diff --git a/.gitignore b/.gitignore
index 3b17f94..20df2b2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/scap-security-guide-0.1.19.tar.gz
+SOURCES/scap-security-guide-0.1.25.tar.gz
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
index 511f55a..7038a45 100644
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@@ -1 +1 @@
-f7257eb00ab18acda843d41851a430268d6bba30 SOURCES/scap-security-guide-0.1.19.tar.gz
+1dc2e85ad80098968485bc75050697abc40143d4 SOURCES/scap-security-guide-0.1.25.tar.gz
diff --git a/SOURCES/scap-security-guide-0.1.19-rhel7-drop-restorecond-since-in-optional.patch b/SOURCES/scap-security-guide-0.1.19-rhel7-drop-restorecond-since-in-optional.patch
deleted file mode 100644
index 8e4ee57..0000000
--- a/SOURCES/scap-security-guide-0.1.19-rhel7-drop-restorecond-since-in-optional.patch
+++ /dev/null
@@ -1,38 +0,0 @@
---- scap-security-guide-0.1.19/RHEL/7/input/system/selinux.xml.orig	2014-09-29 06:19:27.427097200 -0400
-+++ scap-security-guide-0.1.19/RHEL/7/input/system/selinux.xml	2014-09-29 06:20:14.703998808 -0400
-@@ -117,23 +117,6 @@ targeted for exploitation, such as netwo
- <tested by="DS" on="20121024"/>
- </Rule>
- 
--<Rule id="service_restorecond_enabled">
--<title>Enable the SELinux Context Restoration Service (restorecond)</title>
--<description>The <tt>restorecond</tt> service utilizes <tt>inotify</tt> to look
--for the creation of new files listed in the
--<tt>/etc/selinux/restorecond.conf</tt> configuration file. When a file is
--created, <tt>restorecond</tt> ensures the file receives the proper SELinux
--security context.
--<service-enable-macro service="restorecond" />
--</description>
--<rationale>The <tt>restorecond</tt> service helps ensure that the default SELinux
--file context is applied to files. This allows automatic correction
--of file contexts created by some programs.</rationale>
--<ident cce="RHEL7-CCE-TBD" />
--<oval id="service_restorecond_enabled" />
--<ref nist="AC-3,AC-3(3),AC-4,AC-6,AU-9" />
--</Rule>
--
- <Rule id="package_setroubleshoot_removed">
- <title>Uninstall setroubleshoot Package</title>
- <description>The SETroubleshoot service notifies desktop users of SELinux
---- scap-security-guide-0.1.19/RHEL/7/input/fixes/bash/service_restorecond_enabled.sh	2014-09-28 07:55:58.000000000 -0400
-+++ /dev/null	2014-09-29 05:45:02.862000000 -0400
-@@ -1,9 +0,0 @@
--#
--# Enable restorecond.service for all systemd targets
--#
--systemctl enable restorecond.service
--
--#
--# Start restorecond.service if not currently running
--#
--systemctl start restorecond.service
diff --git a/SOURCES/scap-security-guide-0.1.19-rhel7-include-only-rht-ccp-profile.patch b/SOURCES/scap-security-guide-0.1.19-rhel7-include-only-rht-ccp-profile.patch
deleted file mode 100644
index b34822c..0000000
--- a/SOURCES/scap-security-guide-0.1.19-rhel7-include-only-rht-ccp-profile.patch
+++ /dev/null
@@ -1,14 +0,0 @@
---- scap-security-guide-0.1.19/RHEL/7/input/guide.xslt.orig	2014-09-29 07:55:24.154151816 -0400
-+++ scap-security-guide-0.1.19/RHEL/7/input/guide.xslt	2014-09-29 07:56:48.376190494 -0400
-@@ -8,10 +8,7 @@
-       <xsl:copy-of select="@*|node()" />
- 
-        <!-- adding profiles here -->
--		<xsl:apply-templates select="document('profiles/test.xml')" />
--		<xsl:apply-templates select="document('profiles/rht-ccp.xml')" />
--		<xsl:apply-templates select="document('profiles/common.xml')" />
--		<xsl:apply-templates select="document('profiles/stig-rhel7-server-upstream.xml')" />
-+                <xsl:apply-templates select="document('profiles/rht-ccp.xml')" />
- 
-        <Value id="conditional_clause" type="string" operator="equals">
-                  <title>A conditional clause for check statements.</title>
diff --git a/SOURCES/scap-security-guide-0.1.19-rhel7-update-pam-XCCDF-to-use-pam_pwquality.patch b/SOURCES/scap-security-guide-0.1.19-rhel7-update-pam-XCCDF-to-use-pam_pwquality.patch
deleted file mode 100644
index 7cc9038..0000000
--- a/SOURCES/scap-security-guide-0.1.19-rhel7-update-pam-XCCDF-to-use-pam_pwquality.patch
+++ /dev/null
@@ -1,89 +0,0 @@
---- scap-security-guide-0.1.19/RHEL/7/input/system/accounts/pam.xml.orig	2014-09-29 08:53:24.078751294 -0400
-+++ scap-security-guide-0.1.19/RHEL/7/input/system/accounts/pam.xml	2014-09-29 08:59:28.963638607 -0400
-@@ -81,33 +81,28 @@ and gives them an opportunity to notify
- 
- <Group id="password_quality">
- <title>Set Password Quality Requirements</title>
--<description>The default <tt>pam_cracklib</tt> PAM module provides strength
-+<description>The default <tt>pam_pwquality</tt> PAM module provides strength
- checking for passwords. It performs a number of checks, such as
- making sure passwords are not similar to dictionary words, are of
- at least a certain length, are not the previous password reversed,
- and are not simply a change of case from the previous password. It
- can also require passwords to be in certain character classes.
- <br /><br />
--The <tt>pam_passwdqc</tt> PAM module also provides the ability to enforce
--stringent password strength requirements. It is provided
--in an RPM of the same name.
--<br /><br />
--The man pages <tt>pam_cracklib(8)</tt> and <tt>pam_passwdqc(8)</tt>
--provide information on the capabilities and configuration of
--each.</description>
-+The man page <tt>pam_pwquality(8)</tt> provide further information
-+on the capabilities and configuration.</description>
- 
- <Group id="password_quality_pamcracklib">
- <title>Set Password Quality Requirements, if using
--pam_cracklib</title>
--<description>The <tt>pam_cracklib</tt> PAM module can be configured to meet
-+ pam_pwquality</title>
-+<description>The <tt>pam_pwquality</tt> PAM module can be configured to meet
- requirements for a variety of policies.
- <br /><br />
--For example, to configure <tt>pam_cracklib</tt> to require at least one uppercase
-+For example, to configure <tt>pam_pwquality</tt> to require at least one uppercase
- character, lowercase character, digit, and other (special)
- character, locate the following line in <tt>/etc/pam.d/system-auth</tt>:
--<pre>password requisite pam_cracklib.so try_first_pass retry=3</pre>
-+<pre>password requisite pam_pwquality.so try_first_pass retry=3</pre>
- and then alter it to read:
--<pre>password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4</pre>
-+<pre>password required pam_pwquality.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4</pre>
- If no such line exists, add one as the first line of the password section in <tt>/etc/pam.d/system-auth</tt>.
- The arguments can be modified to ensure compliance with
- your organization's security policy. Discussion of each parameter follows.
-@@ -268,14 +263,14 @@ is different from account lockout, which
- 
- <Rule id="accounts_password_pam_cracklib_maxrepeat">
- <title>Set Password to Maximum of Three Consecutive Repeating Characters</title>
--<description>The pam_cracklib module's <tt>maxrepeat</tt> parameter controls requirements for
-+<description>The pam_pwquality module's <tt>maxrepeat</tt> parameter controls requirements for
- consecutive repeating characters. When set to a positive number, it will reject passwords
- which contain more than that number of consecutive characters. Add <tt>maxrepeat=3</tt>
--after pam_cracklib.so to prevent a run of four or more identical characters.
-+after pam_pwquality.so to prevent a run of four or more identical characters.
- </description>
- <ocil clause="maxrepeat is not found or not set to the required value">
- To check the maximum value for consecutive repeating characters, run the following command:
--<pre>$ grep pam_cracklib /etc/pam.d/system-auth</pre>
-+<pre>$ grep pam_pwquality /etc/pam.d/system-auth</pre>
- Look for the value of the <tt>maxrepeat</tt> parameter. The DoD requirement is 3.
- </ocil>
- <rationale>
-@@ -413,7 +408,7 @@ Note that passwords which are changed on
- 
- <Rule id="accounts_password_pam_cracklib_minclass">
- <title>Set Password Strength Minimum Different Categories</title>
--<description>The pam_cracklib module's <tt>minclass</tt> parameter controls requirements for
-+<description>The pam_pwquality module's <tt>minclass</tt> parameter controls requirements for
- usage of different character classes, or types, of character that must exist in a password
- before it is considered valid. For example, setting this value to three (3) requires that
- any password must have characters from at least three different categories in order to be
-@@ -425,7 +420,7 @@ four categories available:
- * Digits
- * Special characters (for example, punctuation)
- </pre>
--Add <tt>minclass=<i>NUM</i></tt> after pam_cracklib.so entry into the
-+Add <tt>minclass=<i>NUM</i></tt> after pam_pwquality.so entry into the
- <tt>/etc/pam.d/system-auth</tt> file in order to require differing categories of
- characters when changing passwords, substituting <i>NUM</i> appropriately (for example to
- require at least three character classes to be used in password, use <tt>minclass=3</tt>).
