From 9c64d10fe983e4071424613c740999d1bd6a820c Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Aug 01 2017 03:43:29 +0000
Subject: import scap-security-guide-0.1.33-5.el7


---

diff --git a/.gitignore b/.gitignore
index ea97346..7a06ebd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/scap-security-guide-0.1.30.tar.gz
+SOURCES/scap-security-guide-0.1.33.tar.bz2
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
index 2d6f46b..ec8edd4 100644
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@@ -1 +1 @@
-6630e157fce94380bc4610538b1fb8cccfaf5f57 SOURCES/scap-security-guide-0.1.30.tar.gz
+165667e0ac14d568b3544e42170d16761b637b3b SOURCES/scap-security-guide-0.1.33.tar.bz2
diff --git a/SOURCES/scap-security-guide-0.1.25-centos-menu-branding.patch b/SOURCES/scap-security-guide-0.1.25-centos-menu-branding.patch
deleted file mode 100644
index cda0a9d..0000000
--- a/SOURCES/scap-security-guide-0.1.25-centos-menu-branding.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/C2S.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/C2S.xml
---- scap-security-guide-0.1.30/RHEL/7/input/profiles/C2S.xml	2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/C2S.xml	2016-11-15 16:20:21.101599393 +0000
-@@ -1,10 +1,10 @@
- <Profile id="C2S">
--<title>C2S for Red Hat Enterprise Linux 7</title>
-+<title>C2S for CentOS Linux 7</title>
- <description>This profile demonstrates compliance against the
- U.S. Government Commercial Cloud Services (C2S) baseline.
- 
- This baseline was inspired by the Center for Internet Security
--(CIS) Red Hat Enterprise Linux 7 Benchmark, v1.1.0 - 04-02-2015.
-+(CIS) CentOS Linux 7 Benchmark, v1.1.0 - 04-02-2015.
- For the SCAP Security Guide project to remain in compliance with
- CIS' terms and conditions, specifically Restrictions(8), note
- there is no representation or claim that the C2S profile will
-diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/nist-CL-IL-AL.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/nist-CL-IL-AL.xml
---- scap-security-guide-0.1.30/RHEL/7/input/profiles/nist-CL-IL-AL.xml	2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/nist-CL-IL-AL.xml	2016-11-15 18:30:22.535473255 +0000
-@@ -1,5 +1,5 @@
- <Profile id="nist-cl-il-al" extends="common">
--<title override="true">CNSSI 1253 Low/Low/Low Control Baseline for Red Hat Enterprise Linux 7</title>
-+<title override="true">CNSSI 1253 Low/Low/Low Control Baseline for CentOS Linux 7</title>
- <description override="true">This profile follows the Committee on National Security Systems Instruction
- (CNSSI) No. 1253, "Security Categorization and Control Selection for National Security
- Systems" on security controls to meet low confidentiality, low integrity, and low
-diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/ospp-rhel7-server.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/ospp-rhel7-server.xml
---- scap-security-guide-0.1.30/RHEL/7/input/profiles/ospp-rhel7-server.xml	2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/ospp-rhel7-server.xml	2016-11-15 18:30:44.136480430 +0000
-@@ -1,6 +1,6 @@
- <Profile id="ospp-rhel7-server">
- <title>United States Government Configuration Baseline (USGCB / STIG)</title>
--<description override="true">This is a *draft* profile for NIAP OSPP v4.0. This profile is being developed under the National Information Assurance Partnership. The scope of this profile is to configure Red Hat Enteprise Linux 7 against the NIAP Protection Profile for General Purpose Operating Systems v4.0. The NIAP OSPP profile also serves as a working draft for USGCB submission against RHEL7 Server.</description>
-+<description override="true">This is a *draft* profile for NIAP OSPP v4.0. This profile is being developed under the National Information Assurance Partnership. The scope of this profile is to configure CentOS Linux 7 against the NIAP Protection Profile for General Purpose Operating Systems v4.0. The NIAP OSPP profile also serves as a working draft for USGCB submission against CentOS7 Server.</description>
- 
- <!-- OSPP v4.0 is available here:
-      https://www.niap-ccevs.org/pp/PP_OS_v4.0/ 
-diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/pci-dss.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/pci-dss.xml
---- scap-security-guide-0.1.30/RHEL/7/input/profiles/pci-dss.xml	2016-11-15 18:35:12.316574543 +0000
-+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/pci-dss.xml	2016-11-15 18:31:03.287486842 +0000
-@@ -1,5 +1,5 @@
- <Profile id="pci-dss" xmlns="http://checklists.nist.gov/xccdf/1.1">
--<title>PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7</title>
-+<title>PCI-DSS v3 Control Baseline for CentOS Linux 7</title>
- <description>This is a *draft* profile for PCI-DSS v3</description>
- 
- <refine-value idref="var_password_pam_unix_remember" selector="4" />
-diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/pci-dss.xml.rhel7_pcidss_drop_rpm_verify_permissions_rule scap-security-guide-0.1.30.new/RHEL/7/input/profiles/pci-dss.xml.rhel7_pcidss_drop_rpm_verify_permissions_rule
---- scap-security-guide-0.1.30/RHEL/7/input/profiles/pci-dss.xml.rhel7_pcidss_drop_rpm_verify_permissions_rule	2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/pci-dss.xml.rhel7_pcidss_drop_rpm_verify_permissions_rule	2016-11-15 18:31:24.039493843 +0000
-@@ -1,5 +1,5 @@
- <Profile id="pci-dss" xmlns="http://checklists.nist.gov/xccdf/1.1">
--<title>PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7</title>
-+<title>PCI-DSS v3 Control Baseline for CentOS Linux 7</title>
- <description>This is a *draft* profile for PCI-DSS v3</description>
- 
- <refine-value idref="var_password_pam_unix_remember" selector="4" />
-diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/rht-ccp.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/rht-ccp.xml
---- scap-security-guide-0.1.30/RHEL/7/input/profiles/rht-ccp.xml	2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/rht-ccp.xml	2016-11-15 18:32:04.251507569 +0000
-@@ -98,11 +98,11 @@
- <select idref="sysctl_kernel_ipv6_disable" selected="true"/>
- <select idref="service_ip6tables_enabled" selected="true"/>
- 
--This requirement does not apply against Red Hat Enterprise Linux 7:
-+This requirement does not apply against CentOS Linux 7:
- see: https://github.com/OpenSCAP/scap-security-guide/issues/66 for details.
- <select idref="kernel_module_rds_disabled" selected="true"/>
- 
--This requirement does not apply against Red Hat Enterprise Linux 7:
-+This requirement does not apply against CentOS Linux 7:
- see: https://github.com/OpenSCAP/scap-security-guide/issues/67 for details.
- <select idref="kernel_module_tipc_disabled" selected="true"/>
- 
-diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/standard.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/standard.xml
---- scap-security-guide-0.1.30/RHEL/7/input/profiles/standard.xml	2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/standard.xml	2016-11-15 18:32:32.999517516 +0000
-@@ -1,6 +1,6 @@
- <Profile id="standard">
- <title>Standard System Security Profile</title>
--<description>This profile contains rules to ensure standard security baseline of Red Hat Enterprise Linux 7 system.
-+<description>This profile contains rules to ensure standard security baseline of CentOS Linux 7 system.
