diff --git a/.gitignore b/.gitignore
index 3b17f94..20df2b2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/scap-security-guide-0.1.19.tar.gz
+SOURCES/scap-security-guide-0.1.25.tar.gz
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
index 511f55a..7038a45 100644
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@@ -1 +1 @@
-f7257eb00ab18acda843d41851a430268d6bba30 SOURCES/scap-security-guide-0.1.19.tar.gz
+1dc2e85ad80098968485bc75050697abc40143d4 SOURCES/scap-security-guide-0.1.25.tar.gz
diff --git a/SOURCES/scap-security-guide-0.1.19-rhel7-drop-restorecond-since-in-optional.patch b/SOURCES/scap-security-guide-0.1.19-rhel7-drop-restorecond-since-in-optional.patch
deleted file mode 100644
index 8e4ee57..0000000
--- a/SOURCES/scap-security-guide-0.1.19-rhel7-drop-restorecond-since-in-optional.patch
+++ /dev/null
@@ -1,38 +0,0 @@
---- scap-security-guide-0.1.19/RHEL/7/input/system/selinux.xml.orig 2014-09-29 06:19:27.427097200 -0400
-+++ scap-security-guide-0.1.19/RHEL/7/input/system/selinux.xml 2014-09-29 06:20:14.703998808 -0400
-@@ -117,23 +117,6 @@ targeted for exploitation, such as netwo
-
-
-
--
--Enable the SELinux Context Restoration Service (restorecond)
--The restorecond service utilizes inotify to look
--for the creation of new files listed in the
--/etc/selinux/restorecond.conf configuration file. When a file is
--created, restorecond ensures the file receives the proper SELinux
--security context.
--
--
--The restorecond service helps ensure that the default SELinux
--file context is applied to files. This allows automatic correction
--of file contexts created by some programs.
--
--
--
--
--
-
- Uninstall setroubleshoot Package
- The SETroubleshoot service notifies desktop users of SELinux
---- scap-security-guide-0.1.19/RHEL/7/input/fixes/bash/service_restorecond_enabled.sh 2014-09-28 07:55:58.000000000 -0400
-+++ /dev/null 2014-09-29 05:45:02.862000000 -0400
-@@ -1,9 +0,0 @@
--#
--# Enable restorecond.service for all systemd targets
--#
--systemctl enable restorecond.service
--
--#
--# Start restorecond.service if not currently running
--#
--systemctl start restorecond.service
diff --git a/SOURCES/scap-security-guide-0.1.19-rhel7-include-only-rht-ccp-profile.patch b/SOURCES/scap-security-guide-0.1.19-rhel7-include-only-rht-ccp-profile.patch
deleted file mode 100644
index b34822c..0000000
--- a/SOURCES/scap-security-guide-0.1.19-rhel7-include-only-rht-ccp-profile.patch
+++ /dev/null
@@ -1,14 +0,0 @@
---- scap-security-guide-0.1.19/RHEL/7/input/guide.xslt.orig 2014-09-29 07:55:24.154151816 -0400
-+++ scap-security-guide-0.1.19/RHEL/7/input/guide.xslt 2014-09-29 07:56:48.376190494 -0400
-@@ -8,10 +8,7 @@
-
-
-
--
--
--
--
-+
-
-
- A conditional clause for check statements.
diff --git a/SOURCES/scap-security-guide-0.1.19-rhel7-update-pam-XCCDF-to-use-pam_pwquality.patch b/SOURCES/scap-security-guide-0.1.19-rhel7-update-pam-XCCDF-to-use-pam_pwquality.patch
deleted file mode 100644
index 7cc9038..0000000
--- a/SOURCES/scap-security-guide-0.1.19-rhel7-update-pam-XCCDF-to-use-pam_pwquality.patch
+++ /dev/null
@@ -1,89 +0,0 @@
---- scap-security-guide-0.1.19/RHEL/7/input/system/accounts/pam.xml.orig 2014-09-29 08:53:24.078751294 -0400
-+++ scap-security-guide-0.1.19/RHEL/7/input/system/accounts/pam.xml 2014-09-29 08:59:28.963638607 -0400
-@@ -81,33 +81,28 @@ and gives them an opportunity to notify
-
-
- Set Password Quality Requirements
--The default pam_cracklib PAM module provides strength
-+The default pam_pwquality PAM module provides strength
- checking for passwords. It performs a number of checks, such as
- making sure passwords are not similar to dictionary words, are of
- at least a certain length, are not the previous password reversed,
- and are not simply a change of case from the previous password. It
- can also require passwords to be in certain character classes.
