From 721d24fb3493dfda52785c0348f30b2f62b52d45 Mon Sep 17 00:00:00 2001
From: Johnny Hughes <johnny@centos.org>
Date: Mar 03 2017 10:43:44 +0000
Subject: Manual CentOS Debranding


---

diff --git a/SOURCES/scap-security-guide-0.1.25-centos-menu-branding.patch b/SOURCES/scap-security-guide-0.1.25-centos-menu-branding.patch
new file mode 100644
index 0000000..cda0a9d
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.25-centos-menu-branding.patch
@@ -0,0 +1,151 @@
+diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/C2S.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/C2S.xml
+--- scap-security-guide-0.1.30/RHEL/7/input/profiles/C2S.xml	2016-06-22 12:56:46.000000000 +0000
++++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/C2S.xml	2016-11-15 16:20:21.101599393 +0000
+@@ -1,10 +1,10 @@
+ <Profile id="C2S">
+-<title>C2S for Red Hat Enterprise Linux 7</title>
++<title>C2S for CentOS Linux 7</title>
+ <description>This profile demonstrates compliance against the
+ U.S. Government Commercial Cloud Services (C2S) baseline.
+ 
+ This baseline was inspired by the Center for Internet Security
+-(CIS) Red Hat Enterprise Linux 7 Benchmark, v1.1.0 - 04-02-2015.
++(CIS) CentOS Linux 7 Benchmark, v1.1.0 - 04-02-2015.
+ For the SCAP Security Guide project to remain in compliance with
+ CIS' terms and conditions, specifically Restrictions(8), note
+ there is no representation or claim that the C2S profile will
+diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/nist-CL-IL-AL.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/nist-CL-IL-AL.xml
+--- scap-security-guide-0.1.30/RHEL/7/input/profiles/nist-CL-IL-AL.xml	2016-06-22 12:56:46.000000000 +0000
++++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/nist-CL-IL-AL.xml	2016-11-15 18:30:22.535473255 +0000
+@@ -1,5 +1,5 @@
+ <Profile id="nist-cl-il-al" extends="common">
+-<title override="true">CNSSI 1253 Low/Low/Low Control Baseline for Red Hat Enterprise Linux 7</title>
++<title override="true">CNSSI 1253 Low/Low/Low Control Baseline for CentOS Linux 7</title>
+ <description override="true">This profile follows the Committee on National Security Systems Instruction
+ (CNSSI) No. 1253, "Security Categorization and Control Selection for National Security
+ Systems" on security controls to meet low confidentiality, low integrity, and low
+diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/ospp-rhel7-server.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/ospp-rhel7-server.xml
+--- scap-security-guide-0.1.30/RHEL/7/input/profiles/ospp-rhel7-server.xml	2016-06-22 12:56:46.000000000 +0000
++++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/ospp-rhel7-server.xml	2016-11-15 18:30:44.136480430 +0000
+@@ -1,6 +1,6 @@
+ <Profile id="ospp-rhel7-server">
+ <title>United States Government Configuration Baseline (USGCB / STIG)</title>
+-<description override="true">This is a *draft* profile for NIAP OSPP v4.0. This profile is being developed under the National Information Assurance Partnership. The scope of this profile is to configure Red Hat Enteprise Linux 7 against the NIAP Protection Profile for General Purpose Operating Systems v4.0. The NIAP OSPP profile also serves as a working draft for USGCB submission against RHEL7 Server.</description>
++<description override="true">This is a *draft* profile for NIAP OSPP v4.0. This profile is being developed under the National Information Assurance Partnership. The scope of this profile is to configure CentOS Linux 7 against the NIAP Protection Profile for General Purpose Operating Systems v4.0. The NIAP OSPP profile also serves as a working draft for USGCB submission against CentOS7 Server.</description>
