diff --git a/.gitignore b/.gitignore
index 7a06ebd..6d68201 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/scap-security-guide-0.1.33.tar.bz2
+SOURCES/scap-security-guide-0.1.36.tar.bz2
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
index ec8edd4..8589e93 100644
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@@ -1 +1 @@
-165667e0ac14d568b3544e42170d16761b637b3b SOURCES/scap-security-guide-0.1.33.tar.bz2
+1c244d1053d58edb7e5020b7e906b9edc89db48c SOURCES/scap-security-guide-0.1.36.tar.bz2
diff --git a/SOURCES/scap-security-guide-0.1.33-drop_set_firewalld_default_zone_remediation.patch b/SOURCES/scap-security-guide-0.1.33-drop_set_firewalld_default_zone_remediation.patch
deleted file mode 100644
index a080fd1..0000000
--- a/SOURCES/scap-security-guide-0.1.33-drop_set_firewalld_default_zone_remediation.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 8098e6e16c1b7a403c27744508c9892d482061fa Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Thu, 14 Sep 2017 19:07:46 +0200
-Subject: [PATCH] Drop firewalld default zone and sshd port fixes
-
-Providing a fix for 'firewalld_sshd_port_enabled' can be very complicated
-and will very likely not fit to everyone's use case. And because of that
-we drop remediation for 'set_firewalld_sshd_port', which is causing the
-remediated machine to refuse all connections.
----
- shared/templates/static/bash/set_firewalld_default_zone.sh | 10 ----
- 1 file changed, 10 deletions(-)
- delete mode 100644 shared/templates/static/bash/set_firewalld_default_zone.sh
-
-diff --git a/shared/templates/static/bash/set_firewalld_default_zone.sh b/shared/templates/static/bash/set_firewalld_default_zone.sh
-deleted file mode 100644
-index ada8b68a7..000000000
---- a/shared/templates/static/bash/set_firewalld_default_zone.sh
-+++ /dev/null
-@@ -1,6 +0,0 @@
--# platform = Red Hat Enterprise Linux 7
--grep -q ^DefaultZone= /etc/firewalld/firewalld.conf && \
-- sed -i "s/DefaultZone=.*/DefaultZone=drop/g" /etc/firewalld/firewalld.conf
--if ! [ $? -eq 0 ]; then
-- echo "DefaultZone=drop" >> /etc/firewalld/firewalld.conf
--fi
diff --git a/SOURCES/scap-security-guide-0.1.33-fix-anaconda-remediation-template-add-remove-package.patch b/SOURCES/scap-security-guide-0.1.33-fix-anaconda-remediation-template-add-remove-package.patch
deleted file mode 100644
index 15650cb..0000000
--- a/SOURCES/scap-security-guide-0.1.33-fix-anaconda-remediation-template-add-remove-package.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 96e23141350598de62a0265b5a5007f107bb2525 Mon Sep 17 00:00:00 2001
-From: Martin Preisler <mpreisle@redhat.com>
-Date: Thu, 18 May 2017 11:23:35 -0400
-Subject: [PATCH] Use double dash instead of a single dash in ANACONDA
- remediation templates
-
----
- shared/templates/template_ANACONDA_package_installed | 2 +-
- shared/templates/template_ANACONDA_package_removed | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/shared/templates/template_ANACONDA_package_installed b/shared/templates/template_ANACONDA_package_installed
-index 0fb9ba08d..9adffa7e6 100644
---- a/shared/templates/template_ANACONDA_package_installed
-+++ b/shared/templates/template_ANACONDA_package_installed
-@@ -4,4 +4,4 @@
- # complexity = low
- # disruption = low
-
--package -add=PKGNAME
-+package --add=PKGNAME
-diff --git a/shared/templates/template_ANACONDA_package_removed b/shared/templates/template_ANACONDA_package_removed
-index 21d950692..1882c0deb 100644
---- a/shared/templates/template_ANACONDA_package_removed
-+++ b/shared/templates/template_ANACONDA_package_removed
-@@ -4,4 +4,4 @@
- # complexity = low
- # disruption = low
-
--package -remove=PKGNAME
-+package --remove=PKGNAME
diff --git a/SOURCES/scap-security-guide-0.1.33-fix-anaconda-remediation-template-partition-mountoptions.patch b/SOURCES/scap-security-guide-0.1.33-fix-anaconda-remediation-template-partition-mountoptions.patch
deleted file mode 100644
index 5b682ad..0000000
--- a/SOURCES/scap-security-guide-0.1.33-fix-anaconda-remediation-template-partition-mountoptions.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-From 1b25ec4ff54215a7668a8cfdcf83ec6c6bb0f4bf Mon Sep 17 00:00:00 2001
-From: Gabe <redhatrises@gmail.com>
-Date: Thu, 18 May 2017 09:31:43 -0600
-Subject: [PATCH] Fix typo in ANACONDA static templates
-
----
- shared/templates/static/anaconda/mount_option_tmp_nodev.anaconda | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/shared/templates/static/anaconda/mount_option_tmp_nodev.anaconda b/shared/templates/static/anaconda/mount_option_tmp_nodev.anaconda
-index 992562ebf..b10200ab1 100644
---- a/shared/templates/static/anaconda/mount_option_tmp_nodev.anaconda
-+++ b/shared/templates/static/anaconda/mount_option_tmp_nodev.anaconda
-@@ -4,4 +4,4 @@
- # complexity = low
- # disruption = high
-
--part /tmp -mountoptions="nodev"
-+part /tmp --mountoptions="nodev"
diff --git a/SOURCES/scap-security-guide-0.1.33-fix-anaconda-smart-card-remediation_1461330.patch b/SOURCES/scap-security-guide-0.1.33-fix-anaconda-smart-card-remediation_1461330.patch
deleted file mode 100644
index e1006a1..0000000
--- a/SOURCES/scap-security-guide-0.1.33-fix-anaconda-smart-card-remediation_1461330.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From 620d6704401d8c9538d590c7e8bfdd18cb33034c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Wed, 14 Jun 2017 15:32:30 +0200
-Subject: [PATCH] RHBZ#1461330: Add Anaconda remediation for rule
- "smartcard_auth"
-
-Packages pam_pkcs11 and esc weren't installed by Anaconda during
-installing, which caused that users can't log in.
----
- shared/templates/static/anaconda/smartcard_auth.anaconda | 3 +++
- 1 file changed, 3 insertions(+)
- create mode 100644 shared/templates/static/anaconda/smartcard_auth.anaconda
-
-diff --git a/shared/templates/static/anaconda/smartcard_auth.anaconda b/shared/templates/static/anaconda/smartcard_auth.anaconda
-new file mode 100644
-index 000000000..fbe3aa984
---- /dev/null
-+++ b/shared/templates/static/anaconda/smartcard_auth.anaconda
-@@ -0,0 +1,3 @@
-+# platform = multi_platform_rhel
-+
-+package --add=pam_pkcs11 --add=esc
diff --git a/SOURCES/scap-security-guide-0.1.33-fix-guide-role-install-dir.patch b/SOURCES/scap-security-guide-0.1.33-fix-guide-role-install-dir.patch
deleted file mode 100644
index 65640f6..0000000
--- a/SOURCES/scap-security-guide-0.1.33-fix-guide-role-install-dir.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
-index 45a841f..83a3ad0 100644
---- a/cmake/SSGCommon.cmake
-+++ b/cmake/SSGCommon.cmake
-@@ -753,7 +753,7 @@ macro(ssg_build_product PRODUCT)
- install(
- CODE "
- file(GLOB GUIDE_FILES \"${CMAKE_BINARY_DIR}/guides/ssg-${PRODUCT}-guide-*.html\") \n
-- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_GUIDE_INSTALL_DIR}\"
-+ file(INSTALL DESTINATION \"${SSG_GUIDE_INSTALL_DIR}\"
- TYPE FILE FILES \${GUIDE_FILES}
- )"
- COMPONENT doc
-@@ -761,14 +761,14 @@ macro(ssg_build_product PRODUCT)
- install(
- CODE "
- file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/roles/ssg-${PRODUCT}-role-*.yml\") \n
-- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ROLE_INSTALL_DIR}\"
-+ file(INSTALL DESTINATION \"${SSG_ROLE_INSTALL_DIR}\"
- TYPE FILE FILES \${ROLE_FILES}
- )"
- )
- install(
- CODE "
- file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/roles/ssg-${PRODUCT}-role-*.sh\") \n
-- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ROLE_INSTALL_DIR}\"
-+ file(INSTALL DESTINATION \"${SSG_ROLE_INSTALL_DIR}\"
- TYPE FILE FILES \${ROLE_FILES}
- )"
- )
-@@ -878,7 +878,7 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE)
- install(
- CODE "
- file(GLOB GUIDE_FILES \"${CMAKE_BINARY_DIR}/guides/ssg-${DERIVATIVE}-guide-*.html\") \n
-- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_GUIDE_INSTALL_DIR}\"
-+ file(INSTALL DESTINATION \"${SSG_GUIDE_INSTALL_DIR}\"
- TYPE FILE FILES \${GUIDE_FILES}
- )"
- COMPONENT doc
-@@ -886,14 +886,14 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE)
- install(
- CODE "
- file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/roles/ssg-${DERIVATIVE}-role-*.yml\") \n
-- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ROLE_INSTALL_DIR}\"
-+ file(INSTALL DESTINATION \"${SSG_ROLE_INSTALL_DIR}\"
- TYPE FILE FILES \${ROLE_FILES}
- )"
- )
- install(
- CODE "
- file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/roles/ssg-${DERIVATIVE}-role-*.sh\") \n
-- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ROLE_INSTALL_DIR}\"
-+ file(INSTALL DESTINATION \"${SSG_ROLE_INSTALL_DIR}\"
- TYPE FILE FILES \${ROLE_FILES}
- )"
- )
diff --git a/SOURCES/scap-security-guide-0.1.33-fix-ospp-rhel7-table.patch b/SOURCES/scap-security-guide-0.1.33-fix-ospp-rhel7-table.patch
deleted file mode 100644
index c2a1579..0000000
--- a/SOURCES/scap-security-guide-0.1.33-fix-ospp-rhel7-table.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 17c80ede5d0e9d6253b2fa0c70714dd64e349eca Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Mon, 15 May 2017 17:25:35 +0200
-Subject: [PATCH] Build table for ospp-rhel7, not ospp-rhel7-server
-
-The profile has been renamed from ospp-rhel7-server to ospp-rhel7.