-
--The pam_passwdqc PAM module also provides the ability to enforce
--stringent password strength requirements. It is provided
--in an RPM of the same name.
--
--The man pages pam_cracklib(8) and pam_passwdqc(8)
--provide information on the capabilities and configuration of
--each.
-+The man page pam_pwquality(8) provide further information
-+on the capabilities and configuration.
-
-
- Set Password Quality Requirements, if using
--pam_cracklib
--The pam_cracklib PAM module can be configured to meet
-+ pam_pwquality
-+The pam_pwquality PAM module can be configured to meet
- requirements for a variety of policies.
-
--For example, to configure pam_cracklib to require at least one uppercase
-+For example, to configure pam_pwquality to require at least one uppercase
- character, lowercase character, digit, and other (special)
- character, locate the following line in /etc/pam.d/system-auth:
--
- If no such line exists, add one as the first line of the password section in /etc/pam.d/system-auth.
- The arguments can be modified to ensure compliance with
- your organization's security policy. Discussion of each parameter follows.
-@@ -268,14 +263,14 @@ is different from account lockout, which
-
-
- Set Password to Maximum of Three Consecutive Repeating Characters
--The pam_cracklib module's maxrepeat parameter controls requirements for
-+The pam_pwquality module's maxrepeat parameter controls requirements for
- consecutive repeating characters. When set to a positive number, it will reject passwords
- which contain more than that number of consecutive characters. Add maxrepeat=3
--after pam_cracklib.so to prevent a run of four or more identical characters.
-+after pam_pwquality.so to prevent a run of four or more identical characters.
-
-
- To check the maximum value for consecutive repeating characters, run the following command:
--
$ grep pam_cracklib /etc/pam.d/system-auth
-+
$ grep pam_pwquality /etc/pam.d/system-auth
- Look for the value of the maxrepeat parameter. The DoD requirement is 3.
-
-
-@@ -413,7 +408,7 @@ Note that passwords which are changed on
-
-
- Set Password Strength Minimum Different Categories
--The pam_cracklib module's minclass parameter controls requirements for
-+The pam_pwquality module's minclass parameter controls requirements for
- usage of different character classes, or types, of character that must exist in a password
- before it is considered valid. For example, setting this value to three (3) requires that
- any password must have characters from at least three different categories in order to be
-@@ -425,7 +420,7 @@ four categories available:
- * Digits
- * Special characters (for example, punctuation)
-
--Add minclass=NUM after pam_cracklib.so entry into the
-+Add minclass=NUM after pam_pwquality.so entry into the
- /etc/pam.d/system-auth file in order to require differing categories of
- characters when changing passwords, substituting NUM appropriately (for example to
- require at least three character classes to be used in password, use minclass=3).
-@@ -433,7 +428,7 @@ require at least three character classes
-
- To check how many categories of characters must be used in password during a password change,
- run the following command:
--
$ grep pam_cracklib /etc/pam.d/system-auth
-+
$ grep pam_pwquality /etc/pam.d/system-auth
- The minclass parameter will indicate how many character classes must be used. If
- the requirement was for the password to contain characters from three different categories,
- then this would appear as minclass=3.