-@@ -433,7 +428,7 @@ require at least three character classes
- <ocil clause="minclass is not found or not set to the required value">
- To check how many categories of characters must be used in password during a password change,
- run the following command:
--<pre>$ grep pam_cracklib /etc/pam.d/system-auth</pre>
-+<pre>$ grep pam_pwquality /etc/pam.d/system-auth</pre>
- The <tt>minclass</tt> parameter will indicate how many character classes must be used. If
- the requirement was for the password to contain characters from three different categories,
- then this would appear as <tt>minclass=3</tt>.
diff --git a/SOURCES/scap-security-guide-0.1.19-update-man-page-for-rhel7-content.patch b/SOURCES/scap-security-guide-0.1.19-update-man-page-for-rhel7-content.patch
deleted file mode 100644
index 5395704..0000000
--- a/SOURCES/scap-security-guide-0.1.19-update-man-page-for-rhel7-content.patch
+++ /dev/null
@@ -1,109 +0,0 @@
---- scap-security-guide-0.1.19/RHEL/6/input/auxiliary/scap-security-guide.8.orig	2014-10-21 09:26:33.048661043 -0400
-+++ scap-security-guide-0.1.19/RHEL/6/input/auxiliary/scap-security-guide.8	2014-10-21 09:29:18.031611398 -0400
-@@ -1,4 +1,4 @@
--.TH scap-security-guide 8 "26 Jan 2013" "version 1"
-+.TH scap-security-guide 8 "29 Sep 2014" "version 1"
- 
- .SH NAME
- SCAP Security Guide - Delivers security guidance, baselines, and 
-@@ -23,59 +23,24 @@ https://fedorahosted.org/scap-security-g
- 
- 
- .SH PROFILES
--The SSG content is broken into 'profiles,' groupings of security settings that correlate to a known policy. Available profiles are:
-+The SSG content is broken into 'profiles,' groupings of security settings that
-+correlate to a known policy. Available profiles are:
- 
--.I stig-rhel6-server-upstream
-+.I rht-cpp
- .RS
--The Security Technical Implementation Guides (STIGs) and the NSA Guides are the
--configuration standards for DOD IA and IA-enabled devices/systems. Since 1998,
--DISA Field Security Operations (FSO) has played a critical role enhancing the
--security posture of DoD's security systems by providing the Security Technical
--Implementation Guides (STIGs). This profile was created as a collaboration
--effort between the National Security Agency, DISA FSO, and Red Hat.
--
--As a result of the upstream/downstream relationship between the SCAP Security
--Guide project and the official DISA FSO STIG baseline, users should expect
--variance between SSG and DISA FSO content. For additional information relating
--to STIGs, please refer to the DISA FSO webpage at http://iase.disa.mil/stigs/
--
--While this profile is packaged by Red Hat as part of the SCAP Security Guide
--package, please note that commercial support of this SCAP content is NOT
--available. This profile is provided as example SCAP content with no
--endorsement for suitability or production readiness. Support for this profile
--is provided by the upstream SCAP Security Guide community on a best-effort
--basis. The upstream project homepage is https://fedorahosted.org/scap-security-guide/.
--
--.RE
--.I usgcb-rhel6-server
--.RS
--The purpose of the United States Government Configuration Baseline (USGCB)
--initiative is to create security configuration baselines for Information
--Technology products widely deployed across the federal agencies. The USGCB
--baseline evolved from the Federal Desktop Core Configuration mandate. The
--USGCB is a Federal government-wide initiative that provides guidance to
--agencies on what should be done to improve and maintain an effective
--configuration settings focusing primarily on security.
--
--.B "NOTE: "
--While the current content maps to USGCB requirements, it has NOT
--been validated by NIST as of yet. This content should be considered
--draft, we are highly interested in feedback.
--
--For additional information relating to USGCB, please refer to the NIST
--webpage at http://usgcb.nist.gov/usgcb_content.html.
-+Red Hat Corporate Profile for Certified Cloud Providers (RH CCP). This is a
-+*draft* SCAP profile for Red Hat Certified Cloud Providers.
- .RE
- 
--
- .SH EXAMPLES
- To scan your system utilizing the OpenSCAP utility against the
--stig-rhel6-server-upstream profile:
-+rht-ccp profile:
- 
--oscap  xccdf eval --profile stig-rhel6-server-upstream \ 
-+oscap  xccdf eval --profile rht-ccp \ 
- --results /tmp/`hostname`-ssg-results.xml \
- --report /tmp/`hostname`-ssg-results.html \
----cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \
--/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
-+--cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml \
-+/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
- .PP
- Additional details can be found on the projects wiki page:
- https://fedorahosted.org/scap-security-guide/wiki/usageguide
-@@ -99,15 +64,10 @@ ssg-{profile}-oval.xml
- ssg-{profile}-xccdf.xml
- .RE
- 
--.I /usr/share/xml/scap/ssg/guides/
--.RS
--HTML versions of SSG profiles.
--.RE
--
--.I /usr/share/xml/scap/ssg/policytables/
-+.I /usr/share/doc/scap-security-guide-0.1.19
- .RS
--HTML tables reflecting which institutionalized policy a particular SSG rule
--conforms to.
-+Contains HTML versions of the SSG profiles and also HTML tables reflecting which
-+institutionalized policy a particular SSG rule conforms to.
- .RE
- 
- .SH STATEMENT OF SUPPORT
-@@ -116,9 +76,9 @@ and the NSA, provides XCCDF and OVAL con
- source project, community participation extends into U.S. Department of Defense 
- agencies, civilian agencies, academia, and other industrial partners.
- 
--SCAP Security Guide is provided to consumers through Red Hat's Extended
--Packages for Enterprise Linux (EPEL) repository. As such, SCAP Security Guide
--content is considered "vendor provided."
-+SCAP Security Guide is provided to consumers through Red Hat's system and content
-+management services (Red Hat Network Classic or Red Hat Subscription Management).
-+As such, SCAP Security Guide content is considered "vendor provided."
- 
- Note that while Red Hat hosts the infrastructure for this project and
- Red Hat engineers are involved as maintainers and leaders, there is no
diff --git a/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-PR#280-set-deny-prerequisite-#1.patch b/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-PR#280-set-deny-prerequisite-#1.patch
deleted file mode 100644
index 65b59a6..0000000
--- a/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-PR#280-set-deny-prerequisite-#1.patch
+++ /dev/null
@@ -1,472 +0,0 @@
-diff --git a/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml b/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml
-index a00fc16..dc1b249 100644
---- a/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml
-+++ b/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml
-@@ -99,7 +99,7 @@ upstream project homepage is https://fedorahosted.org/scap-security-guide/.
- <refine-value idref="var_accounts_passwords_pam_faillock_fail_interval" selector="900"/>
- 
- <!-- from inherited Rule, accounts_password_pam_unix_remember -->
--<refine-value idref="var_password_pam_unix_remember" selector="24"/>
-+<refine-value idref="var_password_pam_unix_remember" selector="5"/>
- 
- <refine-value idref="var_accounts_maximum_age_login_defs" selector="60"/>
- <refine-value idref="var_accounts_minimum_age_login_defs" selector="1"/>
-diff --git a/RHEL/6/input/system/accounts/pam.xml b/RHEL/6/input/system/accounts/pam.xml
-index adf0aaf..b2da2a4 100644
---- a/RHEL/6/input/system/accounts/pam.xml
-+++ b/RHEL/6/input/system/accounts/pam.xml
-@@ -48,7 +48,7 @@ operator="equals" interactive="0">
- <tt>/etc/security/opasswd</tt> in order to force password change history and
- keep the user from alternating between the same password too
- frequently.</description>
--<value selector="">24</value>
-+<value selector="">5</value>
- <value selector="0">0</value>
- <value selector="5">5</value>
- <value selector="10">10</value>
-@@ -342,7 +342,7 @@ more difficult by ensuring a larger search space.
- usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to
- contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional
- length credit for each special character.
--Add <tt>ocredit=-1</tt> after pam_cracklib.so to require use of a special character in passwords.
-+Add <tt>ocredit=<sub idref="var_password_pam_ocredit" /></tt> after pam_cracklib.so to require use of a special character in passwords.
- </description>
- <ocil clause="ocredit is not found or not set to the required value">
- To check how many special characters are required in a password, run the following command:
-@@ -357,7 +357,7 @@ more difficult by ensuring a larger search space.