----
- RHEL/7/CMakeLists.txt | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/RHEL/7/CMakeLists.txt b/RHEL/7/CMakeLists.txt
-index b49f556e8..5253b3a9f 100644
---- a/RHEL/7/CMakeLists.txt
-+++ b/RHEL/7/CMakeLists.txt
-@@ -10,7 +10,7 @@ ssg_build_html_table_by_ref(${PRODUCT} "cui")
- ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
-
- ssg_build_html_nistrefs_table(${PRODUCT} "common")
--ssg_build_html_nistrefs_table(${PRODUCT} "ospp-${PRODUCT}-server")
-+ssg_build_html_nistrefs_table(${PRODUCT} "ospp-${PRODUCT}")
- ssg_build_html_nistrefs_table(${PRODUCT} "C2S")
- ssg_build_html_nistrefs_table(${PRODUCT} "stig-${PRODUCT}-disa")
-
diff --git a/SOURCES/scap-security-guide-0.1.33-fix-profile_nist-800-171-cui-malformed-title.patch b/SOURCES/scap-security-guide-0.1.33-fix-profile_nist-800-171-cui-malformed-title.patch
deleted file mode 100644
index f297c49..0000000
--- a/SOURCES/scap-security-guide-0.1.33-fix-profile_nist-800-171-cui-malformed-title.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From cca881e45751b0abd4f7044813079dc61d5a53ec Mon Sep 17 00:00:00 2001
-From: Martin Preisler <mpreisle@redhat.com>
-Date: Tue, 9 May 2017 15:51:55 -0400
-Subject: [PATCH] Use @override for NIST 800 171 CUI profile
-
-Otherwise the name of the profile gets concatenated with the name of the
-profile it extends.
----
- RHEL/7/input/profiles/nist-800-171-cui.xml | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/RHEL/7/input/profiles/nist-800-171-cui.xml b/RHEL/7/input/profiles/nist-800-171-cui.xml
-index 0a3ea2550..a021035f9 100644
---- a/RHEL/7/input/profiles/nist-800-171-cui.xml
-+++ b/RHEL/7/input/profiles/nist-800-171-cui.xml
-@@ -1,6 +1,5 @@
- <Profile id="nist-800-171-cui" extends="ospp-rhel7">
--<title>Unclassified Information in Non-federal Information Systems and
--Organizations (NIST 800-171)</title>
-+<title override="true">Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)</title>
- <description>From NIST 800-171, Section 2.2:
- Security requirements for protecting the confidentiality of CUI in nonfederal
- information systems and organizations have a well-defined structure that
diff --git a/SOURCES/scap-security-guide-0.1.33-update-upstream-manual-page.patch b/SOURCES/scap-security-guide-0.1.33-update-upstream-manual-page.patch
index aae4ece..f37821c 100644
--- a/SOURCES/scap-security-guide-0.1.33-update-upstream-manual-page.patch
+++ b/SOURCES/scap-security-guide-0.1.33-update-upstream-manual-page.patch
@@ -26,4 +26,4 @@ index 10b83bc..305957b 100644
-
.SH EXAMPLES
To scan your system utilizing the OpenSCAP utility against the
- stig-rhel6-server-upstream profile:
+ ospp-rhel7 profile:
diff --git a/SOURCES/scap-security-guide-0.1.37-Deprecate-RhostsRSAAuthentication.patch b/SOURCES/scap-security-guide-0.1.37-Deprecate-RhostsRSAAuthentication.patch
new file mode 100644
index 0000000..928131d
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.37-Deprecate-RhostsRSAAuthentication.patch
@@ -0,0 +1,57 @@
+From 44d270133421722ac0dfa0af9756b73d582f4d56 Mon Sep 17 00:00:00 2001
+From: Gabe <redhatrises@gmail.com>
+Date: Fri, 8 Dec 2017 11:59:13 -0700
+Subject: [PATCH] Deprecate RhostsRSAAuthentication as it have been deprecated
+ in 7.4
+
+- Fixes #2478
+---
+ shared/checks/oval/sshd_disable_rhosts_rsa.xml | 7 +++++--
+ shared/xccdf/services/ssh.xml | 9 +++++++++
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/shared/checks/oval/sshd_disable_rhosts_rsa.xml b/shared/checks/oval/sshd_disable_rhosts_rsa.xml
+index d7e00fafc..2abf88c70 100644
+--- a/shared/checks/oval/sshd_disable_rhosts_rsa.xml
++++ b/shared/checks/oval/sshd_disable_rhosts_rsa.xml
+@@ -15,8 +15,11 @@
+ <criteria comment="sshd is installed and configured" operator="AND">
+ <extend_definition comment="sshd is required and installed, or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
+- <criterion comment="Check RhostsRSAAuthentication in /etc/ssh/sshd_config"
+- negate="true" test_ref="test_sshd_disable_rhosts_rsa" />
++ <criteria comment="SSH version is equal or higher than 7.4 has deprecated RhostsRSAAuthentication" operator="OR">
++ <extend_definition comment="OpenSSH version 7.4 or higher has deprecated RhostsRSAAuthentication" definition_ref="sshd_version_equal_or_higher_than_74" />
++ <criterion comment="Check RhostsRSAAuthentication in /etc/ssh/sshd_config"
++ negate="true" test_ref="test_sshd_disable_rhosts_rsa" />
++ </criteria>
+ </criteria>
+ </criteria>
+ </definition>
+diff --git a/shared/xccdf/services/ssh.xml b/shared/xccdf/services/ssh.xml
+index 6edd47ab8..53c28faa9 100644
+--- a/shared/xccdf/services/ssh.xml
++++ b/shared/xccdf/services/ssh.xml
+@@ -603,6 +603,11 @@ following line in <tt>/etc/ssh/sshd_config</tt>:
+ <pre>RhostsRSAAuthentication no</pre>
+ </description>
+ <ocil>
++To check which SSH protocol version is allowed, check version of
++<tt>openssh-server</tt> with following command:
++<pre>$ rpm -qi openssh-server | grep Version</pre>
++Versions equal to or higher than 7.4 have deprecated the <tt>RhostsRSAAuthentication</tt> option.
++If version is lower than 7.4, run the following command to check configuration:
+ <sshd-check-macro option="RhostsRSAAuthentication" value="no" default="yes" />
+ </ocil>
+ <rationale>
+@@ -610,6 +615,10 @@ Configuring this setting for the SSH daemon provides additional
+ assurance that remove login via SSH will require a password, even
+ in the event of misconfiguration elsewhere.
+ </rationale>
++<warning category="general">As of <tt>openssh-server</tt> version <tt>7.4</tt> and above,
++the <tt>RhostsRSAAuthentication</tt> option has been deprecated, and the line
++<pre>RhostsRSAAuthentication no</pre> in <tt>/etc/ssh/sshd_config</tt> is not
++necessary.</warning>
+ <ident prodtype="rhel7" cce="80373-4" />
+ <oval id="sshd_disable_rhosts_rsa" value="sshd_required" />
+ <ref prodtype="rhel7" stigid="040330" />
diff --git a/SOURCES/scap-security-guide-0.1.37-add-disa-stig-rule-id.patch b/SOURCES/scap-security-guide-0.1.37-add-disa-stig-rule-id.patch
new file mode 100644
index 0000000..16e5eac
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.37-add-disa-stig-rule-id.patch
@@ -0,0 +1,95 @@
+From 4bfc0f1d9cfe21ec672fc806f5421272f1c0b41f Mon Sep 17 00:00:00 2001
+From: Wesley Ceraso Prudencio <wcerasop@redhat.com>
+Date: Wed, 1 Nov 2017 14:17:24 +0100
+Subject: [PATCH] Enables the STIG Rule ID to be output
+
+Signed-off-by: Wesley Ceraso Prudencio <wcerasop@redhat.com>
+---
+ cmake/SSGCommon.cmake | 5 ++++
+ shared/utils/add_stig_references.py | 57 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 62 insertions(+)
+ create mode 100755 shared/utils/add_stig_references.py
+
+diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
+index 8ac826ef6..786e07532 100644
+--- a/cmake/SSGCommon.cmake
++++ b/cmake/SSGCommon.cmake
+@@ -130,10 +130,15 @@ macro(ssg_build_shorthand_xml PRODUCT)
+ endmacro()
+
+ macro(ssg_build_xccdf_unlinked PRODUCT)
++ file(GLOB STIG_REFERENCE_FILE_LIST "${SSG_SHARED_REFS}/disa-stig-${PRODUCT}-*-xccdf-manual.xml")
++ list(APPEND STIG_REFERENCE_FILE_LIST "not-found")
++ list(GET STIG_REFERENCE_FILE_LIST 0 STIG_REFERENCE_FILE)
++
+ add_custom_command(
+ OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml"
+ COMMAND "${XSLTPROC_EXECUTABLE}" --stringparam ssg_version "${SSG_VERSION}" --output "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml" "${CMAKE_CURRENT_SOURCE_DIR}/transforms/shorthand2xccdf.xslt" "${CMAKE_CURRENT_BINARY_DIR}/shorthand.xml"
+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" xccdf resolve -o "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml" "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml"
++ COMMAND "${SSG_SHARED_UTILS}/add_stig_references.py" --disa-stig "${STIG_REFERENCE_FILE}" --unlinked-xccdf "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml"
+ DEPENDS generate-internal-${PRODUCT}-shorthand.xml
+ DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/shorthand.xml"
+ DEPENDS "${CMAKE_CURRENT_SOURCE_DIR}/transforms/shorthand2xccdf.xslt"
+diff --git a/shared/utils/add_stig_references.py b/shared/utils/add_stig_references.py
+new file mode 100755
+index 000000000..0ab208793
+--- /dev/null
++++ b/shared/utils/add_stig_references.py
+@@ -0,0 +1,57 @@
++#!/usr/bin/env python2
++
++try:
++ from xml.etree import cElementTree as etree
++except ImportError:
++ import cElementTree as etree
++
++import re
++import sys
++import argparse
++
++parser = argparse.ArgumentParser(
++ description='Add STIG references to XCCDF files.')