- Regardless of your system's workload all of these checks should pass.</description>
- 
- <select idref="ensure_redhat_gpgkey_installed" selected="true" />
-@@ -14,7 +14,7 @@ Regardless of your system's workload all
- <select idref="accounts_root_path_dirs_no_write" selected="true"/>
- <select idref="dir_perms_world_writable_sticky_bits" selected="true" />
- 
--<!-- The following rules currently returns 'notapplicable' on RHEL-7 container -->
-+<!-- The following rules currently returns 'notapplicable' on CentOS-7 container -->
- <!-- Investigate why, fix the issues, and re-enable back once fixed -->
- <!-- <select idref="accounts_password_all_shadowed" selected="true"/> -->
- <!-- <select idref="root_path_no_dot" selected="true"/> -->
-diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/stig-rhel7-server-gui-upstream.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/stig-rhel7-server-gui-upstream.xml
---- scap-security-guide-0.1.30/RHEL/7/input/profiles/stig-rhel7-server-gui-upstream.xml	2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/stig-rhel7-server-gui-upstream.xml	2016-11-15 18:32:48.434522900 +0000
-@@ -1,5 +1,5 @@
- <Profile id="stig-rhel7-server-gui-upstream" extends="stig-rhel7-server-upstream">
--<title override="true">STIG for Red Hat Enterprise Linux 7 Server Running GUIs</title>
-+<title override="true">STIG for CentOS Linux 7 Server Running GUIs</title>
- <description override="true">This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.</description>
- 
- <!-- DISA FSO REFINEMENT VALUES
-diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml
---- scap-security-guide-0.1.30/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml	2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml	2016-11-15 18:33:07.232529497 +0000
-@@ -1,5 +1,5 @@
- <Profile id="stig-rhel7-server-upstream" extends="ospp-rhel7-server">
--<title override="true">STIG for Red Hat Enterprise Linux 7 Server</title>
-+<title override="true">STIG for CentOS Linux 7 Server</title>
- <description override="true">This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.</description>
- 
- <!-- DISA FSO REFINEMENT VALUES
-diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/stig-rhel7-workstation-upstream.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/stig-rhel7-workstation-upstream.xml
---- scap-security-guide-0.1.30/RHEL/7/input/profiles/stig-rhel7-workstation-upstream.xml	2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/stig-rhel7-workstation-upstream.xml	2016-11-15 18:33:34.107539010 +0000
-@@ -1,5 +1,5 @@
- <Profile id="stig-rhel7-workstation-upstream" extends="stig-rhel7-server-gui-upstream">
--<title override="true">STIG for Red Hat Enterprise Linux 7 Workstation</title>
-+<title override="true">STIG for CentOS Linux 7 Workstation</title>
- <description override="true">This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.</description>
- 
- <!-- DISA FSO REFINEMENT VALUES
-diff -uNrp scap-security-guide-0.1.30.orig/RHEL/7/input/profiles/cjis-rhel7-server.xml scap-security-guide-0.1.30/RHEL/7/input/profiles/cjis-rhel7-server.xml
---- scap-security-guide-0.1.30.orig/RHEL/7/input/profiles/cjis-rhel7-server.xml	2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30/RHEL/7/input/profiles/cjis-rhel7-server.xml	2017-03-03 10:31:09.864377323 +0000
-@@ -1,6 +1,6 @@
- <Profile id="cjis-rhel7-server">
- <title>Criminal Justice Information Services (CJIS) Security Policy</title>
--<description override="true">This is a *draft* profile for CJIS v5.4. The scope of this profile is to configure Red Hat Enteprise Linux 7 against the U. S. Department of Justice, FBI CJIS Security Policy.
-+<description override="true">This is a *draft* profile for CJIS v5.4. The scope of this profile is to configure CentOS Linux 7 against the U. S. Department of Justice, FBI CJIS Security Policy.
- </description>
- 
- <!-- CJIS v5.4 is available here:
-@@ -118,7 +118,7 @@
- <select idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="true" />
- 
- <!-- 5.10.1.2 Encryption -->
--<!-- How can I make RHEL 6 or RHEL 7 FIPS 140-2 compliant? https://access.redhat.com/solutions/137833 -->
-+<!-- How can I make CentOS 6 or CentOS 7 FIPS 140-2 compliant? https://access.redhat.com/solutions/137833 -->
- <refine-value idref="var_password_pam_ocredit" selector="1" />
- <refine-value idref="var_password_pam_dcredit" selector="1" />
- <refine-value idref="var_password_pam_ucredit" selector="1" />
-@@ -141,4 +141,4 @@
- <!-- 5.13.1.3 Bluetooth -->
- <select idref="kernel_module_bluetooth_disabled" selected="true"/>
- 
--</Profile>
-\ No newline at end of file
-+</Profile>
diff --git a/SOURCES/scap-security-guide-0.1.25-update-upstream-manual-page.patch b/SOURCES/scap-security-guide-0.1.25-update-upstream-manual-page.patch
deleted file mode 100644
index 5c25653..0000000
--- a/SOURCES/scap-security-guide-0.1.25-update-upstream-manual-page.patch
+++ /dev/null
@@ -1,20 +0,0 @@
---- scap-security-guide-0.1.25/docs/scap-security-guide.8.orig	2015-08-19 18:58:32.408884940 +0200
-+++ scap-security-guide-0.1.25/docs/scap-security-guide.8	2015-08-19 18:59:13.201694420 +0200
-@@ -105,17 +105,6 @@ The  common  profile is intended to be u
- scanning of general-purpose Red Hat Enterprise Linux systems.
- .RE
- 
--.SH Fedora PROFILES
--The Fedora SSG content is broken into 'profiles,' groupings of security settings that
--correlate to a known policy. Currently available profile:
--
--.I common
--.RS
--The common profile is intended to be used as a base, universal profile for
--scanning of general-purpose Fedora systems.
--.RE
--
--
- .SH EXAMPLES
- To scan your system utilizing the OpenSCAP utility against the
- stig-rhel6-server-upstream profile:
diff --git a/SOURCES/scap-security-guide-0.1.30-centos-menu-branding-2.patch b/SOURCES/scap-security-guide-0.1.30-centos-menu-branding-2.patch
deleted file mode 100644
index 53798c8..0000000
--- a/SOURCES/scap-security-guide-0.1.30-centos-menu-branding-2.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-diff -uNrp scap-security-guide-0.1.30.orig/RHEL/7/input/guide.xml scap-security-guide-0.1.30/RHEL/7/input/guide.xml
---- scap-security-guide-0.1.30.orig/RHEL/7/input/guide.xml	2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30/RHEL/7/input/guide.xml	2016-12-04 12:58:05.537287951 +0000
-@@ -2,9 +2,9 @@
- <Benchmark xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dc="http://purl.org/dc/elements/1.1/" id="RHEL-7" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" style="SCAP_1.1" resolved="false" xml:lang="en-US" >
- 
- <status date="2011-12-20">draft</status>
--<title>Guide to the Secure Configuration of Red Hat Enterprise Linux 7</title>
-+<title>Guide to the Secure Configuration of CentOS Linux 7</title>
- <description>This guide presents a catalog of security-relevant
--configuration settings for Red Hat Enterprise Linux 7 formatted in the
-+configuration settings for CentOS Linux 7 formatted in the
- eXtensible Configuration Checklist Description Format (XCCDF).  
- <br/>
- <br/>
-@@ -22,7 +22,7 @@ providing baselines that meet a diverse
- XCCDF <i>Profiles</i>, which are selections of items that form checklists and
- can be used as baselines, are available with this guide.  They can be
- processed, in an automated fashion, with tools that support the Security
--Content Automation Protocol (SCAP).  The DISA STIG for Red Hat Enterprise Linux 7 is one example of
-+Content Automation Protocol (SCAP).  The DISA STIG for CentOS Linux 7 is one example of
- a baseline created from this guidance.
- </description>
- <notice id="terms_of_use">Do not attempt to implement any of the settings in
-@@ -32,7 +32,7 @@ other parties, and makes no guarantees,
- quality, reliability, or any other characteristic.</notice>
- 
- <front-matter>The SCAP Security Guide Project<br/>https://fedorahosted.org/scap-security-guide</front-matter>
--<rear-matter>Red Hat and Red Hat Enterprise Linux are either registered
-+<rear-matter>Red Hat and Red Hat Enterprise  Linux are either registered
- trademarks or trademarks of Red Hat, Inc. in the United States and other
- countries. All other names are registered trademarks or trademarks of their
- respective companies.</rear-matter>
-diff -uNrp scap-security-guide-0.1.30.orig/RHEL/7/input/intro/intro.xml scap-security-guide-0.1.30/RHEL/7/input/intro/intro.xml
---- scap-security-guide-0.1.30.orig/RHEL/7/input/intro/intro.xml	2016-06-22 12:56:46.000000000 +0000
-+++ scap-security-guide-0.1.30/RHEL/7/input/intro/intro.xml	2016-12-04 13:02:13.903282198 +0000
-@@ -3,7 +3,7 @@
- <description>
- <!-- purpose and scope of guidance -->
- The purpose of this guidance is to provide security configuration
--recommendations and baselines for the Red Hat Enterprise Linux (RHEL) 7 operating
-+recommendations and baselines for the CentOS Linux 7 operating
- system. The guidance provided here should be applicable to all variants
- (Desktop, Server, Advanced Platform) of the product. Recommended
- settings for the basic operating system are provided, as well as for many
-@@ -33,7 +33,7 @@ to passive monitoring. Whenever practica
- such data exist, they should be applied. Even if data is expected to
- be transmitted only over a local network, it should still be encrypted.
- Encrypting authentication data, such as passwords, is particularly
--important. Networks of Red Hat Enterprise Linux 7 machines can and should be configured
-+important. Networks of CentOS Linux 7 machines can and should be configured
- so that no unencrypted authentication data is ever transmitted between
- machines.
- </description>
-@@ -44,7 +44,7 @@ machines.