- </rationale>
- <ident cce="26409-3" />
- <oval id="accounts_password_pam_ocredit" value="var_password_pam_ocredit"/>
--<ref nist="IA-5(b),IA-5(c),IA-5(1)(a)" disa="1619" />
-+<ref nist="IA-5(b),IA-5(c),IA-5(1)(a)" disa="1619" srg="266" />
- <tested by="DS" on="20121024"/>
- </Rule>
- 
-@@ -551,7 +551,7 @@ be accomplished by using the <tt>remember</tt> option for the <tt>pam_unix</tt>
- module.  In the file <tt>/etc/pam.d/system-auth</tt>, append <tt>remember=<sub idref="var_password_pam_unix_remember" /></tt> to the
- line which refers to the <tt>pam_unix.so</tt> module, as shown:
- <pre>password sufficient pam_unix.so <i>existing_options</i> remember=<sub idref="var_password_pam_unix_remember" /></pre>
--The DoD and FISMA requirement is 24 passwords.</description>
-+The DoD STIG requirement is 5 passwords.</description>
- <ocil clause="it does not">
- To verify the password reuse setting is compliant, run the following command:
- <pre>$ grep remember /etc/pam.d/system-auth</pre>
-diff --git a/RHEL/6/input/system/accounts/restrictions/password_expiration.xml b/RHEL/6/input/system/accounts/restrictions/password_expiration.xml
-index e4af5aa..a8e90c2 100644
---- a/RHEL/6/input/system/accounts/restrictions/password_expiration.xml
-+++ b/RHEL/6/input/system/accounts/restrictions/password_expiration.xml
-@@ -159,7 +159,7 @@ increases the risk of users writing down the password in a convenient
- location subject to physical compromise.</rationale>
- <ident cce="26985-2" />
- <oval id="accounts_maximum_age_login_defs" value="var_accounts_maximum_age_login_defs"/>
--<ref nist="IA-5(f),IA-5(g),IA-5(1)(d)" disa="180,199" />
-+<ref nist="IA-5(f),IA-5(g),IA-5(1)(d)" disa="180,199" srg="76" />
- <tested by="DS" on="20121026"/>
- </Rule>
- 
-diff --git a/RHEL/7/input/checks/accounts_password_pam_minlen.xml b/RHEL/7/input/checks/accounts_password_pam_minlen.xml
-new file mode 100644
-index 0000000..77f89af
---- /dev/null
-+++ b/RHEL/7/input/checks/accounts_password_pam_minlen.xml
-@@ -0,0 +1,40 @@
-+<def-group>
-+  <definition class="compliance" id="accounts_password_pam_minlen" version="1">
-+    <metadata>
-+      <title>Set Password minlen Requirements</title>
-+      <affected family="unix">
-+        <platform>Red Hat Enterprise Linux 7</platform>
-+      </affected>
-+      <description>The password minlen should meet minimum requirements</description>
-+      <reference source="swells" ref_id="20140926" ref_url="test_attestation" />
-+    </metadata>
-+    <criteria operator="AND" comment="system is RHEL7 with pam_pwquality configured">
-+      <extend_definition comment="RHEL7 installed" definition_ref="installed_OS_is_rhel7" />
-+      <criterion comment="rhel7 pam_pwquality" test_ref="test_password_pam_pwquality_minlen" />
-+    </criteria>
-+  </definition>
-+
-+  <!-- RHEL 7 check -->
-+  <ind:textfilecontent54_test check="all"
-+  comment="check the configuration of /etc/pam.d/system-auth pwquality"
-+  id="test_password_pam_pwquality_minlen" version="1">
-+    <ind:object object_ref="obj_password_pam_pwquality_minlen" />
-+    <ind:state state_ref="state_password_pam_minlen" />
-+  </ind:textfilecontent54_test>
-+
-+  <ind:textfilecontent54_object id="obj_password_pam_pwquality_minlen"
-+  version="1">
-+    <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
-+    <ind:pattern operation="pattern match">^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*minlen=(-?\d+)(?:[\s]|$)</ind:pattern>
-+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-+  </ind:textfilecontent54_object>
-+
-+  <!-- OVAL variables -->
-+  <ind:textfilecontent54_state id="state_password_pam_minlen" version="1">
-+    <ind:instance datatype="int">1</ind:instance>
-+    <ind:subexpression datatype="int" operation="greater than or equal" var_ref="var_password_pam_minlen" />
-+  </ind:textfilecontent54_state>
-+
-+  <external_variable comment="External variable for pam_cracklib minlen" datatype="int" id="var_password_pam_minlen" version="1" />
-+
-+</def-group>
-diff --git a/RHEL/7/input/fixes/bash/accounts_password_pam_minlen.sh b/RHEL/7/input/fixes/bash/accounts_password_pam_minlen.sh
-new file mode 100644
-index 0000000..5bc5b0f
---- /dev/null
-+++ b/RHEL/7/input/fixes/bash/accounts_password_pam_minlen.sh
-@@ -0,0 +1,8 @@
-+source ./templates/support.sh
-+populate var_password_pam_minlen
-+
-+if grep -q "minlen=" /etc/pam.d/system-auth; then   
-+	sed -i --follow-symlink "s/\(minlen *= *\).*/\1$var_password_pam_minlen/" /etc/pam.d/system-auth
-+else
-+	sed -i --follow-symlink "/pam_pwquality.so/ s/$/ minlen=$var_password_pam_minlen/" /etc/pam.d/system-auth
-+fi
-diff --git a/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml b/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml
-index ef079b4..19a06b3 100644
---- a/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml
-+++ b/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml
-@@ -2,6 +2,36 @@
- <title>Pre-release Draft STIG for RHEL 7 Server</title>
- <description>This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.</description>
- 
-+<!-- STIG refinement values. Note these are set by DISA FSO,
-+     and should not be manipulated -->
-+<refine-value idref="var_password_pam_unix_remember" selector="5" />
-+<refine-value idref="var_accounts_maximum_age_login_defs" selector="60" />
-+<refine-value idref="var_password_pam_ocredit" selector="1" />
-+<refine-value idref="var_password_pam_ucredit" selector="1" />
-+<refine-value idref="var_password_pam_lcredit" selector="1" />
-+<refine-value idref="var_password_pam_dcredit" selector="1" />
-+<refine-value idref="var_password_pam_minlen" selector="15" />
-+<refine-value idref="var_password_pam_difok" selector="15" />
-+<refine-value idref="var_accounts_minimum_age_login_defs" selector="1" />
-+<refine-value idref="var_accounts_passwords_pam_faillock_fail_interval" selector="900" />
-+<refine-value idref="var_accounts_passwords_pam_faillock_deny" selector="3" />
-+
-+<!-- BEGIN STIG RULE SELECTION -->
-+
-+<!-- Disk Partitioning -->
- <select idref="encrypt_partitions" selected="true"/>
- 
-+<!-- Password Requirements -->
-+<select idref="accounts_maximum_age_login_defs" selected="true" />
-+<select idref="accounts_password_pam_unix_remember" selected="true" />
-+<select idref="accounts_password_pam_ocredit" selected="true" />
-+<select idref="accounts_password_pam_ucredit" selected="true" />
-+<select idref="accounts_password_pam_lcredit" selected="true" />
-+<select idref="accounts_password_pam_dcredit" selected="true" />
-+<select idref="accounts_password_pam_minlen" selected="true" />
-+<select idref="accounts_password_pam_difok" selected="true" />
-+<select idref="accounts_minimum_age_login_defs" selected="true" />
-+<select idref="accounts_passwords_pam_fail_interval" selected="true" />
-+<select idref="accounts_passwords_pam_faillock_deny" selected="true" />
-+
- </Profile>
-diff --git a/RHEL/7/input/system/accounts/pam.xml b/RHEL/7/input/system/accounts/pam.xml
-index 3cdd433..f5d9cdf 100644
---- a/RHEL/7/input/system/accounts/pam.xml
-+++ b/RHEL/7/input/system/accounts/pam.xml
-@@ -48,7 +48,7 @@ operator="equals" interactive="0">
- <tt>/etc/security/opasswd</tt> in order to force password change history and
- keep the user from alternating between the same password too
- frequently.</description>
--<value selector="">24</value>
-+<value selector="">5</value>
- <value selector="0">0</value>
- <value selector="5">5</value>
- <value selector="10">10</value>
-@@ -137,13 +137,14 @@ reason.</warning>
- <Value id="var_password_pam_minlen" type="number" operator="equals" interactive="0">
- <title>minlen</title>
- <description>Minimum number of characters in password</description>
--<value selector="">14</value>
-+<value selector="">15</value>
- <value selector="6">6</value>
- <!-- NIST 800-53 requires 1 in a million using brute force which translates to six numbers -->
- <value selector="8">8</value>
- <value selector="10">10</value>
- <value selector="12">12</value>
- <value selector="14">14</value>
-+<!-- DoD STIG requires 15 -->
- <value selector="15">15</value>
- </Value>
- 
-@@ -190,11 +191,12 @@ password</description>
- password</description>
- <warning category="general">Keep this high for short
- passwords</warning>
--<value selector="">4</value>
-+<value selector="">15</value>
- <value selector="2">2</value>
- <value selector="3">3</value>
- <value selector="4">4</value>
- <value selector="5">5</value>
-+<value selector="15">15</value>
- </Value>
- 
- <Value id="var_password_pam_minclass" type="number" operator="equals" interactive="0">
-@@ -306,10 +308,34 @@ search space.
- </rationale>
- <ident cce="27163-5" />
- <oval id="accounts_password_pam_dcredit" value="var_password_pam_dcredit"/>
--<ref nist="IA-5(b),IA-5(c),194" disa=""/>
-+<ref nist="IA-5(b),IA-5(c),194" disa="194" srg="71"/>
- <tested by="DS" on="20121024"/>
- </Rule>
- 
-+<Rule id="accounts_password_pam_minlen">
-+<title>Set Password Minimum Length</title>
-+<description>The pam_pwquality module's <tt>minlen</tt> parameter controls requirements for
-+minimum characters required in a password. Add <tt>minlen=<sub idref="var_password_pam_minlen" /></tt>
-+after pam_pwquality to set minimum password length requirements.
-+</description>
-+<ocil clause="minlen is not found or not set to the required value (or higher)">
-+To check how many characters are required in a password, run the following command:
-+<pre>$ grep pam_pwquality /etc/pam.d/system-auth</pre>
-+Your output should contain <tt>minlen=<sub idref="var_password_pam_minlen" /></tt>
-+</ocil>
-+<rationale>
-+Password length is one factor of several that helps to determine
-+strength and how long it takes to crack a password. Use of more characters in
-+a password helps to exponentially increase the time and/or resources
-+required to compromise the password.
-+</rationale>
-+<ident cce="26615-5" />
-+<oval id="accounts_password_pam_minlen" value="var_password_pam_minlen" />
-+<ref nist="IA-5(1)(a)" disa="205" srg="78" />
-+<tested by="swells" on="20140928" />
-+</Rule>
-+
-+
- <Rule id="accounts_password_pam_ucredit">
- <title>Set Password Strength Minimum Uppercase Characters</title>
- <description>The pam_pwquality module's <tt>ucredit=</tt> parameter controls requirements for
-@@ -331,18 +357,18 @@ more difficult by ensuring a larger search space.
- </rationale>
- <ident cce="26988-6" />
- <oval id="accounts_password_pam_ucredit" value="var_password_pam_ucredit"/>
--<ref nist="IA-5(b),IA-5(c),IA-5(1)(a)" disa="" />
-+<ref nist="IA-5(b),IA-5(c),IA-5(1)(a)" disa="192" srg="69" />
- <tested by="DS" on="20121024"/>
- </Rule>
- 
- <Rule id="accounts_password_pam_ocredit">
- <title>Set Password Strength Minimum Special Characters</title>
- <description>The pam_pwquality module's <tt>ocredit=</tt> parameter controls requirements for
--usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to
-+usage of special (or "other") characters in a password. When set to a negative number, any password will be required to
- contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional
- length credit for each special character.
--Add <tt>ocredit=-1</tt> after pam_pwquality.so to require use of a special character in passwords.
--</description>
-+Add <tt>ocredit=<sub idref="var_password_pam_ocredit" /></tt> after pam_pwquality.so to 
-+require use of a special character in passwords.</description>
- <ocil clause="ocredit is not found or not set to the required value">
- To check how many special characters are required in a password, run the following command:
- <pre>$ grep pam_pwquality /etc/pam.d/system-auth</pre>
-@@ -356,7 +382,7 @@ more difficult by ensuring a larger search space.
- </rationale>
- <ident cce="27151-0" />
- <oval id="accounts_password_pam_ocredit" value="var_password_pam_ocredit"/>
--<ref nist="IA-5(b),IA-5(c),IA-5(1)(a)" disa="" />
-+<ref nist="IA-5(b),IA-5(c),IA-5(1)(a)" disa="1619" srg="266" />
- <tested by="DS" on="20121024"/>
- </Rule>
- 
-@@ -381,7 +407,7 @@ more difficult by ensuring a larger search space.