diff --git a/SOURCES/scap-security-guide-0.1.19-update-man-page-for-rhel7-content.patch b/SOURCES/scap-security-guide-0.1.19-update-man-page-for-rhel7-content.patch
deleted file mode 100644
index 5395704..0000000
--- a/SOURCES/scap-security-guide-0.1.19-update-man-page-for-rhel7-content.patch
+++ /dev/null
@@ -1,109 +0,0 @@
---- scap-security-guide-0.1.19/RHEL/6/input/auxiliary/scap-security-guide.8.orig 2014-10-21 09:26:33.048661043 -0400
-+++ scap-security-guide-0.1.19/RHEL/6/input/auxiliary/scap-security-guide.8 2014-10-21 09:29:18.031611398 -0400
-@@ -1,4 +1,4 @@
--.TH scap-security-guide 8 "26 Jan 2013" "version 1"
-+.TH scap-security-guide 8 "29 Sep 2014" "version 1"
-
- .SH NAME
- SCAP Security Guide - Delivers security guidance, baselines, and
-@@ -23,59 +23,24 @@ https://fedorahosted.org/scap-security-g
-
-
- .SH PROFILES
--The SSG content is broken into 'profiles,' groupings of security settings that correlate to a known policy. Available profiles are:
-+The SSG content is broken into 'profiles,' groupings of security settings that
-+correlate to a known policy. Available profiles are:
-
--.I stig-rhel6-server-upstream
-+.I rht-cpp
- .RS
--The Security Technical Implementation Guides (STIGs) and the NSA Guides are the
--configuration standards for DOD IA and IA-enabled devices/systems. Since 1998,
--DISA Field Security Operations (FSO) has played a critical role enhancing the
--security posture of DoD's security systems by providing the Security Technical
--Implementation Guides (STIGs). This profile was created as a collaboration
--effort between the National Security Agency, DISA FSO, and Red Hat.
--
--As a result of the upstream/downstream relationship between the SCAP Security
--Guide project and the official DISA FSO STIG baseline, users should expect
--variance between SSG and DISA FSO content. For additional information relating
--to STIGs, please refer to the DISA FSO webpage at http://iase.disa.mil/stigs/
--
--While this profile is packaged by Red Hat as part of the SCAP Security Guide
--package, please note that commercial support of this SCAP content is NOT
--available. This profile is provided as example SCAP content with no
--endorsement for suitability or production readiness. Support for this profile
--is provided by the upstream SCAP Security Guide community on a best-effort
--basis. The upstream project homepage is https://fedorahosted.org/scap-security-guide/.
--
--.RE
--.I usgcb-rhel6-server
--.RS
--The purpose of the United States Government Configuration Baseline (USGCB)
--initiative is to create security configuration baselines for Information
--Technology products widely deployed across the federal agencies. The USGCB
--baseline evolved from the Federal Desktop Core Configuration mandate. The
--USGCB is a Federal government-wide initiative that provides guidance to
--agencies on what should be done to improve and maintain an effective
--configuration settings focusing primarily on security.
--
--.B "NOTE: "
--While the current content maps to USGCB requirements, it has NOT
--been validated by NIST as of yet. This content should be considered
--draft, we are highly interested in feedback.
--
--For additional information relating to USGCB, please refer to the NIST
--webpage at http://usgcb.nist.gov/usgcb_content.html.
-+Red Hat Corporate Profile for Certified Cloud Providers (RH CCP). This is a
-+*draft* SCAP profile for Red Hat Certified Cloud Providers.
- .RE
-
--
- .SH EXAMPLES
- To scan your system utilizing the OpenSCAP utility against the
--stig-rhel6-server-upstream profile:
-+rht-ccp profile:
-
--oscap xccdf eval --profile stig-rhel6-server-upstream \
-+oscap xccdf eval --profile rht-ccp \
- --results /tmp/`hostname`-ssg-results.xml \
- --report /tmp/`hostname`-ssg-results.html \
----cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \
--/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
-+--cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml \
-+/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
- .PP
- Additional details can be found on the projects wiki page:
- https://fedorahosted.org/scap-security-guide/wiki/usageguide
-@@ -99,15 +64,10 @@ ssg-{profile}-oval.xml
- ssg-{profile}-xccdf.xml
- .RE
-
--.I /usr/share/xml/scap/ssg/guides/
--.RS
--HTML versions of SSG profiles.