++parser.add_argument(
++ "--disa-stig", help="DISA STIG Reference XCCDF file",dest="reference")
++parser.add_argument(
++ "--unlinked-xccdf", help="unlinked SSG XCCDF file", dest="destination")
++args = parser.parse_args()
++
++reference = args.reference
++destination = args.destination
++
++xccdf_namespace = "http://checklists.nist.gov/xccdf/1.1"
++stig_href = 'http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx'
++stig_references_beginning = 'http://iase.disa.mil/stigs/'
++
++try:
++ reference_root = etree.parse(reference)
++except IOError as exception:
++ print 'INFO: DISA STIG Reference file not found for this platform'
++ sys.exit(0)
++
++reference_rules = reference_root.findall('.//{%s}Rule' % xccdf_namespace)
++
++dictionary = {}
++
++for rule in reference_rules:
++ version = rule.find('.//{%s}version' % xccdf_namespace)
++ if version is not None and version.text:
++ dictionary[version.text] = rule.get('id')
++
++target_root = etree.parse(destination)
++target_rules = target_root.findall('.//{%s}Rule' % xccdf_namespace)
++
++for rule in target_rules:
++ refs = rule.findall('.//{%s}reference' % xccdf_namespace)
++ for ref in refs:
++ if (ref.get('href').startswith(stig_references_beginning) and
++ ref.text in dictionary):
++ index = rule.getchildren().index(ref)
++ new_ref = etree.Element(
++ '{%s}reference' % xccdf_namespace, {'href': stig_href})
++ new_ref.text = dictionary[ref.text]
++ new_ref.tail = ref.tail
++ rule.insert(index + 1, new_ref)
++
++target_root.write(destination)
diff --git a/SOURCES/scap-security-guide-0.1.37-disable-check-libexec_ownership.patch b/SOURCES/scap-security-guide-0.1.37-disable-check-libexec_ownership.patch
new file mode 100644
index 0000000..6289dcb
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.37-disable-check-libexec_ownership.patch
@@ -0,0 +1,23 @@
+From 6f502074053282dd3afbb5ed1594fbbd524c9bc6 Mon Sep 17 00:00:00 2001
+From: Gabe <redhatrises@gmail.com>
+Date: Fri, 8 Dec 2017 11:34:50 -0700
+Subject: [PATCH] Do not check library ownership in libexec
+
+- Fixes #2473
+---
+ shared/checks/oval/file_ownership_library_dirs.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/shared/checks/oval/file_ownership_library_dirs.xml b/shared/checks/oval/file_ownership_library_dirs.xml
+index 41394a01e..186c99012 100644
+--- a/shared/checks/oval/file_ownership_library_dirs.xml
++++ b/shared/checks/oval/file_ownership_library_dirs.xml
+@@ -34,7 +34,7 @@
+
+ <unix:file_object comment="library files" id="object_file_ownership_lib_files" version="1">
+ <!-- Check that files within /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to user with uid 0 (root) -->
+- <unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
++ <unix:path operation="pattern match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>
+ <unix:filename operation="pattern match">^.*$</unix:filename>
+ <filter action="include">state_owner_libraries_not_root</filter>
+ </unix:file_object>
diff --git a/SOURCES/scap-security-guide-0.1.37-fix-missing-bash-remediation-include.patch b/SOURCES/scap-security-guide-0.1.37-fix-missing-bash-remediation-include.patch
new file mode 100644
index 0000000..83822b8
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.37-fix-missing-bash-remediation-include.patch
@@ -0,0 +1,31 @@
+From 4f9987487d11001ef666408dc88abaf783fa7395 Mon Sep 17 00:00:00 2001
+From: Marek Haicman <mhaicman@redhat.com>
+Date: Tue, 12 Dec 2017 00:04:39 +0100
+Subject: [PATCH] Fixed few remediation errors caused by missing include.
+
+---
+ ...el7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation.sh | 2 ++
+ shared/fixes/bash/disable_ctrlaltdel_burstaction.sh | 3 +++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/shared/bash_remediation_functions/rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation.sh b/shared/bash_remediation_functions/rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation.sh
+index 26498471e..755d483ac 100644
+--- a/shared/bash_remediation_functions/rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation.sh
++++ b/shared/bash_remediation_functions/rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation.sh
+@@ -1,3 +1,5 @@
++source fix_audit_syscall_rule.sh
++
+ # Perform the remediation for the 'adjtimex', 'settimeofday', and 'stime' audit
+ # system calls on Red Hat Enterprise Linux 7 or Fedora OSes
+ function rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation {
+diff --git a/shared/fixes/bash/disable_ctrlaltdel_burstaction.sh b/shared/fixes/bash/disable_ctrlaltdel_burstaction.sh
+index ab01748c8..5266cf255 100644
+--- a/shared/fixes/bash/disable_ctrlaltdel_burstaction.sh
++++ b/shared/fixes/bash/disable_ctrlaltdel_burstaction.sh
+@@ -1,3 +1,6 @@
+ # platform = Red Hat Enterprise Linux 7, multi_platform_fedora
+
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
++
+ replace_or_append '/etc/systemd/system.conf' '^CtrlAltDelBurstAction=' 'none' '@CCENUM@' '%s=%s'
diff --git a/SOURCES/scap-security-guide-0.1.37-fix-srg-table-empty-column.path b/SOURCES/scap-security-guide-0.1.37-fix-srg-table-empty-column.path
new file mode 100644
index 0000000..242934a
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.37-fix-srg-table-empty-column.path
@@ -0,0 +1,51 @@
+From 8b43d43533cf4a00de60da71a8aaa6e87776766f Mon Sep 17 00:00:00 2001
+From: Gabe <redhatrises@gmail.com>
+Date: Fri, 3 Nov 2017 10:36:57 -0600
+Subject: [PATCH] Remove CCI formatting from shared table-srgmap XSLT
+
+- CCI formatting is now done in earlier XSLT transformations.
+- Fixes #2447
+---
+ shared/transforms/shared_table-srgmap.xslt | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/shared/transforms/shared_table-srgmap.xslt b/shared/transforms/shared_table-srgmap.xslt
+index 4a50dea33..7179f560e 100644
+--- a/shared/transforms/shared_table-srgmap.xslt
++++ b/shared/transforms/shared_table-srgmap.xslt
+@@ -46,7 +46,7 @@
+ </xsl:choose>
+ </thead>
+ <xsl:for-each select=".//cdf:Rule">
+- <xsl:variable name="curr_cci" select="string(number(substring-after(cdf:ident,'CCI-')))"/>
++ <xsl:variable name="curr_cci" select="cdf:ident"/>
+ <xsl:choose>
+ <!-- output multiple rows if we're in flat mode and at least one ref exists -->
+ <xsl:when test="$flat and $items/cdf:reference[@href=$disa-cciuri and text()=$curr_cci]">
+@@ -77,10 +77,9 @@
+ <xsl:for-each select="$items">
+ <xsl:variable name="item" select="."/>
+ <xsl:for-each select="cdf:reference[@href=$disa-cciuri]">
+- <xsl:variable name="cci_formatted" select='format-number(self::node()[text()], "000000")' />
+- <xsl:variable name="cci_expanded" select="concat('CCI-', $cci_formatted)" />
+- <xsl:variable name="srg_cci" select="$rule/cdf:ident" />
+- <xsl:if test="$cci_expanded=$srg_cci" >
++ <xsl:variable name="ssg_cci" select='self::node()[text()]' />
++ <xsl:variable name="srg_cci" select="$rule/cdf:ident" />
++ <xsl:if test="$ssg_cci=$srg_cci" >
+ <table>
+ <tr>
+ <td> <xsl:value-of select="$item/cdf:title"/> </td>
+@@ -100,10 +99,9 @@
+ <xsl:for-each select="$items">
+ <xsl:variable name="item" select="."/>
+ <xsl:for-each select="cdf:reference[@href=$disa-cciuri]">
+- <xsl:variable name="cci_formatted" select='format-number(self::node()[text()], "000000")' />
+- <xsl:variable name="cci_expanded" select="concat('CCI-', $cci_formatted)" />
++ <xsl:variable name="ssg_cci" select='self::node()[text()]' />
+ <xsl:variable name="srg_cci" select="$rule/cdf:ident" />
+- <xsl:if test="$cci_expanded=$srg_cci" >
++ <xsl:if test="$ssg_cci=$srg_cci" >
+ <tr>
+ <td> <xsl:value-of select="$rule/cdf:version"/> </td>
+ <td> <xsl:value-of select="$rule/cdf:ident"/> </td>
diff --git a/SOURCES/scap-security-guide-0.1.37-fix-sshd_required-unset.patch b/SOURCES/scap-security-guide-0.1.37-fix-sshd_required-unset.patch
new file mode 100644
index 0000000..8aeb431
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.37-fix-sshd_required-unset.patch
@@ -0,0 +1,822 @@
+From 939d1cfd84b980e3a96dd1d82dfddcabf4b2a34a Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 8 Dec 2017 15:14:26 +0100
+Subject: [PATCH 1/6] Drop check of package in sshd_required definitions
+
+This is not the best place to check if openssh-server is installed.
+
+We can check for openssh-server package when sshd is required and not
+required.
+But when sshd_required is not set, we don't check if openssh-server is
+installed or not, because both are valid states.
+
+This gives the impression that when extending sshd_required_or_unset
+and sshd_not_required_or_unset there is no need to check for
+openssh-server package, which is not true.
+
+The only purpose of these definitions should be to check for state of
+sshd_required value.
+---
+ shared/checks/oval/sshd_not_required_or_unset.xml | 6 +-----
+ shared/checks/oval/sshd_required_or_unset.xml | 6 +-----
+ 2 files changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/shared/checks/oval/sshd_not_required_or_unset.xml b/shared/checks/oval/sshd_not_required_or_unset.xml
+index 76bf1b9b4..206b1b474 100644
+--- a/shared/checks/oval/sshd_not_required_or_unset.xml
++++ b/shared/checks/oval/sshd_not_required_or_unset.xml
+@@ -9,11 +9,7 @@
+ <description>If SSHD is not required, we check it is not installed. If SSH requirement is unset, we are good.</description>
+ </metadata>
+ <criteria comment="SSH not required or not set" operator="OR">
+- <criteria comment="SSH is not required and not installed" operator="AND">
+- <criterion test_ref="test_sshd_not_required" />
+- <extend_definition comment="rpm package openssh-server removed"
+- definition_ref="package_openssh-server_removed" />
+- </criteria>
++ <criterion test_ref="test_sshd_not_required" />
+ <extend_definition comment="SSH requirement is unset"
+ definition_ref="sshd_requirement_unset" />
+ </criteria>
+diff --git a/shared/checks/oval/sshd_required_or_unset.xml b/shared/checks/oval/sshd_required_or_unset.xml
+index 04d6a687b..4518b181f 100644
+--- a/shared/checks/oval/sshd_required_or_unset.xml
++++ b/shared/checks/oval/sshd_required_or_unset.xml
+@@ -9,11 +9,7 @@
+ <description>If SSHD is required, we check it is installed. If SSH requirement is unset, we are good.</description>
+ </metadata>
+ <criteria comment="SSH required or not set" operator="OR">
+- <criteria comment="SSH is required and installed" operator="AND">
+- <criterion test_ref="test_sshd_required" />
+- <extend_definition comment="rpm package openssh-server installed"
+- definition_ref="package_openssh-server_installed" />
+- </criteria>
++ <criterion test_ref="test_sshd_required" />
+ <extend_definition comment="SSH requirement is unset"
+ definition_ref="sshd_requirement_unset" />
+ </criteria>
+
+From 0b02493e535e9b529af9eb71bf97f5b02d04c89e Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 13 Dec 2017 18:09:47 +0100
+Subject: [PATCH 2/6] Also check state openssh-server package when
+ sshd_required is unset
+
+Explicitly check state of openssh-server package.