- <title>Minimize Software to Minimize Vulnerability</title>
- <description>
- The simplest way to avoid vulnerabilities in software is to avoid
--installing that software. On RHEL, the RPM Package Manager (originally
-+installing that software. On CentOS, the RPM Package Manager (originally
- Red Hat Package Manager, abbreviated RPM) allows for careful management of
- the set of software packages installed on a system. Installed software
- contributes to system vulnerability in several ways. Packages that
diff --git a/SOURCES/scap-security-guide-0.1.30-downstream-rhbz#1357019.patch b/SOURCES/scap-security-guide-0.1.30-downstream-rhbz#1357019.patch
deleted file mode 100644
index a3129fa..0000000
--- a/SOURCES/scap-security-guide-0.1.30-downstream-rhbz#1357019.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From bfaac3332c7e06b4252746f6da514fd44e74b0e6 Mon Sep 17 00:00:00 2001
-From: Jan Lieskovsky <jlieskov@redhat.com>
-Date: Wed, 10 Aug 2016 15:47:58 +0200
-Subject: [PATCH] [BugFix] [RHEL/7] Rewrite RHEL-7 remediation for
- 'smartcard_auth' rule since per downstream bug:  
- https://bugzilla.redhat.com/show_bug.cgi?id=1357019
-
-we can't use 'authconfig' binary direct call, because it will
-discard the changes as performed and required by other remediation
-scripts also touching /etc/pam.d/system-auth{,-ac} file
-
-Therefore return to previous version updating necessary files
-directly via 'sed' tool (rather than using 'authconfig' binary)
-
-Note: While on the rule also update XCCDF link providing further
-info how to setup smartcard auth (since the current one returns
-HTTP 404 Not Found)
----
- RHEL/7/input/xccdf/system/accounts/physical.xml |  2 +-
- RHEL/7/input/remediations/bash/smartcard_auth.sh  | 61 +++++++++++++++++++++++--
- 2 files changed, 58 insertions(+), 5 deletions(-)
-
-diff --git a/RHEL/7/input/xccdf/system/accounts/physical.xml b/RHEL/7/input/xccdf/system/accounts/physical.xml
-index b3ac250..d229469 100644
---- a/RHEL/7/input/xccdf/system/accounts/physical.xml
-+++ b/RHEL/7/input/xccdf/system/accounts/physical.xml
-@@ -375,7 +375,7 @@ is not enabled by default and must be enabled in the system settings.
- <description>
- To enable smart card authentication, consult the documentation at:
- <ul>
--<li><b>https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/System-Level_Authentication_Guide/authconfig-addl-auth.html#authconfig-smartcard</b></li>
-+<li><b>https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html#authconfig-smartcards</b></li>
- </ul>
- For guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at:
- <ul>
-diff --git a/RHEL/7/input/remediations/bash/smartcard_auth.sh b/RHEL/7/input/remediations/bash/smartcard_auth.sh
-index 6292515..2fe5cc8 100644
---- a/RHEL/7/input/remediations/bash/smartcard_auth.sh
-+++ b/RHEL/7/input/remediations/bash/smartcard_auth.sh
-@@ -8,11 +8,64 @@ package_command install pam_pkcs11
- # Enable pcscd.socket systemd activation socket
- service_command enable pcscd.socket
- 
--# Enable smartcard authentication (but allow also other ways
--# to login not to possibly cut off the system in question)
--/usr/sbin/authconfig --enablesmartcard --updateall
-+# Configure the expected /etc/pam.d/system-auth{,-ac} settings directly
-+#
-+# The code below will configure system authentication in the way smart card
-+# logins will be enabled, but also user login(s) via other method to be allowed
-+#
-+# NOTE: It is not possible to use the 'authconfig' command to perform the
-+#       remediation for us, because call of 'authconfig' would discard changes
-+#       for other remediations (see RH BZ#1357019 for details)
-+#
-+#	Therefore we need to configure the necessary settings directly.
-+#
- 
--# Define constants to be reused below
-+# Define system-auth config location
-+SYSTEM_AUTH_CONF="/etc/pam.d/system-auth"
-+# Define expected 'pam_env.so' row in $SYSTEM_AUTH_CONF
-+PAM_ENV_SO="auth.*required.*pam_env.so"
-+
-+# Define 'pam_succeed_if.so' row to be appended past $PAM_ENV_SO row into $SYSTEM_AUTH_CONF
-+SYSTEM_AUTH_PAM_SUCCEED="\
-+auth        \[success=1 default=ignore\] pam_succeed_if.so service notin \
-+login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid"
-+# Define 'pam_pkcs11.so' row to be appended past $SYSTEM_AUTH_PAM_SUCCEED
-+# row into SYSTEM_AUTH_CONF file
-+SYSTEM_AUTH_PAM_PKCS11="\
-+auth        \[success=done authinfo_unavail=ignore ignore=ignore default=die\] \
-+pam_pkcs11.so nodebug"
-+
-+# Define smartcard-auth config location
-+SMARTCARD_AUTH_CONF="/etc/pam.d/smartcard-auth"
-+# Define 'pam_pkcs11.so' auth section to be appended past $PAM_ENV_SO into $SMARTCARD_AUTH_CONF
-+SMARTCARD_AUTH_SECTION="\
-+auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only"
-+# Define expected 'pam_permit.so' row in $SMARTCARD_AUTH_CONF
-+PAM_PERMIT_SO="account.*required.*pam_permit.so"
-+# Define 'pam_pkcs11.so' password section
-+SMARTCARD_PASSWORD_SECTION="\
-+password    required      pam_pkcs11.so"
-+
-+# First Correct the SYSTEM_AUTH_CONF configuration
-+if ! grep -q 'pam_pkcs11.so' "$SYSTEM_AUTH_CONF"
-+then
-+	# Append (expected) pam_succeed_if.so row past the pam_env.so into SYSTEM_AUTH_CONF file
-+	sed -i --follow-symlinks -e '/^'"$PAM_ENV_SO"'/a '"$SYSTEM_AUTH_PAM_SUCCEED" "$SYSTEM_AUTH_CONF"
-+	# Append (expected) pam_pkcs11.so row past the pam_succeed_if.so into SYSTEM_AUTH_CONF file
-+	sed -i --follow-symlinks -e '/^'"$SYSTEM_AUTH_PAM_SUCCEED"'/a '"$SYSTEM_AUTH_PAM_PKCS11" "$SYSTEM_AUTH_CONF"
-+fi
-+
-+# Then also correct the SMARTCARD_AUTH_CONF
-+if ! grep -q 'pam_pkcs11.so' "$SMARTCARD_AUTH_CONF"
-+then
-+	# Append (expected) SMARTCARD_AUTH_SECTION row past the pam_env.so into SMARTCARD_AUTH_CONF file
-+	sed -i --follow-symlinks -e '/^'"$PAM_ENV_SO"'/a '"$SMARTCARD_AUTH_SECTION" "$SMARTCARD_AUTH_CONF"
-+	# Append (expected) SMARTCARD_PASSWORD_SECTION row past the pam_permit.so into SMARTCARD_AUTH_CONF file
-+	sed -i --follow-symlinks -e '/^'"$PAM_PERMIT_SO"'/a '"$SMARTCARD_PASSWORD_SECTION" "$SMARTCARD_AUTH_CONF"
-+fi
-+
-+# Perform /etc/pam_pkcs11/pam_pkcs11.conf settings below
-+# Define selected constants for later reuse
- SP="[:space:]"
- PAM_PKCS11_CONF="/etc/pam_pkcs11/pam_pkcs11.conf"
- 
diff --git a/SOURCES/scap-security-guide-0.1.30-downstream-rhel7-pci-dss-drop-rpm-verify-permissions-rule.patch b/SOURCES/scap-security-guide-0.1.30-downstream-rhel7-pci-dss-drop-rpm-verify-permissions-rule.patch
deleted file mode 100644
index 0fc79df..0000000
--- a/SOURCES/scap-security-guide-0.1.30-downstream-rhel7-pci-dss-drop-rpm-verify-permissions-rule.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- scap-security-guide-0.1.30/RHEL/7/input/profiles/pci-dss.xml.orig	2016-06-22 16:59:38.965107812 +0200
-+++ scap-security-guide-0.1.30/RHEL/7/input/profiles/pci-dss.xml	2016-06-22 17:00:06.538687935 +0200
-@@ -57,7 +57,6 @@
- <select idref="service_chronyd_or_ntpd_enabled" selected="true"/>
- <select idref="chronyd_or_ntpd_specify_remote_server" selected="true"/>
- <select idref="chronyd_or_ntpd_specify_multiple_servers" selected="true"/>
--<select idref="rpm_verify_permissions" selected="true"/>
- <select idref="rpm_verify_hashes" selected="true"/>
- <select idref="install_hids" selected="true"/>
- <select idref="rsyslog_files_permissions" selected="true"/>
diff --git a/SOURCES/scap-security-guide-0.1.30-rhbz#1344581.patch b/SOURCES/scap-security-guide-0.1.30-rhbz#1344581.patch
deleted file mode 100644
index e9d4f21..0000000
--- a/SOURCES/scap-security-guide-0.1.30-rhbz#1344581.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From 2276972999ecb8c54ddea8ad40bdc15a7ea86a3a Mon Sep 17 00:00:00 2001
-From: Jan Lieskovsky <jlieskov@redhat.com>