--.RE
--
--.I /usr/share/xml/scap/ssg/policytables/
-+.I /usr/share/doc/scap-security-guide-0.1.19
- .RS
--HTML tables reflecting which institutionalized policy a particular SSG rule
--conforms to.
-+Contains HTML versions of the SSG profiles and also HTML tables reflecting which
-+institutionalized policy a particular SSG rule conforms to.
- .RE
-
- .SH STATEMENT OF SUPPORT
-@@ -116,9 +76,9 @@ and the NSA, provides XCCDF and OVAL con
- source project, community participation extends into U.S. Department of Defense
- agencies, civilian agencies, academia, and other industrial partners.
-
--SCAP Security Guide is provided to consumers through Red Hat's Extended
--Packages for Enterprise Linux (EPEL) repository. As such, SCAP Security Guide
--content is considered "vendor provided."
-+SCAP Security Guide is provided to consumers through Red Hat's system and content
-+management services (Red Hat Network Classic or Red Hat Subscription Management).
-+As such, SCAP Security Guide content is considered "vendor provided."
-
- Note that while Red Hat hosts the infrastructure for this project and
- Red Hat engineers are involved as maintainers and leaders, there is no
diff --git a/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-PR#280-set-deny-prerequisite-#1.patch b/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-PR#280-set-deny-prerequisite-#1.patch
deleted file mode 100644
index 65b59a6..0000000
--- a/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-PR#280-set-deny-prerequisite-#1.patch
+++ /dev/null
@@ -1,472 +0,0 @@
-diff --git a/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml b/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml
-index a00fc16..dc1b249 100644
---- a/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml
-+++ b/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml
-@@ -99,7 +99,7 @@ upstream project homepage is https://fedorahosted.org/scap-security-guide/.
-
-
-
--
-+
-
-
-
-diff --git a/RHEL/6/input/system/accounts/pam.xml b/RHEL/6/input/system/accounts/pam.xml
-index adf0aaf..b2da2a4 100644
---- a/RHEL/6/input/system/accounts/pam.xml
-+++ b/RHEL/6/input/system/accounts/pam.xml
-@@ -48,7 +48,7 @@ operator="equals" interactive="0">
- /etc/security/opasswd in order to force password change history and
- keep the user from alternating between the same password too
- frequently.
--24
-+5
- 0
- 5
- 10
-@@ -342,7 +342,7 @@ more difficult by ensuring a larger search space.
- usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to
- contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional
- length credit for each special character.
--Add ocredit=-1 after pam_cracklib.so to require use of a special character in passwords.
-+Add ocredit= after pam_cracklib.so to require use of a special character in passwords.
-
-
- To check how many special characters are required in a password, run the following command:
-@@ -357,7 +357,7 @@ more difficult by ensuring a larger search space.
-
-
-
--
-+
-
-
-
-@@ -551,7 +551,7 @@ be accomplished by using the remember option for the pam_unix
- module. In the file /etc/pam.d/system-auth, append remember= to the
- line which refers to the pam_unix.so module, as shown:
-
--The DoD and FISMA requirement is 24 passwords.
-+The DoD STIG requirement is 5 passwords.
-
- To verify the password reuse setting is compliant, run the following command:
-
Pre-release Draft STIG for RHEL 7 Server
- This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.
-
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-
-
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-+
-
-diff --git a/RHEL/7/input/system/accounts/pam.xml b/RHEL/7/input/system/accounts/pam.xml
-index 3cdd433..f5d9cdf 100644
---- a/RHEL/7/input/system/accounts/pam.xml
-+++ b/RHEL/7/input/system/accounts/pam.xml
-@@ -48,7 +48,7 @@ operator="equals" interactive="0">
- /etc/security/opasswd in order to force password change history and
- keep the user from alternating between the same password too
- frequently.