+ 
+ <!-- OSPP v4.0 is available here:
+      https://www.niap-ccevs.org/pp/PP_OS_v4.0/ 
+diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/pci-dss.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/pci-dss.xml
+--- scap-security-guide-0.1.30/RHEL/7/input/profiles/pci-dss.xml	2016-11-15 18:35:12.316574543 +0000
++++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/pci-dss.xml	2016-11-15 18:31:03.287486842 +0000
+@@ -1,5 +1,5 @@
+ <Profile id="pci-dss" xmlns="http://checklists.nist.gov/xccdf/1.1">
+-<title>PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7</title>
++<title>PCI-DSS v3 Control Baseline for CentOS Linux 7</title>
+ <description>This is a *draft* profile for PCI-DSS v3</description>
+ 
+ <refine-value idref="var_password_pam_unix_remember" selector="4" />
+diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/pci-dss.xml.rhel7_pcidss_drop_rpm_verify_permissions_rule scap-security-guide-0.1.30.new/RHEL/7/input/profiles/pci-dss.xml.rhel7_pcidss_drop_rpm_verify_permissions_rule
+--- scap-security-guide-0.1.30/RHEL/7/input/profiles/pci-dss.xml.rhel7_pcidss_drop_rpm_verify_permissions_rule	2016-06-22 12:56:46.000000000 +0000
++++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/pci-dss.xml.rhel7_pcidss_drop_rpm_verify_permissions_rule	2016-11-15 18:31:24.039493843 +0000
+@@ -1,5 +1,5 @@
+ <Profile id="pci-dss" xmlns="http://checklists.nist.gov/xccdf/1.1">
+-<title>PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7</title>
++<title>PCI-DSS v3 Control Baseline for CentOS Linux 7</title>
+ <description>This is a *draft* profile for PCI-DSS v3</description>
+ 
+ <refine-value idref="var_password_pam_unix_remember" selector="4" />
+diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/rht-ccp.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/rht-ccp.xml
+--- scap-security-guide-0.1.30/RHEL/7/input/profiles/rht-ccp.xml	2016-06-22 12:56:46.000000000 +0000
++++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/rht-ccp.xml	2016-11-15 18:32:04.251507569 +0000
+@@ -98,11 +98,11 @@
+ <select idref="sysctl_kernel_ipv6_disable" selected="true"/>
+ <select idref="service_ip6tables_enabled" selected="true"/>
+ 
+-This requirement does not apply against Red Hat Enterprise Linux 7:
++This requirement does not apply against CentOS Linux 7:
+ see: https://github.com/OpenSCAP/scap-security-guide/issues/66 for details.
+ <select idref="kernel_module_rds_disabled" selected="true"/>
+ 
+-This requirement does not apply against Red Hat Enterprise Linux 7:
++This requirement does not apply against CentOS Linux 7:
+ see: https://github.com/OpenSCAP/scap-security-guide/issues/67 for details.
+ <select idref="kernel_module_tipc_disabled" selected="true"/>
+ 
+diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/standard.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/standard.xml
+--- scap-security-guide-0.1.30/RHEL/7/input/profiles/standard.xml	2016-06-22 12:56:46.000000000 +0000
++++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/standard.xml	2016-11-15 18:32:32.999517516 +0000
+@@ -1,6 +1,6 @@
+ <Profile id="standard">
+ <title>Standard System Security Profile</title>
+-<description>This profile contains rules to ensure standard security baseline of Red Hat Enterprise Linux 7 system.
++<description>This profile contains rules to ensure standard security baseline of CentOS Linux 7 system.