-Date: Fri, 1 Jul 2016 15:02:12 +0200
-Subject: [PATCH] [BugFix] Enhance the OVAL checks for: *
- accounts_passwords_pam_faillock_deny_root *
- accounts_passwords_pam_faillock_deny
-
-rules to work properly also in case sssd package is installed
-and sssd daemon is running
-
-Fixes downstream: https://bugzilla.redhat.com/show_bug.cgi?id=1344581
----
- RHEL/7/input/oval/accounts_passwords_pam_faillock_deny_root.xml | 8 ++++----
- shared/oval/accounts_passwords_pam_faillock_deny.xml            | 8 ++++----
- 2 files changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/RHEL/7/input/oval/accounts_passwords_pam_faillock_deny_root.xml b/RHEL/7/input/oval/accounts_passwords_pam_faillock_deny_root.xml
-index 50f2e5a..7b60d22 100644
---- a/RHEL/7/input/oval/accounts_passwords_pam_faillock_deny_root.xml
-+++ b/RHEL/7/input/oval/accounts_passwords_pam_faillock_deny_root.xml
-@@ -34,7 +34,7 @@
-     <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
-     <!-- Since order of PAM modules matters ensure pam_faillock.so preauth silent in auth section is listed before
-          pam_unix.so module in auth section -->
--    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*[^\n]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
-+    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
-     <!-- Check only the first instance -->
-     <ind:instance datatype="int" operation="equals">1</ind:instance>
-   </ind:textfilecontent54_object>
-@@ -51,7 +51,7 @@
-     <ind:behaviors singleline="true" />
-     <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
-     <!-- Since order of PAM modules matters ensure pam_faillock.so in auth section is listed right after pam_unix.so auth row -->
--    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*even_deny_root[^\n]*[\n]</ind:pattern>
-+    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]+(?s).*[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*even_deny_root[^\n]*[\n]</ind:pattern>
-     <!-- Check only the first instance -->
-     <ind:instance datatype="int" operation="equals">1</ind:instance>
-   </ind:textfilecontent54_object>
-@@ -69,7 +69,7 @@
-     <ind:filepath>/etc/pam.d/password-auth</ind:filepath>
-     <!-- Since order of PAM modules matters ensure pam_faillock.so preauth silent in auth section is listed before
-          pam_unix.so module in auth section -->
--    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*[^\n]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
-+    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
-     <!-- Check only the first instance -->
-     <ind:instance datatype="int" operation="equals">1</ind:instance>
-   </ind:textfilecontent54_object>
-@@ -86,7 +86,7 @@
-     <ind:behaviors singleline="true" />
-     <ind:filepath>/etc/pam.d/password-auth</ind:filepath>
-     <!-- Since order of PAM modules matters ensure pam_faillock.so in auth section is listed right after pam_unix.so auth row -->
--    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*even_deny_root[^\n]*[\n]</ind:pattern>
-+    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]+(?s).*[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*even_deny_root[^\n]*[\n]</ind:pattern>
-     <!-- Check only the first instance -->
-     <ind:instance datatype="int" operation="equals">1</ind:instance>
-   </ind:textfilecontent54_object>
-diff --git a/shared/oval/accounts_passwords_pam_faillock_deny.xml b/shared/oval/accounts_passwords_pam_faillock_deny.xml
-index 96b5043..0923dc9 100644
---- a/shared/oval/accounts_passwords_pam_faillock_deny.xml
-+++ b/shared/oval/accounts_passwords_pam_faillock_deny.xml
-@@ -51,7 +51,7 @@
-     <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
-     <!-- Since order of PAM modules matters ensure pam_faillock.so preauth silent in auth section is listed before
-          pam_unix.so module in auth section -->
--    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*deny=([0-9]+)[\s]*[^\n]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
-+    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
-     <!-- Check only the first instance -->
-     <ind:instance datatype="int" operation="equals">1</ind:instance>
-   </ind:textfilecontent54_object>
-@@ -69,7 +69,7 @@
-     <ind:behaviors singleline="true" />
-     <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
-     <!-- Since order of PAM modules matters ensure pam_faillock.so in auth section is listed right after pam_unix.so auth row -->
--    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*deny=([0-9]+)[^\n]*[\n]</ind:pattern>
-+    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]+(?s).*[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*deny=([0-9]+)[^\n]*[\n]</ind:pattern>
-     <!-- Check only the first instance -->
-     <ind:instance datatype="int" operation="equals">1</ind:instance>
-   </ind:textfilecontent54_object>
-@@ -106,7 +106,7 @@
-     <ind:filepath>/etc/pam.d/password-auth</ind:filepath>
-     <!-- Since order of PAM modules matters ensure pam_faillock.so preauth silent in auth section is listed before
-          pam_unix.so module in auth section -->
--    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*deny=([0-9]+)[\s]*[^\n]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
-+    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n]</ind:pattern>
-     <!-- Check only the first instance -->
-     <ind:instance datatype="int" operation="equals">1</ind:instance>
-   </ind:textfilecontent54_object>
-@@ -124,7 +124,7 @@
-     <ind:behaviors singleline="true" />
-     <ind:filepath>/etc/pam.d/password-auth</ind:filepath>
-     <!-- Since order of PAM modules matters ensure pam_faillock.so in auth section is listed right after pam_unix.so auth row -->
--    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*deny=([0-9]+)[^\n]*[\n]</ind:pattern>
-+    <ind:pattern operation="pattern match">[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]+(?s).*[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*deny=([0-9]+)[^\n]*[\n]</ind:pattern>
-     <!-- Check only the first instance -->
-     <ind:instance datatype="int" operation="equals">1</ind:instance>
-   </ind:textfilecontent54_object>
diff --git a/SOURCES/scap-security-guide-0.1.30-rhbz#1351541.patch b/SOURCES/scap-security-guide-0.1.30-rhbz#1351541.patch
deleted file mode 100644
index f775f47..0000000
--- a/SOURCES/scap-security-guide-0.1.30-rhbz#1351541.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From e4d8a19ff626f416a4972344b529ff9fd5bc1c6f Mon Sep 17 00:00:00 2001
-From: Jan Lieskovsky <jlieskov@redhat.com>
-Date: Thu, 30 Jun 2016 14:30:52 +0200
-Subject: [PATCH] [BugFix] [RHEL/6] Make the title of the RHEL-6
- stig-rhel6-server-gui-upstream profile consistent with its RHEL-7 equivalent
-
-Fixes #1319
----
- RHEL/6/input/profiles/stig-rhel6-server-gui-upstream.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/RHEL/6/input/profiles/stig-rhel6-server-gui-upstream.xml b/RHEL/6/input/profiles/stig-rhel6-server-gui-upstream.xml
-index 669ac2b..d5351d8 100644
---- a/RHEL/6/input/profiles/stig-rhel6-server-gui-upstream.xml
-+++ b/RHEL/6/input/profiles/stig-rhel6-server-gui-upstream.xml
-@@ -1,5 +1,5 @@
- <Profile id="stig-rhel6-server-gui-upstream" extends="stig-rhel6-server-upstream">
--<title override="true">Upstream STIG for Red Hat Enterprise Linux 6 Server</title>
-+<title override="true">Upstream STIG for Red Hat Enterprise Linux 6 Server Running GUIs</title>
- <description override="true">This profile is developed under the DoD consensus model and DISA FSO Vendor STIG process,
- serving as the upstream development environment for the Red Hat Enterprise Linux 6 Server STIG.