- </rationale>
- <ident cce="27111-4" />
- <oval id="accounts_password_pam_lcredit" value="var_password_pam_lcredit"/>
--<ref nist="IA-5(b),IA-5(c),IA-5(1)(a)" disa="" />
-+<ref nist="IA-5(b),IA-5(c),IA-5(1)(a)" disa="193" srg="70" />
- <tested by="DS" on="20121024"/>
- </Rule>
- 
-@@ -391,14 +417,14 @@ more difficult by ensuring a larger search space.
- usage of different characters during a password change.
- Add <tt>difok=<i>NUM</i></tt> after pam_pwquality.so to require differing
- characters when changing passwords, substituting <i>NUM</i> appropriately.
--The DoD requirement is <tt>4</tt>.
-+The DoD requirement is <tt>15</tt>.
- </description>
- <ocil clause="difok is not found or not set to the required value">
- To check how many characters must differ during a password change, run the following command:
- <pre>$ grep pam_pwquality /etc/pam.d/system-auth</pre>
- The <tt>difok</tt> parameter will indicate how many characters must differ.
--The DoD requires four characters differ during a password change.
--This would appear as <tt>difok=4</tt>.
-+The DoD requires 15 characters differ during a password change.
-+This would appear as <tt>difok=15</tt>.
- </ocil>
- <rationale>
- Requiring a minimum number of different characters during password changes ensures that
-@@ -407,7 +433,7 @@ Note that passwords which are changed on compromised systems will still be compr
- </rationale>
- <ident cce="26631-2" />
- <oval id="accounts_password_pam_difok" value="var_password_pam_difok"/>
--<ref nist="IA-5(b),IA-5(c),IA-5(1)(b)" disa=""/>
-+<ref nist="IA-5(b),IA-5(c),IA-5(1)(b)" disa="195" srg="72" />
- <tested by="DS" on="20121024"/>
- </Rule>
- 
-@@ -476,13 +502,13 @@ attempts using <tt>pam_faillock.so</tt>:
- <br /><br />
- Add the following lines immediately below the <tt>pam_unix.so</tt> statement in <tt>AUTH</tt> section of
- both <tt>/etc/pam.d/system-auth</tt> and /etc/pam.d/password-auth:
--<pre>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900</pre>
--<pre>auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900</pre>
-+<pre>auth [default=die] pam_faillock.so authfail deny=<id subref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
-+<pre>auth required pam_faillock.so authsucc deny=<id subref="var_accounts_passwords_pam_faillock_deny" />  unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
- </description>
- <ocil clause="that is not the case">
- To ensure the failed password attempt policy is configured correctly, run the following command:
- <pre>$ grep pam_faillock /etc/pam.d/system-auth</pre>
--The output should show <tt>deny=3</tt>.
-+The output should show <tt>deny=<id subref="var_accounts_passwords_pam_faillock_deny" /></tt>.
- </ocil>
- <rationale>
- Locking out user accounts after a number of incorrect attempts
-@@ -490,7 +516,7 @@ prevents direct password guessing attacks.
- </rationale>
- <ident cce="26891-2" />
- <oval id="accounts_passwords_pam_faillock_deny" value="var_accounts_passwords_pam_faillock_deny"/>
--<ref nist="AC-7(a)" disa="" />
-+<ref nist="AC-7(a)" disa="44" srg="21" />
- </Rule>
- 
- <Rule id="accounts_passwords_pam_faillock_unlock_time" severity="medium">
-@@ -500,8 +526,8 @@ To configure the system to lock out accounts after a number of incorrect login
- attempts and require an administrator to unlock the account using <tt>pam_faillock.so</tt>:
- <br /><br />
- Add the following lines immediately below the <tt>pam_env.so</tt> statement in <tt>/etc/pam.d/system-auth</tt>:
--<pre>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900</pre>
--<pre>auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900</pre>
-+<pre>auth [default=die] pam_faillock.so authfail deny=<id subref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
-+<pre>auth required pam_faillock.so authsucc deny=<id subref="var_accounts_passwords_pam_faillock_deny" />  unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
- </description>
- <ocil clause="that is not the case">
- To ensure the failed password attempt policy is configured correctly, run the following command:
-@@ -527,43 +553,46 @@ attempts.
- <br /><br />
- Add the following <tt>fail_interval</tt> directives to <tt>pam_faillock.so</tt> immediately below the <tt>pam_env.so</tt> statement in
- <tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt>:
--<pre>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900</pre>
--<pre>auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900</pre>
-+<pre>auth [default=die] pam_faillock.so authfail deny=<id subref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
-+<pre>auth required pam_faillock.so authsucc deny=<id subref="var_accounts_passwords_pam_faillock_deny" />  unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
- </description>
- <ocil clause="that is not the case">
- To ensure the failed password attempt policy is configured correctly, run the following command:
- <pre>$ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth</pre>
--For each file, the output should show <tt>fail_interval=&lt;interval-in-seconds&gt;</tt> where <tt>interval-in-seconds</tt> is 900 (15 minutes) or greater.  If the <tt>fail_interval</tt> parameter is not set, the default setting of 900 seconds is acceptable.
-+For each file, the output should show <tt>fail_interval=&lt;interval-in-seconds&gt;</tt> where <tt>interval-in-seconds</tt> is 
-+<tt><id subref="var_accounts_passwords_pam_faillock_fail_interval" /></tt>  or greater. 
-+If the <tt>fail_interval</tt> parameter is not set, the default setting of 900 seconds is acceptable.
- </ocil>
- <rationale>
- Locking out user accounts after a number of incorrect attempts within a
- specific period of time prevents direct password guessing attacks.
- </rationale>
--<ident cce="RHEL7-CCE-TBD" />
-+<ident cce="26763-3" />
- <oval id="accounts_passwords_pam_fail_interval" value="var_accounts_passwords_pam_faillock_fail_interval"/>
--<ref nist="AC-7(a)" disa="1452" />
-+<ref nist="AC-7(a)" disa="44" srg="21" />
- </Rule>
- 
- <Rule id="accounts_password_pam_unix_remember" severity="medium">
- <title>Limit Password Reuse</title>
- <description>Do not allow users to reuse recent passwords. This can
- be accomplished by using the <tt>remember</tt> option for the <tt>pam_unix</tt> PAM
--module.  In the file <tt>/etc/pam.d/system-auth</tt>, append <tt>remember=24</tt> to the 
-+module.  In the file <tt>/etc/pam.d/system-auth</tt>, append
-+<tt>remember=<sub idref="var_password_pam_unix_remember" /></tt> to the 
- line which refers to the <tt>pam_unix.so</tt> module, as shown:
--<pre>password sufficient pam_unix.so <i>existing_options</i> remember=24</pre>
--The DoD and FISMA requirement is 24 passwords.</description>
-+<pre>password sufficient pam_unix.so <i>existing_options</i> remember=<sub idref="var_password_pam_unix_remember" /></pre>
-+The DoD STIG requirement is 5 passwords.</description>
- <ocil clause="it does not">
- To verify the password reuse setting is compliant, run the following command:
- <pre>$ grep remember /etc/pam.d/system-auth</pre>
- The output should show the following at the end of the line:
--<pre>remember=24</pre>
-+<pre>remember=<sub idref="var_password_pam_unix_rememer" /></pre>
- </ocil>
- <rationale>
- Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.
- </rationale>
- <ident cce="26923-3" />
- <oval id="accounts_password_pam_unix_remember" value="var_password_pam_unix_remember" />
--<ref nist="IA-5(f),IA-5(1)(e)" disa="" />
-+<ref nist="IA-5(f),IA-5(1)(e)" disa="200" srg="77" />
- <tested by="DS" on="20121024"/>
- </Rule>
- </Group>
-diff --git a/RHEL/7/input/system/accounts/restrictions/password_expiration.xml b/RHEL/7/input/system/accounts/restrictions/password_expiration.xml
-index d79c4a8..9e56b9d 100644
---- a/RHEL/7/input/system/accounts/restrictions/password_expiration.xml
-+++ b/RHEL/7/input/system/accounts/restrictions/password_expiration.xml
-@@ -60,8 +60,8 @@ age, and 7 day warning period with the following command:
- <value selector="">7</value>
- <value selector="7">7</value>
- <value selector="5">5</value>
--<value selector="1">1</value>
- <value selector="2">2</value>
-+<value selector="1">1</value>
- <value selector="0">0</value>
- </Value>
- 
-@@ -131,7 +131,7 @@ after satisfying the password reuse requirement.
- </rationale>
- <ident cce="27002-5" />
- <oval id="accounts_minimum_age_login_defs" value="var_accounts_minimum_age_login_defs"/>
--<ref nist="IA-5(f),IA-5(1)(d)" disa=""/>
-+<ref nist="IA-5(f),IA-5(1)(d)" disa="198" srg="75" />
- <tested by="DS" on="20121026"/>
- </Rule>
- 
-@@ -145,7 +145,7 @@ and add or correct the following line, replacing <i>DAYS</i> appropriately:
- A value of 180 days is sufficient for many environments. 
- The DoD requirement is 60.
- </description>
--<ocil clause="it is not set to the required value">
-+<ocil clause="PASS_MAX_DAYS is not set to the required value">
- To check the maximum password age, run the command:
- <pre>$ grep PASS_MAX_DAYS /etc/login.defs</pre>
- The DoD and FISMA requirement is 60.
