diff --git a/.gitignore b/.gitignore
index 20df2b2..ea97346 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/scap-security-guide-0.1.25.tar.gz
+SOURCES/scap-security-guide-0.1.30.tar.gz
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
index 7038a45..2d6f46b 100644
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@@ -1 +1 @@
-1dc2e85ad80098968485bc75050697abc40143d4 SOURCES/scap-security-guide-0.1.25.tar.gz
+6630e157fce94380bc4610538b1fb8cccfaf5f57 SOURCES/scap-security-guide-0.1.30.tar.gz
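Review bot: The new pin on the `+` line is a 40-hex-character digest, which is the length of a SHA-1 hash, and it is the only integrity reference for `SOURCES/scap-security-guide-0.1.30.tar.gz` visible in this change. SHA-1 is no longer collision-resistant, so before accepting the rebase the tarball should be checked against the checksum or signature published with the upstream release rather than against this value alone. If the metadata format cannot carry a stronger digest, recording the tarball's SHA-256 in the commit message would give later audits something to compare against. Whether the tooling that reads this file accepts another digest type cannot be told from this hunk.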
diff --git a/SOURCES/scap-security-guide-0.1.19-rhel7-drop-cpuspeed-rule-since-obsolete.patch b/SOURCES/scap-security-guide-0.1.19-rhel7-drop-cpuspeed-rule-since-obsolete.patch
deleted file mode 100644
index fac759b..0000000
--- a/SOURCES/scap-security-guide-0.1.19-rhel7-drop-cpuspeed-rule-since-obsolete.patch
+++ /dev/null
@@ -1,26 +0,0 @@
---- scap-security-guide-0.1.19/RHEL/7/input/services/base.xml.orig	2014-09-29 07:29:50.979356661 -0400
-+++ scap-security-guide-0.1.19/RHEL/7/input/services/base.xml	2014-09-29 07:30:23.749395788 -0400
-@@ -91,23 +91,6 @@ service is not necessary.
- <ref nist="CM-7" />
- </Rule>
- 
--<Rule id="service_cpuspeed_disabled">
--<title>Disable CPU Speed (cpuspeed)</title>
--<description>The <tt>cpuspeed</tt> service can adjust the clock speed of supported CPUs based upon
--the current processing load thereby conserving power and reducing heat.
--<service-disable-macro service="cpuspeed" />
--</description>
--<ocil><service-disable-check-macro service="cpuspeed" /></ocil>
--<rationale>The <tt>cpuspeed</tt> service is only necessary if adjusting the CPU clock speed
--provides benefit. Traditionally this has included laptops (to enhance battery life),
--but may also apply to server or desktop environments where conserving power is
--highly desirable or necessary.
--</rationale>
--<ident cce="RHEL7-CCE-TBD" />
--<oval id="service_cpuspeed_disabled" />
--<ref nist="CM-7" />
--</Rule>
--
- <Rule id="service_irqbalance_enabled">
- <title>Enable IRQ Balance (irqbalance)</title>
- <description>The <tt>irqbalance</tt> service optimizes the balance between
diff --git a/SOURCES/scap-security-guide-0.1.25-add-adjtimex-settimeofday-stime-rhel7-remediation.patch b/SOURCES/scap-security-guide-0.1.25-add-adjtimex-settimeofday-stime-rhel7-remediation.patch
deleted file mode 100644
index b0b28d6..0000000
--- a/SOURCES/scap-security-guide-0.1.25-add-adjtimex-settimeofday-stime-rhel7-remediation.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-From bb68e10170f532fed47277d76eb74f4fad498039 Mon Sep 17 00:00:00 2001
-From: Jan Lieskovsky <jlieskov@redhat.com>
-Date: Fri, 24 Jul 2015 16:21:04 +0200
-Subject: [PATCH] [Enhancement] [RHEL/7] New RHEL-7 audit time remediations for
- following rules: * audit_rules_time_adjtimex, *
- audit_rules_time_settimeofday, and * audit_rules_time_stime
-
-Testing report:
---------------
-Verified manually on RHEL-7 host the changes are working fine (in both
-scenarios, expected rule not at all present in audit.rules configuration,
-or expected rule partially present in audit.rules configuration)
----
- .../input/fixes/bash/audit_rules_time_adjtimex.sh  | 32 ++++++++++++++++++++++
- .../fixes/bash/audit_rules_time_settimeofday.sh    | 32 ++++++++++++++++++++++
- RHEL/7/input/fixes/bash/audit_rules_time_stime.sh  | 32 ++++++++++++++++++++++
- 3 files changed, 96 insertions(+)
- create mode 100644 RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh
- create mode 100644 RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh
- create mode 100644 RHEL/7/input/fixes/bash/audit_rules_time_stime.sh
-
-diff --git a/RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh b/RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh
-new file mode 100644
-index 0000000..43fdfbb
---- /dev/null
-+++ b/RHEL/7/input/fixes/bash/audit_rules_time_adjtimex.sh
-@@ -0,0 +1,32 @@
-+
-+# Include source function library.
-+. /usr/share/scap-security-guide/remediation_functions
-+
-+# Perform the remediation for the syscall rule
-+# Retrieve hardware architecture of the underlying system
-+[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
-+
-+for ARCH in "${RULE_ARCHS[@]}"
-+do
-+
-+	PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *"
-+
-+	# Create expected audit group and audit rule form for particular system call & architecture
-+	if [ ${ARCH} = "b32" ]
-+	then
-+		# stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
-+		# so append it to the list of time group system calls to be audited
-+		GROUP="\(adjtimex\|settimeofday\|stime\)"
-+		FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules"
-+	elif [ ${ARCH} = "b64" ]
-+	then
-+		# stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
-+		# therefore don't add it to the list of time group system calls to be audited
-+		GROUP="\(adjtimex\|settimeofday\)"
-+		FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules"
-+	fi
-+
-+	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
-+	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
-+	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
-+done
-diff --git a/RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh b/RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh
-new file mode 100644
-index 0000000..43fdfbb
---- /dev/null
-+++ b/RHEL/7/input/fixes/bash/audit_rules_time_settimeofday.sh
-@@ -0,0 +1,32 @@
-+
-+# Include source function library.
-+. /usr/share/scap-security-guide/remediation_functions
-+
-+# Perform the remediation for the syscall rule
-+# Retrieve hardware architecture of the underlying system
-+[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
-+
-+for ARCH in "${RULE_ARCHS[@]}"
-+do
-+
-+	PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *"
-+
-+	# Create expected audit group and audit rule form for particular system call & architecture
-+	if [ ${ARCH} = "b32" ]
-+	then
-+		# stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
-+		# so append it to the list of time group system calls to be audited
-+		GROUP="\(adjtimex\|settimeofday\|stime\)"
-+		FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules"
-+	elif [ ${ARCH} = "b64" ]
-+	then
-+		# stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
-+		# therefore don't add it to the list of time group system calls to be audited
-+		GROUP="\(adjtimex\|settimeofday\)"
-+		FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules"
-+	fi
-+
-+	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
-+	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
-+	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
-+done
-diff --git a/RHEL/7/input/fixes/bash/audit_rules_time_stime.sh b/RHEL/7/input/fixes/bash/audit_rules_time_stime.sh
-new file mode 100644
-index 0000000..43fdfbb
---- /dev/null
-+++ b/RHEL/7/input/fixes/bash/audit_rules_time_stime.sh
-@@ -0,0 +1,32 @@
-+
-+# Include source function library.
-+. /usr/share/scap-security-guide/remediation_functions
-+
-+# Perform the remediation for the syscall rule
-+# Retrieve hardware architecture of the underlying system
-+[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
-+
-+for ARCH in "${RULE_ARCHS[@]}"
-+do
-+
-+	PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *"
-+
-+	# Create expected audit group and audit rule form for particular system call & architecture
-+	if [ ${ARCH} = "b32" ]
-+	then
-+		# stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
-+		# so append it to the list of time group system calls to be audited
-+		GROUP="\(adjtimex\|settimeofday\|stime\)"
-+		FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules"
-+	elif [ ${ARCH} = "b64" ]
-+	then
-+		# stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
-+		# therefore don't add it to the list of time group system calls to be audited
-+		GROUP="\(adjtimex\|settimeofday\)"
-+		FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules"
-+	fi
-+
-+	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
-+	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
-+	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
-+done
diff --git a/SOURCES/scap-security-guide-0.1.25-centos-menu-branding.patch b/SOURCES/scap-security-guide-0.1.25-centos-menu-branding.patch
deleted file mode 100644
index f4b2d39..0000000
--- a/SOURCES/scap-security-guide-0.1.25-centos-menu-branding.patch
+++ /dev/null
@@ -1,249 +0,0 @@
-diff -uNrp scap-security-guide-0.1.25.orig/RHEL/7/input/profiles/pci-dss.xml scap-security-guide-0.1.25/RHEL/7/input/profiles/pci-dss.xml
---- scap-security-guide-0.1.25.orig/RHEL/7/input/profiles/pci-dss.xml	2015-12-08 07:06:53.929233818 -0600
-+++ scap-security-guide-0.1.25/RHEL/7/input/profiles/pci-dss.xml	2015-12-08 07:30:17.747857532 -0600
-@@ -1,5 +1,5 @@
- <Profile id="pci-dss" xmlns="http://checklists.nist.gov/xccdf/1.1">
--<title>Draft PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7</title>
-+<title>Draft PCI-DSS v3 Control Baseline for CentOS Linux 7</title>
- <description>This is a *draft* profile for PCI-DSS v3</description>
- 
- <refine-value idref="var_password_pam_unix_remember" selector="4" />
-@@ -54,20 +54,20 @@
- <select idref="audit_rules_kernel_module_loading" selected="true"/>
- <!-- <select idref="audit_rules_immutable" selected="true"/> reason: Missing remediation -->
- <select idref="service_chronyd_or_ntpd_enabled" selected="true"/>
--<!-- <select idref="chronyd_specify_remote_server" selected="true"/> reason: needs to be implemented for RHEL-7 for chronyd service -->
--<!-- <select idref="chronyd_specify_multiple_servers" selected="true"/> reason: needs to be implemented for RHEL-7 for chronyd service -->
-+<!-- <select idref="chronyd_specify_remote_server" selected="true"/> reason: needs to be implemented for CentOS-7 for chronyd service -->
-+<!-- <select idref="chronyd_specify_multiple_servers" selected="true"/> reason: needs to be implemented for CentOS-7 for chronyd service -->
- <select idref="rpm_verify_hashes" selected="true"/>
--<!-- <select idref="install_hids" selected="true"/> reason: needs to be implemented for both RHEL-6 & RHEL-7 -->
--<!-- <select idref="rsyslog_file_permissions" selected="true"/> reason: needs to be implemented for RHEL-7 -->
--<!-- <select idref="userowner_rsyslog_files" selected="true"/> reason: needs to be implemented for RHEL-7 -->
--<!-- <select idref="groupowner_rsyslog_files" selected="true"/> reason: needs to be implemented for RHEL-7 -->
-+<!-- <select idref="install_hids" selected="true"/> reason: needs to be implemented for both CentOS-6 & CentOS-7 -->
-+<!-- <select idref="rsyslog_file_permissions" selected="true"/> reason: needs to be implemented for CentOS-7 -->
-+<!-- <select idref="userowner_rsyslog_files" selected="true"/> reason: needs to be implemented for CentOS-7 -->
-+<!-- <select idref="groupowner_rsyslog_files" selected="true"/> reason: needs to be implemented for CentOS-7 -->
- <select idref="ensure_logrotate_activated" selected="true"/>
- <select idref="package_aide_installed" selected="true"/>
- <select idref="disable_prelink" selected="true"/>
--<!-- <select idref="aide_build_database" selected="true"/> reason: needs to be implemented for both RHEL-6 & RHEL-7 -->
-+<!-- <select idref="aide_build_database" selected="true"/> reason: needs to be implemented for both CentOS-6 & CentOS-7 -->
- <select idref="aide_periodic_cron_checking" selected="true"/>
--<!-- <select idref="account_unique_name" selected="true"/> reason: needs to be implemented for both RHEL-6 & RHEL-7 -->
--<!-- <select idref="gid_passwd_group_same" selected="true"/> reason: needs to be implemented for both RHEL-6 & RHEL-7 -->
-+<!-- <select idref="account_unique_name" selected="true"/> reason: needs to be implemented for both CentOS-6 & CentOS-7 -->
-+<!-- <select idref="gid_passwd_group_same" selected="true"/> reason: needs to be implemented for both CentOS-6 & CentOS-7 -->
- <select idref="accounts_password_all_shadowed" selected="true"/>
- <select idref="no_empty_passwords" selected="true"/>
- <select idref="display_login_attempts" selected="true"/>
-@@ -77,19 +77,19 @@
- <!-- <select idref="dconf_gnome_screensaver_idle_delay" selected="true"/> reason: Missing remediation -->
- <!-- <select idref="dconf_gnome_screensaver_idle_activation_enabled" selected="true"/> reason: Missing remediation -->
- <!-- <select idref="dconf_gnome_screensaver_lock_enabled" selected="true"/> reason: Missing remediation -->
--<!-- <select idref="dconf_gnome_screensaver_mode_blank" selected="true"/> reason: needs to be created for RHEL-7 -->
-+<!-- <select idref="dconf_gnome_screensaver_mode_blank" selected="true"/> reason: needs to be created for CentOS-7 -->
- <select idref="sshd_set_idle_timeout" selected="true"/>
- <select idref="accounts_password_pam_minlen" selected="true"/>
- <select idref="accounts_password_pam_dcredit" selected="true"/>
- <select idref="accounts_password_pam_ucredit" selected="true"/>
- <select idref="accounts_password_pam_lcredit" selected="true"/>
--<!-- <select idref="accounts_password_pam_unix_remember" selected="true"/> reason: needs to be ported to RHEL-7 -->
-+<!-- <select idref="accounts_password_pam_unix_remember" selected="true"/> reason: needs to be ported to CentOS-7 -->
- <select idref="accounts_maximum_age_login_defs" selected="true"/>
- <select idref="ensure_redhat_gpgkey_installed" selected="true"/>
- <select idref="ensure_gpgcheck_globally_activated" selected="true"/>
- <select idref="ensure_gpgcheck_never_disabled" selected="true"/>
- <select idref="security_patches_up_to_date" selected="true"/>
--<!-- <select idref="smartcard_auth" selected="true"/> reason: needs to be ported to RHEL-7 -->
-+<!-- <select idref="smartcard_auth" selected="true"/> reason: needs to be ported to CentOS-7 -->
- <select idref="set_password_hashing_algorithm_systemauth" selected="true"/>
- <select idref="set_password_hashing_algorithm_logindefs" selected="true"/>
- <select idref="set_password_hashing_algorithm_libuserconf" selected="true"/>
-diff -uNrp scap-security-guide-0.1.25.orig/RHEL/7/input/profiles/pci-dss.xml.rhel7_pcidss_downstream_disabled scap-security-guide-0.1.25/RHEL/7/input/profiles/pci-dss.xml.rhel7_pcidss_downstream_disabled
---- scap-security-guide-0.1.25.orig/RHEL/7/input/profiles/pci-dss.xml.rhel7_pcidss_downstream_disabled	2015-08-19 10:54:02.000000000 -0500
-+++ scap-security-guide-0.1.25/RHEL/7/input/profiles/pci-dss.xml.rhel7_pcidss_downstream_disabled	2015-12-08 07:31:08.882743495 -0600
-@@ -1,5 +1,5 @@
- <Profile id="pci-dss" xmlns="http://checklists.nist.gov/xccdf/1.1">
--<title>Draft PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7</title>
-+<title>Draft PCI-DSS v3 Control Baseline for CentOS Linux 7</title>
- <description>This is a *draft* profile for PCI-DSS v3</description>
- 
- <refine-value idref="var_password_pam_unix_remember" selector="4" />
-@@ -54,21 +54,21 @@
- <select idref="audit_rules_kernel_module_loading" selected="true"/>
- <select idref="audit_rules_immutable" selected="true"/>
- <select idref="service_chronyd_or_ntpd_enabled" selected="true"/>
--<!-- <select idref="chronyd_specify_remote_server" selected="true"/> reason: needs to be implemented for RHEL-7 for chronyd service -->
--<!-- <select idref="chronyd_specify_multiple_servers" selected="true"/> reason: needs to be implemented for RHEL-7 for chronyd service -->
-+<!-- <select idref="chronyd_specify_remote_server" selected="true"/> reason: needs to be implemented for CentOS-7 for chronyd service -->
-+<!-- <select idref="chronyd_specify_multiple_servers" selected="true"/> reason: needs to be implemented for CentOS-7 for chronyd service -->
- <select idref="rpm_verify_permissions" selected="true"/>
- <select idref="rpm_verify_hashes" selected="true"/>
--<!-- <select idref="install_hids" selected="true"/> reason: needs to be implemented for both RHEL-6 & RHEL-7 -->
--<!-- <select idref="rsyslog_file_permissions" selected="true"/> reason: needs to be implemented for RHEL-7 -->
--<!-- <select idref="userowner_rsyslog_files" selected="true"/> reason: needs to be implemented for RHEL-7 -->
--<!-- <select idref="groupowner_rsyslog_files" selected="true"/> reason: needs to be implemented for RHEL-7 -->
-+<!-- <select idref="install_hids" selected="true"/> reason: needs to be implemented for both CentOS-6 & CentOS-7 -->
-+<!-- <select idref="rsyslog_file_permissions" selected="true"/> reason: needs to be implemented for CentOS-7 -->
-+<!-- <select idref="userowner_rsyslog_files" selected="true"/> reason: needs to be implemented for CentOS-7 -->
-+<!-- <select idref="groupowner_rsyslog_files" selected="true"/> reason: needs to be implemented for CentOS-7 -->
- <select idref="ensure_logrotate_activated" selected="true"/>
- <select idref="package_aide_installed" selected="true"/>
- <select idref="disable_prelink" selected="true"/>
--<!-- <select idref="aide_build_database" selected="true"/> reason: needs to be implemented for both RHEL-6 & RHEL-7 -->
-+<!-- <select idref="aide_build_database" selected="true"/> reason: needs to be implemented for both CentOS-6 & CentOS-7 -->
- <select idref="aide_periodic_cron_checking" selected="true"/>
--<!-- <select idref="account_unique_name" selected="true"/> reason: needs to be implemented for both RHEL-6 & RHEL-7 -->
--<!-- <select idref="gid_passwd_group_same" selected="true"/> reason: needs to be implemented for both RHEL-6 & RHEL-7 -->
-+<!-- <select idref="account_unique_name" selected="true"/> reason: needs to be implemented for both CentOS-6 & CentOS-7 -->
-+<!-- <select idref="gid_passwd_group_same" selected="true"/> reason: needs to be implemented for both CentOS-6 & CentOS-7 -->
- <select idref="accounts_password_all_shadowed" selected="true"/>
- <select idref="no_empty_passwords" selected="true"/>
- <select idref="display_login_attempts" selected="true"/>
-@@ -78,19 +78,19 @@
- <select idref="dconf_gnome_screensaver_idle_delay" selected="true"/>
- <select idref="dconf_gnome_screensaver_idle_activation_enabled" selected="true"/>
- <select idref="dconf_gnome_screensaver_lock_enabled" selected="true"/>
--<!-- <select idref="dconf_gnome_screensaver_mode_blank" selected="true"/> reason: needs to be created for RHEL-7 -->
-+<!-- <select idref="dconf_gnome_screensaver_mode_blank" selected="true"/> reason: needs to be created for CentOS-7 -->
- <select idref="sshd_set_idle_timeout" selected="true"/>
- <select idref="accounts_password_pam_minlen" selected="true"/>
- <select idref="accounts_password_pam_dcredit" selected="true"/>
- <select idref="accounts_password_pam_ucredit" selected="true"/>
- <select idref="accounts_password_pam_lcredit" selected="true"/>
--<!-- <select idref="accounts_password_pam_unix_remember" selected="true"/> reason: needs to be ported to RHEL-7 -->
-+<!-- <select idref="accounts_password_pam_unix_remember" selected="true"/> reason: needs to be ported to CentOS-7 -->
- <select idref="accounts_maximum_age_login_defs" selected="true"/>
- <select idref="ensure_redhat_gpgkey_installed" selected="true"/>
- <select idref="ensure_gpgcheck_globally_activated" selected="true"/>
- <select idref="ensure_gpgcheck_never_disabled" selected="true"/>
- <select idref="security_patches_up_to_date" selected="true"/>
--<!-- <select idref="smartcard_auth" selected="true"/> reason: needs to be ported to RHEL-7 -->
-+<!-- <select idref="smartcard_auth" selected="true"/> reason: needs to be ported to CentOS-7 -->
- <select idref="set_password_hashing_algorithm_systemauth" selected="true"/>
- <select idref="set_password_hashing_algorithm_logindefs" selected="true"/>
- <select idref="set_password_hashing_algorithm_libuserconf" selected="true"/>
-diff -uNrp scap-security-guide-0.1.25.orig/RHEL/7/input/profiles/pci-dss.xml.rhel7_pcidss_drop_rpm_verify_permissions_rule scap-security-guide-0.1.25/RHEL/7/input/profiles/pci-dss.xml.rhel7_pcidss_drop_rpm_verify_permissions_rule
---- scap-security-guide-0.1.25.orig/RHEL/7/input/profiles/pci-dss.xml.rhel7_pcidss_drop_rpm_verify_permissions_rule	2015-12-08 07:06:53.928233822 -0600
-+++ scap-security-guide-0.1.25/RHEL/7/input/profiles/pci-dss.xml.rhel7_pcidss_drop_rpm_verify_permissions_rule	2015-12-08 07:31:31.811691561 -0600
-@@ -1,5 +1,5 @@
- <Profile id="pci-dss" xmlns="http://checklists.nist.gov/xccdf/1.1">
--<title>Draft PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7</title>
-+<title>Draft PCI-DSS v3 Control Baseline for CentOS Linux 7</title>
- <description>This is a *draft* profile for PCI-DSS v3</description>
- 
- <refine-value idref="var_password_pam_unix_remember" selector="4" />
-@@ -54,21 +54,21 @@
- <select idref="audit_rules_kernel_module_loading" selected="true"/>
- <!-- <select idref="audit_rules_immutable" selected="true"/> reason: Missing remediation -->
- <select idref="service_chronyd_or_ntpd_enabled" selected="true"/>
--<!-- <select idref="chronyd_specify_remote_server" selected="true"/> reason: needs to be implemented for RHEL-7 for chronyd service -->
--<!-- <select idref="chronyd_specify_multiple_servers" selected="true"/> reason: needs to be implemented for RHEL-7 for chronyd service -->
-+<!-- <select idref="chronyd_specify_remote_server" selected="true"/> reason: needs to be implemented for CentOS-7 for chronyd service -->
-+<!-- <select idref="chronyd_specify_multiple_servers" selected="true"/> reason: needs to be implemented for CentOS-7 for chronyd service -->
- <select idref="rpm_verify_permissions" selected="true"/>
- <select idref="rpm_verify_hashes" selected="true"/>
--<!-- <select idref="install_hids" selected="true"/> reason: needs to be implemented for both RHEL-6 & RHEL-7 -->
--<!-- <select idref="rsyslog_file_permissions" selected="true"/> reason: needs to be implemented for RHEL-7 -->
--<!-- <select idref="userowner_rsyslog_files" selected="true"/> reason: needs to be implemented for RHEL-7 -->
--<!-- <select idref="groupowner_rsyslog_files" selected="true"/> reason: needs to be implemented for RHEL-7 -->
-+<!-- <select idref="install_hids" selected="true"/> reason: needs to be implemented for both CentOS-6 & CentOS-7 -->
-+<!-- <select idref="rsyslog_file_permissions" selected="true"/> reason: needs to be implemented for CentOS-7 -->
-+<!-- <select idref="userowner_rsyslog_files" selected="true"/> reason: needs to be implemented for CentOS-7 -->
-+<!-- <select idref="groupowner_rsyslog_files" selected="true"/> reason: needs to be implemented for CentOS-7 -->
- <select idref="ensure_logrotate_activated" selected="true"/>
- <select idref="package_aide_installed" selected="true"/>
- <select idref="disable_prelink" selected="true"/>
--<!-- <select idref="aide_build_database" selected="true"/> reason: needs to be implemented for both RHEL-6 & RHEL-7 -->
-+<!-- <select idref="aide_build_database" selected="true"/> reason: needs to be implemented for both CentOS-6 & CentOS-7 -->
- <select idref="aide_periodic_cron_checking" selected="true"/>
--<!-- <select idref="account_unique_name" selected="true"/> reason: needs to be implemented for both RHEL-6 & RHEL-7 -->
--<!-- <select idref="gid_passwd_group_same" selected="true"/> reason: needs to be implemented for both RHEL-6 & RHEL-7 -->
-+<!-- <select idref="account_unique_name" selected="true"/> reason: needs to be implemented for both CentOS-6 & CentOS-7 -->
-+<!-- <select idref="gid_passwd_group_same" selected="true"/> reason: needs to be implemented for both CentOS-6 & CentOS-7 -->
- <select idref="accounts_password_all_shadowed" selected="true"/>
- <select idref="no_empty_passwords" selected="true"/>
- <select idref="display_login_attempts" selected="true"/>
-@@ -78,19 +78,19 @@
- <!-- <select idref="dconf_gnome_screensaver_idle_delay" selected="true"/> reason: Missing remediation -->
- <!-- <select idref="dconf_gnome_screensaver_idle_activation_enabled" selected="true"/> reason: Missing remediation -->
- <!-- <select idref="dconf_gnome_screensaver_lock_enabled" selected="true"/> reason: Missing remediation -->
--<!-- <select idref="dconf_gnome_screensaver_mode_blank" selected="true"/> reason: needs to be created for RHEL-7 -->
-+<!-- <select idref="dconf_gnome_screensaver_mode_blank" selected="true"/> reason: needs to be created for CentOS-7 -->
- <select idref="sshd_set_idle_timeout" selected="true"/>
- <select idref="accounts_password_pam_minlen" selected="true"/>
- <select idref="accounts_password_pam_dcredit" selected="true"/>
- <select idref="accounts_password_pam_ucredit" selected="true"/>
- <select idref="accounts_password_pam_lcredit" selected="true"/>
--<!-- <select idref="accounts_password_pam_unix_remember" selected="true"/> reason: needs to be ported to RHEL-7 -->
-+<!-- <select idref="accounts_password_pam_unix_remember" selected="true"/> reason: needs to be ported to CentOS-7 -->
- <select idref="accounts_maximum_age_login_defs" selected="true"/>
- <select idref="ensure_redhat_gpgkey_installed" selected="true"/>
- <select idref="ensure_gpgcheck_globally_activated" selected="true"/>
- <select idref="ensure_gpgcheck_never_disabled" selected="true"/>
- <select idref="security_patches_up_to_date" selected="true"/>
--<!-- <select idref="smartcard_auth" selected="true"/> reason: needs to be ported to RHEL-7 -->
-+<!-- <select idref="smartcard_auth" selected="true"/> reason: needs to be ported to CentOS-7 -->
- <select idref="set_password_hashing_algorithm_systemauth" selected="true"/>
- <select idref="set_password_hashing_algorithm_logindefs" selected="true"/>
- <select idref="set_password_hashing_algorithm_libuserconf" selected="true"/>
-diff -uNrp scap-security-guide-0.1.25.orig/RHEL/7/input/profiles/rht-ccp.xml scap-security-guide-0.1.25/RHEL/7/input/profiles/rht-ccp.xml
---- scap-security-guide-0.1.25.orig/RHEL/7/input/profiles/rht-ccp.xml	2015-08-19 10:54:02.000000000 -0500
-+++ scap-security-guide-0.1.25/RHEL/7/input/profiles/rht-ccp.xml	2015-12-08 07:33:09.162465695 -0600
-@@ -1,6 +1,6 @@
- <Profile id="rht-ccp" xmlns="http://checklists.nist.gov/xccdf/1.1">
--<title>Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)</title>
--<description>This is a *draft* SCAP profile for Red Hat Certified Cloud Providers</description>
-+<title>CentOS Profile for Cloud Providers (CPCP)</title>
-+<description>This is a *draft* SCAP profile for CentOS Cloud Providers</description>
- <!-- CONFIGURATION OPTIONS -->
- <refine-value idref="var_selinux_state" selector="enforcing"/>
- <refine-value idref="var_selinux_policy_name" selector="targeted"/>
-@@ -98,11 +98,11 @@
- <select idref="kernel_module_ipv6_option_disabled" selected="true"/>
- <select idref="service_ip6tables_enabled" selected="true"/>
- 
--This requirement does not apply against Red Hat Enterprise Linux 7:
-+This requirement does not apply against CentOS Linux 7:
- see: https://github.com/OpenSCAP/scap-security-guide/issues/66 for details.
- <select idref="kernel_module_rds_disabled" selected="true"/>
- 
--This requirement does not apply against Red Hat Enterprise Linux 7:
-+This requirement does not apply against CentOS Linux 7:
- see: https://github.com/OpenSCAP/scap-security-guide/issues/67 for details.
- <select idref="kernel_module_tipc_disabled" selected="true"/>
- 
-diff -uNrp scap-security-guide-0.1.25.orig/RHEL/7/input/profiles/standard.xml scap-security-guide-0.1.25/RHEL/7/input/profiles/standard.xml
---- scap-security-guide-0.1.25.orig/RHEL/7/input/profiles/standard.xml	2015-08-19 10:54:02.000000000 -0500
-+++ scap-security-guide-0.1.25/RHEL/7/input/profiles/standard.xml	2015-12-08 07:27:34.453179300 -0600
-@@ -1,6 +1,6 @@
- <Profile id="standard">
- <title>Standard System Security Profile</title>
--<description>This profile contains rules to ensure standard security base of Red Hat Enterprise Linux 7 system.</description>
-+<description>This profile contains rules to ensure standard security base of CentOS Linux 7 system.</description>
- 
- <!-- STANDARD SYSTEM SECURITY CHECKS -->
- <select idref="security_patches_up_to_date" selected="true"/>
-diff -uNrp scap-security-guide-0.1.25.orig/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml scap-security-guide-0.1.25/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml
---- scap-security-guide-0.1.25.orig/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml	2015-08-19 10:54:02.000000000 -0500
-+++ scap-security-guide-0.1.25/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml	2015-12-08 07:33:44.930380583 -0600
-@@ -1,5 +1,5 @@
- <Profile id="stig-rhel7-server-upstream" extends="common">
--<title override="true">Pre-release Draft STIG for Red Hat Enterprise Linux 7 Server</title>
-+<title override="true">Pre-release Draft STIG for CentOS Linux 7 Server</title>
- <description override="true">This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.</description>
- 
- <!-- STIG refinement values. Note these are set by DISA FSO,
-diff -uNrp scap-security-guide-0.1.25.orig/RHEL/7/input/profiles/usgcb-rhel7-server.xml scap-security-guide-0.1.25/RHEL/7/input/profiles/usgcb-rhel7-server.xml
---- scap-security-guide-0.1.25.orig/RHEL/7/input/profiles/usgcb-rhel7-server.xml	2015-08-19 10:54:02.000000000 -0500
-+++ scap-security-guide-0.1.25/RHEL/7/input/profiles/usgcb-rhel7-server.xml	2015-12-08 07:34:34.081261816 -0600
-@@ -1,6 +1,6 @@
- <Profile id="usgcb-rhel7-server">
- <title>United States Government Configuration Baseline (USGCB)</title>
--<description>This profile is a working draft for a USGCB submission against RHEL7 Server.</description>
-+<description>This profile is a working draft for a USGCB submission against CentOS-7 Server.</description>
- 
- <refine-value idref="var_password_pam_unix_remember" selector="5" />
- <refine-value idref="var_accounts_maximum_age_login_defs" selector="60" />
diff --git a/SOURCES/scap-security-guide-0.1.25-downstream-rhel7-pci-dss-disable-selected-rules.patch b/SOURCES/scap-security-guide-0.1.25-downstream-rhel7-pci-dss-disable-selected-rules.patch
deleted file mode 100644
index 40bc76a..0000000
--- a/SOURCES/scap-security-guide-0.1.25-downstream-rhel7-pci-dss-disable-selected-rules.patch
+++ /dev/null
@@ -1,34 +0,0 @@
---- scap-security-guide-0.1.24/RHEL/7/input/profiles/pci-dss.xml.orig	2015-08-03 21:07:57.312866056 +0200
-+++ scap-security-guide-0.1.24/RHEL/7/input/profiles/pci-dss.xml	2015-08-03 21:14:25.502325114 +0200
-@@ -46,15 +46,15 @@
- <select idref="audit_rules_dac_modification_lsetxattr" selected="true"/>
- <select idref="audit_rules_dac_modification_removexattr" selected="true"/>
- <select idref="audit_rules_dac_modification_setxattr" selected="true"/>
--<select idref="audit_rules_login_events" selected="true"/>
-+<!-- <select idref="audit_rules_login_events" selected="true"/> reason: Incorrect OVAL, see: https://github.com/OpenSCAP/scap-security-guide/issues/607 -->
- <select idref="audit_rules_session_events" selected="true"/>
- <select idref="audit_rules_unsuccessful_file_modification" selected="true"/>
--<select idref="audit_rules_privileged_commands" selected="true"/>
-+<!-- <select idref="audit_rules_privileged_commands" selected="true"/> reason: Missing remediation -->
- <select idref="audit_rules_media_export" selected="true"/>
- <select idref="audit_rules_file_deletion_events" selected="true"/>
- <select idref="audit_rules_sysadmin_actions" selected="true"/>
- <select idref="audit_rules_kernel_module_loading" selected="true"/>
--<select idref="audit_rules_immutable" selected="true"/>
-+<!-- <select idref="audit_rules_immutable" selected="true"/> reason: Missing remediation -->
- <select idref="service_chronyd_or_ntpd_enabled" selected="true"/>
- <!-- <select idref="chronyd_specify_remote_server" selected="true"/> reason: needs to be implemented for RHEL-7 for chronyd service -->
- <!-- <select idref="chronyd_specify_multiple_servers" selected="true"/> reason: needs to be implemented for RHEL-7 for chronyd service -->
-@@ -77,9 +77,9 @@
- <select idref="account_disable_post_pw_expiration" selected="true"/>
- <select idref="accounts_passwords_pam_faillock_deny" selected="true"/>
- <select idref="accounts_passwords_pam_faillock_unlock_time" selected="true"/>
--<select idref="dconf_gnome_screensaver_idle_delay" selected="true"/>
--<select idref="dconf_gnome_screensaver_idle_activation_enabled" selected="true"/>
--<select idref="dconf_gnome_screensaver_lock_enabled" selected="true"/>
-+<!-- <select idref="dconf_gnome_screensaver_idle_delay" selected="true"/> reason: Missing remediation -->
-+<!-- <select idref="dconf_gnome_screensaver_idle_activation_enabled" selected="true"/> reason: Missing remediation -->
-+<!-- <select idref="dconf_gnome_screensaver_lock_enabled" selected="true"/> reason: Missing remediation -->
- <!-- <select idref="dconf_gnome_screensaver_mode_blank" selected="true"/> reason: needs to be created for RHEL-7 -->
- <select idref="sshd_set_idle_timeout" selected="true"/>
- <select idref="accounts_password_pam_minlen" selected="true"/>
diff --git a/SOURCES/scap-security-guide-0.1.25-downstream-rhel7-pci-dss-drop-rpm-verify-permissions-rule.patch b/SOURCES/scap-security-guide-0.1.25-downstream-rhel7-pci-dss-drop-rpm-verify-permissions-rule.patch
deleted file mode 100644
index 5a1c0f9..0000000
--- a/SOURCES/scap-security-guide-0.1.25-downstream-rhel7-pci-dss-drop-rpm-verify-permissions-rule.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- scap-security-guide-0.1.25/RHEL/7/input/profiles/pci-dss.xml.orig	2015-10-02 10:52:46.420297787 +0200
-+++ scap-security-guide-0.1.25/RHEL/7/input/profiles/pci-dss.xml	2015-10-02 10:54:06.309879851 +0200
-@@ -56,7 +56,6 @@
- <select idref="service_chronyd_or_ntpd_enabled" selected="true"/>
- <!-- <select idref="chronyd_specify_remote_server" selected="true"/> reason: needs to be implemented for RHEL-7 for chronyd service -->
- <!-- <select idref="chronyd_specify_multiple_servers" selected="true"/> reason: needs to be implemented for RHEL-7 for chronyd service -->
--<select idref="rpm_verify_permissions" selected="true"/>
- <select idref="rpm_verify_hashes" selected="true"/>
- <!-- <select idref="install_hids" selected="true"/> reason: needs to be implemented for both RHEL-6 & RHEL-7 -->
- <!-- <select idref="rsyslog_file_permissions" selected="true"/> reason: needs to be implemented for RHEL-7 -->
diff --git a/SOURCES/scap-security-guide-0.1.30-downstream-rhbz#1357019.patch b/SOURCES/scap-security-guide-0.1.30-downstream-rhbz#1357019.patch
new file mode 100644
index 0000000..a3129fa
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.30-downstream-rhbz#1357019.patch
@@ -0,0 +1,108 @@
+From bfaac3332c7e06b4252746f6da514fd44e74b0e6 Mon Sep 17 00:00:00 2001
+From: Jan Lieskovsky <jlieskov@redhat.com>
+Date: Wed, 10 Aug 2016 15:47:58 +0200
+Subject: [PATCH] [BugFix] [RHEL/7] Rewrite RHEL-7 remediation for
+ 'smartcard_auth' rule since per downstream bug:  
+ https://bugzilla.redhat.com/show_bug.cgi?id=1357019
+
+we can't use 'authconfig' binary direct call, because it will
+discard the changes as performed and required by other remediation
+scripts also touching /etc/pam.d/system-auth{,-ac} file
+
+Therefore return to previous version updating necessary files
+directly via 'sed' tool (rather than using 'authconfig' binary)
+
+Note: While on the rule also update XCCDF link providing further
+info how to setup smartcard auth (since the current one returns
+HTTP 404 Not Found)
+---
+ RHEL/7/input/xccdf/system/accounts/physical.xml |  2 +-
+ RHEL/7/input/remediations/bash/smartcard_auth.sh  | 61 +++++++++++++++++++++++--
+ 2 files changed, 58 insertions(+), 5 deletions(-)
+
+diff --git a/RHEL/7/input/xccdf/system/accounts/physical.xml b/RHEL/7/input/xccdf/system/accounts/physical.xml
+index b3ac250..d229469 100644
+--- a/RHEL/7/input/xccdf/system/accounts/physical.xml
++++ b/RHEL/7/input/xccdf/system/accounts/physical.xml
+@@ -375,7 +375,7 @@ is not enabled by default and must be enabled in the system settings.
+ <description>
+ To enable smart card authentication, consult the documentation at:
+ <ul>
+-<li><b>https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/System-Level_Authentication_Guide/authconfig-addl-auth.html#authconfig-smartcard</b></li>
++<li><b>https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards</b></li>
+ </ul>
+ For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at:
+ <ul>
+diff --git a/RHEL/7/input/remediations/bash/smartcard_auth.sh b/RHEL/7/input/remediations/bash/smartcard_auth.sh
+index 6292515..2fe5cc8 100644
+--- a/RHEL/7/input/remediations/bash/smartcard_auth.sh
++++ b/RHEL/7/input/remediations/bash/smartcard_auth.sh
+@@ -8,11 +8,64 @@ package_command install pam_pkcs11
+ # Enable pcscd.socket systemd activation socket
+ service_command enable pcscd.socket
+ 
+-# Enable smartcard authentication (but allow also other ways
+-# to login not to possibly cut off the system in question)
+-/usr/sbin/authconfig --enablesmartcard --updateall
++# Configure the expected /etc/pam.d/system-auth{,-ac} settings directly
++#
++# The code below will configure system authentication in the way smart card
++# logins will be enabled, but also user login(s) via other method to be allowed
++#
++# NOTE: It is not possible to use the 'authconfig' command to perform the
++#       remediation for us, because call of 'authconfig' would discard changes
++#       for other remediations (see RH BZ#1357019 for details)
++#
++#	Therefore we need to configure the necessary settings directly.
++#
+ 
+-# Define constants to be reused below
++# Define system-auth config location
++SYSTEM_AUTH_CONF="/etc/pam.d/system-auth"
++# Define expected 'pam_env.so' row in $SYSTEM_AUTH_CONF
++PAM_ENV_SO="auth.*required.*pam_env.so"
++
++# Define 'pam_succeed_if.so' row to be appended past $PAM_ENV_SO row into $SYSTEM_AUTH_CONF
++SYSTEM_AUTH_PAM_SUCCEED="\
++auth        \[success=1 default=ignore\] pam_succeed_if.so service notin \
++login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid"
++# Define 'pam_pkcs11.so' row to be appended past $SYSTEM_AUTH_PAM_SUCCEED
++# row into SYSTEM_AUTH_CONF file
++SYSTEM_AUTH_PAM_PKCS11="\
++auth        \[success=done authinfo_unavail=ignore ignore=ignore default=die\] \
++pam_pkcs11.so nodebug"
++
++# Define smartcard-auth config location
++SMARTCARD_AUTH_CONF="/etc/pam.d/smartcard-auth"
++# Define 'pam_pkcs11.so' auth section to be appended past $PAM_ENV_SO into $SMARTCARD_AUTH_CONF
++SMARTCARD_AUTH_SECTION="\
++auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only"
++# Define expected 'pam_permit.so' row in $SMARTCARD_AUTH_CONF
++PAM_PERMIT_SO="account.*required.*pam_permit.so"
++# Define 'pam_pkcs11.so' password section
++SMARTCARD_PASSWORD_SECTION="\
++password    required      pam_pkcs11.so"
++
++# First Correct the SYSTEM_AUTH_CONF configuration
++if ! grep -q 'pam_pkcs11.so' "$SYSTEM_AUTH_CONF"
++then
++	# Append (expected) pam_succeed_if.so row past the pam_env.so into SYSTEM_AUTH_CONF file
++	sed -i --follow-symlinks -e '/^'"$PAM_ENV_SO"'/a '"$SYSTEM_AUTH_PAM_SUCCEED" "$SYSTEM_AUTH_CONF"
++	# Append (expected) pam_pkcs11.so row past the pam_succeed_if.so into SYSTEM_AUTH_CONF file
++	sed -i --follow-symlinks -e '/^'"$SYSTEM_AUTH_PAM_SUCCEED"'/a '"$SYSTEM_AUTH_PAM_PKCS11" "$SYSTEM_AUTH_CONF"
++fi
++
++# Then also correct the SMARTCARD_AUTH_CONF
++if ! grep -q 'pam_pkcs11.so' "$SMARTCARD_AUTH_CONF"
++then
++	# Append (expected) SMARTCARD_AUTH_SECTION row past the pam_env.so into SMARTCARD_AUTH_CONF file
++	sed -i --follow-symlinks -e '/^'"$PAM_ENV_SO"'/a '"$SMARTCARD_AUTH_SECTION" "$SMARTCARD_AUTH_CONF"
++	# Append (expected) SMARTCARD_PASSWORD_SECTION row past the pam_permit.so into SMARTCARD_AUTH_CONF file
++	sed -i --follow-symlinks -e '/^'"$PAM_PERMIT_SO"'/a '"$SMARTCARD_PASSWORD_SECTION" "$SMARTCARD_AUTH_CONF"
++fi
++
++# Perform /etc/pam_pkcs11/pam_pkcs11.conf settings below
++# Define selected constants for later reuse
+ SP="[:space:]"
+ PAM_PKCS11_CONF="/etc/pam_pkcs11/pam_pkcs11.conf"
+ 
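Review bot: The two `grep -q 'pam_pkcs11.so'` guards in smartcard_auth.sh match any occurrence of the module name, including a commented-out row, so a file that only carries `#auth ... pam_pkcs11.so` is treated as already configured and left unchanged. Anchoring the guard to an active row avoids that, e.g. `grep -q '^[[:space:]]*auth.*pam_pkcs11\.so' "$SYSTEM_AUTH_CONF"`. The `sed ... /a` calls also change nothing when no line starts with `auth.*required.*pam_env.so`, and nothing checks the result afterwards, so the remediation can finish without the rows being added. Re-running the same grep after the edits and reporting a miss would surface this. The script continues outside the hunk.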
diff --git a/SOURCES/scap-security-guide-0.1.30-downstream-rhel7-pci-dss-drop-rpm-verify-permissions-rule.patch b/SOURCES/scap-security-guide-0.1.30-downstream-rhel7-pci-dss-drop-rpm-verify-permissions-rule.patch
new file mode 100644
index 0000000..0fc79df
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.30-downstream-rhel7-pci-dss-drop-rpm-verify-permissions-rule.patch
@@ -0,0 +1,10 @@
+--- scap-security-guide-0.1.30/RHEL/7/input/profiles/pci-dss.xml.orig	2016-06-22 16:59:38.965107812 +0200
++++ scap-security-guide-0.1.30/RHEL/7/input/profiles/pci-dss.xml	2016-06-22 17:00:06.538687935 +0200
+@@ -57,7 +57,6 @@
+ <select idref="service_chronyd_or_ntpd_enabled" selected="true"/>
+ <select idref="chronyd_or_ntpd_specify_remote_server" selected="true"/>
+ <select idref="chronyd_or_ntpd_specify_multiple_servers" selected="true"/>
+-<select idref="rpm_verify_permissions" selected="true"/>
+ <select idref="rpm_verify_hashes" selected="true"/>
+ <select idref="install_hids" selected="true"/>
+ <select idref="rsyslog_files_permissions" selected="true"/>
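Review bot: Removing `rpm_verify_permissions` from the PCI-DSS profile leaves no trace in pci-dss.xml of why the rule is unselected; the only rationale on this page is the spec comment that calls the drop temporary and cites RH BZ#1267861. The downstream patch deleted earlier in this commit kept such rules as commented-out selects with a reason, and the same form would work here: `<!-- <select idref="rpm_verify_permissions" selected="true"/> reason: temporarily dropped, see RH BZ#1267861 -->`. That keeps the gap in file-permission verification visible to anyone auditing the profile.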
diff --git a/SOURCES/scap-security-guide-0.1.30-rhbz#1344581.patch b/SOURCES/scap-security-guide-0.1.30-rhbz#1344581.patch
new file mode 100644
index 0000000..e9d4f21
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.30-rhbz#1344581.patch
@@ -0,0 +1,96 @@
+From 2276972999ecb8c54ddea8ad40bdc15a7ea86a3a Mon Sep 17 00:00:00 2001
+From: Jan Lieskovsky <jlieskov@redhat.com>
+Date: Fri, 1 Jul 2016 15:02:12 +0200
+Subject: [PATCH] [BugFix] Enhance the OVAL checks for: *
+ accounts_passwords_pam_faillock_deny_root *
+ accounts_passwords_pam_faillock_deny
+
+rules to work properly also in case sssd package is installed
+and sssd daemon is running
+
+Fixes downstream: https://bugzilla.redhat.com/show_bug.cgi?id=1344581
+---
+ RHEL/7/input/oval/accounts_passwords_pam_faillock_deny_root.xml | 8 ++++----
+ shared/oval/accounts_passwords_pam_faillock_deny.xml            | 8 ++++----
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/RHEL/7/input/oval/accounts_passwords_pam_faillock_deny_root.xml b/RHEL/7/input/oval/accounts_passwords_pam_faillock_deny_root.xml
+index 50f2e5a..7b60d22 100644
+--- a/RHEL/7/input/oval/accounts_passwords_pam_faillock_deny_root.xml
++++ b/RHEL/7/input/oval/accounts_passwords_pam_faillock_deny_root.xml
+@@ -34,7 +34,7 @@
+     <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
+     <!-- Since order of PAM modules matters ensure pam_faillock.so preauth silent in auth section is listed before
+          pam_unix.so module in auth section -->
+-    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*[^\n]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
++    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
+     <!-- Check only the first instance -->
+     <ind:instance datatype="int" operation="equals">1</ind:instance>
+   </ind:textfilecontent54_object>
+@@ -51,7 +51,7 @@
+     <ind:behaviors singleline="true" />
+     <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
+     <!-- Since order of PAM modules matters ensure pam_faillock.so in auth section is listed right after pam_unix.so auth row -->
+-    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*even_deny_root[^\n]*[\n]</ind:pattern>
++    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]+(?s).*[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*even_deny_root[^\n]*[\n]</ind:pattern>
+     <!-- Check only the first instance -->
+     <ind:instance datatype="int" operation="equals">1</ind:instance>
+   </ind:textfilecontent54_object>
+@@ -69,7 +69,7 @@
+     <ind:filepath>/etc/pam.d/password-auth</ind:filepath>
+     <!-- Since order of PAM modules matters ensure pam_faillock.so preauth silent in auth section is listed before
+          pam_unix.so module in auth section -->
+-    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*[^\n]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
++    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
+     <!-- Check only the first instance -->
+     <ind:instance datatype="int" operation="equals">1</ind:instance>
+   </ind:textfilecontent54_object>
+@@ -86,7 +86,7 @@
+     <ind:behaviors singleline="true" />
+     <ind:filepath>/etc/pam.d/password-auth</ind:filepath>
+     <!-- Since order of PAM modules matters ensure pam_faillock.so in auth section is listed right after pam_unix.so auth row -->
+-    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*even_deny_root[^\n]*[\n]</ind:pattern>
++    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]+(?s).*[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*even_deny_root[^\n]*[\n]</ind:pattern>
+     <!-- Check only the first instance -->
+     <ind:instance datatype="int" operation="equals">1</ind:instance>
+   </ind:textfilecontent54_object>
+diff --git a/shared/oval/accounts_passwords_pam_faillock_deny.xml b/shared/oval/accounts_passwords_pam_faillock_deny.xml
+index 96b5043..0923dc9 100644
+--- a/shared/oval/accounts_passwords_pam_faillock_deny.xml
++++ b/shared/oval/accounts_passwords_pam_faillock_deny.xml
+@@ -51,7 +51,7 @@
+     <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
+     <!-- Since order of PAM modules matters ensure pam_faillock.so preauth silent in auth section is listed before
+          pam_unix.so module in auth section -->
+-    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*deny=([0-9]+)[\s]*[^\n]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
++    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
+     <!-- Check only the first instance -->
+     <ind:instance datatype="int" operation="equals">1</ind:instance>
+   </ind:textfilecontent54_object>
+@@ -69,7 +69,7 @@
+     <ind:behaviors singleline="true" />
+     <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
+     <!-- Since order of PAM modules matters ensure pam_faillock.so in auth section is listed right after pam_unix.so auth row -->
+-    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*deny=([0-9]+)[^\n]*[\n]</ind:pattern>
++    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]+(?s).*[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*deny=([0-9]+)[^\n]*[\n]</ind:pattern>
+     <!-- Check only the first instance -->
+     <ind:instance datatype="int" operation="equals">1</ind:instance>
+   </ind:textfilecontent54_object>
+@@ -106,7 +106,7 @@
+     <ind:filepath>/etc/pam.d/password-auth</ind:filepath>
+     <!-- Since order of PAM modules matters ensure pam_faillock.so preauth silent in auth section is listed before
+          pam_unix.so module in auth section -->
+-    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*deny=([0-9]+)[\s]*[^\n]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
++    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
+     <!-- Check only the first instance -->
+     <ind:instance datatype="int" operation="equals">1</ind:instance>
+   </ind:textfilecontent54_object>
+@@ -124,7 +124,7 @@
+     <ind:behaviors singleline="true" />
+     <ind:filepath>/etc/pam.d/password-auth</ind:filepath>
+     <!-- Since order of PAM modules matters ensure pam_faillock.so in auth section is listed right after pam_unix.so auth row -->
+-    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*deny=([0-9]+)[^\n]*[\n]</ind:pattern>
++    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]+(?s).*[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*deny=([0-9]+)[^\n]*[\n]</ind:pattern>
+     <!-- Check only the first instance -->
+     <ind:instance datatype="int" operation="equals">1</ind:instance>
+   </ind:textfilecontent54_object>
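Review bot: In the new patterns the alternative `\[.*default=die.*\]` uses an unbounded `.` inside the bracket, and the objects whose context is visible set `singleline="true"`, so the wildcard can presumably run past the closing bracket and across line ends before it reaches `pam_unix\.so`. Bounding it to one control field, `\[[^\]\n]*default=die[^\]\n]*\]`, keeps the match on a single auth row; this applies to all eight changed patterns in both OVAL files. The added `(?s).*` also allows any number of rows between the two modules, so the comments saying pam_faillock.so is listed "right after" the pam_unix.so row no longer describe the check and should say "after".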
diff --git a/SOURCES/scap-security-guide-0.1.30-rhbz#1351541.patch b/SOURCES/scap-security-guide-0.1.30-rhbz#1351541.patch
new file mode 100644
index 0000000..f775f47
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.30-rhbz#1351541.patch
@@ -0,0 +1,22 @@
+From e4d8a19ff626f416a4972344b529ff9fd5bc1c6f Mon Sep 17 00:00:00 2001
+From: Jan Lieskovsky <jlieskov@redhat.com>
+Date: Thu, 30 Jun 2016 14:30:52 +0200
+Subject: [PATCH] [BugFix] [RHEL/6] Make the title of the RHEL-6
+ stig-rhel6-server-gui-upstream profile consistent with its RHEL-7 equivalent
+
+Fixes #1319
+---
+ RHEL/6/input/profiles/stig-rhel6-server-gui-upstream.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/RHEL/6/input/profiles/stig-rhel6-server-gui-upstream.xml b/RHEL/6/input/profiles/stig-rhel6-server-gui-upstream.xml
+index 669ac2b..d5351d8 100644
+--- a/RHEL/6/input/profiles/stig-rhel6-server-gui-upstream.xml
++++ b/RHEL/6/input/profiles/stig-rhel6-server-gui-upstream.xml
+@@ -1,5 +1,5 @@
+ <Profile id="stig-rhel6-server-gui-upstream" extends="stig-rhel6-server-upstream">
+-<title override="true">Upstream STIG for Red Hat Enterprise Linux 6 Server</title>
++<title override="true">Upstream STIG for Red Hat Enterprise Linux 6 Server Running GUIs</title>
+ <description override="true">This profile is developed under the DoD consensus model and DISA FSO Vendor STIG process,
+ serving as the upstream development environment for the Red Hat Enterprise Linux 6 Server STIG.
+ 
diff --git a/SOURCES/scap-security-guide-0.1.30-rhbz#1351751.patch b/SOURCES/scap-security-guide-0.1.30-rhbz#1351751.patch
new file mode 100644
index 0000000..862fd9d
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.30-rhbz#1351751.patch
@@ -0,0 +1,144 @@
+From 989cb130cb7d03f27294313c3ee2f1f4d61568db Mon Sep 17 00:00:00 2001
+From: Jan Lieskovsky <jlieskov@redhat.com>
+Date: Tue, 28 Jun 2016 13:04:24 +0200
+Subject: [PATCH 1/2] [Enhancement] [RHEL/6] [RHEL/7] Include the generated
+ HTML tables for RHEL-6 and RHEL-7 products into the produced RPM package
+
+Part of #1297
+---
+ RHEL/6/Makefile             |  5 +++--
+ RHEL/7/Makefile             |  2 ++
+ scap-security-guide.spec.in | 36 +++++++++++++++++++++++-------------
+ 3 files changed, 28 insertions(+), 15 deletions(-)
+
+diff --git a/RHEL/6/Makefile b/RHEL/6/Makefile
+index 782d0f7..ac7d74e 100644
+--- a/RHEL/6/Makefile
++++ b/RHEL/6/Makefile
+@@ -69,8 +69,7 @@ table-stigs: $(OUT)/xccdf-unlinked-final.xml table-srgmap checks
+ 		$(TRANS)/xccdf-apply-overlay-stig.xslt $<
+ 	xsltproc -o $(OUT)/table-$(PROD)-stig.html $(TRANS)/xccdf2table-stig.xslt $(OUT)/unlinked-stig-$(PROD)-xccdf.xml
+ 
+-tables: table-refs table-idents table-stigs
+-#tables: table-refs table-idents table-srgmap table-stigs
++tables: table-refs table-idents table-srgmap table-stigs
+ 
+ content: $(OUT)/xccdf-unlinked-final.xml checks
+ 	cp $< $(OUT)/unlinked-$(PROD)-xccdf.xml
+@@ -180,6 +179,8 @@ dist: tables guide content
+ 	cp $(OUT)/$(ID)-$(PROD)-cpe-dictionary.xml $(DIST)/content
+ 	cp $(OUT)/$(ID)-$(PROD)-cpe-oval.xml $(DIST)/content
+ 	cp $(OUT)/$(ID)-$(PROD)-ds.xml $(DIST)/content
++	mkdir -p $(DIST)/tables
++	cp $(OUT)/table-*.{x,}html $(DIST)/tables
+ 	mkdir -p $(DIST)/guide
+ 	cp $(OUT)/*-guide-*.html $(DIST)/guide
+ 	cp $(OUT)/$(ID)-centos6-xccdf.xml $(DIST)/content
+diff --git a/RHEL/7/Makefile b/RHEL/7/Makefile
+index fc9f284..0cafa7c 100644
+--- a/RHEL/7/Makefile
++++ b/RHEL/7/Makefile
+@@ -183,6 +183,8 @@ dist: tables guide content
+ 	cp $(OUT)/$(ID)-$(PROD)-cpe-dictionary.xml $(DIST)/content
+ 	cp $(OUT)/$(ID)-$(PROD)-cpe-oval.xml $(DIST)/content
+ 	cp $(OUT)/$(ID)-$(PROD)-ds.xml $(DIST)/content
++	mkdir -p $(DIST)/tables
++	cp $(OUT)/table-*.{x,}html $(DIST)/tables
+ 	mkdir -p $(DIST)/guide
+ 	cp $(OUT)/*-guide-*.html $(DIST)/guide
+ 	cp $(OUT)/$(ID)-centos7-xccdf.xml $(DIST)/content
+diff --git a/scap-security-guide.spec.in b/scap-security-guide.spec.in
+index ae3cc05..6fbb800 100644
+--- a/scap-security-guide.spec.in
++++ b/scap-security-guide.spec.in
+@@ -82,30 +82,40 @@ rm %{buildroot}%{_datadir}/xml/scap/ssg/content/*-cpe-dictionary.xml
+ # We do this after the filtering on Fedora because we don't ship JBossEAP5 datastreams
+ cp -a JBossEAP5/eap5-* %{buildroot}%{_datadir}/xml/scap/ssg/content/
+ 
+-# Docs
+-mkdir -p %{buildroot}/%{_docdir}/%{name}/guides
+-cp -a RHEL/6/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}/guides
+-cp -a RHEL/7/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}/guides
+-cp -a Firefox/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}/guides
+-cp -a JRE/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}/guides
++# Add in HTML tables for selected products
++mkdir -p %{buildroot}/%{_docdir}/%{name}-%{version}/tables
++cp -a RHEL/6/dist/tables/* %{buildroot}/%{_docdir}/%{name}-%{version}/tables
++cp -a RHEL/7/dist/tables/* %{buildroot}/%{_docdir}/%{name}-%{version}/tables
++
++# Add in LICENSE and README.md
++cp -a LICENSE README.md %{buildroot}/%{_docdir}/%{name}-%{version}
++
++# scap-security-guide-doc subpackage contains just HTML guides for supported products
++mkdir -p %{buildroot}/%{_docdir}/%{name}-%{version}/guides
++cp -a RHEL/6/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}-%{version}/guides
++cp -a RHEL/7/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}-%{version}/guides
++cp -a Firefox/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}-%{version}/guides
++cp -a JRE/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}-%{version}/guides
+ # outside of the normal build system, different guide
+-cp -a JBossEAP5/docs/JBossEAP5_Guide.html %{buildroot}/%{_docdir}/%{name}/guides
++cp -a JBossEAP5/docs/JBossEAP5_Guide.html %{buildroot}/%{_docdir}/%{name}-%{version}/guides
+ 
+ %if 0%{?fedora}
+-cp -a Fedora/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}/guides
+-cp -a Chromium/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}/guides
+-#cp -a Webmin/output/*-guide-*.html %{buildroot}/%{_defaultdocdir}/%{name}/guides
++cp -a Fedora/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}-%{version}/guides
++cp -a Chromium/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}-%{version}/guides
++#cp -a Webmin/output/*-guide-*.html %{buildroot}/%{_defaultdocdir}/%{name}-%{version}/guides
+ %endif
+ 
+ %files
+ %{_datadir}/xml/scap
+ %{_datadir}/%{name}
+ %lang(en) %{_mandir}/en/man8/scap-security-guide.8.*
+-%doc LICENSE
+-%doc README.md
++%doc %{_docdir}/%{name}-%{version}/tables/*.html
++%doc %{_docdir}/%{name}-%{version}/tables/*.xhtml
++%doc %{_docdir}/%{name}-%{version}/LICENSE
++%doc %{_docdir}/%{name}-%{version}/README.md
+ 
+ %files doc
+-%doc %{_docdir}/%{name}/guides/*.html
++%doc %{_docdir}/%{name}-%{version}/guides/*.html
+ 
+ %changelog
+ * __DATE__ __REL_MANAGER__ <__REL_MANAGER_MAIL__> __VERSION__-__RELEASE__
+
+From 33ea7d73d7a53b465c15ac6289fe8833749622dc Mon Sep 17 00:00:00 2001
+From: Jan Lieskovsky <jlieskov@redhat.com>
+Date: Tue, 28 Jun 2016 18:50:17 +0200
+Subject: [PATCH 2/2] [Enhancement][RHEL/6][RHEL/7] Provide currently available
+ RHEL-6 and RHEL-7 kickstart files in the produced RPM package
+
+Fixes (together with previous commit): #1297
+---
+ scap-security-guide.spec.in | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/scap-security-guide.spec.in b/scap-security-guide.spec.in
+index 6fbb800..056e84c 100644
+--- a/scap-security-guide.spec.in
++++ b/scap-security-guide.spec.in
+@@ -90,6 +90,11 @@ cp -a RHEL/7/dist/tables/* %{buildroot}/%{_docdir}/%{name}-%{version}/tables
+ # Add in LICENSE and README.md
+ cp -a LICENSE README.md %{buildroot}/%{_docdir}/%{name}-%{version}
+ 
++# Add in kickstart files for selected products
++mkdir -p %{buildroot}%{_datadir}/%{name}/kickstart
++cp -a RHEL/6/kickstart/*-ks.cfg %{buildroot}%{_datadir}/%{name}/kickstart
++cp -a RHEL/7/kickstart/*-ks.cfg %{buildroot}%{_datadir}/%{name}/kickstart
++
+ # scap-security-guide-doc subpackage contains just HTML guides for supported products
+ mkdir -p %{buildroot}/%{_docdir}/%{name}-%{version}/guides
+ cp -a RHEL/6/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}-%{version}/guides
+@@ -107,7 +112,7 @@ cp -a Chromium/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}-%{version}/
+ 
+ %files
+ %{_datadir}/xml/scap
+-%{_datadir}/%{name}
++%{_datadir}/%{name}/kickstart
+ %lang(en) %{_mandir}/en/man8/scap-security-guide.8.*
+ %doc %{_docdir}/%{name}-%{version}/tables/*.html
+ %doc %{_docdir}/%{name}-%{version}/tables/*.xhtml
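Review bot: The added recipe line `cp $(OUT)/table-*.{x,}html $(DIST)/tables` in both the RHEL/6 and RHEL/7 Makefiles relies on brace expansion, which make's default `/bin/sh` performs only when that shell is bash. Unless the Makefile sets `SHELL` (not visible here), a POSIX sh would pass the pattern through literally and the copy would fail. Spelling the globs out is portable: `cp $(OUT)/table-*.html $(OUT)/table-*.xhtml $(DIST)/tables`. Separately, the second patch narrows `%files` from `%{_datadir}/%{name}` to `%{_datadir}/%{name}/kickstart`, which leaves the parent directory unowned by the package; a `%dir %{_datadir}/%{name}` entry would cover it.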
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index 38b27ba..8fa6808 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -1,20 +1,20 @@
-%global		redhatssgversion	25
+%global		redhatssgversion	30
 
 Name:		scap-security-guide
 Version:	0.1.%{redhatssgversion}
-Release:	3%{?dist}.0.1
+Release:	3%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 
 Group:		System Environment/Base
 License:	Public Domain
 URL:		https://github.com/OpenSCAP/scap-security-guide
 Source0:	%{name}-%{version}.tar.gz
-Patch1:		scap-security-guide-0.1.19-rhel7-drop-cpuspeed-rule-since-obsolete.patch
-Patch2:		scap-security-guide-0.1.25-update-upstream-manual-page.patch
-Patch3:		scap-security-guide-0.1.25-add-adjtimex-settimeofday-stime-rhel7-remediation.patch
-Patch4:		scap-security-guide-0.1.25-downstream-rhel7-pci-dss-disable-selected-rules.patch
-Patch5:		scap-security-guide-0.1.25-downstream-rhel7-pci-dss-drop-rpm-verify-permissions-rule.patch
-Patch99:	scap-security-guide-0.1.25-centos-menu-branding.patch
+Patch1:		scap-security-guide-0.1.25-update-upstream-manual-page.patch
+Patch2:		scap-security-guide-0.1.30-downstream-rhel7-pci-dss-drop-rpm-verify-permissions-rule.patch
+Patch3:		scap-security-guide-0.1.30-rhbz#1351541.patch
+Patch4:		scap-security-guide-0.1.30-rhbz#1344581.patch
+Patch5:		scap-security-guide-0.1.30-rhbz#1351751.patch
+Patch6:		scap-security-guide-0.1.30-downstream-rhbz#1357019.patch
 BuildArch:	noarch
 
 BuildRequires:	libxslt, expat, python, openscap-scanner >= 1.2.5, python-lxml
@@ -42,28 +42,23 @@ been generated from XCCDF benchmarks present in %{name} package.
 
 %prep
 %setup -q -n %{name}-%{version}
-# Drop cpuspeed rule since obsoleted in Fedora-16 by cpupower from kernel-tools RPM
-# http://marc.info/?l=fedora-devel-list&m=131107769617369&w=2
-%patch1 -p1 -b .drop-cpuspeed
 # Update manual page to drop the part dedicated to Fedora content
-%patch2 -p1 -b .man_page_update
-# Downstream -- Add RHEL-7 remediation for 'audit_rules_time_adjtimex', 'audit_rules_time_settimeofday', and
-# 'audit_rules_time_stime' rules
-%patch3 -p1 -b .adjtimex_settimeofday_stime
-# Downstream
-# RHEL-7 PCI-DSS profile disable selected rules:
-# * dconf_gnome_screensaver_idle_delay -- missing RHEL-7 remediation
-# * dconf_gnome_screensaver_idle_activation -- missing RHEL-7 remediation
-# * dconf_gnome_screensaver_lock_enabled -- missing RHEL-7 remediation
-# * audit_rules_login_events -- incorrect OVAL, see https://github.com/OpenSCAP/scap-security-guide/issues/607
-# * audit_rules_privileged_commands -- missing RHEL-7 remediation, and
-# * audit_rules_immutable -- missing RHEL-7 remediation
-%patch4 -p1 -b .rhel7_pcidss_downstream_disabled
+%patch1 -p1 -b .man_page_update
 # Temporarily drop "Verify and Correct File Permissions with RPM"
 # rule from RHEL-7's PCI-DSS profile (RH BZ#1267861)
-%patch5 -p1 -b .rhel7_pcidss_drop_rpm_verify_permissions_rule
-
-%patch99 -p1 -b .centos
+%patch2 -p1 -b .rhel7_pcidss_drop_rpm_verify_permissions_rule
+# Fix for RHBZ#1351541
+%patch3 -p1 -b .rhbz#1351541
+# Fix for RHBZ#1344581
+%patch4 -p1 -b .rhbz#1344581
+# Fix for RHBZ#1351751
+%patch5 -p1 -b .rhbz#1351751
+# Downstream fix for RHBZ#1357019 (slightly differs from upstream
+# https://patch-diff.githubusercontent.com/raw/OpenSCAP/scap-security-guide/pull/1388.patch
+# version because 'smartcard-auth.sh' remediation in upstream got moved
+# to different location already). The rest of the change (except the path)
+# is identical with upstream form
+%patch6 -p1 -b .rhbz#1357019
 
 %build
 (cd RHEL/7 && make dist)
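Review bot: The comments `# Fix for RHBZ#1351541`, `# Fix for RHBZ#1344581` and `# Fix for RHBZ#1351751` above `%patch3` to `%patch5` give only a bug number, while the neighbouring entries say what each patch changes. A one-line summary taken from the patch subjects would let a reader see which security content is altered without opening the tracker. For example, `# Make pam_faillock deny OVAL checks work when sssd is installed (RHBZ#1344581)` and `# Ship HTML tables and kickstart files in the RPM (RHBZ#1351751)`.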
@@ -79,12 +74,12 @@ mkdir -p %{buildroot}%{_mandir}/en/man8/
 # Add in RHEL-7 core content (SCAP)
 cp -a RHEL/7/dist/content/ssg-rhel7-cpe-dictionary.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
 cp -a RHEL/7/dist/content/ssg-rhel7-cpe-oval.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
-cp -a RHEL/7/dist/content/ssg-centos7-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
+cp -a RHEL/7/dist/content/ssg-rhel7-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
 cp -a RHEL/7/dist/content/ssg-rhel7-oval.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
-cp -a RHEL/7/dist/content/ssg-centos7-xccdf.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
+cp -a RHEL/7/dist/content/ssg-rhel7-xccdf.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
 
 # Add in RHEL-6 datastream (SCAP)
-cp -a RHEL/6/dist/content/ssg-centos6-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content
+cp -a RHEL/6/dist/content/ssg-rhel6-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content
 
 # Add in Firefox datastream (SCAP)
 cp -a Firefox/dist/content/ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content
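Review bot: The installed datastream and XCCDF names change here from `ssg-centos7-*` and `ssg-centos6-ds.xml` to `ssg-rhel7-*` and `ssg-rhel6-ds.xml` (the guide names in `%files doc` further down change too), so any scan job, kickstart or `oscap` invocation that references the old paths under `%{_datadir}/xml/scap/ssg/content/` loses its input after the update. None of the new changelog entries records this or the removal of `%patch99`, and the old 0.1.25-3.centos.0.1 entry is deleted. If the package is still built for CentOS, the RHEL-named content may also evaluate as not applicable through its platform check; that cannot be confirmed from this diff. I would add a changelog line such as `- Install RHEL-named SCAP content (ssg-rhel6-*, ssg-rhel7-*); CentOS branding patch dropped`. The `%install` section starts and ends outside this hunk.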
@@ -92,16 +87,10 @@ cp -a Firefox/dist/content/ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/s
 # Add in Java Runtime Environment (JRE) datastream (SCAP)
 cp -a JRE/dist/content/ssg-jre-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content
 
-# Add in library for remediations
-mkdir -p %{buildroot}%{_datadir}/%{name}
-cp -a shared/fixes/bash/templates/remediation_functions %{buildroot}%{_datadir}/%{name}/remediation_functions
-
-# Add in RHEL-6 kickstart files
+# Add in currently available kickstart files
 mkdir -p %{buildroot}%{_datadir}/%{name}/kickstart
-cp -a RHEL/6/kickstart/ssg-rhel6-stig-ks.cfg  %{buildroot}%{_datadir}/%{name}/kickstart/
-cp -a RHEL/6/kickstart/ssg-rhel6-usgcb-server-with-gui-ks.cfg %{buildroot}%{_datadir}/%{name}/kickstart/
-# Add in RHEL-7 kickstart files
-cp -a RHEL/7/kickstart/ssg-rhel7-pci-dss-server-with-gui-oaa-ks.cfg %{buildroot}%{_datadir}/%{name}/kickstart/
+cp -a RHEL/6/kickstart/*-ks.cfg %{buildroot}%{_datadir}/%{name}/kickstart
+cp -a RHEL/7/kickstart/*-ks.cfg %{buildroot}%{_datadir}/%{name}/kickstart
 
 # Add in manpage
 cp -a docs/scap-security-guide.8 %{buildroot}%{_mandir}/en/man8/scap-security-guide.8
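Review bot: The two `*-ks.cfg` globs make the set of shipped kickstart files depend on whatever the tarball contains, whereas the removed lines named three specific files. Kickstarts are install-time configuration, and (not visible here) such files can carry placeholder credentials or service choices, so a new one appearing upstream should be a packager decision, not an automatic addition. Both copies also land in the same directory, so a name present under both `RHEL/6` and `RHEL/7` would be overwritten silently. If the glob stays, say so in a comment, for example `# Glob is intentional (RHBZ#1351751): review RHEL/{6,7}/kickstart/ on every rebase`, or list the expected files explicitly in `%files` so that an unexpected one fails the build. The `%install` section starts outside this hunk.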
@@ -111,16 +100,46 @@ cp -a docs/scap-security-guide.8 %{buildroot}%{_mandir}/en/man8/scap-security-gu
 %{_datadir}/xml/scap
 %{_datadir}/%{name}
 %lang(en) %{_mandir}/en/man8/scap-security-guide.8.gz
-%doc ./LICENSE RHEL/6/output/table-rhel6-cces.html RHEL/7/output/table-rhel7-cces.html RHEL/6/output/table-rhel6-nistrefs-common.html RHEL/6/output/table-rhel6-nistrefs.html RHEL/6/output/table-rhel6-srgmap-flat.html RHEL/6/output/table-rhel6-srgmap-flat.xhtml RHEL/6/output/table-rhel6-srgmap.html RHEL/6/output/table-rhel6-stig.html RHEL/6/input/auxiliary/DISCLAIMER
+%doc RHEL/6/dist/tables/*.html
+%doc RHEL/6/dist/tables/*.xhtml
+%doc RHEL/7/dist/tables/*.html
+%doc RHEL/7/dist/tables/*.xhtml
+%doc ./LICENSE
+%doc RHEL/6/input/auxiliary/DISCLAIMER
 
 %files doc
 %defattr(-,root,root,-)
-%doc RHEL/6/output/ssg-centos6-guide-*.html RHEL/7/output/ssg-centos7-guide-*.html JRE/output/ssg-jre-guide-*.html Firefox/output/ssg-firefox-guide-*.html
+%doc RHEL/6/output/ssg-rhel6-guide-*.html
+%doc RHEL/7/output/ssg-rhel7-guide-*.html
+%doc JRE/output/ssg-jre-guide-*.html
+%doc Firefox/output/ssg-firefox-guide-*.html
 
 %changelog
-* Wed Nov 25 2015 brian@bstinson.com 0.1.25-3.centos.0.1
-- Use the CentOS SCAP content 
-- scap-security-guide-0.1.25-centos-menu-branding.patch
+* Wed Aug 10 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.30-3
+- Correct the remediation script for 'Enable Smart Card Login' rule
+  for Red Hat Enterprise Linux 7 (RH BZ#1357019)
+
+* Thu Jul 14 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.30-2
+- Fix issue of two STIG profiles for Red Hat Enterprise Linux 6 benchmark
+  having the identical title (RH BZ#1351541)
+- Enhance the shared OVAL check for 'Set Deny For Failed Password Attempts'
+  rule and also Red Hat Enterprise Linux 7 OVAL check for 'Configure the root
+  Account for Failed Password Attempts' rule to report correct system status
+  WRT to these requirements also in the case the SSSD daemon is used
+  (RH BZ#1344581)
+- Include currently available kickstart files and produced HTML tables for
+  Red Hat Enterprise Linux 6 and 7 products into the produced RPM package
+  (RH BZ#1351751)
+
+* Wed Jun 22 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.30-1
+- Update to upstream's 0.1.30 release:
+  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.30
+  (RH BZ#1289533)
+- Drop remediation functions library since starting from 0.1.30 release
+  remediation scripts are part of the benchmarks directly
+- Drop three patches that have been accepted upstream in the meantime
+- Update drop-rpm-verify-permissions-rule patch to work properly against
+  0.1.30 release
 
 * Fri Oct 02 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.25-3
 - Drop "Verify and Correct File Permissions with RPM" rule from the PCI-DSS