--24
-+5
- 0
- 5
- 10
-@@ -137,13 +137,14 @@ reason.
-
- minlen
- Minimum number of characters in password
--14
-+15
- 6
-
- 8
- 10
- 12
- 14
-+
- 15
-
-
-@@ -190,11 +191,12 @@ password
- password
- Keep this high for short
- passwords
--4
-+15
- 2
- 3
- 4
- 5
-+15
-
-
-
-@@ -306,10 +308,34 @@ search space.
-
-
-
--
-+
-
-
-
-+
-+Set Password Minimum Length
-+The pam_pwquality module's minlen parameter controls requirements for
-+minimum characters required in a password. Add minlen=
-+after pam_pwquality to set minimum password length requirements.
-+
-+
-+To check how many characters are required in a password, run the following command:
-+
$ grep pam_pwquality /etc/pam.d/system-auth
-+Your output should contain minlen=
-+
-+
-+Password length is one factor of several that helps to determine
-+strength and how long it takes to crack a password. Use of more characters in
-+a password helps to exponentially increase the time and/or resources
-+required to compromise the password.
-+
-+
-+
-+
-+
-+
-+
-+
-
- Set Password Strength Minimum Uppercase Characters
- The pam_pwquality module's ucredit= parameter controls requirements for
-@@ -331,18 +357,18 @@ more difficult by ensuring a larger search space.
-
-
-
--
-+
-
-
-
-
- Set Password Strength Minimum Special Characters
- The pam_pwquality module's ocredit= parameter controls requirements for
--usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to
-+usage of special (or "other") characters in a password. When set to a negative number, any password will be required to
- contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional
- length credit for each special character.
--Add ocredit=-1 after pam_pwquality.so to require use of a special character in passwords.
--
-+Add ocredit= after pam_pwquality.so to
-+require use of a special character in passwords.
-
- To check how many special characters are required in a password, run the following command:
-
$ grep pam_pwquality /etc/pam.d/system-auth
-@@ -356,7 +382,7 @@ more difficult by ensuring a larger search space.
-
-
-
--
-+
-
-
-
-@@ -381,7 +407,7 @@ more difficult by ensuring a larger search space.
-
-
-
--
-+
-
-
-
-@@ -391,14 +417,14 @@ more difficult by ensuring a larger search space.
- usage of different characters during a password change.
- Add difok=NUM after pam_pwquality.so to require differing
- characters when changing passwords, substituting NUM appropriately.
--The DoD requirement is 4.
-+The DoD requirement is 15.
-
-
- To check how many characters must differ during a password change, run the following command:
-
$ grep pam_pwquality /etc/pam.d/system-auth
- The difok parameter will indicate how many characters must differ.
--The DoD requires four characters differ during a password change.
--This would appear as difok=4.
-+The DoD requires 15 characters differ during a password change.
-+This would appear as difok=15.
-
-
- Requiring a minimum number of different characters during password changes ensures that
-@@ -407,7 +433,7 @@ Note that passwords which are changed on compromised systems will still be compr
-
-
-
--
-+
-
-
-
-@@ -476,13 +502,13 @@ attempts using pam_faillock.so:
-
- Add the following lines immediately below the pam_unix.so statement in AUTH section of
- both /etc/pam.d/system-auth and /etc/pam.d/password-auth:
--
-
-
- To ensure the failed password attempt policy is configured correctly, run the following command:
-
$ grep pam_faillock /etc/pam.d/system-auth
--The output should show deny=3.
-+The output should show deny=.
-
-
- Locking out user accounts after a number of incorrect attempts
-@@ -490,7 +516,7 @@ prevents direct password guessing attacks.
-
-
-
--
-+
-
-
-
-@@ -500,8 +526,8 @@ To configure the system to lock out accounts after a number of incorrect login
- attempts and require an administrator to unlock the account using pam_faillock.so:
-
- Add the following lines immediately below the pam_env.so statement in /etc/pam.d/system-auth:
--
-
-
- To ensure the failed password attempt policy is configured correctly, run the following command:
-@@ -527,43 +553,46 @@ attempts.