-@@ -157,9 +157,9 @@ periodically change their passwords. This could possibly decrease
- the utility of a stolen password. Requiring shorter password lifetimes
- increases the risk of users writing down the password in a convenient
- location subject to physical compromise.</rationale>
--<ident cce="RHEL7-CCE-TBD" />
-+<ident cce="27051-2" />
- <oval id="accounts_maximum_age_login_defs" value="var_accounts_maximum_age_login_defs"/>
--<ref nist="IA-5(f),IA-5(g),IA-5(1)(d)" disa="180,199" />
-+<ref nist="IA-5(f),IA-5(g),IA-5(1)(d)" disa="180,199" srg="76" />
- <tested by="DS" on="20121026"/>
- </Rule>
- 
-diff --git a/shared/.gitignore b/shared/.gitignore
-index d7b3ccb..39328cf 100644
---- a/shared/.gitignore
-+++ b/shared/.gitignore
-@@ -1,3 +1,4 @@
- # files not to track in git
- *.pyc
- *.ini
-+*.swp
-diff --git a/shared/references/cce-rhel-avail.txt b/shared/references/cce-rhel-avail.txt
-index 381d3da..41dc47e 100644
---- a/shared/references/cce-rhel-avail.txt
-+++ b/shared/references/cce-rhel-avail.txt
-@@ -1,6 +1,3 @@
--CCE-27051-2
--CCE-26615-5
--CCE-26763-3
- CCE-26436-6
- CCE-26989-4
- CCE-26992-8
diff --git a/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-set-deny-prerequisite-#2.patch b/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-set-deny-prerequisite-#2.patch
deleted file mode 100644
index 5bc5cc7..0000000
--- a/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-set-deny-prerequisite-#2.patch
+++ /dev/null
@@ -1,142 +0,0 @@
-diff --git a/RHEL/6/input/system/accounts/pam.xml b/RHEL/6/input/system/accounts/pam.xml
-index b2da2a4..29fa69f 100644
---- a/RHEL/6/input/system/accounts/pam.xml
-+++ b/RHEL/6/input/system/accounts/pam.xml
-@@ -472,12 +472,17 @@ and a second to use unlock_time and set it to a Value
- <title>Set Deny For Failed Password Attempts</title>
- <description>
- To configure the system to lock out accounts after a number of incorrect login
--attempts using <tt>pam_faillock.so</tt>:
-+attempts using <tt>pam_faillock.so</tt>, modify the content of both
-+<tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt> as follows:
- <br /><br />
--Add the following lines immediately below the <tt>pam_unix.so</tt> statement in <tt>AUTH</tt> section of
--both <tt>/etc/pam.d/system-auth</tt> and /etc/pam.d/password-auth:
--<pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=604800 fail_interval=900</pre>
--<pre>auth required pam_faillock.so authsucc deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=604800 fail_interval=900</pre>
-+<ul>
-+<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
-+<p><pre>auth required pam_faillock.so preauth silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></p></li>
-+<li> add the following line immediately <tt>after</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
-+<p><pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></p></li>
-+<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>ACCOUNT</tt> section:
-+<p><pre>account required pam_faillock.so</pre></p></li>
-+</ul>
- </description>
- <ocil clause="that is not the case">
- To ensure the failed password attempt policy is configured correctly, run the following command:
-@@ -497,11 +502,17 @@ prevents direct password guessing attacks.
- <title>Set Lockout Time For Failed Password Attempts</title>
- <description>
- To configure the system to lock out accounts after a number of incorrect login
--attempts and require an administrator to unlock the account using <tt>pam_faillock.so</tt>:
-+attempts and require an administrator to unlock the account using <tt>pam_faillock.so</tt>,
-+modify the content of both <tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt> as follows:
- <br /><br />
--Add the following lines immediately below the <tt>pam_env.so</tt> statement in <tt>/etc/pam.d/system-auth</tt>:
--<pre>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=900</pre>
--<pre>auth required pam_faillock.so authsucc deny=3 unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=900</pre>
-+<ul>
-+<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
-+<p><pre>auth required pam_faillock.so preauth silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></p></li>
-+<li> add the following line immediately <tt>after</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
-+<p><pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></p></li>
-+<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>ACCOUNT</tt> section:
-+<p><pre>account required pam_faillock.so</pre></p></li>
-+</ul>
- </description>
- <ocil clause="that is not the case">
- To ensure the failed password attempt policy is configured correctly, run the following command:
-@@ -523,12 +534,16 @@ situations.
- <title>Set Interval For Counting Failed Password Attempts</title>
- <description>
- Utilizing <tt>pam_faillock.so</tt>, the <tt>fail_interval</tt> directive configures the system to lock out accounts after a number of incorrect login
--attempts.
-+attempts. Modify the content of both <tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt> as follows:
- <br /><br />
--Add the following <tt>fail_interval</tt> directives to <tt>pam_faillock.so</tt> immediately below the <tt>pam_env.so</tt> statement in
--<tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt>:
--<pre>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
--<pre>auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
-+<ul>
-+<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
-+<p><pre>auth required pam_faillock.so preauth silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></p></li>
-+<li> add the following line immediately <tt>after</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
-+<p><pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></p></li>
-+<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>ACCOUNT</tt> section:
-+<p><pre>account required pam_faillock.so</pre></p></li>
-+</ul>
- </description>
- <ocil clause="that is not the case">
- To ensure the failed password attempt policy is configured correctly, run the following command:
-diff --git a/RHEL/7/input/system/accounts/pam.xml b/RHEL/7/input/system/accounts/pam.xml
-index f5d9cdf..e6bcd60 100644
---- a/RHEL/7/input/system/accounts/pam.xml
-+++ b/RHEL/7/input/system/accounts/pam.xml
-@@ -498,12 +498,17 @@ and a second to use unlock_time and set it to a Value
- <title>Set Deny For Failed Password Attempts</title>
- <description>
- To configure the system to lock out accounts after a number of incorrect login
--attempts using <tt>pam_faillock.so</tt>:
-+attempts using <tt>pam_faillock.so</tt>, modify the content of both
-+<tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt> as follows:
- <br /><br />
--Add the following lines immediately below the <tt>pam_unix.so</tt> statement in <tt>AUTH</tt> section of
--both <tt>/etc/pam.d/system-auth</tt> and /etc/pam.d/password-auth:
--<pre>auth [default=die] pam_faillock.so authfail deny=<id subref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
--<pre>auth required pam_faillock.so authsucc deny=<id subref="var_accounts_passwords_pam_faillock_deny" />  unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
-+<ul>
-+<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
-+<p><pre>auth required pam_faillock.so preauth silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></p></li>
-+<li> add the following line immediately <tt>after</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
-+<p><pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></p></li>
-+<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>ACCOUNT</tt> section:
-+<p><pre>account required pam_faillock.so</pre></p></li>
-+</ul>
- </description>
- <ocil clause="that is not the case">
- To ensure the failed password attempt policy is configured correctly, run the following command:
-@@ -523,11 +528,17 @@ prevents direct password guessing attacks.
- <title>Set Lockout Time For Failed Password Attempts</title>
- <description>
- To configure the system to lock out accounts after a number of incorrect login
--attempts and require an administrator to unlock the account using <tt>pam_faillock.so</tt>:
-+attempts and require an administrator to unlock the account using <tt>pam_faillock.so</tt>,
-+modify the content of both <tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt> as follows:
- <br /><br />
--Add the following lines immediately below the <tt>pam_env.so</tt> statement in <tt>/etc/pam.d/system-auth</tt>:
--<pre>auth [default=die] pam_faillock.so authfail deny=<id subref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
--<pre>auth required pam_faillock.so authsucc deny=<id subref="var_accounts_passwords_pam_faillock_deny" />  unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
-+<ul>
-+<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
-+<p><pre>auth required pam_faillock.so preauth silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></p></li>
-+<li> add the following line immediately <tt>after</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
-+<p><pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></p></li>
-+<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>ACCOUNT</tt> section:
-+<p><pre>account required pam_faillock.so</pre></p></li>
-+</ul>
- </description>
- <ocil clause="that is not the case">
- To ensure the failed password attempt policy is configured correctly, run the following command:
-@@ -549,12 +560,16 @@ situations.
- <title>Set Interval For Counting Failed Password Attempts</title>
- <description>
- Utilizing <tt>pam_faillock.so</tt>, the <tt>fail_interval</tt> directive configures the system to lock out accounts after a number of incorrect login
--attempts.
-+attempts. Modify the content of both <tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt> as follows:
- <br /><br />
--Add the following <tt>fail_interval</tt> directives to <tt>pam_faillock.so</tt> immediately below the <tt>pam_env.so</tt> statement in
--<tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt>:
--<pre>auth [default=die] pam_faillock.so authfail deny=<id subref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
--<pre>auth required pam_faillock.so authsucc deny=<id subref="var_accounts_passwords_pam_faillock_deny" />  unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
-+<ul>
-+<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
-+<p><pre>auth required pam_faillock.so preauth silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></p></li>
-+<li> add the following line immediately <tt>after</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
-+<p><pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></p></li>
-+<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>ACCOUNT</tt> section:
-+<p><pre>account required pam_faillock.so</pre></p></li>
-+</ul>
- </description>
- <ocil clause="that is not the case">
- To ensure the failed password attempt policy is configured correctly, run the following command:
diff --git a/SOURCES/scap-security-guide-0.1.20-rhel7-shared-fix-limit-password-reuse-remediation.patch b/SOURCES/scap-security-guide-0.1.20-rhel7-shared-fix-limit-password-reuse-remediation.patch
deleted file mode 100644
index 2b77b38..0000000
--- a/SOURCES/scap-security-guide-0.1.20-rhel7-shared-fix-limit-password-reuse-remediation.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff --git a/RHEL/7/input/profiles/rht-ccp.xml b/RHEL/7/input/profiles/rht-ccp.xml
-index e611421..5236ffa 100644
---- a/RHEL/7/input/profiles/rht-ccp.xml
-+++ b/RHEL/7/input/profiles/rht-ccp.xml
-@@ -18,7 +18,7 @@
- <refine-value idref="var_password_pam_ocredit" selector="2"/>
- <refine-value idref="var_password_pam_lcredit" selector="2"/>
- <refine-value idref="var_password_pam_difok" selector="3"/>
--<refine-value idref="var_password_history_retain_limit" selector="5"/>
-+<refine-value idref="var_password_pam_unix_remember" selector="5"/>
- <refine-value idref="var_accounts_user_umask" selector="077"/>
- <refine-value idref="login_banner_text" selector="usgcb_default"/>
- 
-diff --git a/shared/fixes/bash/accounts_password_pam_unix_remember.sh b/shared/fixes/bash/accounts_password_pam_unix_remember.sh
-index 04e0767..98aecef 100644
---- a/shared/fixes/bash/accounts_password_pam_unix_remember.sh
-+++ b/shared/fixes/bash/accounts_password_pam_unix_remember.sh
-@@ -4,5 +4,5 @@ populate var_password_pam_unix_remember
- if grep -q "remember=" /etc/pam.d/system-auth; then   
- 	sed -i --follow-symlink "s/\(remember *= *\).*/\1$var_password_pam_unix_remember/" /etc/pam.d/system-auth
- else
--	sed -i --follow-symlink "/^password[\s]sufficient[\s]pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" /etc/pam.d/system-auth
-+	sed -i --follow-symlink "/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" /etc/pam.d/system-auth
- fi
diff --git a/SOURCES/scap-security-guide-0.1.20-rhel7-specify-exact-profile-name-when-generating-guide.patch b/SOURCES/scap-security-guide-0.1.20-rhel7-specify-exact-profile-name-when-generating-guide.patch
deleted file mode 100644
index 03cdfd6..0000000
--- a/SOURCES/scap-security-guide-0.1.20-rhel7-specify-exact-profile-name-when-generating-guide.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff --git a/RHEL/7/Makefile b/RHEL/7/Makefile
-index c3be98b..0f15c1d 100644
---- a/RHEL/7/Makefile
-+++ b/RHEL/7/Makefile
-@@ -44,11 +44,12 @@ checks:
- 
- guide: shorthand2xccdf
- #	remove auxiliary Groups which are only for use in tables, and not guide output.
