The cluster logging operator added a bunch of new forwarding
implementations that allow users to ship their logs to various platforms
and components. Some ClusterLogForwarders use a url, others use a host.
In cases where we can inspect the url, we want to check to make sure
it's not using an insecure protocol (http, tcp, udp). In other cases,
where the forwarder is shipping logs to a dedicated service (like
AzureMonitor), we can't actually inspect the protocol because the Azure
forwarding configuration only exposes a `host` attribute, which doesn't
use a protocol as part of the host string. Instead, it's baked into the
forwarding implementation.
This adds complexity to the rule because we need to:
- Check that at least one ClusterLogForwarder exists
- Each ClusterLogForwarder is configured to encrypt traffic to the
forwarding endpoint
- Short-circuit the check for special case forwarders, like
AzureMonitor, that don't specify the protocol in the endpoint
url/host
Instead of looking for secure endpoints in each forwarder, which aren't
implemented consistently, this commit reverses the logic so that it
asserts no "insecure" endpoints are in a forwarding configuration. This
works better for cases like AzureMonitor because if the rule doesn't
find a `url` in the forwarder, it has nothing to compare the protocol
check to, which means it passes. If a forwarder is configured to use
plain old `http`, it will fail because the check asserts none exist
against regular expression modeling unencrypted protocols. At the same
time, we're maintaining the behavior where the rule fails if no
forwarders exist at all.
I believe this is ultimately due to the fact that "any_exists" OVAL
checks will PASS if no pattern matches are made (filtering a log
forwarder with url=http://example.com will not match a regular
expression only looking for secure protocols, resulting in a PASS when it
should actually fail due to how "any_exists" handles non-existent
matches).
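The behaviour the commit message describes can be made concrete with a small model of OVAL existence-check semantics. The following is an added example, not code from the commit or from the rule it changes: the forwarder specs are constructed, the regular expressions stand in for the rule's "regular expression modeling unencrypted protocols" (whose exact pattern is not on the page), and the `oval_test` helper is a simplification of how OVAL's `check_existence` attribute decides a test result. It contrasts the earlier "filter for secure urls, any_exist" shape, which passes for an `http://` endpoint because nothing is collected, with the reversed "filter for insecure urls, none_exist" shape, while both keep a separate at-least-one-forwarder test.

```python
import re
from typing import Iterable, List, Pattern

# ClusterLogForwarder output specs, constructed for this example. Real CRDs
# carry many more fields; only the parts the check looks at are modelled:
# an optional `url` (Elasticsearch, syslog, ...) or an optional `host`
# (AzureMonitor, where the protocol is baked into the implementation).
FORWARDERS_MIXED = [
    {"name": "es", "url": "https://elasticsearch.example.com:9200"},
    {"name": "legacy-syslog", "url": "tcp://syslog.example.com:514"},
    {"name": "azure", "host": "workspace.ods.opinsights.azure.com"},
]
FORWARDERS_SECURE = [
    {"name": "es", "url": "https://elasticsearch.example.com:9200"},
    {"name": "azure", "host": "workspace.ods.opinsights.azure.com"},
]
FORWARDERS_NONE: List[dict] = []

# Stand-ins for the rule's patterns (assumption: the real rule's regex is
# not reproduced here). The commit names http, tcp and udp as insecure.
INSECURE_URL: Pattern[str] = re.compile(r"^(?:http|tcp|udp)://", re.IGNORECASE)
SECURE_URL: Pattern[str] = re.compile(r"^(?:https|tls)://", re.IGNORECASE)


def collect(forwarders: Iterable[dict], pattern: Pattern[str]) -> List[dict]:
    """Mimic OVAL object collection with a filter: keep only forwarders that
    have a `url` matching the pattern. A host-only forwarder never matches."""
    return [f for f in forwarders if "url" in f and pattern.match(f["url"])]


def oval_test(items: List[dict], check_existence: str) -> bool:
    """Simplified OVAL existence semantics for a test over collected items.
    any_exist is satisfied by zero or more items, which is exactly why a
    'look for secure urls' check cannot fail on an http:// endpoint."""
    n = len(items)
    if check_existence == "any_exist":
        return True
    if check_existence == "at_least_one_exists":
        return n >= 1
    if check_existence == "none_exist":
        return n == 0
    raise ValueError(f"unsupported check_existence: {check_existence}")


def original_any_exist_check(forwarders: List[dict]) -> bool:
    """Earlier logic: require a forwarder, then look for secure urls with
    any_exist. An http:// forwarder just drops out of the filter and the
    test still passes (assumption: this is the shape the commit replaces)."""
    some_forwarder = oval_test(list(forwarders), "at_least_one_exists")
    secure_items = collect(forwarders, SECURE_URL)
    return some_forwarder and oval_test(secure_items, "any_exist")


def reversed_none_exist_check(forwarders: List[dict]) -> bool:
    """Commit's logic: require a forwarder, then assert that no forwarder
    carries a url with an unencrypted scheme (none_exist). AzureMonitor has
    no url, so it contributes nothing to the insecure set and passes."""
    some_forwarder = oval_test(list(forwarders), "at_least_one_exists")
    insecure_items = collect(forwarders, INSECURE_URL)
    return some_forwarder and oval_test(insecure_items, "none_exist")


if __name__ == "__main__":
    for label, fwds in [("mixed", FORWARDERS_MIXED),
                        ("secure", FORWARDERS_SECURE),
                        ("none", FORWARDERS_NONE)]:
        print(f"{label:>7}: original={original_any_exist_check(fwds)} "
              f"reversed={reversed_none_exist_check(fwds)}")
```

Running the script shows the three cases side by side: the mixed set (one `tcp://` syslog output) passes under the original shape and fails under the reversed one, the all-secure set passes under both, and the empty set fails under both, which is the "fails if no forwarders exist at all" behaviour the commit keeps.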