feat: add rule to check for password change dates in the past

A password changed date in the future could be used to circumvent
password expiration dates. This rule checks that any password change
dates are in the past.

Signed-off-by: Claudius Heine <ch@denx.de>

Author: cmhe

controls/os_spec.rb

@@ -282,3 +282,12 @@
     end
   end
 end
+
+control 'os-14' do
+  impact 1.0
+  title 'All password change dates are in the past'
+  desc 'The password change date is used to detect expired passwords. Entering future dates might circumvent that.'
+  describe shadow.where { last_change.to_i > (Date.today - Date.new(1970, 1, 1)).to_i } do
+    its('users') { should be_empty }
+  end
+end