--#	specifying a nonexistent profile, "allrules," to make oscap print all Rules
- 	xsltproc -o $(OUT)/unlinked-rhel7-xccdf-guide.xml $(TRANS)/xccdf-removeaux.xslt $(OUT)/unlinked-rhel7-xccdf.xml
- 	xsltproc -o $(OUT)/unlinked-notest-rhel7-xccdf-guide.xml $(TRANS)/xccdf-removetested.xslt $(OUT)/unlinked-rhel7-xccdf-guide.xml
--	oscap xccdf generate guide --profile allrules $(OUT)/unlinked-notest-rhel7-xccdf-guide.xml > $(OUT)/rhel7-guide.html
--	xsltproc -o $(OUT)/rhel7-guide-custom.html $(TRANS)/xccdf2html.xslt $(OUT)/unlinked-notest-rhel7-xccdf-guide.xml
-+#       OpenSCAP-1.1.1 expects exact profile name in order to include also rules into guide
-+#       Create guide for RHT-CCP profile
-+	oscap xccdf generate guide --profile rht-ccp $(OUT)/unlinked-notest-rhel7-xccdf-guide.xml > $(OUT)/rhel7-ccp-guide.html
-+	xsltproc -o $(OUT)/rhel7-ccp-guide-custom.html $(TRANS)/xccdf2html.xslt $(OUT)/unlinked-notest-rhel7-xccdf-guide.xml
- 
- # example, if needed: for converting XCCDF into shorthand
- #xccdf2shorthand:
diff --git a/SOURCES/scap-security-guide-0.1.20-shared-fix-set-deny-for-failed-password-attempts-remediation.patch b/SOURCES/scap-security-guide-0.1.20-shared-fix-set-deny-for-failed-password-attempts-remediation.patch
deleted file mode 100644
index e88e7a4..0000000
--- a/SOURCES/scap-security-guide-0.1.20-shared-fix-set-deny-for-failed-password-attempts-remediation.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-diff --git a/shared/fixes/bash/accounts_passwords_pam_faillock_deny.sh b/shared/fixes/bash/accounts_passwords_pam_faillock_deny.sh
-index ca11120..b1dbd3a 100644
---- a/shared/fixes/bash/accounts_passwords_pam_faillock_deny.sh
-+++ b/shared/fixes/bash/accounts_passwords_pam_faillock_deny.sh
-@@ -1,18 +1,36 @@
- source ./templates/support.sh
- populate var_accounts_passwords_pam_faillock_deny
- 
--for pamFile in "/etc/pam.d/system-auth /etc/pam.d/password-auth"
--do
-+AUTH_FILES[0]="/etc/pam.d/system-auth"
-+AUTH_FILES[1]="/etc/pam.d/password-auth"
- 
--	if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*deny=" $pamFile; then
--		sed -i --follow-symlink "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
--	else
--		sed -i --follow-symlink "/^auth.*[default=die].*pam_faillock.so.*authfail/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
--	fi
-+for pamFile in "${AUTH_FILES[@]}"
-+do
- 	
--	if grep -q "^auth.*[default=die].*pam_faillock.so.*authsucc.*deny=" /etc/pam.d/system-auth; then
--	        sed -i --follow-symlink "s/\(^auth.*[default=die].*pam_faillock.so.*authsucc.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
-+	# pam_faillock.so already present?
-+	if grep -q "^auth.*pam_faillock.so.*" $pamFile; then
-+
-+		# pam_faillock.so present, deny directive present?
-+		if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*deny=" $pamFile; then
-+
-+			# both pam_faillock.so & deny present, just correct deny directive value
-+			sed -i --follow-symlink "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
-+			sed -i --follow-symlink "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
-+
-+		# pam_faillock.so present, but deny directive not yet
-+		else
-+
-+			# append correct deny value to appropriate places
-+			sed -i --follow-symlink "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
-+			sed -i --follow-symlink "/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
-+		fi
-+
-+	# pam_faillock.so not present yet
- 	else
--	        sed -i --follow-symlink "/^auth.*[default=die].*pam_faillock.so.*authsucc/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
-+
-+		# insert pam_faillock.so preauth & authfail rows with proper value of the 'deny' option
-+		sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/i auth        required      pam_faillock.so preauth silent deny=$var_accounts_passwords_pam_faillock_deny" $pamFile
-+		sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/a auth        [default=die] pam_faillock.so authfail deny=$var_accounts_passwords_pam_faillock_deny" $pamFile
-+		sed -i --follow-symlink "/^account.*required.*pam_unix.so/i account     required      pam_faillock.so" $pamFile
- 	fi
- done
diff --git a/SOURCES/scap-security-guide-0.1.25-add-adjtimex-settimeofday-stime-rhel7-remediation.patch b/SOURCES/scap-security-guide-0.1.25-add-adjtimex-settimeofday-stime-rhel7-remediation.patch
new file mode 100644
index 0000000..b0b28d6
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.25-add-adjtimex-settimeofday-stime-rhel7-remediation.patch
@@ -0,0 +1,135 @@
+From bb68e10170f532fed47277d76eb74f4fad498039 Mon Sep 17 00:00:00 2001
+From: Jan Lieskovsky <jlieskov@redhat.com>
+Date: Fri, 24 Jul 2015 16:21:04 +0200
+Subject: [PATCH] [Enhancement] [RHEL/7] New RHEL-7 audit time remediations for
+ following rules: * audit_rules_time_adjtimex, *
+ audit_rules_time_settimeofday, and * audit_rules_time_stime
+
+Testing report:
+--------------
+Verified manually on RHEL-7 host the changes are working fine (in both
+scenarios, expected rule not at all present in audit.rules configuration,
+or expected rule partially present in audit.rules configuration)
+---
+ .../input/fixes/bash/audit_rules_time_adjtimex.sh  | 32 ++++++++++++++++++++++
+ .../fixes/bash/audit_rules_time_settimeofday.sh    | 32 ++++++++++++++++++++++
+ RHEL/7/input/fixes/bash/audit_rules_time_stime.sh  | 32 ++++++++++++++++++++++
+ 3 files changed, 96 insertions(+)
+ create mode 100644 RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh
+ create mode 100644 RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh
+ create mode 100644 RHEL/7/input/fixes/bash/audit_rules_time_stime.sh
+
+diff --git a/RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh b/RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh
+new file mode 100644
+index 0000000..43fdfbb
+--- /dev/null
++++ b/RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh
+@@ -0,0 +1,32 @@
++
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
++
++# Perform the remediation for the syscall rule
++# Retrieve hardware architecture of the underlying system
++[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
++
++for ARCH in "${RULE_ARCHS[@]}"
++do
++
++	PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *"
++
++	# Create expected audit group and audit rule form for particular system call & architecture
++	if [ ${ARCH} = "b32" ]
++	then
++		# stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
++		# so append it to the list of time group system calls to be audited
++		GROUP="\(adjtimex\|settimeofday\|stime\)"
++		FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules"
++	elif [ ${ARCH} = "b64" ]
++	then
++		# stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
++		# therefore don't add it to the list of time group system calls to be audited
++		GROUP="\(adjtimex\|settimeofday\)"
++		FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules"
++	fi
++
++	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
++	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
++	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
++done
+diff --git a/RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh b/RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh
+new file mode 100644
+index 0000000..43fdfbb
+--- /dev/null
++++ b/RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh
+@@ -0,0 +1,32 @@
++
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
++
++# Perform the remediation for the syscall rule
++# Retrieve hardware architecture of the underlying system
++[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
++
++for ARCH in "${RULE_ARCHS[@]}"
++do
++
++	PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *"
++
++	# Create expected audit group and audit rule form for particular system call & architecture
++	if [ ${ARCH} = "b32" ]
++	then
++		# stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
++		# so append it to the list of time group system calls to be audited
++		GROUP="\(adjtimex\|settimeofday\|stime\)"
++		FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules"
++	elif [ ${ARCH} = "b64" ]
++	then
++		# stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
++		# therefore don't add it to the list of time group system calls to be audited
++		GROUP="\(adjtimex\|settimeofday\)"
++		FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules"
++	fi
++
++	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
++	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
++	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
++done
+diff --git a/RHEL/7/input/fixes/bash/audit_rules_time_stime.sh b/RHEL/7/input/fixes/bash/audit_rules_time_stime.sh
+new file mode 100644
+index 0000000..43fdfbb
+--- /dev/null
++++ b/RHEL/7/input/fixes/bash/audit_rules_time_stime.sh
+@@ -0,0 +1,32 @@
++
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
++
++# Perform the remediation for the syscall rule
++# Retrieve hardware architecture of the underlying system
++[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
++
++for ARCH in "${RULE_ARCHS[@]}"
++do
++
++	PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *"
++
++	# Create expected audit group and audit rule form for particular system call & architecture
++	if [ ${ARCH} = "b32" ]
