diff --git a/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml b/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml

index a00fc16..dc1b249 100644

--- a/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml

+++ b/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml

@@ -99,7 +99,7 @@ upstream project homepage is https://fedorahosted.org/scap-security-guide/.

 <refine-value idref="var_accounts_passwords_pam_faillock_fail_interval" selector="900"/>

-<refine-value idref="var_password_pam_unix_remember" selector="24"/>

+<refine-value idref="var_password_pam_unix_remember" selector="5"/>

 <refine-value idref="var_accounts_maximum_age_login_defs" selector="60"/>

 <refine-value idref="var_accounts_minimum_age_login_defs" selector="1"/>

diff --git a/RHEL/6/input/system/accounts/pam.xml b/RHEL/6/input/system/accounts/pam.xml

index adf0aaf..b2da2a4 100644

--- a/RHEL/6/input/system/accounts/pam.xml

+++ b/RHEL/6/input/system/accounts/pam.xml

@@ -48,7 +48,7 @@ operator="equals" interactive="0">

 <tt>/etc/security/opasswd</tt> in order to force password change history and

 keep the user from alternating between the same password too

 frequently.</description>

-<value selector="">24</value>

+<value selector="">5</value>

 <value selector="0">0</value>

 <value selector="5">5</value>

 <value selector="10">10</value>

@@ -342,7 +342,7 @@ more difficult by ensuring a larger search space.

 usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to

 contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional

 length credit for each special character.

-Add <tt>ocredit=-1</tt> after pam_cracklib.so to require use of a special character in passwords.

+Add <tt>ocredit=<sub idref="var_password_pam_ocredit" /></tt> after pam_cracklib.so to require use of a special character in passwords.

 </description>

 <ocil clause="ocredit is not found or not set to the required value">

 To check how many special characters are required in a password, run the following command:

@@ -357,7 +357,7 @@ more difficult by ensuring a larger search space.

 </rationale>

 <ident cce="26409-3" />

 <oval id="accounts_password_pam_ocredit" value="var_password_pam_ocredit"/>

-<ref nist="IA-5(b),IA-5(c),IA-5(1)(a)" disa="1619" />

+<ref nist="IA-5(b),IA-5(c),IA-5(1)(a)" disa="1619" srg="266" />

 <tested by="DS" on="20121024"/>

 </Rule>

@@ -551,7 +551,7 @@ be accomplished by using the <tt>remember</tt> option for the <tt>pam_unix</tt>

 module.  In the file <tt>/etc/pam.d/system-auth</tt>, append <tt>remember=<sub idref="var_password_pam_unix_remember" /></tt> to the

 line which refers to the <tt>pam_unix.so</tt> module, as shown:

 
password sufficient pam_unix.so existing_options remember=<sub idref="var_password_pam_unix_remember" />

-The DoD and FISMA requirement is 24 passwords.</description>

+The DoD STIG requirement is 5 passwords.</description>

 <ocil clause="it does not">

 To verify the password reuse setting is compliant, run the following command:

 
$ grep remember /etc/pam.d/system-auth

diff --git a/RHEL/6/input/system/accounts/restrictions/password_expiration.xml b/RHEL/6/input/system/accounts/restrictions/password_expiration.xml

index e4af5aa..a8e90c2 100644

--- a/RHEL/6/input/system/accounts/restrictions/password_expiration.xml

+++ b/RHEL/6/input/system/accounts/restrictions/password_expiration.xml

@@ -159,7 +159,7 @@ increases the risk of users writing down the password in a convenient

 location subject to physical compromise.</rationale>

 <ident cce="26985-2" />

 <oval id="accounts_maximum_age_login_defs" value="var_accounts_maximum_age_login_defs"/>

