diff --git a/SOURCES/scap-security-guide-0.1.25-centos-menu-branding.patch b/SOURCES/scap-security-guide-0.1.25-centos-menu-branding.patch
deleted file mode 100644
index e6e0e41..0000000
--- a/SOURCES/scap-security-guide-0.1.25-centos-menu-branding.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/C2S.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/C2S.xml
---- scap-security-guide-0.1.30/RHEL/7/input/profiles/C2S.xml 2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/C2S.xml 2016-11-15 16:20:21.101599393 +0000
-@@ -1,10 +1,10 @@
-
--C2S for Red Hat Enterprise Linux 7
-+C2S for CentOS Linux 7
- This profile demonstrates compliance against the
- U.S. Government Commercial Cloud Services (C2S) baseline.
-
- This baseline was inspired by the Center for Internet Security
--(CIS) Red Hat Enterprise Linux 7 Benchmark, v1.1.0 - 04-02-2015.
-+(CIS) CentOS Linux 7 Benchmark, v1.1.0 - 04-02-2015.
- For the SCAP Security Guide project to remain in compliance with
- CIS' terms and conditions, specifically Restrictions(8), note
- there is no representation or claim that the C2S profile will
-diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/cjis-rhel7-server.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/cjis-rhel7-server.xml
---- scap-security-guide-0.1.30/RHEL/7/input/profiles/cjis-rhel7-server.xml 2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/cjis-rhel7-server.xml 2016-11-15 18:29:47.554461773 +0000
-@@ -1,6 +1,6 @@
-
- Criminal Justice Information Services (CJIS) Security Policy
--This is a *draft* profile for CJIS v5.4. The scope of this profile is to configure Red Hat Enteprise Linux 7 against the U. S. Department of Justice, FBI CJIS Security Policy.
-+This is a *draft* profile for CJIS v5.4. The scope of this profile is to configure CentOS Linux 7 against the U. S. Department of Justice, FBI CJIS Security Policy.
-
-
-
--
-+
-
-
-
-@@ -141,4 +141,4 @@
-
-
-
--
-\ No newline at end of file
-+
-diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/nist-CL-IL-AL.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/nist-CL-IL-AL.xml
---- scap-security-guide-0.1.30/RHEL/7/input/profiles/nist-CL-IL-AL.xml 2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/nist-CL-IL-AL.xml 2016-11-15 18:30:22.535473255 +0000
-@@ -1,5 +1,5 @@
-
--CNSSI 1253 Low/Low/Low Control Baseline for Red Hat Enterprise Linux 7
-+CNSSI 1253 Low/Low/Low Control Baseline for CentOS Linux 7
- This profile follows the Committee on National Security Systems Instruction
- (CNSSI) No. 1253, "Security Categorization and Control Selection for National Security
- Systems" on security controls to meet low confidentiality, low integrity, and low
-diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/ospp-rhel7-server.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/ospp-rhel7-server.xml
---- scap-security-guide-0.1.30/RHEL/7/input/profiles/ospp-rhel7-server.xml 2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/ospp-rhel7-server.xml 2016-11-15 18:30:44.136480430 +0000
-@@ -1,6 +1,6 @@
-
- United States Government Configuration Baseline (USGCB / STIG)
--This is a *draft* profile for NIAP OSPP v4.0. This profile is being developed under the National Information Assurance Partnership. The scope of this profile is to configure Red Hat Enteprise Linux 7 against the NIAP Protection Profile for General Purpose Operating Systems v4.0. The NIAP OSPP profile also serves as a working draft for USGCB submission against RHEL7 Server.
-+This is a *draft* profile for NIAP OSPP v4.0. This profile is being developed under the National Information Assurance Partnership. The scope of this profile is to configure CentOS Linux 7 against the NIAP Protection Profile for General Purpose Operating Systems v4.0. The NIAP OSPP profile also serves as a working draft for USGCB submission against CentOS7 Server.
-
-
-+
-
-
-
-diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/stig-rhel7-server-gui-upstream.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/stig-rhel7-server-gui-upstream.xml
---- scap-security-guide-0.1.30/RHEL/7/input/profiles/stig-rhel7-server-gui-upstream.xml 2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/stig-rhel7-server-gui-upstream.xml 2016-11-15 18:32:48.434522900 +0000
-@@ -1,5 +1,5 @@
-
--STIG for Red Hat Enterprise Linux 7 Server Running GUIs
-+STIG for CentOS Linux 7 Server Running GUIs
- This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.
-
-
- The purpose of this guidance is to provide security configuration
--recommendations and baselines for the Red Hat Enterprise Linux (RHEL) 7 operating
-+recommendations and baselines for the CentOS Linux 7 operating
- system. The guidance provided here should be applicable to all variants
- (Desktop, Server, Advanced Platform) of the product. Recommended
- settings for the basic operating system are provided, as well as for many
-@@ -33,7 +33,7 @@ to passive monitoring. Whenever practica
- such data exist, they should be applied. Even if data is expected to
- be transmitted only over a local network, it should still be encrypted.
- Encrypting authentication data, such as passwords, is particularly
--important. Networks of Red Hat Enterprise Linux 7 machines can and should be configured
-+important. Networks of CentOS Linux 7 machines can and should be configured
- so that no unencrypted authentication data is ever transmitted between
- machines.
-
-@@ -44,7 +44,7 @@ machines.
- Minimize Software to Minimize Vulnerability
-
- The simplest way to avoid vulnerabilities in software is to avoid
--installing that software. On RHEL, the RPM Package Manager (originally
-+installing that software. On CentOS, the RPM Package Manager (originally
- Red Hat Package Manager, abbreviated RPM) allows for careful management of
- the set of software packages installed on a system. Installed software
- contributes to system vulnerability in several ways. Packages that
diff --git a/SOURCES/scap-security-guide-0.1.30-zstream-rhbz#1415152.patch b/SOURCES/scap-security-guide-0.1.30-zstream-rhbz#1415152.patch
new file mode 100644
index 0000000..648d7d2
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.30-zstream-rhbz#1415152.patch
@@ -0,0 +1,42 @@
+diff --git a/shared/remediations/bash/templates/remediation_functions b/shared/remediations/bash/templates/remediation_functions
+index 1ef7e19..40d8ad3 100644
+--- a/shared/remediations/bash/templates/remediation_functions
++++ b/shared/remediations/bash/templates/remediation_functions
+@@ -774,7 +774,7 @@ function replace_or_append {
+
+ # Strip any search characters in the key arg so that the key can be replaced without
+ # adding any search characters to the config file.
+- stripped_key=${key//[!a-zA-Z]/}
++ stripped_key=$(sed "s/[\^=\$,;+]*//g" <<< $key)
+
+ # If there is no print format specified in the last arg, use the default format.
+ if ! [ "x$format" = x ] ; then
+diff --git a/shared/remediations/bash/sshd_use_approved_macs.sh b/shared/remediations/bash/sshd_use_approved_macs.sh
+index c6e1c29..b93809a 100644
+--- a/shared/remediations/bash/sshd_use_approved_macs.sh
++++ b/shared/remediations/bash/sshd_use_approved_macs.sh
+@@ -1,6 +1,6 @@
+ # platform = multi_platform_rhel
+-grep -qi ^MACs /etc/ssh/sshd_config && \
+- sed -i "s/MACs.*/MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1/gI" /etc/ssh/sshd_config
+-if ! [ $? -eq 0 ]; then
+- echo "MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1" >> /etc/ssh/sshd_config
+-fi
++
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
++
++replace_or_append '/etc/ssh/sshd_config' '^MACs' 'hmac-sha2-512,hmac-sha2-256,hmac-sha1' 'CCENUM' '%s %s'
+diff --git a/shared/xccdf/remediation_functions.xml b/shared/xccdf/remediation_functions.xml
+index dc14346..f2f2e62 100644
+--- a/shared/xccdf/remediation_functions.xml
++++ b/shared/xccdf/remediation_functions.xml
+@@ -1152,7 +1152,7 @@ function replace_or_append {
+
+ # Strip any search characters in the key arg so that the key can be replaced without
+ # adding any search characters to the config file.
+- stripped_key=${key//[!a-zA-Z]/}
++ stripped_key=$(sed "s/[\^=\$,;+]*//g" <<< $key)
+
+ # If there is no print format specified in the last arg, use the default format.
+ if ! [ "x$format" = x ] ; then
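Review bot: In both copies of replace_or_append (remediation_functions and remediation_functions.xml), the new `stripped_key=$(sed "s/[\^=\$,;+]*//g" <<< $key)` line leaves `$key` unquoted in the here-string and strips only the characters listed in the bracket expression. Quote it as `<<< "$key"`, and extend the comment above it to say which search characters callers may use, because any other regex character in the key (for example `.`, `*` or brackets) is no longer stripped and would end up in the config file, which that comment says must not happen. In sshd_use_approved_macs.sh the removed lines matched case-insensitively (`grep -qi`, `sed ... /gI`), and sshd_config keywords are case-insensitive, so confirm that replace_or_append called with '^MACs' also replaces a lowercase `macs` line instead of leaving it and appending a second one. The literal 'CCENUM' argument reads like a placeholder and would benefit from a comment saying where it gets substituted.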
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index e1859b5..1d9e0a9 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -2,7 +2,7 @@
Name: scap-security-guide
Version: 0.1.%{redhatssgversion}
-Release: 3%{?dist}.0.3
+Release: 5%{?dist}
Summary: Security guidance and baselines in SCAP formats
Group: System Environment/Base
@@ -15,8 +15,7 @@ Patch3: scap-security-guide-0.1.30-rhbz#1351541.patch
Patch4: scap-security-guide-0.1.30-rhbz#1344581.patch
Patch5: scap-security-guide-0.1.30-rhbz#1351751.patch
Patch6: scap-security-guide-0.1.30-downstream-rhbz#1357019.patch
-Patch99: scap-security-guide-0.1.25-centos-menu-branding.patch
-Patch100: scap-security-guide-0.1.30-centos-menu-branding-2.patch
+Patch7: scap-security-guide-0.1.30-zstream-rhbz#1415152.patch
BuildArch: noarch
BuildRequires: libxslt, expat, python, openscap-scanner >= 1.2.5, python-lxml
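Review bot: Patch100 (scap-security-guide-0.1.30-centos-menu-branding-2.patch) is dropped from the spec here together with Patch99, but the part of the diff shown only deletes SOURCES/scap-security-guide-0.1.25-centos-menu-branding.patch. Confirm that the second branding patch file is also removed from SOURCES in this change, so that no unreferenced source file is left in the tree.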
@@ -61,12 +60,15 @@ been generated from XCCDF benchmarks present in %{name} package.
# to different location already). The rest of the change (except the path)
# is identical with upstream form
%patch6 -p1 -b .rhbz#1357019
-
-%patch99 -p1 -b .centos
-%patch100 -p1 -b .centos
-
-# Remove the RHEL Certified Cloud Provider profile for debranding purposes
-%{__rm} RHEL/7/input/profiles/rht-ccp.xml
+# Z-stream fix for RHBZ#1415152
+# Patch consists of upstream
+# https://patch-diff.githubusercontent.com/raw/OpenSCAP/scap-security-guide/pull/1555.diff
+# and modified version of upstream
+# https://patch-diff.githubusercontent.com/raw/OpenSCAP/scap-security-guide/pull/1471.diff
+# Patch for PR 1471 was modified to remove unrelated changes, and remediations files got
+# moved to different location. Also, changes in 'sshd_use_approved_macs.sh' are slightly
+# different due to commit c6730b867f6760b94ec193e95484a16054b27f48a).
+%patch7 -p1 -b .rhbz#1415152
%build
(cd RHEL/7 && make dist)
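Review bot: The commit id in the new comment above `%patch7`, written as `c6730b867f6760b94ec193e95484a16054b27f48a)`, is 41 hex characters long and ends in an unmatched closing parenthesis, so it cannot be looked up as written. A full git SHA-1 is 40 characters; please correct the hash and either drop the stray `)` or add the opening one. While there, "remediations files got moved" should read "remediation files were moved".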
@@ -82,12 +84,12 @@ mkdir -p %{buildroot}%{_mandir}/en/man8/
# Add in RHEL-7 core content (SCAP)
cp -a RHEL/7/dist/content/ssg-rhel7-cpe-dictionary.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
cp -a RHEL/7/dist/content/ssg-rhel7-cpe-oval.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
-cp -a RHEL/7/dist/content/ssg-centos7-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
+cp -a RHEL/7/dist/content/ssg-rhel7-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
cp -a RHEL/7/dist/content/ssg-rhel7-oval.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
-cp -a RHEL/7/dist/content/ssg-centos7-xccdf.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
+cp -a RHEL/7/dist/content/ssg-rhel7-xccdf.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
# Add in RHEL-6 datastream (SCAP)
-cp -a RHEL/6/dist/content/ssg-centos6-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content
+cp -a RHEL/6/dist/content/ssg-rhel6-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content
# Add in Firefox datastream (SCAP)
cp -a Firefox/dist/content/ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content
@@ -117,22 +119,18 @@ cp -a docs/scap-security-guide.8 %{buildroot}%{_mandir}/en/man8/scap-security-gu
%files doc
%defattr(-,root,root,-)
-%doc RHEL/6/output/ssg-centos6-guide-*.html
-%doc RHEL/7/output/ssg-centos7-guide-*.html
+%doc RHEL/6/output/ssg-rhel6-guide-*.html
+%doc RHEL/7/output/ssg-rhel7-guide-*.html
%doc JRE/output/ssg-jre-guide-*.html
%doc Firefox/output/ssg-firefox-guide-*.html
%changelog
-* Fri Dec 02 2016 brian@bstinson.com 0.1.-3.0.3
-- Remove the Red Hat Certified Cloud Provider profile
-- add 2nd branding patch
-
-* Thu Dec 1 2016 Johnny Hughes 0.1.30-3.0.2
-- fix branding issue on ospp-rhel7-server.xml
+* Tue Feb 14 2017 Watson Sato 0.1.30-5
+- Fix template remediation function used by SSHD remediation
+- Reduce scope of patch that fixes SSHD remediation (RH BZ#1415152)
-* Tue Nov 15 2016 Johnny Hughes 0.1.30-3
-- Use the CentOS SCAP content
-- scap-security-guide-0.1.25-centos-menu-branding.patch
+* Tue Jan 31 2017 Jan Watson Sato 0.1.30-4
+- Correct remediation for SSHD which caused it not to start (RH BZ#1415152)
* Wed Aug 10 2016 Jan iankko Lieskovsky 0.1.30-3
- Correct the remediation script for 'Enable Smart Card Login' rule
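Review bot: The two new %changelog entries name the packager differently, "Watson Sato" for 0.1.30-5 and "Jan Watson Sato" for 0.1.30-4. Use one spelling in both entries so the history is attributable to the same person.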