From 7a35c86e298ad9f37396f3d6b9d2e6633529d38d Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Mar 02 2017 15:24:52 +0000
Subject: import scap-security-guide-0.1.30-5.el7_3


---

diff --git a/SOURCES/scap-security-guide-0.1.25-centos-menu-branding.patch b/SOURCES/scap-security-guide-0.1.25-centos-menu-branding.patch
deleted file mode 100644
index e6e0e41..0000000
--- a/SOURCES/scap-security-guide-0.1.25-centos-menu-branding.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/C2S.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/C2S.xml
---- scap-security-guide-0.1.30/RHEL/7/input/profiles/C2S.xml	2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/C2S.xml	2016-11-15 16:20:21.101599393 +0000
-@@ -1,10 +1,10 @@
- <Profile id="C2S">
--<title>C2S for Red Hat Enterprise Linux 7</title>
-+<title>C2S for CentOS Linux 7</title>
- <description>This profile demonstrates compliance against the
- U.S. Government Commercial Cloud Services (C2S) baseline.
- 
- This baseline was inspired by the Center for Internet Security
--(CIS) Red Hat Enterprise Linux 7 Benchmark, v1.1.0 - 04-02-2015.
-+(CIS) CentOS Linux 7 Benchmark, v1.1.0 - 04-02-2015.
- For the SCAP Security Guide project to remain in compliance with
- CIS' terms and conditions, specifically Restrictions(8), note
- there is no representation or claim that the C2S profile will
-diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/cjis-rhel7-server.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/cjis-rhel7-server.xml
---- scap-security-guide-0.1.30/RHEL/7/input/profiles/cjis-rhel7-server.xml	2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/cjis-rhel7-server.xml	2016-11-15 18:29:47.554461773 +0000
-@@ -1,6 +1,6 @@
- <Profile id="cjis-rhel7-server">
- <title>Criminal Justice Information Services (CJIS) Security Policy</title>
--<description override="true">This is a *draft* profile for CJIS v5.4. The scope of this profile is to configure Red Hat Enteprise Linux 7 against the U. S. Department of Justice, FBI CJIS Security Policy.
-+<description override="true">This is a *draft* profile for CJIS v5.4. The scope of this profile is to configure CentOS Linux 7 against the U. S. Department of Justice, FBI CJIS Security Policy.
- </description>
- 
- <!-- CJIS v5.4 is available here:
-@@ -118,7 +118,7 @@
- <select idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="true" />
- 
- <!-- 5.10.1.2 Encryption -->
--<!-- How can I make RHEL 6 or RHEL 7 FIPS 140-2 compliant? https://access.redhat.com/solutions/137833 -->
-+<!-- How can I make CentOS 6 or CentOS 7 FIPS 140-2 compliant? https://access.redhat.com/solutions/137833 -->
- <refine-value idref="var_password_pam_ocredit" selector="1" />
- <refine-value idref="var_password_pam_dcredit" selector="1" />
- <refine-value idref="var_password_pam_ucredit" selector="1" />
-@@ -141,4 +141,4 @@
- <!-- 5.13.1.3 Bluetooth -->
- <select idref="kernel_module_bluetooth_disabled" selected="true"/>
- 
--</Profile>
-\ No newline at end of file
-+</Profile>
-diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/nist-CL-IL-AL.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/nist-CL-IL-AL.xml
---- scap-security-guide-0.1.30/RHEL/7/input/profiles/nist-CL-IL-AL.xml	2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/nist-CL-IL-AL.xml	2016-11-15 18:30:22.535473255 +0000
-@@ -1,5 +1,5 @@
- <Profile id="nist-cl-il-al" extends="common">
--<title override="true">CNSSI 1253 Low/Low/Low Control Baseline for Red Hat Enterprise Linux 7</title>
-+<title override="true">CNSSI 1253 Low/Low/Low Control Baseline for CentOS Linux 7</title>
- <description override="true">This profile follows the Committee on National Security Systems Instruction
- (CNSSI) No. 1253, "Security Categorization and Control Selection for National Security
- Systems" on security controls to meet low confidentiality, low integrity, and low
-diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/ospp-rhel7-server.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/ospp-rhel7-server.xml
---- scap-security-guide-0.1.30/RHEL/7/input/profiles/ospp-rhel7-server.xml	2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/ospp-rhel7-server.xml	2016-11-15 18:30:44.136480430 +0000
-@@ -1,6 +1,6 @@
- <Profile id="ospp-rhel7-server">
- <title>United States Government Configuration Baseline (USGCB / STIG)</title>
--<description override="true">This is a *draft* profile for NIAP OSPP v4.0. This profile is being developed under the National Information Assurance Partnership. The scope of this profile is to configure Red Hat Enteprise Linux 7 against the NIAP Protection Profile for General Purpose Operating Systems v4.0. The NIAP OSPP profile also serves as a working draft for USGCB submission against RHEL7 Server.</description>