-<ref nist="IA-5(f),IA-5(g),IA-5(1)(d)" disa="180,199" />

+<ref nist="IA-5(f),IA-5(g),IA-5(1)(d)" disa="180,199" srg="76" />

 <tested by="DS" on="20121026"/>

 </Rule>

diff --git a/RHEL/7/input/checks/accounts_password_pam_minlen.xml b/RHEL/7/input/checks/accounts_password_pam_minlen.xml

new file mode 100644

index 0000000..77f89af

--- /dev/null

+++ b/RHEL/7/input/checks/accounts_password_pam_minlen.xml

@@ -0,0 +1,40 @@

+<def-group>

+  <definition class="compliance" id="accounts_password_pam_minlen" version="1">

+    <metadata>

+      <title>Set Password minlen Requirements</title>

+      <affected family="unix">

+        <platform>Red Hat Enterprise Linux 7</platform>

+      </affected>

+      <description>The password minlen should meet minimum requirements</description>

+      <reference source="swells" ref_id="20140926" ref_url="test_attestation" />

+    </metadata>

+    <criteria operator="AND" comment="system is RHEL7 with pam_pwquality configured">

+      <extend_definition comment="RHEL7 installed" definition_ref="installed_OS_is_rhel7" />

+      <criterion comment="rhel7 pam_pwquality" test_ref="test_password_pam_pwquality_minlen" />

+    </criteria>

+  </definition>

+

+  

+  

+  comment="check the configuration of /etc/pam.d/system-auth pwquality"

+  id="test_password_pam_pwquality_minlen" version="1">

+    <ind:object object_ref="obj_password_pam_pwquality_minlen" />

+    <ind:state state_ref="state_password_pam_minlen" />

+  </ind:textfilecontent54_test>

+

+  

+  version="1">

+    <ind:filepath>/etc/pam.d/system-auth</ind:filepath>

+    <ind:pattern operation="pattern match">^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*minlen=(-?\d+)(?:[\s]|$)</ind:pattern>

+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

+  </ind:textfilecontent54_object>

+

+  

+  <ind:textfilecontent54_state id="state_password_pam_minlen" version="1">

+    <ind:instance datatype="int">1</ind:instance>

+    <ind:subexpression datatype="int" operation="greater than or equal" var_ref="var_password_pam_minlen" />

+  </ind:textfilecontent54_state>

+

+  <external_variable comment="External variable for pam_cracklib minlen" datatype="int" id="var_password_pam_minlen" version="1" />

+

+</def-group>

diff --git a/RHEL/7/input/fixes/bash/accounts_password_pam_minlen.sh b/RHEL/7/input/fixes/bash/accounts_password_pam_minlen.sh

new file mode 100644

index 0000000..5bc5b0f

--- /dev/null

+++ b/RHEL/7/input/fixes/bash/accounts_password_pam_minlen.sh

@@ -0,0 +1,8 @@

+source ./templates/support.sh

+populate var_password_pam_minlen

+

+if grep -q "minlen=" /etc/pam.d/system-auth; then   

+	sed -i --follow-symlink "s/\(minlen *= *\).*/\1$var_password_pam_minlen/" /etc/pam.d/system-auth

+else

+	sed -i --follow-symlink "/pam_pwquality.so/ s/$/ minlen=$var_password_pam_minlen/" /etc/pam.d/system-auth

+fi

diff --git a/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml b/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml

index ef079b4..19a06b3 100644

--- a/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml

+++ b/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml

@@ -2,6 +2,36 @@

 <title>Pre-release Draft STIG for RHEL 7 Server</title>

 <description>This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.</description>

+

+     and should not be manipulated -->

+<refine-value idref="var_password_pam_unix_remember" selector="5" />

+<refine-value idref="var_accounts_maximum_age_login_defs" selector="60" />

+<refine-value idref="var_password_pam_ocredit" selector="1" />

+<refine-value idref="var_password_pam_ucredit" selector="1" />

+<refine-value idref="var_password_pam_lcredit" selector="1" />

+<refine-value idref="var_password_pam_dcredit" selector="1" />

+<refine-value idref="var_password_pam_minlen" selector="15" />

+<refine-value idref="var_password_pam_difok" selector="15" />

+<refine-value idref="var_accounts_minimum_age_login_defs" selector="1" />

+<refine-value idref="var_accounts_passwords_pam_faillock_fail_interval" selector="900" />

