
Update file controls to support more restrictive modes allowed by certain CIS criteria #46

Open
jrbeilke opened this issue Jun 27, 2018 · 2 comments

Comments

@jrbeilke

Certain CIS criteria note that file permissions should be "### or more restrictive", but the InSpec controls only support the listed mode, for example:

  • CIS 6.1.3 "verify Access is 640 or more restrictive", InSpec control requires exactly 0640 or fails
  • CIS 6.1.7 "verify Access is 600 or more restrictive", InSpec control requires exactly 0600 or fails

These are just two examples but I'm sure there are other CIS criteria that are also affected.

Seems like this would be a matter of updating these controls to remove the should be_X conditions, right?

i.e. for CIS 6.1.7

  describe file('/etc/shadow-') do
    it { should exist }
    #it { should be_readable.by 'owner' }
    #it { should be_writable.by 'owner' }
    it { should_not be_executable.by 'owner' }
    it { should_not be_readable.by 'group' }
    it { should_not be_writable.by 'group' }
    it { should_not be_executable.by 'group' }
    it { should_not be_readable.by 'other' }
    it { should_not be_writable.by 'other' }
    it { should_not be_executable.by 'other' }
    its(:uid) { should cmp 0 }
    its(:gid) { should cmp 0 }
    its(:sticky) { should equal false }
    its(:suid) { should equal false }
    its(:sgid) { should equal false }
  end
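The difference between the two checks is a bitmask comparison, so it helps to see it written out. The block below is an added example, not code from this profile or from the issue author: `MODE_MASK`, `to_mode`, `at_most_permissive?`, `exactly?`, `excess_bits` and `file_within_mode?` are names chosen here, and the sample modes at the bottom are constructed. `exactly?` reproduces what the current controls do (0600 fails a "0640 or more restrictive" check); `at_most_permissive?` implements the CIS wording, and because the benchmark mode carries no setuid/setgid/sticky bit, any of those bits on the file also fails, which is what the separate `suid`/`sgid`/`sticky` lines in the posted control enforce.

```ruby
# Added illustration (not code from the benchmark profile this issue is about):
# the bitmask logic behind "mode N or more restrictive", written as plain Ruby
# so it can be run and checked outside InSpec.

# Permission bits plus setuid (4000), setgid (2000) and sticky (1000).
MODE_MASK = 0o7777

# Normalise an Integer mode (as File.stat returns it, file-type bits included)
# or an octal String such as "0640" to its permission bits only.
def to_mode(mode)
  value = mode.is_a?(String) ? Integer(mode, 8) : mode
  value & MODE_MASK
end

# The CIS wording: pass when every bit set on the file is also allowed by the
# benchmark mode. Any extra bit, including a setuid/setgid/sticky bit, fails.
def at_most_permissive?(actual, maximum)
  (to_mode(actual) & ~to_mode(maximum)).zero?
end

# What the original control effectively does: exact equality, so 0600 fails
# a "0640 or more restrictive" check even though it is tighter.
def exactly?(actual, expected)
  to_mode(actual) == to_mode(expected)
end

# The offending bits as a zero-padded octal string, for a useful failure message.
def excess_bits(actual, maximum)
  format("%04o", to_mode(actual) & ~to_mode(maximum))
end

# Check a real path; the caller supplies the path and the benchmark mode.
def file_within_mode?(path, maximum)
  at_most_permissive?(File.stat(path).mode, maximum)
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample modes, not taken from any real host.
  cases = [["0640", "0640"], ["0600", "0640"], ["0644", "0640"],
           ["0600", "0600"], ["0400", "0600"], ["4600", "0600"], ["1600", "0600"]]
  cases.each do |actual, maximum|
    puts format("%s vs %s: exact=%-5s or-more-restrictive=%-5s excess=%s",
                actual, maximum, exactly?(actual, maximum),
                at_most_permissive?(actual, maximum), excess_bits(actual, maximum))
  end
end
```

Inside an InSpec control the same idea is expressed with the file resource's `be_more_permissive_than` matcher, as in `it { should_not be_more_permissive_than('0640') }`; confirm that the InSpec release in use ships that matcher before relying on it, since older releases only offer the per-bit `be_readable.by`/`be_writable.by` style used in the control above.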
@veetow
Contributor

veetow commented Jul 5, 2018

6.1.5 as well.

@rarenerd
Collaborator

rarenerd commented Sep 26, 2018

I think you're right about this and I will accept PRs for this change. At the moment I'm a bit limited in time to pick this up myself.