+When openssh-server is installed, system should be configured, when not
+installed, system is ok.
+When sshd_required is set, either to required or not required, they act
+as selector of openssh-server package state. If sshd_required is unset,
+the state of openssh-server package selects whether system should be
+configured or not.
+---
+ rhel7/checks/oval/sshd_disable_compression.xml | 14 ++++++++++----
+ rhel7/checks/oval/sshd_disable_gssapi_auth.xml | 14 ++++++++++----
+ rhel7/checks/oval/sshd_disable_kerb_auth.xml | 14 ++++++++++----
+ rhel7/checks/oval/sshd_enable_strictmodes.xml | 14 ++++++++++----
+ rhel7/checks/oval/sshd_use_approved_macs.xml | 14 ++++++++++----
+ rhel7/checks/oval/sshd_use_priv_separation.xml | 14 ++++++++++----
+ shared/checks/oval/disable_host_auth.xml | 15 +++++++++++----
+ shared/checks/oval/sshd_allow_only_protocol2.xml | 15 +++++++++++----
+ shared/checks/oval/sshd_disable_empty_passwords.xml | 14 ++++++++++----
+ shared/checks/oval/sshd_disable_rhosts.xml | 14 ++++++++++----
+ shared/checks/oval/sshd_disable_rhosts_rsa.xml | 14 ++++++++++----
+ shared/checks/oval/sshd_disable_root_login.xml | 14 ++++++++++----
+ shared/checks/oval/sshd_disable_user_known_hosts.xml | 15 +++++++++++----
+ shared/checks/oval/sshd_do_not_permit_user_env.xml | 14 ++++++++++----
+ shared/checks/oval/sshd_enable_warning_banner.xml | 14 ++++++++++----
+ shared/checks/oval/sshd_enable_x11_forwarding.xml | 14 ++++++++++----
+ shared/checks/oval/sshd_print_last_log.xml | 14 ++++++++++----
+ shared/checks/oval/sshd_set_idle_timeout.xml | 18 ++++++++++++------
+ shared/checks/oval/sshd_set_keepalive.xml | 14 ++++++++++----
+ shared/checks/oval/sshd_use_approved_ciphers.xml | 18 ++++++++++++------
+ shared/checks/oval/sshd_use_approved_macs.xml | 14 ++++++++++----
+ 21 files changed, 217 insertions(+), 88 deletions(-)
+
+diff --git a/rhel7/checks/oval/sshd_disable_compression.xml b/rhel7/checks/oval/sshd_disable_compression.xml
+index 8a4334f06..014741fe1 100644
+--- a/rhel7/checks/oval/sshd_disable_compression.xml
++++ b/rhel7/checks/oval/sshd_disable_compression.xml
+@@ -7,13 +7,19 @@
+ </affected>
+ <description>SSH should either have compression disabled or set to delayed.</description>
+ </metadata>
+- <criteria comment="SSH is not installed or conditions are met"
++ <criteria comment="SSH is configured correctly or is not installed"
+ operator="OR">
+- <extend_definition comment="sshd is not required and not installed, or requirement is unset"
+- definition_ref="sshd_not_required_or_unset" />
++ <criteria comment="sshd is not installed" operator="AND">
++ <extend_definition comment="sshd is not required or requirement is unset"
++ definition_ref="sshd_not_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server removed"
++ definition_ref="package_openssh-server_removed" />
++ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+- <extend_definition comment="sshd is required and installed, or requirement is unset"
++ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server installed"
++ definition_ref="package_openssh-server_installed" />
+ <criterion comment="Check Compression in /etc/ssh/sshd_config"
+ test_ref="test_sshd_disable_compression" />
+ </criteria>
+diff --git a/rhel7/checks/oval/sshd_disable_gssapi_auth.xml b/rhel7/checks/oval/sshd_disable_gssapi_auth.xml
+index ee184b8e8..5f32edc1e 100644
+--- a/rhel7/checks/oval/sshd_disable_gssapi_auth.xml
++++ b/rhel7/checks/oval/sshd_disable_gssapi_auth.xml
+@@ -8,13 +8,19 @@
+ <description>Unless needed, disable the GSSAPI authentication option for
+ the SSH Server.</description>
+ </metadata>
+- <criteria comment="SSH is not installed or conditions are met"
++ <criteria comment="SSH is configured correctly or is not installed"
+ operator="OR">
+- <extend_definition comment="sshd is not required and not installed, or requirement is unset"
+- definition_ref="sshd_not_required_or_unset" />
++ <criteria comment="sshd is not installed" operator="AND">
++ <extend_definition comment="sshd is not required or requirement is unset"
++ definition_ref="sshd_not_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server removed"
++ definition_ref="package_openssh-server_removed" />
++ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+- <extend_definition comment="sshd is required and installed, or requirement is unset"
++ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server installed"
++ definition_ref="package_openssh-server_installed" />
+ <criterion comment="Check GSSAPIAuthentication in /etc/ssh/sshd_config"
+ test_ref="test_sshd_disable_gssapi_auth" />
+ </criteria>
+diff --git a/rhel7/checks/oval/sshd_disable_kerb_auth.xml b/rhel7/checks/oval/sshd_disable_kerb_auth.xml
+index c63cef03e..6f0e0babe 100644
+--- a/rhel7/checks/oval/sshd_disable_kerb_auth.xml
++++ b/rhel7/checks/oval/sshd_disable_kerb_auth.xml
+@@ -8,13 +8,19 @@
+ <description>Unless needed, disable the Kerberos authentication option for
+ the SSH Server.</description>
+ </metadata>
+- <criteria comment="SSH is not installed or conditions are met"
++ <criteria comment="SSH is configured correctly or is not installed"
+ operator="OR">
+- <extend_definition comment="sshd is not required and not installed, or requirement is unset"
+- definition_ref="sshd_not_required_or_unset" />
++ <criteria comment="sshd is not installed" operator="AND">
++ <extend_definition comment="sshd is not required or requirement is unset"
++ definition_ref="sshd_not_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server removed"
++ definition_ref="package_openssh-server_removed" />
++ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+- <extend_definition comment="sshd is required and installed, or requirement is unset"
++ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server installed"
++ definition_ref="package_openssh-server_installed" />
+ <criterion comment="Check KerberosAuthentication in /etc/ssh/sshd_config"
+ test_ref="test_sshd_disable_kerb_auth" />
+ </criteria>
+diff --git a/rhel7/checks/oval/sshd_enable_strictmodes.xml b/rhel7/checks/oval/sshd_enable_strictmodes.xml
+index 1346191d5..7728f6ae6 100644
+--- a/rhel7/checks/oval/sshd_enable_strictmodes.xml
++++ b/rhel7/checks/oval/sshd_enable_strictmodes.xml
+@@ -8,13 +8,19 @@
+ <description>Enable StrictMode to check users home directory permissions
+ and configurations.</description>
+ </metadata>
+- <criteria comment="SSH is not installed or conditions are met"
++ <criteria comment="SSH is configured correctly or is not installed"
+ operator="OR">
+- <extend_definition comment="sshd is not required and not installed, or requirement is unset"
+- definition_ref="sshd_not_required_or_unset" />
++ <criteria comment="sshd is not installed" operator="AND">
++ <extend_definition comment="sshd is not required or requirement is unset"
++ definition_ref="sshd_not_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server removed"
++ definition_ref="package_openssh-server_removed" />
++ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+- <extend_definition comment="sshd is required and installed, or requirement is unset"
++ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server installed"
++ definition_ref="package_openssh-server_installed" />
+ <criterion comment="Check StrictModes in /etc/ssh/sshd_config"
+ test_ref="test_sshd_enable_strictmodes" />
+ </criteria>
+diff --git a/rhel7/checks/oval/sshd_use_approved_macs.xml b/rhel7/checks/oval/sshd_use_approved_macs.xml
+index bd05a5152..20b57041b 100644
+--- a/rhel7/checks/oval/sshd_use_approved_macs.xml
++++ b/rhel7/checks/oval/sshd_use_approved_macs.xml
+@@ -9,13 +9,19 @@
+ </metadata>
+ <criteria operator="AND">
+ <extend_definition comment="Installed OS is certified" definition_ref="installed_OS_is_certified" />
+- <criteria comment="SSH is not installed or conditions are met"
++ <criteria comment="SSH is configured correctly or is not installed"
+ operator="OR">
+- <extend_definition comment="sshd is not required and not installed, or requirement is unset"
+- definition_ref="sshd_not_required_or_unset" />
++ <criteria comment="sshd is not installed" operator="AND">
++ <extend_definition comment="sshd is not required or requirement is unset"
++ definition_ref="sshd_not_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server removed"
++ definition_ref="package_openssh-server_removed" />
++ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+- <extend_definition comment="sshd is required and installed, or requirement is unset"
++ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server installed"
++ definition_ref="package_openssh-server_installed" />
+ <criterion comment="Check MACs in /etc/ssh/sshd_config"
+ test_ref="test_sshd_use_approved_macs" />
+ </criteria>
+diff --git a/rhel7/checks/oval/sshd_use_priv_separation.xml b/rhel7/checks/oval/sshd_use_priv_separation.xml
+index c5ae32c27..2ec883fea 100644
+--- a/rhel7/checks/oval/sshd_use_priv_separation.xml
++++ b/rhel7/checks/oval/sshd_use_priv_separation.xml
+@@ -8,13 +8,19 @@
+ <description>Use priviledge separation to cause the SSH process to drop
+ root privileges when not needed.</description>
+ </metadata>
+- <criteria comment="SSH is not installed or conditions are met"
++ <criteria comment="SSH is configured correctly or is not installed"
+ operator="OR">
+- <extend_definition comment="sshd is not required and not installed, or requirement is unset"
+- definition_ref="sshd_not_required_or_unset" />
++ <criteria comment="sshd is not installed" operator="AND">
++ <extend_definition comment="sshd is not required or requirement is unset"
++ definition_ref="sshd_not_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server removed"