+<refine-value idref="var_accounts_passwords_pam_faillock_deny" selector="3" />

+

+

+

+

 <select idref="encrypt_partitions" selected="true"/>

+

+<select idref="accounts_maximum_age_login_defs" selected="true" />

+<select idref="accounts_password_pam_unix_remember" selected="true" />

+<select idref="accounts_password_pam_ocredit" selected="true" />

+<select idref="accounts_password_pam_ucredit" selected="true" />

+<select idref="accounts_password_pam_lcredit" selected="true" />

+<select idref="accounts_password_pam_dcredit" selected="true" />

+<select idref="accounts_password_pam_minlen" selected="true" />

+<select idref="accounts_password_pam_difok" selected="true" />

+<select idref="accounts_minimum_age_login_defs" selected="true" />

+<select idref="accounts_passwords_pam_fail_interval" selected="true" />

+<select idref="accounts_passwords_pam_faillock_deny" selected="true" />

+

 </Profile>

diff --git a/RHEL/7/input/system/accounts/pam.xml b/RHEL/7/input/system/accounts/pam.xml

index 3cdd433..f5d9cdf 100644

--- a/RHEL/7/input/system/accounts/pam.xml

+++ b/RHEL/7/input/system/accounts/pam.xml

@@ -48,7 +48,7 @@ operator="equals" interactive="0">

 <tt>/etc/security/opasswd</tt> in order to force password change history and

 keep the user from alternating between the same password too

 frequently.</description>

-<value selector="">24</value>

+<value selector="">5</value>

 <value selector="0">0</value>

 <value selector="5">5</value>

 <value selector="10">10</value>

@@ -137,13 +137,14 @@ reason.</warning>

 <Value id="var_password_pam_minlen" type="number" operator="equals" interactive="0">

 <title>minlen</title>

 <description>Minimum number of characters in password</description>

-<value selector="">14</value>

+<value selector="">15</value>

 <value selector="6">6</value>

 <value selector="8">8</value>

 <value selector="10">10</value>

 <value selector="12">12</value>

 <value selector="14">14</value>

+

 <value selector="15">15</value>

 </Value>

@@ -190,11 +191,12 @@ password</description>

 password</description>

 <warning category="general">Keep this high for short

 passwords</warning>

-<value selector="">4</value>

+<value selector="">15</value>

 <value selector="2">2</value>

 <value selector="3">3</value>

 <value selector="4">4</value>

 <value selector="5">5</value>

+<value selector="15">15</value>

 </Value>

 <Value id="var_password_pam_minclass" type="number" operator="equals" interactive="0">

@@ -306,10 +308,34 @@ search space.

 </rationale>

 <ident cce="27163-5" />

 <oval id="accounts_password_pam_dcredit" value="var_password_pam_dcredit"/>

-<ref nist="IA-5(b),IA-5(c),194" disa=""/>

+<ref nist="IA-5(b),IA-5(c),194" disa="194" srg="71"/>

 <tested by="DS" on="20121024"/>

 </Rule>

+<Rule id="accounts_password_pam_minlen">

+<title>Set Password Minimum Length</title>

+<description>The pam_pwquality module's <tt>minlen</tt> parameter controls requirements for

+minimum characters required in a password. Add <tt>minlen=<sub idref="var_password_pam_minlen" /></tt>

+after pam_pwquality to set minimum password length requirements.

+</description>

+<ocil clause="minlen is not found or not set to the required value (or higher)">

+To check how many characters are required in a password, run the following command:

+
$ grep pam_pwquality /etc/pam.d/system-auth

+Your output should contain <tt>minlen=<sub idref="var_password_pam_minlen" /></tt>

+</ocil>

+<rationale>

+Password length is one factor of several that helps to determine

+strength and how long it takes to crack a password. Use of more characters in

+a password helps to exponentially increase the time and/or resources

+required to compromise the password.

+</rationale>

+<ident cce="26615-5" />

+<oval id="accounts_password_pam_minlen" value="var_password_pam_minlen" />

+<ref nist="IA-5(1)(a)" disa="205" srg="78" />

+<tested by="swells" on="20140928" />

+</Rule>

+

+

 <Rule id="accounts_password_pam_ucredit">

 <title>Set Password Strength Minimum Uppercase Characters</title>

 <description>The pam_pwquality module's <tt>ucredit=</tt> parameter controls requirements for

@@ -331,18 +357,18 @@ more difficult by ensuring a larger search space.