++	then
++		# stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
++		# so append it to the list of time group system calls to be audited
++		GROUP="\(adjtimex\|settimeofday\|stime\)"
++		FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules"
++	elif [ ${ARCH} = "b64" ]
++	then
++		# stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
++		# therefore don't add it to the list of time group system calls to be audited
++		GROUP="\(adjtimex\|settimeofday\)"
++		FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules"
++	fi
++
++	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
++	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
++	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
++done
diff --git a/SOURCES/scap-security-guide-0.1.25-downstream-rhel7-pci-dss-disable-selected-rules.patch b/SOURCES/scap-security-guide-0.1.25-downstream-rhel7-pci-dss-disable-selected-rules.patch
new file mode 100644
index 0000000..40bc76a
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.25-downstream-rhel7-pci-dss-disable-selected-rules.patch
@@ -0,0 +1,34 @@
+--- scap-security-guide-0.1.24/RHEL/7/input/profiles/pci-dss.xml.orig	2015-08-03 21:07:57.312866056 +0200
++++ scap-security-guide-0.1.24/RHEL/7/input/profiles/pci-dss.xml	2015-08-03 21:14:25.502325114 +0200
+@@ -46,15 +46,15 @@
+ <select idref="audit_rules_dac_modification_lsetxattr" selected="true"/>
+ <select idref="audit_rules_dac_modification_removexattr" selected="true"/>
+ <select idref="audit_rules_dac_modification_setxattr" selected="true"/>
+-<select idref="audit_rules_login_events" selected="true"/>
++<!-- <select idref="audit_rules_login_events" selected="true"/> reason: Incorrect OVAL, see: https://github.com/OpenSCAP/scap-security-guide/issues/607 -->
+ <select idref="audit_rules_session_events" selected="true"/>
+ <select idref="audit_rules_unsuccessful_file_modification" selected="true"/>
+-<select idref="audit_rules_privileged_commands" selected="true"/>
++<!-- <select idref="audit_rules_privileged_commands" selected="true"/> reason: Missing remediation -->
+ <select idref="audit_rules_media_export" selected="true"/>
+ <select idref="audit_rules_file_deletion_events" selected="true"/>
+ <select idref="audit_rules_sysadmin_actions" selected="true"/>
+ <select idref="audit_rules_kernel_module_loading" selected="true"/>
+-<select idref="audit_rules_immutable" selected="true"/>
++<!-- <select idref="audit_rules_immutable" selected="true"/> reason: Missing remediation -->
+ <select idref="service_chronyd_or_ntpd_enabled" selected="true"/>
+ <!-- <select idref="chronyd_specify_remote_server" selected="true"/> reason: needs to be implemented for RHEL-7 for chronyd service -->
+ <!-- <select idref="chronyd_specify_multiple_servers" selected="true"/> reason: needs to be implemented for RHEL-7 for chronyd service -->
+@@ -77,9 +77,9 @@
+ <select idref="account_disable_post_pw_expiration" selected="true"/>
+ <select idref="accounts_passwords_pam_faillock_deny" selected="true"/>
+ <select idref="accounts_passwords_pam_faillock_unlock_time" selected="true"/>
+-<select idref="dconf_gnome_screensaver_idle_delay" selected="true"/>
+-<select idref="dconf_gnome_screensaver_idle_activation_enabled" selected="true"/>
+-<select idref="dconf_gnome_screensaver_lock_enabled" selected="true"/>
++<!-- <select idref="dconf_gnome_screensaver_idle_delay" selected="true"/> reason: Missing remediation -->
++<!-- <select idref="dconf_gnome_screensaver_idle_activation_enabled" selected="true"/> reason: Missing remediation -->
++<!-- <select idref="dconf_gnome_screensaver_lock_enabled" selected="true"/> reason: Missing remediation -->
+ <!-- <select idref="dconf_gnome_screensaver_mode_blank" selected="true"/> reason: needs to be created for RHEL-7 -->
+ <select idref="sshd_set_idle_timeout" selected="true"/>
+ <select idref="accounts_password_pam_minlen" selected="true"/>
diff --git a/SOURCES/scap-security-guide-0.1.25-downstream-rhel7-pci-dss-drop-rpm-verify-permissions-rule.patch b/SOURCES/scap-security-guide-0.1.25-downstream-rhel7-pci-dss-drop-rpm-verify-permissions-rule.patch
new file mode 100644
index 0000000..5a1c0f9
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.25-downstream-rhel7-pci-dss-drop-rpm-verify-permissions-rule.patch
@@ -0,0 +1,10 @@
+--- scap-security-guide-0.1.25/RHEL/7/input/profiles/pci-dss.xml.orig	2015-10-02 10:52:46.420297787 +0200
++++ scap-security-guide-0.1.25/RHEL/7/input/profiles/pci-dss.xml	2015-10-02 10:54:06.309879851 +0200
+@@ -56,7 +56,6 @@
+ <select idref="service_chronyd_or_ntpd_enabled" selected="true"/>
+ <!-- <select idref="chronyd_specify_remote_server" selected="true"/> reason: needs to be implemented for RHEL-7 for chronyd service -->
+ <!-- <select idref="chronyd_specify_multiple_servers" selected="true"/> reason: needs to be implemented for RHEL-7 for chronyd service -->
+-<select idref="rpm_verify_permissions" selected="true"/>
+ <select idref="rpm_verify_hashes" selected="true"/>
+ <!-- <select idref="install_hids" selected="true"/> reason: needs to be implemented for both RHEL-6 & RHEL-7 -->
+ <!-- <select idref="rsyslog_file_permissions" selected="true"/> reason: needs to be implemented for RHEL-7 -->
diff --git a/SOURCES/scap-security-guide-0.1.25-update-upstream-manual-page.patch b/SOURCES/scap-security-guide-0.1.25-update-upstream-manual-page.patch
new file mode 100644
index 0000000..5c25653
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.25-update-upstream-manual-page.patch
@@ -0,0 +1,20 @@
+--- scap-security-guide-0.1.25/docs/scap-security-guide.8.orig	2015-08-19 18:58:32.408884940 +0200
++++ scap-security-guide-0.1.25/docs/scap-security-guide.8	2015-08-19 18:59:13.201694420 +0200
+@@ -105,17 +105,6 @@ The  common  profile is intended to be u
+ scanning of general-purpose Red Hat Enterprise Linux systems.
+ .RE
+ 
+-.SH Fedora PROFILES
+-The Fedora SSG content is broken into 'profiles,' groupings of security settings that
+-correlate to a known policy. Currently available profile:
+-
+-.I common
+-.RS
+-The common profile is intended to be used as a base, universal profile for
+-scanning of general-purpose Fedora systems.
+-.RE
+-
+-
+ .SH EXAMPLES
+ To scan your system utilizing the OpenSCAP utility against the
+ stig-rhel6-server-upstream profile:
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index ce8bb89..aa2cc05 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -1,29 +1,23 @@
-%global		redhatssgversion	19
+%global		redhatssgversion	25
 
 Name:		scap-security-guide
 Version:	0.1.%{redhatssgversion}
-Release:	2%{?dist}
+Release:	3%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 
 Group:		System Environment/Base
 License:	Public Domain
-URL:		https://fedorahosted.org/scap-security-guide/
-
-Source0:	http://repos.ssgproject.org/sources/%{name}-%{version}.tar.gz
-Patch1:		scap-security-guide-0.1.19-rhel7-include-only-rht-ccp-profile.patch
-Patch2:		scap-security-guide-0.1.19-rhel7-drop-restorecond-since-in-optional.patch
-Patch3:		scap-security-guide-0.1.19-rhel7-drop-cpuspeed-rule-since-obsolete.patch
-Patch4:		scap-security-guide-0.1.19-update-man-page-for-rhel7-content.patch
-Patch5:		scap-security-guide-0.1.19-rhel7-update-pam-XCCDF-to-use-pam_pwquality.patch
-Patch6:		scap-security-guide-0.1.20-rhel7-shared-fix-limit-password-reuse-remediation.patch
-Patch7:		scap-security-guide-0.1.20-rhel6-rhel7-PR#280-set-deny-prerequisite-#1.patch
-Patch8:		scap-security-guide-0.1.20-rhel6-rhel7-set-deny-prerequisite-#2.patch
-Patch9:		scap-security-guide-0.1.20-shared-fix-set-deny-for-failed-password-attempts-remediation.patch
-Patch10:	scap-security-guide-0.1.20-rhel7-specify-exact-profile-name-when-generating-guide.patch
+URL:		https://github.com/OpenSCAP/scap-security-guide
+Source0:	%{name}-%{version}.tar.gz
+Patch1:		scap-security-guide-0.1.19-rhel7-drop-cpuspeed-rule-since-obsolete.patch
+Patch2:		scap-security-guide-0.1.25-update-upstream-manual-page.patch
+Patch3:		scap-security-guide-0.1.25-add-adjtimex-settimeofday-stime-rhel7-remediation.patch
+Patch4:		scap-security-guide-0.1.25-downstream-rhel7-pci-dss-disable-selected-rules.patch
+Patch5:		scap-security-guide-0.1.25-downstream-rhel7-pci-dss-drop-rpm-verify-permissions-rule.patch
 BuildArch:	noarch
 
-BuildRequires:	libxslt, expat, python, openscap-scanner >= 1.1.1, python-lxml
-Requires:	xml-common, openscap-scanner >= 1.1.1
+BuildRequires:	libxslt, expat, python, openscap-scanner >= 1.2.5, python-lxml
+Requires:	xml-common, openscap-scanner >= 1.2.5
 
 %description
 The scap-security-guide project provides a guide for configuration of the
@@ -36,31 +30,43 @@ Enterprise Linux 7 system administrator can use the oscap command-line tool
 from the openscap-utils package to verify that the system conforms to provided
 guideline. Refer to scap-security-guide(8) manual page for further information.
 
+%package	doc
+Summary:	HTML formatted documents containing security guides generated from XCCDF benchmarks.
+Group:		System Environment/Base
+Requires:	%{name} = %{version}-%{release}
+
+%description	doc
+The %{name}-doc package contains HTML formatted documents containing security guides that have
+been generated from XCCDF benchmarks present in %{name} package.