-+<description override="true">This is a *draft* profile for NIAP OSPP v4.0. This profile is being developed under the National Information Assurance Partnership. The scope of this profile is to configure CentOS Linux 7 against the NIAP Protection Profile for General Purpose Operating Systems v4.0. The NIAP OSPP profile also serves as a working draft for USGCB submission against CentOS7 Server.</description>
- 
- <!-- OSPP v4.0 is available here:
-      https://www.niap-ccevs.org/pp/PP_OS_v4.0/ 
-diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/pci-dss.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/pci-dss.xml
---- scap-security-guide-0.1.30/RHEL/7/input/profiles/pci-dss.xml	2016-11-15 18:35:12.316574543 +0000
-+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/pci-dss.xml	2016-11-15 18:31:03.287486842 +0000
-@@ -1,5 +1,5 @@
- <Profile id="pci-dss" xmlns="http://checklists.nist.gov/xccdf/1.1">
--<title>PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7</title>
-+<title>PCI-DSS v3 Control Baseline for CentOS Linux 7</title>
- <description>This is a *draft* profile for PCI-DSS v3</description>
- 
- <refine-value idref="var_password_pam_unix_remember" selector="4" />
-diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/pci-dss.xml.rhel7_pcidss_drop_rpm_verify_permissions_rule scap-security-guide-0.1.30.new/RHEL/7/input/profiles/pci-dss.xml.rhel7_pcidss_drop_rpm_verify_permissions_rule
---- scap-security-guide-0.1.30/RHEL/7/input/profiles/pci-dss.xml.rhel7_pcidss_drop_rpm_verify_permissions_rule	2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/pci-dss.xml.rhel7_pcidss_drop_rpm_verify_permissions_rule	2016-11-15 18:31:24.039493843 +0000
-@@ -1,5 +1,5 @@
- <Profile id="pci-dss" xmlns="http://checklists.nist.gov/xccdf/1.1">
--<title>PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7</title>
-+<title>PCI-DSS v3 Control Baseline for CentOS Linux 7</title>
- <description>This is a *draft* profile for PCI-DSS v3</description>
- 
- <refine-value idref="var_password_pam_unix_remember" selector="4" />
-diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/rht-ccp.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/rht-ccp.xml
---- scap-security-guide-0.1.30/RHEL/7/input/profiles/rht-ccp.xml	2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/rht-ccp.xml	2016-11-15 18:32:04.251507569 +0000
-@@ -98,11 +98,11 @@
- <select idref="sysctl_kernel_ipv6_disable" selected="true"/>
- <select idref="service_ip6tables_enabled" selected="true"/>
- 
--This requirement does not apply against Red Hat Enterprise Linux 7:
-+This requirement does not apply against CentOS Linux 7:
- see: https://github.com/OpenSCAP/scap-security-guide/issues/66 for details.
- <select idref="kernel_module_rds_disabled" selected="true"/>
- 
--This requirement does not apply against Red Hat Enterprise Linux 7:
-+This requirement does not apply against CentOS Linux 7:
- see: https://github.com/OpenSCAP/scap-security-guide/issues/67 for details.
- <select idref="kernel_module_tipc_disabled" selected="true"/>
- 
-diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/standard.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/standard.xml
---- scap-security-guide-0.1.30/RHEL/7/input/profiles/standard.xml	2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/standard.xml	2016-11-15 18:32:32.999517516 +0000
-@@ -1,6 +1,6 @@
- <Profile id="standard">
- <title>Standard System Security Profile</title>
--<description>This profile contains rules to ensure standard security baseline of Red Hat Enterprise Linux 7 system.
-+<description>This profile contains rules to ensure standard security baseline of CentOS Linux 7 system.
- Regardless of your system's workload all of these checks should pass.</description>
- 
- <select idref="ensure_redhat_gpgkey_installed" selected="true" />
-@@ -14,7 +14,7 @@ Regardless of your system's workload all
- <select idref="accounts_root_path_dirs_no_write" selected="true"/>
- <select idref="dir_perms_world_writable_sticky_bits" selected="true" />
- 
--<!-- The following rules currently returns 'notapplicable' on RHEL-7 container -->
-+<!-- The following rules currently returns 'notapplicable' on CentOS-7 container -->
- <!-- Investigate why, fix the issues, and re-enable back once fixed -->
- <!-- <select idref="accounts_password_all_shadowed" selected="true"/> -->
- <!-- <select idref="root_path_no_dot" selected="true"/> -->
-diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/stig-rhel7-server-gui-upstream.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/stig-rhel7-server-gui-upstream.xml
---- scap-security-guide-0.1.30/RHEL/7/input/profiles/stig-rhel7-server-gui-upstream.xml	2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/stig-rhel7-server-gui-upstream.xml	2016-11-15 18:32:48.434522900 +0000
-@@ -1,5 +1,5 @@
- <Profile id="stig-rhel7-server-gui-upstream" extends="stig-rhel7-server-upstream">
--<title override="true">STIG for Red Hat Enterprise Linux 7 Server Running GUIs</title>
-+<title override="true">STIG for CentOS Linux 7 Server Running GUIs</title>
- <description override="true">This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.</description>
- 
- <!-- DISA FSO REFINEMENT VALUES
-diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml
---- scap-security-guide-0.1.30/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml	2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml	2016-11-15 18:33:07.232529497 +0000
-@@ -1,5 +1,5 @@
- <Profile id="stig-rhel7-server-upstream" extends="ospp-rhel7-server">
--<title override="true">STIG for Red Hat Enterprise Linux 7 Server</title>
-+<title override="true">STIG for CentOS Linux 7 Server</title>
- <description override="true">This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.</description>
- 
- <!-- DISA FSO REFINEMENT VALUES
-diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/stig-rhel7-workstation-upstream.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/stig-rhel7-workstation-upstream.xml
---- scap-security-guide-0.1.30/RHEL/7/input/profiles/stig-rhel7-workstation-upstream.xml	2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/stig-rhel7-workstation-upstream.xml	2016-11-15 18:33:34.107539010 +0000
-@@ -1,5 +1,5 @@
- <Profile id="stig-rhel7-workstation-upstream" extends="stig-rhel7-server-gui-upstream">
--<title override="true">STIG for Red Hat Enterprise Linux 7 Workstation</title>
-+<title override="true">STIG for CentOS Linux 7 Workstation</title>
- <description override="true">This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.</description>
- 
- <!-- DISA FSO REFINEMENT VALUES
diff --git a/SOURCES/scap-security-guide-0.1.30-centos-menu-branding-2.patch b/SOURCES/scap-security-guide-0.1.30-centos-menu-branding-2.patch
deleted file mode 100644
index 53798c8..0000000
--- a/SOURCES/scap-security-guide-0.1.30-centos-menu-branding-2.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-diff -uNrp scap-security-guide-0.1.30.orig/RHEL/7/input/guide.xml scap-security-guide-0.1.30/RHEL/7/input/guide.xml
---- scap-security-guide-0.1.30.orig/RHEL/7/input/guide.xml	2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30/RHEL/7/input/guide.xml	2016-12-04 12:58:05.537287951 +0000
-@@ -2,9 +2,9 @@
- <Benchmark xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dc="http://purl.org/dc/elements/1.1/" id="RHEL-7" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" style="SCAP_1.1" resolved="false" xml:lang="en-US" >
- 
- <status date="2011-12-20">draft</status>
--<title>Guide to the Secure Configuration of Red Hat Enterprise Linux 7</title>
-+<title>Guide to the Secure Configuration of CentOS Linux 7</title>
- <description>This guide presents a catalog of security-relevant
--configuration settings for Red Hat Enterprise Linux 7 formatted in the
-+configuration settings for CentOS Linux 7 formatted in the
- eXtensible Configuration Checklist Description Format (XCCDF).  
- <br/>
- <br/>
-@@ -22,7 +22,7 @@ providing baselines that meet a diverse
- XCCDF <i>Profiles</i>, which are selections of items that form checklists and
- can be used as baselines, are available with this guide.  They can be
- processed, in an automated fashion, with tools that support the Security
--Content Automation Protocol (SCAP).  The DISA STIG for Red Hat Enterprise Linux 7 is one example of
-+Content Automation Protocol (SCAP).  The DISA STIG for CentOS Linux 7 is one example of
- a baseline created from this guidance.
- </description>
- <notice id="terms_of_use">Do not attempt to implement any of the settings in
-@@ -32,7 +32,7 @@ other parties, and makes no guarantees,
- quality, reliability, or any other characteristic.</notice>
- 
- <front-matter>The SCAP Security Guide Project<br/>https://fedorahosted.org/scap-security-guide</front-matter>
--<rear-matter>Red Hat and Red Hat Enterprise Linux are either registered
-+<rear-matter>Red Hat and Red Hat Enterprise  Linux are either registered