 </rationale>

 <ident cce="26988-6" />

 <oval id="accounts_password_pam_ucredit" value="var_password_pam_ucredit"/>

-<ref nist="IA-5(b),IA-5(c),IA-5(1)(a)" disa="" />

+<ref nist="IA-5(b),IA-5(c),IA-5(1)(a)" disa="192" srg="69" />

 <tested by="DS" on="20121024"/>

 </Rule>

 <Rule id="accounts_password_pam_ocredit">

 <title>Set Password Strength Minimum Special Characters</title>

 <description>The pam_pwquality module's <tt>ocredit=</tt> parameter controls requirements for

-usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to

+usage of special (or "other") characters in a password. When set to a negative number, any password will be required to

 contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional

 length credit for each special character.

-Add <tt>ocredit=-1</tt> after pam_pwquality.so to require use of a special character in passwords.

-</description>

+Add <tt>ocredit=<sub idref="var_password_pam_ocredit" /></tt> after pam_pwquality.so to 

+require use of a special character in passwords.</description>

 <ocil clause="ocredit is not found or not set to the required value">

 To check how many special characters are required in a password, run the following command:

 
$ grep pam_pwquality /etc/pam.d/system-auth

@@ -356,7 +382,7 @@ more difficult by ensuring a larger search space.

 </rationale>

 <ident cce="27151-0" />

 <oval id="accounts_password_pam_ocredit" value="var_password_pam_ocredit"/>

-<ref nist="IA-5(b),IA-5(c),IA-5(1)(a)" disa="" />

+<ref nist="IA-5(b),IA-5(c),IA-5(1)(a)" disa="1619" srg="266" />

 <tested by="DS" on="20121024"/>

 </Rule>

@@ -381,7 +407,7 @@ more difficult by ensuring a larger search space.

 </rationale>

 <ident cce="27111-4" />

 <oval id="accounts_password_pam_lcredit" value="var_password_pam_lcredit"/>

-<ref nist="IA-5(b),IA-5(c),IA-5(1)(a)" disa="" />

+<ref nist="IA-5(b),IA-5(c),IA-5(1)(a)" disa="193" srg="70" />

 <tested by="DS" on="20121024"/>

 </Rule>

@@ -391,14 +417,14 @@ more difficult by ensuring a larger search space.

 usage of different characters during a password change.

 Add <tt>difok=NUM</tt> after pam_pwquality.so to require differing

 characters when changing passwords, substituting NUM appropriately.

-The DoD requirement is <tt>4</tt>.

+The DoD requirement is <tt>15</tt>.

 </description>

 <ocil clause="difok is not found or not set to the required value">

 To check how many characters must differ during a password change, run the following command:

 
$ grep pam_pwquality /etc/pam.d/system-auth

 The <tt>difok</tt> parameter will indicate how many characters must differ.

-The DoD requires four characters differ during a password change.

-This would appear as <tt>difok=4</tt>.

+The DoD requires 15 characters differ during a password change.

+This would appear as <tt>difok=15</tt>.

 </ocil>

 <rationale>

 Requiring a minimum number of different characters during password changes ensures that

@@ -407,7 +433,7 @@ Note that passwords which are changed on compromised systems will still be compr

 </rationale>

 <ident cce="26631-2" />

 <oval id="accounts_password_pam_difok" value="var_password_pam_difok"/>

-<ref nist="IA-5(b),IA-5(c),IA-5(1)(b)" disa=""/>

+<ref nist="IA-5(b),IA-5(c),IA-5(1)(b)" disa="195" srg="72" />

 <tested by="DS" on="20121024"/>

 </Rule>

@@ -476,13 +502,13 @@ attempts using <tt>pam_faillock.so</tt>:

 Add the following lines immediately below the <tt>pam_unix.so</tt> statement in <tt>AUTH</tt> section of

 both <tt>/etc/pam.d/system-auth</tt> and /etc/pam.d/password-auth:

-
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900

-
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900

+
auth [default=die] pam_faillock.so authfail deny=<id subref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" />

+
auth required pam_faillock.so authsucc deny=<id subref="var_accounts_passwords_pam_faillock_deny" />  unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" />

 </description>

 <ocil clause="that is not the case">

 To ensure the failed password attempt policy is configured correctly, run the following command:

 
$ grep pam_faillock /etc/pam.d/system-auth

-The output should show <tt>deny=3</tt>.