+ Regardless of your system's workload all of these checks should pass.</description>
+ 
+ <select idref="ensure_redhat_gpgkey_installed" selected="true" />
+@@ -14,7 +14,7 @@ Regardless of your system's workload all
+ <select idref="accounts_root_path_dirs_no_write" selected="true"/>
+ <select idref="dir_perms_world_writable_sticky_bits" selected="true" />
+ 
+-<!-- The following rules currently returns 'notapplicable' on RHEL-7 container -->
++<!-- The following rules currently returns 'notapplicable' on CentOS-7 container -->
+ <!-- Investigate why, fix the issues, and re-enable back once fixed -->
+ <!-- <select idref="accounts_password_all_shadowed" selected="true"/> -->
+ <!-- <select idref="root_path_no_dot" selected="true"/> -->
+diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/stig-rhel7-server-gui-upstream.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/stig-rhel7-server-gui-upstream.xml
+--- scap-security-guide-0.1.30/RHEL/7/input/profiles/stig-rhel7-server-gui-upstream.xml	2016-06-22 12:56:46.000000000 +0000
++++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/stig-rhel7-server-gui-upstream.xml	2016-11-15 18:32:48.434522900 +0000
+@@ -1,5 +1,5 @@
+ <Profile id="stig-rhel7-server-gui-upstream" extends="stig-rhel7-server-upstream">
+-<title override="true">STIG for Red Hat Enterprise Linux 7 Server Running GUIs</title>
++<title override="true">STIG for CentOS Linux 7 Server Running GUIs</title>
+ <description override="true">This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.</description>
+ 
+ <!-- DISA FSO REFINEMENT VALUES
+diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml
+--- scap-security-guide-0.1.30/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml	2016-06-22 12:56:46.000000000 +0000
++++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml	2016-11-15 18:33:07.232529497 +0000
+@@ -1,5 +1,5 @@
+ <Profile id="stig-rhel7-server-upstream" extends="ospp-rhel7-server">
+-<title override="true">STIG for Red Hat Enterprise Linux 7 Server</title>
++<title override="true">STIG for CentOS Linux 7 Server</title>
+ <description override="true">This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.</description>
+ 
+ <!-- DISA FSO REFINEMENT VALUES
+diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/stig-rhel7-workstation-upstream.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/stig-rhel7-workstation-upstream.xml
+--- scap-security-guide-0.1.30/RHEL/7/input/profiles/stig-rhel7-workstation-upstream.xml	2016-06-22 12:56:46.000000000 +0000
++++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/stig-rhel7-workstation-upstream.xml	2016-11-15 18:33:34.107539010 +0000
+@@ -1,5 +1,5 @@
+ <Profile id="stig-rhel7-workstation-upstream" extends="stig-rhel7-server-gui-upstream">
+-<title override="true">STIG for Red Hat Enterprise Linux 7 Workstation</title>
++<title override="true">STIG for CentOS Linux 7 Workstation</title>
+ <description override="true">This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.</description>
+ 
+ <!-- DISA FSO REFINEMENT VALUES
+diff -uNrp scap-security-guide-0.1.30.orig/RHEL/7/input/profiles/cjis-rhel7-server.xml scap-security-guide-0.1.30/RHEL/7/input/profiles/cjis-rhel7-server.xml
+--- scap-security-guide-0.1.30.orig/RHEL/7/input/profiles/cjis-rhel7-server.xml	2016-06-22 12:56:46.000000000 +0000
++++ scap-security-guide-0.1.30/RHEL/7/input/profiles/cjis-rhel7-server.xml	2017-03-03 10:31:09.864377323 +0000
+@@ -1,6 +1,6 @@
+ <Profile id="cjis-rhel7-server">
+ <title>Criminal Justice Information Services (CJIS) Security Policy</title>
+-<description override="true">This is a *draft* profile for CJIS v5.4. The scope of this profile is to configure Red Hat Enteprise Linux 7 against the U. S. Department of Justice, FBI CJIS Security Policy.
++<description override="true">This is a *draft* profile for CJIS v5.4. The scope of this profile is to configure CentOS Linux 7 against the U. S. Department of Justice, FBI CJIS Security Policy.