- trademarks or trademarks of Red Hat, Inc. in the United States and other
- countries. All other names are registered trademarks or trademarks of their
- respective companies.</rear-matter>
-diff -uNrp scap-security-guide-0.1.30.orig/RHEL/7/input/intro/intro.xml scap-security-guide-0.1.30/RHEL/7/input/intro/intro.xml
---- scap-security-guide-0.1.30.orig/RHEL/7/input/intro/intro.xml	2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30/RHEL/7/input/intro/intro.xml	2016-12-04 13:02:13.903282198 +0000
-@@ -3,7 +3,7 @@
- <description>
- <!-- purpose and scope of guidance -->
- The purpose of this guidance is to provide security configuration
--recommendations and baselines for the Red Hat Enterprise Linux (RHEL) 7 operating
-+recommendations and baselines for the CentOS Linux 7 operating
- system. The guidance provided here should be applicable to all variants
- (Desktop, Server, Advanced Platform) of the product. Recommended
- settings for the basic operating system are provided, as well as for many
-@@ -33,7 +33,7 @@ to passive monitoring. Whenever practica
- such data exist, they should be applied. Even if data is expected to
- be transmitted only over a local network, it should still be encrypted.
- Encrypting authentication data, such as passwords, is particularly
--important. Networks of Red Hat Enterprise Linux 7 machines can and should be configured
-+important. Networks of CentOS Linux 7 machines can and should be configured
- so that no unencrypted authentication data is ever transmitted between
- machines.
- </description>
-@@ -44,7 +44,7 @@ machines.
- <title>Minimize Software to Minimize Vulnerability</title>
- <description>
- The simplest way to avoid vulnerabilities in software is to avoid
--installing that software. On RHEL, the RPM Package Manager (originally
-+installing that software. On CentOS, the RPM Package Manager (originally
- Red Hat Package Manager, abbreviated RPM) allows for careful management of
- the set of software packages installed on a system. Installed software
- contributes to system vulnerability in several ways. Packages that
diff --git a/SOURCES/scap-security-guide-0.1.30-zstream-rhbz#1415152.patch b/SOURCES/scap-security-guide-0.1.30-zstream-rhbz#1415152.patch
new file mode 100644
index 0000000..648d7d2
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.30-zstream-rhbz#1415152.patch
@@ -0,0 +1,42 @@
+diff --git a/shared/remediations/bash/templates/remediation_functions b/shared/remediations/bash/templates/remediation_functions
+index 1ef7e19..40d8ad3 100644
+--- a/shared/remediations/bash/templates/remediation_functions
++++ b/shared/remediations/bash/templates/remediation_functions
+@@ -774,7 +774,7 @@ function replace_or_append {
+ 
+   # Strip any search characters in the key arg so that the key can be replaced without
+   # adding any search characters to the config file.
+-  stripped_key=${key//[!a-zA-Z]/}
++  stripped_key=$(sed "s/[\^=\$,;+]*//g" <<< $key)
+ 
+   # If there is no print format specified in the last arg, use the default format.
+   if ! [ "x$format" = x ] ; then
+diff --git a/shared/remediations/bash/sshd_use_approved_macs.sh b/shared/remediations/bash/sshd_use_approved_macs.sh
+index c6e1c29..b93809a 100644
+--- a/shared/remediations/bash/sshd_use_approved_macs.sh
++++ b/shared/remediations/bash/sshd_use_approved_macs.sh
+@@ -1,6 +1,6 @@
+ # platform = multi_platform_rhel
+-grep -qi ^MACs /etc/ssh/sshd_config && \
+-  sed -i "s/MACs.*/MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1/gI" /etc/ssh/sshd_config
+-if ! [ $? -eq 0 ]; then
+-    echo "MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1" >> /etc/ssh/sshd_config
+-fi
++
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
++
++replace_or_append '/etc/ssh/sshd_config' '^MACs' 'hmac-sha2-512,hmac-sha2-256,hmac-sha1' 'CCENUM' '%s %s'
+diff --git a/shared/xccdf/remediation_functions.xml b/shared/xccdf/remediation_functions.xml
+index dc14346..f2f2e62 100644
+--- a/shared/xccdf/remediation_functions.xml
++++ b/shared/xccdf/remediation_functions.xml
+@@ -1152,7 +1152,7 @@ function replace_or_append {
+ 
+   # Strip any search characters in the key arg so that the key can be replaced without
+   # adding any search characters to the config file.
+-  stripped_key=${key//[!a-zA-Z]/}
++  stripped_key=$(sed "s/[\^=\$,;+]*//g" &lt;&lt;&lt; $key)
+ 
+   # If there is no print format specified in the last arg, use the default format.
+   if ! [ "x$format" = x ] ; then
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index e1859b5..1d9e0a9 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -2,7 +2,7 @@
 