+The output should show <tt>deny=<id subref="var_accounts_passwords_pam_faillock_deny" /></tt>.

 </ocil>

 <rationale>

 Locking out user accounts after a number of incorrect attempts

@@ -490,7 +516,7 @@ prevents direct password guessing attacks.

 </rationale>

 <ident cce="26891-2" />

 <oval id="accounts_passwords_pam_faillock_deny" value="var_accounts_passwords_pam_faillock_deny"/>

-<ref nist="AC-7(a)" disa="" />

+<ref nist="AC-7(a)" disa="44" srg="21" />

 </Rule>

 <Rule id="accounts_passwords_pam_faillock_unlock_time" severity="medium">

@@ -500,8 +526,8 @@ To configure the system to lock out accounts after a number of incorrect login

 attempts and require an administrator to unlock the account using <tt>pam_faillock.so</tt>:

 Add the following lines immediately below the <tt>pam_env.so</tt> statement in <tt>/etc/pam.d/system-auth</tt>:

-
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900

-
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900

+
auth [default=die] pam_faillock.so authfail deny=<id subref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" />

+
auth required pam_faillock.so authsucc deny=<id subref="var_accounts_passwords_pam_faillock_deny" />  unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" />

 </description>

 <ocil clause="that is not the case">

 To ensure the failed password attempt policy is configured correctly, run the following command:

@@ -527,43 +553,46 @@ attempts.

 Add the following <tt>fail_interval</tt> directives to <tt>pam_faillock.so</tt> immediately below the <tt>pam_env.so</tt> statement in

 <tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt>:

-
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900

-
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900

+
auth [default=die] pam_faillock.so authfail deny=<id subref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" />

+
auth required pam_faillock.so authsucc deny=<id subref="var_accounts_passwords_pam_faillock_deny" />  unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" />

 </description>

 <ocil clause="that is not the case">

 To ensure the failed password attempt policy is configured correctly, run the following command:

 
$ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth

-For each file, the output should show <tt>fail_interval=<interval-in-seconds></tt> where <tt>interval-in-seconds</tt> is 900 (15 minutes) or greater.  If the <tt>fail_interval</tt> parameter is not set, the default setting of 900 seconds is acceptable.

+For each file, the output should show <tt>fail_interval=<interval-in-seconds></tt> where <tt>interval-in-seconds</tt> is 

+<tt><id subref="var_accounts_passwords_pam_faillock_fail_interval" /></tt>  or greater. 

+If the <tt>fail_interval</tt> parameter is not set, the default setting of 900 seconds is acceptable.

 </ocil>

 <rationale>

 Locking out user accounts after a number of incorrect attempts within a

 specific period of time prevents direct password guessing attacks.

 </rationale>

-<ident cce="RHEL7-CCE-TBD" />

+<ident cce="26763-3" />

 <oval id="accounts_passwords_pam_fail_interval" value="var_accounts_passwords_pam_faillock_fail_interval"/>

-<ref nist="AC-7(a)" disa="1452" />

+<ref nist="AC-7(a)" disa="44" srg="21" />

 </Rule>

 <Rule id="accounts_password_pam_unix_remember" severity="medium">

 <title>Limit Password Reuse</title>

 <description>Do not allow users to reuse recent passwords. This can

 be accomplished by using the <tt>remember</tt> option for the <tt>pam_unix</tt> PAM

-module.  In the file <tt>/etc/pam.d/system-auth</tt>, append <tt>remember=24</tt> to the 

+module.  In the file <tt>/etc/pam.d/system-auth</tt>, append

+<tt>remember=<sub idref="var_password_pam_unix_remember" /></tt> to the 

 line which refers to the <tt>pam_unix.so</tt> module, as shown:

