feat: add control to check for legacy NIS entries in account files

'+' and '-' where prepended to lines in account files (/etc/passwd,
/etc/group, /etc/shadow) to signify if fields should be overwritten or
inserted from a NIS server. Since NIS is a insecure and legacy
technology, that is replaced by other software, this check makes sure
that no such entries exist anymore.

Signed-off-by: Claudius Heine <[email protected]>

Author: cmhe

controls/os_spec.rb

@@ -326,3 +326,18 @@
     its('users') { should be_empty }
   end
 end
+
+control 'os-17' do
+  impact 1.0
+  title 'Prevent + or - fields in passwd an related files used by NIS'
+  desc 'NIS is insecure and should not be used'
+  describe file('/etc/passwd') do
+    its('content') { should_not match(/^[+-]/) }
+  end
+  describe file('/etc/shadow') do
+    its('content') { should_not match(/^[+-]/) }
+  end
+  describe file('/etc/group') do
+    its('content') { should_not match(/^[+-]/) }
+  end
+end