- 
diff --git a/SOURCES/scap-security-guide-0.1.30-rhbz#1351751.patch b/SOURCES/scap-security-guide-0.1.30-rhbz#1351751.patch
deleted file mode 100644
index 862fd9d..0000000
--- a/SOURCES/scap-security-guide-0.1.30-rhbz#1351751.patch
+++ /dev/null
@@ -1,144 +0,0 @@
-From 989cb130cb7d03f27294313c3ee2f1f4d61568db Mon Sep 17 00:00:00 2001
-From: Jan Lieskovsky <jlieskov@redhat.com>
-Date: Tue, 28 Jun 2016 13:04:24 +0200
-Subject: [PATCH 1/2] [Enhancement] [RHEL/6] [RHEL/7] Include the generated
- HTML tables for RHEL-6 and RHEL-7 products into the produced RPM package
-
-Part of #1297
----
- RHEL/6/Makefile             |  5 +++--
- RHEL/7/Makefile             |  2 ++
- scap-security-guide.spec.in | 36 +++++++++++++++++++++++-------------
- 3 files changed, 28 insertions(+), 15 deletions(-)
-
-diff --git a/RHEL/6/Makefile b/RHEL/6/Makefile
-index 782d0f7..ac7d74e 100644
---- a/RHEL/6/Makefile
-+++ b/RHEL/6/Makefile
-@@ -69,8 +69,7 @@ table-stigs: $(OUT)/xccdf-unlinked-final.xml table-srgmap checks
- 		$(TRANS)/xccdf-apply-overlay-stig.xslt $<
- 	xsltproc -o $(OUT)/table-$(PROD)-stig.html $(TRANS)/xccdf2table-stig.xslt $(OUT)/unlinked-stig-$(PROD)-xccdf.xml
- 
--tables: table-refs table-idents table-stigs
--#tables: table-refs table-idents table-srgmap table-stigs
-+tables: table-refs table-idents table-srgmap table-stigs
- 
- content: $(OUT)/xccdf-unlinked-final.xml checks
- 	cp $< $(OUT)/unlinked-$(PROD)-xccdf.xml
-@@ -180,6 +179,8 @@ dist: tables guide content
- 	cp $(OUT)/$(ID)-$(PROD)-cpe-dictionary.xml $(DIST)/content
- 	cp $(OUT)/$(ID)-$(PROD)-cpe-oval.xml $(DIST)/content
- 	cp $(OUT)/$(ID)-$(PROD)-ds.xml $(DIST)/content
-+	mkdir -p $(DIST)/tables
-+	cp $(OUT)/table-*.{x,}html $(DIST)/tables
- 	mkdir -p $(DIST)/guide
- 	cp $(OUT)/*-guide-*.html $(DIST)/guide
- 	cp $(OUT)/$(ID)-centos6-xccdf.xml $(DIST)/content
-diff --git a/RHEL/7/Makefile b/RHEL/7/Makefile
-index fc9f284..0cafa7c 100644
---- a/RHEL/7/Makefile
-+++ b/RHEL/7/Makefile
-@@ -183,6 +183,8 @@ dist: tables guide content
- 	cp $(OUT)/$(ID)-$(PROD)-cpe-dictionary.xml $(DIST)/content
- 	cp $(OUT)/$(ID)-$(PROD)-cpe-oval.xml $(DIST)/content
- 	cp $(OUT)/$(ID)-$(PROD)-ds.xml $(DIST)/content
-+	mkdir -p $(DIST)/tables
-+	cp $(OUT)/table-*.{x,}html $(DIST)/tables
- 	mkdir -p $(DIST)/guide
- 	cp $(OUT)/*-guide-*.html $(DIST)/guide
- 	cp $(OUT)/$(ID)-centos7-xccdf.xml $(DIST)/content
-diff --git a/scap-security-guide.spec.in b/scap-security-guide.spec.in
-index ae3cc05..6fbb800 100644
---- a/scap-security-guide.spec.in
-+++ b/scap-security-guide.spec.in
-@@ -82,30 +82,40 @@ rm %{buildroot}%{_datadir}/xml/scap/ssg/content/*-cpe-dictionary.xml
- # We do this after the filtering on Fedora because we don't ship JBossEAP5 datastreams
- cp -a JBossEAP5/eap5-* %{buildroot}%{_datadir}/xml/scap/ssg/content/
- 
--# Docs
--mkdir -p %{buildroot}/%{_docdir}/%{name}/guides
--cp -a RHEL/6/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}/guides
--cp -a RHEL/7/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}/guides
--cp -a Firefox/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}/guides
--cp -a JRE/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}/guides
-+# Add in HTML tables for selected products
-+mkdir -p %{buildroot}/%{_docdir}/%{name}-%{version}/tables
-+cp -a RHEL/6/dist/tables/* %{buildroot}/%{_docdir}/%{name}-%{version}/tables
-+cp -a RHEL/7/dist/tables/* %{buildroot}/%{_docdir}/%{name}-%{version}/tables
-+
-+# Add in LICENSE and README.md
-+cp -a LICENSE README.md %{buildroot}/%{_docdir}/%{name}-%{version}
-+
-+# scap-security-guide-doc subpackage contains just HTML guides for supported products
-+mkdir -p %{buildroot}/%{_docdir}/%{name}-%{version}/guides
-+cp -a RHEL/6/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}-%{version}/guides
-+cp -a RHEL/7/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}-%{version}/guides
-+cp -a Firefox/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}-%{version}/guides
-+cp -a JRE/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}-%{version}/guides
- # outside of the normal build system, different guide
--cp -a JBossEAP5/docs/JBossEAP5_Guide.html %{buildroot}/%{_docdir}/%{name}/guides
-+cp -a JBossEAP5/docs/JBossEAP5_Guide.html %{buildroot}/%{_docdir}/%{name}-%{version}/guides
- 
- %if 0%{?fedora}
--cp -a Fedora/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}/guides
--cp -a Chromium/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}/guides
--#cp -a Webmin/output/*-guide-*.html %{buildroot}/%{_defaultdocdir}/%{name}/guides
-+cp -a Fedora/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}-%{version}/guides
-+cp -a Chromium/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}-%{version}/guides
-+#cp -a Webmin/output/*-guide-*.html %{buildroot}/%{_defaultdocdir}/%{name}-%{version}/guides
- %endif
- 
- %files
- %{_datadir}/xml/scap
- %{_datadir}/%{name}
- %lang(en) %{_mandir}/en/man8/scap-security-guide.8.*
--%doc LICENSE
--%doc README.md
-+%doc %{_docdir}/%{name}-%{version}/tables/*.html
-+%doc %{_docdir}/%{name}-%{version}/tables/*.xhtml
-+%doc %{_docdir}/%{name}-%{version}/LICENSE
-+%doc %{_docdir}/%{name}-%{version}/README.md
- 
- %files doc
--%doc %{_docdir}/%{name}/guides/*.html
-+%doc %{_docdir}/%{name}-%{version}/guides/*.html
- 
- %changelog
- * __DATE__ __REL_MANAGER__ <__REL_MANAGER_MAIL__> __VERSION__-__RELEASE__
-
-From 33ea7d73d7a53b465c15ac6289fe8833749622dc Mon Sep 17 00:00:00 2001
-From: Jan Lieskovsky <jlieskov@redhat.com>
-Date: Tue, 28 Jun 2016 18:50:17 +0200
-Subject: [PATCH 2/2] [Enhancement][RHEL/6][RHEL/7] Provide currently available
- RHEL-6 and RHEL-7 kickstart files in the produced RPM package
-
-Fixes (together with previous commit): #1297
----
- scap-security-guide.spec.in | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/scap-security-guide.spec.in b/scap-security-guide.spec.in
-index 6fbb800..056e84c 100644
---- a/scap-security-guide.spec.in
-+++ b/scap-security-guide.spec.in
-@@ -90,6 +90,11 @@ cp -a RHEL/7/dist/tables/* %{buildroot}/%{_docdir}/%{name}-%{version}/tables
- # Add in LICENSE and README.md
- cp -a LICENSE README.md %{buildroot}/%{_docdir}/%{name}-%{version}
- 
-+# Add in kickstart files for selected products
-+mkdir -p %{buildroot}%{_datadir}/%{name}/kickstart
-+cp -a RHEL/6/kickstart/*-ks.cfg %{buildroot}%{_datadir}/%{name}/kickstart
-+cp -a RHEL/7/kickstart/*-ks.cfg %{buildroot}%{_datadir}/%{name}/kickstart
-+
- # scap-security-guide-doc subpackage contains just HTML guides for supported products
- mkdir -p %{buildroot}/%{_docdir}/%{name}-%{version}/guides
- cp -a RHEL/6/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}-%{version}/guides
-@@ -107,7 +112,7 @@ cp -a Chromium/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}-%{version}/
- 
- %files
- %{_datadir}/xml/scap
--%{_datadir}/%{name}
-+%{_datadir}/%{name}/kickstart
- %lang(en) %{_mandir}/en/man8/scap-security-guide.8.*
- %doc %{_docdir}/%{name}-%{version}/tables/*.html
- %doc %{_docdir}/%{name}-%{version}/tables/*.xhtml
diff --git a/SOURCES/scap-security-guide-0.1.30-zstream-rhbz#1415152.patch b/SOURCES/scap-security-guide-0.1.30-zstream-rhbz#1415152.patch
deleted file mode 100644
index 648d7d2..0000000
--- a/SOURCES/scap-security-guide-0.1.30-zstream-rhbz#1415152.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-diff --git a/shared/remediations/bash/templates/remediation_functions b/shared/remediations/bash/templates/remediation_functions
-index 1ef7e19..40d8ad3 100644
---- a/shared/remediations/bash/templates/remediation_functions
-+++ b/shared/remediations/bash/templates/remediation_functions
-@@ -774,7 +774,7 @@ function replace_or_append {
- 
-   # Strip any search characters in the key arg so that the key can be replaced without
-   # adding any search characters to the config file.