++ definition_ref="package_openssh-server_removed" />
++ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+- <extend_definition comment="sshd is required and installed, or requirement is unset"
++ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server installed"
++ definition_ref="package_openssh-server_installed" />
+ <criterion comment="Check UsePrivilegeSeparation in /etc/ssh/sshd_config"
+ test_ref="test_sshd_use_priv_separation" />
+ </criteria>
+diff --git a/shared/checks/oval/disable_host_auth.xml b/shared/checks/oval/disable_host_auth.xml
+index 3e4cc5aea..3a00964ab 100644
+--- a/shared/checks/oval/disable_host_auth.xml
++++ b/shared/checks/oval/disable_host_auth.xml
+@@ -7,12 +7,19 @@
+ </affected>
+ <description>SSH host-based authentication should be disabled.</description>
+ </metadata>
+- <criteria comment="SSH is not installed or conditions are met" operator="OR">
+- <extend_definition comment="sshd is not required and not installed, or requirement is unset"
+- definition_ref="sshd_not_required_or_unset" />
++ <criteria comment="SSH is configured correctly or is not installed"
++ operator="OR">
++ <criteria comment="sshd is not installed" operator="AND">
++ <extend_definition comment="sshd is not required or requirement is unset"
++ definition_ref="sshd_not_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server removed"
++ definition_ref="package_openssh-server_removed" />
++ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+- <extend_definition comment="sshd is required and installed, or requirement is unset"
++ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server installed"
++ definition_ref="package_openssh-server_installed" />
+ <criterion comment="Check HostbasedAuthentication in /etc/ssh/sshd_config"
+ test_ref="test_sshd_hostbasedauthentication" />
+ </criteria>
+diff --git a/shared/checks/oval/sshd_allow_only_protocol2.xml b/shared/checks/oval/sshd_allow_only_protocol2.xml
+index 0a7ace128..224010263 100644
+--- a/shared/checks/oval/sshd_allow_only_protocol2.xml
++++ b/shared/checks/oval/sshd_allow_only_protocol2.xml
+@@ -9,12 +9,19 @@
+ </affected>
+ <description>The OpenSSH daemon should be running protocol 2.</description>
+ </metadata>
+- <criteria comment="SSH is not installed or conditions are met" operator="OR">
+- <extend_definition comment="sshd is not required and not installed, or requirement is unset"
+- definition_ref="sshd_not_required_or_unset" />
++ <criteria comment="SSH is configured correctly or is not installed"
++ operator="OR">
++ <criteria comment="sshd is not installed" operator="AND">
++ <extend_definition comment="sshd is not required or requirement is unset"
++ definition_ref="sshd_not_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server removed"
++ definition_ref="package_openssh-server_removed" />
++ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+- <extend_definition comment="sshd is required and installed, or requirement is unset"
++ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server installed"
++ definition_ref="package_openssh-server_installed" />
+ <criteria comment="SSH version is equal or higher than 7.4 or it is configured with protocol 2" operator="OR">
+ <extend_definition comment="OpenSSH version 7.4 or higher supports only protocol 2" definition_ref="sshd_version_equal_or_higher_than_74" />
+ <criterion comment="Check Protocol in /etc/ssh/sshd_config"
+diff --git a/shared/checks/oval/sshd_disable_empty_passwords.xml b/shared/checks/oval/sshd_disable_empty_passwords.xml
+index e923d64fd..9570ee5c7 100644
+--- a/shared/checks/oval/sshd_disable_empty_passwords.xml
++++ b/shared/checks/oval/sshd_disable_empty_passwords.xml
+@@ -8,13 +8,19 @@
+ <description>Remote connections from accounts with empty passwords should
+ be disabled (and dependencies are met)</description>
+ </metadata>
+- <criteria comment="SSH is not installed or conditions are met"
++ <criteria comment="SSH is configured correctly or is not installed"
+ operator="OR">
+- <extend_definition comment="sshd is not required and not installed, or requirement is unset"
+- definition_ref="sshd_not_required_or_unset" />
++ <criteria comment="sshd is not installed" operator="AND">
++ <extend_definition comment="sshd is not required or requirement is unset"
++ definition_ref="sshd_not_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server removed"
++ definition_ref="package_openssh-server_removed" />
++ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+- <extend_definition comment="sshd is required and installed, or requirement is unset"
++ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server installed"
++ definition_ref="package_openssh-server_installed" />
+ <criterion comment="Check PermitEmptyPasswords in /etc/ssh/sshd_config"
+ negate="true" test_ref="test_sshd_permitemptypasswords_no" />
+ </criteria>
+diff --git a/shared/checks/oval/sshd_disable_rhosts.xml b/shared/checks/oval/sshd_disable_rhosts.xml
+index 86eb94a22..163ccfca5 100644
+--- a/shared/checks/oval/sshd_disable_rhosts.xml
++++ b/shared/checks/oval/sshd_disable_rhosts.xml
+@@ -8,13 +8,19 @@
+ <description>Emulation of the rsh command through the ssh server should
+ be disabled (and dependencies are met)</description>
+ </metadata>
+- <criteria comment="SSH is not installed or conditions are met"
++ <criteria comment="SSH is configured correctly or is not installed"
+ operator="OR">
+- <extend_definition comment="sshd is not required and not installed, or requirement is unset"
+- definition_ref="sshd_not_required_or_unset" />
++ <criteria comment="sshd is not installed" operator="AND">
++ <extend_definition comment="sshd is not required or requirement is unset"
++ definition_ref="sshd_not_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server removed"
++ definition_ref="package_openssh-server_removed" />
++ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+- <extend_definition comment="sshd is required and installed, or requirement is unset"
++ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server installed"
++ definition_ref="package_openssh-server_installed" />
+ <criterion comment="Check IgnoreRhosts in /etc/ssh/sshd_config"
+ test_ref="test_sshd_rsh_emulation_disabled" />
+ </criteria>
+diff --git a/shared/checks/oval/sshd_disable_rhosts_rsa.xml b/shared/checks/oval/sshd_disable_rhosts_rsa.xml
+index 2abf88c70..e949fb031 100644
+--- a/shared/checks/oval/sshd_disable_rhosts_rsa.xml
++++ b/shared/checks/oval/sshd_disable_rhosts_rsa.xml
+@@ -8,13 +8,19 @@
+ <description>SSH can allow authentication through the obsolete rsh command
+ through the use of the authenticating user's SSH keys. This should be disabled.</description>
+ </metadata>
+- <criteria comment="SSH is not installed or conditions are met"
++ <criteria comment="SSH is configured correctly or is not installed"
+ operator="OR">
+- <extend_definition comment="sshd is not required and not installed, or requirement is unset"
+- definition_ref="sshd_not_required_or_unset" />
++ <criteria comment="sshd is not installed" operator="AND">
++ <extend_definition comment="sshd is not required or requirement is unset"
++ definition_ref="sshd_not_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server removed"
++ definition_ref="package_openssh-server_removed" />
++ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+- <extend_definition comment="sshd is required and installed, or requirement is unset"
++ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server installed"
++ definition_ref="package_openssh-server_installed" />
+ <criteria comment="SSH version is equal or higher than 7.4 has deprecated RhostsRSAAuthentication" operator="OR">
+ <extend_definition comment="OpenSSH version 7.4 or higher has deprecated RhostsRSAAuthentication" definition_ref="sshd_version_equal_or_higher_than_74" />
+ <criterion comment="Check RhostsRSAAuthentication in /etc/ssh/sshd_config"
+diff --git a/shared/checks/oval/sshd_disable_root_login.xml b/shared/checks/oval/sshd_disable_root_login.xml
+index 7bfd54d4e..10e7afb18 100644
+--- a/shared/checks/oval/sshd_disable_root_login.xml
++++ b/shared/checks/oval/sshd_disable_root_login.xml
+@@ -8,13 +8,19 @@
+ <description>Root login via SSH should be disabled (and dependencies are
+ met)</description>
+ </metadata>
+- <criteria comment="SSH is not installed or conditions are met"
++ <criteria comment="SSH is configured correctly or is not installed"
+ operator="OR">
+- <extend_definition comment="sshd is not required and not installed, or requirement is unset"
+- definition_ref="sshd_not_required_or_unset" />
++ <criteria comment="sshd is not installed" operator="AND">
++ <extend_definition comment="sshd is not required or requirement is unset"
++ definition_ref="sshd_not_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server removed"
++ definition_ref="package_openssh-server_removed" />
++ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+- <extend_definition comment="sshd is required and installed, or requirement is unset"
++ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server installed"
++ definition_ref="package_openssh-server_installed" />
+ <criterion comment="Check PermitRootLogin in /etc/ssh/sshd_config"
+ negate="true" test_ref="test_sshd_permitrootlogin_no" />
+ </criteria>
+diff --git a/shared/checks/oval/sshd_disable_user_known_hosts.xml b/shared/checks/oval/sshd_disable_user_known_hosts.xml
+index cc01ec6ca..0e121d496 100644
+--- a/shared/checks/oval/sshd_disable_user_known_hosts.xml
++++ b/shared/checks/oval/sshd_disable_user_known_hosts.xml
+@@ -9,12 +9,19 @@
+ to connect to systems if a cache of the remote systems public keys are available.