-
- Add the following fail_interval directives to pam_faillock.so immediately below the pam_env.so statement in
- /etc/pam.d/system-auth and /etc/pam.d/password-auth:
--
--For each file, the output should show fail_interval=<interval-in-seconds> where interval-in-seconds is 900 (15 minutes) or greater. If the fail_interval parameter is not set, the default setting of 900 seconds is acceptable.
-+For each file, the output should show fail_interval=<interval-in-seconds> where interval-in-seconds is
-+ or greater.
-+If the fail_interval parameter is not set, the default setting of 900 seconds is acceptable.
-
-
- Locking out user accounts after a number of incorrect attempts within a
- specific period of time prevents direct password guessing attacks.
-
--
-+
-
--
-+
-
-
-
- Limit Password Reuse
- Do not allow users to reuse recent passwords. This can
- be accomplished by using the remember option for the pam_unix PAM
--module. In the file /etc/pam.d/system-auth, append remember=24 to the
-+module. In the file /etc/pam.d/system-auth, append
-+remember= to the
- line which refers to the pam_unix.so module, as shown:
--
-+The DoD STIG requirement is 5 passwords.
-
- To verify the password reuse setting is compliant, run the following command:
-
$ grep remember /etc/pam.d/system-auth
- The output should show the following at the end of the line:
--
remember=24
-+
remember=
-
-
- Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.
-
-
-
--
-+
-
-
-
-diff --git a/RHEL/7/input/system/accounts/restrictions/password_expiration.xml b/RHEL/7/input/system/accounts/restrictions/password_expiration.xml
-index d79c4a8..9e56b9d 100644
---- a/RHEL/7/input/system/accounts/restrictions/password_expiration.xml
-+++ b/RHEL/7/input/system/accounts/restrictions/password_expiration.xml
-@@ -60,8 +60,8 @@ age, and 7 day warning period with the following command:
- 7
- 7
- 5
--1
- 2
-+1
- 0
-
-
-@@ -131,7 +131,7 @@ after satisfying the password reuse requirement.
-
-
-
--
-+
-
-
-
-@@ -145,7 +145,7 @@ and add or correct the following line, replacing DAYS appropriately:
- A value of 180 days is sufficient for many environments.
- The DoD requirement is 60.
-
--
-+
- To check the maximum password age, run the command:
-
$ grep PASS_MAX_DAYS /etc/login.defs
- The DoD and FISMA requirement is 60.
-@@ -157,9 +157,9 @@ periodically change their passwords. This could possibly decrease
- the utility of a stolen password. Requiring shorter password lifetimes
- increases the risk of users writing down the password in a convenient
- location subject to physical compromise.
--
-+
-
--
-+
-
-
-
-diff --git a/shared/.gitignore b/shared/.gitignore
-index d7b3ccb..39328cf 100644
---- a/shared/.gitignore
-+++ b/shared/.gitignore
-@@ -1,3 +1,4 @@
- # files not to track in git
- *.pyc
- *.ini
-+*.swp
-diff --git a/shared/references/cce-rhel-avail.txt b/shared/references/cce-rhel-avail.txt
-index 381d3da..41dc47e 100644
---- a/shared/references/cce-rhel-avail.txt
-+++ b/shared/references/cce-rhel-avail.txt
-@@ -1,6 +1,3 @@
--CCE-27051-2
--CCE-26615-5
--CCE-26763-3
- CCE-26436-6
- CCE-26989-4
- CCE-26992-8
diff --git a/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-set-deny-prerequisite-#2.patch b/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-set-deny-prerequisite-#2.patch
deleted file mode 100644
index 5bc5cc7..0000000
--- a/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-set-deny-prerequisite-#2.patch
+++ /dev/null
@@ -1,142 +0,0 @@
-diff --git a/RHEL/6/input/system/accounts/pam.xml b/RHEL/6/input/system/accounts/pam.xml
-index b2da2a4..29fa69f 100644
---- a/RHEL/6/input/system/accounts/pam.xml
-+++ b/RHEL/6/input/system/accounts/pam.xml
-@@ -472,12 +472,17 @@ and a second to use unlock_time and set it to a Value
- Set Deny For Failed Password Attempts
-
- To configure the system to lock out accounts after a number of incorrect login
--attempts using pam_faillock.so:
-+attempts using pam_faillock.so, modify the content of both
-+/etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:
-
--Add the following lines immediately below the pam_unix.so statement in AUTH section of
--both /etc/pam.d/system-auth and /etc/pam.d/password-auth:
--
add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
-+
account required pam_faillock.so
-+
-
-
- To ensure the failed password attempt policy is configured correctly, run the following command:
-@@ -497,11 +502,17 @@ prevents direct password guessing attacks.
