feat: add rule to check root user is member of group root

This rule makes sure that the assumptions of user `root` being uid=0 is
the sole member of group `root` with gid=0 are true. This prevents
access to any root-owned files by non-privileged users.

Signed-off-by: Claudius Heine <ch@denx.de>

Author: cmhe

controls/os_spec.rb

@@ -312,3 +312,17 @@
     end
   end
 end
+
+control 'os-16' do
+  impact 1.0
+  title 'User \'root\' should be member of group \'root\' with gid \'0\''
+  desc 'This prevents root-owned files and directories to be accessible to non-privileged users'
+  describe passwd.uids(0) do
+    its('users') { should cmp 'root' }
+    its('gids') { should cmp 0 }
+  end
+  describe etc_group.where(gid: 0) do
+    its('groups') { should cmp 'root' }
+    its('users') { should be_empty }
+  end
+end