 Name:		scap-security-guide
 Version:	0.1.%{redhatssgversion}
-Release:	3%{?dist}.0.3
+Release:	5%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 
 Group:		System Environment/Base
@@ -15,8 +15,7 @@ Patch3:		scap-security-guide-0.1.30-rhbz#1351541.patch
 Patch4:		scap-security-guide-0.1.30-rhbz#1344581.patch
 Patch5:		scap-security-guide-0.1.30-rhbz#1351751.patch
 Patch6:		scap-security-guide-0.1.30-downstream-rhbz#1357019.patch
-Patch99:	scap-security-guide-0.1.25-centos-menu-branding.patch
-Patch100:	scap-security-guide-0.1.30-centos-menu-branding-2.patch
+Patch7:		scap-security-guide-0.1.30-zstream-rhbz#1415152.patch
 BuildArch:	noarch
 
 BuildRequires:	libxslt, expat, python, openscap-scanner >= 1.2.5, python-lxml
@@ -61,12 +60,15 @@ been generated from XCCDF benchmarks present in %{name} package.
 # to different location already). The rest of the change (except the path)
 # is identical with upstream form
 %patch6 -p1 -b .rhbz#1357019
-
-%patch99 -p1 -b .centos
-%patch100 -p1 -b .centos
-
-# Remove the RHEL Certified Cloud Provider profile for debranding purposes
-%{__rm} RHEL/7/input/profiles/rht-ccp.xml
+# Z-stream fix for RHBZ#1415152
+# Patch consists of upstream
+# https://patch-diff.githubusercontent.com/raw/OpenSCAP/scap-security-guide/pull/1555.diff
+# and modified version of upstream
+# https://patch-diff.githubusercontent.com/raw/OpenSCAP/scap-security-guide/pull/1471.diff
+# Patch for PR 1471 was modified to remove unrelated changes, and remediations files got
+# moved to different location. Also, changes in 'sshd_use_approved_macs.sh' are slightly
+# different due to commit c6730b867f6760b94ec193e95484a16054b27f48a).
+%patch7 -p1 -b .rhbz#1415152
 
