🐛 normalize -k flag into fields array in audtid (#6933)

* fix(auditd): normalize -k flag into fields array

The audit rule parser stored -k (key name) only in the 'keyname' field
of auditd.rule.syscall, but did not add it to the 'fields' array.
This meant -k and -F key= produced different resource representations
despite being semantically identical (per auditctl(8), -k is shorthand
for -F key=).

Policy queries that check fields.where(key == "key") would only match
rules using -F key=value, silently missing rules using -k value. Since
-k is the standard form used in CIS benchmark remediation steps and
most audit rule examples, this caused false failures on correctly
configured systems.

Fix: when the parser encounters -k, also append "key="+value to
rawFields so it appears in the fields array alongside other -F entries.
The keyname field is still set for backward compatibility.

* chore(os): bump provider version to 13.2.2

* 🟢 add test for -k flag normalization into fields

Add a regression test verifying that the -k flag is normalized into the
fields array as key=<value>, so queries don't need to check both
representations. Update the test recording to match.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Tim Smith <tsmith84@proton.me>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: 3 people

providers-sdk/v1/testutils/testdata/arch.json

@@ -1757,6 +1757,11 @@
                   "key": "auid",
                   "op": "!=",
                   "value": "unset"
+                },
+                {
+                  "key": "key",
+                  "op": "=",
+                  "value": "priv_escalation"
                 }
               ]
             },

providers/os/resources/auditd.go

@@ -303,6 +303,9 @@ func (s *mqlAuditdRules) parse(content string, errors *multierr.Errors) {
 
 			case "-k":
 				args["keyname"] = llx.StringData(v)
+				// -k is shorthand for -F key=; normalize into fields so queries
+				// don't need to check both representations.
+				rawFields = append(rawFields, "key="+v)
 
 			case "-p":
 				args["permissions"] = llx.StringData(v)

providers/os/resources/auditd_test.go

@@ -72,6 +72,19 @@ func TestResource_AuditdRules(t *testing.T) {
 		})
 	})
 
+	t.Run("-k flag normalized into fields", func(t *testing.T) {
+		// The -k flag is shorthand for -F key=<value>. Verify that the
+		// parser normalizes it into the fields array so queries don't
+		// need to check both representations.
+		x.TestSimple(t, []testutils.SimpleTest{
+			{
+				Code:        `auditd.rules.syscalls.where(keyname == "priv_escalation")[0].fields.where(key == "key" && value == "priv_escalation").length`,
+				ResultIndex: 0,
+				Expectation: int64(1),
+			},
+		})
+	})
+
 	t.Run("auditd comparisons field", func(t *testing.T) {
 		x.TestSimple(t, []testutils.SimpleTest{
 			// Test that rules with -C have populated comparisons