diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3b17f94
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/scap-security-guide-0.1.19.tar.gz
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
new file mode 100644
index 0000000..511f55a
--- /dev/null
+++ b/.scap-security-guide.metadata
@@ -0,0 +1 @@
+f7257eb00ab18acda843d41851a430268d6bba30 SOURCES/scap-security-guide-0.1.19.tar.gz
diff --git a/README.md b/README.md
deleted file mode 100644
index 98f42b4..0000000
--- a/README.md
+++ /dev/null
@@ -1,4 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/scap-security-guide-0.1.19-rhel7-drop-cpuspeed-rule-since-obsolete.patch b/SOURCES/scap-security-guide-0.1.19-rhel7-drop-cpuspeed-rule-since-obsolete.patch
new file mode 100644
index 0000000..fac759b
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.19-rhel7-drop-cpuspeed-rule-since-obsolete.patch
@@ -0,0 +1,26 @@
+--- scap-security-guide-0.1.19/RHEL/7/input/services/base.xml.orig	2014-09-29 07:29:50.979356661 -0400
++++ scap-security-guide-0.1.19/RHEL/7/input/services/base.xml	2014-09-29 07:30:23.749395788 -0400
+@@ -91,23 +91,6 @@ service is not necessary.
+ <ref nist="CM-7" />
+ </Rule>
+ 
+-<Rule id="service_cpuspeed_disabled">
+-<title>Disable CPU Speed (cpuspeed)</title>
+-<description>The <tt>cpuspeed</tt> service can adjust the clock speed of supported CPUs based upon
+-the current processing load thereby conserving power and reducing heat.
+-<service-disable-macro service="cpuspeed" />
+-</description>
+-<ocil><service-disable-check-macro service="cpuspeed" /></ocil>
+-<rationale>The <tt>cpuspeed</tt> service is only necessary if adjusting the CPU clock speed
+-provides benefit. Traditionally this has included laptops (to enhance battery life),
+-but may also apply to server or desktop environments where conserving power is
+-highly desirable or necessary.
+-</rationale>
+-<ident cce="RHEL7-CCE-TBD" />
+-<oval id="service_cpuspeed_disabled" />
+-<ref nist="CM-7" />
+-</Rule>
+-
+ <Rule id="service_irqbalance_enabled">
+ <title>Enable IRQ Balance (irqbalance)</title>
+ <description>The <tt>irqbalance</tt> service optimizes the balance between
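Review bot: The patch removes the `service_cpuspeed_disabled` Rule from `RHEL/7/input/services/base.xml` but touches nothing else that may refer to it. The removed rule carried `<oval id="service_cpuspeed_disabled" />`, and any matching check file or profile `<select idref="service_cpuspeed_disabled" ...>` lies outside this hunk, so please confirm none remains, since a leftover would be a dangling reference or an orphaned check in the built content. The restorecond patch that follows removes the bash fix along with its rule, but leaves the same question open for the OVAL definition and profile selections of `service_restorecond_enabled`. Neither patch file has a header, so I would add a short one saying why the rule is dropped downstream and whether the change was sent upstream.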
diff --git a/SOURCES/scap-security-guide-0.1.19-rhel7-drop-restorecond-since-in-optional.patch b/SOURCES/scap-security-guide-0.1.19-rhel7-drop-restorecond-since-in-optional.patch
new file mode 100644
index 0000000..8e4ee57
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.19-rhel7-drop-restorecond-since-in-optional.patch
@@ -0,0 +1,38 @@
+--- scap-security-guide-0.1.19/RHEL/7/input/system/selinux.xml.orig	2014-09-29 06:19:27.427097200 -0400
++++ scap-security-guide-0.1.19/RHEL/7/input/system/selinux.xml	2014-09-29 06:20:14.703998808 -0400
+@@ -117,23 +117,6 @@ targeted for exploitation, such as netwo
+ <tested by="DS" on="20121024"/>
+ </Rule>
+ 
+-<Rule id="service_restorecond_enabled">
+-<title>Enable the SELinux Context Restoration Service (restorecond)</title>
+-<description>The <tt>restorecond</tt> service utilizes <tt>inotify</tt> to look
+-for the creation of new files listed in the
+-<tt>/etc/selinux/restorecond.conf</tt> configuration file. When a file is
+-created, <tt>restorecond</tt> ensures the file receives the proper SELinux
+-security context.
+-<service-enable-macro service="restorecond" />
+-</description>
+-<rationale>The <tt>restorecond</tt> service helps ensure that the default SELinux
+-file context is applied to files. This allows automatic correction
+-of file contexts created by some programs.</rationale>
+-<ident cce="RHEL7-CCE-TBD" />
+-<oval id="service_restorecond_enabled" />
+-<ref nist="AC-3,AC-3(3),AC-4,AC-6,AU-9" />
+-</Rule>
+-
+ <Rule id="package_setroubleshoot_removed">
+ <title>Uninstall setroubleshoot Package</title>
+ <description>The SETroubleshoot service notifies desktop users of SELinux
+--- scap-security-guide-0.1.19/RHEL/7/input/fixes/bash/service_restorecond_enabled.sh	2014-09-28 07:55:58.000000000 -0400
++++ /dev/null	2014-09-29 05:45:02.862000000 -0400
+@@ -1,9 +0,0 @@
+-#
+-# Enable restorecond.service for all systemd targets
+-#
+-systemctl enable restorecond.service
+-
+-#
+-# Start restorecond.service if not currently running
+-#
+-systemctl start restorecond.service
diff --git a/SOURCES/scap-security-guide-0.1.19-rhel7-include-only-rht-ccp-profile.patch b/SOURCES/scap-security-guide-0.1.19-rhel7-include-only-rht-ccp-profile.patch
new file mode 100644
index 0000000..b34822c
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.19-rhel7-include-only-rht-ccp-profile.patch
@@ -0,0 +1,14 @@
+--- scap-security-guide-0.1.19/RHEL/7/input/guide.xslt.orig	2014-09-29 07:55:24.154151816 -0400
++++ scap-security-guide-0.1.19/RHEL/7/input/guide.xslt	2014-09-29 07:56:48.376190494 -0400
+@@ -8,10 +8,7 @@
+       <xsl:copy-of select="@*|node()" />
+ 
+        <!-- adding profiles here -->
+-		<xsl:apply-templates select="document('profiles/test.xml')" />
+-		<xsl:apply-templates select="document('profiles/rht-ccp.xml')" />
+-		<xsl:apply-templates select="document('profiles/common.xml')" />
+-		<xsl:apply-templates select="document('profiles/stig-rhel7-server-upstream.xml')" />
++                <xsl:apply-templates select="document('profiles/rht-ccp.xml')" />
+ 
+        <Value id="conditional_clause" type="string" operator="equals">
+                  <title>A conditional clause for check statements.</title>
diff --git a/SOURCES/scap-security-guide-0.1.19-rhel7-update-pam-XCCDF-to-use-pam_pwquality.patch b/SOURCES/scap-security-guide-0.1.19-rhel7-update-pam-XCCDF-to-use-pam_pwquality.patch
new file mode 100644
index 0000000..7cc9038
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.19-rhel7-update-pam-XCCDF-to-use-pam_pwquality.patch
@@ -0,0 +1,89 @@
+--- scap-security-guide-0.1.19/RHEL/7/input/system/accounts/pam.xml.orig	2014-09-29 08:53:24.078751294 -0400
++++ scap-security-guide-0.1.19/RHEL/7/input/system/accounts/pam.xml	2014-09-29 08:59:28.963638607 -0400
+@@ -81,33 +81,28 @@ and gives them an opportunity to notify
+ 
+ <Group id="password_quality">
+ <title>Set Password Quality Requirements</title>
+-<description>The default <tt>pam_cracklib</tt> PAM module provides strength
++<description>The default <tt>pam_pwquality</tt> PAM module provides strength
+ checking for passwords. It performs a number of checks, such as
+ making sure passwords are not similar to dictionary words, are of
+ at least a certain length, are not the previous password reversed,
+ and are not simply a change of case from the previous password. It
+ can also require passwords to be in certain character classes.
+ <br /><br />
+-The <tt>pam_passwdqc</tt> PAM module also provides the ability to enforce
+-stringent password strength requirements. It is provided
+-in an RPM of the same name.
+-<br /><br />
+-The man pages <tt>pam_cracklib(8)</tt> and <tt>pam_passwdqc(8)</tt>
+-provide information on the capabilities and configuration of
+-each.</description>
++The man page <tt>pam_pwquality(8)</tt> provide further information
++on the capabilities and configuration.</description>
+ 
+ <Group id="password_quality_pamcracklib">
+ <title>Set Password Quality Requirements, if using
+-pam_cracklib</title>
+-<description>The <tt>pam_cracklib</tt> PAM module can be configured to meet
++ pam_pwquality</title>
++<description>The <tt>pam_pwquality</tt> PAM module can be configured to meet
+ requirements for a variety of policies.
+ <br /><br />
+-For example, to configure <tt>pam_cracklib</tt> to require at least one uppercase
++For example, to configure <tt>pam_pwquality</tt> to require at least one uppercase
+ character, lowercase character, digit, and other (special)
+ character, locate the following line in <tt>/etc/pam.d/system-auth</tt>:
+-<pre>password requisite pam_cracklib.so try_first_pass retry=3</pre>
++<pre>password requisite pam_pwquality.so try_first_pass retry=3</pre>
+ and then alter it to read:
+-<pre>password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4</pre>
++<pre>password required pam_pwquality.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4</pre>
+ If no such line exists, add one as the first line of the password section in <tt>/etc/pam.d/system-auth</tt>.
+ The arguments can be modified to ensure compliance with
+ your organization's security policy. Discussion of each parameter follows.
+@@ -268,14 +263,14 @@ is different from account lockout, which
+ 
+ <Rule id="accounts_password_pam_cracklib_maxrepeat">
+ <title>Set Password to Maximum of Three Consecutive Repeating Characters</title>
+-<description>The pam_cracklib module's <tt>maxrepeat</tt> parameter controls requirements for
++<description>The pam_pwquality module's <tt>maxrepeat</tt> parameter controls requirements for
+ consecutive repeating characters. When set to a positive number, it will reject passwords
+ which contain more than that number of consecutive characters. Add <tt>maxrepeat=3</tt>
+-after pam_cracklib.so to prevent a run of four or more identical characters.
++after pam_pwquality.so to prevent a run of four or more identical characters.
+ </description>
+ <ocil clause="maxrepeat is not found or not set to the required value">
+ To check the maximum value for consecutive repeating characters, run the following command:
+-<pre>$ grep pam_cracklib /etc/pam.d/system-auth</pre>
++<pre>$ grep pam_pwquality /etc/pam.d/system-auth</pre>
+ Look for the value of the <tt>maxrepeat</tt> parameter. The DoD requirement is 3.
+ </ocil>
+ <rationale>
+@@ -413,7 +408,7 @@ Note that passwords which are changed on
+ 
+ <Rule id="accounts_password_pam_cracklib_minclass">
+ <title>Set Password Strength Minimum Different Categories</title>
+-<description>The pam_cracklib module's <tt>minclass</tt> parameter controls requirements for
++<description>The pam_pwquality module's <tt>minclass</tt> parameter controls requirements for
+ usage of different character classes, or types, of character that must exist in a password
+ before it is considered valid. For example, setting this value to three (3) requires that
+ any password must have characters from at least three different categories in order to be
+@@ -425,7 +420,7 @@ four categories available:
+ * Digits
+ * Special characters (for example, punctuation)
+ </pre>
+-Add <tt>minclass=<i>NUM</i></tt> after pam_cracklib.so entry into the
++Add <tt>minclass=<i>NUM</i></tt> after pam_pwquality.so entry into the
+ <tt>/etc/pam.d/system-auth</tt> file in order to require differing categories of
+ characters when changing passwords, substituting <i>NUM</i> appropriately (for example to
+ require at least three character classes to be used in password, use <tt>minclass=3</tt>).
+@@ -433,7 +428,7 @@ require at least three character classes
+ <ocil clause="minclass is not found or not set to the required value">
+ To check how many categories of characters must be used in password during a password change,
+ run the following command:
+-<pre>$ grep pam_cracklib /etc/pam.d/system-auth</pre>
++<pre>$ grep pam_pwquality /etc/pam.d/system-auth</pre>
+ The <tt>minclass</tt> parameter will indicate how many character classes must be used. If
+ the requirement was for the password to contain characters from three different categories,
+ then this would appear as <tt>minclass=3</tt>.
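Review bot: The `<ocil>` procedures for `accounts_password_pam_cracklib_maxrepeat` and `accounts_password_pam_cracklib_minclass` now tell the auditor to run `grep pam_pwquality /etc/pam.d/system-auth`, but pam_pwquality can also take these options from `/etc/security/pwquality.conf`. A host that sets `maxrepeat` or `minclass` there would look non-compliant to someone following the text, so I would add to both checks a sentence such as `If the option is not present on the PAM line, also check /etc/security/pwquality.conf.` The group and rule ids still say `cracklib` (for example `password_quality_pamcracklib`). If that is deliberate to keep ids stable, the OVAL definitions those rules reference are not visible in this patch and should be confirmed to match `pam_pwquality.so` rather than `pam_cracklib.so`. Minor wording: `The man page <tt>pam_pwquality(8)</tt> provide` should read `provides`.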
diff --git a/SOURCES/scap-security-guide-0.1.19-update-man-page-for-rhel7-content.patch b/SOURCES/scap-security-guide-0.1.19-update-man-page-for-rhel7-content.patch
new file mode 100644
index 0000000..5395704
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.19-update-man-page-for-rhel7-content.patch
@@ -0,0 +1,109 @@
+--- scap-security-guide-0.1.19/RHEL/6/input/auxiliary/scap-security-guide.8.orig	2014-10-21 09:26:33.048661043 -0400
++++ scap-security-guide-0.1.19/RHEL/6/input/auxiliary/scap-security-guide.8	2014-10-21 09:29:18.031611398 -0400
+@@ -1,4 +1,4 @@
+-.TH scap-security-guide 8 "26 Jan 2013" "version 1"
++.TH scap-security-guide 8 "29 Sep 2014" "version 1"
+ 
+ .SH NAME
+ SCAP Security Guide - Delivers security guidance, baselines, and 
+@@ -23,59 +23,24 @@ https://fedorahosted.org/scap-security-g
+ 
+ 
+ .SH PROFILES
+-The SSG content is broken into 'profiles,' groupings of security settings that correlate to a known policy. Available profiles are:
++The SSG content is broken into 'profiles,' groupings of security settings that
++correlate to a known policy. Available profiles are:
+ 
+-.I stig-rhel6-server-upstream
++.I rht-cpp
+ .RS
+-The Security Technical Implementation Guides (STIGs) and the NSA Guides are the
+-configuration standards for DOD IA and IA-enabled devices/systems. Since 1998,
+-DISA Field Security Operations (FSO) has played a critical role enhancing the
+-security posture of DoD's security systems by providing the Security Technical
+-Implementation Guides (STIGs). This profile was created as a collaboration
+-effort between the National Security Agency, DISA FSO, and Red Hat.
+-
+-As a result of the upstream/downstream relationship between the SCAP Security
+-Guide project and the official DISA FSO STIG baseline, users should expect
+-variance between SSG and DISA FSO content. For additional information relating
+-to STIGs, please refer to the DISA FSO webpage at http://iase.disa.mil/stigs/
+-
+-While this profile is packaged by Red Hat as part of the SCAP Security Guide
+-package, please note that commercial support of this SCAP content is NOT
+-available. This profile is provided as example SCAP content with no
+-endorsement for suitability or production readiness. Support for this profile
+-is provided by the upstream SCAP Security Guide community on a best-effort
+-basis. The upstream project homepage is https://fedorahosted.org/scap-security-guide/.
+-
+-.RE
+-.I usgcb-rhel6-server
+-.RS
+-The purpose of the United States Government Configuration Baseline (USGCB)
+-initiative is to create security configuration baselines for Information
+-Technology products widely deployed across the federal agencies. The USGCB
+-baseline evolved from the Federal Desktop Core Configuration mandate. The
+-USGCB is a Federal government-wide initiative that provides guidance to
+-agencies on what should be done to improve and maintain an effective
+-configuration settings focusing primarily on security.
+-
+-.B "NOTE: "
+-While the current content maps to USGCB requirements, it has NOT
+-been validated by NIST as of yet. This content should be considered
+-draft, we are highly interested in feedback.
+-
+-For additional information relating to USGCB, please refer to the NIST
+-webpage at http://usgcb.nist.gov/usgcb_content.html.
++Red Hat Corporate Profile for Certified Cloud Providers (RH CCP). This is a
++*draft* SCAP profile for Red Hat Certified Cloud Providers.
+ .RE
+ 
+-
+ .SH EXAMPLES
+ To scan your system utilizing the OpenSCAP utility against the
+-stig-rhel6-server-upstream profile:
++rht-ccp profile:
+ 
+-oscap  xccdf eval --profile stig-rhel6-server-upstream \ 
++oscap  xccdf eval --profile rht-ccp \ 
+ --results /tmp/`hostname`-ssg-results.xml \
+ --report /tmp/`hostname`-ssg-results.html \
+---cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \
+-/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
++--cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml \
++/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
+ .PP
+ Additional details can be found on the projects wiki page:
+ https://fedorahosted.org/scap-security-guide/wiki/usageguide
+@@ -99,15 +64,10 @@ ssg-{profile}-oval.xml
+ ssg-{profile}-xccdf.xml
+ .RE
+ 
+-.I /usr/share/xml/scap/ssg/guides/
+-.RS
+-HTML versions of SSG profiles.
+-.RE
+-
+-.I /usr/share/xml/scap/ssg/policytables/
++.I /usr/share/doc/scap-security-guide-0.1.19
+ .RS
+-HTML tables reflecting which institutionalized policy a particular SSG rule
+-conforms to.
++Contains HTML versions of the SSG profiles and also HTML tables reflecting which
++institutionalized policy a particular SSG rule conforms to.
+ .RE
+ 
+ .SH STATEMENT OF SUPPORT
+@@ -116,9 +76,9 @@ and the NSA, provides XCCDF and OVAL con
+ source project, community participation extends into U.S. Department of Defense 
+ agencies, civilian agencies, academia, and other industrial partners.
+ 
+-SCAP Security Guide is provided to consumers through Red Hat's Extended
+-Packages for Enterprise Linux (EPEL) repository. As such, SCAP Security Guide
+-content is considered "vendor provided."
++SCAP Security Guide is provided to consumers through Red Hat's system and content
++management services (Red Hat Network Classic or Red Hat Subscription Management).
++As such, SCAP Security Guide content is considered "vendor provided."
+ 
+ Note that while Red Hat hosts the infrastructure for this project and
+ Red Hat engineers are involved as maintainers and leaders, there is no
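Review bot: The PROFILES section names the profile as `.I rht-cpp`, while the EXAMPLES section of the same page and the guide.xslt patch (`profiles/rht-ccp.xml`) spell it `rht-ccp`. A reader copying the name from PROFILES into `oscap xccdf eval --profile` would ask for a profile this content does not appear to define, so the line should read `.I rht-ccp`. Separately, the example kept as context writes `--results` and `--report` to predictable names under `/tmp`. Scan results list a host's failed hardening checks, so the example would be safer pointing at a directory readable only by the invoking user.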
diff --git a/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-PR#280-set-deny-prerequisite-#1.patch b/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-PR#280-set-deny-prerequisite-#1.patch
new file mode 100644
index 0000000..65b59a6
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-PR#280-set-deny-prerequisite-#1.patch
@@ -0,0 +1,472 @@
+diff --git a/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml b/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml
+index a00fc16..dc1b249 100644
+--- a/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml
++++ b/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml
+@@ -99,7 +99,7 @@ upstream project homepage is https://fedorahosted.org/scap-security-guide/.
+ <refine-value idref="var_accounts_passwords_pam_faillock_fail_interval" selector="900"/>
+ 
+ <!-- from inherited Rule, accounts_password_pam_unix_remember -->
+-<refine-value idref="var_password_pam_unix_remember" selector="24"/>
++<refine-value idref="var_password_pam_unix_remember" selector="5"/>
+ 
+ <refine-value idref="var_accounts_maximum_age_login_defs" selector="60"/>
+ <refine-value idref="var_accounts_minimum_age_login_defs" selector="1"/>
+diff --git a/RHEL/6/input/system/accounts/pam.xml b/RHEL/6/input/system/accounts/pam.xml
+index adf0aaf..b2da2a4 100644
+--- a/RHEL/6/input/system/accounts/pam.xml
++++ b/RHEL/6/input/system/accounts/pam.xml
+@@ -48,7 +48,7 @@ operator="equals" interactive="0">
+ <tt>/etc/security/opasswd</tt> in order to force password change history and
+ keep the user from alternating between the same password too
+ frequently.</description>
+-<value selector="">24</value>
++<value selector="">5</value>
+ <value selector="0">0</value>
+ <value selector="5">5</value>
+ <value selector="10">10</value>
+@@ -342,7 +342,7 @@ more difficult by ensuring a larger search space.
+ usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to
+ contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional
+ length credit for each special character.
+-Add <tt>ocredit=-1</tt> after pam_cracklib.so to require use of a special character in passwords.
++Add <tt>ocredit=<sub idref="var_password_pam_ocredit" /></tt> after pam_cracklib.so to require use of a special character in passwords.
+ </description>
+ <ocil clause="ocredit is not found or not set to the required value">
+ To check how many special characters are required in a password, run the following command:
+@@ -357,7 +357,7 @@ more difficult by ensuring a larger search space.
+ </rationale>
+ <ident cce="26409-3" />
+ <oval id="accounts_password_pam_ocredit" value="var_password_pam_ocredit"/>
+-<ref nist="IA-5(b),IA-5(c),IA-5(1)(a)" disa="1619" />
++<ref nist="IA-5(b),IA-5(c),IA-5(1)(a)" disa="1619" srg="266" />
+ <tested by="DS" on="20121024"/>
+ </Rule>
+ 
+@@ -551,7 +551,7 @@ be accomplished by using the <tt>remember</tt> option for the <tt>pam_unix</tt>
+ module.  In the file <tt>/etc/pam.d/system-auth</tt>, append <tt>remember=<sub idref="var_password_pam_unix_remember" /></tt> to the
+ line which refers to the <tt>pam_unix.so</tt> module, as shown:
+ <pre>password sufficient pam_unix.so <i>existing_options</i> remember=<sub idref="var_password_pam_unix_remember" /></pre>
+-The DoD and FISMA requirement is 24 passwords.</description>
++The DoD STIG requirement is 5 passwords.</description>
+ <ocil clause="it does not">
+ To verify the password reuse setting is compliant, run the following command:
+ <pre>$ grep remember /etc/pam.d/system-auth</pre>
+diff --git a/RHEL/6/input/system/accounts/restrictions/password_expiration.xml b/RHEL/6/input/system/accounts/restrictions/password_expiration.xml
+index e4af5aa..a8e90c2 100644
+--- a/RHEL/6/input/system/accounts/restrictions/password_expiration.xml
++++ b/RHEL/6/input/system/accounts/restrictions/password_expiration.xml
+@@ -159,7 +159,7 @@ increases the risk of users writing down the password in a convenient
+ location subject to physical compromise.</rationale>
+ <ident cce="26985-2" />
+ <oval id="accounts_maximum_age_login_defs" value="var_accounts_maximum_age_login_defs"/>
+-<ref nist="IA-5(f),IA-5(g),IA-5(1)(d)" disa="180,199" />
++<ref nist="IA-5(f),IA-5(g),IA-5(1)(d)" disa="180,199" srg="76" />
+ <tested by="DS" on="20121026"/>
+ </Rule>
+ 
+diff --git a/RHEL/7/input/checks/accounts_password_pam_minlen.xml b/RHEL/7/input/checks/accounts_password_pam_minlen.xml
+new file mode 100644
+index 0000000..77f89af
+--- /dev/null
++++ b/RHEL/7/input/checks/accounts_password_pam_minlen.xml
+@@ -0,0 +1,40 @@
++<def-group>
++  <definition class="compliance" id="accounts_password_pam_minlen" version="1">
++    <metadata>
++      <title>Set Password minlen Requirements</title>
++      <affected family="unix">
++        <platform>Red Hat Enterprise Linux 7</platform>
++      </affected>
++      <description>The password minlen should meet minimum requirements</description>
++      <reference source="swells" ref_id="20140926" ref_url="test_attestation" />
++    </metadata>
++    <criteria operator="AND" comment="system is RHEL7 with pam_pwquality configured">
++      <extend_definition comment="RHEL7 installed" definition_ref="installed_OS_is_rhel7" />
++      <criterion comment="rhel7 pam_pwquality" test_ref="test_password_pam_pwquality_minlen" />
++    </criteria>
++  </definition>
++
++  <!-- RHEL 7 check -->
++  <ind:textfilecontent54_test check="all"
++  comment="check the configuration of /etc/pam.d/system-auth pwquality"
++  id="test_password_pam_pwquality_minlen" version="1">
++    <ind:object object_ref="obj_password_pam_pwquality_minlen" />
++    <ind:state state_ref="state_password_pam_minlen" />
++  </ind:textfilecontent54_test>
++
++  <ind:textfilecontent54_object id="obj_password_pam_pwquality_minlen"
++  version="1">
++    <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
++    <ind:pattern operation="pattern match">^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*minlen=(-?\d+)(?:[\s]|$)</ind:pattern>
++    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
++  </ind:textfilecontent54_object>
++
++  <!-- OVAL variables -->
++  <ind:textfilecontent54_state id="state_password_pam_minlen" version="1">
++    <ind:instance datatype="int">1</ind:instance>
++    <ind:subexpression datatype="int" operation="greater than or equal" var_ref="var_password_pam_minlen" />
++  </ind:textfilecontent54_state>
++
++  <external_variable comment="External variable for pam_cracklib minlen" datatype="int" id="var_password_pam_minlen" version="1" />
++
++</def-group>
+diff --git a/RHEL/7/input/fixes/bash/accounts_password_pam_minlen.sh b/RHEL/7/input/fixes/bash/accounts_password_pam_minlen.sh
+new file mode 100644
+index 0000000..5bc5b0f
+--- /dev/null
++++ b/RHEL/7/input/fixes/bash/accounts_password_pam_minlen.sh
+@@ -0,0 +1,8 @@
++source ./templates/support.sh
++populate var_password_pam_minlen
++
++if grep -q "minlen=" /etc/pam.d/system-auth; then   
++	sed -i --follow-symlink "s/\(minlen *= *\).*/\1$var_password_pam_minlen/" /etc/pam.d/system-auth
++else
++	sed -i --follow-symlink "/pam_pwquality.so/ s/$/ minlen=$var_password_pam_minlen/" /etc/pam.d/system-auth
++fi
+diff --git a/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml b/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml
+index ef079b4..19a06b3 100644
+--- a/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml
++++ b/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml
+@@ -2,6 +2,36 @@
+ <title>Pre-release Draft STIG for RHEL 7 Server</title>
+ <description>This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.</description>
+ 
++<!-- STIG refinement values. Note these are set by DISA FSO,
++     and should not be manipulated -->
++<refine-value idref="var_password_pam_unix_remember" selector="5" />
++<refine-value idref="var_accounts_maximum_age_login_defs" selector="60" />
++<refine-value idref="var_password_pam_ocredit" selector="1" />
++<refine-value idref="var_password_pam_ucredit" selector="1" />
++<refine-value idref="var_password_pam_lcredit" selector="1" />
++<refine-value idref="var_password_pam_dcredit" selector="1" />
++<refine-value idref="var_password_pam_minlen" selector="15" />
++<refine-value idref="var_password_pam_difok" selector="15" />
++<refine-value idref="var_accounts_minimum_age_login_defs" selector="1" />
++<refine-value idref="var_accounts_passwords_pam_faillock_fail_interval" selector="900" />
++<refine-value idref="var_accounts_passwords_pam_faillock_deny" selector="3" />
++
++<!-- BEGIN STIG RULE SELECTION -->
++
++<!-- Disk Partitioning -->
+ <select idref="encrypt_partitions" selected="true"/>
+ 
++<!-- Password Requirements -->
++<select idref="accounts_maximum_age_login_defs" selected="true" />
++<select idref="accounts_password_pam_unix_remember" selected="true" />
++<select idref="accounts_password_pam_ocredit" selected="true" />
++<select idref="accounts_password_pam_ucredit" selected="true" />
++<select idref="accounts_password_pam_lcredit" selected="true" />
++<select idref="accounts_password_pam_dcredit" selected="true" />
++<select idref="accounts_password_pam_minlen" selected="true" />
++<select idref="accounts_password_pam_difok" selected="true" />
++<select idref="accounts_minimum_age_login_defs" selected="true" />
++<select idref="accounts_passwords_pam_fail_interval" selected="true" />
++<select idref="accounts_passwords_pam_faillock_deny" selected="true" />
++
+ </Profile>
+diff --git a/RHEL/7/input/system/accounts/pam.xml b/RHEL/7/input/system/accounts/pam.xml
+index 3cdd433..f5d9cdf 100644
+--- a/RHEL/7/input/system/accounts/pam.xml
++++ b/RHEL/7/input/system/accounts/pam.xml
+@@ -48,7 +48,7 @@ operator="equals" interactive="0">
+ <tt>/etc/security/opasswd</tt> in order to force password change history and
+ keep the user from alternating between the same password too
+ frequently.</description>
+-<value selector="">24</value>
++<value selector="">5</value>
+ <value selector="0">0</value>
+ <value selector="5">5</value>
+ <value selector="10">10</value>
+@@ -137,13 +137,14 @@ reason.</warning>
+ <Value id="var_password_pam_minlen" type="number" operator="equals" interactive="0">
+ <title>minlen</title>
+ <description>Minimum number of characters in password</description>
+-<value selector="">14</value>
++<value selector="">15</value>
+ <value selector="6">6</value>
+ <!-- NIST 800-53 requires 1 in a million using brute force which translates to six numbers -->
+ <value selector="8">8</value>
+ <value selector="10">10</value>
+ <value selector="12">12</value>
+ <value selector="14">14</value>
++<!-- DoD STIG requires 15 -->
+ <value selector="15">15</value>
+ </Value>
+ 
+@@ -190,11 +191,12 @@ password</description>
+ password</description>
+ <warning category="general">Keep this high for short
+ passwords</warning>
+-<value selector="">4</value>
++<value selector="">15</value>
+ <value selector="2">2</value>
+ <value selector="3">3</value>
+ <value selector="4">4</value>
+ <value selector="5">5</value>
++<value selector="15">15</value>
+ </Value>
+ 
+ <Value id="var_password_pam_minclass" type="number" operator="equals" interactive="0">
+@@ -306,10 +308,34 @@ search space.
+ </rationale>
+ <ident cce="27163-5" />
+ <oval id="accounts_password_pam_dcredit" value="var_password_pam_dcredit"/>
+-<ref nist="IA-5(b),IA-5(c),194" disa=""/>
++<ref nist="IA-5(b),IA-5(c),194" disa="194" srg="71"/>
+ <tested by="DS" on="20121024"/>
+ </Rule>
+ 
++<Rule id="accounts_password_pam_minlen">
++<title>Set Password Minimum Length</title>
++<description>The pam_pwquality module's <tt>minlen</tt> parameter controls requirements for
++minimum characters required in a password. Add <tt>minlen=<sub idref="var_password_pam_minlen" /></tt>
++after pam_pwquality to set minimum password length requirements.
++</description>
++<ocil clause="minlen is not found or not set to the required value (or higher)">
++To check how many characters are required in a password, run the following command:
++<pre>$ grep pam_pwquality /etc/pam.d/system-auth</pre>
++Your output should contain <tt>minlen=<sub idref="var_password_pam_minlen" /></tt>
++</ocil>
++<rationale>
++Password length is one factor of several that helps to determine
++strength and how long it takes to crack a password. Use of more characters in
++a password helps to exponentially increase the time and/or resources
++required to compromise the password.
++</rationale>
++<ident cce="26615-5" />
++<oval id="accounts_password_pam_minlen" value="var_password_pam_minlen" />
++<ref nist="IA-5(1)(a)" disa="205" srg="78" />
++<tested by="swells" on="20140928" />
++</Rule>
++
++
+ <Rule id="accounts_password_pam_ucredit">
+ <title>Set Password Strength Minimum Uppercase Characters</title>
+ <description>The pam_pwquality module's <tt>ucredit=</tt> parameter controls requirements for
+@@ -331,18 +357,18 @@ more difficult by ensuring a larger search space.
+ </rationale>
+ <ident cce="26988-6" />
+ <oval id="accounts_password_pam_ucredit" value="var_password_pam_ucredit"/>
+-<ref nist="IA-5(b),IA-5(c),IA-5(1)(a)" disa="" />
++<ref nist="IA-5(b),IA-5(c),IA-5(1)(a)" disa="192" srg="69" />
+ <tested by="DS" on="20121024"/>
+ </Rule>
+ 
+ <Rule id="accounts_password_pam_ocredit">
+ <title>Set Password Strength Minimum Special Characters</title>
+ <description>The pam_pwquality module's <tt>ocredit=</tt> parameter controls requirements for
+-usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to
++usage of special (or "other") characters in a password. When set to a negative number, any password will be required to
+ contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional
+ length credit for each special character.
+-Add <tt>ocredit=-1</tt> after pam_pwquality.so to require use of a special character in passwords.
+-</description>
++Add <tt>ocredit=<sub idref="var_password_pam_ocredit" /></tt> after pam_pwquality.so to 
++require use of a special character in passwords.</description>
+ <ocil clause="ocredit is not found or not set to the required value">
+ To check how many special characters are required in a password, run the following command:
+ <pre>$ grep pam_pwquality /etc/pam.d/system-auth</pre>
+@@ -356,7 +382,7 @@ more difficult by ensuring a larger search space.
+ </rationale>
+ <ident cce="27151-0" />
+ <oval id="accounts_password_pam_ocredit" value="var_password_pam_ocredit"/>
+-<ref nist="IA-5(b),IA-5(c),IA-5(1)(a)" disa="" />
++<ref nist="IA-5(b),IA-5(c),IA-5(1)(a)" disa="1619" srg="266" />
+ <tested by="DS" on="20121024"/>
+ </Rule>
+ 
+@@ -381,7 +407,7 @@ more difficult by ensuring a larger search space.
+ </rationale>
+ <ident cce="27111-4" />
+ <oval id="accounts_password_pam_lcredit" value="var_password_pam_lcredit"/>
+-<ref nist="IA-5(b),IA-5(c),IA-5(1)(a)" disa="" />
++<ref nist="IA-5(b),IA-5(c),IA-5(1)(a)" disa="193" srg="70" />
+ <tested by="DS" on="20121024"/>
+ </Rule>
+ 
+@@ -391,14 +417,14 @@ more difficult by ensuring a larger search space.
+ usage of different characters during a password change.
+ Add <tt>difok=<i>NUM</i></tt> after pam_pwquality.so to require differing
+ characters when changing passwords, substituting <i>NUM</i> appropriately.
+-The DoD requirement is <tt>4</tt>.
++The DoD requirement is <tt>15</tt>.
+ </description>
+ <ocil clause="difok is not found or not set to the required value">
+ To check how many characters must differ during a password change, run the following command:
+ <pre>$ grep pam_pwquality /etc/pam.d/system-auth</pre>
+ The <tt>difok</tt> parameter will indicate how many characters must differ.
+-The DoD requires four characters differ during a password change.
+-This would appear as <tt>difok=4</tt>.
++The DoD requires 15 characters differ during a password change.
++This would appear as <tt>difok=15</tt>.
+ </ocil>
+ <rationale>
+ Requiring a minimum number of different characters during password changes ensures that
+@@ -407,7 +433,7 @@ Note that passwords which are changed on compromised systems will still be compr
+ </rationale>
+ <ident cce="26631-2" />
+ <oval id="accounts_password_pam_difok" value="var_password_pam_difok"/>
+-<ref nist="IA-5(b),IA-5(c),IA-5(1)(b)" disa=""/>
++<ref nist="IA-5(b),IA-5(c),IA-5(1)(b)" disa="195" srg="72" />
+ <tested by="DS" on="20121024"/>
+ </Rule>
+ 
+@@ -476,13 +502,13 @@ attempts using <tt>pam_faillock.so</tt>:
+ <br /><br />
+ Add the following lines immediately below the <tt>pam_unix.so</tt> statement in <tt>AUTH</tt> section of
+ both <tt>/etc/pam.d/system-auth</tt> and /etc/pam.d/password-auth:
+-<pre>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900</pre>
+-<pre>auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900</pre>
++<pre>auth [default=die] pam_faillock.so authfail deny=<id subref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
++<pre>auth required pam_faillock.so authsucc deny=<id subref="var_accounts_passwords_pam_faillock_deny" />  unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
+ </description>
+ <ocil clause="that is not the case">
+ To ensure the failed password attempt policy is configured correctly, run the following command:
+ <pre>$ grep pam_faillock /etc/pam.d/system-auth</pre>
+-The output should show <tt>deny=3</tt>.
++The output should show <tt>deny=<id subref="var_accounts_passwords_pam_faillock_deny" /></tt>.
+ </ocil>
+ <rationale>
+ Locking out user accounts after a number of incorrect attempts
+@@ -490,7 +516,7 @@ prevents direct password guessing attacks.
+ </rationale>
+ <ident cce="26891-2" />
+ <oval id="accounts_passwords_pam_faillock_deny" value="var_accounts_passwords_pam_faillock_deny"/>
+-<ref nist="AC-7(a)" disa="" />
++<ref nist="AC-7(a)" disa="44" srg="21" />
+ </Rule>
+ 
+ <Rule id="accounts_passwords_pam_faillock_unlock_time" severity="medium">
+@@ -500,8 +526,8 @@ To configure the system to lock out accounts after a number of incorrect login
+ attempts and require an administrator to unlock the account using <tt>pam_faillock.so</tt>:
+ <br /><br />
+ Add the following lines immediately below the <tt>pam_env.so</tt> statement in <tt>/etc/pam.d/system-auth</tt>:
+-<pre>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900</pre>
+-<pre>auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900</pre>
++<pre>auth [default=die] pam_faillock.so authfail deny=<id subref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
++<pre>auth required pam_faillock.so authsucc deny=<id subref="var_accounts_passwords_pam_faillock_deny" />  unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
+ </description>
+ <ocil clause="that is not the case">
+ To ensure the failed password attempt policy is configured correctly, run the following command:
+@@ -527,43 +553,46 @@ attempts.
+ <br /><br />
+ Add the following <tt>fail_interval</tt> directives to <tt>pam_faillock.so</tt> immediately below the <tt>pam_env.so</tt> statement in
+ <tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt>:
+-<pre>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900</pre>
+-<pre>auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900</pre>
++<pre>auth [default=die] pam_faillock.so authfail deny=<id subref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
++<pre>auth required pam_faillock.so authsucc deny=<id subref="var_accounts_passwords_pam_faillock_deny" />  unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
+ </description>
+ <ocil clause="that is not the case">
+ To ensure the failed password attempt policy is configured correctly, run the following command:
+ <pre>$ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth</pre>
+-For each file, the output should show <tt>fail_interval=&lt;interval-in-seconds&gt;</tt> where <tt>interval-in-seconds</tt> is 900 (15 minutes) or greater.  If the <tt>fail_interval</tt> parameter is not set, the default setting of 900 seconds is acceptable.
++For each file, the output should show <tt>fail_interval=&lt;interval-in-seconds&gt;</tt> where <tt>interval-in-seconds</tt> is 
++<tt><id subref="var_accounts_passwords_pam_faillock_fail_interval" /></tt>  or greater. 
++If the <tt>fail_interval</tt> parameter is not set, the default setting of 900 seconds is acceptable.
+ </ocil>
+ <rationale>
+ Locking out user accounts after a number of incorrect attempts within a
+ specific period of time prevents direct password guessing attacks.
+ </rationale>
+-<ident cce="RHEL7-CCE-TBD" />
++<ident cce="26763-3" />
+ <oval id="accounts_passwords_pam_fail_interval" value="var_accounts_passwords_pam_faillock_fail_interval"/>
+-<ref nist="AC-7(a)" disa="1452" />
++<ref nist="AC-7(a)" disa="44" srg="21" />
+ </Rule>
+ 
+ <Rule id="accounts_password_pam_unix_remember" severity="medium">
+ <title>Limit Password Reuse</title>
+ <description>Do not allow users to reuse recent passwords. This can
+ be accomplished by using the <tt>remember</tt> option for the <tt>pam_unix</tt> PAM
+-module.  In the file <tt>/etc/pam.d/system-auth</tt>, append <tt>remember=24</tt> to the 
++module.  In the file <tt>/etc/pam.d/system-auth</tt>, append
++<tt>remember=<sub idref="var_password_pam_unix_remember" /></tt> to the 
+ line which refers to the <tt>pam_unix.so</tt> module, as shown:
+-<pre>password sufficient pam_unix.so <i>existing_options</i> remember=24</pre>
+-The DoD and FISMA requirement is 24 passwords.</description>
++<pre>password sufficient pam_unix.so <i>existing_options</i> remember=<sub idref="var_password_pam_unix_remember" /></pre>
++The DoD STIG requirement is 5 passwords.</description>
+ <ocil clause="it does not">
+ To verify the password reuse setting is compliant, run the following command:
+ <pre>$ grep remember /etc/pam.d/system-auth</pre>
+ The output should show the following at the end of the line:
+-<pre>remember=24</pre>
++<pre>remember=<sub idref="var_password_pam_unix_rememer" /></pre>
+ </ocil>
+ <rationale>
+ Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.
+ </rationale>
+ <ident cce="26923-3" />
+ <oval id="accounts_password_pam_unix_remember" value="var_password_pam_unix_remember" />
+-<ref nist="IA-5(f),IA-5(1)(e)" disa="" />
++<ref nist="IA-5(f),IA-5(1)(e)" disa="200" srg="77" />
+ <tested by="DS" on="20121024"/>
+ </Rule>
+ </Group>
+diff --git a/RHEL/7/input/system/accounts/restrictions/password_expiration.xml b/RHEL/7/input/system/accounts/restrictions/password_expiration.xml
+index d79c4a8..9e56b9d 100644
+--- a/RHEL/7/input/system/accounts/restrictions/password_expiration.xml
++++ b/RHEL/7/input/system/accounts/restrictions/password_expiration.xml
+@@ -60,8 +60,8 @@ age, and 7 day warning period with the following command:
+ <value selector="">7</value>
+ <value selector="7">7</value>
+ <value selector="5">5</value>
+-<value selector="1">1</value>
+ <value selector="2">2</value>
++<value selector="1">1</value>
+ <value selector="0">0</value>
+ </Value>
+ 
+@@ -131,7 +131,7 @@ after satisfying the password reuse requirement.
+ </rationale>
+ <ident cce="27002-5" />
+ <oval id="accounts_minimum_age_login_defs" value="var_accounts_minimum_age_login_defs"/>
+-<ref nist="IA-5(f),IA-5(1)(d)" disa=""/>
++<ref nist="IA-5(f),IA-5(1)(d)" disa="198" srg="75" />
+ <tested by="DS" on="20121026"/>
+ </Rule>
+ 
+@@ -145,7 +145,7 @@ and add or correct the following line, replacing <i>DAYS</i> appropriately:
+ A value of 180 days is sufficient for many environments. 
+ The DoD requirement is 60.
+ </description>
+-<ocil clause="it is not set to the required value">
++<ocil clause="PASS_MAX_DAYS is not set to the required value">
+ To check the maximum password age, run the command:
+ <pre>$ grep PASS_MAX_DAYS /etc/login.defs</pre>
+ The DoD and FISMA requirement is 60.
+@@ -157,9 +157,9 @@ periodically change their passwords. This could possibly decrease
+ the utility of a stolen password. Requiring shorter password lifetimes
+ increases the risk of users writing down the password in a convenient
+ location subject to physical compromise.</rationale>
+-<ident cce="RHEL7-CCE-TBD" />
++<ident cce="27051-2" />
+ <oval id="accounts_maximum_age_login_defs" value="var_accounts_maximum_age_login_defs"/>
+-<ref nist="IA-5(f),IA-5(g),IA-5(1)(d)" disa="180,199" />
++<ref nist="IA-5(f),IA-5(g),IA-5(1)(d)" disa="180,199" srg="76" />
+ <tested by="DS" on="20121026"/>
+ </Rule>
+ 
+diff --git a/shared/.gitignore b/shared/.gitignore
+index d7b3ccb..39328cf 100644
+--- a/shared/.gitignore
++++ b/shared/.gitignore
+@@ -1,3 +1,4 @@
+ # files not to track in git
+ *.pyc
+ *.ini
++*.swp
+diff --git a/shared/references/cce-rhel-avail.txt b/shared/references/cce-rhel-avail.txt
+index 381d3da..41dc47e 100644
+--- a/shared/references/cce-rhel-avail.txt
++++ b/shared/references/cce-rhel-avail.txt
+@@ -1,6 +1,3 @@
+-CCE-27051-2
+-CCE-26615-5
+-CCE-26763-3
+ CCE-26436-6
+ CCE-26989-4
+ CCE-26992-8
diff --git a/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-set-deny-prerequisite-#2.patch b/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-set-deny-prerequisite-#2.patch
new file mode 100644
index 0000000..5bc5cc7
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.20-rhel6-rhel7-set-deny-prerequisite-#2.patch
@@ -0,0 +1,142 @@
+diff --git a/RHEL/6/input/system/accounts/pam.xml b/RHEL/6/input/system/accounts/pam.xml
+index b2da2a4..29fa69f 100644
+--- a/RHEL/6/input/system/accounts/pam.xml
++++ b/RHEL/6/input/system/accounts/pam.xml
+@@ -472,12 +472,17 @@ and a second to use unlock_time and set it to a Value
+ <title>Set Deny For Failed Password Attempts</title>
+ <description>
+ To configure the system to lock out accounts after a number of incorrect login
+-attempts using <tt>pam_faillock.so</tt>:
++attempts using <tt>pam_faillock.so</tt>, modify the content of both
++<tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt> as follows:
+ <br /><br />
+-Add the following lines immediately below the <tt>pam_unix.so</tt> statement in <tt>AUTH</tt> section of
+-both <tt>/etc/pam.d/system-auth</tt> and /etc/pam.d/password-auth:
+-<pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=604800 fail_interval=900</pre>
+-<pre>auth required pam_faillock.so authsucc deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=604800 fail_interval=900</pre>
++<ul>
++<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
++<p><pre>auth required pam_faillock.so preauth silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></p></li>
++<li> add the following line immediately <tt>after</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
++<p><pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></p></li>
++<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>ACCOUNT</tt> section:
++<p><pre>account required pam_faillock.so</pre></p></li>
++</ul>
+ </description>
+ <ocil clause="that is not the case">
+ To ensure the failed password attempt policy is configured correctly, run the following command:
+@@ -497,11 +502,17 @@ prevents direct password guessing attacks.
+ <title>Set Lockout Time For Failed Password Attempts</title>
+ <description>
+ To configure the system to lock out accounts after a number of incorrect login
+-attempts and require an administrator to unlock the account using <tt>pam_faillock.so</tt>:
++attempts and require an administrator to unlock the account using <tt>pam_faillock.so</tt>,
++modify the content of both <tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt> as follows:
+ <br /><br />
+-Add the following lines immediately below the <tt>pam_env.so</tt> statement in <tt>/etc/pam.d/system-auth</tt>:
+-<pre>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=900</pre>
+-<pre>auth required pam_faillock.so authsucc deny=3 unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=900</pre>
++<ul>
++<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
++<p><pre>auth required pam_faillock.so preauth silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></p></li>
++<li> add the following line immediately <tt>after</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
++<p><pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></p></li>
++<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>ACCOUNT</tt> section:
++<p><pre>account required pam_faillock.so</pre></p></li>
++</ul>
+ </description>
+ <ocil clause="that is not the case">
+ To ensure the failed password attempt policy is configured correctly, run the following command:
+@@ -523,12 +534,16 @@ situations.
+ <title>Set Interval For Counting Failed Password Attempts</title>
+ <description>
+ Utilizing <tt>pam_faillock.so</tt>, the <tt>fail_interval</tt> directive configures the system to lock out accounts after a number of incorrect login
+-attempts.
++attempts. Modify the content of both <tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt> as follows:
+ <br /><br />
+-Add the following <tt>fail_interval</tt> directives to <tt>pam_faillock.so</tt> immediately below the <tt>pam_env.so</tt> statement in
+-<tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt>:
+-<pre>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
+-<pre>auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
++<ul>
++<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
++<p><pre>auth required pam_faillock.so preauth silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></p></li>
++<li> add the following line immediately <tt>after</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
++<p><pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></p></li>
++<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>ACCOUNT</tt> section:
++<p><pre>account required pam_faillock.so</pre></p></li>
++</ul>
+ </description>
+ <ocil clause="that is not the case">
+ To ensure the failed password attempt policy is configured correctly, run the following command:
+diff --git a/RHEL/7/input/system/accounts/pam.xml b/RHEL/7/input/system/accounts/pam.xml
+index f5d9cdf..e6bcd60 100644
+--- a/RHEL/7/input/system/accounts/pam.xml
++++ b/RHEL/7/input/system/accounts/pam.xml
+@@ -498,12 +498,17 @@ and a second to use unlock_time and set it to a Value
+ <title>Set Deny For Failed Password Attempts</title>
+ <description>
+ To configure the system to lock out accounts after a number of incorrect login
+-attempts using <tt>pam_faillock.so</tt>:
++attempts using <tt>pam_faillock.so</tt>, modify the content of both
++<tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt> as follows:
+ <br /><br />
+-Add the following lines immediately below the <tt>pam_unix.so</tt> statement in <tt>AUTH</tt> section of
+-both <tt>/etc/pam.d/system-auth</tt> and /etc/pam.d/password-auth:
+-<pre>auth [default=die] pam_faillock.so authfail deny=<id subref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
+-<pre>auth required pam_faillock.so authsucc deny=<id subref="var_accounts_passwords_pam_faillock_deny" />  unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
++<ul>
++<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
++<p><pre>auth required pam_faillock.so preauth silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></p></li>
++<li> add the following line immediately <tt>after</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
++<p><pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></p></li>
++<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>ACCOUNT</tt> section:
++<p><pre>account required pam_faillock.so</pre></p></li>
++</ul>
+ </description>
+ <ocil clause="that is not the case">
+ To ensure the failed password attempt policy is configured correctly, run the following command:
+@@ -523,11 +528,17 @@ prevents direct password guessing attacks.
+ <title>Set Lockout Time For Failed Password Attempts</title>
+ <description>
+ To configure the system to lock out accounts after a number of incorrect login
+-attempts and require an administrator to unlock the account using <tt>pam_faillock.so</tt>:
++attempts and require an administrator to unlock the account using <tt>pam_faillock.so</tt>,
++modify the content of both <tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt> as follows:
+ <br /><br />
+-Add the following lines immediately below the <tt>pam_env.so</tt> statement in <tt>/etc/pam.d/system-auth</tt>:
+-<pre>auth [default=die] pam_faillock.so authfail deny=<id subref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
+-<pre>auth required pam_faillock.so authsucc deny=<id subref="var_accounts_passwords_pam_faillock_deny" />  unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
++<ul>
++<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
++<p><pre>auth required pam_faillock.so preauth silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></p></li>
++<li> add the following line immediately <tt>after</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
++<p><pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></p></li>
++<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>ACCOUNT</tt> section:
++<p><pre>account required pam_faillock.so</pre></p></li>
++</ul>
+ </description>
+ <ocil clause="that is not the case">
+ To ensure the failed password attempt policy is configured correctly, run the following command:
+@@ -549,12 +560,16 @@ situations.
+ <title>Set Interval For Counting Failed Password Attempts</title>
+ <description>
+ Utilizing <tt>pam_faillock.so</tt>, the <tt>fail_interval</tt> directive configures the system to lock out accounts after a number of incorrect login
+-attempts.
++attempts. Modify the content of both <tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt> as follows:
+ <br /><br />
+-Add the following <tt>fail_interval</tt> directives to <tt>pam_faillock.so</tt> immediately below the <tt>pam_env.so</tt> statement in
+-<tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt>:
+-<pre>auth [default=die] pam_faillock.so authfail deny=<id subref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
+-<pre>auth required pam_faillock.so authsucc deny=<id subref="var_accounts_passwords_pam_faillock_deny" />  unlock_time=604800 fail_interval=<id subref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
++<ul>
++<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
++<p><pre>auth required pam_faillock.so preauth silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></p></li>
++<li> add the following line immediately <tt>after</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
++<p><pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></p></li>
++<li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>ACCOUNT</tt> section:
++<p><pre>account required pam_faillock.so</pre></p></li>
++</ul>
+ </description>
+ <ocil clause="that is not the case">
+ To ensure the failed password attempt policy is configured correctly, run the following command:
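Review bot: The rewritten descriptions tell the administrator to edit `/etc/pam.d/system-auth` and `/etc/pam.d/password-auth` by hand, but they do not mention that on RHEL these paths are normally symlinks to authconfig-generated files, so a later authconfig run can discard the pam_faillock lines. A closing sentence in each description would cover it, for example `Note that manual changes to these files may be overwritten by the authconfig program.` The same three-item list is pasted into all three rules of both the RHEL/6 and RHEL/7 pam.xml, so any later correction has to be made six times. `<tt>before</tt>` and `<tt>after</tt>` use monospace markup for emphasis where the file already uses `<i>` for that purpose, and `<pre>` nested inside `<p>` is not valid if the descriptions are rendered as XHTML. Each Rule element starts and ends outside its hunk.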
diff --git a/SOURCES/scap-security-guide-0.1.20-rhel7-shared-fix-limit-password-reuse-remediation.patch b/SOURCES/scap-security-guide-0.1.20-rhel7-shared-fix-limit-password-reuse-remediation.patch
new file mode 100644
index 0000000..2b77b38
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.20-rhel7-shared-fix-limit-password-reuse-remediation.patch
@@ -0,0 +1,24 @@
+diff --git a/RHEL/7/input/profiles/rht-ccp.xml b/RHEL/7/input/profiles/rht-ccp.xml
+index e611421..5236ffa 100644
+--- a/RHEL/7/input/profiles/rht-ccp.xml
++++ b/RHEL/7/input/profiles/rht-ccp.xml
+@@ -18,7 +18,7 @@
+ <refine-value idref="var_password_pam_ocredit" selector="2"/>
+ <refine-value idref="var_password_pam_lcredit" selector="2"/>
+ <refine-value idref="var_password_pam_difok" selector="3"/>
+-<refine-value idref="var_password_history_retain_limit" selector="5"/>
++<refine-value idref="var_password_pam_unix_remember" selector="5"/>
+ <refine-value idref="var_accounts_user_umask" selector="077"/>
+ <refine-value idref="login_banner_text" selector="usgcb_default"/>
+ 
+diff --git a/shared/fixes/bash/accounts_password_pam_unix_remember.sh b/shared/fixes/bash/accounts_password_pam_unix_remember.sh
+index 04e0767..98aecef 100644
+--- a/shared/fixes/bash/accounts_password_pam_unix_remember.sh
++++ b/shared/fixes/bash/accounts_password_pam_unix_remember.sh
+@@ -4,5 +4,5 @@ populate var_password_pam_unix_remember
+ if grep -q "remember=" /etc/pam.d/system-auth; then   
+ 	sed -i --follow-symlink "s/\(remember *= *\).*/\1$var_password_pam_unix_remember/" /etc/pam.d/system-auth
+ else
+-	sed -i --follow-symlink "/^password[\s]sufficient[\s]pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" /etc/pam.d/system-auth
++	sed -i --follow-symlink "/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" /etc/pam.d/system-auth
+ fi
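Review bot: The corrected address `/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/` in accounts_password_pam_unix_remember.sh still matches only a `sufficient` control, so if the pam_unix.so password line in system-auth uses any other control value, sed changes nothing and the script finishes without an error, leaving the reuse limit unset. The unchanged first branch has a related problem: `s/\(remember *= *\).*/…/` replaces everything up to the end of the line, so options written after `remember=` are dropped, and it applies to any line containing `remember=`, not only the pam_unix.so one. Limiting the match to the value keeps the trailing options: `s/\(remember *= *\)[^[:space:]]*/\1$var_password_pam_unix_remember/`. A final grep for the expected `remember=` value would make a run that changed nothing visible. The top of the script lies outside the hunk.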
diff --git a/SOURCES/scap-security-guide-0.1.20-rhel7-specify-exact-profile-name-when-generating-guide.patch b/SOURCES/scap-security-guide-0.1.20-rhel7-specify-exact-profile-name-when-generating-guide.patch
new file mode 100644
index 0000000..03cdfd6
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.20-rhel7-specify-exact-profile-name-when-generating-guide.patch
@@ -0,0 +1,20 @@
+diff --git a/RHEL/7/Makefile b/RHEL/7/Makefile
+index c3be98b..0f15c1d 100644
+--- a/RHEL/7/Makefile
++++ b/RHEL/7/Makefile
+@@ -44,11 +44,12 @@ checks:
+ 
+ guide: shorthand2xccdf
+ #	remove auxiliary Groups which are only for use in tables, and not guide output.
+-#	specifying a nonexistent profile, "allrules," to make oscap print all Rules
+ 	xsltproc -o $(OUT)/unlinked-rhel7-xccdf-guide.xml $(TRANS)/xccdf-removeaux.xslt $(OUT)/unlinked-rhel7-xccdf.xml
+ 	xsltproc -o $(OUT)/unlinked-notest-rhel7-xccdf-guide.xml $(TRANS)/xccdf-removetested.xslt $(OUT)/unlinked-rhel7-xccdf-guide.xml
+-	oscap xccdf generate guide --profile allrules $(OUT)/unlinked-notest-rhel7-xccdf-guide.xml > $(OUT)/rhel7-guide.html
+-	xsltproc -o $(OUT)/rhel7-guide-custom.html $(TRANS)/xccdf2html.xslt $(OUT)/unlinked-notest-rhel7-xccdf-guide.xml
++#       OpenSCAP-1.1.1 expects exact profile name in order to include also rules into guide
++#       Create guide for RHT-CCP profile
++	oscap xccdf generate guide --profile rht-ccp $(OUT)/unlinked-notest-rhel7-xccdf-guide.xml > $(OUT)/rhel7-ccp-guide.html
++	xsltproc -o $(OUT)/rhel7-ccp-guide-custom.html $(TRANS)/xccdf2html.xslt $(OUT)/unlinked-notest-rhel7-xccdf-guide.xml
+ 
+ # example, if needed: for converting XCCDF into shorthand
+ #xccdf2shorthand:
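Review bot: The guide recipe now writes `rhel7-ccp-guide.html` and `rhel7-ccp-guide-custom.html` instead of `rhel7-guide.html` and `rhel7-guide-custom.html`, and nothing in this hunk shows the consumers of the old names being updated, so any install or packaging step that still expects them should be checked. The profile id is hard-coded in the recipe; a variable such as `PROFILE ?= rht-ccp` used as `--profile $(PROFILE)` would leave one place to change when another profile is built. The xsltproc call that produces the `-custom.html` file passes no profile parameter, so whether that output is really limited to the profile cannot be told from here. The two added comment lines are indented with spaces after `#`, where the existing comment in the same recipe uses a tab.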
diff --git a/SOURCES/scap-security-guide-0.1.20-shared-fix-set-deny-for-failed-password-attempts-remediation.patch b/SOURCES/scap-security-guide-0.1.20-shared-fix-set-deny-for-failed-password-attempts-remediation.patch
new file mode 100644
index 0000000..e88e7a4
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.20-shared-fix-set-deny-for-failed-password-attempts-remediation.patch
@@ -0,0 +1,51 @@
+diff --git a/shared/fixes/bash/accounts_passwords_pam_faillock_deny.sh b/shared/fixes/bash/accounts_passwords_pam_faillock_deny.sh
+index ca11120..b1dbd3a 100644
+--- a/shared/fixes/bash/accounts_passwords_pam_faillock_deny.sh
++++ b/shared/fixes/bash/accounts_passwords_pam_faillock_deny.sh
+@@ -1,18 +1,36 @@
+ source ./templates/support.sh
+ populate var_accounts_passwords_pam_faillock_deny
+ 
+-for pamFile in "/etc/pam.d/system-auth /etc/pam.d/password-auth"
+-do
++AUTH_FILES[0]="/etc/pam.d/system-auth"
++AUTH_FILES[1]="/etc/pam.d/password-auth"
+ 
+-	if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*deny=" $pamFile; then
+-		sed -i --follow-symlink "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
+-	else
+-		sed -i --follow-symlink "/^auth.*[default=die].*pam_faillock.so.*authfail/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
+-	fi
++for pamFile in "${AUTH_FILES[@]}"
++do
+ 	
+-	if grep -q "^auth.*[default=die].*pam_faillock.so.*authsucc.*deny=" /etc/pam.d/system-auth; then
+-	        sed -i --follow-symlink "s/\(^auth.*[default=die].*pam_faillock.so.*authsucc.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
++	# pam_faillock.so already present?
++	if grep -q "^auth.*pam_faillock.so.*" $pamFile; then
++
++		# pam_faillock.so present, deny directive present?
++		if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*deny=" $pamFile; then
++
++			# both pam_faillock.so & deny present, just correct deny directive value
++			sed -i --follow-symlink "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
++			sed -i --follow-symlink "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\(deny *= *\).*/\1\2$var_accounts_passwords_pam_faillock_deny/" $pamFile
++
++		# pam_faillock.so present, but deny directive not yet
++		else
++
++			# append correct deny value to appropriate places
++			sed -i --follow-symlink "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
++			sed -i --follow-symlink "/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
++		fi
++
++	# pam_faillock.so not present yet
+ 	else
+-	        sed -i --follow-symlink "/^auth.*[default=die].*pam_faillock.so.*authsucc/ s/$/ deny=$var_accounts_passwords_pam_faillock_deny/" $pamFile
++
++		# insert pam_faillock.so preauth & authfail rows with proper value of the 'deny' option
++		sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/i auth        required      pam_faillock.so preauth silent deny=$var_accounts_passwords_pam_faillock_deny" $pamFile
++		sed -i --follow-symlink "/^auth.*sufficient.*pam_unix.so.*/a auth        [default=die] pam_faillock.so authfail deny=$var_accounts_passwords_pam_faillock_deny" $pamFile
++		sed -i --follow-symlink "/^account.*required.*pam_unix.so/i account     required      pam_faillock.so" $pamFile
+ 	fi
+ done
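Review bot: Both sed calls under "just correct deny directive value" end their pattern with `\(deny *= *\).*`, which replaces everything from the old value to the end of the line, so any `unlock_time=` and `fail_interval=` options written after `deny=` (the order the XCCDF descriptions use) are deleted from the preauth and authfail lines. Limiting the match to the value keeps them, for example `s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*deny *= *\)[^[:space:]]*/\1$var_accounts_passwords_pam_faillock_deny/`, and likewise for the authfail line. Separately, the unescaped `[default=die]` in the grep and sed patterns is a bracket expression matching a single character, not the literal control field; `\[default=die\]` states what is meant. The insert branch anchors on `^auth.*sufficient.*pam_unix.so`, so a file whose pam_unix.so line uses a different control gets no pam_faillock lines and no error, and `$pamFile` is expanded unquoted throughout.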
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
new file mode 100644
index 0000000..ce8bb89
--- /dev/null
+++ b/SPECS/scap-security-guide.spec
@@ -0,0 +1,214 @@
+%global		redhatssgversion	19
+
+Name:		scap-security-guide
+Version:	0.1.%{redhatssgversion}
+Release:	2%{?dist}
+Summary:	Security guidance and baselines in SCAP formats
+
+Group:		System Environment/Base
+License:	Public Domain
+URL:		https://fedorahosted.org/scap-security-guide/
+
+Source0:	http://repos.ssgproject.org/sources/%{name}-%{version}.tar.gz
+Patch1:		scap-security-guide-0.1.19-rhel7-include-only-rht-ccp-profile.patch
+Patch2:		scap-security-guide-0.1.19-rhel7-drop-restorecond-since-in-optional.patch
+Patch3:		scap-security-guide-0.1.19-rhel7-drop-cpuspeed-rule-since-obsolete.patch
+Patch4:		scap-security-guide-0.1.19-update-man-page-for-rhel7-content.patch
+Patch5:		scap-security-guide-0.1.19-rhel7-update-pam-XCCDF-to-use-pam_pwquality.patch
+Patch6:		scap-security-guide-0.1.20-rhel7-shared-fix-limit-password-reuse-remediation.patch
+Patch7:		scap-security-guide-0.1.20-rhel6-rhel7-PR#280-set-deny-prerequisite-#1.patch
+Patch8:		scap-security-guide-0.1.20-rhel6-rhel7-set-deny-prerequisite-#2.patch
+Patch9:		scap-security-guide-0.1.20-shared-fix-set-deny-for-failed-password-attempts-remediation.patch
+Patch10:	scap-security-guide-0.1.20-rhel7-specify-exact-profile-name-when-generating-guide.patch
+BuildArch:	noarch
+
+BuildRequires:	libxslt, expat, python, openscap-scanner >= 1.1.1, python-lxml
+Requires:	xml-common, openscap-scanner >= 1.1.1
+
+%description
+The scap-security-guide project provides a guide for configuration of the
+system from the final system's security point of view. The guidance is
+specified in the Security Content Automation Protocol (SCAP) format and
+constitutes a catalog of practical hardening advice, linked to government
+requirements where applicable. The project bridges the gap between generalized
+policy requirements and specific implementation guidelines. The Red Hat
+Enterprise Linux 7 system administrator can use the oscap command-line tool
+from the openscap-utils package to verify that the system conforms to provided
+guideline. Refer to scap-security-guide(8) manual page for further information.
+
+%prep
+%setup -q -n %{name}-%{version}
+# For RHEL-7 include only RHT-CCP profile
+%patch1 -p1 -b .rht-ccp-only
+# Drop restorecond due to https://github.com/OpenSCAP/scap-security-guide/issues/258
+%patch2 -p1 -E -b .drop-restorecond
+# Drop cpuspeed rule since obsoleted in Fedora-16 by cpupower from kernel-tools RPM
+# http://marc.info/?l=fedora-devel-list&m=131107769617369&w=2
+%patch3 -p1 -b .drop-cpuspeed
+# Update manual page to be more appropriate against RHEL-7
+%patch4 -p1 -b .manual-page
+# Update pam.xml to use pam_pwquality instead of pam_cracklib
+%patch5 -p1 -b .replace-pam_cracklib
+# Fix 'Limit Password Reuse' remediation error
+%patch6 -p1 -b .reuse
+# Fix 'Set Deny For Failed Password Attempts' remediation error
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1 -b .set-deny
+# Specify exact profile name when generating RHEL-7 HTML guide
+%patch10 -p1 -b .exact-profile
+
+%build
+(cd RHEL/6 && make dist)
+(cd RHEL/7 && make dist)
+
+%install
+
+mkdir -p %{buildroot}%{_datadir}/xml/scap/ssg/content
+mkdir -p %{buildroot}%{_mandir}/en/man8/
+
+# Add in RHEL-7 core content (SCAP)
+cp -a RHEL/7/dist/content/* %{buildroot}%{_datadir}/xml/scap/ssg/content/
+
+# Add in RHEL-6 datastream (SCAP)
+cp -a RHEL/6/dist/content/ssg-rhel6-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content
+
+# Add in manpage
+cp -a RHEL/6/input/auxiliary/scap-security-guide.8 %{buildroot}%{_mandir}/en/man8/scap-security-guide.8
+
+%files
+%defattr(-,root,root,-)
+%{_datadir}/xml/scap
+%lang(en) %{_mandir}/en/man8/scap-security-guide.8.gz
+%doc RHEL/6/LICENSE RHEL/6/output/rhel6-guide.html RHEL/7/output/rhel7-ccp-guide.html RHEL/6/output/table-rhel6-cces.html RHEL/7/output/table-rhel7-cces.html RHEL/6/output/table-rhel6-nistrefs-common.html RHEL/6/output/table-rhel6-nistrefs.html RHEL/6/output/table-rhel6-srgmap-flat.html RHEL/6/output/table-rhel6-srgmap-flat.xhtml RHEL/6/output/table-rhel6-srgmap.html RHEL/6/output/table-rhel6-stig.html RHEL/6/input/auxiliary/DISCLAIMER
+
+%changelog
+* Tue Oct 21 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.19-2
+- Fix Limit Password Reuse remediation script error
+- Fix Set Deny For Failed Password Attempts remediation script error
+- Use RHT-CCP profile name when generating HTML guide
+- Describe RHT-CCP profile in the manual page
+
+* Mon Sep 29 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.19-1
+- Include RHEL-7 content (RHT-CCP profile only)
+- Drop RHEL-7 restorecond XCCDF rule since policycoreutils-restorecond in Optional channel
+- Drop RHEL-7 cpuspeed XCCDF rule since obsoleted by cpupower from kernel-tools
+- Update manual page to be more appropriate for RHEL-7
+- Drop RHEL-6 C2S profile update patch since merged upstream
+
+* Tue Sep 02 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.18-4
+- Initial build for Red Hat Enterprise Linux 7
+
+* Thu Aug 28 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.18-3
+- Update C2S profile <description> per request from CIS
+
+* Thu Jun 26 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.18-2
+- Include the upstream STIG for RHEL 6 Server profile disclaimer file too
+
+* Sun Jun 22 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.18-1
+- Make new 0.1.18 release
+
+* Wed May 14 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.17-2
+- Drop vendor line from the spec file. Let the build system to provide it.
+
+* Fri May 09 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.17-1
+- Upgrade to upstream 0.1.17 version
+
+* Mon May 05 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.16-2
+- Initial RPM for RHEL base channels
+
+* Mon May 05 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.16-1
+- Change naming scheme (0.1-16 => 0.1.16-1)
+
+* Fri Feb 21 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-16
+- Include datastream file into RHEL6 RPM package too
+- Bump version
+
+* Tue Dec 24 2013 Shawn Wells <shawn@redhat.com> 0.1-16.rc2
++ RHEL6 stig-rhel6-server XCCDF profile renamed to stig-rhel6-server-upstream
+
+* Mon Dec 23 2013 Shawn Wells <shawn@redhat.com> 0.1-16.rc1
+- [bugfix] RHEL6 no_empty_passwords remediation script overwrote
+  system-auth symlink. Added --follow-symlink to sed command.
+
+* Fri Nov 01 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-15
+- Version bump
+
+* Sat Oct 26 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-15.rc5
+- Point the spec's source to proper remote tarball location
+- Modify the main Makefile to use remote tarball when building RHEL/6's SRPM
+
+* Sat Oct 26 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-15.rc4
+- Don't include the table html files two times
+- Remove makewhatis
+
+* Fri Oct 25 2013 Shawn Wells <shawn@redhat.com> 0.1-15.rc3
+- [bugfix] Updated rsyslog_remote_loghost to scan /etc/rsyslog.conf and /etc/rsyslog.d/*
+- Numberous XCCDF->OVAL naming schema updates
+- All rules now have CCE
+
+* Fri Oct 25 2013 Shawn Wells <shawn@redhat.com> 0.1-15.rc2
+- RHEL/6 HTML table naming bugfixes (table-rhel6-*, not table-*-rhel6)
+
+* Fri Oct 25 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-15.rc1
+- Apply spec file changes required by review request (RH BZ#1018905)
+
+* Thu Oct 24 2013 Shawn Wells <shawn@redhat.com> 0.1-14
+- Formal RPM release
+- Inclusion of rht-ccp profile
+- OVAL unit testing patches
+- Bash remediation patches
+- Bugfixes
+
+* Mon Oct 07 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-14.rc1
+- Change RPM versioning scheme to include release into tarball
+
+* Sat Sep 28 2013 Shawn Wells <shawn@redhat.com> 0.1-13
+- Updated RPM spec file to fix rpmlint warnings
+
+* Wed Jun 26 2013 Shawn Wells <shawn@redhat.com> 0.1-12
+- Updated RPM version to 0.1-12
+
+* Fri Apr 26 2013 Shawn Wells <shawn@redhat.com> 0.1-11
+- Significant amount of OVAL bugfixes
+- Incorporation of Draft RHEL/6 STIG feedback
+
+* Sat Feb 16 2013 Shawn Wells <shawn@redhat.com> 0.1-10
+- `man scap-security-guide`
+- OVAL bug fixes
+- NIST 800-53 mappings update
+
+* Wed Nov 28 2012 Shawn Wells <shawn@redhat.com> 0.1-9
+- Updated BuildRequires to reflect python-lxml (thank you, Ray S.!)
+- Reverting to noarch RPM
+
+* Tue Nov 27 2012 Shawn Wells <shawn@redhat.com> 0.1-8
+- Significant copy editing to XCCDF rules per community
+  feedback on the DISA RHEL/6 STIG Initial Draft
+
+* Thu Nov 1 2012 Shawn Wells <shawn@redhat.com> 0.1-7
+- Corrected XCCDF content errors
+- OpenSCAP now supports CPE dictionaries, important to
+  utilize --cpe-dict when scanning machines with OpenSCAP,
+  e.g.:
+  $ oscap xccdf eval --profile stig-server \
+   --cpe-dict ssg-rhel6-cpe-dictionary.xml ssg-rhel6-xccdf.xml
+
+* Mon Oct 22 2012 Shawn Wells <shawn@redhat.com> 0.1-6
+- Corrected RPM versioning, we're on 0.1 release 6 (not version 1 release 6)
+- Updated RPM includes feedback received from DoD Consensus meetings
+
+* Fri Oct 5  2012 Jeffrey Blank <blank@eclipse.ncsc.mil> 1.0-5
+- Adjusted installation directory to /usr/share/xml/scap.
+
+* Tue Aug 28  2012 Spencer Shimko <sshimko@tresys.com> 1.0-4
+- Fix BuildRequires and Requires.
+
+* Tue Jul 3 2012 Jeffrey Blank <blank@eclipse.ncsc.mil> 1.0-3
+- Modified install section, made description more concise.
+
+* Thu Apr 19 2012 Spencer Shimko <sshimko@tresys.com> 1.0-2
+- Minor updates to pass some variables in from build system.
+
+* Mon Apr 02 2012 Shawn Wells <shawn@redhat.com> 1.0-1
+- First attempt at SSG RPM. May ${deity} help us...
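Review bot: The `Source0:` line points at a plain `http://` URL and nothing in `%prep` verifies the tarball, so the only integrity pin visible in this commit is the 40-hex-digit digest (SHA-1, judging by its length) in `.scap-security-guide.metadata`. This package ships hardening content and remediation scripts that edit PAM configuration, so a rebuild that re-downloads by URL instead of using the checked-in digest gets no transport or signature check on what it packages. If the upstream host serves the file over TLS (not confirmed from this page), use `Source0: https://repos.ssgproject.org/sources/%{name}-%{version}.tar.gz`. Either way, add a comment above it such as `# Tarball integrity is pinned by the digest in .scap-security-guide.metadata; re-verify it when bumping Version`.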