+ This should be disabled.</description>
+ </metadata>
+- <criteria comment="SSH is not installed or conditions are met" operator="OR">
+- <extend_definition comment="sshd is not required and not installed, or requirement is unset"
+- definition_ref="sshd_not_required_or_unset" />
++ <criteria comment="SSH is configured correctly or is not installed"
++ operator="OR">
++ <criteria comment="sshd is not installed" operator="AND">
++ <extend_definition comment="sshd is not required or requirement is unset"
++ definition_ref="sshd_not_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server removed"
++ definition_ref="package_openssh-server_removed" />
++ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+- <extend_definition comment="sshd is required and installed, or requirement is unset"
++ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server installed"
++ definition_ref="package_openssh-server_installed" />
+ <criterion comment="Check IgnoreUserKnownHosts in /etc/ssh/sshd_config"
+ test_ref="test_sshd_disable_user_known_hosts" />
+ </criteria>
+diff --git a/shared/checks/oval/sshd_do_not_permit_user_env.xml b/shared/checks/oval/sshd_do_not_permit_user_env.xml
+index ad8ecdf68..afb799e20 100644
+--- a/shared/checks/oval/sshd_do_not_permit_user_env.xml
++++ b/shared/checks/oval/sshd_do_not_permit_user_env.xml
+@@ -7,13 +7,19 @@
+ </affected>
+ <description>PermitUserEnvironment should be disabled</description>
+ </metadata>
+- <criteria comment="SSH is not installed or conditions are met"
++ <criteria comment="SSH is configured correctly or is not installed"
+ operator="OR">
+- <extend_definition comment="sshd is not required and not installed, or requirement is unset"
+- definition_ref="sshd_not_required_or_unset" />
++ <criteria comment="sshd is not installed" operator="AND">
++ <extend_definition comment="sshd is not required or requirement is unset"
++ definition_ref="sshd_not_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server removed"
++ definition_ref="package_openssh-server_removed" />
++ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+- <extend_definition comment="sshd is required and installed, or requirement is unset"
++ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server installed"
++ definition_ref="package_openssh-server_installed" />
+ <criterion comment="Check PermitUserEnvironment in /etc/ssh/sshd_config"
+ negate="true" test_ref="test_sshd_no_user_envset" />
+ </criteria>
+diff --git a/shared/checks/oval/sshd_enable_warning_banner.xml b/shared/checks/oval/sshd_enable_warning_banner.xml
+index 933822eb6..cd14ec9e9 100644
+--- a/shared/checks/oval/sshd_enable_warning_banner.xml
++++ b/shared/checks/oval/sshd_enable_warning_banner.xml
+@@ -8,13 +8,19 @@
+ <description>SSH warning banner should be enabled (and dependencies are
+ met)</description>
+ </metadata>
+- <criteria comment="SSH is not installed or conditions are met"
++ <criteria comment="SSH is configured correctly or is not installed"
+ operator="OR">
+- <extend_definition comment="sshd is not required and not installed, or requirement is unset"
+- definition_ref="sshd_not_required_or_unset" />
++ <criteria comment="sshd is not installed" operator="AND">
++ <extend_definition comment="sshd is not required or requirement is unset"
++ definition_ref="sshd_not_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server removed"
++ definition_ref="package_openssh-server_removed" />
++ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+- <extend_definition comment="sshd is required and installed, or requirement is unset"
++ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server installed"
++ definition_ref="package_openssh-server_installed" />
+ <criterion comment="Check Banner in /etc/ssh/sshd_config"
+ test_ref="test_sshd_banner_set" />
+ </criteria>
+diff --git a/shared/checks/oval/sshd_enable_x11_forwarding.xml b/shared/checks/oval/sshd_enable_x11_forwarding.xml
+index 3aa45e51b..0a0e1bafd 100644
+--- a/shared/checks/oval/sshd_enable_x11_forwarding.xml
++++ b/shared/checks/oval/sshd_enable_x11_forwarding.xml
+@@ -7,13 +7,19 @@
+ </affected>
+ <description>Enable X11Forwarding to encrypt X11 remote connections over SSH.</description>
+ </metadata>
+- <criteria comment="SSH is not installed or conditions are met"
++ <criteria comment="SSH is configured correctly or is not installed"
+ operator="OR">
+- <extend_definition comment="sshd is not required and not installed, or requirement is unset"
+- definition_ref="sshd_not_required_or_unset" />
++ <criteria comment="sshd is not installed" operator="AND">
++ <extend_definition comment="sshd is not required or requirement is unset"
++ definition_ref="sshd_not_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server removed"
++ definition_ref="package_openssh-server_removed" />
++ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+- <extend_definition comment="sshd is required and installed, or requirement is unset"
++ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server installed"
++ definition_ref="package_openssh-server_installed" />
+ <criterion comment="Check X11Forwarding in /etc/ssh/sshd_config"
+ test_ref="test_sshd_enable_x11_forwarding" />
+ </criteria>
+diff --git a/shared/checks/oval/sshd_print_last_log.xml b/shared/checks/oval/sshd_print_last_log.xml
+index 29367969d..83bc0df79 100644
+--- a/shared/checks/oval/sshd_print_last_log.xml
++++ b/shared/checks/oval/sshd_print_last_log.xml
+@@ -8,13 +8,19 @@
+ <description>Enable PrintLastLog to display user's last login time
+ and date.</description>
+ </metadata>
+- <criteria comment="SSH is not installed or conditions are met"
++ <criteria comment="SSH is configured correctly or is not installed"
+ operator="OR">
+- <extend_definition comment="sshd is not required and not installed, or requirement is unset"
+- definition_ref="sshd_not_required_or_unset" />
++ <criteria comment="sshd is not installed" operator="AND">
++ <extend_definition comment="sshd is not required or requirement is unset"
++ definition_ref="sshd_not_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server removed"
++ definition_ref="package_openssh-server_removed" />
++ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+- <extend_definition comment="sshd is required and installed, or requirement is unset"
++ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server installed"
++ definition_ref="package_openssh-server_installed" />
+ <criterion comment="Check PrintLastLog in /etc/ssh/sshd_config"
+ test_ref="test_sshd_enable_printlastlog" />
+ </criteria>
+diff --git a/shared/checks/oval/sshd_set_idle_timeout.xml b/shared/checks/oval/sshd_set_idle_timeout.xml
+index a414790a0..180e87d83 100644
+--- a/shared/checks/oval/sshd_set_idle_timeout.xml
++++ b/shared/checks/oval/sshd_set_idle_timeout.xml
+@@ -8,14 +8,20 @@
+ <description>The SSH idle timeout interval should be set to an
+ appropriate value.</description>
+ </metadata>
+- <criteria comment="SSH is not installed or conditions are met"
++ <criteria comment="SSH is configured correctly or is not installed"
+ operator="OR">
+- <extend_definition comment="sshd is not required and not installed, or requirement is unset"
++ <criteria comment="sshd is not installed" operator="AND">
++ <extend_definition comment="sshd is not required or requirement is unset"
+ definition_ref="sshd_not_required_or_unset" />
+- <criteria comment="sshd is installed and configured" operator="AND">
+- <extend_definition comment="sshd is required and installed, or requirement is unset"
+- definition_ref="sshd_required_or_unset" />
+- <criterion comment="Check ClientAliveInterval in /etc/ssh/sshd_config"
++ <extend_definition comment="rpm package openssh-server removed"
++ definition_ref="package_openssh-server_removed" />
++ </criteria>
++ <criteria comment="sshd is installed and configured" operator="AND">
++ <extend_definition comment="sshd is required or requirement is unset"
++ definition_ref="sshd_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server installed"
++ definition_ref="package_openssh-server_installed" />
++ <criterion comment="Check ClientAliveInterval in /etc/ssh/sshd_config"
+ test_ref="test_sshd_idle_timeout" />
+ </criteria>
+ </criteria>
+diff --git a/shared/checks/oval/sshd_set_keepalive.xml b/shared/checks/oval/sshd_set_keepalive.xml
+index 5640638ae..8774e1d25 100644
+--- a/shared/checks/oval/sshd_set_keepalive.xml
++++ b/shared/checks/oval/sshd_set_keepalive.xml
+@@ -8,13 +8,19 @@
+ <description>The SSH ClientAliveCountMax should be set to an appropriate
+ value (and dependencies are met)</description>
+ </metadata>
+- <criteria comment="SSH is not installed or conditions are met"
++ <criteria comment="SSH is configured correctly or is not installed"
+ operator="OR">
+- <extend_definition comment="sshd is not required and not installed, or requirement is unset"
+- definition_ref="sshd_not_required_or_unset" />
++ <criteria comment="sshd is not installed" operator="AND">
++ <extend_definition comment="sshd is not required or requirement is unset"
++ definition_ref="sshd_not_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server removed"
++ definition_ref="package_openssh-server_removed" />
++ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+- <extend_definition comment="sshd is required and installed, or requirement is unset"
++ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server installed"
++ definition_ref="package_openssh-server_installed" />
+ <criterion comment="Check ClientAliveCountMax in /etc/ssh/sshd_config"
+ test_ref="test_sshd_clientalivecountmax" />
+ </criteria>
+diff --git a/shared/checks/oval/sshd_use_approved_ciphers.xml b/shared/checks/oval/sshd_use_approved_ciphers.xml
+index 84088aa5c..5a4e3a1f9 100644
+--- a/shared/checks/oval/sshd_use_approved_ciphers.xml
++++ b/shared/checks/oval/sshd_use_approved_ciphers.xml
+@@ -9,13 +9,19 @@
+ </metadata>
+ <criteria operator="AND">
+ <extend_definition comment="Installed OS is certified" definition_ref="installed_OS_is_certified" />
+- <criteria comment="SSH is not installed or conditions are met"
++ <criteria comment="SSH is configured correctly or is not installed"
+ operator="OR">
+- <extend_definition comment="sshd is not required and not installed, or requirement is unset"
+- definition_ref="sshd_not_required_or_unset" />
+- <criteria comment="sshd is installed and configured" operator="AND">
+- <extend_definition comment="sshd is required and installed, or requirement is unset"
+- definition_ref="sshd_required_or_unset" />