--  stripped_key=${key//[!a-zA-Z]/}
-+  stripped_key=$(sed "s/[\^=\$,;+]*//g" <<< $key)
- 
-   # If there is no print format specified in the last arg, use the default format.
-   if ! [ "x$format" = x ] ; then
-diff --git a/shared/remediations/bash/sshd_use_approved_macs.sh b/shared/remediations/bash/sshd_use_approved_macs.sh
-index c6e1c29..b93809a 100644
---- a/shared/remediations/bash/sshd_use_approved_macs.sh
-+++ b/shared/remediations/bash/sshd_use_approved_macs.sh
-@@ -1,6 +1,6 @@
- # platform = multi_platform_rhel
--grep -qi ^MACs /etc/ssh/sshd_config && \
--  sed -i "s/MACs.*/MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1/gI" /etc/ssh/sshd_config
--if ! [ $? -eq 0 ]; then
--    echo "MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1" >> /etc/ssh/sshd_config
--fi
-+
-+# Include source function library.
-+. /usr/share/scap-security-guide/remediation_functions
-+
-+replace_or_append '/etc/ssh/sshd_config' '^MACs' 'hmac-sha2-512,hmac-sha2-256,hmac-sha1' 'CCENUM' '%s %s'
-diff --git a/shared/xccdf/remediation_functions.xml b/shared/xccdf/remediation_functions.xml
-index dc14346..f2f2e62 100644
---- a/shared/xccdf/remediation_functions.xml
-+++ b/shared/xccdf/remediation_functions.xml
-@@ -1152,7 +1152,7 @@ function replace_or_append {
- 
-   # Strip any search characters in the key arg so that the key can be replaced without
-   # adding any search characters to the config file.
--  stripped_key=${key//[!a-zA-Z]/}
-+  stripped_key=$(sed "s/[\^=\$,;+]*//g" &lt;&lt;&lt; $key)
- 
-   # If there is no print format specified in the last arg, use the default format.
-   if ! [ "x$format" = x ] ; then
diff --git a/SOURCES/scap-security-guide-0.1.33-fix-anaconda-remediation-template-add-remove-package.patch b/SOURCES/scap-security-guide-0.1.33-fix-anaconda-remediation-template-add-remove-package.patch
new file mode 100644
index 0000000..15650cb
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.33-fix-anaconda-remediation-template-add-remove-package.patch
@@ -0,0 +1,31 @@
+From 96e23141350598de62a0265b5a5007f107bb2525 Mon Sep 17 00:00:00 2001
+From: Martin Preisler <mpreisle@redhat.com>
+Date: Thu, 18 May 2017 11:23:35 -0400
+Subject: [PATCH] Use double dash instead of a single dash in ANACONDA
+ remediation templates
+
+---
+ shared/templates/template_ANACONDA_package_installed | 2 +-
+ shared/templates/template_ANACONDA_package_removed   | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/shared/templates/template_ANACONDA_package_installed b/shared/templates/template_ANACONDA_package_installed
+index 0fb9ba08d..9adffa7e6 100644
+--- a/shared/templates/template_ANACONDA_package_installed
++++ b/shared/templates/template_ANACONDA_package_installed
+@@ -4,4 +4,4 @@
+ # complexity = low
+ # disruption = low
+ 
+-package -add=PKGNAME
++package --add=PKGNAME
+diff --git a/shared/templates/template_ANACONDA_package_removed b/shared/templates/template_ANACONDA_package_removed
+index 21d950692..1882c0deb 100644
+--- a/shared/templates/template_ANACONDA_package_removed
++++ b/shared/templates/template_ANACONDA_package_removed
+@@ -4,4 +4,4 @@
+ # complexity = low
+ # disruption = low
+ 
+-package -remove=PKGNAME
++package --remove=PKGNAME
diff --git a/SOURCES/scap-security-guide-0.1.33-fix-anaconda-remediation-template-partition-mountoptions.patch b/SOURCES/scap-security-guide-0.1.33-fix-anaconda-remediation-template-partition-mountoptions.patch
new file mode 100644
index 0000000..5b682ad
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.33-fix-anaconda-remediation-template-partition-mountoptions.patch
@@ -0,0 +1,19 @@
+From 1b25ec4ff54215a7668a8cfdcf83ec6c6bb0f4bf Mon Sep 17 00:00:00 2001
+From: Gabe <redhatrises@gmail.com>
+Date: Thu, 18 May 2017 09:31:43 -0600
+Subject: [PATCH] Fix typo in ANACONDA static templates
+
+---
+ shared/templates/static/anaconda/mount_option_tmp_nodev.anaconda | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/shared/templates/static/anaconda/mount_option_tmp_nodev.anaconda b/shared/templates/static/anaconda/mount_option_tmp_nodev.anaconda
+index 992562ebf..b10200ab1 100644
+--- a/shared/templates/static/anaconda/mount_option_tmp_nodev.anaconda
++++ b/shared/templates/static/anaconda/mount_option_tmp_nodev.anaconda
+@@ -4,4 +4,4 @@
+ # complexity = low
+ # disruption = high
+ 
+-part /tmp -mountoptions="nodev"
++part /tmp --mountoptions="nodev"
diff --git a/SOURCES/scap-security-guide-0.1.33-fix-anaconda-smart-card-remediation_1461330.patch b/SOURCES/scap-security-guide-0.1.33-fix-anaconda-smart-card-remediation_1461330.patch
new file mode 100644
index 0000000..e1006a1
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.33-fix-anaconda-smart-card-remediation_1461330.patch
@@ -0,0 +1,22 @@
+From 620d6704401d8c9538d590c7e8bfdd18cb33034c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Wed, 14 Jun 2017 15:32:30 +0200
+Subject: [PATCH] RHBZ#1461330: Add Anaconda remediation for rule
+ "smartcard_auth"
+
+Packages pam_pkcs11 and esc weren't installed by Anaconda during
+installing, which caused that users can't log in.
+---
+ shared/templates/static/anaconda/smartcard_auth.anaconda | 3 +++
+ 1 file changed, 3 insertions(+)
+ create mode 100644 shared/templates/static/anaconda/smartcard_auth.anaconda
+
+diff --git a/shared/templates/static/anaconda/smartcard_auth.anaconda b/shared/templates/static/anaconda/smartcard_auth.anaconda
+new file mode 100644
+index 000000000..fbe3aa984
+--- /dev/null
++++ b/shared/templates/static/anaconda/smartcard_auth.anaconda
+@@ -0,0 +1,3 @@
++# platform = multi_platform_rhel
++
++package --add=pam_pkcs11 --add=esc
diff --git a/SOURCES/scap-security-guide-0.1.33-fix-guide-role-install-dir.patch b/SOURCES/scap-security-guide-0.1.33-fix-guide-role-install-dir.patch
new file mode 100644
index 0000000..65640f6
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.33-fix-guide-role-install-dir.patch
@@ -0,0 +1,56 @@
+diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
+index 45a841f..83a3ad0 100644
+--- a/cmake/SSGCommon.cmake
++++ b/cmake/SSGCommon.cmake
+@@ -753,7 +753,7 @@ macro(ssg_build_product PRODUCT)
+     install(
+        CODE "
+            file(GLOB GUIDE_FILES \"${CMAKE_BINARY_DIR}/guides/ssg-${PRODUCT}-guide-*.html\") \n
+-           file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_GUIDE_INSTALL_DIR}\"
++           file(INSTALL DESTINATION \"${SSG_GUIDE_INSTALL_DIR}\"
+            TYPE FILE FILES \${GUIDE_FILES}
+        )"
+        COMPONENT doc
+@@ -761,14 +761,14 @@ macro(ssg_build_product PRODUCT)
+     install(
+        CODE "
+        file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/roles/ssg-${PRODUCT}-role-*.yml\") \n
+-           file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ROLE_INSTALL_DIR}\"
++           file(INSTALL DESTINATION \"${SSG_ROLE_INSTALL_DIR}\"
+                TYPE FILE FILES \${ROLE_FILES}
+        )"
+     )
+     install(
+        CODE "
+        file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/roles/ssg-${PRODUCT}-role-*.sh\") \n
+-           file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ROLE_INSTALL_DIR}\"
++           file(INSTALL DESTINATION \"${SSG_ROLE_INSTALL_DIR}\"
+                TYPE FILE FILES \${ROLE_FILES}
+        )"
+     )
+@@ -878,7 +878,7 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE)
+     install(
+        CODE "
+        file(GLOB GUIDE_FILES \"${CMAKE_BINARY_DIR}/guides/ssg-${DERIVATIVE}-guide-*.html\") \n
+-           file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_GUIDE_INSTALL_DIR}\"
++           file(INSTALL DESTINATION \"${SSG_GUIDE_INSTALL_DIR}\"
+            TYPE FILE FILES \${GUIDE_FILES}
+        )"
+        COMPONENT doc
+@@ -886,14 +886,14 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE)
+     install(
+        CODE "
+        file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/roles/ssg-${DERIVATIVE}-role-*.yml\") \n
+-           file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ROLE_INSTALL_DIR}\"
++           file(INSTALL DESTINATION \"${SSG_ROLE_INSTALL_DIR}\"
+                TYPE FILE FILES \${ROLE_FILES}
+        )"
+     )
+     install(
+        CODE "
+        file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/roles/ssg-${DERIVATIVE}-role-*.sh\") \n
+-           file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ROLE_INSTALL_DIR}\"
++           file(INSTALL DESTINATION \"${SSG_ROLE_INSTALL_DIR}\"
+                TYPE FILE FILES \${ROLE_FILES}
+        )"
+     )
diff --git a/SOURCES/scap-security-guide-0.1.33-fix-ospp-rhel7-table.patch b/SOURCES/scap-security-guide-0.1.33-fix-ospp-rhel7-table.patch
new file mode 100644
index 0000000..c2a1579
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.33-fix-ospp-rhel7-table.patch
@@ -0,0 +1,23 @@
+From 17c80ede5d0e9d6253b2fa0c70714dd64e349eca Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 15 May 2017 17:25:35 +0200
+Subject: [PATCH] Build table for ospp-rhel7, not ospp-rhel7-server
+
+The profile has been renamed from ospp-rhel7-server to ospp-rhel7.