-
password sufficient pam_unix.so existing_options remember=24

-The DoD and FISMA requirement is 24 passwords.</description>

+
password sufficient pam_unix.so existing_options remember=<sub idref="var_password_pam_unix_remember" />

+The DoD STIG requirement is 5 passwords.</description>

 <ocil clause="it does not">

 To verify the password reuse setting is compliant, run the following command:

 
$ grep remember /etc/pam.d/system-auth

 The output should show the following at the end of the line:

-
remember=24

+
remember=<sub idref="var_password_pam_unix_rememer" />

 </ocil>

 <rationale>

 Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.

 </rationale>

 <ident cce="26923-3" />

 <oval id="accounts_password_pam_unix_remember" value="var_password_pam_unix_remember" />

-<ref nist="IA-5(f),IA-5(1)(e)" disa="" />

+<ref nist="IA-5(f),IA-5(1)(e)" disa="200" srg="77" />

 <tested by="DS" on="20121024"/>

 </Rule>

 </Group>

diff --git a/RHEL/7/input/system/accounts/restrictions/password_expiration.xml b/RHEL/7/input/system/accounts/restrictions/password_expiration.xml

index d79c4a8..9e56b9d 100644

--- a/RHEL/7/input/system/accounts/restrictions/password_expiration.xml

+++ b/RHEL/7/input/system/accounts/restrictions/password_expiration.xml

@@ -60,8 +60,8 @@ age, and 7 day warning period with the following command:

 <value selector="">7</value>

 <value selector="7">7</value>

 <value selector="5">5</value>

-<value selector="1">1</value>

 <value selector="2">2</value>

+<value selector="1">1</value>

 <value selector="0">0</value>

 </Value>

@@ -131,7 +131,7 @@ after satisfying the password reuse requirement.

 </rationale>

 <ident cce="27002-5" />

 <oval id="accounts_minimum_age_login_defs" value="var_accounts_minimum_age_login_defs"/>

-<ref nist="IA-5(f),IA-5(1)(d)" disa=""/>

+<ref nist="IA-5(f),IA-5(1)(d)" disa="198" srg="75" />

 <tested by="DS" on="20121026"/>

 </Rule>

@@ -145,7 +145,7 @@ and add or correct the following line, replacing DAYS appropriately:

 A value of 180 days is sufficient for many environments. 

 The DoD requirement is 60.

 </description>

-<ocil clause="it is not set to the required value">

+<ocil clause="PASS_MAX_DAYS is not set to the required value">

 To check the maximum password age, run the command:

 
$ grep PASS_MAX_DAYS /etc/login.defs

 The DoD and FISMA requirement is 60.

@@ -157,9 +157,9 @@ periodically change their passwords. This could possibly decrease

 the utility of a stolen password. Requiring shorter password lifetimes

 increases the risk of users writing down the password in a convenient

 location subject to physical compromise.</rationale>

-<ident cce="RHEL7-CCE-TBD" />

+<ident cce="27051-2" />

 <oval id="accounts_maximum_age_login_defs" value="var_accounts_maximum_age_login_defs"/>

-<ref nist="IA-5(f),IA-5(g),IA-5(1)(d)" disa="180,199" />

+<ref nist="IA-5(f),IA-5(g),IA-5(1)(d)" disa="180,199" srg="76" />

 <tested by="DS" on="20121026"/>

 </Rule>

diff --git a/shared/.gitignore b/shared/.gitignore

index d7b3ccb..39328cf 100644

--- a/shared/.gitignore

+++ b/shared/.gitignore

@@ -1,3 +1,4 @@

 # files not to track in git

 *.pyc

 *.ini

+*.swp

diff --git a/shared/references/cce-rhel-avail.txt b/shared/references/cce-rhel-avail.txt

index 381d3da..41dc47e 100644

--- a/shared/references/cce-rhel-avail.txt

+++ b/shared/references/cce-rhel-avail.txt

@@ -1,6 +1,3 @@

-CCE-27051-2

-CCE-26615-5

-CCE-26763-3

 CCE-26436-6

 CCE-26989-4

 CCE-26992-8