++ <criteria comment="sshd is not installed" operator="AND">
++ <extend_definition comment="sshd is not required or requirement is unset"
++ definition_ref="sshd_not_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server removed"
++ definition_ref="package_openssh-server_removed" />
++ </criteria>
++ <criteria comment="sshd is installed and configured" operator="AND">
++ <extend_definition comment="sshd is required or requirement is unset"
++ definition_ref="sshd_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server installed"
++ definition_ref="package_openssh-server_installed" />
+ <criterion comment="Check the Cipers list in /etc/ssh/sshd_config"
+ test_ref="test_sshd_use_approved_ciphers" />
+ </criteria>
+diff --git a/shared/checks/oval/sshd_use_approved_macs.xml b/shared/checks/oval/sshd_use_approved_macs.xml
+index d2f622af1..b403d0449 100644
+--- a/shared/checks/oval/sshd_use_approved_macs.xml
++++ b/shared/checks/oval/sshd_use_approved_macs.xml
+@@ -9,13 +9,19 @@
+ </metadata>
+ <criteria operator="AND">
+ <extend_definition comment="Installed OS is certified" definition_ref="installed_OS_is_certified" />
+- <criteria comment="SSH is not installed or conditions are met"
++ <criteria comment="SSH is configured correctly or is not installed"
+ operator="OR">
+- <extend_definition comment="sshd is not required and not installed, or requirement is unset"
+- definition_ref="sshd_not_required_or_unset" />
++ <criteria comment="sshd is not installed" operator="AND">
++ <extend_definition comment="sshd is not required or requirement is unset"
++ definition_ref="sshd_not_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server removed"
++ definition_ref="package_openssh-server_removed" />
++ </criteria>
+ <criteria comment="sshd is installed and configured" operator="AND">
+- <extend_definition comment="sshd is required and installed, or requirement is unset"
++ <extend_definition comment="sshd is required or requirement is unset"
+ definition_ref="sshd_required_or_unset" />
++ <extend_definition comment="rpm package openssh-server installed"
++ definition_ref="package_openssh-server_installed" />
+ <criterion comment="Check MACs in /etc/ssh/sshd_config"
+ test_ref="test_sshd_use_approved_macs" />
+ </criteria>
+
+From 441881052627a5b14be015d74d36d271f9268908 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 13 Dec 2017 18:22:29 +0100
+Subject: [PATCH 3/6] Remove backslashes from echo command
+
+Echo command output is literal, there is no need for backslashes
+---
+ .../rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh
+index 227611543..7172539c7 100644
+--- a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh
++++ b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh
+@@ -5,5 +5,5 @@
+ if grep -q "^Ciphers" /etc/ssh/sshd_config; then
+ sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes192-cbc,aes256-cbc,aes256-ctr,aes128-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se/" /etc/ssh/sshd_config
+ else
+- echo "Ciphers aes128-ctr,aes192-ctr,aes192-cbc,aes256-cbc,aes256-ctr,aes128-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config
++ echo "Ciphers aes128-ctr,aes192-ctr,aes192-cbc,aes256-cbc,aes256-ctr,aes128-cbc,3des-cbc,rijndael-cbc@lysator.liu.se" >> /etc/ssh/sshd_config
+ fi
+
+From 995a5e64eb841c73849571395cc985f94607c4cb Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 18 Dec 2017 11:12:13 +0100
+Subject: [PATCH 4/6] Fix test scenarios for sshd_use_priv_separation
+
+As of PR #2162 the Rule checks for "sandbox"
+---
+ .../rule_sshd_use_priv_separation/correct_value.pass.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_priv_separation/correct_value.pass.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_priv_separation/correct_value.pass.sh
+index d63caa85b..36e8c1bba 100644
+--- a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_priv_separation/correct_value.pass.sh
++++ b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_priv_separation/correct_value.pass.sh
+@@ -3,7 +3,7 @@
+ # profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
+
+ if grep -q "^UsePrivilegeSeparation" /etc/ssh/sshd_config; then
+- sed -i "s/^UsePrivilegeSeparation.*/UsePrivilegeSeparation yes/" /etc/ssh/sshd_config
++ sed -i "s/^UsePrivilegeSeparation.*/UsePrivilegeSeparation sandbox/" /etc/ssh/sshd_config
+ else
+- echo "UsePrivilegeSeparation yes" >> /etc/ssh/sshd_config
++ echo "UsePrivilegeSeparation sandbox" >> /etc/ssh/sshd_config
+ fi
+
+From 877f3620d7462e2af6727a9feff16d6a7f08a239 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 18 Dec 2017 11:40:07 +0100
+Subject: [PATCH 5/6] Fix test scenarios for sshd_disable_kerb_auth
+
+As of Pr #2463, the definition checks for ausence of
+"KerberosAuthentication yes", as default setting is not enabled.
+---
+ .../group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh | 9 ---------
+ .../group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh | 9 +++++++++
+ .../{line_not_there.fail.sh => line_not_there.pass.sh} | 0
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+ delete mode 100644 tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh
+ create mode 100644 tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh
+ rename tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/{line_not_there.fail.sh => line_not_there.pass.sh} (100%)
+
+diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh
+deleted file mode 100644
+index 3ae082173..000000000
+--- a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh
++++ /dev/null
+@@ -1,9 +0,0 @@
+-#!/bin/bash
+-#
+-# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
+-
+-if grep -q "^KerberosAuthentication" /etc/ssh/sshd_config; then
+- sed -i "s/^KerberosAuthentication.*/# KerberosAuthentication no/" /etc/ssh/sshd_config
+-else
+- echo "# KerberosAuthentication no" >> /etc/ssh/sshd_config
+-fi
+diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh
+new file mode 100644
+index 000000000..c7d58fbc6
+--- /dev/null
++++ b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh
+@@ -0,0 +1,9 @@
++#!/bin/bash
++#
++# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
++
++if grep -q "^KerberosAuthentication" /etc/ssh/sshd_config; then
++ sed -i "s/^KerberosAuthentication.*/# KerberosAuthentication yes/" /etc/ssh/sshd_config
++else
++ echo "# KerberosAuthentication yes" >> /etc/ssh/sshd_config
++fi
+diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/line_not_there.fail.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/line_not_there.pass.sh
+similarity index 100%
+rename from tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/line_not_there.fail.sh
+rename to tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/line_not_there.pass.sh
+
+From 4ebe165ede448c8998251257998cc94ea5cf3786 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 18 Dec 2017 11:52:39 +0100
+Subject: [PATCH 6/6] Fix test scenarios for sshd_enable_strictmodes
+
+As of Pr #2463, the definition checks fo ausence of "StrictModes no", as
+default value is enabled already.
+---
+ .../rule_sshd_enable_strictmodes/{comment.fail.sh => comment.pass.sh} | 4 ++--
+ .../{line_not_there.fail.sh => line_not_there.pass.sh} | 0
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+ rename tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/{comment.fail.sh => comment.pass.sh} (53%)
+ rename tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/{line_not_there.fail.sh => line_not_there.pass.sh} (100%)
+
+diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.fail.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.pass.sh
+similarity index 53%
+rename from tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.fail.sh
+rename to tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.pass.sh
+index 3d3b90875..bac02cb4f 100644
+--- a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.fail.sh
++++ b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.pass.sh
+@@ -3,7 +3,7 @@
+ # profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
+
+ if grep -q "^StrictModes" /etc/ssh/sshd_config; then
+- sed -i "s/^StrictModes.*/# StrictModes yes/" /etc/ssh/sshd_config
++ sed -i "s/^StrictModes.*/# StrictModes no/" /etc/ssh/sshd_config
+ else
+- echo "# StrictModes yes" >> /etc/ssh/sshd_config
++ echo "# StrictModes no" >> /etc/ssh/sshd_config
+ fi
+diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/line_not_there.fail.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/line_not_there.pass.sh
+similarity index 100%
+rename from tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/line_not_there.fail.sh
+rename to tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/line_not_there.pass.sh
diff --git a/SOURCES/scap-security-guide-0.1.37-fix-title.patch b/SOURCES/scap-security-guide-0.1.37-fix-title.patch
new file mode 100644
index 0000000..7d41a1b
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.37-fix-title.patch
@@ -0,0 +1,20 @@
+From a29a5b25a537298144d43a1deba5f8fe14fd1472 Mon Sep 17 00:00:00 2001
+From: Marek Haicman <mhaicman@redhat.com>
+Date: Sat, 9 Dec 2017 00:21:10 +0100
+Subject: [PATCH] Fix title of DISA STIG profile in RHEL6 DS.
+
+---
+ rhel6/profiles/stig-rhel6-disa.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rhel6/profiles/stig-rhel6-disa.xml b/rhel6/profiles/stig-rhel6-disa.xml
+index eec5e92e5..9694d6591 100644
+--- a/rhel6/profiles/stig-rhel6-disa.xml
++++ b/rhel6/profiles/stig-rhel6-disa.xml
+@@ -1,5 +1,5 @@
+ <Profile id="stig-rhel6-server-upstream" extends="common">
+-<title>DISA STIG for Red Hat Enterprise Linux 6</title>
++<title override="true">DISA STIG for Red Hat Enterprise Linux 6</title>
+ <description>
+ This profile contains configuration checks that align to the
+ DISA STIG for Red Hat Enterprise Linux 6.
diff --git a/SOURCES/scap-security-guide-0.1.37-fix-umask_for_daemons.patch b/SOURCES/scap-security-guide-0.1.37-fix-umask_for_daemons.patch
new file mode 100644
index 0000000..06a0fa1
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.37-fix-umask_for_daemons.patch
@@ -0,0 +1,39 @@
+From 810c6774166d8b591300322e269acd6a1d3554ef Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Tue, 5 Dec 2017 16:15:46 +0100
+Subject: [PATCH] RHBZ #1520493: Fix umask_for_daemons
+
+OpenSCAP evaluated this rule as "error" because it tried to evauluate
+the variable 'var_umask_for_daemons_umask_as_number', which was defined
+as external, but in fact is created in other definition. OpenSCAP
+could not find its value. The fix is very similar to PR #1945.