 %build
 (cd RHEL/7 && make dist)
@@ -82,12 +84,12 @@ mkdir -p %{buildroot}%{_mandir}/en/man8/
 # Add in RHEL-7 core content (SCAP)
 cp -a RHEL/7/dist/content/ssg-rhel7-cpe-dictionary.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
 cp -a RHEL/7/dist/content/ssg-rhel7-cpe-oval.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
-cp -a RHEL/7/dist/content/ssg-centos7-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
+cp -a RHEL/7/dist/content/ssg-rhel7-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
 cp -a RHEL/7/dist/content/ssg-rhel7-oval.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
-cp -a RHEL/7/dist/content/ssg-centos7-xccdf.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
+cp -a RHEL/7/dist/content/ssg-rhel7-xccdf.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
 
 # Add in RHEL-6 datastream (SCAP)
-cp -a RHEL/6/dist/content/ssg-centos6-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content
+cp -a RHEL/6/dist/content/ssg-rhel6-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content
 
 # Add in Firefox datastream (SCAP)
 cp -a Firefox/dist/content/ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content
@@ -117,22 +119,18 @@ cp -a docs/scap-security-guide.8 %{buildroot}%{_mandir}/en/man8/scap-security-gu
 
 %files doc
 %defattr(-,root,root,-)
-%doc RHEL/6/output/ssg-centos6-guide-*.html
-%doc RHEL/7/output/ssg-centos7-guide-*.html
+%doc RHEL/6/output/ssg-rhel6-guide-*.html
+%doc RHEL/7/output/ssg-rhel7-guide-*.html
 %doc JRE/output/ssg-jre-guide-*.html
 %doc Firefox/output/ssg-firefox-guide-*.html
 
 %changelog
-* Fri Dec 02 2016 brian@bstinson.com 0.1.-3.0.3
-- Remove the Red Hat Certified Cloud Provider profile
-- add 2nd branding patch
-
-* Thu Dec  1 2016 Johnny Hughes <johnny@centos.org> 0.1.30-3.0.2
-- fix branding issue on ospp-rhel7-server.xml 
+* Tue Feb 14 2017 Watson Sato <wsato@redhat.com> 0.1.30-5
+- Fix template remediation function used by SSHD remediation
+- Reduce scope of patch that fixes SSHD remediation (RH BZ#1415152)
 
-* Tue Nov 15 2016 Johnny Hughes <johnny@centos.org> 0.1.30-3
-- Use the CentOS SCAP content
-- scap-security-guide-0.1.25-centos-menu-branding.patch
+* Tue Jan 31 2017 Jan Watson Sato <wsato@redhat.com> 0.1.30-4
+- Correct remediation for SSHD which caused it not to start (RH BZ#1415152)
 
 * Wed Aug 10 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.30-3
 - Correct the remediation script for 'Enable Smart Card Login' rule