+ </description>
+ 
+ <!-- CJIS v5.4 is available here:
+@@ -118,7 +118,7 @@
+ <select idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="true" />
+ 
+ <!-- 5.10.1.2 Encryption -->
+-<!-- How can I make RHEL 6 or RHEL 7 FIPS 140-2 compliant? https://access.redhat.com/solutions/137833 -->
++<!-- How can I make CentOS 6 or CentOS 7 FIPS 140-2 compliant? https://access.redhat.com/solutions/137833 -->
+ <refine-value idref="var_password_pam_ocredit" selector="1" />
+ <refine-value idref="var_password_pam_dcredit" selector="1" />
+ <refine-value idref="var_password_pam_ucredit" selector="1" />
+@@ -141,4 +141,4 @@
+ <!-- 5.13.1.3 Bluetooth -->
+ <select idref="kernel_module_bluetooth_disabled" selected="true"/>
+ 
+-</Profile>
+\ No newline at end of file
++</Profile>
diff --git a/SOURCES/scap-security-guide-0.1.30-centos-menu-branding-2.patch b/SOURCES/scap-security-guide-0.1.30-centos-menu-branding-2.patch
new file mode 100644
index 0000000..53798c8
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.30-centos-menu-branding-2.patch
@@ -0,0 +1,63 @@
+diff -uNrp scap-security-guide-0.1.30.orig/RHEL/7/input/guide.xml scap-security-guide-0.1.30/RHEL/7/input/guide.xml
+--- scap-security-guide-0.1.30.orig/RHEL/7/input/guide.xml	2016-06-22 12:56:46.000000000 +0000
++++ scap-security-guide-0.1.30/RHEL/7/input/guide.xml	2016-12-04 12:58:05.537287951 +0000
+@@ -2,9 +2,9 @@
+ <Benchmark xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dc="http://purl.org/dc/elements/1.1/" id="RHEL-7" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" style="SCAP_1.1" resolved="false" xml:lang="en-US" >
+ 
+ <status date="2011-12-20">draft</status>
+-<title>Guide to the Secure Configuration of Red Hat Enterprise Linux 7</title>
++<title>Guide to the Secure Configuration of CentOS Linux 7</title>
+ <description>This guide presents a catalog of security-relevant
+-configuration settings for Red Hat Enterprise Linux 7 formatted in the
++configuration settings for CentOS Linux 7 formatted in the
+ eXtensible Configuration Checklist Description Format (XCCDF).  
+ <br/>
+ <br/>
+@@ -22,7 +22,7 @@ providing baselines that meet a diverse
+ XCCDF <i>Profiles</i>, which are selections of items that form checklists and
+ can be used as baselines, are available with this guide.  They can be
+ processed, in an automated fashion, with tools that support the Security
+-Content Automation Protocol (SCAP).  The DISA STIG for Red Hat Enterprise Linux 7 is one example of
++Content Automation Protocol (SCAP).  The DISA STIG for CentOS Linux 7 is one example of
+ a baseline created from this guidance.
+ </description>
+ <notice id="terms_of_use">Do not attempt to implement any of the settings in
+@@ -32,7 +32,7 @@ other parties, and makes no guarantees,
+ quality, reliability, or any other characteristic.</notice>
+ 
+ <front-matter>The SCAP Security Guide Project<br/>https://fedorahosted.org/scap-security-guide</front-matter>
+-<rear-matter>Red Hat and Red Hat Enterprise Linux are either registered
++<rear-matter>Red Hat and Red Hat Enterprise  Linux are either registered
+ trademarks or trademarks of Red Hat, Inc. in the United States and other
+ countries. All other names are registered trademarks or trademarks of their
+ respective companies.</rear-matter>
+diff -uNrp scap-security-guide-0.1.30.orig/RHEL/7/input/intro/intro.xml scap-security-guide-0.1.30/RHEL/7/input/intro/intro.xml
+--- scap-security-guide-0.1.30.orig/RHEL/7/input/intro/intro.xml	2016-06-22 12:56:46.000000000 +0000
++++ scap-security-guide-0.1.30/RHEL/7/input/intro/intro.xml	2016-12-04 13:02:13.903282198 +0000
+@@ -3,7 +3,7 @@
+ <description>
+ <!-- purpose and scope of guidance -->
+ The purpose of this guidance is to provide security configuration
+-recommendations and baselines for the Red Hat Enterprise Linux (RHEL) 7 operating
++recommendations and baselines for the CentOS Linux 7 operating
+ system. The guidance provided here should be applicable to all variants
+ (Desktop, Server, Advanced Platform) of the product. Recommended
+ settings for the basic operating system are provided, as well as for many
+@@ -33,7 +33,7 @@ to passive monitoring. Whenever practica
+ such data exist, they should be applied. Even if data is expected to
+ be transmitted only over a local network, it should still be encrypted.
