minor reorg linux rules and logic

[williballenthin]

as discussed in #442, minor proposed reorganization of linux rules and logic. most importantly, @TcM1911 what do you think?

things i noticed along the way:

• when to use os: ... versus assume windows? here's what i found myself doing naturally:
  • if the rule is a linux rule, include the term
  • if there is mixed logic, include the terms
  • otherwise, implied windows? this isnt great because its inconsistent. maybe we should go back at some point and fixup existing rules.
• we should try to use match: namespace rather than match: rule name when describing behavior. for example match: host-interaction/file-system/file/write rather than match: write file because we can easily split up existing rules into "...on Windows" and "...on Linux" or "...via FOO".
  • should update the documentation/guidance to recommend this
  • should audit our existing match: .... statements and rules

[williballenthin]

CI tests fail because CI pulls the latest release from GH which doesn't support os: yet. hmm.

[TcM1911]

I think the old rules can be left for now. It can either be fixed when FPs are detect or improving the rule to support both Windows and Linux. Since the initial rules for Linux doesn't have the same coverage as the current for Windows, there is plenty of room to add or expand the rule set. This can be a good time to update the rule and take advantage of the new rule feature.