- Set Lockout Time For Failed Password Attempts
-
- To configure the system to lock out accounts after a number of incorrect login
--attempts and require an administrator to unlock the account using pam_faillock.so:
-+attempts and require an administrator to unlock the account using pam_faillock.so,
-+modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:
-
--Add the following lines immediately below the pam_env.so statement in /etc/pam.d/system-auth:
--
add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
-+
account required pam_faillock.so
-+
-
-
- To ensure the failed password attempt policy is configured correctly, run the following command:
-@@ -523,12 +534,16 @@ situations.
- Set Interval For Counting Failed Password Attempts
-
- Utilizing pam_faillock.so, the fail_interval directive configures the system to lock out accounts after a number of incorrect login
--attempts.
-+attempts. Modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:
-
--Add the following fail_interval directives to pam_faillock.so immediately below the pam_env.so statement in
--/etc/pam.d/system-auth and /etc/pam.d/password-auth:
--
add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
-+
account required pam_faillock.so
-+
-
-
- To ensure the failed password attempt policy is configured correctly, run the following command:
-diff --git a/RHEL/7/input/system/accounts/pam.xml b/RHEL/7/input/system/accounts/pam.xml
-index f5d9cdf..e6bcd60 100644
---- a/RHEL/7/input/system/accounts/pam.xml
-+++ b/RHEL/7/input/system/accounts/pam.xml
-@@ -498,12 +498,17 @@ and a second to use unlock_time and set it to a Value
- Set Deny For Failed Password Attempts
-
- To configure the system to lock out accounts after a number of incorrect login
--attempts using pam_faillock.so:
-+attempts using pam_faillock.so, modify the content of both
-+/etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:
-
--Add the following lines immediately below the pam_unix.so statement in AUTH section of
--both /etc/pam.d/system-auth and /etc/pam.d/password-auth:
--
add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
-+
account required pam_faillock.so
-+
-
-
- To ensure the failed password attempt policy is configured correctly, run the following command:
-@@ -523,11 +528,17 @@ prevents direct password guessing attacks.
- Set Lockout Time For Failed Password Attempts
-
- To configure the system to lock out accounts after a number of incorrect login
--attempts and require an administrator to unlock the account using pam_faillock.so:
-+attempts and require an administrator to unlock the account using pam_faillock.so,
-+modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:
-
--Add the following lines immediately below the pam_env.so statement in /etc/pam.d/system-auth:
--
add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
-+
account required pam_faillock.so
-+
-
-
- To ensure the failed password attempt policy is configured correctly, run the following command:
-@@ -549,12 +560,16 @@ situations.
- Set Interval For Counting Failed Password Attempts
-
- Utilizing pam_faillock.so, the fail_interval directive configures the system to lock out accounts after a number of incorrect login
--attempts.
-+attempts. Modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:
-
--Add the following fail_interval directives to pam_faillock.so immediately below the pam_env.so statement in
--/etc/pam.d/system-auth and /etc/pam.d/password-auth:
--