPEL

Service names

  • ssh service is sshd on RHEL (most scripts handle both already)
  • Apache is httpd not apache2; mod_security package is mod_security

Recommended approach

Add a DISTRO_FAMILY detection variable (debian|rhel) and use it to branch within scripts, rather than maintaining separate script trees.

Prerequisites

Phase

Phase 3 — after core toolkit is stable and Debian 12 is tested.
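
One way the DISTRO_FAMILY detection from the recommended approach could work, as an added example that is not the toolkit's own code. The function names `detect_distro_family` and `family_value` and the setting keys are hypothetical; the tool names come from the lists above, and treating `ubuntu` as part of the debian family is an assumption.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not from the toolkit.

# Print "debian" or "rhel" for an os-release file; non-zero if unsupported.
# The body is a subshell, so sourced variables never leak into the caller.
detect_distro_family() (
    file="${1:-/etc/os-release}"
    [ -r "$file" ] || exit 1
    unset ID ID_LIKE
    . "$file" || exit 1
    # Check ID first, then each ID_LIKE token (derivatives list "rhel" there).
    for token in ${ID:-} ${ID_LIKE:-}; do
        case "$token" in
            debian|ubuntu) echo debian; exit 0 ;;
            rhel|rocky|almalinux|centos) echo rhel; exit 0 ;;
        esac
    done
    exit 1   # unknown family: callers should stop rather than guess
)

# Map a family plus a setting name to the tool the issue lists for it.
family_value() {
    case "$1:$2" in
        debian:pkg_manager)  echo apt-get ;;
        rhel:pkg_manager)    echo dnf ;;
        debian:auto_updates) echo unattended-upgrades ;;
        rhel:auto_updates)   echo dnf-automatic ;;
        debian:firewall)     echo ufw ;;
        rhel:firewall)       echo firewalld ;;
        debian:mac)          echo apparmor ;;
        rhel:mac)            echo selinux ;;
        debian:apache)       echo apache2 ;;
        rhel:apache)         echo httpd ;;
        *) return 1 ;;
    esac
}

# Constructed sample: a minimal Rocky Linux 9 style os-release file.
demo() {
    tmp="$(mktemp)" || return 1
    printf 'ID="rocky"\nID_LIKE="rhel centos fedora"\nVERSION_ID="9.3"\n' > "$tmp"
    DISTRO_FAMILY="$(detect_distro_family "$tmp")" || DISTRO_FAMILY=unsupported
    rm -f "$tmp"
    echo "family=$DISTRO_FAMILY firewall=$(family_value "$DISTRO_FAMILY" firewall)"
}
demo
```

Returning non-zero for an unrecognised distro lets a hardening script abort before it applies firewall or access-control steps written for the wrong family.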

Labels: area: devops, priority: medium, type: feature