+---
+ RHEL/7/CMakeLists.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/RHEL/7/CMakeLists.txt b/RHEL/7/CMakeLists.txt
+index b49f556e8..5253b3a9f 100644
+--- a/RHEL/7/CMakeLists.txt
++++ b/RHEL/7/CMakeLists.txt
+@@ -10,7 +10,7 @@ ssg_build_html_table_by_ref(${PRODUCT} "cui")
+ ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
+ 
+ ssg_build_html_nistrefs_table(${PRODUCT} "common")
+-ssg_build_html_nistrefs_table(${PRODUCT} "ospp-${PRODUCT}-server")
++ssg_build_html_nistrefs_table(${PRODUCT} "ospp-${PRODUCT}")
+ ssg_build_html_nistrefs_table(${PRODUCT} "C2S")
+ ssg_build_html_nistrefs_table(${PRODUCT} "stig-${PRODUCT}-disa")
+ 
diff --git a/SOURCES/scap-security-guide-0.1.33-fix-profile_nist-800-171-cui-malformed-title.patch b/SOURCES/scap-security-guide-0.1.33-fix-profile_nist-800-171-cui-malformed-title.patch
new file mode 100644
index 0000000..f297c49
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.33-fix-profile_nist-800-171-cui-malformed-title.patch
@@ -0,0 +1,23 @@
+From cca881e45751b0abd4f7044813079dc61d5a53ec Mon Sep 17 00:00:00 2001
+From: Martin Preisler <mpreisle@redhat.com>
+Date: Tue, 9 May 2017 15:51:55 -0400
+Subject: [PATCH] Use @override for NIST 800 171 CUI profile
+
+Otherwise the name of the profile gets concatenated with the name of the
+profile it extends.
+---
+ RHEL/7/input/profiles/nist-800-171-cui.xml | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/RHEL/7/input/profiles/nist-800-171-cui.xml b/RHEL/7/input/profiles/nist-800-171-cui.xml
+index 0a3ea2550..a021035f9 100644
+--- a/RHEL/7/input/profiles/nist-800-171-cui.xml
++++ b/RHEL/7/input/profiles/nist-800-171-cui.xml
+@@ -1,6 +1,5 @@
+ <Profile id="nist-800-171-cui" extends="ospp-rhel7">
+-<title>Unclassified Information in Non-federal Information Systems and
+-Organizations (NIST 800-171)</title>
++<title override="true">Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)</title>
+ <description>From NIST 800-171, Section 2.2:
+ Security requirements for protecting the confidentiality of CUI in nonfederal 
+ information systems and organizations have a well-defined structure that 
diff --git a/SOURCES/scap-security-guide-0.1.33-update-upstream-manual-page.patch b/SOURCES/scap-security-guide-0.1.33-update-upstream-manual-page.patch
new file mode 100644
index 0000000..aae4ece
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.33-update-upstream-manual-page.patch
@@ -0,0 +1,29 @@
+diff --git a/docs/scap-security-guide.8 b/docs/scap-security-guide.8
+index 10b83bc..305957b 100644
+--- a/docs/scap-security-guide.8
++++ b/docs/scap-security-guide.8
+@@ -301,24 +301,6 @@ This profile configures Red Hat Enterprise Linux 7 to the NIST Special Publicati
+ for securing Controlled Unclassified Information (CUI).
+ 
+ 
+-.SH Fedora PROFILES
+-The Fedora SSG content is broken into 'profiles,' groupings of security settings that
+-correlate to a known policy. Currently available profile:
+-
+-.I common
+-.RS
+-The common profile is intended to be used as a base, universal profile for
+-scanning of general-purpose Fedora systems.
+-.RE
+-
+-.I standard
+-.RS
+-The Standard System Security Profile contains rules to ensure standard security
+-baseline of a Fedora system.
+-Regardless of your system's workload all of these checks should pass.
+-.RE
+-
+-
+ .SH EXAMPLES
+ To scan your system utilizing the OpenSCAP utility against the
+ stig-rhel6-server-upstream profile:
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index a75ac4d..a25ce82 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -1,4 +1,8 @@
-%global		redhatssgversion	30
+%global		redhatssgversion	33
+
+# Somehow, _pkgdocdir is already defined and points to unversioned docs dir
+# RHEL 7.X uses versioned docs dir, hence the definition below
+%global _pkgdocdir %{_docdir}/%{name}-%{version}
 
 Name:		scap-security-guide
 Version:	0.1.%{redhatssgversion}
@@ -8,19 +12,17 @@ Summary:	Security guidance and baselines in SCAP formats
 Group:		System Environment/Base
 License:	Public Domain
 URL:		https://github.com/OpenSCAP/scap-security-guide
-Source0:	%{name}-%{version}.tar.gz
-Patch1:		scap-security-guide-0.1.25-update-upstream-manual-page.patch
-Patch2:		scap-security-guide-0.1.30-downstream-rhel7-pci-dss-drop-rpm-verify-permissions-rule.patch
-Patch3:		scap-security-guide-0.1.30-rhbz#1351541.patch
-Patch4:		scap-security-guide-0.1.30-rhbz#1344581.patch
-Patch5:		scap-security-guide-0.1.30-rhbz#1351751.patch
-Patch6:		scap-security-guide-0.1.30-downstream-rhbz#1357019.patch
-Patch7:		scap-security-guide-0.1.30-zstream-rhbz#1415152.patch
-Patch99:        scap-security-guide-0.1.25-centos-menu-branding.patch
-Patch100:       scap-security-guide-0.1.30-centos-menu-branding-2.patch
+Source0:	%{name}-%{version}.tar.bz2
+Patch1:		scap-security-guide-0.1.33-update-upstream-manual-page.patch
+Patch2:		scap-security-guide-0.1.33-fix-guide-role-install-dir.patch
+Patch3:		scap-security-guide-0.1.33-fix-ospp-rhel7-table.patch
+Patch4:		scap-security-guide-0.1.33-fix-anaconda-remediation-template-add-remove-package.patch
+Patch5:		scap-security-guide-0.1.33-fix-anaconda-remediation-template-partition-mountoptions.patch
+Patch6:		scap-security-guide-0.1.33-fix-profile_nist-800-171-cui-malformed-title.patch
+Patch7:		scap-security-guide-0.1.33-fix-anaconda-smart-card-remediation_1461330.patch
 BuildArch:	noarch
 
-BuildRequires:	libxslt, expat, python, openscap-scanner >= 1.2.5, python-lxml
+BuildRequires:	libxslt, expat, python, openscap-scanner >= 1.2.5, python-lxml, cmake >= 2.8
 Requires:	xml-common, openscap-scanner >= 1.2.5
 
 %description
@@ -47,99 +49,92 @@ been generated from XCCDF benchmarks present in %{name} package.