+
 %prep
 %setup -q -n %{name}-%{version}
-# For RHEL-7 include only RHT-CCP profile
-%patch1 -p1 -b .rht-ccp-only
-# Drop restorecond due to https://github.com/OpenSCAP/scap-security-guide/issues/258
-%patch2 -p1 -E -b .drop-restorecond
 # Drop cpuspeed rule since obsoleted in Fedora-16 by cpupower from kernel-tools RPM
 # http://marc.info/?l=fedora-devel-list&m=131107769617369&w=2
-%patch3 -p1 -b .drop-cpuspeed
-# Update manual page to be more appropriate against RHEL-7
-%patch4 -p1 -b .manual-page
-# Update pam.xml to use pam_pwquality instead of pam_cracklib
-%patch5 -p1 -b .replace-pam_cracklib
-# Fix 'Limit Password Reuse' remediation error
-%patch6 -p1 -b .reuse
-# Fix 'Set Deny For Failed Password Attempts' remediation error
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1 -b .set-deny
-# Specify exact profile name when generating RHEL-7 HTML guide
-%patch10 -p1 -b .exact-profile
+%patch1 -p1 -b .drop-cpuspeed
+# Update manual page to drop the part dedicated to Fedora content
+%patch2 -p1 -b .man_page_update
+# Downstream -- Add RHEL-7 remediation for 'audit_rules_time_adjtimex', 'audit_rules_time_settimeofday', and
+# 'audit_rules_time_stime' rules
+%patch3 -p1 -b .adjtimex_settimeofday_stime
+# Downstream
+# RHEL-7 PCI-DSS profile disable selected rules:
+# * dconf_gnome_screensaver_idle_delay -- missing RHEL-7 remediation
+# * dconf_gnome_screensaver_idle_activation -- missing RHEL-7 remediation
+# * dconf_gnome_screensaver_lock_enabled -- missing RHEL-7 remediation
+# * audit_rules_login_events -- incorrect OVAL, see https://github.com/OpenSCAP/scap-security-guide/issues/607
+# * audit_rules_privileged_commands -- missing RHEL-7 remediation, and
+# * audit_rules_immutable -- missing RHEL-7 remediation
+%patch4 -p1 -b .rhel7_pcidss_downstream_disabled
+# Temporarily drop "Verify and Correct File Permissions with RPM"
+# rule from RHEL-7's PCI-DSS profile (RH BZ#1267861)
+%patch5 -p1 -b .rhel7_pcidss_drop_rpm_verify_permissions_rule
 
 %build
-(cd RHEL/6 && make dist)
 (cd RHEL/7 && make dist)
+(cd RHEL/6 && make dist)
+(cd Firefox && make dist)
+(cd JRE && make dist)
 
 %install
 
@@ -68,21 +74,110 @@ mkdir -p %{buildroot}%{_datadir}/xml/scap/ssg/content
 mkdir -p %{buildroot}%{_mandir}/en/man8/
 
 # Add in RHEL-7 core content (SCAP)
-cp -a RHEL/7/dist/content/* %{buildroot}%{_datadir}/xml/scap/ssg/content/
+cp -a RHEL/7/dist/content/ssg-rhel7-cpe-dictionary.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
+cp -a RHEL/7/dist/content/ssg-rhel7-cpe-oval.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
+cp -a RHEL/7/dist/content/ssg-rhel7-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
+cp -a RHEL/7/dist/content/ssg-rhel7-oval.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
+cp -a RHEL/7/dist/content/ssg-rhel7-xccdf.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
 
 # Add in RHEL-6 datastream (SCAP)
 cp -a RHEL/6/dist/content/ssg-rhel6-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content
 
+# Add in Firefox datastream (SCAP)
+cp -a Firefox/dist/content/ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content
+
+# Add in Java Runtime Environment (JRE) datastream (SCAP)
+cp -a JRE/dist/content/ssg-jre-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content
+
+# Add in library for remediations
+mkdir -p %{buildroot}%{_datadir}/%{name}
+cp -a shared/fixes/bash/templates/remediation_functions %{buildroot}%{_datadir}/%{name}/remediation_functions
+
+# Add in RHEL-6 kickstart files
+mkdir -p %{buildroot}%{_datadir}/%{name}/kickstart
+cp -a RHEL/6/kickstart/ssg-rhel6-stig-ks.cfg  %{buildroot}%{_datadir}/%{name}/kickstart/
+cp -a RHEL/6/kickstart/ssg-rhel6-usgcb-server-with-gui-ks.cfg %{buildroot}%{_datadir}/%{name}/kickstart/
+# Add in RHEL-7 kickstart files
+cp -a RHEL/7/kickstart/ssg-rhel7-pci-dss-server-with-gui-oaa-ks.cfg %{buildroot}%{_datadir}/%{name}/kickstart/
+
 # Add in manpage
-cp -a RHEL/6/input/auxiliary/scap-security-guide.8 %{buildroot}%{_mandir}/en/man8/scap-security-guide.8
+cp -a docs/scap-security-guide.8 %{buildroot}%{_mandir}/en/man8/scap-security-guide.8
 
 %files
 %defattr(-,root,root,-)
 %{_datadir}/xml/scap
+%{_datadir}/%{name}
 %lang(en) %{_mandir}/en/man8/scap-security-guide.8.gz
-%doc RHEL/6/LICENSE RHEL/6/output/rhel6-guide.html RHEL/7/output/rhel7-ccp-guide.html RHEL/6/output/table-rhel6-cces.html RHEL/7/output/table-rhel7-cces.html RHEL/6/output/table-rhel6-nistrefs-common.html RHEL/6/output/table-rhel6-nistrefs.html RHEL/6/output/table-rhel6-srgmap-flat.html RHEL/6/output/table-rhel6-srgmap-flat.xhtml RHEL/6/output/table-rhel6-srgmap.html RHEL/6/output/table-rhel6-stig.html RHEL/6/input/auxiliary/DISCLAIMER
+%doc ./LICENSE RHEL/6/output/table-rhel6-cces.html RHEL/7/output/table-rhel7-cces.html RHEL/6/output/table-rhel6-nistrefs-common.html RHEL/6/output/table-rhel6-nistrefs.html RHEL/6/output/table-rhel6-srgmap-flat.html RHEL/6/output/table-rhel6-srgmap-flat.xhtml RHEL/6/output/table-rhel6-srgmap.html RHEL/6/output/table-rhel6-stig.html RHEL/6/input/auxiliary/DISCLAIMER
+
+%files doc
+%defattr(-,root,root,-)
+%doc RHEL/6/output/ssg-rhel6-guide-*.html RHEL/7/output/ssg-rhel7-guide-*.html JRE/output/ssg-jre-guide-*.html Firefox/output/ssg-firefox-guide-*.html
 
 %changelog
+* Fri Oct 02 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.25-3
+- Drop "Verify and Correct File Permissions with RPM" rule from the PCI-DSS
+  profile for Red Hat Enterprise Linux 7 (RH BZ#1267861)
+
+* Wed Sep 09 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.25-2
+- Update R and BR for the openscap-scanner package to 1.2.5 per RHBZ#1202762#c7
+
+* Wed Aug 19 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.25-1
+- Rebase to upstream 0.1.25 release
+
+* Tue Aug 04 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.24-4
+- Fix false-positive in OVAL check for 'accounts_passwords_pam_faillock_deny'
+  rule
+
+* Mon Aug 03 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.24-3
+- Add remediation script for 'accounts_passwords_pam_faillock_unlock_time' rule
+  for Red Hat Enterprise Linux 7 product
+- Override title and description for all existing profiles for Red Hat
+  Enterprise Linux 6 product that are extending another SCAP profile
+  (RHBZ#1246529)
+- Correct various issues in the included Oscap Anaconda Addon PCI-DSS profile
+  kickstart file for Red Hat Enterprise Linux 7 product
+- Add remediation script for 'audit_rules_time_clock_settime' rule for
+  Red Hat Enterprise Linux 7 product
+- Add remediation scripts for 'audit_rules_time_adjtimex',
+  'audit_rules_time_settimeofday', and 'audit_rules_time_stime' rules for
+  Red Hat Enterprise Linux 7 product
+- Tag current PCI-DSS profile for Red Hat Enterprise Linux 7 product with
+  "Draft" label
+- Disable the following rules in the PCI-DSS profile for the Red Hat Enterprise
+  Linux 7 product:
+  * dconf_gnome_screensaver_idle_delay -- missing remediation script,
+  * dconf_gnome_screensaver_idle_activation -- missing remediation script,
+  * dconf_gnome_screensaver_lock_enabled -- missing remediation script,
+  * audit_rules_login_events -- incorrect OVAL check (upstream issue #607),
+  * audit_rules_privileged_commands -- missing remediation script, and
+  * audit_rules_immutable -- missing remediation script.
+
+* Mon Aug 03 2015 Martin Preisler <mpreisle@redhat.com> 0.1.24-2
+- Break-down firewalld rule description for Red Hat Enterprise Linux 7 product
+  into multiple lines, prevents HTML guide UX issues
+
+* Tue Jul 07 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.24-1
+- Rebase to upstream scap-security-guide-0.1.24 version
+- Start producing the -doc subpackage to provide the HTML formatted
+  documents containing security guides generated from shipped XCCDF benchmarks
+
+* Mon Jun 22 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.23-1
+- Rebase to upstream scap-security-guide-0.1.23 version
+- Update upstream tarball source URL to GitHub archive location
+- Drop the following patches that have been accepted upstream:
+  * scap-security-guide-0.1.19-rhel7-include-only-rht-ccp-profile.patch
+  * scap-security-guide-0.1.19-rhel7-drop-restorecond-since-in-optional.patch
+  * scap-security-guide-0.1.19-update-man-page-for-rhel7-content.patch
+  * scap-security-guide-0.1.19-rhel7-update-pam-XCCDF-to-use-pam_pwquality.patch
+  * scap-security-guide-0.1.20-rhel7-shared-fix-limit-password-reuse-remediation.patch
+  * scap-security-guide-0.1.20-rhel6-rhel7-PR#280-set-deny-prerequisite-#1.patch
+  * scap-security-guide-0.1.20-rhel6-rhel7-set-deny-prerequisite-#2.patch
+  * scap-security-guide-0.1.20-shared-fix-set-deny-for-failed-password-attempts-remediation.patch
+  * scap-security-guide-0.1.20-rhel7-specify-exact-profile-name-when-generating-guide.patch
+- Include the datastream versions of Firefox and Java Runtime Environment (JRE) benchmarks
+- Include USGCB and DISA STIG profile kickstart files for Red Hat Enterprise Linux 6
+
 * Tue Oct 21 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.19-2
 - Fix Limit Password Reuse remediation script error
 - Fix Set Deny For Failed Password Attempts remediation script error