+---
+ shared/checks/oval/umask_for_daemons.xml | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/shared/checks/oval/umask_for_daemons.xml b/shared/checks/oval/umask_for_daemons.xml
+index 7f54e4957..a8ce76275 100644
+--- a/shared/checks/oval/umask_for_daemons.xml
++++ b/shared/checks/oval/umask_for_daemons.xml
+@@ -61,12 +61,6 @@
+ </arithmetic>
+ </local_variable>
+
+- <!-- The 'var_umask_for_daemons_umask_as_number' variable is created by evaluation of
+- the referenced 'var_umask_for_daemons_as_number' OVAL definition -->
+- <external_variable id="var_umask_for_daemons_umask_as_number"
+- comment="Required umask converted from string to octal number"
+- datatype="int" version="1"/>
+-
+ <ind:variable_test id="tst_umask_for_daemons" version="1" check="all"
+ comment="Test the retrieved /etc/init.d/functions umask value(s) match the var_umask_for_daemons requirement">
+ <ind:object object_ref="obj_umask_for_daemons" />
+@@ -77,6 +71,8 @@
+ <ind:var_ref>var_etc_init_d_functions_umask_as_number</ind:var_ref>
+ </ind:variable_object>
+
++ <!-- The 'var_umask_for_daemons_umask_as_number' variable is created by evaluation of
++ the referenced 'var_umask_for_daemons_as_number' OVAL definition -->
+ <ind:variable_state id="ste_umask_for_daemons" version="1">
+ <ind:value datatype="int" operation="bitwise and" var_ref="var_umask_for_daemons_umask_as_number" />
+ </ind:variable_state>
diff --git a/SOURCES/scap-security-guide-0.1.38-fix-reference-to-pam-config-manual.patch b/SOURCES/scap-security-guide-0.1.38-fix-reference-to-pam-config-manual.patch
new file mode 100644
index 0000000..9e484b4
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.38-fix-reference-to-pam-config-manual.patch
@@ -0,0 +1,22 @@
+From b0b3bf1153e72f178400ef91b722d7fcdab94277 Mon Sep 17 00:00:00 2001
+From: Marek Haicman <mhaicman@redhat.com>
+Date: Fri, 5 Jan 2018 22:54:11 +0100
+Subject: [PATCH] Fixing reference to outdated PAM configuration manual
+
+---
+ shared/xccdf/system/accounts/pam.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/shared/xccdf/system/accounts/pam.xml b/shared/xccdf/system/accounts/pam.xml
+index 5ba904da1..572a1216c 100644
+--- a/shared/xccdf/system/accounts/pam.xml
++++ b/shared/xccdf/system/accounts/pam.xml
+@@ -39,7 +39,7 @@ most users.</warning>
+ files, destroying any manually made changes and replacing them with
+ a series of system defaults. One reference to the configuration
+ file syntax can be found at
+-<weblink-macro link="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html"/>
++<weblink-macro link="http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html"/>
+ .</warning>
+
+ <Value id="var_password_pam_unix_remember" type="number"
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index f38890b..df508cc 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -1,4 +1,4 @@
-%global redhatssgversion 33
+%global redhatssgversion 36
# Somehow, _pkgdocdir is already defined and points to unversioned docs dir
# RHEL 7.X uses versioned docs dir, hence the definition below
@@ -6,7 +6,7 @@
Name: scap-security-guide
Version: 0.1.%{redhatssgversion}
-Release: 6%{?dist}
+Release: 7%{?dist}
Summary: Security guidance and baselines in SCAP formats
Group: System Environment/Base
@@ -14,13 +14,15 @@ License: Public Domain
URL: https://github.com/OpenSCAP/scap-security-guide
Source0: %{name}-%{version}.tar.bz2
Patch1: scap-security-guide-0.1.33-update-upstream-manual-page.patch
-Patch2: scap-security-guide-0.1.33-fix-guide-role-install-dir.patch
-Patch3: scap-security-guide-0.1.33-fix-ospp-rhel7-table.patch
-Patch4: scap-security-guide-0.1.33-fix-anaconda-remediation-template-add-remove-package.patch
-Patch5: scap-security-guide-0.1.33-fix-anaconda-remediation-template-partition-mountoptions.patch
-Patch6: scap-security-guide-0.1.33-fix-profile_nist-800-171-cui-malformed-title.patch
-Patch7: scap-security-guide-0.1.33-fix-anaconda-smart-card-remediation_1461330.patch
-Patch8: scap-security-guide-0.1.33-drop_set_firewalld_default_zone_remediation.patch
+Patch2: scap-security-guide-0.1.37-add-disa-stig-rule-id.patch
+Patch3: scap-security-guide-0.1.37-disable-check-libexec_ownership.patch
+Patch4: scap-security-guide-0.1.37-fix-title.patch
+Patch5: scap-security-guide-0.1.37-Deprecate-RhostsRSAAuthentication.patch
+Patch6: scap-security-guide-0.1.37-fix-umask_for_daemons.patch
+Patch7: scap-security-guide-0.1.37-fix-sshd_required-unset.patch
+Patch8: scap-security-guide-0.1.37-fix-missing-bash-remediation-include.patch
+Patch9: scap-security-guide-0.1.37-fix-srg-table-empty-column.path
+Patch10: scap-security-guide-0.1.38-fix-reference-to-pam-config-manual.patch
BuildArch: noarch
BuildRequires: libxslt, expat, python, openscap-scanner >= 1.2.5, python-lxml, cmake >= 2.8
@@ -50,43 +52,53 @@ been generated from XCCDF benchmarks present in %{name} package.
%setup -q -n %{name}-%{version}
# Update manual page to drop the part dedicated to Fedora content
%patch1 -p1 -b .man_page_update
-%patch2 -p1 -b .guide_role_dir_fix
-%patch3 -p1 -b .ospp_rhel7_table_fix
-# Patches 4 and 5 fixes rhbz#1450731
-%patch4 -p1 -b .anaconda_template_add_remove_package_fix
-%patch5 -p1 -b .anaconda_template_partition_mountoptions_fix
-# Fix for rhbz#1449211
-%patch6 -p1 -b .profile_nist_800_171_cui_malformed_title_fix
-%patch7 -p1 -b .anaconda-smart-card-auth
-# Fix for rhbz#1478414, patch adapted from https://github.com/OpenSCAP/scap-security-guide/pull/2328
-%patch8 -p1 -b .drop_set_firewalld_default_zone_remediation
+%patch2 -p1 -b .add_disa_stig_rule_id
+# patch2 introduces a script that build system needs to execute
+chmod u+x shared/utils/add_stig_references.py
+mkdir build
+# Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1523809
+# Taken from https://github.com/OpenSCAP/scap-security-guide/pull/2479
+%patch3 -p1 -b .libexec_ownership
+# Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1521081
+# Taken from https://github.com/OpenSCAP/scap-security-guide/pull/2481
+%patch4 -p1 -b .title
+# Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1523827
+# Taken from https://github.com/OpenSCAP/scap-security-guide/pull/2480
+%patch5 -p1 -b .RhostsRSAAuthentication
+# Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1520493
+# Taken from https://github.com/OpenSCAP/scap-security-guide/pull/2476
+%patch6 -p1 -b .umask_for_daemons
+%patch7 -p1 -b .sshd_required_unset
+%patch8 -p1 -b .bash_remediation_include
+%patch9 -p1 -b .srg_table_column_empty
+%patch10 -p1 -b .reference_pam_config
%build
+cd build
%cmake -D CMAKE_INSTALL_DOCDIR=%{_pkgdocdir} \
-DSSG_PRODUCT_CHROMIUM:BOOL=OFF \
-DSSG_PRODUCT_DEBIAN8:BOOL=OFF \
-DSSG_PRODUCT_FEDORA:BOOL=OFF \
--DSSG_PRODUCT_JBOSS_EAP5:BOOL=OFF \
+-DSSG_PRODUCT_JBOSS_EAP6:BOOL=OFF \
-DSSG_PRODUCT_JBOSS_FUSE6:BOOL=OFF \
+-DSSG_PRODUCT_OCP3:BOOL=OFF \
-DSSG_PRODUCT_OPENSUSE:BOOL=OFF \
-DSSG_PRODUCT_OSP7:BOOL=OFF \
--DSSG_PRODUCT_RHEL5:BOOL=OFF \
-DSSG_PRODUCT_RHEV3:BOOL=OFF \
-DSSG_PRODUCT_SUSE11:BOOL=OFF \
-DSSG_PRODUCT_SUSE12:BOOL=OFF \
--DSSG_PRODUCT_UBUNTU1404:BOOL=OFF \
--DSSG_PRODUCT_UBUNTU1604:BOOL=OFF \
+-DSSG_PRODUCT_UBUNTU14:BOOL=OFF \
+-DSSG_PRODUCT_UBUNTU16:BOOL=OFF \
-DSSG_PRODUCT_WRLINUX:BOOL=OFF \
-DSSG_PRODUCT_WEBMIN:BOOL=OFF \
--DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \
--DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF .
+-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
+-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF ../
make %{?_smp_mflags}
%install
+cd build
%make_install
-sed 's/Red Hat Enterprise Linux/CentOS Linux/g' -i ssg-centos*.xml
-
%files
%defattr(-,root,root,-)
%{_datadir}/xml/scap
@@ -95,17 +107,62 @@ sed 's/Red Hat Enterprise Linux/CentOS Linux/g' -i ssg-centos*.xml
%doc LICENSE
%doc Contributors.md
%doc README.md
-%doc RHEL/6/input/auxiliary/DISCLAIMER
+%doc DISCLAIMER
+# All files installed by cmake are automatically include in main package
+# We exclude the guides to here add them in doc package
+%exclude %{_pkgdocdir}/guides/
%files doc
%defattr(-,root,root,-)
-%doc roles/ssg-*-role*.yml
-%doc roles/ssg-*-role*.sh
-%doc guides/ssg-*-guide-*.html
+%doc build/guides/ssg-*-guide-*.html
%changelog
-* Thu Oct 19 2017 Johnny Hughes <johnny@centos.org> 0.1.33-6
-- Manual CentOS debranding
+* Mon Jan 08 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-7
+- Fix sshd_required unset (RHBZ#1522956)
+- Fix missing bash remediation functions include (RHBZ#1524738)
+- Fix empty columns in SRG HTML Table (RHBZ#1531105)
+- Fix reference to oudated PAM config manual (RHBZ#1447760)
+
+* Tue Dec 12 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-6
+- Rebuild with OpenSCAP 1.2.16
+
+* Mon Dec 11 2017 Matěj Týč <matyc@redhat.com> - 0.1.36-5
+- Patched not to check library ownership in libexec.
+- Patched to fix title of DISA STIG profile.
+- Patched to deprecate RhostsRSAAuthentication.
+- Patched to fix umask_for_daemons.
+
+* Thu Nov 16 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-4
+- Rebuild with OpenSCAP 1.2.16
+
+* Tue Nov 14 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-3
+- Add DISA STIG Rule IDs to XCCDF Rules with STIGID
+
+* Fri Nov 03 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-2
+- Fix configuration to not build new products introduced in upstream
+
+* Fri Nov 03 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-1
+- Update to upstream release 0.1.36
+- Introduction of SCAP Security Guide Test Suite
+- Better alignment of RHEL6 and RHEL7 with DISA STIG
+- Remove JBoss EAP5 content due to being End-of-Life
+- New STIG Profile for JBOSS EAP 6
+- Updates in C2S Profile for RHEL 7
+- Variables can be directly tailored in Ansible roles
+- Content presents less false positives in containers
+- Changes in directory layout
+
+* Wed Sep 20 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.35-2
+- Do not build content for JBOSS EAP6
+
+* Wed Sep 20 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.35-1
+- Update to upstream release 0.1.35
+- Remove Red Hat Enterprise Linux 5 content due to being End-of-Life March 31, 2017
+- Added several templates for OVAL checks
+- Many optimizations in build process
+- Different title for PCI-DSS Benchmark variants
+- Remediation roles moved to /usr/share/scap-security
+- Fix duplicated roles and guides (RHBZ#1465691)
* Tue Sep 19 2017 Watson Sato <wsato@redhat.com> 0.1.33-6
- Dropped remediation that makes system not accessible by SSH (RHBZ#1478414)