 %setup -q -n %{name}-%{version}
 # Update manual page to drop the part dedicated to Fedora content
 %patch1 -p1 -b .man_page_update
-# Temporarily drop "Verify and Correct File Permissions with RPM"
-# rule from RHEL-7's PCI-DSS profile (RH BZ#1267861)
-%patch2 -p1 -b .rhel7_pcidss_drop_rpm_verify_permissions_rule
-# Fix for RHBZ#1351541
-%patch3 -p1 -b .rhbz#1351541
-# Fix for RHBZ#1344581
-%patch4 -p1 -b .rhbz#1344581
-# Fix for RHBZ#1351751
-%patch5 -p1 -b .rhbz#1351751
-# Downstream fix for RHBZ#1357019 (slightly differs from upstream
-# https://patch-diff.githubusercontent.com/raw/OpenSCAP/scap-security-guide/pull/1388.patch
-# version because 'smartcard-auth.sh' remediation in upstream got moved
-# to different location already). The rest of the change (except the path)
-# is identical with upstream form
-%patch6 -p1 -b .rhbz#1357019
-# Z-stream fix for RHBZ#1415152
-# Patch consists of upstream
-# https://patch-diff.githubusercontent.com/raw/OpenSCAP/scap-security-guide/pull/1555.diff
-# and modified version of upstream
-# https://patch-diff.githubusercontent.com/raw/OpenSCAP/scap-security-guide/pull/1471.diff
-# Patch for PR 1471 was modified to remove unrelated changes, and remediations files got
-# moved to different location. Also, changes in 'sshd_use_approved_macs.sh' are slightly
-# different due to commit c6730b867f6760b94ec193e95484a16054b27f48a).
-%patch7 -p1 -b .rhbz#1415152
-%patch99 -p1
-%patch100 -p1
-
-# Remove the RHEL Certified Cloud Provider profile for debranding purposes
-%{__rm} RHEL/7/input/profiles/rht-ccp.xml
+%patch2 -p1 -b .guide_role_dir_fix
+%patch3 -p1 -b .ospp_rhel7_table_fix
+# Patches 4 and 5 fixes rhbz#1450731
+%patch4 -p1 -b .anaconda_template_add_remove_package_fix
+%patch5 -p1 -b .anaconda_template_partition_mountoptions_fix
+# Fix for rhbz#1449211
+%patch6 -p1 -b .profile_nist_800_171_cui_malformed_title_fix
+%patch7 -p1 -b .anaconda-smart-card-auth
 
 %build
-(cd RHEL/7 && make dist)
-(cd RHEL/6 && make dist)
-(cd Firefox && make dist)
-(cd JRE && make dist)
+%cmake -D CMAKE_INSTALL_DOCDIR=%{_pkgdocdir} \
+-DSSG_PRODUCT_CHROMIUM:BOOL=OFF \
+-DSSG_PRODUCT_DEBIAN8:BOOL=OFF \
+-DSSG_PRODUCT_FEDORA:BOOL=OFF \
+-DSSG_PRODUCT_JBOSS_EAP5:BOOL=OFF \
+-DSSG_PRODUCT_JBOSS_FUSE6:BOOL=OFF \
+-DSSG_PRODUCT_OPENSUSE:BOOL=OFF \
+-DSSG_PRODUCT_OSP7:BOOL=OFF \
+-DSSG_PRODUCT_RHEL5:BOOL=OFF \
+-DSSG_PRODUCT_RHEV3:BOOL=OFF \
+-DSSG_PRODUCT_SUSE11:BOOL=OFF \
+-DSSG_PRODUCT_SUSE12:BOOL=OFF \
+-DSSG_PRODUCT_UBUNTU1404:BOOL=OFF \
+-DSSG_PRODUCT_UBUNTU1604:BOOL=OFF \
+-DSSG_PRODUCT_WRLINUX:BOOL=OFF \
+-DSSG_PRODUCT_WEBMIN:BOOL=OFF \
+-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
+-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF .
+make %{?_smp_mflags}
 
 %install
-
-mkdir -p %{buildroot}%{_datadir}/xml/scap/ssg/content
-mkdir -p %{buildroot}%{_mandir}/en/man8/
-
-# Add in RHEL-7 core content (SCAP)
-cp -a RHEL/7/dist/content/ssg-rhel7-cpe-dictionary.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
-cp -a RHEL/7/dist/content/ssg-rhel7-cpe-oval.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
-cp -a RHEL/7/dist/content/ssg-centos7-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
-cp -a RHEL/7/dist/content/ssg-rhel7-oval.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
-cp -a RHEL/7/dist/content/ssg-centos7-xccdf.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
-
-# Add in RHEL-6 datastream (SCAP)
-cp -a RHEL/6/dist/content/ssg-centos6-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content
-
-# Add in Firefox datastream (SCAP)
-cp -a Firefox/dist/content/ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content
-
-# Add in Java Runtime Environment (JRE) datastream (SCAP)
-cp -a JRE/dist/content/ssg-jre-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content
-
-# Add in currently available kickstart files
-mkdir -p %{buildroot}%{_datadir}/%{name}/kickstart
-cp -a RHEL/6/kickstart/*-ks.cfg %{buildroot}%{_datadir}/%{name}/kickstart
-cp -a RHEL/7/kickstart/*-ks.cfg %{buildroot}%{_datadir}/%{name}/kickstart
-
-# Add in manpage
-cp -a docs/scap-security-guide.8 %{buildroot}%{_mandir}/en/man8/scap-security-guide.8
+%make_install
 
 %files
 %defattr(-,root,root,-)
 %{_datadir}/xml/scap
 %{_datadir}/%{name}
-%lang(en) %{_mandir}/en/man8/scap-security-guide.8.gz
-%doc RHEL/6/dist/tables/*.html
-%doc RHEL/6/dist/tables/*.xhtml
-%doc RHEL/7/dist/tables/*.html
-%doc RHEL/7/dist/tables/*.xhtml
-%doc ./LICENSE
+%lang(en) %{_mandir}/man8/scap-security-guide.8.gz
+%doc LICENSE
+%doc Contributors.md
+%doc README.md
 %doc RHEL/6/input/auxiliary/DISCLAIMER
 
 %files doc
 %defattr(-,root,root,-)
-%doc RHEL/6/output/ssg-centos6-guide-*.html
-%doc RHEL/7/output/ssg-centos7-guide-*.html
-%doc JRE/output/ssg-jre-guide-*.html
-%doc Firefox/output/ssg-firefox-guide-*.html
+%doc roles/ssg-*-role*.yml
+%doc roles/ssg-*-role*.sh
+%doc guides/ssg-*-guide-*.html
 
 %changelog
-* Fri Mar  3 2017 Johnny Hughes <johnny@centos.org> 0.1.30-5
-- Manual CentOS Debranding
+* Wed Jun 14 2017 Watson Sato <wsato@redhat.com> 0.1.33-5
+- Fix Anaconda Smartcard auth remediation (RHBZ#1461330)
+
+* Fri May 19 2017 Watson Sato <wsato@redhat.com> 0.1.33-4
+- Fix specfile to not include tables twice
+
+* Fri May 19 2017 Watson Sato <wsato@redhat.com> 0.1.33-3
+- Fix malformed title of profile nist-800-171-cui
+
+* Fri May 19 2017 Watson Sato <wsato@redhat.com> 0.1.33-2
+- Fix emtpy ospp-rhel7 table
+- Fix Anaconda remediation templates (RHBZ#1450731)
+
+* Mon May 01 2017 Watson Sato <wsato@redhat.com> 0.1.33-1
+- Update to upstream version 0.1.33
+- DISA RHEL7 STIG profile alignment improved
+- Introduction of remediation roles
+- RPM and DEB test packages are built by CMake with CPack
+- Lots of remediation fixes
+
+* Tue Mar 28 2017 Watson Sato <wsato@redhat.com> 0.1.32-1
+- Update to upstream version 0.1.32
+- New CMake build system
+- Improved NIST 800-171 profile
+- Initial RHVH profile
+- New CPE to identify systems like machines (bare-metal and VM) and containers (image and container)
+- Template clean up in lots of remediations
+
+* Fri Mar 10 2017 Watson Sato <wsato@redhat.com> 0.1.30-6
+- Ship separate OCIL definitions for Red Hat Enterprise Linux 7 (RHBZ#1428144)
 
 * Tue Feb 14 2017 Watson Sato <wsato@redhat.com> 0.1.30-5
 - Fix template remediation function used by SSHD remediation
 - Reduce scope of patch that fixes SSHD remediation (RH BZ#1415152)
 
-* Tue Jan 31 2017 Jan Watson Sato <wsato@redhat.com> 0.1.30-4
+* Tue Jan 31 2017 Watson Sato <wsato@redhat.com> 0.1.30-4
 - Correct remediation for SSHD which caused it not to start (RH BZ#1415152)
 
 * Wed Aug 10 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.30-3