+ Encrypting authentication data, such as passwords, is particularly
+-important. Networks of Red Hat Enterprise Linux 7 machines can and should be configured
++important. Networks of CentOS Linux 7 machines can and should be configured
+ so that no unencrypted authentication data is ever transmitted between
+ machines.
+ </description>
+@@ -44,7 +44,7 @@ machines.
+ <title>Minimize Software to Minimize Vulnerability</title>
+ <description>
+ The simplest way to avoid vulnerabilities in software is to avoid
+-installing that software. On RHEL, the RPM Package Manager (originally
++installing that software. On CentOS, the RPM Package Manager (originally
+ Red Hat Package Manager, abbreviated RPM) allows for careful management of
+ the set of software packages installed on a system. Installed software
+ contributes to system vulnerability in several ways. Packages that
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index 1d9e0a9..a75ac4d 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -16,6 +16,8 @@ Patch4:		scap-security-guide-0.1.30-rhbz#1344581.patch
 Patch5:		scap-security-guide-0.1.30-rhbz#1351751.patch
 Patch6:		scap-security-guide-0.1.30-downstream-rhbz#1357019.patch
 Patch7:		scap-security-guide-0.1.30-zstream-rhbz#1415152.patch
+Patch99:        scap-security-guide-0.1.25-centos-menu-branding.patch
+Patch100:       scap-security-guide-0.1.30-centos-menu-branding-2.patch
 BuildArch:	noarch
 
 BuildRequires:	libxslt, expat, python, openscap-scanner >= 1.2.5, python-lxml
@@ -69,6 +71,11 @@ been generated from XCCDF benchmarks present in %{name} package.
 # moved to different location. Also, changes in 'sshd_use_approved_macs.sh' are slightly
 # different due to commit c6730b867f6760b94ec193e95484a16054b27f48a).
 %patch7 -p1 -b .rhbz#1415152
+%patch99 -p1
+%patch100 -p1
+
+# Remove the RHEL Certified Cloud Provider profile for debranding purposes
+%{__rm} RHEL/7/input/profiles/rht-ccp.xml
 
 %build
 (cd RHEL/7 && make dist)
@@ -84,12 +91,12 @@ mkdir -p %{buildroot}%{_mandir}/en/man8/
 # Add in RHEL-7 core content (SCAP)
 cp -a RHEL/7/dist/content/ssg-rhel7-cpe-dictionary.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
 cp -a RHEL/7/dist/content/ssg-rhel7-cpe-oval.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
-cp -a RHEL/7/dist/content/ssg-rhel7-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
+cp -a RHEL/7/dist/content/ssg-centos7-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
 cp -a RHEL/7/dist/content/ssg-rhel7-oval.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
-cp -a RHEL/7/dist/content/ssg-rhel7-xccdf.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
+cp -a RHEL/7/dist/content/ssg-centos7-xccdf.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
 
 # Add in RHEL-6 datastream (SCAP)
-cp -a RHEL/6/dist/content/ssg-rhel6-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content
+cp -a RHEL/6/dist/content/ssg-centos6-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content
 
 # Add in Firefox datastream (SCAP)
 cp -a Firefox/dist/content/ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content
@@ -119,12 +126,15 @@ cp -a docs/scap-security-guide.8 %{buildroot}%{_mandir}/en/man8/scap-security-gu
 
 %files doc
 %defattr(-,root,root,-)
-%doc RHEL/6/output/ssg-rhel6-guide-*.html
-%doc RHEL/7/output/ssg-rhel7-guide-*.html
+%doc RHEL/6/output/ssg-centos6-guide-*.html
+%doc RHEL/7/output/ssg-centos7-guide-*.html
 %doc JRE/output/ssg-jre-guide-*.html
 %doc Firefox/output/ssg-firefox-guide-*.html
 
 %changelog
+* Fri Mar  3 2017 Johnny Hughes <johnny@centos.org> 0.1.30-5
+- Manual CentOS Debranding
+
 * Tue Feb 14 2017 Watson Sato <wsato@redhat.com> 0.1.30-5
 - Fix template remediation function used by SSHD remediation
 - Reduce scope of patch that fixes SSHD remediation (RH BZ#1415152)